Skip to content

SDOS Runtime Governance Framework — NERC CIP Alignment

Control Mapping to NERC Critical Infrastructure Protection (CIP) Standards

SDOS Version: 1.9
Standards: NERC CIP-002 through CIP-014 (currently enforceable standards as of 2026)
Enforcing Entity: North American Electric Reliability Corporation (NERC); enforced by FERC under 16 U.S.C. § 824o
Applicability: Owners, operators, and users of the North American bulk electric system (BES)
Document Date: 2026-05-12
Authoring Organization: AAM Cyber (aamcyber.com)
Inventor: Pharns Genece

SDOS Control Catalog: View full control definitions


Purpose

This document maps the controls of the SDOS Runtime Governance Framework to the requirements of the NERC Critical Infrastructure Protection (CIP) standards as they apply to AI agent operations within bulk electric system environments. It is intended to assist asset owners, reliability coordinators, transmission operators, and GRC teams evaluating SDOS as a technical governance layer for AI systems deployed within or adjacent to BES Cyber Systems.

NERC CIP was written for the operational technology (OT) environment. AI agents are entering that environment — not as generalist IT tools, but as purpose-built systems for grid operations, energy management, anomaly detection, predictive maintenance, and outage response. Each of these deployments creates a governed autonomous execution surface that NERC CIP's security management controls were not designed to address directly. SDOS fills that gap.

NERC CIP violations carry civil penalties enforced by FERC of up to $1 million per violation per day — making compliance documentation and technical control evidence directly material to regulatory exposure.

This is an informative alignment document. It does not constitute a NERC CIP compliance certification, a FERC filing, or legal advice. NERC CIP compliance determinations must be made through a registered entity's internal compliance program and, where required, through NERC and Regional Entity oversight. This document supports the analysis — it does not replace it.


Applicability

This document applies to registered entities and asset owners that deploy agentic AI workflows within or in communication with BES Cyber Systems — including High, Medium, or Low Impact assets as classified under CIP-002. It is relevant when:

  • An AI agent operates within an Electronic Security Perimeter (ESP) or has access to a BES Cyber System through an Electronic Access Point (EAP), or
  • The entity is evaluating whether a runtime governance layer provides technical controls relevant to CIP-003, CIP-005, CIP-007, CIP-010, CIP-012, or CIP-013 requirements, or
  • A supply chain review under CIP-013 includes AI model providers or agentic workflow vendors as vendors in scope.

Important scope clarification: SDOS governs AI agent dispatch — the decision of whether and how an agent operates. It does not configure, operate, or directly interface with BES Cyber Assets. SDOS controls the governance layer above the execution layer. This distinction is material: SDOS is not a BES Cyber System and does not replace the OT-layer security controls required under CIP. It governs the AI agents that may operate within or adjacent to that layer.

Out-of-scope by design: Physical security (CIP-006), incident response reporting obligations (CIP-008 notification requirements), recovery planning (CIP-009 restoration), and personnel risk assessments (CIP-004) are organizational obligations that fall entirely outside the operational boundary of a runtime governance framework.

SDOS Control Catalog Summary

The full control catalog with per-control descriptions, evidence types, and related control dependencies is published at /sdos/reference/v1/. The 24 SDOS controls comprising the public runtime control set are:

Control ID Title
SDOS-GV-01 Configuration-Governed Module Activation
SDOS-GV-02 Governance-Tiered Model Selection
SDOS-GV-03 Default-Deny Pre-Admission Policy
SDOS-GV-04 Cross-Module Governance Continuity
SDOS-GV-05 Model-Alignment-Independent Policy Enforcement
SDOS-RM-01 Dispatch-Time Risk Classification
SDOS-RM-02 Complexity-Tiered Resource Allocation
SDOS-RM-03 Risk-Floor Model Binding
SDOS-AD-01 Default-Deny Agent Pre-Admission
SDOS-IA-01 Attested Agent Identity
SDOS-IA-02 Attested Module Identity
SDOS-IN-01 Governance Baseline Integrity Verification
SDOS-IN-02 Baseline Drift Detection and System Halt
SDOS-IN-03 Module Manifest Integrity
SDOS-EN-01 Pre-Egress Policy Enforcement
SDOS-EN-02 Subordinate-Side Enforcement Gate
SDOS-EN-03 Fail-Closed Degradation
SDOS-EN-04 Governed Egress with Tamper-Evident Audit
SDOS-AU-01 Per-Invocation Audit Record
SDOS-AU-02 Append-Only Audit Log Integrity
SDOS-AU-03 Dual Audit Trail
SDOS-DE-01 Governed Multi-Agent Deliberation
SDOS-DE-02 Convergence-Based Decision Record
SDOS-RS-01 Governed Return on Safety Investment (ROSI) Evaluation

How to Use This Document

Assessor Use Notice

Mapping strength reflects the framework's design coverage of the cited requirement. Operating effectiveness is a property of a specific deployment and must be tested per engagement. NERC CIP requirements vary by impact classification (High, Medium, Low) and applicable systems. Assessors should treat all mappings as control-design assertions requiring implementation verification — including evidence collection, sample selection, and testing against the assessor's own audit program under NERC's Reliability Standards Audit Worksheet (RSAW) methodology. The strength rating is the starting point for a compliance analysis, not a substitute for it.

Mapping Strength Legend

Rating Meaning
Strong SDOS provides a direct, mechanism-specific technical implementation of the cited requirement through observable runtime behavior.
Partial — [qualifier] SDOS addresses a defined subset of the requirement. The qualifier identifies which subset is covered and which requires additional controls.
Weak — Substrate Only SDOS produces data or infrastructure that enables compliance but does not itself satisfy the requirement.
Out of Scope The requirement falls entirely outside the operational boundary of a runtime governance framework.

