OAIES-GOV-001Normative · activeGovernance
The organization MUST maintain an approved system boundary covering every component and dependency capable of affecting outputs or actions.
- Applicability
- Universal
- Objective evidence
- Versioned boundary record, architecture/data-flow diagram, dependency inventory, owner approval
OAIES-GOV-002Normative · activeGovernance
The organization MUST name one system owner and a control owner for every applicable control.
- Applicability
- Universal
- Objective evidence
- Signed ownership register and SoA owner fields
OAIES-GOV-003Normative · activeGovernance
The system owner MUST classify all applicable workload profiles, autonomy level, and impact level before production use and after material change.
- Applicability
- Universal
- Objective evidence
- Dated classification record with rationale, approver, and change history
OAIES-GOV-004Normative · activeGovernance
The SoA MUST include every control in the claimed OAIES version and record its applicability disposition and rationale.
- Applicability
- Universal
- Objective evidence
- Complete version-controlled SoA; automated or manual completeness reconciliation
OAIES-GOV-005Normative · activeGovernance
A not-applicable disposition MUST NOT be used solely because implementation is costly, difficult, outsourced, or incomplete.
- Applicability
- Universal
- Objective evidence
- SoA rationales tied to boundary facts; assessor challenge log
OAIES-GOV-006Normative · activeGovernance
Third-party components MUST remain inside the system boundary wherever their behavior can affect conformance.
- Applicability
- Universal
- Objective evidence
- Supplier inventory, contracts/assurance reports, boundary diagram, shared-responsibility matrix
OAIES-RSK-001Normative · activeRisk
A4 deployment MUST NOT enter production without documented executive authorization, independent risk assessment, bounded authority, and tested containment.
- Applicability
- A4
- Objective evidence
- Signed authorization, independent assessment report, authority policy, containment test results
OAIES-RSK-002Normative · activeRisk
The system owner MUST maintain a risk register covering intended use, foreseeable misuse, affected parties, failure modes, likelihood, impact, safeguards, residual risk, and treatment owner.
- Applicability
- Universal
- Objective evidence
- Approved risk register linked to system version and review history
OAIES-RSK-003Normative · activeRisk
Residual risks above the organization’s approved tolerance MUST NOT be accepted by the system owner alone.
- Applicability
- Universal
- Objective evidence
- Risk policy, approval matrix, signed acceptance by authorized risk owner
OAIES-MOD-001Normative · activeModel
The organization MUST define measurable acceptance criteria and evaluate the complete system against representative and adversarial cases before release.
- Applicability
- Universal
- Objective evidence
- Versioned evaluation plan, dataset lineage, executable results, threshold decision
OAIES-MOD-002Normative · activeModel
Production model, prompt, policy, tool, and configuration versions MUST be uniquely identifiable and reproducible.
- Applicability
- Universal
- Objective evidence
- Immutable release manifest, hashes/versions, configuration snapshot, rebuild or replay result
OAIES-MOD-003Normative · activeModel
Material model or prompt changes MUST NOT bypass regression, safety, and security gates.
- Applicability
- Universal
- Objective evidence
- Change diff, CI/release gate logs, evaluation comparison, approval record
OAIES-DAT-001Normative · activeData
Data used for training, tuning, retrieval, evaluation, or inference MUST have documented provenance, permitted purpose, sensitivity, retention, and responsible owner.
- Applicability
- Universal
- Objective evidence
- Data inventory, lineage records, legal basis/license, classification and retention policy
OAIES-DAT-002Normative · activeData
Sensitive data MUST be minimized and protected in prompts, logs, memory, evaluation sets, and outputs according to its classification.
- Applicability
- Where sensitive data is processed
- Objective evidence
- Data-flow map, minimization decision, access controls, encryption settings, DLP test results
OAIES-SEC-001Normative · activeSecurity
Identity and access controls MUST enforce least privilege for models, tools, data stores, administrative interfaces, and service accounts.
- Applicability
- Universal
- Objective evidence
- Access matrix, policy configuration, entitlement review, denied-access tests
OAIES-SEC-002Normative · activeSecurity
Untrusted input and model output MUST be treated as data rather than executable authority across trust boundaries.
- Applicability
- Universal
- Objective evidence
- Threat model, parser/validator policy, sandbox configuration, injection test results
OAIES-SEC-003Normative · activeSecurity
Secrets MUST NOT be embedded in prompts, source artifacts, model context, logs, or generated output.
