SDOS Runtime Governance Framework — NERC CIP Alignment¶
SDOS Version: 1.9
Standards: NERC CIP-002 through CIP-014 (currently enforceable standards as of 2026)
Enforcing Entity: North American Electric Reliability Corporation (NERC); enforced by FERC under 16 U.S.C. § 824o
Applicability: Owners, operators, and users of the North American bulk electric system (BES)
Document Date: 2026-05-12
Authoring Organization: AAM Cyber (aamcyber.com)
Inventor: Pharns Genece
SDOS Control Catalog: View full control definitions
Purpose¶
This document maps the controls of the SDOS Runtime Governance Framework to the requirements of the NERC Critical Infrastructure Protection (CIP) standards as they apply to AI agent operations within bulk electric system environments. It is intended to assist asset owners, reliability coordinators, transmission operators, and GRC teams evaluating SDOS as a technical governance layer for AI systems deployed within or adjacent to BES Cyber Systems.
NERC CIP was written for the operational technology (OT) environment. AI agents are entering that environment — not as generalist IT tools, but as purpose-built systems for grid operations, energy management, anomaly detection, predictive maintenance, and outage response. Each of these deployments creates a governed autonomous execution surface that NERC CIP's security management controls were not designed to address directly. SDOS fills that gap.
NERC CIP violations carry civil penalties enforced by FERC of up to $1 million per violation per day — making compliance documentation and technical control evidence directly material to regulatory exposure.
This is an informative alignment document. It does not constitute a NERC CIP compliance certification, a FERC filing, or legal advice. NERC CIP compliance determinations must be made through a registered entity's internal compliance program and, where required, through NERC and Regional Entity oversight. This document supports the analysis — it does not replace it.
Applicability¶
This document applies to registered entities and asset owners that deploy agentic AI workflows within or in communication with BES Cyber Systems — including High, Medium, or Low Impact assets as classified under CIP-002. It is relevant when:
- An AI agent operates within an Electronic Security Perimeter (ESP) or has access to a BES Cyber System through an Electronic Access Point (EAP), or
- The entity is evaluating whether a runtime governance layer provides technical controls relevant to CIP-003, CIP-005, CIP-007, CIP-010, CIP-012, or CIP-013 requirements, or
- A supply chain review under CIP-013 includes AI model providers or agentic workflow vendors as vendors in scope.
Important scope clarification: SDOS governs AI agent dispatch — the decision of whether and how an agent operates. It does not configure, operate, or directly interface with BES Cyber Assets. SDOS controls the governance layer above the execution layer. This distinction is material: SDOS is not a BES Cyber System and does not replace the OT-layer security controls required under CIP. It governs the AI agents that may operate within or adjacent to that layer.
Out-of-scope by design: Physical security (CIP-006), incident response reporting obligations (CIP-008 notification requirements), recovery planning (CIP-009 restoration), and personnel risk assessments (CIP-004) are organizational obligations that fall entirely outside the operational boundary of a runtime governance framework.
SDOS Control Catalog Summary¶
The full control catalog with per-control descriptions, evidence types, and related control dependencies is published at /sdos/reference/v1/. The 24 SDOS controls comprising the public runtime control set are:
| Control ID | Title |
|---|---|
| SDOS-GV-01 | Configuration-Governed Module Activation |
| SDOS-GV-02 | Governance-Tiered Model Selection |
| SDOS-GV-03 | Default-Deny Pre-Admission Policy |
| SDOS-GV-04 | Cross-Module Governance Continuity |
| SDOS-GV-05 | Model-Alignment-Independent Policy Enforcement |
| SDOS-RM-01 | Dispatch-Time Risk Classification |
| SDOS-RM-02 | Complexity-Tiered Resource Allocation |
| SDOS-RM-03 | Risk-Floor Model Binding |
| SDOS-AD-01 | Default-Deny Agent Pre-Admission |
| SDOS-IA-01 | Attested Agent Identity |
| SDOS-IA-02 | Attested Module Identity |
| SDOS-IN-01 | Governance Baseline Integrity Verification |
| SDOS-IN-02 | Baseline Drift Detection and System Halt |
| SDOS-IN-03 | Module Manifest Integrity |
| SDOS-EN-01 | Pre-Egress Policy Enforcement |
| SDOS-EN-02 | Subordinate-Side Enforcement Gate |
| SDOS-EN-03 | Fail-Closed Degradation |
| SDOS-EN-04 | Governed Egress with Tamper-Evident Audit |
| SDOS-AU-01 | Per-Invocation Audit Record |
| SDOS-AU-02 | Append-Only Audit Log Integrity |
| SDOS-AU-03 | Dual Audit Trail |
| SDOS-DE-01 | Governed Multi-Agent Deliberation |
| SDOS-DE-02 | Convergence-Based Decision Record |
| SDOS-RS-01 | Governed Return on Safety Investment (ROSI) Evaluation |
How to Use This Document¶
Assessor Use Notice¶
Mapping strength reflects the framework's design coverage of the cited requirement. Operating effectiveness is a property of a specific deployment and must be tested per engagement. NERC CIP requirements vary by impact classification (High, Medium, Low) and applicable systems. Assessors should treat all mappings as control-design assertions requiring implementation verification — including evidence collection, sample selection, and testing against the assessor's own audit program under NERC's Reliability Standards Audit Worksheet (RSAW) methodology. The strength rating is the starting point for a compliance analysis, not a substitute for it.
