SDOS Runtime Governance Framework — ISO 42001 Alignment¶
SDOS Version: 1.9
Standard: ISO/IEC 42001:2023 — Artificial Intelligence Management System
Published: December 2023
Document Date: 2026-05-03
Authoring Organization: AAM Cyber (aamcyber.com)
Inventor: Pharns Genece
SDOS Control Catalog: View full control definitions
Purpose¶
This document maps the controls of the SDOS Runtime Governance Framework to ISO/IEC 42001:2023. It is intended to assist AI governance leads, CISOs, and quality management teams evaluating SDOS as a technical control layer within an ISO 42001 Artificial Intelligence Management System (AIMS).
This is an informative alignment document. It does not constitute an ISO 42001 certification assessment or a determination of AIMS conformance. Organizations must engage accredited certification bodies for formal ISO 42001 certification audits.
Applicability¶
This document applies to organizations building or operating an ISO 42001 AIMS that includes agentic AI workflows. It is relevant when:
- The organization is implementing Clause 8 (Operation) controls that address AI system deployment and monitoring, or
- The AIMS scope includes agentic AI systems where runtime enforcement is required, or
- A conformance team is documenting how technical controls satisfy ISO 42001 Annex A objectives.
This document focuses on ISO 42001's operational and technical clauses. Management system clauses addressing leadership, context of the organization, and planning (Clauses 4–6) are largely organizational obligations outside the operational boundary of a runtime governance framework.
SDOS Control Catalog Summary¶
The full control catalog with per-control descriptions, evidence types, and related control dependencies is published at /sdos/reference/v1/. The 24 SDOS controls comprising the public runtime control set are:
| Control ID | Title |
|---|---|
| SDOS-GV-01 | Configuration-Governed Module Activation |
| SDOS-GV-02 | Governance-Tiered Model Selection |
| SDOS-GV-03 | Default-Deny Pre-Admission Policy |
| SDOS-GV-04 | Cross-Module Governance Continuity |
| SDOS-GV-05 | Model-Alignment-Independent Policy Enforcement |
| SDOS-RM-01 | Dispatch-Time Risk Classification |
| SDOS-RM-02 | Complexity-Tiered Resource Allocation |
| SDOS-RM-03 | Risk-Floor Model Binding |
| SDOS-AD-01 | Default-Deny Agent Pre-Admission |
| SDOS-IA-01 | Attested Agent Identity |
| SDOS-IA-02 | Attested Module Identity |
| SDOS-IN-01 | Governance Baseline Integrity Verification |
| SDOS-IN-02 | Baseline Drift Detection and System Halt |
| SDOS-IN-03 | Module Manifest Integrity |
| SDOS-EN-01 | Pre-Egress Policy Enforcement |
| SDOS-EN-02 | Subordinate-Side Enforcement Gate |
| SDOS-EN-03 | Fail-Closed Degradation |
| SDOS-EN-04 | Governed Egress with Tamper-Evident Audit |
| SDOS-AU-01 | Per-Invocation Audit Record |
| SDOS-AU-02 | Append-Only Audit Log Integrity |
| SDOS-AU-03 | Dual Audit Trail |
| SDOS-DE-01 | Governed Multi-Agent Deliberation |
| SDOS-DE-02 | Convergence-Based Decision Record |
| SDOS-RS-01 | Governed Return on Safety Investment (ROSI) Evaluation |
How to Use This Document¶
Assessor Use Notice¶
Mapping strength reflects the framework's design coverage of the cited requirement. Operating effectiveness is a property of a specific deployment and must be tested per engagement. Assessors should treat all mappings as control-design assertions requiring implementation verification — including evidence collection, sample selection, and testing against the assessor's own audit objective. The strength rating is the starting point for an assessor's testing plan, not a substitute for it.
