{
  "schema_version": "1.0.0",
  "description": "Dated public record of control proposals Apeiris has submitted upstream to external standards bodies and control libraries. Each entry carries the apeiris source control(s) it derives from, the receiving body and target, the proposal text as submitted, and a neutral status. This artifact is provenance: it establishes what was proposed, where, and when.",
  "framing": "Entries appear here only after they have been submitted to the receiving body. A status of accepted or declined records the body's decision; declined proposals remain listed. Acceptance decisions belong to the receiving body alone.",
  "status_vocabulary": {
    "submitted": "Delivered to the receiving body; no decision yet.",
    "pending": "Acknowledged by the receiving body; under review.",
    "accepted": "Adopted by the receiving body (their assigned identifier recorded).",
    "declined": "Not adopted by the receiving body.",
    "superseded": "Replaced by a later proposal or by the body's own equivalent."
  },
  "updated": "2026-07-16",
  "bodies": [
    {
      "id": "trustcontrols_ai",
      "name": "Agentic Trust Controls",
      "url": "https://trustcontrols.ai",
      "note": "A lean agentic control set layered onto ISO 27001 and ISO 42001, with Developer and User baselines."
    },
    {
      "id": "aiuc_1",
      "name": "AIUC-1",
      "url": "https://www.aiuc-1.com",
      "note": "An AI-agent certification standard: 6 domains, quarterly update cadence, accredited-auditor attestation program."
    }
  ],
  "entries": [
    {
      "id": "SUB-2026-001",
      "body": "trustcontrols_ai",
      "date_submitted": "2026-07-16",
      "type": "new-control",
      "title": "Approval binding to the executed action",
      "source_controls": ["apeiris://authority/controls/PA-11"],
      "target": "HOA (Human Oversight Under Autonomy) · Developer baseline · ISO 42001 A.6.2.4",
      "proposal": "When a human approves a consequential action, the approval is bound to the specific action, parameters, and target reviewed. If any of these change after approval, the approval is invalid and the action returns for review before execution.",
      "rationale": "Closes the time-of-review to time-of-execution gap: without binding, an approval can be applied to an action whose parameters mutated after review.",
      "status": "submitted",
      "their_id": null
    },
    {
      "id": "SUB-2026-002",
      "body": "trustcontrols_ai",
      "date_submitted": "2026-07-16",
      "type": "new-control",
      "title": "Re-authorization of deferred actions at execution time",
      "source_controls": ["apeiris://security/controls/GV-13", "apeiris://security/controls/EC-10"],
      "target": "TUE (Tool Use & Action Execution) · Developer baseline · ISO 42001 A.9.2",
      "proposal": "An action the agent defers for later execution — scheduled, queued, or event-triggered — is re-authorized against current authority, policy, and context at the time it executes, not only when it was created.",
      "rationale": "Authority checked at queue time can be stale, revoked, or re-scoped by fire time; deferral otherwise becomes a standing loophole around invocation-time access control.",
      "status": "submitted",
      "their_id": null
    },
    {
      "id": "SUB-2026-003",
      "body": "trustcontrols_ai",
      "date_submitted": "2026-07-16",
      "type": "new-control",
      "title": "Multi-principal authority intersection",
      "source_controls": ["apeiris://identity/controls/DE-10"],
      "target": "MAS (Multi-Agent Systems & Delegation) · Developer baseline · ISO 42001 A.9.2",
      "proposal": "When an agent acts on behalf of more than one principal in a single action, its effective authority is the intersection of the authority of every contributing principal, never the union.",
      "rationale": "Delegation bounds cover the top-down case; combining simultaneous principals' permissions into authority no single principal holds is the confused-deputy failure and is otherwise unaddressed.",
      "status": "submitted",
      "their_id": null
    },
    {
      "id": "SUB-2026-004",
      "body": "trustcontrols_ai",
      "date_submitted": "2026-07-16",
      "type": "edit",
      "title": "Add the privileged-action chain to the exfiltration-chain separation of duties (TUE-08)",
      "source_controls": ["apeiris://security/controls/EC-16"],
      "target": "TUE-08 · via per-control feedback",
      "proposal": "Generalize TUE-08 to both lethal chains: untrusted input combined with either (a) sensitive-data access and an outbound channel, or (b) a privileged or irreversible tool and a reachable credential. The second chain drives damaging privileged actions without data ever leaving, so egress allowlisting and DLP — the control's named compensations — do not apply to it.",