Mapping Strength Legend¶
| Rating | Meaning |
|---|---|
| Strong | SDOS provides a direct, mechanism-specific technical implementation of the cited requirement through observable runtime behavior. |
| Partial — [qualifier] | SDOS addresses a defined subset of the requirement. The qualifier identifies which subset is covered and which requires additional controls. |
| Weak — Substrate Only | SDOS produces data or infrastructure that enables compliance but does not itself satisfy the requirement. |
| Out of Scope | The requirement falls entirely outside the operational boundary of a runtime governance framework. |
Glossary¶
NERC CIP Terms¶
| Term | Definition as Used in This Document |
|---|---|
| BES Cyber System (BCS) | One or more BES Cyber Assets logically grouped to perform one or more reliability tasks for a functional entity |
| BES Cyber Asset (BCA) | A programmable electronic device and its communication networks that, if rendered unavailable, degraded, or misused, would within 15 minutes adversely impact the reliable operation of the BES |
| Electronic Security Perimeter (ESP) | The logical border surrounding a network to which BES Cyber Systems are connected |
| Electronic Access Point (EAP) | A point of access between an ESP and a network outside the ESP |
| Interactive Remote Access (IRA) | User-initiated access by a person employing a remote access client or other remote access technology using a routable protocol |
| Transient Cyber Asset (TCA) | A device directly connected to a BES Cyber System, a network within an ESP, or an External Routable Connectivity (ERC) for 30 consecutive calendar days or less |
| Physical Security Perimeter (PSP) | The physical border surrounding locations of BES Cyber Systems, other Cyber Assets within an ESP, and Physical Access Control Systems |
| Cyber Vulnerability | Any flaw, weakness, or misconfiguration that could be exploited or triggered inadvertently to result in a compromise of the reliability of the BES |
SDOS Terms¶
| Term | Definition |
|---|---|
| Point of dispatch | The moment a task is assigned to an agent and before any tool execution occurs; the primary SDOS enforcement boundary |
| Governed egress | Outbound operations subject to pre-execution policy enforcement before results are returned |
| Fail-closed degradation | SDOS-EN-03 defines three failure modes: (1) governance infrastructure unavailability — pre-authorized operations may continue under a documented degradation policy; (2) governance baseline integrity failure — all operations halt without exception; (3) partial-degradation states — governed by a documented degradation policy that is itself integrity-verified per IN-01. See control catalog for the full definition. |
| Governance baseline | The authorized configuration state against which SDOS verifies integrity at startup and on demand |
NERC CIP Structure Reference¶
NERC CIP currently comprises twelve enforceable standards (CIP-002 through CIP-014, excluding CIP-006 which was withdrawn in its original form and replaced by the physical security requirements consolidated in CIP-006-6). The standards with the strongest intersection with AI agent governance are:
| Standard | Title | SDOS Relevance |
|---|---|---|
| CIP-003 | Security Management Controls | Security policies governing BES Cyber Systems; AI governance policy anchoring |
| CIP-005 | Electronic Security Perimeters | Access control at ESP boundary; AI agent as an EAP-adjacent access subject |
| CIP-007 | System Security Management | Ports and services, patch management, malicious code prevention, system access control, audit logs |
| CIP-010 | Configuration Change Management and Vulnerability Management | Baseline configuration, change control, vulnerability assessment, TCA protections |
| CIP-012 | Communications between Control Centers | Confidentiality and integrity of Real-time Assessment and monitoring data between applicable Control Centers; AI agents operating in communication paths |
| CIP-013 | Supply Chain Risk Management | Vendor risk management; AI model providers as supply chain actors |
Mapping Table — CIP-003 (Security Management Controls)¶
CIP-003 requires each responsible entity to implement security management controls to protect BES Cyber Systems. For High and Medium Impact BCS, this includes a documented, board-approved cybersecurity policy. For Low Impact BCS, CIP-003-8 Attachment 1 requires: (1) cyber security awareness, (2) physical security controls, (3) electronic access controls, (4) cyber security incident response, and (5) transient cyber asset and removable media malicious code risk mitigation.
