Skip to content

SDOS Runtime Governance Framework — IEEE P2863 Alignment

Control Mapping to IEEE P2863 Draft — Recommended Practice for Organizational Governance of Artificial Intelligence
IEEE P2863 — Active PAR (Draft) · Standard under development since 2020 · Not yet balloted or published · Clause mapping is draft-tracking based on publicly available scope and governance principles · Mapping will be finalized upon standard publication

SDOS Version: 1.10 Standard: IEEE P2863 — Draft Recommended Practice for Organizational Governance of Artificial Intelligence Standard Status: Active PAR — draft under development (PAR approved 2020-02-13; not yet published as a final standard) Standard Body: IEEE Computer Society, C/AISC Artificial Intelligence Standards Committee Document Date: 2026-05-17 Alignment Status: Draft-tracking — clause mapping based on publicly available P2863 scope, abstract, and governance principles; will be updated when the standard ballots and publishes Authoring Organization: AAM Cyber (aamcyber.com) Inventor: Pharns Genece

SDOS Control Catalog: View full control definitions


Purpose

This document maps the controls of the SDOS Runtime Governance Framework to IEEE P2863 — Draft Recommended Practice for Organizational Governance of Artificial Intelligence. It is intended to assist AI governance leads, board-level AI accountability officers, CISOs, and enterprise risk teams evaluating SDOS as a technical enforcement layer that operationalizes IEEE P2863 organizational governance principles at runtime.

IEEE P2863 is an active draft standard under development by the IEEE Computer Society's Artificial Intelligence Standards Committee. Its PAR was approved in February 2020. The draft addresses governance at the organizational layer — accountability structures, oversight mechanisms, risk ownership, transparency obligations, and auditability requirements. SDOS addresses governance at the operational layer — runtime enforcement, dispatch-time policy evaluation, identity attestation, and tamper-evident audit. This document establishes the connection between those two layers: where IEEE P2863 states what an organization must govern, SDOS provides the technical mechanism by which that governance is enforced.

This alignment document tracks IEEE P2863 based on its publicly available scope, abstract, and stated governance principles. Clause-level mapping will be refined as the standard progresses through balloting and publication. Organizations evaluating SDOS against IEEE P2863 should treat this document as a forward-looking alignment reference, not a conformance determination against a finalized standard.

Why track a draft standard? Organizations building AI governance infrastructure today cannot afford to wait for standards bodies to finalize. IEEE P2863 has been in active development for six years and reflects emerging consensus on organizational AI governance requirements. SDOS was designed to operationalize exactly the kind of accountability, oversight, and auditability obligations that P2863 addresses. Tracking alignment now positions SDOS users to demonstrate readiness when the standard publishes.


Applicability

This document applies to organizations implementing IEEE 2863 governance obligations that include agentic AI workflows. It is relevant when:

  • The organization is implementing IEEE 2863 accountability and oversight requirements and needs a technical enforcement layer that produces verifiable governance evidence, or
  • An AI governance team is mapping organizational policy obligations to operational controls for audit purposes, or
  • A board-level AI governance review requires evidence that runtime operations conform to organizational policy, or
  • The organization operates autonomous or semi-autonomous AI agent workflows where dispatch-time enforcement is the primary governance mechanism.

IEEE 2863 is an organizational governance standard. Clauses addressing leadership commitment, organizational context, and culture are primarily organizational obligations outside the operational boundary of a runtime governance framework. This document focuses on the clauses where SDOS runtime controls provide direct technical evidence of compliance.


