SDOS Runtime Governance Framework — NIST AI 600-1 Alignment¶
SDOS Version: 1.10
Document: NIST AI 600-1 — Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile
Version: 1.0 (July 26, 2024)
Issuing Body: National Institute of Standards and Technology (NIST)
Document Date: 2026-05-17
Authoring Organization: AAM Cyber (aamcyber.com)
Inventor: Pharns Genece
SDOS Control Catalog: View full control definitions
Key Facts¶
- What: Alignment mapping between SDOS Runtime Governance Framework controls and the 12 risk categories defined in NIST AI 600-1 — Generative AI Profile (July 2024).
- Who: AAM Cyber, authoring organization. Pharns Genece, inventor.
- Scope: All 12 AI 600-1 risk categories addressed. 6 risk categories carry Direct coverage (CBRN, Dangerous Content, Human-AI Configuration, Information Security, Obscene Content, Value Chain); 3 carry Supportive coverage (Data Privacy, Information Integrity, Intellectual Property); 3 carry Partial coverage where organizational or content-layer controls are required beyond the dispatch enforcement boundary (Confabulation, Environmental Impacts, Harmful Bias). Of 212 suggested actions across GV/MP/MS/MG functions, approximately 106 (~50%) are outside the SDOS operational boundary — primarily design-time, organizational, and content-layer obligations.
- OLIR Status: SDOS-RuntimeGov-to-AI-600-1-v1.0 crosswalk filed, held pending NIST's focal-document inclusion — submitted 2026-05-17, ahead of the program's operational readiness for that publication. Resubmission invited if and when AI 600-1 enters the Program. 4th SDOS submission to the OLIR Program, companion to Reference ID 220.
- Relationship type: Supportive — SDOS provides structural enforcement at the AI agent dispatch layer that supports AI 600-1 risk category intent without claiming full mitigation of generative AI output risks.
- Architectural positioning: SDOS operates below the model output layer. It does not evaluate content for confabulation or bias post-generation, but it controls the conditions under which generation occurs, what tools are invoked based on that output, and what leaves the governed boundary — a structural containment layer for GenAI risk.
- Patent status: Aspects of SDOS are the subject of U.S. Provisional Patent Applications 64/029,300, 64/049,300, 64/067,427, 64/069,200, and 64/076,620.
Purpose¶
This document maps the controls of the SDOS Runtime Governance Framework to the 12 risk categories defined in NIST AI 600-1 — the Generative AI Profile of the AI Risk Management Framework. It is intended to assist AI risk officers, CISOs, GRC auditors, and enterprise AI governance teams evaluating SDOS as a runtime enforcement layer that operationalizes AI 600-1 risk mitigation obligations at the agent dispatch boundary.
NIST AI 600-1 was published in July 2024 as a companion to the NIST AI RMF 1.0. Where the AI RMF 1.0 addresses AI risk management broadly, AI 600-1 focuses specifically on risks unique to or amplified by generative AI: confabulation, data privacy exposure, prompt injection, harmful content generation, value chain integrity, and human-AI configuration failures, among others. Each risk category is paired with suggested actions structured across the GOVERN, MAP, MEASURE, and MANAGE functions of the AI RMF.
SDOS addresses AI 600-1 at the enforcement layer. Generative AI models produce outputs that are probabilistic and not fully predictable at design time. AI 600-1 acknowledges this — its suggested actions focus heavily on governance structures, measurement practices, and operational safeguards that constrain how GenAI outputs flow into consequential actions. SDOS provides exactly that constraint: a policy-enforced gate at the point of dispatch that determines whether a model output may proceed to tool invocation, external egress, or downstream agent action. This dispatch boundary is the operationalization of AI 600-1's risk mitigation intent at the runtime layer.
This is an informative alignment document. It does not constitute an AI 600-1 certification, a NIST conformance determination, or a complete risk treatment for any of the 12 risk categories. Organizations are responsible for implementing the full range of AI 600-1 suggested actions, many of which operate at organizational, procurement, content evaluation, and model selection layers outside the SDOS runtime enforcement boundary.