| CIP-003 Requirement | SDOS Controls | Strength | Notes |
|---|---|---|---|
| R1 — Senior Manager accountability for BES Cyber System cybersecurity policy | RS-01, DE-01, DE-02 | Weak — Substrate Only | SDOS-RS-01 (Governed Return on Safety Investment Evaluation) generates structured governance effectiveness metrics that feed senior management reporting. SDOS-DE-01 and SDOS-DE-02 (Governed Multi-Agent Deliberation and Convergence-Based Decision Record) support structured AI-layer policy reviews: deliberation panels can assess AI governance posture, and the resulting decision records are auditable artifacts suitable for senior management review. Policy accountability and board-level oversight are organizational obligations |
| R2 — Delegation of cybersecurity authority | GV-01, GV-04, DE-01, DE-02 | Weak — Substrate Only | Configuration-governed module activation (GV-01) and cross-module governance continuity (GV-04) provide an integrity-controlled record of which AI agent capabilities are authorized — supporting evidence of delegated authority at the AI layer. Governed deliberation panels (DE-01/DE-02) can produce structured assessments of AI capability scope that inform delegation decisions. Delegation of cybersecurity authority is an organizational governance process (board approval, named delegates, documented accountability chain) that SDOS does not implement |
| R3 — Annually review cybersecurity policies | IN-01, IN-02 | Weak — Substrate Only | Governance baseline integrity verification and drift detection provide the continuous control-state record from which policy review is supported; the annual review process itself is an organizational obligation |
| CIP-003-8 Att. 1 Sec. 1 — Cyber Security Awareness | — | Out of Scope | Security awareness training is a personnel obligation; SDOS does not deliver or track awareness programs |
| CIP-003-8 Att. 1 Sec. 2 — Physical Security Controls for Low Impact BCS | — | Out of Scope | Physical access controls for Low Impact BCS locations are outside the SDOS operational boundary |
| CIP-003-8 Att. 1 Sec. 3 — Electronic Access Controls for Low Impact BCS | GV-03, AD-01, IA-01, EN-01 | Strong | Default-deny pre-admission (GV-03), agent pre-admission gate (AD-01), attested agent identity (IA-01), and pre-egress enforcement (EN-01) collectively implement electronic access control at the AI agent dispatch boundary — limiting AI agent operations to explicitly admitted, cryptographically verified agents before any governed action executes |
| CIP-003-8 Att. 1 Sec. 5 — Transient Cyber Asset and Removable Media | IA-01, IA-02, GV-03 | Partial — Identity Gate | Attested agent and module identity requirements mean that transient AI agents (e.g., agents invoked on-demand for a limited engagement) are subject to the same identity verification and admission controls as persistent agents; physical TCA handling and removable media malicious code controls are outside SDOS scope |
Mapping Table — CIP-005 (Electronic Security Perimeters)¶
CIP-005 requires responsible entities to manage electronic access to High and Medium Impact BES Cyber Systems. The AI agent dispatch layer introduces a new class of access subject — an autonomous software entity that can invoke tools, read data, and produce operational outputs within or adjacent to an ESP.
| CIP-005 Requirement | SDOS Controls | Strength | Notes |
|---|---|---|---|
| R1.1 — Identify all applicable Electronic Access Points for each ESP | GV-01, IA-01 | Partial — Agent Surface Enumeration | Configuration-governed module activation (GV-01) provides an enumerated, authorized list of which AI agent capabilities are active — the software analog of identifying EAPs. Attested agent identity (IA-01) ensures every agent operating within the governed boundary is identifiable. Network-layer EAP identification is an OT infrastructure obligation |
| R1.2 — Deny by default all inbound and outbound traffic except what is explicitly permitted | GV-03, AD-01, EN-01, EN-02 | Partial — AI Dispatch Boundary Only | Default-deny pre-admission (GV-03) and agent pre-admission gate (AD-01) deny all AI agent operations by default; pre-egress enforcement (EN-01) and subordinate-side enforcement gate (EN-02) apply the same deny-by-default posture to outbound governed operations. CIP-005 R1.2 requires default-deny at the Electronic Access Point — a network perimeter control implemented in OT infrastructure. SDOS implements the same posture at the AI agent dispatch boundary, which is the layer above ESP access. Network-layer ESP access enforcement is an OT infrastructure obligation |
| R1.3 — Enable only ports and services required for operations | GV-01, GV-05 | Partial — AI-Layer Surface Minimization | Configuration-governed module activation limits the active AI agent capability surface to explicitly authorized modules; model-alignment-independent policy enforcement (GV-05) ensures the restriction is structural. CIP-005 R1.3 addresses network ports and services on BES Cyber Systems — a network infrastructure control. SDOS restricts the AI agent capability surface, not network port configurations on BES Cyber Assets. The controls operate at analogous layers but are not mechanically equivalent |
| R1.4 — Where Interactive Remote Access is used, implement appropriate controls | IA-01, IA-02, EN-01 | Partial — Agent Identity Only | When AI agents operate through interactive remote access paths, attested agent and module identity provide the identity substrate; pre-egress enforcement governs outbound operations. Human IRA controls (multi-factor authentication, encryption requirements under CIP-005 R2) are outside SDOS scope |
| R2 — Interactive Remote Access Management (MFA, encryption, intermediate system) | IA-01 | Weak — Substrate Only | Attested agent identity contributes an identity artifact to the IRA session record; MFA for human remote access, intermediate system requirements, and encryption are OT infrastructure and human access controls outside SDOS scope |
Mapping Table — CIP-007 (System Security Management)¶
CIP-007 is the broadest CIP standard from an AI governance perspective. It governs ports and services, software security (patch management, malicious code prevention), security event monitoring, and system access controls for High and Medium Impact BCS.