Mapping Strength Legend¶
| Rating | Meaning |
|---|---|
| Strong | SDOS provides a direct, mechanism-specific technical implementation of the ISO 42001 control. |
| Partial — [qualifier] | SDOS addresses a defined subset. The qualifier identifies what is covered and what requires additional controls. |
| Weak — Substrate Only | SDOS produces data or infrastructure that enables conformance but does not itself satisfy the control. |
| Out of Scope | The control falls entirely outside the operational boundary of a runtime governance framework. |
ISO 42001 Structure Reference¶
ISO 42001 is organized as a management system standard following the ISO High-Level Structure (HLS):
| Section | Content |
|---|---|
| Clauses 4–6 | Context, Leadership, Planning — organizational obligations |
| Clause 7 | Support — resources, competence, awareness, documentation |
| Clause 8 | Operation — AI system lifecycle, risk treatment, deployment |
| Clause 9 | Performance Evaluation — monitoring, audit, review |
| Clause 10 | Improvement — nonconformity, corrective action |
| Annex A | AI controls (A.2–A.10) — referenced in Clause 6.1 risk treatment |
Glossary¶
| Term | Definition |
|---|---|
| AIMS | Artificial Intelligence Management System — the ISO 42001 framework for governing AI development and use |
| AI system | An engineered system that generates outputs such as predictions, recommendations, decisions, or content |
| AI system impact assessment | ISO 42001's structured process for evaluating AI system effects on individuals and society |
| Point of dispatch | The moment a task is assigned to an agent before tool execution; the primary SDOS enforcement boundary |
| Governed egress | Outbound operations subject to pre-execution policy enforcement before results are returned |
| Fail-closed degradation | SDOS-EN-03 defines three failure modes: (1) infrastructure unavailability — pre-authorized operations may continue under a documented degradation policy; (2) baseline integrity failure — all governed operations halt immediately; (3) partial-degradation states governed by an integrity-verified degradation policy. See EN-03 control definition. |
Scope Statement¶
SDOS operates at the point of dispatch. In an ISO 42001 AIMS context, SDOS implements the operational and technical controls required by Clause 8 and Annex A — specifically those governing how AI systems are deployed, what they are permitted to do, and how their operations are recorded.
Within scope: AI system operational controls (Clause 8), monitoring and measurement (Clause 9.1), and Annex A technical controls (A.6 Data, A.7 Information for Interested Parties, A.8 Use of AI Systems, A.9 Human Oversight, A.10 Documentation and Configuration).
Outside SDOS Operational Boundary (must be addressed by complementary organizational controls):
| Clause / Annex | Content | Why Out of Scope |
|---|---|---|
| Clause 4 | Context of the organization | Organizational/governance obligation |
| Clause 5 | Leadership | Executive and board-level obligation |
| Clause 6 | Planning | Risk planning — pre-deployment |
| Clause 7 | Support | Competence, resources, communication |
| Annex A.3 | Responsibilities for AI systems | Accountability assignment — organizational |
| Annex A.4 | Impact assessment | Risk assessment process — pre-deployment |
| Annex A.5 | AI system lifecycle | SDLC controls — pre-deployment |
Strongest Alignment: Clause 8 and Annex A.6.2 / A.9¶
Clause 8.4 — AI System Operation
ISO 42001 Clause 8.4 requires that organizations implement controls to ensure AI systems operate within defined boundaries and that outputs are monitored. SDOS directly implements this at the dispatch layer:
- SDOS-GV-01 ensures AI systems operate only within explicitly configured module boundaries.
- SDOS-EN-01 and SDOS-EN-02 enforce operational boundaries at the pre-egress and subordinate module levels.
- SDOS-GV-05 ensures enforcement is independent of model alignment — policy applies regardless of AI behavior.
Annex A.9 — Use of AI Systems
Annex A.9 controls require that AI systems are used within their intended purpose and that deviations are detected. SDOS implements:
- SDOS-RM-01 classifies every task at dispatch against defined risk tiers, providing a continuous intended-purpose boundary check.
- SDOS-GV-03 and SDOS-AD-01 enforce that only registered, admitted agents operate — preventing use outside intended scope.
- SDOS-IN-01 and SDOS-IN-02 detect drift from the governance baseline, surfacing deviations before they propagate.
Annex A.6.2 — AI System Lifecycle (Verification and Operation)
Annex A.6.2 requires verification, validation, deployment, operation, and event-log recording controls. SDOS provides:
- SDOS-EN-03 implements fail-closed degradation — when governance infrastructure is unavailable, operations halt rather than continuing unmonitored.
- SDOS-AU-01, SDOS-AU-02, and SDOS-AU-03 produce tamper-evident audit records that enable human review of all AI agent operations.
- SDOS-DE-01 (Deliberation domain) provides governed multi-agent deliberation — structured evaluation by multiple agents with panel composition defined by governance policy rather than agent self-selection. Convergence is a deliberation signal, not a human oversight substitute; DE-01 supports but does not replace the human oversight obligations in A.9.
