SDOS Runtime Governance Framework — IEEE P2863 Alignment¶
SDOS Version: 1.10 Standard: IEEE P2863 — Draft Recommended Practice for Organizational Governance of Artificial Intelligence Standard Status: Active PAR — draft under development (PAR approved 2020-02-13; not yet published as a final standard) Standard Body: IEEE Computer Society, C/AISC Artificial Intelligence Standards Committee Document Date: 2026-05-17 Alignment Status: Draft-tracking — clause mapping based on publicly available P2863 scope, abstract, and governance principles; will be updated when the standard ballots and publishes Authoring Organization: AAM Cyber (aamcyber.com) Inventor: Pharns Genece
SDOS Control Catalog: View full control definitions
Purpose¶
This document maps the controls of the SDOS Runtime Governance Framework to IEEE P2863 — Draft Recommended Practice for Organizational Governance of Artificial Intelligence. It is intended to assist AI governance leads, board-level AI accountability officers, CISOs, and enterprise risk teams evaluating SDOS as a technical enforcement layer that operationalizes IEEE P2863 organizational governance principles at runtime.
IEEE P2863 is an active draft standard under development by the IEEE Computer Society's Artificial Intelligence Standards Committee. Its PAR was approved in February 2020. The draft addresses governance at the organizational layer — accountability structures, oversight mechanisms, risk ownership, transparency obligations, and auditability requirements. SDOS addresses governance at the operational layer — runtime enforcement, dispatch-time policy evaluation, identity attestation, and tamper-evident audit. This document establishes the connection between those two layers: where IEEE P2863 states what an organization must govern, SDOS provides the technical mechanism by which that governance is enforced.
This alignment document tracks IEEE P2863 based on its publicly available scope, abstract, and stated governance principles. Clause-level mapping will be refined as the standard progresses through balloting and publication. Organizations evaluating SDOS against IEEE P2863 should treat this document as a forward-looking alignment reference, not a conformance determination against a finalized standard.
Why track a draft standard? Organizations building AI governance infrastructure today cannot afford to wait for standards bodies to finalize. IEEE P2863 has been in active development for six years and reflects emerging consensus on organizational AI governance requirements. SDOS was designed to operationalize exactly the kind of accountability, oversight, and auditability obligations that P2863 addresses. Tracking alignment now positions SDOS users to demonstrate readiness when the standard publishes.
Applicability¶
This document applies to organizations implementing IEEE 2863 governance obligations that include agentic AI workflows. It is relevant when:
- The organization is implementing IEEE 2863 accountability and oversight requirements and needs a technical enforcement layer that produces verifiable governance evidence, or
- An AI governance team is mapping organizational policy obligations to operational controls for audit purposes, or
- A board-level AI governance review requires evidence that runtime operations conform to organizational policy, or
- The organization operates autonomous or semi-autonomous AI agent workflows where dispatch-time enforcement is the primary governance mechanism.
IEEE 2863 is an organizational governance standard. Clauses addressing leadership commitment, organizational context, and culture are primarily organizational obligations outside the operational boundary of a runtime governance framework. This document focuses on the clauses where SDOS runtime controls provide direct technical evidence of compliance.
