Skip to content

SDOS Runtime Governance Framework — NIST AI 600-1 Alignment

Control Mapping to NIST AI 600-1 — Generative AI Profile of the AI Risk Management Framework
NIST AI 600-1 — Crosswalk Filed Ahead of Program's Operational Readiness · SDOS-RuntimeGov-to-AI-600-1-v1.0 · Crosswalk filed, held pending NIST's focal-document inclusion — submitted 2026-05-17, ahead of the program's operational readiness for that publication. Resubmission invited if and when AI 600-1 enters the Program. Companion to NIST OLIR Reference ID 220 (AI RMF 1.0, public review through 2026-06-12) and companion submissions to the OLIR Program (CSF 2.0, SP 800-53 Rev 5.2.0, filed 2026-05-15).

SDOS Version: 1.10
Document: NIST AI 600-1 — Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile
Version: 1.0 (July 26, 2024)
Issuing Body: National Institute of Standards and Technology (NIST)
Document Date: 2026-05-17
Authoring Organization: AAM Cyber (aamcyber.com)
Inventor: Pharns Genece

SDOS Control Catalog: View full control definitions


Key Facts

  • What: Alignment mapping between SDOS Runtime Governance Framework controls and the 12 risk categories defined in NIST AI 600-1 — Generative AI Profile (July 2024).
  • Who: AAM Cyber, authoring organization. Pharns Genece, inventor.
  • Scope: All 12 AI 600-1 risk categories addressed. 6 risk categories carry Direct coverage (CBRN, Dangerous Content, Human-AI Configuration, Information Security, Obscene Content, Value Chain); 3 carry Supportive coverage (Data Privacy, Information Integrity, Intellectual Property); 3 carry Partial coverage where organizational or content-layer controls are required beyond the dispatch enforcement boundary (Confabulation, Environmental Impacts, Harmful Bias). Of 212 suggested actions across GV/MP/MS/MG functions, approximately 106 (~50%) are outside the SDOS operational boundary — primarily design-time, organizational, and content-layer obligations.
  • OLIR Status: SDOS-RuntimeGov-to-AI-600-1-v1.0 crosswalk filed, held pending NIST's focal-document inclusion — submitted 2026-05-17, ahead of the program's operational readiness for that publication. Resubmission invited if and when AI 600-1 enters the Program. 4th SDOS submission to the OLIR Program, companion to Reference ID 220.
  • Relationship type: Supportive — SDOS provides structural enforcement at the AI agent dispatch layer that supports AI 600-1 risk category intent without claiming full mitigation of generative AI output risks.
  • Architectural positioning: SDOS operates below the model output layer. It does not evaluate content for confabulation or bias post-generation, but it controls the conditions under which generation occurs, what tools are invoked based on that output, and what leaves the governed boundary — a structural containment layer for GenAI risk.
  • Patent status: Aspects of SDOS are the subject of U.S. Provisional Patent Applications 64/029,300, 64/049,300, 64/067,427, 64/069,200, and 64/076,620.

Purpose

This document maps the controls of the SDOS Runtime Governance Framework to the 12 risk categories defined in NIST AI 600-1 — the Generative AI Profile of the AI Risk Management Framework. It is intended to assist AI risk officers, CISOs, GRC auditors, and enterprise AI governance teams evaluating SDOS as a runtime enforcement layer that operationalizes AI 600-1 risk mitigation obligations at the agent dispatch boundary.

NIST AI 600-1 was published in July 2024 as a companion to the NIST AI RMF 1.0. Where the AI RMF 1.0 addresses AI risk management broadly, AI 600-1 focuses specifically on risks unique to or amplified by generative AI: confabulation, data privacy exposure, prompt injection, harmful content generation, value chain integrity, and human-AI configuration failures, among others. Each risk category is paired with suggested actions structured across the GOVERN, MAP, MEASURE, and MANAGE functions of the AI RMF.

SDOS addresses AI 600-1 at the enforcement layer. Generative AI models produce outputs that are probabilistic and not fully predictable at design time. AI 600-1 acknowledges this — its suggested actions focus heavily on governance structures, measurement practices, and operational safeguards that constrain how GenAI outputs flow into consequential actions. SDOS provides exactly that constraint: a policy-enforced gate at the point of dispatch that determines whether a model output may proceed to tool invocation, external egress, or downstream agent action. This dispatch boundary is the operationalization of AI 600-1's risk mitigation intent at the runtime layer.