Clause 9.1 — Monitoring, Measurement, Analysis, and Evaluation
Clause 9.1 requires continuous monitoring of AI system performance and conformance. SDOS provides:
- SDOS-AU-01 generates per-invocation records that feed monitoring and measurement workflows.
- SDOS-IN-01 and SDOS-IN-02 provide automated baseline integrity verification with halt response on detected drift.
- SDOS-RM-01 and SDOS-RM-02 provide continuous dispatch-time risk classification data.
Full Mapping Table¶
Note: Annex A sub-clause numbers (A.6.2.x, A.7.x, A.8.x, A.9.x) reflect the ISO/IEC 42001:2023 structure as applied during the v1.1 alignment pass. Organizations conducting formal AIMS conformance assessments should verify Annex A sub-clause numbers against their licensed copy of the standard, as sub-clause numbering is not reproduced in public-access sources.
| ISO 42001 Clause / Annex | SDOS Controls | Mapping Strength | Notes |
|---|---|---|---|
| 8.3 AI risk treatment | RM-01, RM-02, RM-03 | Partial — Runtime Treatment Measures | Dispatch-time risk classification (RM-01), complexity-tiered resource allocation (RM-02), and risk-floor binding (RM-03) implement risk treatment measures at execution. Clause 8.3's treatment planning obligations — identifying treatment options, evaluating alternatives, documenting treatment plans — are organizational processes that precede and surround runtime enforcement. |
| 8.4 AI system operation | GV-01, EN-01, EN-02, GV-05 | Strong | Config-governed activation + pre-egress enforcement + model-alignment-independent policy = operational boundary enforcement. Clause 8.4 is the tightest ISO 42001 fit for SDOS: runtime enforcement of operational boundaries is the core SDOS function. |
| 8.5 AI system documented information | AU-01, AU-02, AU-03 | Partial — Operational Event Records | Per-invocation audit records (AU-01), append-only integrity (AU-02), and dual trail (AU-03) produce the operational event logs required by Clause 8.5. Clause 8.5's full documented information obligation spans procedure documentation, AI system documentation, and records across the AIMS lifecycle — SDOS satisfies the operational event-record component. |
| 9.1 Monitoring, measurement, analysis, evaluation | AU-01, IN-01, IN-02, RM-01 | Strong | Continuous audit generation + baseline drift detection + dispatch-time classification = monitoring substrate |
| 9.2 Internal audit | AU-01, AU-02, IN-01 | Partial — audit data | SDOS generates auditable records and baseline state; formal internal audit program is an organizational obligation |
| 9.3 Management review | AU-01, AU-03, IN-01 | Weak — Substrate Only | SDOS provides evidence for management review; the review process itself is organizational |
| 10.2 Nonconformity and corrective action | IN-02, EN-03, AU-01 | Partial — detection scope | Baseline drift detection + fail-closed halt = nonconformity detection; corrective action process is organizational |
| A.7.2 Data for AI systems | GV-01, EN-01, AU-01 | Partial — dispatch scope | Dispatch-time access policy + pre-egress enforcement cover AI agent data access; data storage governance is out of scope |
| A.7.3 Acquisition of data | AU-01, RM-01 | Weak — Substrate Only | SDOS logs data access at dispatch; risk classification identifies tasks where data quality is high-impact but does not assess or validate data quality directly. Data quality and acquisition governance are pre-deployment obligations. |
| A.7.4 Quality of data for AI systems | AU-01, RM-01 | Weak — Substrate Only | SDOS does not assess or validate data quality. Quality controls operate pre-deployment. |
| A.6.2.4 Verification and validation of the AI system | IN-01, IN-02, IN-03 | Strong | Governance baseline integrity + drift detection + module manifest integrity = operational verification at dispatch |
| A.6.2.6 AI system deployment | GV-01, GV-03, AD-01 | Strong | Configuration-governed activation + default-deny admission = governed deployment behavior |
| A.6.2.8 AI system recording of event logs | AU-01, AU-02, AU-03, EN-04 | Strong | Per-invocation records + append-only integrity + tamper-evident egress audit = complete operation log substrate |
| A.9.2 Processes for responsible use of AI systems | RM-01, GV-03, AD-01 | Partial — Runtime Enforcement Layer | Dispatch-time risk classification (RM-01) and default-deny admission (GV-03, AD-01) provide the runtime enforcement layer for A.9.2's responsible-use requirement. A.9.2's full scope includes acceptable-use policy definition and user training — organizational obligations outside SDOS boundary. |
| A.9.3 Objectives for responsible use of AI systems | EN-03, AU-01, AU-02 | Partial — Technical Measures | Fail-closed degradation + tamper-evident audit support responsible-use objectives; the objectives themselves are organizational |