| CIP-007 Requirement | SDOS Controls | Strength | Notes |
|---|---|---|---|
| R1.1 — Enable only logical network accessible ports required for operations | GV-01, GV-05 | Partial — AI-Layer Surface Minimization | Configuration-governed module activation restricts the AI agent capability surface to explicitly authorized modules; model-alignment-independent enforcement ensures the restriction is structural, not advisory. CIP-007 R1.1 addresses logical network ports on BES Cyber Systems — a network infrastructure control. SDOS minimizes the AI agent capability surface, not network port configurations on BES Cyber Assets |
| R2 — Security Patch Management (identify, assess, implement patches within 35 days for High/Medium) | IN-01, IN-02, IN-03 | Partial — Baseline Control | Governance baseline integrity verification and drift detection ensure the governance layer itself operates from an integrity-controlled, known-good state. AI model versioning and patching (analogous to firmware/software patching under CIP-007 R2) requires a separate organizational patch management process for the AI models and governance infrastructure components |
| R3 — Malicious Code Prevention (deploy and monitor malicious code prevention tools) | GV-05, EN-01, EN-03 | Weak — Behavioral Gate Only | Model-alignment-independent policy enforcement (GV-05) prevents AI agents from executing operations outside their authorized governance policy regardless of model-generated output content — a behavioral containment that does not substitute for malicious code prevention. CIP-007 R3 requires deployment of malicious code prevention tools (signature detection, endpoint protection). SDOS provides no signature scanning, no malware detection, and no EDR capability. The behavioral gate limits blast radius if a malicious input reaches the governance layer; it does not detect malicious code |
| R4.1 — Log events at the BES Cyber System level (authentication, command changes, etc.) | AU-01, AU-02, AU-03 | Strong | Per-invocation audit record (AU-01) generates a structured log entry for every AI agent dispatch decision before any execution occurs; append-only log integrity (AU-02) prevents tampering; dual audit trail (AU-03) ensures log continuity. These controls constitute a complete security event logging implementation at the AI agent dispatch layer |
| R4.2 — Generate alerts for detected Cyber Security Incidents | EN-01, EN-02, EN-03, AU-01 | Partial — Dispatch Layer Event Records | Pre-egress enforcement (EN-01) and subordinate-side gate (EN-02) generate a blocked-operation record for every denied AI agent action; fail-closed degradation (EN-03) halts and records when governance integrity fails; per-invocation audit records (AU-01) capture the full event detail. CIP-007 R4.2 requires alerts to reach a monitoring system or security staff — SDOS generates the event records from which external alerting is built; the alert delivery mechanism (SIEM integration, monitoring workflow) is a deployment-layer obligation outside the governance framework |
| R4.3 — Retain security event logs for 90 calendar days | AU-02, AU-03 | Partial — Integrity Mechanism Only | SDOS-AU-02 (append-only integrity) and SDOS-AU-03 (dual audit trail) provide the tamper-evident, redundant logging infrastructure. Log retention policy enforcement — 90-day minimum, storage capacity management, archival — is an operational obligation outside the governance framework |
| R5.1 — Limit access only to authorized users (individual or role-based) | GV-03, AD-01, IA-01, GV-02 | Strong | Default-deny pre-admission, agent pre-admission gate, and attested agent identity collectively limit AI agent access to explicitly admitted, cryptographically verified agents operating under authorized governance policy. Governance-tiered model selection (GV-02) ensures that when AI agents operate in access-relevant workflows, the model processing access decisions meets the minimum capability tier required for that decision class. No AI agent operates within the governed boundary without explicit admission. Coverage is scoped to the AI agent dispatch layer; human user account access controls are an OT infrastructure and organizational obligation. |
| R5.2 — Change default passwords before operational use; manage shared/service accounts | IA-01, IA-02 | Partial — Identity Only | Attested agent and module identity provide verified identity at the AI dispatch boundary; credential management for service accounts used by the AI infrastructure is an operational security obligation outside SDOS scope |
| R5.3 — Annually review user accounts | GV-01, IN-01 | Partial — Roster Control | Configuration-governed module activation maintains an explicit, integrity-verified list of authorized AI agent modules; governance baseline integrity verification detects unauthorized changes to that roster. Annual review of human user accounts and system service accounts is an organizational obligation |
| R5.4 — No shared or group accounts for Interactive Remote Access | IA-01, IA-02, GV-04 | Partial — AI Agent Identity Only | Attested agent identity (IA-01) and module identity (IA-02) ensure every AI agent operating through governed remote access paths presents an individual, cryptographically verified identity — no two agents share a governance identity token. Cross-module governance continuity (GV-04) ensures the same identity policy applies uniformly across all modules. CIP-007 R5.4 prohibits shared accounts for human Interactive Remote Access; the AI-agent analog is individual agent identity, which SDOS enforces structurally. Human IRA account management is an OT infrastructure and organizational obligation |
| R5.5 — Limit unsuccessful authentication attempts for Interactive Remote Access | AD-01, AU-01, GV-03 | Partial — Admission Failure Logging Only | Agent pre-admission gate (AD-01) halts agents that fail admission; per-invocation audit record (AU-01) captures every admission failure with agent identity, timestamp, and denial basis; default-deny pre-admission (GV-03) ensures no failed agent reaches execution. CIP-007 R5.5 requires lockout or alert mechanisms for unsuccessful human authentication attempts; SDOS generates a complete admission-failure audit record at the AI layer. Enforcement of session lockout after repeated failures for human IRA sessions is an OT infrastructure obligation |
Mapping Table — CIP-010 (Configuration Change Management and Vulnerability Management)¶
CIP-010 requires responsible entities to manage changes to BES Cyber Systems and identify vulnerabilities in those systems. At the AI layer, configuration drift and unauthorized capability expansion are the analog risks.