Applicability¶
This document applies to organizations deploying generative AI in agentic workflows — systems in which a generative AI model produces outputs that are consumed by tools, downstream agents, or external systems. It is relevant when:
- The organization is implementing AI 600-1 risk management obligations and needs a technical enforcement layer at the agent dispatch boundary, or
- A CISO or AI risk officer requires documented control evidence that GenAI output risks are structurally contained before tool invocation or external egress, or
- A GRC team is mapping AI 600-1 suggested actions to operational controls for audit or procurement purposes, or
- The organization is preparing an NIST OLIR submission and needs a reference document establishing the SDOS-to-AI-600-1 crosswalk.
AI 600-1 risk categories addressing content quality (confabulation, bias, harmful content) require content-layer controls — classifiers, output filters, human review — that operate above the dispatch boundary. This document identifies where SDOS provides containment support for those risks and where organizational or content-layer controls are required to complete the treatment.
SDOS Control Catalog Summary¶
The full control catalog with per-control descriptions, evidence types, and related control dependencies is published at /sdos/reference/v1/. The 24 SDOS controls comprising the public runtime control set are:
| Control ID | Title |
|---|---|
| SDOS-GV-01 | Configuration-Governed Module Activation |
| SDOS-GV-02 | Governance-Tiered Model Selection |
| SDOS-GV-03 | Default-Deny Pre-Admission Policy |
| SDOS-GV-04 | Cross-Module Governance Continuity |
| SDOS-GV-05 | Model-Alignment-Independent Policy Enforcement |
| SDOS-RM-01 | Dispatch-Time Risk Classification |
| SDOS-RM-02 | Complexity-Tiered Resource Allocation |
| SDOS-RM-03 | Risk-Floor Model Binding |
| SDOS-AD-01 | Default-Deny Agent Pre-Admission |
| SDOS-IA-01 | Attested Agent Identity |
| SDOS-IA-02 | Attested Module Identity |
| SDOS-IN-01 | Governance Baseline Integrity Verification |
| SDOS-IN-02 | Baseline Drift Detection and System Halt |
| SDOS-IN-03 | Module Manifest Integrity |
| SDOS-EN-01 | Pre-Egress Policy Enforcement |
| SDOS-EN-02 | Subordinate-Side Enforcement Gate |
| SDOS-EN-03 | Fail-Closed Degradation |
| SDOS-EN-04 | Governed Egress with Tamper-Evident Audit |
| SDOS-AU-01 | Per-Invocation Audit Record |
| SDOS-AU-02 | Append-Only Audit Log Integrity |
| SDOS-AU-03 | Dual Audit Trail |
| SDOS-DE-01 | Governed Multi-Agent Deliberation |
| SDOS-DE-02 | Convergence-Based Decision Record |
| SDOS-RS-01 | Governed Return on Safety Investment (ROSI) Evaluation |
How to Use This Document¶
Assessor Use Notice¶
Mapping strength reflects the framework's design coverage of the cited AI 600-1 risk category. Operating effectiveness is a property of a specific deployment and must be tested per engagement. SDOS controls address the dispatch, enforcement, and audit layers — they do not replace content-quality controls (output classifiers, RLHF, human review) that operate at the model output layer. Assessors should treat all mappings as control-design assertions requiring implementation verification.