This is an informative alignment document. It does not constitute an AI 600-1 certification, a NIST conformance determination, or a complete risk treatment for any of the 12 risk categories. Organizations are responsible for implementing the full range of AI 600-1 suggested actions, many of which operate at organizational, procurement, content evaluation, and model selection layers outside the SDOS runtime enforcement boundary.


Applicability

This document applies to organizations deploying generative AI in agentic workflows — systems in which a generative AI model produces outputs that are consumed by tools, downstream agents, or external systems. It is relevant when:

  • The organization is implementing AI 600-1 risk management obligations and needs a technical enforcement layer at the agent dispatch boundary, or
  • A CISO or AI risk officer requires documented control evidence that GenAI output risks are structurally contained before tool invocation or external egress, or
  • A GRC team is mapping AI 600-1 suggested actions to operational controls for audit or procurement purposes, or
  • The organization is preparing an NIST OLIR submission and needs a reference document establishing the SDOS-to-AI-600-1 crosswalk.

AI 600-1 risk categories addressing content quality (confabulation, bias, harmful content) require content-layer controls — classifiers, output filters, human review — that operate above the dispatch boundary. This document identifies where SDOS provides containment support for those risks and where organizational or content-layer controls are required to complete the treatment.


SDOS Control Catalog Summary

The full control catalog with per-control descriptions, evidence types, and related control dependencies is published at /sdos/reference/v1/. The 24 SDOS controls comprising the public runtime control set are:

Control ID Title
SDOS-GV-01 Configuration-Governed Module Activation
SDOS-GV-02 Governance-Tiered Model Selection
SDOS-GV-03 Default-Deny Pre-Admission Policy
SDOS-GV-04 Cross-Module Governance Continuity
SDOS-GV-05 Model-Alignment-Independent Policy Enforcement
SDOS-RM-01 Dispatch-Time Risk Classification
SDOS-RM-02 Complexity-Tiered Resource Allocation
SDOS-RM-03 Risk-Floor Model Binding
SDOS-AD-01 Default-Deny Agent Pre-Admission
SDOS-IA-01 Attested Agent Identity
SDOS-IA-02 Attested Module Identity
SDOS-IN-01 Governance Baseline Integrity Verification
SDOS-IN-02 Baseline Drift Detection and System Halt
SDOS-IN-03 Module Manifest Integrity
SDOS-EN-01 Pre-Egress Policy Enforcement
SDOS-EN-02 Subordinate-Side Enforcement Gate
SDOS-EN-03 Fail-Closed Degradation
SDOS-EN-04 Governed Egress with Tamper-Evident Audit
SDOS-AU-01 Per-Invocation Audit Record
SDOS-AU-02 Append-Only Audit Log Integrity
SDOS-AU-03 Dual Audit Trail
SDOS-DE-01 Governed Multi-Agent Deliberation
SDOS-DE-02 Convergence-Based Decision Record
SDOS-RS-01 Governed Return on Safety Investment (ROSI) Evaluation

How to Use This Document

Assessor Use Notice

Mapping strength reflects the framework's design coverage of the cited AI 600-1 risk category. Operating effectiveness is a property of a specific deployment and must be tested per engagement. SDOS controls address the dispatch, enforcement, and audit layers — they do not replace content-quality controls (output classifiers, RLHF, human review) that operate at the model output layer. Assessors should treat all mappings as control-design assertions requiring implementation verification.

Mapping Strength Key

Rating Meaning
Direct SDOS control directly implements enforcement relevant to the cited AI 600-1 risk category as its primary function
Supportive SDOS control contributes containment or evidence toward the cited risk category but does not fully address content-layer dimensions
Partial SDOS control addresses a structural subset of the risk category; content-layer or organizational controls required for complete coverage

AI 600-1 Risk Category Overview

NIST AI 600-1 defines 12 risk categories applicable to generative AI systems. Each category is addressed in the mapping below with the SDOS controls that provide runtime enforcement coverage.

# Risk Category SDOS Coverage
1 CBRN Information or Capabilities Direct
2 Confabulation Partial
3 Dangerous, Violent, or Hateful Content Direct
4 Data Privacy Supportive
5 Environmental Impacts Partial
6 Harmful Bias and Homogenization Partial
7 Human-AI Configuration Direct
8 Information Integrity Supportive
9 Information Security Direct
10 Intellectual Property Supportive
11 Obscene, Degrading, and Abusive Content Direct
12 Value Chain and Component Integration Direct

Control Mapping

1. CBRN Information or Capabilities

Risk category addresses the potential for generative AI to provide uplift for chemical, biological, radiological, or nuclear threats.