Glossary

NERC CIP Terms

Term Definition as Used in This Document
BES Cyber System (BCS) One or more BES Cyber Assets logically grouped to perform one or more reliability tasks for a functional entity
BES Cyber Asset (BCA) A programmable electronic device and its communication networks that, if rendered unavailable, degraded, or misused, would within 15 minutes adversely impact the reliable operation of the BES
Electronic Security Perimeter (ESP) The logical border surrounding a network to which BES Cyber Systems are connected
Electronic Access Point (EAP) A point of access between an ESP and a network outside the ESP
Interactive Remote Access (IRA) User-initiated access by a person employing a remote access client or other remote access technology using a routable protocol
Transient Cyber Asset (TCA) A device directly connected to a BES Cyber System, a network within an ESP, or an External Routable Connectivity (ERC) for 30 consecutive calendar days or less
Physical Security Perimeter (PSP) The physical border surrounding locations of BES Cyber Systems, other Cyber Assets within an ESP, and Physical Access Control Systems
Cyber Vulnerability Any flaw, weakness, or misconfiguration that could be exploited or triggered inadvertently to result in a compromise of the reliability of the BES

SDOS Terms

Term Definition
Point of dispatch The moment a task is assigned to an agent and before any tool execution occurs; the primary SDOS enforcement boundary
Governed egress Outbound operations subject to pre-execution policy enforcement before results are returned
Fail-closed degradation SDOS-EN-03 defines three failure modes: (1) governance infrastructure unavailability — pre-authorized operations may continue under a documented degradation policy; (2) governance baseline integrity failure — all operations halt without exception; (3) partial-degradation states — governed by a documented degradation policy that is itself integrity-verified per IN-01. See control catalog for the full definition.
Governance baseline The authorized configuration state against which SDOS verifies integrity at startup and on demand

NERC CIP Structure Reference

NERC CIP currently comprises twelve enforceable standards (CIP-002 through CIP-014, excluding CIP-006 which was withdrawn in its original form and replaced by the physical security requirements consolidated in CIP-006-6). The standards with the strongest intersection with AI agent governance are:

Standard Title SDOS Relevance
CIP-003 Security Management Controls Security policies governing BES Cyber Systems; AI governance policy anchoring
CIP-005 Electronic Security Perimeters Access control at ESP boundary; AI agent as an EAP-adjacent access subject
CIP-007 System Security Management Ports and services, patch management, malicious code prevention, system access control, audit logs
CIP-010 Configuration Change Management and Vulnerability Management Baseline configuration, change control, vulnerability assessment, TCA protections
CIP-012 Communications between Control Centers Confidentiality and integrity of Real-time Assessment and monitoring data between applicable Control Centers; AI agents operating in communication paths
CIP-013 Supply Chain Risk Management Vendor risk management; AI model providers as supply chain actors

Mapping Table — CIP-003 (Security Management Controls)

CIP-003 requires each responsible entity to implement security management controls to protect BES Cyber Systems. For High and Medium Impact BCS, this includes a documented, board-approved cybersecurity policy. For Low Impact BCS, CIP-003-8 Attachment 1 requires: (1) cyber security awareness, (2) physical security controls, (3) electronic access controls, (4) cyber security incident response, and (5) transient cyber asset and removable media malicious code risk mitigation.

CIP-003 Requirement SDOS Controls Strength Notes
R1 — Senior Manager accountability for BES Cyber System cybersecurity policy RS-01, DE-01, DE-02 Weak — Substrate Only SDOS-RS-01 (Governed Return on Safety Investment Evaluation) generates structured governance effectiveness metrics that feed senior management reporting. SDOS-DE-01 and SDOS-DE-02 (Governed Multi-Agent Deliberation and Convergence-Based Decision Record) support structured AI-layer policy reviews: deliberation panels can assess AI governance posture, and the resulting decision records are auditable artifacts suitable for senior management review. Policy accountability and board-level oversight are organizational obligations
R2 — Delegation of cybersecurity authority GV-01, GV-04, DE-01, DE-02 Weak — Substrate Only Configuration-governed module activation (GV-01) and cross-module governance continuity (GV-04) provide an integrity-controlled record of which AI agent capabilities are authorized — supporting evidence of delegated authority at the AI layer. Governed deliberation panels (DE-01/DE-02) can produce structured assessments of AI capability scope that inform delegation decisions. Delegation of cybersecurity authority is an organizational governance process (board approval, named delegates, documented accountability chain) that SDOS does not implement
R3 — Annually review cybersecurity policies IN-01, IN-02 Weak — Substrate Only Governance baseline integrity verification and drift detection provide the continuous control-state record from which policy review is supported; the annual review process itself is an organizational obligation
CIP-003-8 Att. 1 Sec. 1 — Cyber Security Awareness Out of Scope Security awareness training is a personnel obligation; SDOS does not deliver or track awareness programs
CIP-003-8 Att. 1 Sec. 2 — Physical Security Controls for Low Impact BCS Out of Scope Physical access controls for Low Impact BCS locations are outside the SDOS operational boundary
CIP-003-8 Att. 1 Sec. 3 — Electronic Access Controls for Low Impact BCS GV-03, AD-01, IA-01, EN-01 Strong Default-deny pre-admission (GV-03), agent pre-admission gate (AD-01), attested agent identity (IA-01), and pre-egress enforcement (EN-01) collectively implement electronic access control at the AI agent dispatch boundary — limiting AI agent operations to explicitly admitted, cryptographically verified agents before any governed action executes
CIP-003-8 Att. 1 Sec. 5 — Transient Cyber Asset and Removable Media IA-01, IA-02, GV-03 Partial — Identity Gate Attested agent and module identity requirements mean that transient AI agents (e.g., agents invoked on-demand for a limited engagement) are subject to the same identity verification and admission controls as persistent agents; physical TCA handling and removable media malicious code controls are outside SDOS scope