Mapping Strength Key¶
| Rating | Meaning |
|---|---|
| Direct | SDOS control directly implements enforcement relevant to the cited AI 600-1 risk category as its primary function |
| Supportive | SDOS control contributes containment or evidence toward the cited risk category but does not fully address content-layer dimensions |
| Partial | SDOS control addresses a structural subset of the risk category; content-layer or organizational controls required for complete coverage |
AI 600-1 Risk Category Overview¶
NIST AI 600-1 defines 12 risk categories applicable to generative AI systems. Each category is addressed in the mapping below with the SDOS controls that provide runtime enforcement coverage.
| # | Risk Category | SDOS Coverage |
|---|---|---|
| 1 | CBRN Information or Capabilities | Direct |
| 2 | Confabulation | Partial |
| 3 | Dangerous, Violent, or Hateful Content | Direct |
| 4 | Data Privacy | Supportive |
| 5 | Environmental Impacts | Partial |
| 6 | Harmful Bias and Homogenization | Partial |
| 7 | Human-AI Configuration | Direct |
| 8 | Information Integrity | Supportive |
| 9 | Information Security | Direct |
| 10 | Intellectual Property | Supportive |
| 11 | Obscene, Degrading, and Abusive Content | Direct |
| 12 | Value Chain and Component Integration | Direct |
Control Mapping¶
1. CBRN Information or Capabilities¶
Risk category addresses the potential for generative AI to provide uplift for chemical, biological, radiological, or nuclear threats.
| AI 600-1 Risk Area | SDOS Controls | Strength |
|---|---|---|
| Restricting access to CBRN-capable model invocations | SDOS-GV-03, SDOS-AD-01 | Direct |
| Enforcing capability boundaries at dispatch | SDOS-EN-01, SDOS-GV-05 | Direct |
| Governance-tiered model selection based on risk classification | SDOS-RM-01, SDOS-RM-03, SDOS-GV-02 | Direct |
| Audit of invocations involving elevated risk tiers | SDOS-AU-01, SDOS-AU-02, SDOS-EN-04 | Direct |
SDOS default-deny pre-admission (SDOS-GV-03, SDOS-AD-01) ensures no model capable of CBRN-relevant output is invoked without explicit authorization. Risk classification at dispatch (SDOS-RM-01) assigns elevated risk tiers to invocations involving restricted capability domains, triggering model floor binding (SDOS-RM-03) and enforcement gate evaluation (SDOS-EN-01) before any tool execution proceeds.
2. Confabulation¶
Risk category addresses the generation of false, fabricated, or hallucinated content presented as factual.
| AI 600-1 Risk Area | SDOS Controls | Strength |
|---|---|---|
| Preventing confabulated outputs from triggering tool invocation | SDOS-EN-01, SDOS-EN-02 | Partial |
| Audit trail for outputs that proceed to tool execution | SDOS-AU-01, SDOS-AU-02 | Supportive |
| Fail-closed on unverifiable outputs in high-risk contexts | SDOS-EN-03, SDOS-RM-01 | Partial |
SDOS does not evaluate model outputs for factual accuracy — that is a content-layer function requiring retrieval-augmented generation (RAG), output classifiers, or human review. SDOS provides structural containment: the pre-egress policy gate (SDOS-EN-01) can be configured to require human-in-the-loop authorization before confabulation-sensitive tool invocations proceed in high-risk dispatch tiers, and audit records (SDOS-AU-01) capture the model output that drove each tool invocation for post-hoc review. Content-layer controls are required to complete treatment of this risk category.
3. Dangerous, Violent, or Hateful Content¶
Risk category addresses outputs that recommend, facilitate, or instruct harmful physical actions, or that generate violent or hateful content targeting individuals or groups.
| AI 600-1 Risk Area | SDOS Controls | Strength |
|---|---|---|
| Blocking tool invocations triggered by dangerous or hateful output | SDOS-EN-01, SDOS-GV-03 | Direct |
| Capability boundary enforcement at dispatch | SDOS-GV-05, SDOS-AD-01 | Direct |
| Risk-classified dispatch blocking for elevated harm tiers | SDOS-RM-01, SDOS-RM-03 | Direct |
| Tamper-evident audit of blocked and permitted invocations | SDOS-EN-04, SDOS-AU-01 | Direct |
The pre-egress policy gate (SDOS-EN-01) evaluates whether a model-generated action may proceed to tool execution. In SDOS deployments configured with harm-tier policies, outputs classified as dangerous, violent, or hateful trigger a block outcome before any external system is reached. This is model-alignment-independent enforcement (SDOS-GV-05) — the block occurs regardless of whether the model believes its output is harmful.