AI 600-1 Risk Area SDOS Controls Strength
Restricting access to CBRN-capable model invocations SDOS-GV-03, SDOS-AD-01 Direct
Enforcing capability boundaries at dispatch SDOS-EN-01, SDOS-GV-05 Direct
Governance-tiered model selection based on risk classification SDOS-RM-01, SDOS-RM-03, SDOS-GV-02 Direct
Audit of invocations involving elevated risk tiers SDOS-AU-01, SDOS-AU-02, SDOS-EN-04 Direct

SDOS default-deny pre-admission (SDOS-GV-03, SDOS-AD-01) ensures no model capable of CBRN-relevant output is invoked without explicit authorization. Risk classification at dispatch (SDOS-RM-01) assigns elevated risk tiers to invocations involving restricted capability domains, triggering model floor binding (SDOS-RM-03) and enforcement gate evaluation (SDOS-EN-01) before any tool execution proceeds.


2. Confabulation

Risk category addresses the generation of false, fabricated, or hallucinated content presented as factual.

AI 600-1 Risk Area SDOS Controls Strength
Preventing confabulated outputs from triggering tool invocation SDOS-EN-01, SDOS-EN-02 Partial
Audit trail for outputs that proceed to tool execution SDOS-AU-01, SDOS-AU-02 Supportive
Fail-closed on unverifiable outputs in high-risk contexts SDOS-EN-03, SDOS-RM-01 Partial

SDOS does not evaluate model outputs for factual accuracy — that is a content-layer function requiring retrieval-augmented generation (RAG), output classifiers, or human review. SDOS provides structural containment: the pre-egress policy gate (SDOS-EN-01) can be configured to require human-in-the-loop authorization before confabulation-sensitive tool invocations proceed in high-risk dispatch tiers, and audit records (SDOS-AU-01) capture the model output that drove each tool invocation for post-hoc review. Content-layer controls are required to complete treatment of this risk category.


3. Dangerous, Violent, or Hateful Content

Risk category addresses outputs that recommend, facilitate, or instruct harmful physical actions, or that generate violent or hateful content targeting individuals or groups.

AI 600-1 Risk Area SDOS Controls Strength
Blocking tool invocations triggered by dangerous or hateful output SDOS-EN-01, SDOS-GV-03 Direct
Capability boundary enforcement at dispatch SDOS-GV-05, SDOS-AD-01 Direct
Risk-classified dispatch blocking for elevated harm tiers SDOS-RM-01, SDOS-RM-03 Direct
Tamper-evident audit of blocked and permitted invocations SDOS-EN-04, SDOS-AU-01 Direct

The pre-egress policy gate (SDOS-EN-01) evaluates whether a model-generated action may proceed to tool execution. In SDOS deployments configured with harm-tier policies, outputs classified as dangerous, violent, or hateful trigger a block outcome before any external system is reached. This is model-alignment-independent enforcement (SDOS-GV-05) — the block occurs regardless of whether the model believes its output is harmful.


4. Data Privacy

Risk category addresses unauthorized exposure, inference, or exfiltration of personal or sensitive data through generative AI outputs.

AI 600-1 Risk Area SDOS Controls Strength
Pre-egress enforcement blocking unauthorized data exfiltration SDOS-EN-01, SDOS-EN-04 Supportive
Attested identity binding to data access authorizations SDOS-IA-01, SDOS-IA-02 Supportive
Audit trail for all outbound data operations SDOS-AU-01, SDOS-AU-02, SDOS-AU-03 Supportive
Subordinate-side enforcement gate for multi-agent data flows SDOS-EN-02 Supportive

SDOS enforces data access boundaries at the egress layer — the governed egress control (SDOS-EN-04) creates a tamper-evident record of all outbound operations, and the pre-egress gate (SDOS-EN-01) can be configured to block egress of data matching defined sensitivity classifications. SDOS does not classify data content or detect PII in model outputs — that requires content-inspection tooling. SDOS provides the enforcement gate and audit record that data privacy controls require; the classification logic operates above the dispatch boundary.