- Applicability
- Universal
- Objective evidence
- Secret-scanning results, vault references, redacted telemetry sample, incident review
OAIES-OPS-001Normative · activeOperations
Production releases MUST use an approved, attributable, reversible change process with separation appropriate to impact.
- Applicability
- Universal
- Objective evidence
- Release ticket, approver identity, deployment log, rollback plan and exercise
OAIES-OPS-002Normative · activeOperations
The organization MUST monitor safety, security, quality, availability, cost, and policy-relevant events at frequencies justified by risk.
- Applicability
- Universal
- Objective evidence
- Monitoring specification, dashboards/alerts, sampled events, alert test and response records
OAIES-OPS-003Normative · activeOperations
AI incidents MUST enter a documented response process that preserves evidence, limits harm, notifies accountable parties, and records corrective action.
- Applicability
- Universal
- Objective evidence
- Incident plan, exercise or incident record, preserved logs, notifications, corrective-action closure
OAIES-OPS-004Normative · activeOperations
Users MUST receive accurate notice when they interact with AI or when AI materially influences an outcome, except where lawfully exempted and documented.
- Applicability
- User-facing or decision-influencing systems
- Objective evidence
- Interface capture, notice text/version, exemption analysis, usability test
OAIES-ASR-001Normative · activeAssurance
Applicable controls MUST be supported by evidence meeting the quality rules in 03.
- Applicability
- Universal
- Objective evidence
- Evidence index linked bidirectionally to SoA and immutable evidence objects
OAIES-MOD-010Normative · activeModel
Assistant output MUST be constrained or reviewed where an unsupported claim could cause material harm.
- Applicability
- P1, I2–I3
- Objective evidence
- Output policy, enforcement configuration, test corpus and results, review records
OAIES-MOD-011Normative · activeModel
The system MUST communicate material capability limits and uncertainty at the point where a user relies on output.
- Applicability
- P1
- Objective evidence
- Approved UX copy, rendered interface evidence, user-comprehension test
OAIES-MOD-012Normative · activeModel
Safety and refusal behavior MUST be tested against domain-relevant harmful, ambiguous, multilingual, and adversarial requests.
- Applicability
- P1
- Objective evidence
- Threat-informed test set, run metadata, results, defect remediation
OAIES-DAT-010Normative · activeData
Retrieval authorization MUST be enforced at query time using the requesting principal and source permissions.
- Applicability
- P2 with restricted content
- Objective evidence
- Authorization design, index ACL mapping, positive/negative access tests, query audit logs
OAIES-DAT-011Normative · activeData
Retrieved content MUST retain source identity, version or retrieval time, and trust metadata through generation.
- Applicability
- P2
- Objective evidence
- Indexed metadata schema, response trace, citation/provenance tests
OAIES-DAT-012Normative · activeData
The system MUST evaluate retrieval relevance, coverage, grounding, and resistance to content-based instruction injection before release.
- Applicability
- P2
- Objective evidence
- Curated evaluation set, metric definitions, thresholds, run results, poisoning/injection tests
OAIES-DAT-013Normative · activeData
Stale, revoked, or deleted source content MUST be removed from serving indexes within a documented risk-based service level.
- Applicability
- P2
- Objective evidence
- Freshness SLA, deletion propagation logs, reconciliation report, stale-content alert test
OAIES-AGT-010Normative · activeAgent
Code execution MUST occur in an isolated environment with bounded network, filesystem, identity, compute, and time permissions.
- Applicability
- P3 with execution
- Objective evidence
- Sandbox policy/configuration, escape and egress tests, resource-limit logs
OAIES-AGT-011Normative · activeAgent
Generated code MUST pass deterministic tests, static analysis, dependency, license, and secret checks appropriate to the repository before merge or deployment.
- Applicability
- P3 producing code
- Objective evidence
- Required-check configuration, CI logs, branch protection, blocked-failure example
OAIES-AGT-012Normative · activeAgent
Security-sensitive or production-impacting code changes MUST receive independent human approval from an authorized reviewer.
- Applicability
- P3, I2–I3
- Objective evidence
- CODEOWNERS/approval policy, pull-request approvals, reviewer authorization record
OAIES-SEC-010Normative · activeSecurity
Agent-selected dependencies MUST be resolved through approved registries and verified against integrity and vulnerability policy.
- Applicability
- P3 adding dependencies
- Objective evidence
- Registry policy, lockfile/signature or hash verification, SCA report, exception record
OAIES-AGT-020Normative · activeAgent
Every external action MUST pass deterministic authorization, schema validation, policy, and idempotency controls outside the model.