4. Data Privacy¶
Risk category addresses unauthorized exposure, inference, or exfiltration of personal or sensitive data through generative AI outputs.
| AI 600-1 Risk Area | SDOS Controls | Strength |
|---|---|---|
| Pre-egress enforcement blocking unauthorized data exfiltration | SDOS-EN-01, SDOS-EN-04 | Supportive |
| Attested identity binding to data access authorizations | SDOS-IA-01, SDOS-IA-02 | Supportive |
| Audit trail for all outbound data operations | SDOS-AU-01, SDOS-AU-02, SDOS-AU-03 | Supportive |
| Subordinate-side enforcement gate for multi-agent data flows | SDOS-EN-02 | Supportive |
SDOS enforces data access boundaries at the egress layer — the governed egress control (SDOS-EN-04) creates a tamper-evident record of all outbound operations, and the pre-egress gate (SDOS-EN-01) can be configured to block egress of data matching defined sensitivity classifications. SDOS does not classify data content or detect PII in model outputs — that requires content-inspection tooling. SDOS provides the enforcement gate and audit record that data privacy controls require; the classification logic operates above the dispatch boundary.
5. Environmental Impacts¶
Risk category addresses the energy consumption and carbon footprint of generative AI inference at scale.
| AI 600-1 Risk Area | SDOS Controls | Strength |
|---|---|---|
| Governance-tiered model selection limiting unnecessary large-model invocations | SDOS-GV-02, SDOS-RM-02 | Partial |
| Complexity-tiered resource allocation preventing over-provisioning | SDOS-RM-02, SDOS-RM-03 | Partial |
| ROSI evaluation incorporating resource cost into governance decisions | SDOS-RS-01 | Partial |
SDOS complexity-tiered resource allocation (SDOS-RM-02) and governance-tiered model selection (SDOS-GV-02) ensure that tasks are dispatched to the minimum capable model tier — C1 tasks do not invoke C3-tier models. This is a structural constraint on over-provisioning that has environmental impact as a secondary benefit of governance efficiency. Primary environmental impact measurement and carbon accounting require organizational controls outside the dispatch boundary.
6. Harmful Bias and Homogenization¶
Risk category addresses discriminatory outputs, reinforcement of harmful stereotypes, and reduction of information diversity through generative AI.
| AI 600-1 Risk Area | SDOS Controls | Strength |
|---|---|---|
| Multi-agent deliberation with enforced provider diversity | SDOS-DE-01, SDOS-DE-02 | Partial |
| Audit trail supporting post-hoc bias review | SDOS-AU-01, SDOS-AU-03 | Supportive |
| Governance-tiered model selection enabling model diversity | SDOS-GV-02 | Partial |
SDOS governed multi-agent deliberation (SDOS-DE-01) enforces structural diversity in multi-agent decision processes — each deliberation panel operates independently with documented convergence records. This partially addresses homogenization at the decision layer by preventing single-model dominance in governed deliberations. Bias detection in individual model outputs requires content-layer evaluation tools. Audit records (SDOS-AU-01, SDOS-AU-03) support retrospective bias analysis.
7. Human-AI Configuration¶
Risk category addresses improper calibration of human oversight, over-reliance on AI outputs, and insufficient human-in-the-loop controls.