| A.9.4 Intended use of the AI system | RM-01, GV-01, GV-02 | Strong | Dispatch-time risk classification + configuration-governed module activation enforce intended-use boundaries at runtime |
| A.8.2 External reporting | AU-01, AU-02, AU-03 | Partial — audit scope | Tamper-evident audit records provide evidence for external reporting; communication obligations are organizational |
| A.8.3 Communication of incidents | AU-01, IN-01, IN-02 | Weak — Substrate Only | SDOS produces detection signals; communication procedures and channels are organizational |
| A.10 Documentation of AI systems | AU-01, AU-02, AU-03, GV-01 | Partial — Operational Records | A.10 requires documentation of AI systems including their purpose, design characteristics, and operational logs. SDOS produces the operational event-record layer (AU-01/02/03) and configuration documentation (GV-01); AI system design documentation and purpose records are pre-deployment organizational obligations outside SDOS scope. |
Mapping by SDOS Domain¶
Governance (GV)¶
| Control | ISO 42001 Relevance |
|---|---|
| SDOS-GV-01 — Configuration-Governed Module Activation | Clause 8.4: AI system operation within defined boundaries; A.6.2.6: deployment governance |
| SDOS-GV-02 — Governance-Tiered Model Selection | A.9.2/A.9.4: intended-use tiering |
| SDOS-GV-03 — Default-Deny Pre-Admission Policy | A.9.2: intended-use boundary enforcement |
| SDOS-GV-04 — Cross-Module Governance Continuity | A.6.2.6: deployment continuity across module boundaries |
| SDOS-GV-05 — Model-Alignment-Independent Policy Enforcement | Clause 8.4: operational boundary enforcement independent of model behavior |
Risk Management (RM)¶
| Control | ISO 42001 Relevance |
|---|---|
| SDOS-RM-01 — Dispatch-Time Risk Classification | Clause 8.3: operational risk treatment; A.9.2/A.9.4: continuous intended-use verification |
| SDOS-RM-02 — Complexity-Tiered Resource Allocation | Clause 8.3: risk-proportionate resource allocation |
| SDOS-RM-03 — Risk-Floor Model Binding | A.9.2: minimum capability floor as risk treatment |
Enforcement (EN)¶
| Control | ISO 42001 Relevance |
|---|---|
| SDOS-EN-01 — Pre-Egress Policy Enforcement | Clause 8.4: operational boundary enforcement |
| SDOS-EN-02 — Subordinate-Side Enforcement Gate | Clause 8.4: secondary boundary enforcement at module level |
| SDOS-EN-03 — Fail-Closed Degradation | A.9.3: responsible-use technical measures |
| SDOS-EN-04 — Governed Egress with Tamper-Evident Audit | A.6.2.8: event log recording for every governed output |
Identity and Attestation (IA)¶
| Control | ISO 42001 Relevance |
|---|---|
| SDOS-IA-01 — Attested Agent Identity | A.6.2.6: deployed agent identification; A.9.3: accountability chain |
| SDOS-IA-02 — Attested Module Identity | A.6.2.6: module identity is verified before activation |
Audit (AU)¶
| Control | ISO 42001 Relevance |
|---|---|
| SDOS-AU-01 — Per-Invocation Audit Record | Clause 9.1: monitoring substrate; A.6.2.8: event log recording |
| SDOS-AU-02 — Append-Only Audit Log Integrity | A.6.2.8: tamper-protection for operation logs |
| SDOS-AU-03 — Dual Audit Trail | A.6.2.8/A.8.2: redundant logs for review and reporting |
Integrity (IN)¶
| Control | ISO 42001 Relevance |
|---|---|
| SDOS-IN-01 — Governance Baseline Integrity Verification | A.6.2.4: verification of governance configuration |
| SDOS-IN-02 — Baseline Drift Detection and System Halt | Clause 10.2: nonconformity detection with halt response |
| SDOS-IN-03 — Module Manifest Integrity | A.6.2.4: integrity verification before module activation |
Deliberation (DE)¶
| Control | ISO 42001 Relevance |
|---|---|
| SDOS-DE-01 — Governed Multi-Agent Deliberation | A.9.3: responsible-use technical measure (deliberation signal, not human oversight substitute) |
| SDOS-DE-02 — Convergence-Based Decision Record | A.9.2/A.9.3: intended-use monitoring; Clause 9.1: performance evaluation |
Admission (AD)¶
| Control | ISO 42001 Relevance |
|---|---|
| SDOS-AD-01 — Default-Deny Agent Pre-Admission | A.9.2: default-deny as intended-use enforcement foundation |
Risk Measurement (RS)¶
| Control | ISO 42001 Relevance |
|---|---|
| SDOS-RS-01 — Governed ROSI Evaluation | Clause 9.1: monitoring, measurement, analysis, and evaluation — RS-01 provides quantified evidence that governance overhead produces measurable risk reduction, directly supporting the AIMS performance evaluation obligation; A.9.2: operational data supporting responsible-use process review |
ISO 42001 Alignment Differentiated: The Deliberation Domain¶
ISO 42001 is the only framework in the SDOS alignment library where the Deliberation (DE) domain has a strong alignment path. Where CIS Controls v8, DORA, and PCI-DSS have no analog for multi-model deliberation, ISO 42001 Annex A.9 (Human Oversight) and A.8.2 (Intended Use) directly support DE domain controls.