| CIP-010 Requirement | SDOS Controls | Strength | Notes |
|---|---|---|---|
| R1.1 — Develop a baseline configuration for each BES Cyber System | GV-01, GV-02, IN-01 | Strong | Configuration-governed module activation defines the authorized capability state — which modules are active, which governance rules apply — as the AI-layer baseline. Governance baseline integrity verification confirms this state continuously. Governance-tiered model selection policy (GV-02) is itself a baseline configuration element: the model tier assignments for each task class are part of the versioned, integrity-controlled configuration that constitutes the AI governance baseline |
| R1.2 — Authorize and document changes to baseline configurations | GV-01, IN-01, IN-02 | Strong | Any change to the authorized module activation configuration requires an explicit governance policy update with integrity re-verification. Unauthorized changes are detected by drift detection (IN-02) and halt operations. This is the AI-layer analog of CIP-010's authorized change requirement |
| R1.3 — Within 35 days of baseline change, update security controls | IN-01, IN-02, IN-03 | Strong | Governance baseline integrity verification, drift detection, and module manifest integrity collectively ensure the AI governance layer reflects only the current, authorized configuration — changes that are not integrity-verified do not take effect, enforcing update discipline structurally at the governance layer. CIP-010 R1.3 applies to BES Cyber System baseline changes; SDOS satisfies the requirement at the AI governance layer. BES Cyber System security control updates following OT infrastructure changes remain an operational obligation addressed by separate tooling. |
| R1.4 — Verify the identity of software, patches, and upgrades | IN-03 | Strong | Module manifest integrity (IN-03) provides cryptographic verification of every module's declared identity and authorized capabilities before activation — the direct AI-layer analog of software identity verification under CIP-010 R1.4 |
| R2 — Monitor for unauthorized changes to baseline configuration at least every 35 days | IN-01, IN-02 | Partial — Continuous AI-Layer Monitoring | Governance baseline integrity verification continuously monitors for configuration drift; drift detection and system halt (IN-02) provides automated detection and response at every startup and on-demand invocation — more frequent than the 35-day cadence required by CIP-010 R2. CIP-010 R2 applies to BES Cyber System configurations; SDOS monitors the AI governance layer configuration. Coverage of the underlying BES Cyber System baseline remains an OT infrastructure obligation |
| R3 — Vulnerability Management (assess at least every 15 months for High/Medium BCS) | IN-01, IN-02, RS-01 | Partial — Continuous Governance Monitoring | Governance baseline integrity and ROSI evaluation provide continuous monitoring of the AI governance control layer. Vulnerability assessments of the underlying AI models, inference infrastructure, and OT network components are an organizational security obligation requiring separate tooling and methodology |
| R4 — Transient Cyber Asset (TCA) protection for High and Medium Impact BCS | IA-01, IA-02, GV-03, AD-01 | Partial — Identity Gate | High and Medium Impact BCS have more demanding TCA requirements than Low Impact assets under CIP-003 Att. 1 Sec. 5. When AI agents function as transient governed agents (deployed temporarily, with defined operational scope and time limits), attested agent identity (IA-01) and module identity (IA-02) enforce verified identification at every dispatch cycle. Default-deny pre-admission (GV-03) and agent pre-admission gate (AD-01) ensure transient AI agents are explicitly admitted before any governed operation executes — the structural analog of managed, authorized TCA access. Physical TCA protections (authorization controls for physical devices, malicious code mitigation for removable media), documentation of TCA authorizations, and verification of security controls applied to TCA hardware are outside the SDOS operational boundary |
Mapping Table — CIP-012 (Communications between Control Centers)¶
CIP-012-1 (effective 2022) requires responsible entities to develop and implement documented plan(s) to mitigate the risk of unauthorized disclosure and unauthorized modification of Real-time Assessment and Real-time monitoring data transmitted between applicable Control Centers. Applicable registered entity types include Balancing Authorities (BA), Generator Operators (GOP), Generator Owners (GO), Reliability Coordinators (RC), Transmission Operators (TOP), and Transmission Owners (TO) that own or operate a Control Center in scope. Oral communications are excluded from R1 scope.
As AI agents are deployed within or adjacent to control center communication paths — automating alert triage, synthesizing grid state assessments, or producing operational recommendations that travel between Control Centers — SDOS governance applies at the dispatch layer where those agents operate.