| AI 600-1 Risk Area | SDOS Controls | Strength |
|---|---|---|
| Configurable human authorization gates at dispatch | SDOS-GV-01, SDOS-EN-01 | Direct |
| Risk-tiered escalation requiring human review at elevated tiers | SDOS-RM-01, SDOS-RM-03 | Direct |
| Default-deny requiring explicit admission for autonomous operation | SDOS-GV-03, SDOS-AD-01 | Direct |
| Fail-closed degradation halting autonomous operation on governance failure | SDOS-EN-03, SDOS-IN-02 | Direct |
| Audit records supporting human review of AI decisions | SDOS-AU-01, SDOS-AU-02, SDOS-AU-03 | Direct |
Human-AI configuration is where SDOS provides its most structurally direct coverage of AI 600-1. The default-deny pre-admission architecture (SDOS-GV-03, SDOS-AD-01) means autonomous AI operation requires explicit authorization — over-reliance cannot occur by default. Risk classification at dispatch (SDOS-RM-01) triggers escalation to human review when risk tier thresholds are exceeded. Configuration-governed module activation (SDOS-GV-01) ensures human-in-the-loop requirements are encoded in versioned policy, not embedded in model behavior that can be fine-tuned away. Fail-closed degradation (SDOS-EN-03) halts autonomous operation when governance integrity cannot be verified.
8. Information Integrity¶
Risk category addresses the generation and propagation of misinformation, disinformation, and synthetic content that degrades information ecosystems.
| AI 600-1 Risk Area | SDOS Controls | Strength |
|---|---|---|
| Pre-egress enforcement blocking synthetic content at publication boundary | SDOS-EN-01, SDOS-EN-04 | Supportive |
| Tamper-evident audit trail for all outbound content operations | SDOS-AU-01, SDOS-AU-02, SDOS-EN-04 | Supportive |
| Subordinate-side enforcement gate preventing lateral propagation | SDOS-EN-02 | Supportive |
| Governance baseline integrity ensuring policy has not been tampered | SDOS-IN-01, SDOS-IN-02 | Supportive |
SDOS cannot detect whether generative AI output constitutes misinformation — that requires content verification, fact-checking, or provenance tooling. SDOS provides the enforcement boundary at which synthetic content can be intercepted before publication: the pre-egress gate (SDOS-EN-01) evaluates whether an outbound content operation is authorized under current policy, and the tamper-evident audit (SDOS-EN-04) records every outbound operation with immutable provenance. Content-layer controls and human review are required to complete treatment.
9. Information Security¶
Risk category addresses adversarial exploitation of generative AI, including prompt injection, jailbreaking, model inversion, and training data extraction.
| AI 600-1 Risk Area | SDOS Controls | Strength |
|---|---|---|
| Prompt injection containment — blocking injected instructions from reaching tool execution | SDOS-EN-01, SDOS-GV-05 | Direct |
| Model-alignment-independent enforcement blocking injection regardless of model compliance | SDOS-GV-05 | Direct |
| Default-deny blocking unauthorized tool invocations regardless of prompt content | SDOS-GV-03, SDOS-AD-01 | Direct |
| Governance baseline integrity detecting tampered policy | SDOS-IN-01, SDOS-IN-02, SDOS-IN-03 | Direct |
| Attested identity preventing agent impersonation | SDOS-IA-01, SDOS-IA-02 | Direct |
| Fail-closed on integrity failure | SDOS-EN-03, SDOS-IN-02 | Direct |
| Tamper-evident audit of all security-relevant operations | SDOS-AU-01, SDOS-AU-02, SDOS-AU-03 | Direct |
Information security is the risk category where SDOS provides its highest structural coverage. Prompt injection — the primary adversarial attack vector for agentic GenAI — is structurally mitigated by the model-alignment-independent enforcement architecture (SDOS-GV-05): the pre-egress gate (SDOS-EN-01) evaluates tool invocation requests against policy independently of the model's interpretation of the prompt. An injected instruction that successfully manipulates the model's output cannot bypass SDOS enforcement because SDOS does not execute model-generated instructions as governance decisions — it evaluates the requested action against a versioned policy configuration. Default-deny (SDOS-GV-03, SDOS-AD-01) ensures that no tool invocation proceeds unless explicitly authorized, regardless of what any prompt contains.