      "rationale": "The action-side twin of the exfiltration trifecta; each leg alone is fine, their co-occurrence in one flow is the exposure.",
      "status": "submitted",
      "their_id": null
    },
    {
      "id": "SUB-2026-005",
      "body": "trustcontrols_ai",
      "date_submitted": "2026-07-16",
      "type": "new-control",
      "title": "Fail-closed on safeguard degradation",
      "source_controls": ["apeiris://resilience/controls/RG-09"],
      "target": "RBM (Runtime Behavioral Monitoring) · Developer baseline · ISO 42001 A.6.2.6",
      "proposal": "When the safeguards a consequential action depends on — tamper-evident logging, monitoring, or containment — are unavailable or degraded, the agent halts or defers that action rather than proceeding unobserved.",
      "rationale": "Each safeguard may degrade gracefully on its own; nothing otherwise stops an agent from continuing consequential actions while simultaneously unobservable, unstoppable, and unrecorded.",
      "status": "submitted",
      "their_id": null
    },
    {
      "id": "SUB-2026-006",
      "body": "trustcontrols_ai",
      "date_submitted": "2026-07-16",
      "type": "new-control",
      "title": "Aggregate limits across delegation trees and identities",
      "source_controls": ["apeiris://agentic/controls/AO-09", "apeiris://agentic/controls/AO-11", "apeiris://security/controls/GV-12"],
      "target": "RES (Resource & Cost Abuse) · Developer baseline · ISO 42001 A.6.2.6",
      "proposal": "Rate, volume, and cost limits are enforced in aggregate across an agent's full delegation tree and across cooperating agent identities acting on the same task or target, so spawning sub-agents or fresh identities cannot multiply consumption past the limit granted to the originating work.",
      "rationale": "Per-agent budgets miss the fleet case: N sub-agents each within budget can jointly exhaust a shared service, and respawning resets per-identity meters. The limit has to follow the work, not the identity.",
      "status": "submitted",
      "their_id": null
    },
    {
      "id": "SUB-2026-007",
      "body": "aiuc_1",
      "date_submitted": "2026-07-16",
      "type": "requirement-proposal",
      "title": "Bind evaluation validity to the deployed system, not the calendar",
      "source_controls": ["apeiris://model/controls/EV-14"],
      "target": "Testing domains (C/D) · quarterly recertification cadence",
      "proposal": "An agent's effective capability changes the day its tools, permissions, retrieval, or downstream agents change; a certified system can drift materially inside a quarter while every individual change is approved. Proposed requirement: re-evaluation is triggered by material change to the deployed composition (the reachable graph), not only by cadence.",
      "rationale": "Closes capability drift between quarterly recertifications.",
      "status": "submitted",
      "their_id": null
    },
    {
      "id": "SUB-2026-008",
      "body": "aiuc_1",
      "date_submitted": "2026-07-16",
      "type": "requirement-proposal",
      "title": "Compositional requirements across individually-passing controls",
      "source_controls": ["apeiris://security/controls/EC-15", "apeiris://security/controls/EC-16", "apeiris://model/controls/EV-14"],
      "target": "Cross-domain (e.g. B006 ∧ D003 ∧ E015 seams)",
      "proposal": "The worst agent incidents live in combinations where each individual requirement passes while the composed flow is unsafe. Proposed: requirement classes that constrain the composition — no unbroken high-consequence chain across untrusted input, privileged tools, credentials, and outbound channels — alongside the per-requirement checks.",
      "rationale": "Individual-control certification cannot see the seams; compositional requirements make the seams first-class.",
      "status": "submitted",
      "their_id": null
    },
    {
      "id": "SUB-2026-009",
      "body": "aiuc_1",
      "date_submitted": "2026-07-16",
      "type": "crosswalk-quality",
      "title": "Typed crosswalks: make mapped ≠ satisfied visible",
      "source_controls": [],
      "target": "Published AIUC-1 framework crosswalks",
      "proposal": "Offer of a typed crosswalk methodology and a pilot slice (Domain B): each requirement mapping graded with fit (direct/partial/supporting/adjacent), basis (anchored vs asserted), and relation (satisfies/equivalent_to/defends_against/informs), so a reader can distinguish a mapped requirement from a satisfied one.",
      "rationale": "Flat framework-id associations cannot express mapping strength or evidentiary basis; typed mappings can.",
      "status": "submitted",
      "their_id": null
    }
  ]
}