SDOS Control Catalog Summary

The full control catalog with per-control descriptions, evidence types, and related control dependencies is published at /sdos/reference/v1/. The 24 SDOS controls comprising the public runtime control set are:

Control ID Title
SDOS-GV-01 Configuration-Governed Module Activation
SDOS-GV-02 Governance-Tiered Model Selection
SDOS-GV-03 Default-Deny Pre-Admission Policy
SDOS-GV-04 Cross-Module Governance Continuity
SDOS-GV-05 Model-Alignment-Independent Policy Enforcement
SDOS-RM-01 Dispatch-Time Risk Classification
SDOS-RM-02 Complexity-Tiered Resource Allocation
SDOS-RM-03 Risk-Floor Model Binding
SDOS-AD-01 Default-Deny Agent Pre-Admission
SDOS-IA-01 Attested Agent Identity
SDOS-IA-02 Attested Module Identity
SDOS-IN-01 Governance Baseline Integrity Verification
SDOS-IN-02 Baseline Drift Detection and System Halt
SDOS-IN-03 Module Manifest Integrity
SDOS-EN-01 Pre-Egress Policy Enforcement
SDOS-EN-02 Subordinate-Side Enforcement Gate
SDOS-EN-03 Fail-Closed Degradation
SDOS-EN-04 Governed Egress with Tamper-Evident Audit
SDOS-AU-01 Per-Invocation Audit Record
SDOS-AU-02 Append-Only Audit Log Integrity
SDOS-AU-03 Dual Audit Trail
SDOS-DE-01 Governed Multi-Agent Deliberation
SDOS-DE-02 Convergence-Based Decision Record
SDOS-RS-01 Governed Return on Safety Investment (ROSI) Evaluation

How to Use This Document

Assessor Use Notice

Mapping strength reflects the framework's design coverage of the cited requirement. Operating effectiveness is a property of a specific deployment and must be tested per engagement. Assessors should treat all mappings as control-design assertions requiring implementation verification — including evidence collection, sample selection, and testing against the assessor's own audit objective. The strength rating is the starting point for an assessor's testing plan, not a substitute for it.

Mapping Strength Key

Rating Meaning
Direct SDOS control directly implements the cited IEEE 2863 requirement as its primary function
Supportive SDOS control contributes evidence toward the cited requirement but does not fully satisfy it alone
Partial SDOS control addresses a subset of the cited requirement; organizational controls required for full coverage

IEEE P2863 Governance Principles (Draft)

IEEE P2863 is structured around a set of organizational governance Principles and Processes derived from its publicly stated scope. The draft describes governance obligations across the following areas (based on publicly available P2863 scope and abstract — clause identifiers marked [TBC] pending standard publication):

Area Description
Organizational context Scope of AI governance, organizational AI inventory, risk appetite
Leadership and accountability Board-level AI accountability, roles and responsibilities, oversight structures
Planning and risk management AI risk identification, treatment, and residual risk acceptance
Support and resources Policies, competence, awareness, and governance tooling
Operation and oversight Operational controls, pre-execution authorization, capability governance
Performance evaluation Audit, monitoring, performance measurement, and effectiveness review
Improvement and incident response Detection, response, corrective action, and governance re-authorization

The following section maps SDOS runtime controls to these governance areas. Clause identifiers will be updated to match the finalized standard structure upon publication.


Control Mapping

Accountability and Policy Governance

IEEE 2863 Clause Clause Title (TBC) SDOS Controls Strength
5.x AI governance policy and organizational accountability SDOS-GV-01, SDOS-GV-03, SDOS-GV-05 Direct
5.x Roles and responsibilities for AI oversight SDOS-IA-01, SDOS-IA-02, SDOS-GV-04 Direct
5.x Policy enforcement and change control SDOS-GV-01, SDOS-IN-01, SDOS-IN-02 Direct
6.x AI risk identification and treatment SDOS-RM-01, SDOS-RM-02, SDOS-RM-03 Direct
6.x Risk-based decision authority SDOS-GV-02, SDOS-RM-01, SDOS-AD-01 Direct