This is architecturally significant: ISO 42001 was designed for AI systems specifically. Frameworks like PCI-DSS and HIPAA govern environments where AI might operate. ISO 42001 governs AI itself — creating a tighter fit with AI-native controls like deliberation, bias detection, and alignment-independent enforcement.
Relationship to Other Frameworks¶
SDOS is also mapped to NIST AI RMF 1.0, EU AI Act, DORA, HIPAA, PCI-DSS v4.0, and CIS Controls v8. For organizations pursuing multi-framework alignment, SDOS controls address overlapping technical requirements simultaneously.
ISO 42001 and the EU AI Act have significant structural overlap. Organizations subject to both should note that the EU AI Act's high-risk AI system requirements (Article 9 risk management, Article 12 logging, Article 14 human oversight) map to the same SDOS controls that satisfy ISO 42001 Clause 8 and Annex A.8/A.9.
Full NIST AI RMF mapping: SDOS Control Catalog and Reference Document v1.10
Architectural Positioning¶
SDOS operates at the dispatch-time enforcement layer — the moment immediately before an AI agent invokes a tool, makes a decision, or produces an output. The SDOS framework does not replace organizational, physical, or personnel cybersecurity controls. It provides a runtime layer that enforces governance policy at the boundary where AI agents act, adding an architectural layer of cybersecurity assurance for AI-augmented operations.
For alignment purposes, SDOS supports the operational and technical requirements addressing how AI-driven cyber operations are deployed, monitored, and audited. Requirements addressing the organizational, physical, or personnel layer fall outside the SDOS scope and require separate controls.
Maintenance¶
This document is maintained by AAM Cyber as part of the SDOS Reference Library. The library currently covers 17 framework alignments: NIST AI RMF 1.0, NIST CSF 2.0, NIST SP 800-53 Rev 5.2.0, NIST AI 600-1, EU AI Act, DORA, HIPAA, PCI-DSS v4.0, CIS Controls v8, ISO 42001, FedRAMP Rev 5, CMMC 2.0, SOC 2, NAIC MDL-668, NERC CIP, IEEE P2863 (draft), and FAA UAS/AAM (principles-mapped). Version history for every framework alignment is published at /sdos/reference/changelog/.
Subsequent updates to this alignment page will be issued when: (1) screening feedback from a recognized standards body requires revision, (2) the focal framework releases a revision requiring mapping review, or (3) SDOS controls are added or retired affecting the alignment.
Intellectual Property¶
The SDOS Runtime Governance Framework was invented by Pharns Genece. Aspects of the framework are the subject of pending U.S. Provisional Patent Applications 64/029,300, 64/049,300, 64/067,427, 64/069,200, and 64/076,620. The scope of pending claims is defined by the as-filed specifications and is not coextensive with the descriptions in this control catalog. AAM Cyber, all rights reserved unless otherwise indicated.
Patent inquiries should be directed to AAM Cyber at aamcyber.com.
Contact¶
AAM Cyber
aamcyber.com
Questions about SDOS framework alignment with ISO 42001 requirements: [email protected]
SDOS Runtime Governance Framework — ISO/IEC 42001:2023 Alignment. Version 1.3. Published 2026-05-03.