SDOS Control Catalog Summary¶
The full control catalog with per-control descriptions, evidence types, and related control dependencies is published at /sdos/reference/v1/. The 24 SDOS controls comprising the public runtime control set are:
| Control ID | Title |
|---|---|
| SDOS-GV-01 | Configuration-Governed Module Activation |
| SDOS-GV-02 | Governance-Tiered Model Selection |
| SDOS-GV-03 | Default-Deny Pre-Admission Policy |
| SDOS-GV-04 | Cross-Module Governance Continuity |
| SDOS-GV-05 | Model-Alignment-Independent Policy Enforcement |
| SDOS-RM-01 | Dispatch-Time Risk Classification |
| SDOS-RM-02 | Complexity-Tiered Resource Allocation |
| SDOS-RM-03 | Risk-Floor Model Binding |
| SDOS-AD-01 | Default-Deny Agent Pre-Admission |
| SDOS-IA-01 | Attested Agent Identity |
| SDOS-IA-02 | Attested Module Identity |
| SDOS-IN-01 | Governance Baseline Integrity Verification |
| SDOS-IN-02 | Baseline Drift Detection and System Halt |
| SDOS-IN-03 | Module Manifest Integrity |
| SDOS-EN-01 | Pre-Egress Policy Enforcement |
| SDOS-EN-02 | Subordinate-Side Enforcement Gate |
| SDOS-EN-03 | Fail-Closed Degradation |
| SDOS-EN-04 | Governed Egress with Tamper-Evident Audit |
| SDOS-AU-01 | Per-Invocation Audit Record |
| SDOS-AU-02 | Append-Only Audit Log Integrity |
| SDOS-AU-03 | Dual Audit Trail |
| SDOS-DE-01 | Governed Multi-Agent Deliberation |
| SDOS-DE-02 | Convergence-Based Decision Record |
| SDOS-RS-01 | Governed Return on Safety Investment (ROSI) Evaluation |
How to Use This Document¶
Assessor Use Notice¶
Mapping strength reflects the framework's design coverage of the cited requirement. Operating effectiveness is a property of a specific deployment and must be tested per engagement. Assessors should treat all mappings as control-design assertions requiring implementation verification — including evidence collection, sample selection, and testing against the assessor's own audit objective. The strength rating is the starting point for an assessor's testing plan, not a substitute for it.
Mapping Strength Key¶
| Rating | Meaning |
|---|---|
| Direct | SDOS control directly implements the cited IEEE 2863 requirement as its primary function |
| Supportive | SDOS control contributes evidence toward the cited requirement but does not fully satisfy it alone |
| Partial | SDOS control addresses a subset of the cited requirement; organizational controls required for full coverage |
IEEE P2863 Governance Principles (Draft)¶
IEEE P2863 is structured around a set of organizational governance Principles and Processes derived from its publicly stated scope. The draft describes governance obligations across the following areas (based on publicly available P2863 scope and abstract — clause identifiers marked [TBC] pending standard publication):
| Area | Description |
|---|---|
| Organizational context | Scope of AI governance, organizational AI inventory, risk appetite |
| Leadership and accountability | Board-level AI accountability, roles and responsibilities, oversight structures |
| Planning and risk management | AI risk identification, treatment, and residual risk acceptance |
| Support and resources | Policies, competence, awareness, and governance tooling |
| Operation and oversight | Operational controls, pre-execution authorization, capability governance |
| Performance evaluation | Audit, monitoring, performance measurement, and effectiveness review |
| Improvement and incident response | Detection, response, corrective action, and governance re-authorization |
The following section maps SDOS runtime controls to these governance areas. Clause identifiers will be updated to match the finalized standard structure upon publication.
Control Mapping¶
Accountability and Policy Governance¶
| IEEE 2863 Clause | Clause Title (TBC) | SDOS Controls | Strength |
|---|---|---|---|
| 5.x | AI governance policy and organizational accountability | SDOS-GV-01, SDOS-GV-03, SDOS-GV-05 | Direct |
| 5.x | Roles and responsibilities for AI oversight | SDOS-IA-01, SDOS-IA-02, SDOS-GV-04 | Direct |
| 5.x | Policy enforcement and change control | SDOS-GV-01, SDOS-IN-01, SDOS-IN-02 | Direct |
| 6.x | AI risk identification and treatment | SDOS-RM-01, SDOS-RM-02, SDOS-RM-03 | Direct |