10. Intellectual Property¶
Risk category addresses unauthorized reproduction of copyrighted material, training data memorization, and IP ownership ambiguity in AI-generated outputs.
| AI 600-1 Risk Area | SDOS Controls | Strength |
|---|---|---|
| Pre-egress enforcement blocking unauthorized IP exfiltration | SDOS-EN-01, SDOS-EN-04 | Supportive |
| Audit trail for all outbound content operations supporting IP review | SDOS-AU-01, SDOS-AU-02, SDOS-AU-03 | Supportive |
| Attested identity binding output to authorized principal | SDOS-IA-01 | Supportive |
SDOS does not detect copyright infringement in model outputs — that requires content fingerprinting or memorization detection tooling. SDOS provides the audit trail that IP accountability requires: every outbound content operation is recorded with tamper-evident provenance (SDOS-EN-04), and the pre-egress gate (SDOS-EN-01) can be configured to require authorization for content publication in IP-sensitive deployment contexts. Organizational IP policy and content-layer controls are required to complete treatment.
11. Obscene, Degrading, and Abusive Content¶
Risk category addresses generation of content that is sexually explicit, degrading, or abusive toward individuals or groups.
| AI 600-1 Risk Area | SDOS Controls | Strength |
|---|---|---|
| Capability boundary enforcement blocking invocation of inappropriate content modules | SDOS-GV-01, SDOS-GV-03 | Direct |
| Risk-classified dispatch blocking for prohibited content tiers | SDOS-RM-01, SDOS-EN-01 | Direct |
| Default-deny preventing unauthorized content generation pathways | SDOS-AD-01, SDOS-GV-05 | Direct |
| Audit trail for prohibited content invocations and blocks | SDOS-AU-01, SDOS-EN-04 | Direct |
SDOS configuration-governed module activation (SDOS-GV-01) ensures that modules capable of generating prohibited content categories are not activated without explicit policy authorization. In deployments where such content is prohibited, the default-deny architecture (SDOS-GV-03) and pre-egress gate (SDOS-EN-01) block any pathway to prohibited content generation before tool execution. This is structural exclusion, not content classification — SDOS prevents the invocation pathway from being established, regardless of whether the underlying model would comply with the prohibition.
12. Value Chain and Component Integration¶
Risk category addresses risks from third-party AI models, fine-tuned components, data pipelines, and supply chain integrity in GenAI deployments.
| AI 600-1 Risk Area | SDOS Controls | Strength |
|---|---|---|
| Module manifest integrity verification for all integrated components | SDOS-IN-03, SDOS-IA-02 | Direct |
| Governance baseline integrity detecting unauthorized component substitution | SDOS-IN-01, SDOS-IN-02 | Direct |
| Attested module identity preventing unauthorized component activation | SDOS-IA-02, SDOS-GV-01 | Direct |
| Cross-module governance continuity across multi-component workflows | SDOS-GV-04 | Direct |
| Subordinate-side enforcement gate for third-party agent integrations | SDOS-EN-02 | Direct |
| Tamper-evident audit of component-level operations | SDOS-AU-01, SDOS-AU-02, SDOS-EN-04 | Direct |
Value chain and component integrity is a structural problem — it is about whether the components operating in a governed workflow are the authorized components, not whether their outputs are safe. SDOS addresses this at the architectural level: module manifest integrity (SDOS-IN-03) cryptographically verifies each module against its authorized manifest before activation. Governance baseline integrity (SDOS-IN-01, SDOS-IN-02) detects unauthorized changes to the governance configuration itself — including substitution of authorized components with adversarial replacements. Baseline drift triggers system halt (SDOS-IN-02), preventing continued operation on a compromised configuration. Attested module identity (SDOS-IA-02) binds each active module to a declared, verifiable identity.