Mapping Table — CIP-005 (Electronic Security Perimeters)

CIP-005 requires responsible entities to manage electronic access to High and Medium Impact BES Cyber Systems. The AI agent dispatch layer introduces a new class of access subject — an autonomous software entity that can invoke tools, read data, and produce operational outputs within or adjacent to an ESP.

CIP-005 Requirement SDOS Controls Strength Notes
R1.1 — Identify all applicable Electronic Access Points for each ESP GV-01, IA-01 Partial — Agent Surface Enumeration Configuration-governed module activation (GV-01) provides an enumerated, authorized list of which AI agent capabilities are active — the software analog of identifying EAPs. Attested agent identity (IA-01) ensures every agent operating within the governed boundary is identifiable. Network-layer EAP identification is an OT infrastructure obligation
R1.2 — Deny by default all inbound and outbound traffic except what is explicitly permitted GV-03, AD-01, EN-01, EN-02 Partial — AI Dispatch Boundary Only Default-deny pre-admission (GV-03) and agent pre-admission gate (AD-01) deny all AI agent operations by default; pre-egress enforcement (EN-01) and subordinate-side enforcement gate (EN-02) apply the same deny-by-default posture to outbound governed operations. CIP-005 R1.2 requires default-deny at the Electronic Access Point — a network perimeter control implemented in OT infrastructure. SDOS implements the same posture at the AI agent dispatch boundary, which is the layer above ESP access. Network-layer ESP access enforcement is an OT infrastructure obligation
R1.3 — Enable only ports and services required for operations GV-01, GV-05 Partial — AI-Layer Surface Minimization Configuration-governed module activation limits the active AI agent capability surface to explicitly authorized modules; model-alignment-independent policy enforcement (GV-05) ensures the restriction is structural. CIP-005 R1.3 addresses network ports and services on BES Cyber Systems — a network infrastructure control. SDOS restricts the AI agent capability surface, not network port configurations on BES Cyber Assets. The controls operate at analogous layers but are not mechanically equivalent
R1.4 — Where Interactive Remote Access is used, implement appropriate controls IA-01, IA-02, EN-01 Partial — Agent Identity Only When AI agents operate through interactive remote access paths, attested agent and module identity provide the identity substrate; pre-egress enforcement governs outbound operations. Human IRA controls (multi-factor authentication, encryption requirements under CIP-005 R2) are outside SDOS scope
R2 — Interactive Remote Access Management (MFA, encryption, intermediate system) IA-01 Weak — Substrate Only Attested agent identity contributes an identity artifact to the IRA session record; MFA for human remote access, intermediate system requirements, and encryption are OT infrastructure and human access controls outside SDOS scope

Mapping Table — CIP-007 (System Security Management)

CIP-007 is the broadest CIP standard from an AI governance perspective. It governs ports and services, software security (patch management, malicious code prevention), security event monitoring, and system access controls for High and Medium Impact BCS.