| 6.x | Risk-based decision authority | SDOS-GV-02, SDOS-RM-01, SDOS-AD-01 | Direct |
Operational Oversight and Enforcement¶
| IEEE 2863 Clause | Clause Title (TBC) | SDOS Controls | Strength |
|---|---|---|---|
| 8.x | Operational controls for AI systems | SDOS-EN-01, SDOS-EN-02, SDOS-EN-03 | Direct |
| 8.x | Pre-execution authorization and admission | SDOS-AD-01, SDOS-GV-03, SDOS-IA-01 | Direct |
| 8.x | Model selection and capability governance | SDOS-GV-02, SDOS-RM-02, SDOS-RM-03 | Direct |
| 8.x | Integrity of governance configuration | SDOS-IN-01, SDOS-IN-02, SDOS-IN-03 | Direct |
| 8.x | Fail-safe behavior under system degradation | SDOS-EN-03, SDOS-IN-02 | Direct |
Transparency and Auditability¶
| IEEE 2863 Clause | Clause Title (TBC) | SDOS Controls | Strength |
|---|---|---|---|
| 9.x | Audit and record-keeping for AI operations | SDOS-AU-01, SDOS-AU-02, SDOS-AU-03 | Direct |
| 9.x | Tamper-evident records for governance decisions | SDOS-EN-04, SDOS-AU-02 | Direct |
| 9.x | Performance measurement and governance effectiveness | SDOS-RS-01, SDOS-AU-01, SDOS-AU-03 | Supportive |
| 9.x | Multi-stakeholder deliberation and decision records | SDOS-DE-01, SDOS-DE-02 | Supportive |
Incident Response and Improvement¶
| IEEE 2863 Clause | Clause Title (TBC) | SDOS Controls | Strength |
|---|---|---|---|
| 10.x | Detection and response to AI governance failures | SDOS-IN-02, SDOS-EN-03, SDOS-AU-03 | Direct |
| 10.x | Incident logging and chain-of-custody preservation | SDOS-AU-01, SDOS-AU-02, SDOS-EN-04 | Direct |
| 10.x | Corrective action and baseline re-authorization | SDOS-IN-01, SDOS-IN-02, SDOS-GV-01 | Supportive |
Relationship to Other SDOS Framework Alignments¶
IEEE P2863 occupies the organizational governance layer — it defines what boards and senior leadership must govern. ISO 42001 occupies the management system layer — it defines how that governance is built and maintained. NIST AI RMF 1.0 occupies the risk management layer — it defines how AI risk is identified, measured, and treated.
SDOS runtime controls provide the operational enforcement layer that serves all three:
| Framework | Layer | SDOS Role |
|---|---|---|
| IEEE P2863 (draft) | Organizational governance | Technical enforcement of accountability and oversight obligations |
| ISO 42001:2023 | Management system | Operational controls that satisfy AIMS technical requirements |
| NIST AI RMF 1.0 | Risk management | Runtime enforcement mapped to GOVERN / MAP / MEASURE / MANAGE functions |
| NIST CSF 2.0 | Cybersecurity framework | Control evidence for IDENTIFY / PROTECT / DETECT / RESPOND / RECOVER |
| NIST SP 800-53 Rev 5.2.0 | Security control catalog | Per-control mapping to SP 800-53 control families |
This layered relationship means SDOS runtime evidence satisfies requirements across all five frameworks simultaneously — a single governed operation produces audit trail records that are relevant to IEEE 2863 accountability, ISO 42001 operational controls, and NIST AI RMF risk management all at once.
OLIR Submission Notes¶
Maintenance¶
This document is maintained by AAM Cyber. Version 1.10 is the canonical SDOS version. This alignment document will be updated when: (1) SDOS controls are added or retired, (2) IEEE P2863 publishes as a final standard, or (3) the draft is revised with material changes to its governance principles.
Current status: DRAFT-TRACKING — published as a forward-looking alignment reference. IEEE P2863 is an active draft (Active PAR, not yet balloted or published). Clause IDs marked [TBC] will be resolved upon standard publication. This page is intentionally published in advance of the standard's finalization to demonstrate SDOS readiness against emerging IEEE AI governance requirements.
Contact¶
AAM Cyber aamcyber.com
Framework alignment inquiries: [email protected]
Intellectual Property¶
The SDOS Runtime Governance Framework was invented by Pharns Genece. Aspects of the framework are the subject of pending U.S. Provisional Patent Applications 64/029,300, 64/049,300, 64/067,427, 64/069,200, and 64/076,620. AAM Cyber, all rights reserved unless otherwise indicated.
SDOS Runtime Governance Framework — IEEE P2863 Draft Alignment. Draft-tracking — 2026-05-17.