SDOS Coverage Summary by Domain¶
| SDOS Domain | Primary AI 600-1 Risk Categories Supported |
|---|---|
| Governance (GV) | CBRN, Dangerous Content, Human-AI Configuration, Obscene Content, Value Chain |
| Risk Management (RM) | CBRN, Confabulation, Environmental, Human-AI Configuration |
| Admission (AD) | CBRN, Dangerous Content, Human-AI Configuration, Obscene Content |
| Identity and Attestation (IA) | Data Privacy, Information Security, Value Chain |
| Integrity (IN) | Information Security, Value Chain |
| Enforcement (EN) | All 12 risk categories — primary dispatch boundary |
| Audit (AU) | All 12 risk categories — evidence layer |
| Deliberation (DE) | Harmful Bias and Homogenization |
| Risk Measurement (RS) | Environmental Impacts |
The Enforcement and Audit domains provide coverage across all 12 risk categories because the dispatch boundary (EN) and the audit record (AU) are universal control points in any governed agentic GenAI deployment.
Coverage Summary by AI RMF Function¶
NIST AI 600-1 organizes its 212 suggested actions across four AI RMF functions. SDOS coverage varies by function because the functions address different layers of the AI risk lifecycle — governance design, risk identification, measurement, and operational management. SDOS operates exclusively at the dispatch and enforcement layer; its coverage is deepest where AI 600-1 actions address runtime enforcement obligations.
| AI RMF Function | Total Actions | SDOS Mapped | Not Mapped |
|---|---|---|---|
| GOVERN (GV) | 114 | 95 | 19 |
| MAP (MP) | 58 | 30 | 28 |
| MEASURE (MS) | 148 | 130 | 18 |
| MANAGE (MG) | 101 | 90 | 11 |
| Total | 421 | 345 | 76 |
Note: Counts reflect the submitted SDOS-RuntimeGov-to-AI-600-1-v1.0 OLIR crosswalk (v1.4, submitted 2026-05-17). Rows include all 212 AI 600-1 action IDs; actions outside the SDOS dispatch boundary are included as No Mapping rows with per-row rationale. Total row count is higher than 212 because multi-control actions are split into separate rows per NIST OLIR format requirements.
Coverage pattern by function:
- GOVERN (GV): Mixed coverage. GV actions addressing policy documentation, role assignment, training, and procurement are organizational obligations outside the dispatch boundary. GV actions addressing runtime authorization gates, module activation policies, and configuration governance map directly to SDOS-GV, SDOS-RM, and SDOS-EN controls.
- MAP (MP): Lowest coverage. MP addresses AI risk identification, categorization, and stakeholder analysis — primarily design-time and organizational activities. SDOS contributes runtime evidence (dispatch logs, classification records) that supports mapping activities but does not perform the mapping itself.
- MEASURE (MS): Moderate coverage. The majority of MS actions address model evaluation, bias testing, output quality measurement, and human feedback collection — content and model-layer activities above the dispatch boundary. SDOS contributes audit records that serve as measurement substrates and risk classification outputs that feed MS processes.
- MANAGE (MG): Strongest coverage among the four functions. MG actions addressing runtime enforcement, incident response triggers, containment, and audit evidence align closely with SDOS-EN, SDOS-AU, SDOS-IN, and SDOS-RS controls.
Outside SDOS Operational Boundary¶
The following AI 600-1 action categories are outside the SDOS operational boundary and require organizational, content-layer, or model-layer controls:
| Action Category | AI RMF Functions | Reason Outside Boundary |
|---|---|---|
| Model training and fine-tuning governance | GV, MG | Pre-deployment; SDOS operates at runtime |
| RLHF and alignment techniques | GV, MG | Model-layer; SDOS is model-alignment-independent |
| Output content classification and filtering | MS, MG | Content-layer; SDOS does not evaluate output semantics |
| Bias and fairness testing of model outputs | MS | Content/model-layer evaluation |
| Data provenance and training data governance | MP, MS | Pre-deployment data management |
| Human feedback collection and red-teaming | MS | Model evaluation activity |
| Procurement and supplier qualification | GV, MP | Pre-deployment organizational activity |
| Workforce AI literacy and training | GV | Organizational capability development |
| Incident notification and regulatory reporting | MG | Organizational response obligation |
| GenAI use case categorization | MP | Design-time risk classification; SDOS performs dispatch-time classification only |
These boundary exclusions are not gaps in SDOS — they are the design boundary. SDOS is a dispatch-time enforcement layer, not a full AI governance management system. Organizations implementing AI 600-1 should treat SDOS as the runtime enforcement component of a broader AI governance architecture that includes organizational policies, model evaluation practices, and content-layer controls.