5. Environmental Impacts

Risk category addresses the energy consumption and carbon footprint of generative AI inference at scale.

AI 600-1 Risk Area SDOS Controls Strength
Governance-tiered model selection limiting unnecessary large-model invocations SDOS-GV-02, SDOS-RM-02 Partial
Complexity-tiered resource allocation preventing over-provisioning SDOS-RM-02, SDOS-RM-03 Partial
ROSI evaluation incorporating resource cost into governance decisions SDOS-RS-01 Partial

SDOS complexity-tiered resource allocation (SDOS-RM-02) and governance-tiered model selection (SDOS-GV-02) ensure that tasks are dispatched to the minimum capable model tier — C1 tasks do not invoke C3-tier models. This is a structural constraint on over-provisioning that has environmental impact as a secondary benefit of governance efficiency. Primary environmental impact measurement and carbon accounting require organizational controls outside the dispatch boundary.


6. Harmful Bias and Homogenization

Risk category addresses discriminatory outputs, reinforcement of harmful stereotypes, and reduction of information diversity through generative AI.

AI 600-1 Risk Area SDOS Controls Strength
Multi-agent deliberation with enforced provider diversity SDOS-DE-01, SDOS-DE-02 Partial
Audit trail supporting post-hoc bias review SDOS-AU-01, SDOS-AU-03 Supportive
Governance-tiered model selection enabling model diversity SDOS-GV-02 Partial

SDOS governed multi-agent deliberation (SDOS-DE-01) enforces structural diversity in multi-agent decision processes — each deliberation panel operates independently with documented convergence records. This partially addresses homogenization at the decision layer by preventing single-model dominance in governed deliberations. Bias detection in individual model outputs requires content-layer evaluation tools. Audit records (SDOS-AU-01, SDOS-AU-03) support retrospective bias analysis.


7. Human-AI Configuration

Risk category addresses improper calibration of human oversight, over-reliance on AI outputs, and insufficient human-in-the-loop controls.

AI 600-1 Risk Area SDOS Controls Strength
Configurable human authorization gates at dispatch SDOS-GV-01, SDOS-EN-01 Direct
Risk-tiered escalation requiring human review at elevated tiers SDOS-RM-01, SDOS-RM-03 Direct
Default-deny requiring explicit admission for autonomous operation SDOS-GV-03, SDOS-AD-01 Direct
Fail-closed degradation halting autonomous operation on governance failure SDOS-EN-03, SDOS-IN-02 Direct
Audit records supporting human review of AI decisions SDOS-AU-01, SDOS-AU-02, SDOS-AU-03 Direct

Human-AI configuration is where SDOS provides its most structurally direct coverage of AI 600-1. The default-deny pre-admission architecture (SDOS-GV-03, SDOS-AD-01) means autonomous AI operation requires explicit authorization — over-reliance cannot occur by default. Risk classification at dispatch (SDOS-RM-01) triggers escalation to human review when risk tier thresholds are exceeded. Configuration-governed module activation (SDOS-GV-01) ensures human-in-the-loop requirements are encoded in versioned policy, not embedded in model behavior that can be fine-tuned away. Fail-closed degradation (SDOS-EN-03) halts autonomous operation when governance integrity cannot be verified.


8. Information Integrity

Risk category addresses the generation and propagation of misinformation, disinformation, and synthetic content that degrades information ecosystems.

AI 600-1 Risk Area SDOS Controls Strength
Pre-egress enforcement blocking synthetic content at publication boundary SDOS-EN-01, SDOS-EN-04 Supportive
Tamper-evident audit trail for all outbound content operations SDOS-AU-01, SDOS-AU-02, SDOS-EN-04 Supportive
Subordinate-side enforcement gate preventing lateral propagation SDOS-EN-02 Supportive
Governance baseline integrity ensuring policy has not been tampered SDOS-IN-01, SDOS-IN-02 Supportive

SDOS cannot detect whether generative AI output constitutes misinformation — that requires content verification, fact-checking, or provenance tooling. SDOS provides the enforcement boundary at which synthetic content can be intercepted before publication: the pre-egress gate (SDOS-EN-01) evaluates whether an outbound content operation is authorized under current policy, and the tamper-evident audit (SDOS-EN-04) records every outbound operation with immutable provenance. Content-layer controls and human review are required to complete treatment.