| CIP-012 Requirement | SDOS Controls | Strength | Notes |
|---|---|---|---|
| R1 — Mitigate the risk of unauthorized disclosure and unauthorized modification of Real-time Assessment and Real-time monitoring data between applicable Control Centers | EN-01, EN-02, EN-04, IA-01, GV-05, AU-01 | Partial — AI Dispatch Layer Only | When AI agents generate or process Real-time Assessment or Real-time monitoring data that traverses Control Center boundaries, pre-egress enforcement (EN-01) and subordinate-side enforcement gate (EN-02) apply policy-based controls to outbound AI agent operations before they execute — directly addressing the unauthorized modification risk at the AI layer. Governed egress with tamper-evident audit (EN-04) produces a tamper-evident record of every governed outbound operation. Attested agent identity (IA-01) verifies the identity of the AI agent producing or handling the data. Model-alignment-independent policy enforcement (GV-05) ensures these controls apply regardless of model provider. CIP-012 R1 is a documented plan requirement: entities must identify protections, locations, and responsibilities for mitigating confidentiality and integrity risks in the transmission channel. SDOS provides the AI-layer technical controls that the plan specifies for the agent-initiated portion of those communications; channel-level protections (e.g., encryption, MACsec) and the plan documentation obligation itself are organizational and OT infrastructure obligations |
| R1 — Documentation of the plan for mitigating unauthorized disclosure and modification | AU-01, AU-02, AU-03, GV-01 | Weak — Substrate Only | Per-invocation audit records (AU-01), append-only integrity (AU-02), and dual audit trail (AU-03) provide the evidentiary record of AI-layer governance over agent operations that touch in-scope data — supporting the entity's plan documentation with a verifiable technical control record. Configuration-governed module activation (GV-01) provides the versioned record of which AI agent capabilities are authorized to operate in communication-adjacent workflows. R1 requires a documented plan identifying protections, locations, and responsible parties for the full transmission path; SDOS audit records are supporting evidence for the AI-agent portion of that plan, not a substitute for it |
Mapping Table — CIP-013 (Supply Chain Risk Management)¶
CIP-013 requires responsible entities to develop and implement plans to manage cybersecurity risks in the supply chain of industrial control system hardware, software, and services associated with High and Medium Impact BCS. AI model providers and agentic workflow vendors are supply chain actors under this standard.
| CIP-013 Requirement | SDOS Controls | Strength | Notes |
|---|---|---|---|
| R1.1 — Identify and assess supply chain cybersecurity risks | RM-01, RM-02, RM-03, IA-01, IA-02, DE-01, DE-02 | Partial — Supplier Identity and Runtime Risk Evidence | Dispatch-time risk classification (RM-01), complexity-tiered resource allocation (RM-02), and risk-floor model binding (RM-03) produce a continuous, per-operation supply chain risk signal. Attested agent and module identity (IA-01, IA-02) cryptographically verify supplier identity at every invocation. Governed deliberation panels (DE-01/DE-02) support structured AI supply chain risk identification: a multi-agent panel can systematically assess risk exposure across AI model providers and agentic workflow vendors, producing a convergence-based decision record suitable as a plan-development artifact. CIP-013 R1.1 requires a documented supply chain risk management plan — a planning and policy obligation. SDOS produces the technical evidence that informs that plan; it does not author or maintain the plan itself |
| R1.2 — Include in plans: verification of software integrity, authenticity of software | IN-03, IA-02 | Strong | Module manifest integrity (IN-03) provides cryptographic verification of every module's identity and capability declaration before activation — directly implementing software integrity and authenticity verification for AI supply chain components at the dispatch layer |
| R1.2 — Include in plans: vendor remote access, notification of known vulnerabilities | EN-01, EN-02, GV-05 | Partial — Access Boundary Only | Pre-egress enforcement (EN-01), subordinate-side gate (EN-02), and model-alignment-independent policy enforcement (GV-05) constrain what AI agents from any vendor can do at runtime, regardless of the vendor's internal security posture. Vendor remote access controls and vulnerability notification obligations are contractual and organizational |
| R1.2 — Include in plans: disclosure practices for incidents involving supply chain vendors | AU-01, AU-02, AU-03, EN-04 | Partial — Evidence Substrate | Per-invocation audit record, append-only integrity, dual audit trail, and tamper-evident governed egress audit provide the complete forensic record of every AI agent dispatch event — supporting incident disclosure obligations with an auditable evidence chain. The disclosure process itself is an organizational obligation |
| R2 — Implement the supply chain risk management plan | GV-05, IA-01, IA-02, EN-01 | Partial — Technical Control Layer | Model-alignment-independent policy enforcement (GV-05) applies governance constraints to all AI vendors' agents structurally; attested identity (IA-01, IA-02) enforces vendor identification at every dispatch; pre-egress enforcement (EN-01) applies consistent rules regardless of vendor origin. CIP-013 R2 requires implementing an approved supply chain risk management plan — an organizational governance obligation. SDOS provides the technical control layer that the plan specifies; plan approval, scope definition, and periodic review are organizational obligations |
| R3 — Review and update the supply chain risk management plan at least every 15 months | IN-01, RS-01, DE-01, DE-02 | Weak — Substrate Only | Governance baseline integrity verification (IN-01) ensures the AI governance controls specified in the supply chain plan are operating from a known, authorized state — supporting plan review with current control-state evidence. ROSI evaluation (RS-01) generates quantitative effectiveness data for each governance dimension, directly informing the risk-adjusted review of whether existing supply chain controls remain adequate. Governed deliberation panels (DE-01/DE-02) can structure the plan review process at the AI layer: a multi-agent assessment of AI supply chain posture produces a convergence-based decision record suitable as an audit artifact. The review process itself — plan approval, scope updates, senior management sign-off — is an organizational obligation |
