Docs/standard/templates/statement of applicability template

OAIES Statement of Applicability Template

Template version: 1.0.1
Published: 2026-07-16
Applies to: OAIES 1.x

Purpose

Create the authoritative, auditable record of control applicability and implementation for one bounded AI system.

Why

The SoA prevents omitted controls, undocumented exclusions, and evidence scattered across disconnected systems. It binds scope, risk classification, ownership, evidence, exceptions, and approval in one versioned record.

How

Replace every {VARIABLE_FIELD}. Do not delete catalog rows. Use Not applicable only for a factually absent applicability condition. Record None with rationale where a variable field does not apply.

Document Control

Field Value
SoA ID {SOA_ID}
SoA version {SOA_VERSION}
Status {DRAFT_APPROVED_SUPERSEDED}
OAIES version {OAIES_VERSION}
Created {YYYY-MM-DD}
Approved {YYYY-MM-DD}
Next review {YYYY-MM-DD}
Repository/record URI {AUTHORITATIVE_URI}
Previous version {PREVIOUS_SOA_URI_OR_NONE}

System and Claim Scope

Field Value
System name and version {SYSTEM_NAME_AND_VERSION}
System owner {NAME_ROLE_ID}
Business owner {NAME_ROLE_ID}
Environments {ENVIRONMENTS}
Assessment period {START_DATE_TO_END_DATE}
Boundary record {BOUNDARY_RECORD_URI_AND_VERSION}
Included components and suppliers {COMPONENT_AND_SUPPLIER_INVENTORY_URI}
Excluded components and rationale {EXCLUSIONS_WITH_BOUNDARY_RATIONALE_OR_NONE}
Intended use {INTENDED_USE}
Foreseeable misuse {FORESEEABLE_MISUSE}
Affected persons/groups {AFFECTED_PERSONS_AND_GROUPS}
Jurisdictions {JURISDICTIONS}

Classification

Dimension Selection Rationale and approval evidence
Workload profiles {P1_P2_P3_P4_P5_P6_ALL_THAT_APPLY} {RATIONALE_AND_APPROVAL_URI}
Autonomy {A0_A1_A2_A3_A4} {MAXIMUM_CAPABILITY_RATIONALE_AND_APPROVAL_URI}
Impact {I0_I1_I2_I3} {HARM_RATIONALE_AND_APPROVAL_URI}
Legal/policy designations {DESIGNATIONS_OR_NONE} {LEGAL_OR_POLICY_ANALYSIS_URI}
Material-change triggers {TRIGGERS} {CHANGE_POLICY_URI}
Evidence records schedule {RETENTION_POLICY_AND_JURISDICTION_MAPPING} {LEGAL_RECORDS_APPROVAL_URI}
Exception-duration tiers {APPROVED_MAXIMA_BY_IMPACT} {RISK_RATIONALE_AND_APPROVAL_URI}
Reassessment/surveillance cadence {APPROVED_CADENCE_BY_IMPACT} {RISK_CLAIM_OBLIGATION_RATIONALE_URI}

Control Applicability Register

Copy one row for every control in the claimed OAIES version.

Control ID Control version Disposition Applicability rationale Implementation summary Control owner Evidence IDs/URIs Exception ID/expiry Last tested Next review
{OAIES_DOMAIN_NNN} {CONTROL_VERSION} {APPLICABLE_CONFORMING_APPLICABLE_EXCEPTION_APPLICABLE_NONCONFORMING_NOT_APPLICABLE} {FACTUAL_RATIONALE} {IMPLEMENTATION} {NAME_ROLE_ID} {EVIDENCE_REFERENCES} {EXCEPTION_OR_NONE} {YYYY-MM-DD} {YYYY-MM-DD}

Reconciliation

Check Result Evidence
Catalog control count {COUNT} {CATALOG_VERSION_URI}
SoA distinct control count {COUNT} {RECONCILIATION_OUTPUT_URI}
Missing or duplicate IDs {NONE_OR_IDS} {VALIDATION_OUTPUT_URI}
Applicable without evidence/exception {NONE_OR_IDS} {VALIDATION_OUTPUT_URI}
Expired exceptions {NONE_OR_IDS} {EXCEPTION_QUERY_URI}
Unapproved exclusions {NONE_OR_IDS} {APPROVAL_QUERY_URI}

Approval

Role Name/identity Decision Date Signature/record
System owner {IDENTITY} {APPROVE_REJECT} {YYYY-MM-DD} {SIGNATURE_URI}
Independent risk owner {IDENTITY_OR_NOT_REQUIRED_WITH_REASON} {APPROVE_REJECT_NA} {YYYY-MM-DD} {SIGNATURE_URI_OR_NA}
Assessor {IDENTITY} {VALIDATED_NOT_VALIDATED} {YYYY-MM-DD} {ASSESSMENT_URI}

Tradeoffs

Benefit Cost
Complete control inventory Register maintenance
Traceable evidence Integration with evidence sources
Explicit exclusions Review and approval effort

Anti-patterns

  • Deleting controls that appear not applicable.
  • Using implementation difficulty as exclusion rationale.
  • Linking to mutable dashboards without preserving query, period, and integrity metadata.
  • Allowing an expired exception to remain a passing disposition.

Enterprise Considerations

Store the approved SoA in a version-controlled GRC or records system. Enforce unique IDs, role-based approval, immutable history, exception-expiry alerts, and automated reconciliation against the official OAIES catalog.

Checklist

  • Every variable field is completed or explicitly marked None with rationale.
  • Every catalog control appears exactly once.
  • Classifications match the approved boundary and maximum capability.
  • Every applicable control links to evidence or an active exception.
  • Every exclusion cites a factual applicability condition.
  • Reconciliation has no unresolved error.
  • Required approvers signed the same SoA version.
  • Retention, exception, and surveillance periods trace to approved risk and obligation decisions.

Authoritative References

Changelog

Version Date Change
1.0.1 2026-07-16 Added policy evidence for retention, exception duration, and reassessment cadence decisions.
1.0.0 2026-07-16 Established the normative SoA record structure.