- Applicability
- P4
- Objective evidence
- Policy-as-code/configuration, action schema, replay/idempotency tests, allow/deny logs
OAIES-AGT-021Normative · activeAgent
Consequential or irreversible actions MUST require informed human approval bound to the exact action payload before execution.
- Applicability
- P4, I2–I3
- Objective evidence
- Approval UX capture, signed payload/hash, approver identity, execution correlation ID
OAIES-AGT-022Normative · activeAgent
Reversible actions MUST have a tested compensation or rollback path before autonomous production execution.
- Applicability
- P4, A2–A3
- Objective evidence
- Rollback procedure, test results, recovery objectives, exercise record
OAIES-AGT-023Normative · activeAgent
Action limits MUST bound value, rate, scope, destination, and cumulative exposure independently of model instructions.
- Applicability
- P4, A2–A3
- Objective evidence
- Runtime limit configuration, boundary tests, limit alerts, blocked-action logs
OAIES-AGT-030Normative · activeAgent
Delegation MUST NOT increase permissions, data access, or action authority beyond the initiating principal and approved workflow.
- Applicability
- P5
- Objective evidence
- Delegation protocol, capability tokens/policies, privilege-escalation tests, trace sample
OAIES-AGT-031Normative · activeAgent
Every inter-agent message and action MUST be attributable to agent identity, version, parent task, and initiating principal.
- Applicability
- P5
- Objective evidence
- Trace schema, immutable end-to-end trace, correlation tests
OAIES-AGT-032Normative · activeAgent
Orchestration MUST enforce termination conditions for cycles, fan-out, cost, time, and repeated failure.
- Applicability
- P5
- Objective evidence
- Orchestrator limits, loop/fan-out tests, cutoff telemetry, incident procedure
OAIES-AGT-033Normative · activeAgent
Conflicting agent outputs MUST be resolved by an explicit deterministic or human-governed policy before consequential action.
- Applicability
- P5 producing consequential action
- Objective evidence
- Conflict policy, scenario tests, decision records and trace
OAIES-RSK-010Normative · activeRisk
A high-impact system MUST complete an impact assessment covering affected groups, rights, safety, accessibility, discrimination, contestability, and cumulative effects before production use.
- Applicability
- P6 or I3
- Objective evidence
- Approved impact assessment, stakeholder input, mitigation tracking
OAIES-RSK-011Normative · activeRisk
High-impact deployment MUST have independent pre-release assurance and an organization-approved reassessment interval derived from impact, change rate, incident history, applicable obligations, and claim period; that interval must be shorter than the approved interval for otherwise comparable lower-impact systems.
- Applicability
- P6 or I3
- Objective evidence
- Assessor independence declaration, assessment report, approved cadence decision with risk rationale and legal mapping, claim-period record, reassessment schedule
OAIES-RSK-012Normative · activeRisk
Affected persons MUST have an accessible path to explanation, correction, contest, and human review of material adverse outcomes.
- Applicability
- P6 or I3 affecting persons
- Objective evidence
- Procedure, interface evidence, service metrics, sampled cases and resolutions
OAIES-MOD-020Normative · activeModel
High-impact performance MUST be evaluated for relevant subgroups, operating conditions, and foreseeable distribution shifts using domain-approved thresholds.
- Applicability
- P6 or I3
- Objective evidence
- Evaluation protocol, subgroup results, threshold approvals, drift tests
OAIES-OPS-010Normative · activeOperations
The operator MUST maintain and test an immediate safe-stop, fallback, or service-withdrawal mechanism.
- Applicability
- P6 or I3; A3–A4
- Objective evidence
- Mechanism design, access authorization, exercise results, recovery record
OAIES-ASR-010Normative · activeAssurance
High-impact evidence MUST be retained under an approved records schedule that accounts for applicable jurisdictional, regulatory, contractual, claim-period, appeal, incident, investigation, and litigation-hold needs and receives independent legal or records-management approval before disposal.
- Applicability
- P6 or I3
- Objective evidence
- Approved records schedule and legal mapping, claim and appeal periods, hold register, disposition approval, integrity and retrieval tests
OAIES-AGT-040Normative · activeAgent
Tool access MUST use explicit allowlists, least-privilege credentials, argument constraints, and default-deny behavior.
- Applicability
- A2–A4
- Objective evidence
- Tool registry, IAM/policy configuration, denied-tool and invalid-argument tests
OAIES-AGT-041Normative · activeAgent
Memory that can influence future actions MUST have provenance, access control, retention, integrity protection, and a deletion mechanism.