Outside SDOS Operational Boundary¶
The following NERC CIP obligations fall outside the SDOS runtime governance boundary and require complementary organizational, OT, and physical controls:
| NERC CIP Requirement | Why Outside SDOS Scope |
|---|---|
| CIP-002 — BES Cyber System Categorization (High/Medium/Low Impact classification) | Asset categorization is an organizational compliance determination; SDOS does not identify, classify, or inventorize BES Cyber Assets |
| CIP-004 — Personnel & Training (background investigations, training programs) | Human resources and organizational obligation; no AI governance analog |
| CIP-006 — Physical Security of BES Cyber Systems | Physical access controls, visitor management, PSP maintenance |
| CIP-008 — Incident Reporting and Response Planning (NERC notification obligations) | Regulatory reporting obligation; SDOS audit records support factual basis but notification is an organizational governance process |
| CIP-009 — Recovery Plans for BES Cyber Systems | BES restoration, backup, recovery — infrastructure continuity outside governance layer |
| CIP-011 — Information Protection (BES Cyber System Information classification and handling) | Data classification and information protection are organizational; SDOS does not handle or store BCS information |
| CIP-014 — Physical Security (transmission stations, substations) | Physical threat assessment and physical security planning; no software governance analog |
| OT-layer patch management (CIP-007 R2 cadence) | Model and infrastructure patching cadence is an operational security obligation outside the governance layer |
| Malware detection tooling (CIP-007 R3 signature-based prevention) | EDR/AV tooling; SDOS provides behavioral containment, not signature detection |
Strongest SDOS Alignment — NERC CIP¶
Three NERC CIP requirement areas where SDOS alignment is structurally strongest:
1. Default-Deny Electronic Access Control (CIP-003 Att. 1 Sec. 3, CIP-005 R1.2)
CIP-003-8 Attachment 1 Section 3 requires electronic access controls for Low Impact BES Cyber Systems. SDOS implements default-deny posture at the AI agent dispatch boundary: SDOS-GV-03 (Default-Deny Pre-Admission Policy) and SDOS-AD-01 (Default-Deny Agent Pre-Admission) mean no AI agent executes governed operations without explicit admission authorization. Identity is cryptographically verified before admission is evaluated. This structural default-deny posture is not a configuration option — it is the architectural foundation. The same posture applies at the AI-dispatch-layer analog of the ESP boundary addressed by CIP-005 R1.2.
2. Security Event Logging (CIP-007 R4.1, R4.2)
CIP-007 requires security event logging at the BES Cyber System level. SDOS-AU-01 generates a structured audit record for every AI agent dispatch decision before any execution occurs — capturing agent identity, operation type, governance decision (permit/modify/block), and timestamp. SDOS-AU-02 maintains append-only integrity so the record cannot be altered without detection. SDOS-AU-03 maintains dual repositories so the audit trail survives single-repository failure. This constitutes a complete logging implementation at the AI agent layer for the AI dispatch surface.
3. Supply Chain Integrity Verification (CIP-013 R1.2, R2)
AI model providers and agentic workflow vendors are supply chain actors under CIP-013. SDOS-IN-03 (Module Manifest Integrity) provides cryptographic verification of every module's declared identity and authorized capabilities before activation — implementing software integrity and authenticity verification for AI supply chain components at dispatch time. SDOS-IA-01 and SDOS-IA-02 verify agent and module identity at every invocation regardless of provider origin. SDOS-GV-05 (Model-Alignment-Independent Policy Enforcement) ensures governance constraints apply structurally to all vendors' AI agents — not through reliance on vendor-claimed alignment properties.
Energy Sector AI Deployment Context¶
Where AI Agents Are Entering the BES Environment¶
Electric utilities are deploying AI agents across grid operations (load forecasting, dispatch optimization), asset management (predictive maintenance, anomaly detection), energy trading (market participation, price optimization), and cybersecurity operations (alert triage, threat correlation). Each deployment creates an autonomous execution surface that operates within or adjacent to BES Cyber Systems.
The regulatory gap is specific: NERC CIP governs access to and security of BES Cyber Systems. It does not govern the AI agent that issues commands through an authorized access path. An AI agent operating through an authenticated, authorized connection that invokes grid operations tools without governance is operating within the letter of NERC CIP while creating a risk profile that NERC CIP's access and logging requirements were not designed to address.
SDOS governs that gap. The AI agent dispatch layer — where SDOS operates — is the decision layer above the access layer. Access controls tell you who can connect; SDOS tells you what the agent is authorized to do and records every decision.
FERC Order 887 and AI Governance Implications¶
FERC Order 887 (January 2023) directed NERC to develop new or modified reliability standards addressing the cybersecurity risks associated with inverter-based resources (IBRs). The order demonstrates that FERC will direct reliability standard development when emerging technology interfaces create BES cybersecurity gaps. No AI-specific NERC CIP standard has been issued as of this document's publication date, and FERC Order 887 does not address AI agents directly. Entities deploying AI in grid operations should treat current NERC CIP compliance as a floor, not a ceiling, for AI governance maturity — and monitor NERC standards development for future AI-specific requirements.
DOE AI for Critical Infrastructure¶
The U.S. Department of Energy's initiatives on AI for grid modernization (including the Grid Modernization Initiative and AI for Energy programs) create pressure for utilities to deploy AI at scale. SDOS provides the runtime governance layer that ensures AI agents operating in grid environments are admitted, verified, dispatched under policy, and audited — at every invocation.