CIP-007 Requirement SDOS Controls Strength Notes
R1.1 — Enable only logical network accessible ports required for operations GV-01, GV-05 Partial — AI-Layer Surface Minimization Configuration-governed module activation restricts the AI agent capability surface to explicitly authorized modules; model-alignment-independent enforcement ensures the restriction is structural, not advisory. CIP-007 R1.1 addresses logical network ports on BES Cyber Systems — a network infrastructure control. SDOS minimizes the AI agent capability surface, not network port configurations on BES Cyber Assets
R2 — Security Patch Management (identify, assess, implement patches within 35 days for High/Medium) IN-01, IN-02, IN-03 Partial — Baseline Control Governance baseline integrity verification and drift detection ensure the governance layer itself operates from an integrity-controlled, known-good state. AI model versioning and patching (analogous to firmware/software patching under CIP-007 R2) requires a separate organizational patch management process for the AI models and governance infrastructure components
R3 — Malicious Code Prevention (deploy and monitor malicious code prevention tools) GV-05, EN-01, EN-03 Weak — Behavioral Gate Only Model-alignment-independent policy enforcement (GV-05) prevents AI agents from executing operations outside their authorized governance policy regardless of model-generated output content — a behavioral containment that does not substitute for malicious code prevention. CIP-007 R3 requires deployment of malicious code prevention tools (signature detection, endpoint protection). SDOS provides no signature scanning, no malware detection, and no EDR capability. The behavioral gate limits blast radius if a malicious input reaches the governance layer; it does not detect malicious code
R4.1 — Log events at the BES Cyber System level (authentication, command changes, etc.) AU-01, AU-02, AU-03 Strong Per-invocation audit record (AU-01) generates a structured log entry for every AI agent dispatch decision before any execution occurs; append-only log integrity (AU-02) prevents tampering; dual audit trail (AU-03) ensures log continuity. These controls constitute a complete security event logging implementation at the AI agent dispatch layer
R4.2 — Generate alerts for detected Cyber Security Incidents EN-01, EN-02, EN-03, AU-01 Partial — Dispatch Layer Event Records Pre-egress enforcement (EN-01) and subordinate-side gate (EN-02) generate a blocked-operation record for every denied AI agent action; fail-closed degradation (EN-03) halts and records when governance integrity fails; per-invocation audit records (AU-01) capture the full event detail. CIP-007 R4.2 requires alerts to reach a monitoring system or security staff — SDOS generates the event records from which external alerting is built; the alert delivery mechanism (SIEM integration, monitoring workflow) is a deployment-layer obligation outside the governance framework
R4.3 — Retain security event logs for 90 calendar days AU-02, AU-03 Partial — Integrity Mechanism Only SDOS-AU-02 (append-only integrity) and SDOS-AU-03 (dual audit trail) provide the tamper-evident, redundant logging infrastructure. Log retention policy enforcement — 90-day minimum, storage capacity management, archival — is an operational obligation outside the governance framework
R5.1 — Limit access only to authorized users (individual or role-based) GV-03, AD-01, IA-01, GV-02 Strong Default-deny pre-admission, agent pre-admission gate, and attested agent identity collectively limit AI agent access to explicitly admitted, cryptographically verified agents operating under authorized governance policy. Governance-tiered model selection (GV-02) ensures that when AI agents operate in access-relevant workflows, the model processing access decisions meets the minimum capability tier required for that decision class. No AI agent operates within the governed boundary without explicit admission. Coverage is scoped to the AI agent dispatch layer; human user account access controls are an OT infrastructure and organizational obligation.
R5.2 — Change default passwords before operational use; manage shared/service accounts IA-01, IA-02 Partial — Identity Only Attested agent and module identity provide verified identity at the AI dispatch boundary; credential management for service accounts used by the AI infrastructure is an operational security obligation outside SDOS scope
R5.3 — Annually review user accounts GV-01, IN-01 Partial — Roster Control Configuration-governed module activation maintains an explicit, integrity-verified list of authorized AI agent modules; governance baseline integrity verification detects unauthorized changes to that roster. Annual review of human user accounts and system service accounts is an organizational obligation
R5.4 — No shared or group accounts for Interactive Remote Access IA-01, IA-02, GV-04 Partial — AI Agent Identity Only Attested agent identity (IA-01) and module identity (IA-02) ensure every AI agent operating through governed remote access paths presents an individual, cryptographically verified identity — no two agents share a governance identity token. Cross-module governance continuity (GV-04) ensures the same identity policy applies uniformly across all modules. CIP-007 R5.4 prohibits shared accounts for human Interactive Remote Access; the AI-agent analog is individual agent identity, which SDOS enforces structurally. Human IRA account management is an OT infrastructure and organizational obligation
R5.5 — Limit unsuccessful authentication attempts for Interactive Remote Access AD-01, AU-01, GV-03 Partial — Admission Failure Logging Only Agent pre-admission gate (AD-01) halts agents that fail admission; per-invocation audit record (AU-01) captures every admission failure with agent identity, timestamp, and denial basis; default-deny pre-admission (GV-03) ensures no failed agent reaches execution. CIP-007 R5.5 requires lockout or alert mechanisms for unsuccessful human authentication attempts; SDOS generates a complete admission-failure audit record at the AI layer. Enforcement of session lockout after repeated failures for human IRA sessions is an OT infrastructure obligation

Mapping Table — CIP-010 (Configuration Change Management and Vulnerability Management)

CIP-010 requires responsible entities to manage changes to BES Cyber Systems and identify vulnerabilities in those systems. At the AI layer, configuration drift and unauthorized capability expansion are the analog risks.

CIP-010 Requirement SDOS Controls Strength Notes
R1.1 — Develop a baseline configuration for each BES Cyber System GV-01, GV-02, IN-01 Strong Configuration-governed module activation defines the authorized capability state — which modules are active, which governance rules apply — as the AI-layer baseline. Governance baseline integrity verification confirms this state continuously. Governance-tiered model selection policy (GV-02) is itself a baseline configuration element: the model tier assignments for each task class are part of the versioned, integrity-controlled configuration that constitutes the AI governance baseline
R1.2 — Authorize and document changes to baseline configurations GV-01, IN-01, IN-02 Strong Any change to the authorized module activation configuration requires an explicit governance policy update with integrity re-verification. Unauthorized changes are detected by drift detection (IN-02) and halt operations. This is the AI-layer analog of CIP-010's authorized change requirement
R1.3 — Within 35 days of baseline change, update security controls IN-01, IN-02, IN-03 Strong Governance baseline integrity verification, drift detection, and module manifest integrity collectively ensure the AI governance layer reflects only the current, authorized configuration — changes that are not integrity-verified do not take effect, enforcing update discipline structurally at the governance layer. CIP-010 R1.3 applies to BES Cyber System baseline changes; SDOS satisfies the requirement at the AI governance layer. BES Cyber System security control updates following OT infrastructure changes remain an operational obligation addressed by separate tooling.
R1.4 — Verify the identity of software, patches, and upgrades IN-03 Strong Module manifest integrity (IN-03) provides cryptographic verification of every module's declared identity and authorized capabilities before activation — the direct AI-layer analog of software identity verification under CIP-010 R1.4
R2 — Monitor for unauthorized changes to baseline configuration at least every 35 days IN-01, IN-02 Partial — Continuous AI-Layer Monitoring Governance baseline integrity verification continuously monitors for configuration drift; drift detection and system halt (IN-02) provides automated detection and response at every startup and on-demand invocation — more frequent than the 35-day cadence required by CIP-010 R2. CIP-010 R2 applies to BES Cyber System configurations; SDOS monitors the AI governance layer configuration. Coverage of the underlying BES Cyber System baseline remains an OT infrastructure obligation
R3 — Vulnerability Management (assess at least every 15 months for High/Medium BCS) IN-01, IN-02, RS-01 Partial — Continuous Governance Monitoring Governance baseline integrity and ROSI evaluation provide continuous monitoring of the AI governance control layer. Vulnerability assessments of the underlying AI models, inference infrastructure, and OT network components are an organizational security obligation requiring separate tooling and methodology
R4 — Transient Cyber Asset (TCA) protection for High and Medium Impact BCS IA-01, IA-02, GV-03, AD-01 Partial — Identity Gate High and Medium Impact BCS have more demanding TCA requirements than Low Impact assets under CIP-003 Att. 1 Sec. 5. When AI agents function as transient governed agents (deployed temporarily, with defined operational scope and time limits), attested agent identity (IA-01) and module identity (IA-02) enforce verified identification at every dispatch cycle. Default-deny pre-admission (GV-03) and agent pre-admission gate (AD-01) ensure transient AI agents are explicitly admitted before any governed operation executes — the structural analog of managed, authorized TCA access. Physical TCA protections (authorization controls for physical devices, malicious code mitigation for removable media), documentation of TCA authorizations, and verification of security controls applied to TCA hardware are outside the SDOS operational boundary