Operational Oversight and Enforcement

IEEE 2863 Clause Clause Title (TBC) SDOS Controls Strength
8.x Operational controls for AI systems SDOS-EN-01, SDOS-EN-02, SDOS-EN-03 Direct
8.x Pre-execution authorization and admission SDOS-AD-01, SDOS-GV-03, SDOS-IA-01 Direct
8.x Model selection and capability governance SDOS-GV-02, SDOS-RM-02, SDOS-RM-03 Direct
8.x Integrity of governance configuration SDOS-IN-01, SDOS-IN-02, SDOS-IN-03 Direct
8.x Fail-safe behavior under system degradation SDOS-EN-03, SDOS-IN-02 Direct

Transparency and Auditability

IEEE 2863 Clause Clause Title (TBC) SDOS Controls Strength
9.x Audit and record-keeping for AI operations SDOS-AU-01, SDOS-AU-02, SDOS-AU-03 Direct
9.x Tamper-evident records for governance decisions SDOS-EN-04, SDOS-AU-02 Direct
9.x Performance measurement and governance effectiveness SDOS-RS-01, SDOS-AU-01, SDOS-AU-03 Supportive
9.x Multi-stakeholder deliberation and decision records SDOS-DE-01, SDOS-DE-02 Supportive

Incident Response and Improvement

IEEE 2863 Clause Clause Title (TBC) SDOS Controls Strength
10.x Detection and response to AI governance failures SDOS-IN-02, SDOS-EN-03, SDOS-AU-03 Direct
10.x Incident logging and chain-of-custody preservation SDOS-AU-01, SDOS-AU-02, SDOS-EN-04 Direct
10.x Corrective action and baseline re-authorization SDOS-IN-01, SDOS-IN-02, SDOS-GV-01 Supportive

Relationship to Other SDOS Framework Alignments

IEEE P2863 occupies the organizational governance layer — it defines what boards and senior leadership must govern. ISO 42001 occupies the management system layer — it defines how that governance is built and maintained. NIST AI RMF 1.0 occupies the risk management layer — it defines how AI risk is identified, measured, and treated.

SDOS runtime controls provide the operational enforcement layer that serves all three:

Framework Layer SDOS Role
IEEE P2863 (draft) Organizational governance Technical enforcement of accountability and oversight obligations
ISO 42001:2023 Management system Operational controls that satisfy AIMS technical requirements
NIST AI RMF 1.0 Risk management Runtime enforcement mapped to GOVERN / MAP / MEASURE / MANAGE functions
NIST CSF 2.0 Cybersecurity framework Control evidence for IDENTIFY / PROTECT / DETECT / RESPOND / RECOVER
NIST SP 800-53 Rev 5.2.0 Security control catalog Per-control mapping to SP 800-53 control families

This layered relationship means SDOS runtime evidence satisfies requirements across all five frameworks simultaneously — a single governed operation produces audit trail records that are relevant to IEEE 2863 accountability, ISO 42001 operational controls, and NIST AI RMF risk management all at once.


OLIR Submission Notes


Maintenance

This document is maintained by AAM Cyber. Version 1.10 is the canonical SDOS version. This alignment document will be updated when: (1) SDOS controls are added or retired, (2) IEEE P2863 publishes as a final standard, or (3) the draft is revised with material changes to its governance principles.

Current status: DRAFT-TRACKING — published as a forward-looking alignment reference. IEEE P2863 is an active draft (Active PAR, not yet balloted or published). Clause IDs marked [TBC] will be resolved upon standard publication. This page is intentionally published in advance of the standard's finalization to demonstrate SDOS readiness against emerging IEEE AI governance requirements.


Contact

AAM Cyber aamcyber.com

Framework alignment inquiries: [email protected]


Intellectual Property

The SDOS Runtime Governance Framework was invented by Pharns Genece. Aspects of the framework are the subject of pending U.S. Provisional Patent Applications 64/029,300, 64/049,300, 64/067,427, 64/069,200, and 64/076,620. AAM Cyber, all rights reserved unless otherwise indicated.


SDOS Runtime Governance Framework — IEEE P2863 Draft Alignment. Draft-tracking — 2026-05-17.