9. Information Security

Risk category addresses adversarial exploitation of generative AI, including prompt injection, jailbreaking, model inversion, and training data extraction.

AI 600-1 Risk Area SDOS Controls Strength
Prompt injection containment — blocking injected instructions from reaching tool execution SDOS-EN-01, SDOS-GV-05 Direct
Model-alignment-independent enforcement blocking injection regardless of model compliance SDOS-GV-05 Direct
Default-deny blocking unauthorized tool invocations regardless of prompt content SDOS-GV-03, SDOS-AD-01 Direct
Governance baseline integrity detecting tampered policy SDOS-IN-01, SDOS-IN-02, SDOS-IN-03 Direct
Attested identity preventing agent impersonation SDOS-IA-01, SDOS-IA-02 Direct
Fail-closed on integrity failure SDOS-EN-03, SDOS-IN-02 Direct
Tamper-evident audit of all security-relevant operations SDOS-AU-01, SDOS-AU-02, SDOS-AU-03 Direct

Information security is the risk category where SDOS provides its highest structural coverage. Prompt injection — the primary adversarial attack vector for agentic GenAI — is structurally mitigated by the model-alignment-independent enforcement architecture (SDOS-GV-05): the pre-egress gate (SDOS-EN-01) evaluates tool invocation requests against policy independently of the model's interpretation of the prompt. An injected instruction that successfully manipulates the model's output cannot bypass SDOS enforcement because SDOS does not execute model-generated instructions as governance decisions — it evaluates the requested action against a versioned policy configuration. Default-deny (SDOS-GV-03, SDOS-AD-01) ensures that no tool invocation proceeds unless explicitly authorized, regardless of what any prompt contains.


10. Intellectual Property

Risk category addresses unauthorized reproduction of copyrighted material, training data memorization, and IP ownership ambiguity in AI-generated outputs.

AI 600-1 Risk Area SDOS Controls Strength
Pre-egress enforcement blocking unauthorized IP exfiltration SDOS-EN-01, SDOS-EN-04 Supportive
Audit trail for all outbound content operations supporting IP review SDOS-AU-01, SDOS-AU-02, SDOS-AU-03 Supportive
Attested identity binding output to authorized principal SDOS-IA-01 Supportive

SDOS does not detect copyright infringement in model outputs — that requires content fingerprinting or memorization detection tooling. SDOS provides the audit trail that IP accountability requires: every outbound content operation is recorded with tamper-evident provenance (SDOS-EN-04), and the pre-egress gate (SDOS-EN-01) can be configured to require authorization for content publication in IP-sensitive deployment contexts. Organizational IP policy and content-layer controls are required to complete treatment.


11. Obscene, Degrading, and Abusive Content

Risk category addresses generation of content that is sexually explicit, degrading, or abusive toward individuals or groups.

AI 600-1 Risk Area SDOS Controls Strength
Capability boundary enforcement blocking invocation of inappropriate content modules SDOS-GV-01, SDOS-GV-03 Direct
Risk-classified dispatch blocking for prohibited content tiers SDOS-RM-01, SDOS-EN-01 Direct
Default-deny preventing unauthorized content generation pathways SDOS-AD-01, SDOS-GV-05 Direct
Audit trail for prohibited content invocations and blocks SDOS-AU-01, SDOS-EN-04 Direct

SDOS configuration-governed module activation (SDOS-GV-01) ensures that modules capable of generating prohibited content categories are not activated without explicit policy authorization. In deployments where such content is prohibited, the default-deny architecture (SDOS-GV-03) and pre-egress gate (SDOS-EN-01) block any pathway to prohibited content generation before tool execution. This is structural exclusion, not content classification — SDOS prevents the invocation pathway from being established, regardless of whether the underlying model would comply with the prohibition.


12. Value Chain and Component Integration

Risk category addresses risks from third-party AI models, fine-tuned components, data pipelines, and supply chain integrity in GenAI deployments.