Mapping Table — CIP-012 (Communications between Control Centers)

CIP-012-1 (effective 2022) requires responsible entities to develop and implement documented plan(s) to mitigate the risk of unauthorized disclosure and unauthorized modification of Real-time Assessment and Real-time monitoring data transmitted between applicable Control Centers. Applicable registered entity types include Balancing Authorities (BA), Generator Operators (GOP), Generator Owners (GO), Reliability Coordinators (RC), Transmission Operators (TOP), and Transmission Owners (TO) that own or operate a Control Center in scope. Oral communications are excluded from R1 scope.

As AI agents are deployed within or adjacent to control center communication paths — automating alert triage, synthesizing grid state assessments, or producing operational recommendations that travel between Control Centers — SDOS governance applies at the dispatch layer where those agents operate.

CIP-012 Requirement SDOS Controls Strength Notes
R1 — Mitigate the risk of unauthorized disclosure and unauthorized modification of Real-time Assessment and Real-time monitoring data between applicable Control Centers EN-01, EN-02, EN-04, IA-01, GV-05, AU-01 Partial — AI Dispatch Layer Only When AI agents generate or process Real-time Assessment or Real-time monitoring data that traverses Control Center boundaries, pre-egress enforcement (EN-01) and subordinate-side enforcement gate (EN-02) apply policy-based controls to outbound AI agent operations before they execute — directly addressing the unauthorized modification risk at the AI layer. Governed egress with tamper-evident audit (EN-04) produces a tamper-evident record of every governed outbound operation. Attested agent identity (IA-01) verifies the identity of the AI agent producing or handling the data. Model-alignment-independent policy enforcement (GV-05) ensures these controls apply regardless of model provider. CIP-012 R1 is a documented plan requirement: entities must identify protections, locations, and responsibilities for mitigating confidentiality and integrity risks in the transmission channel. SDOS provides the AI-layer technical controls that the plan specifies for the agent-initiated portion of those communications; channel-level protections (e.g., encryption, MACsec) and the plan documentation obligation itself are organizational and OT infrastructure obligations
R1 — Documentation of the plan for mitigating unauthorized disclosure and modification AU-01, AU-02, AU-03, GV-01 Weak — Substrate Only Per-invocation audit records (AU-01), append-only integrity (AU-02), and dual audit trail (AU-03) provide the evidentiary record of AI-layer governance over agent operations that touch in-scope data — supporting the entity's plan documentation with a verifiable technical control record. Configuration-governed module activation (GV-01) provides the versioned record of which AI agent capabilities are authorized to operate in communication-adjacent workflows. R1 requires a documented plan identifying protections, locations, and responsible parties for the full transmission path; SDOS audit records are supporting evidence for the AI-agent portion of that plan, not a substitute for it

Mapping Table — CIP-013 (Supply Chain Risk Management)

CIP-013 requires responsible entities to develop and implement plans to manage cybersecurity risks in the supply chain of industrial control system hardware, software, and services associated with High and Medium Impact BCS. AI model providers and agentic workflow vendors are supply chain actors under this standard.