- Applicability
- A2–A4 with persistent memory
- Objective evidence
- Memory schema, ACLs, integrity test, retention/deletion logs
OAIES-AGT-042Normative · activeAgent
Operators MUST be able to suspend autonomous execution without model cooperation.
- Applicability
- A2–A4
- Objective evidence
- Out-of-band control design, authorized operator list, kill-switch exercise
OAIES-AGT-043Normative · activeAgent
Autonomous decisions and actions MUST produce tamper-evident traces sufficient to reconstruct inputs, policy decisions, tool calls, approvals, outputs, and outcomes.
- Applicability
- A2–A4
- Objective evidence
- Trace specification, integrity controls, sampled reconstruction test
OAIES-ASR-002Normative · activeAssurance
Each evidence item MUST identify source, custodian, collection time, covered period, system scope, control mapping, integrity mechanism, and retention date.
- Applicability
- Universal
- Objective evidence
- Evidence index and sampled evidence metadata
OAIES-ASR-003Normative · activeAssurance
Operating-effectiveness evidence MUST represent the full assessment period and include failures and exceptions in the sampled population.
- Applicability
- Controls expected to operate over time
- Objective evidence
- Population extract, sampling frame, failure records, sample rationale
OAIES-ASR-004Normative · activeAssurance
Evidence MUST NOT rely solely on a control owner’s uncorroborated assertion.
- Applicability
- Universal
- Objective evidence
- Independent system records, configuration export, reperformed test, or corroborating source
OAIES-ASR-005Normative · activeAssurance
The organization MUST protect evidence against unauthorized alteration and verify retrievability throughout retention.
- Applicability
- Universal
- Objective evidence
- Immutable/WORM or signed storage settings, access log, integrity and restore tests
OAIES-GOV-010Normative · activeGovernance
The SoA MUST identify system/version, boundary, profiles, autonomy, impact, OAIES version, every control disposition, rationale, owner, evidence, exception, approval, and review date.
- Applicability
- Universal
- Objective evidence
- Completed approved SoA and schema/completeness validation
OAIES-GOV-011Normative · activeGovernance
Each not-applicable decision MUST cite a factual boundary or applicability condition and receive system-owner approval.
- Applicability
- Universal
- Objective evidence
- SoA rationale, boundary reference, dated approval
OAIES-RSK-020Normative · activeRisk
Each exception MUST identify the unmet requirement, cause, exposure, affected assets/people, likelihood, impact, compensating controls, residual risk, remediation owner, due date, expiry, applicable maximum-duration policy, duration rationale, and approvers.
- Applicability
- Any exception
- Objective evidence
- Completed exception record, linked risk-register entry, approved duration policy, claim-period and jurisdictional/contractual mapping
OAIES-RSK-021Normative · activeRisk
An exception MUST NOT remain valid beyond its expiry or after a material change without reassessment and new approval.
- Applicability
- Any exception
- Objective evidence
- Expiry automation, reassessment, approval history, blocked-release or alert record
OAIES-RSK-022Normative · activeRisk
Compensating controls MUST be tested for the stated risk before exception approval.
- Applicability
- Exception using compensation
- Objective evidence
- Test plan/results, risk comparison, approver review
OAIES-RSK-023Normative · activeRisk
Expired or rejected exceptions MUST cause the affected control to become nonconforming until remediated.
- Applicability
- Any expired/rejected exception
- Objective evidence
- SoA status transition, GRC workflow, claim update or suspension
OAIES-RSK-024Normative · activeRisk
The organization MUST approve exception-duration maxima by residual-impact tier, make higher-impact maxima progressively shorter, and review the maxima when risk tolerance, applicable obligations, or claim periods change.
- Applicability
- Organization permitting exceptions
- Objective evidence
- Approved exception-duration policy, tier rationale, legal/contractual mapping, risk-committee approval and review history
OAIES-ASR-006Normative · activeAssurance
A conformance claim MUST state system boundary, environments, OAIES version, assessor, assessment period, status, active exceptions, issue date, expiry date, and material-change limitation.
- Applicability
- Any public or internal claim
- Objective evidence
- Signed claim or assessment report containing all fields
OAIES-ASR-007Normative · activeAssurance
An OAIES claim MUST NOT be described as certification, accreditation, regulatory approval, endorsement, or organization-wide assurance; any separately issued external certification must be clearly distinguished from the OAIES claim and attributed to its actual scheme and issuing body.