Relationship to Other SDOS Framework Alignments¶
NIST AI 600-1 is a generative AI profile of the AI RMF 1.0 — it extends the RMF's GOVERN/MAP/MEASURE/MANAGE structure to address risks specific to generative AI systems. It is not a standalone framework; it is meant to be used in conjunction with the base AI RMF.
SDOS is already aligned to the base AI RMF 1.0 (NIST OLIR Reference ID 220). This AI 600-1 alignment extends that relationship to the GenAI-specific risk layer:
| Framework | Layer | SDOS Role |
|---|---|---|
| NIST AI RMF 1.0 | AI risk management (broad) | Runtime enforcement mapped to GOVERN / MAP / MEASURE / MANAGE |
| NIST AI 600-1 | Generative AI risk (specific) | Dispatch-boundary containment for all 12 GenAI risk categories |
| NIST CSF 2.0 | Cybersecurity framework | Control evidence for IDENTIFY / PROTECT / DETECT / RESPOND / RECOVER |
| NIST SP 800-53 Rev 5.2.0 | Security control catalog | Per-control mapping to SP 800-53 control families |
| ISO 42001:2023 | AI management system | Operational controls satisfying AIMS technical requirements |
| EU AI Act | Regulatory compliance | Runtime enforcement of high-risk AI system obligations |
A single governed operation in SDOS produces audit trail records simultaneously relevant to AI 600-1 risk containment, AI RMF risk management, CSF 2.0 cybersecurity controls, and ISO 42001 operational requirements.
OLIR Submission Record¶
SDOS-RuntimeGov-to-AI-600-1-v1.0 was submitted to the NIST OLIR Program on 2026-05-17 as the 4th SDOS informative reference.
- Submitted: 2026-05-17
- Status: Crosswalk filed, held pending NIST's focal-document inclusion — submitted ahead of the program's operational readiness for AI 600-1 as a focal document. Resubmission invited if and when AI 600-1 enters the Program.
- Focal Document: NIST AI 600-1 v1.0 (July 26, 2024)
- Reference Document: SDOS Runtime Governance Framework v1.10
- Reference Document URL: https://aamcyber.com/sdos/reference/v1/
- Relationship Type: Supportive
- Informative Reference Name: SDOS-RuntimeGov-to-AI-600-1-v1.0
- Crosswalk: 421 data rows, 212/212 action IDs, 345 mapped, 76 No Mapping with per-row rationale, Column F blank throughout
- Participation Agreement: Signed 2026-05-12 (covers all four SDOS OLIR submissions)
- Companion references: NIST OLIR Reference ID 220 (AI RMF 1.0, cataloged 2026-05-13); CSF 2.0 (submitted 2026-05-15, screening); SP 800-53 Rev 5.2.0 (submitted 2026-05-15, screening)
Maintenance¶
This document is maintained by AAM Cyber. Version 1.10 is the canonical SDOS version. Submitted to NIST OLIR 2026-05-17. This alignment document will be updated when: (1) SDOS controls are added or retired, (2) NIST AI 600-1 is revised, or (3) OLIR submission status changes.
Contact¶
AAM Cyber
aamcyber.com
Framework alignment inquiries: [email protected]
Intellectual Property¶
The SDOS Runtime Governance Framework was invented by Pharns Genece. Aspects of the framework are the subject of pending U.S. Provisional Patent Applications 64/029,300, 64/049,300, 64/067,427, 64/069,200, and 64/076,620. AAM Cyber, all rights reserved unless otherwise indicated.
SDOS Runtime Governance Framework — NIST AI 600-1 (Generative AI Profile) Alignment. Version 1.0 — Submitted to NIST OLIR 2026-05-17.