CIP-013 Requirement SDOS Controls Strength Notes
R1.1 — Identify and assess supply chain cybersecurity risks RM-01, RM-02, RM-03, IA-01, IA-02, DE-01, DE-02 Partial — Supplier Identity and Runtime Risk Evidence Dispatch-time risk classification (RM-01), complexity-tiered resource allocation (RM-02), and risk-floor model binding (RM-03) produce a continuous, per-operation supply chain risk signal. Attested agent and module identity (IA-01, IA-02) cryptographically verify supplier identity at every invocation. Governed deliberation panels (DE-01/DE-02) support structured AI supply chain risk identification: a multi-agent panel can systematically assess risk exposure across AI model providers and agentic workflow vendors, producing a convergence-based decision record suitable as a plan-development artifact. CIP-013 R1.1 requires a documented supply chain risk management plan — a planning and policy obligation. SDOS produces the technical evidence that informs that plan; it does not author or maintain the plan itself
R1.2 — Include in plans: verification of software integrity, authenticity of software IN-03, IA-02 Strong Module manifest integrity (IN-03) provides cryptographic verification of every module's identity and capability declaration before activation — directly implementing software integrity and authenticity verification for AI supply chain components at the dispatch layer
R1.2 — Include in plans: vendor remote access, notification of known vulnerabilities EN-01, EN-02, GV-05 Partial — Access Boundary Only Pre-egress enforcement (EN-01), subordinate-side gate (EN-02), and model-alignment-independent policy enforcement (GV-05) constrain what AI agents from any vendor can do at runtime, regardless of the vendor's internal security posture. Vendor remote access controls and vulnerability notification obligations are contractual and organizational
R1.2 — Include in plans: disclosure practices for incidents involving supply chain vendors AU-01, AU-02, AU-03, EN-04 Partial — Evidence Substrate Per-invocation audit record, append-only integrity, dual audit trail, and tamper-evident governed egress audit provide the complete forensic record of every AI agent dispatch event — supporting incident disclosure obligations with an auditable evidence chain. The disclosure process itself is an organizational obligation
R2 — Implement the supply chain risk management plan GV-05, IA-01, IA-02, EN-01 Partial — Technical Control Layer Model-alignment-independent policy enforcement (GV-05) applies governance constraints to all AI vendors' agents structurally; attested identity (IA-01, IA-02) enforces vendor identification at every dispatch; pre-egress enforcement (EN-01) applies consistent rules regardless of vendor origin. CIP-013 R2 requires implementing an approved supply chain risk management plan — an organizational governance obligation. SDOS provides the technical control layer that the plan specifies; plan approval, scope definition, and periodic review are organizational obligations
R3 — Review and update the supply chain risk management plan at least every 15 months IN-01, RS-01, DE-01, DE-02 Weak — Substrate Only Governance baseline integrity verification (IN-01) ensures the AI governance controls specified in the supply chain plan are operating from a known, authorized state — supporting plan review with current control-state evidence. ROSI evaluation (RS-01) generates quantitative effectiveness data for each governance dimension, directly informing the risk-adjusted review of whether existing supply chain controls remain adequate. Governed deliberation panels (DE-01/DE-02) can structure the plan review process at the AI layer: a multi-agent assessment of AI supply chain posture produces a convergence-based decision record suitable as an audit artifact. The review process itself — plan approval, scope updates, senior management sign-off — is an organizational obligation

Outside SDOS Operational Boundary

The following NERC CIP obligations fall outside the SDOS runtime governance boundary and require complementary organizational, OT, and physical controls:

NERC CIP Requirement Why Outside SDOS Scope
CIP-002 — BES Cyber System Categorization (High/Medium/Low Impact classification) Asset categorization is an organizational compliance determination; SDOS does not identify, classify, or inventorize BES Cyber Assets
CIP-004 — Personnel & Training (background investigations, training programs) Human resources and organizational obligation; no AI governance analog
CIP-006 — Physical Security of BES Cyber Systems Physical access controls, visitor management, PSP maintenance
CIP-008 — Incident Reporting and Response Planning (NERC notification obligations) Regulatory reporting obligation; SDOS audit records support factual basis but notification is an organizational governance process
CIP-009 — Recovery Plans for BES Cyber Systems BES restoration, backup, recovery — infrastructure continuity outside governance layer
CIP-011 — Information Protection (BES Cyber System Information classification and handling) Data classification and information protection are organizational; SDOS does not handle or store BCS information
CIP-014 — Physical Security (transmission stations, substations) Physical threat assessment and physical security planning; no software governance analog
OT-layer patch management (CIP-007 R2 cadence) Model and infrastructure patching cadence is an operational security obligation outside the governance layer
Malware detection tooling (CIP-007 R3 signature-based prevention) EDR/AV tooling; SDOS provides behavioral containment, not signature detection

Strongest SDOS Alignment — NERC CIP

Three NERC CIP requirement areas where SDOS alignment is structurally strongest:

1. Default-Deny Electronic Access Control (CIP-003 Att. 1 Sec. 3, CIP-005 R1.2)

CIP-003-8 Attachment 1 Section 3 requires electronic access controls for Low Impact BES Cyber Systems. SDOS implements default-deny posture at the AI agent dispatch boundary: SDOS-GV-03 (Default-Deny Pre-Admission Policy) and SDOS-AD-01 (Default-Deny Agent Pre-Admission) mean no AI agent executes governed operations without explicit admission authorization. Identity is cryptographically verified before admission is evaluated. This structural default-deny posture is not a configuration option — it is the architectural foundation. The same posture applies at the AI-dispatch-layer analog of the ESP boundary addressed by CIP-005 R1.2.

2. Security Event Logging (CIP-007 R4.1, R4.2)

CIP-007 requires security event logging at the BES Cyber System level. SDOS-AU-01 generates a structured audit record for every AI agent dispatch decision before any execution occurs — capturing agent identity, operation type, governance decision (permit/modify/block), and timestamp. SDOS-AU-02 maintains append-only integrity so the record cannot be altered without detection. SDOS-AU-03 maintains dual repositories so the audit trail survives single-repository failure. This constitutes a complete logging implementation at the AI agent layer for the AI dispatch surface.

3. Supply Chain Integrity Verification (CIP-013 R1.2, R2)

AI model providers and agentic workflow vendors are supply chain actors under CIP-013. SDOS-IN-03 (Module Manifest Integrity) provides cryptographic verification of every module's declared identity and authorized capabilities before activation — implementing software integrity and authenticity verification for AI supply chain components at dispatch time. SDOS-IA-01 and SDOS-IA-02 verify agent and module identity at every invocation regardless of provider origin. SDOS-GV-05 (Model-Alignment-Independent Policy Enforcement) ensures governance constraints apply structurally to all vendors' AI agents — not through reliance on vendor-claimed alignment properties.