- Applicability
- Any claim
- Objective evidence
- Approved claim language, communications review, and separate external certificate/scheme record where referenced
OAIES-ASR-008Normative · activeAssurance
The organization MUST suspend or correct a claim when a major nonconformity, expired exception, material scope change, or unreliable evidence invalidates its basis.
- Applicability
- Active claim
- Objective evidence
- Claim register, trigger alert, withdrawal/correction notice, reassessment record
OAIES-GOV-020Normative · activeGovernance
The standard maintainer MUST publish versioned release notes identifying control-level additions, changes, deprecations, retirements, migrations, effective dates, and the evidence-based rationale for each migration window.
- Applicability
- Every OAIES release
- Objective evidence
- Signed/tagged release, changelog, control diff, compatibility/risk analysis, adopter migration evidence, migration notice
OAIES-GOV-021Normative · activeGovernance
A deprecated control MUST retain its ID and normative force until its published retirement date.
- Applicability
- Deprecated controls
- Objective evidence
- Version archive, release notice, control registry
OAIES-GOV-022Normative · activeGovernance
A retired control ID MUST NOT be reassigned to another requirement.
- Applicability
- Standard maintenance
- Objective evidence
- Automated registry uniqueness check and historical catalog
OAIES-GOV-023Normative · activeGovernance
Affected claims MUST be reassessed when a requirement is withdrawn for urgent safety, security, or legal reasons.
- Applicability
- Withdrawn requirement
- Objective evidence
- Withdrawal notice, claim register query, reassessment/suspension records
OAIES-ASR-020Normative · activeAssurance
The assessor MUST document scope, criteria, period, team competence, independence, limitations, methods, populations, samples, tests, evidence, findings, and conclusion.
- Applicability
- Every conformance assessment
- Objective evidence
- Complete signed assessment report and workpapers
OAIES-ASR-021Normative · activeAssurance
The assessor MUST validate SoA completeness and challenge not-applicable rationales against system-boundary facts.
- Applicability
- Every conformance assessment
- Objective evidence
- Catalog reconciliation, challenge log, corrected SoA
OAIES-ASR-022Normative · activeAssurance
The assessor MUST test both control design and operating effectiveness unless the report explicitly provides a design-only conclusion whose approved expiry is bounded by the claim period and whose wording excludes operating effectiveness.
- Applicability
- Every positive conclusion
- Objective evidence
- Test workpapers, control-frequency and operating-cycle analysis, period evidence, approved design-only expiry and claim language where applicable
OAIES-ASR-023Normative · activeAssurance
Sample selection MUST be reproducible and risk-based, derive size and census decisions from approved assurance and deviation criteria, include failures and overrides, apply stronger criteria to I3, and preserve the source population or immutable query.
- Applicability
- Assessment using samples
- Objective evidence
- Approved sampling methodology, population/control-frequency analysis, assurance and tolerable-deviation decisions, I3 escalation rationale, seed/query, population hash/export, selected records
OAIES-ASR-024Normative · activeAssurance
I3 assessments MUST use an assessor independent of control ownership, implementation, operation, and delivery reporting lines.
- Applicability
- P6 or I3
- Objective evidence
- Organization chart, role declarations, conflict check, engagement approval
OAIES-ASR-025Normative · activeAssurance
A positive conclusion MUST NOT be issued when a major nonconformity remains open or a scope limitation prevents sufficient appropriate evidence.
- Applicability
- Every conformance assessment
- Objective evidence
- Finding register, limitation analysis, report conclusion, quality review
OAIES-ASR-026Normative · activeAssurance
Assessment reports MUST receive factual review and independent quality review before issuance.
- Applicability
- Every conformance assessment
- Objective evidence
- Management responses, review notes, reviewer sign-off, issued report hash
OAIES-ASR-027Normative · activeAssurance
Active claims MUST follow an organization-approved surveillance interval derived from impact, change rate, control frequency, incident history, applicable obligations, and claim period; I3 intervals must be shorter than otherwise comparable lower-impact intervals, and material change, major incident, invalid evidence, or withdrawal of relied-upon supplier assurance triggers immediate review.
- Applicability
- Active claim
- Objective evidence
- Approved cadence policy and system-specific rationale, legal/contractual mapping, claim-period record, I3 escalation comparison, surveillance reports, change/incident and supplier triggers
OAIES-ASR-028Normative · activeAssurance
Corrective actions MUST identify root cause, owner, due date, remediation, validation method, and closure evidence.
- Applicability
- Any nonconformity
- Objective evidence
- Corrective-action record, validation results, assessor closure