AI 600-1 Risk Area SDOS Controls Strength
Module manifest integrity verification for all integrated components SDOS-IN-03, SDOS-IA-02 Direct
Governance baseline integrity detecting unauthorized component substitution SDOS-IN-01, SDOS-IN-02 Direct
Attested module identity preventing unauthorized component activation SDOS-IA-02, SDOS-GV-01 Direct
Cross-module governance continuity across multi-component workflows SDOS-GV-04 Direct
Subordinate-side enforcement gate for third-party agent integrations SDOS-EN-02 Direct
Tamper-evident audit of component-level operations SDOS-AU-01, SDOS-AU-02, SDOS-EN-04 Direct

Value chain and component integrity is a structural problem — it is about whether the components operating in a governed workflow are the authorized components, not whether their outputs are safe. SDOS addresses this at the architectural level: module manifest integrity (SDOS-IN-03) cryptographically verifies each module against its authorized manifest before activation. Governance baseline integrity (SDOS-IN-01, SDOS-IN-02) detects unauthorized changes to the governance configuration itself — including substitution of authorized components with adversarial replacements. Baseline drift triggers system halt (SDOS-IN-02), preventing continued operation on a compromised configuration. Attested module identity (SDOS-IA-02) binds each active module to a declared, verifiable identity.


SDOS Coverage Summary by Domain

SDOS Domain Primary AI 600-1 Risk Categories Supported
Governance (GV) CBRN, Dangerous Content, Human-AI Configuration, Obscene Content, Value Chain
Risk Management (RM) CBRN, Confabulation, Environmental, Human-AI Configuration
Admission (AD) CBRN, Dangerous Content, Human-AI Configuration, Obscene Content
Identity and Attestation (IA) Data Privacy, Information Security, Value Chain
Integrity (IN) Information Security, Value Chain
Enforcement (EN) All 12 risk categories — primary dispatch boundary
Audit (AU) All 12 risk categories — evidence layer
Deliberation (DE) Harmful Bias and Homogenization
Risk Measurement (RS) Environmental Impacts

The Enforcement and Audit domains provide coverage across all 12 risk categories because the dispatch boundary (EN) and the audit record (AU) are universal control points in any governed agentic GenAI deployment.


Coverage Summary by AI RMF Function

NIST AI 600-1 organizes its 212 suggested actions across four AI RMF functions. SDOS coverage varies by function because the functions address different layers of the AI risk lifecycle — governance design, risk identification, measurement, and operational management. SDOS operates exclusively at the dispatch and enforcement layer; its coverage is deepest where AI 600-1 actions address runtime enforcement obligations.

AI RMF Function Total Actions SDOS Mapped Not Mapped
GOVERN (GV) 114 95 19
MAP (MP) 58 30 28
MEASURE (MS) 148 130 18
MANAGE (MG) 101 90 11
Total 421 345 76

Note: Counts reflect the submitted SDOS-RuntimeGov-to-AI-600-1-v1.0 OLIR crosswalk (v1.4, submitted 2026-05-17). Rows include all 212 AI 600-1 action IDs; actions outside the SDOS dispatch boundary are included as No Mapping rows with per-row rationale. Total row count is higher than 212 because multi-control actions are split into separate rows per NIST OLIR format requirements.

Coverage pattern by function:

  • GOVERN (GV): Mixed coverage. GV actions addressing policy documentation, role assignment, training, and procurement are organizational obligations outside the dispatch boundary. GV actions addressing runtime authorization gates, module activation policies, and configuration governance map directly to SDOS-GV, SDOS-RM, and SDOS-EN controls.
  • MAP (MP): Lowest coverage. MP addresses AI risk identification, categorization, and stakeholder analysis — primarily design-time and organizational activities. SDOS contributes runtime evidence (dispatch logs, classification records) that supports mapping activities but does not perform the mapping itself.
  • MEASURE (MS): Moderate coverage. The majority of MS actions address model evaluation, bias testing, output quality measurement, and human feedback collection — content and model-layer activities above the dispatch boundary. SDOS contributes audit records that serve as measurement substrates and risk classification outputs that feed MS processes.
  • MANAGE (MG): Strongest coverage among the four functions. MG actions addressing runtime enforcement, incident response triggers, containment, and audit evidence align closely with SDOS-EN, SDOS-AU, SDOS-IN, and SDOS-RS controls.