Energy Sector AI Deployment Context

Where AI Agents Are Entering the BES Environment

Electric utilities are deploying AI agents across grid operations (load forecasting, dispatch optimization), asset management (predictive maintenance, anomaly detection), energy trading (market participation, price optimization), and cybersecurity operations (alert triage, threat correlation). Each deployment creates an autonomous execution surface that operates within or adjacent to BES Cyber Systems.

The regulatory gap is specific: NERC CIP governs access to and security of BES Cyber Systems. It does not govern the AI agent that issues commands through an authorized access path. An AI agent operating through an authenticated, authorized connection that invokes grid operations tools without governance is operating within the letter of NERC CIP while creating a risk profile that NERC CIP's access and logging requirements were not designed to address.

SDOS governs that gap. The AI agent dispatch layer — where SDOS operates — is the decision layer above the access layer. Access controls tell you who can connect; SDOS tells you what the agent is authorized to do and records every decision.

FERC Order 887 and AI Governance Implications

FERC Order 887 (January 2023) directed NERC to develop new or modified reliability standards addressing the cybersecurity risks associated with inverter-based resources (IBRs). The order demonstrates that FERC will direct reliability standard development when emerging technology interfaces create BES cybersecurity gaps. No AI-specific NERC CIP standard has been issued as of this document's publication date, and FERC Order 887 does not address AI agents directly. Entities deploying AI in grid operations should treat current NERC CIP compliance as a floor, not a ceiling, for AI governance maturity — and monitor NERC standards development for future AI-specific requirements.

DOE AI for Critical Infrastructure

The U.S. Department of Energy's initiatives on AI for grid modernization (including the Grid Modernization Initiative and AI for Energy programs) create pressure for utilities to deploy AI at scale. SDOS provides the runtime governance layer that ensures AI agents operating in grid environments are admitted, verified, dispatched under policy, and audited — at every invocation.


Relationship to Other Frameworks

Entities subject to NERC CIP frequently operate under additional compliance obligations. SDOS maps to the frameworks most relevant to multi-framework critical infrastructure environments:

Framework Overlap Area
CMMC 2.0 Defense industrial base overlap for utilities with DoD contracts; CUI handling requirements
NIST AI RMF AI risk management; SDOS is the control catalog mapped to NIST AI RMF as primary focal document
FedRAMP Rev 5 Federal cloud authorization; relevant for utilities operating cloud-hosted grid management systems
CIS Controls v8 Endpoint and network security controls; complements NERC CIP at the IT layer
ISO 42001 AI management system standard; useful for utilities building an enterprise AI governance program alongside NERC CIP compliance
NIST SP 800-82 Guide to ICS/OT Security; provides the OT-layer security controls that complement SDOS AI-layer governance in BES environments

Full framework library: SDOS Reference Library


Complete SDOS Control Coverage — NERC CIP

This table maps every SDOS control to the NERC CIP requirements it addresses. All 24 SDOS controls are represented. Controls with no direct NERC CIP requirement mapping reflect functions (deliberation, risk measurement) that produce evidence substrates supporting compliance but do not map to a discrete CIP requirement line item. Out-of-scope determinations reflect the SDOS operational boundary, not control deficiency.