Outside SDOS Operational Boundary

The following AI 600-1 action categories are outside the SDOS operational boundary and require organizational, content-layer, or model-layer controls:

Action Category AI RMF Functions Reason Outside Boundary
Model training and fine-tuning governance GV, MG Pre-deployment; SDOS operates at runtime
RLHF and alignment techniques GV, MG Model-layer; SDOS is model-alignment-independent
Output content classification and filtering MS, MG Content-layer; SDOS does not evaluate output semantics
Bias and fairness testing of model outputs MS Content/model-layer evaluation
Data provenance and training data governance MP, MS Pre-deployment data management
Human feedback collection and red-teaming MS Model evaluation activity
Procurement and supplier qualification GV, MP Pre-deployment organizational activity
Workforce AI literacy and training GV Organizational capability development
Incident notification and regulatory reporting MG Organizational response obligation
GenAI use case categorization MP Design-time risk classification; SDOS performs dispatch-time classification only

These boundary exclusions are not gaps in SDOS — they are the design boundary. SDOS is a dispatch-time enforcement layer, not a full AI governance management system. Organizations implementing AI 600-1 should treat SDOS as the runtime enforcement component of a broader AI governance architecture that includes organizational policies, model evaluation practices, and content-layer controls.


Relationship to Other SDOS Framework Alignments

NIST AI 600-1 is a generative AI profile of the AI RMF 1.0 — it extends the RMF's GOVERN/MAP/MEASURE/MANAGE structure to address risks specific to generative AI systems. It is not a standalone framework; it is meant to be used in conjunction with the base AI RMF.

SDOS is already aligned to the base AI RMF 1.0 (NIST OLIR Reference ID 220). This AI 600-1 alignment extends that relationship to the GenAI-specific risk layer:

Framework Layer SDOS Role
NIST AI RMF 1.0 AI risk management (broad) Runtime enforcement mapped to GOVERN / MAP / MEASURE / MANAGE
NIST AI 600-1 Generative AI risk (specific) Dispatch-boundary containment for all 12 GenAI risk categories
NIST CSF 2.0 Cybersecurity framework Control evidence for IDENTIFY / PROTECT / DETECT / RESPOND / RECOVER
NIST SP 800-53 Rev 5.2.0 Security control catalog Per-control mapping to SP 800-53 control families
ISO 42001:2023 AI management system Operational controls satisfying AIMS technical requirements
EU AI Act Regulatory compliance Runtime enforcement of high-risk AI system obligations

A single governed operation in SDOS produces audit trail records simultaneously relevant to AI 600-1 risk containment, AI RMF risk management, CSF 2.0 cybersecurity controls, and ISO 42001 operational requirements.


OLIR Submission Record

SDOS-RuntimeGov-to-AI-600-1-v1.0 was submitted to the NIST OLIR Program on 2026-05-17 as the 4th SDOS informative reference.

  • Submitted: 2026-05-17
  • Status: Crosswalk filed, held pending NIST's focal-document inclusion — submitted ahead of the program's operational readiness for AI 600-1 as a focal document. Resubmission invited if and when AI 600-1 enters the Program.
  • Focal Document: NIST AI 600-1 v1.0 (July 26, 2024)
  • Reference Document: SDOS Runtime Governance Framework v1.10
  • Reference Document URL: https://aamcyber.com/sdos/reference/v1/
  • Relationship Type: Supportive
  • Informative Reference Name: SDOS-RuntimeGov-to-AI-600-1-v1.0
  • Crosswalk: 421 data rows, 212/212 action IDs, 345 mapped, 76 No Mapping with per-row rationale, Column F blank throughout
  • Participation Agreement: Signed 2026-05-12 (covers all four SDOS OLIR submissions)
  • Companion references: NIST OLIR Reference ID 220 (AI RMF 1.0, cataloged 2026-05-13); CSF 2.0 (submitted 2026-05-15, screening); SP 800-53 Rev 5.2.0 (submitted 2026-05-15, screening)

Maintenance

This document is maintained by AAM Cyber. Version 1.10 is the canonical SDOS version. Submitted to NIST OLIR 2026-05-17. This alignment document will be updated when: (1) SDOS controls are added or retired, (2) NIST AI 600-1 is revised, or (3) OLIR submission status changes.


Contact

AAM Cyber
aamcyber.com

Framework alignment inquiries: [email protected]


Intellectual Property

The SDOS Runtime Governance Framework was invented by Pharns Genece. Aspects of the framework are the subject of pending U.S. Provisional Patent Applications 64/029,300, 64/049,300, 64/067,427, 64/069,200, and 64/076,620. AAM Cyber, all rights reserved unless otherwise indicated.


SDOS Runtime Governance Framework — NIST AI 600-1 (Generative AI Profile) Alignment. Version 1.0 — Submitted to NIST OLIR 2026-05-17.