SDOS Control Governance Function NERC CIP Requirements Addressed Highest Strength
GV-01 — Configuration-Governed Module Activation Governance CIP-003 R2, R3; CIP-005 R1.1, R1.3; CIP-007 R1.1, R5.3; CIP-010 R1.1, R1.2, R1.3; CIP-012 R1 (documentation); CIP-013 R2 Strong (CIP-010 R1.1)
GV-02 — Governance-Tiered Model Selection Governance CIP-007 R5.1; CIP-010 R1.1 Partial (contributes to Strong rows; not independently Strong)
GV-03 — Default-Deny Pre-Admission Policy Governance CIP-003 Att.1 Sec.3; CIP-005 R1.2; CIP-007 R5.5; CIP-010 R4 Strong (CIP-003 Att.1 Sec.3)
GV-04 — Cross-Module Governance Continuity Governance CIP-003 R2; CIP-007 R5.4 Weak — Substrate Only
GV-05 — Model-Alignment-Independent Policy Enforcement Governance CIP-005 R1.3; CIP-007 R1.1, R3; CIP-012 R1; CIP-013 R1.2, R2 Partial
RM-01 — Dispatch-Time Risk Classification Risk Management CIP-013 R1.1, R1.2 Partial
RM-02 — Complexity-Tiered Resource Allocation Risk Management CIP-013 R1.1 Partial
RM-03 — Risk-Floor Model Binding Risk Management CIP-013 R1.1 Partial
EN-01 — Pre-Egress Policy Enforcement Enforcement CIP-003 Att.1 Sec.3; CIP-005 R1.2, R1.4; CIP-007 R4.2; CIP-012 R1; CIP-013 R1.2, R2 Strong (CIP-007 R4.2)
EN-02 — Subordinate-Side Enforcement Gate Enforcement CIP-005 R1.2; CIP-007 R4.2; CIP-012 R1; CIP-013 R1.2 Strong (CIP-007 R4.2)
EN-03 — Fail-Closed Degradation Enforcement CIP-007 R3, R4.2 Strong (CIP-007 R4.2)
EN-04 — Governed Egress with Tamper-Evident Audit Enforcement CIP-007 R4.1; CIP-012 R1; CIP-013 R1.2 Strong (CIP-007 R4.1)
IA-01 — Attested Agent Identity Identity and Attestation CIP-003 Att.1 Sec.3, Sec.5; CIP-005 R1.1, R1.4, R2; CIP-007 R5.1, R5.2, R5.4; CIP-010 R4; CIP-012 R1; CIP-013 R2 Strong (CIP-003 Att.1 Sec.3)
IA-02 — Attested Module Identity Identity and Attestation CIP-003 Att.1 Sec.5; CIP-005 R2; CIP-007 R5.2, R5.4; CIP-010 R4; CIP-013 R1.1, R1.2 Strong (CIP-013 R1.2)
AU-01 — Per-Invocation Audit Record Audit CIP-007 R4.1, R4.2, R5.5; CIP-012 R1 (Weak — plan substrate); CIP-013 R1.2 Strong (CIP-007 R4.1)
AU-02 — Append-Only Audit Log Integrity Audit CIP-007 R4.1, R4.3; CIP-010 R2; CIP-012 R1 (Weak — plan substrate); CIP-013 R1.2 Strong (CIP-007 R4.1)
AU-03 — Dual Audit Trail Audit CIP-007 R4.1, R4.3; CIP-012 R1 (Weak — plan substrate); CIP-013 R1.2 Strong (CIP-007 R4.1)
IN-01 — Governance Baseline Integrity Verification Integrity CIP-003 R3; CIP-007 R2, R5.3; CIP-010 R1.1, R1.2, R1.3, R2; CIP-012 R1 (documentation); CIP-013 R3 Strong (CIP-010 R1.2)
IN-02 — Baseline Drift Detection and System Halt Integrity CIP-003 R3; CIP-007 R2; CIP-010 R1.2, R2 Strong (CIP-010 R1.2)
IN-03 — Module Manifest Integrity Integrity CIP-007 R2; CIP-010 R1.4; CIP-013 R1.2 Strong (CIP-010 R1.4)
DE-01 — Governed Multi-Agent Deliberation Deliberation CIP-003 R1, R2; CIP-013 R1.1, R3 Weak — Substrate Only
DE-02 — Convergence-Based Decision Record Deliberation CIP-003 R1, R2; CIP-013 R1.1, R3 Weak — Substrate Only
RS-01 — Governed ROSI Evaluation Risk Measurement CIP-003 R1; CIP-010 R3; CIP-013 R3 Weak — Substrate Only
AD-01 — Default-Deny Agent Pre-Admission Admission CIP-003 Att.1 Sec.3; CIP-005 R1.2; CIP-007 R5.5; CIP-010 R4 Strong (CIP-003 Att.1 Sec.3)

Coverage Summary

Category Count
SDOS controls with at least one Strong mapping 11 of 24
SDOS controls with Partial mapping (no Strong) 9 of 24
SDOS controls with Weak / Substrate-Only mapping only 4 of 24
SDOS controls with no direct CIP mapping (out-of-scope domain) 0 of 24
NERC CIP standards with SDOS mapping table 6 of 13 (CIP-003, CIP-005, CIP-007, CIP-010, CIP-012, CIP-013)
NERC CIP standards out of scope by design 7 of 13 (CIP-002, CIP-004, CIP-006, CIP-008, CIP-009, CIP-011, CIP-014)

Every SDOS control touches at least one NERC CIP requirement. No control is dead weight in a BES AI deployment context.


Architectural Positioning

SDOS operates at the dispatch-time enforcement layer — the moment immediately before an AI agent invokes a tool, makes a decision, or produces an output. The SDOS framework does not replace organizational, physical, or personnel cybersecurity controls. It provides a runtime layer that enforces governance policy at the boundary where AI agents act, adding an architectural layer of cybersecurity assurance for AI-augmented operations.

For alignment purposes, SDOS supports the operational and technical requirements addressing how AI-driven cyber operations are deployed, monitored, and audited. Requirements addressing the organizational, physical, or personnel layer fall outside the SDOS scope and require separate controls.

Maintenance

This document is maintained by AAM Cyber as part of the SDOS Reference Library. The library currently covers 17 framework alignments: NIST AI RMF 1.0, NIST CSF 2.0, NIST SP 800-53 Rev 5.2.0, NIST AI 600-1, EU AI Act, DORA, HIPAA, PCI-DSS v4.0, CIS Controls v8, ISO 42001, FedRAMP Rev 5, CMMC 2.0, SOC 2, NAIC MDL-668, NERC CIP, IEEE P2863 (draft), and FAA UAS/AAM (principles-mapped). Version history for every framework alignment is published at /sdos/reference/changelog/.

Subsequent updates to this alignment page will be issued when: (1) screening feedback from a recognized standards body requires revision, (2) the focal framework releases a revision requiring mapping review, or (3) SDOS controls are added or retired affecting the alignment.

Intellectual Property

The SDOS Runtime Governance Framework was invented by Pharns Genece. Aspects of the framework are the subject of pending U.S. Provisional Patent Applications 64/029,300, 64/049,300, 64/067,427, 64/069,200, and 64/076,620. The scope of pending claims is defined by the as-filed specifications and is not coextensive with the descriptions in this document. AAM Cyber, all rights reserved unless otherwise indicated.

Patent inquiries should be directed to AAM Cyber at aamcyber.com.


Contact

AAM Cyber
aamcyber.com

Electric utilities, reliability coordinators, and OT security teams developing AI governance programs for NERC CIP-covered environments: [email protected]


SDOS Runtime Governance Framework — NERC CIP Alignment. Version 1.3. Published 2026-05-12.

View library changelog →