Relationship to Other Frameworks¶
Entities subject to NERC CIP frequently operate under additional compliance obligations. SDOS maps to the frameworks most relevant to multi-framework critical infrastructure environments:
| Framework | Overlap Area |
|---|---|
| CMMC 2.0 | Defense industrial base overlap for utilities with DoD contracts; CUI handling requirements |
| NIST AI RMF | AI risk management; SDOS is the control catalog mapped to NIST AI RMF as primary focal document |
| FedRAMP Rev 5 | Federal cloud authorization; relevant for utilities operating cloud-hosted grid management systems |
| CIS Controls v8 | Endpoint and network security controls; complements NERC CIP at the IT layer |
| ISO 42001 | AI management system standard; useful for utilities building an enterprise AI governance program alongside NERC CIP compliance |
| NIST SP 800-82 | Guide to ICS/OT Security; provides the OT-layer security controls that complement SDOS AI-layer governance in BES environments |
Full framework library: SDOS Reference Library
Complete SDOS Control Coverage — NERC CIP¶
This table maps every SDOS control to the NERC CIP requirements it addresses. All 24 SDOS controls are represented. Controls with no direct NERC CIP requirement mapping reflect functions (deliberation, risk measurement) that produce evidence substrates supporting compliance but do not map to a discrete CIP requirement line item. Out-of-scope determinations reflect the SDOS operational boundary, not control deficiency.
| SDOS Control | Governance Function | NERC CIP Requirements Addressed | Highest Strength |
|---|---|---|---|
| GV-01 — Configuration-Governed Module Activation | Governance | CIP-003 R2, R3; CIP-005 R1.1, R1.3; CIP-007 R1.1, R5.3; CIP-010 R1.1, R1.2, R1.3; CIP-012 R1 (documentation); CIP-013 R2 | Strong (CIP-010 R1.1) |
| GV-02 — Governance-Tiered Model Selection | Governance | CIP-007 R5.1; CIP-010 R1.1 | Partial (contributes to Strong rows; not independently Strong) |
| GV-03 — Default-Deny Pre-Admission Policy | Governance | CIP-003 Att.1 Sec.3; CIP-005 R1.2; CIP-007 R5.5; CIP-010 R4 | Strong (CIP-003 Att.1 Sec.3) |
| GV-04 — Cross-Module Governance Continuity | Governance | CIP-003 R2; CIP-007 R5.4 | Weak — Substrate Only |
| GV-05 — Model-Alignment-Independent Policy Enforcement | Governance | CIP-005 R1.3; CIP-007 R1.1, R3; CIP-012 R1; CIP-013 R1.2, R2 | Partial |
| RM-01 — Dispatch-Time Risk Classification | Risk Management | CIP-013 R1.1, R1.2 | Partial |
| RM-02 — Complexity-Tiered Resource Allocation | Risk Management | CIP-013 R1.1 | Partial |
| RM-03 — Risk-Floor Model Binding | Risk Management | CIP-013 R1.1 | Partial |
| EN-01 — Pre-Egress Policy Enforcement | Enforcement | CIP-003 Att.1 Sec.3; CIP-005 R1.2, R1.4; CIP-007 R4.2; CIP-012 R1; CIP-013 R1.2, R2 | Strong (CIP-007 R4.2) |
| EN-02 — Subordinate-Side Enforcement Gate | Enforcement | CIP-005 R1.2; CIP-007 R4.2; CIP-012 R1; CIP-013 R1.2 | Strong (CIP-007 R4.2) |
| EN-03 — Fail-Closed Degradation | Enforcement | CIP-007 R3, R4.2 | Strong (CIP-007 R4.2) |
| EN-04 — Governed Egress with Tamper-Evident Audit | Enforcement | CIP-007 R4.1; CIP-012 R1; CIP-013 R1.2 | Strong (CIP-007 R4.1) |
| IA-01 — Attested Agent Identity | Identity and Attestation | CIP-003 Att.1 Sec.3, Sec.5; CIP-005 R1.1, R1.4, R2; CIP-007 R5.1, R5.2, R5.4; CIP-010 R4; CIP-012 R1; CIP-013 R2 | Strong (CIP-003 Att.1 Sec.3) |
| IA-02 — Attested Module Identity | Identity and Attestation | CIP-003 Att.1 Sec.5; CIP-005 R2; CIP-007 R5.2, R5.4; CIP-010 R4; CIP-013 R1.1, R1.2 | Strong (CIP-013 R1.2) |
| AU-01 — Per-Invocation Audit Record | Audit | CIP-007 R4.1, R4.2, R5.5; CIP-012 R1 (Weak — plan substrate); CIP-013 R1.2 | Strong (CIP-007 R4.1) |
| AU-02 — Append-Only Audit Log Integrity | Audit | CIP-007 R4.1, R4.3; CIP-010 R2; CIP-012 R1 (Weak — plan substrate); CIP-013 R1.2 | Strong (CIP-007 R4.1) |
| AU-03 — Dual Audit Trail | Audit | CIP-007 R4.1, R4.3; CIP-012 R1 (Weak — plan substrate); CIP-013 R1.2 | Strong (CIP-007 R4.1) |
| IN-01 — Governance Baseline Integrity Verification | Integrity | CIP-003 R3; CIP-007 R2, R5.3; CIP-010 R1.1, R1.2, R1.3, R2; CIP-012 R1 (documentation); CIP-013 R3 | Strong (CIP-010 R1.2) |
| IN-02 — Baseline Drift Detection and System Halt | Integrity | CIP-003 R3; CIP-007 R2; CIP-010 R1.2, R2 | Strong (CIP-010 R1.2) |
| IN-03 — Module Manifest Integrity | Integrity | CIP-007 R2; CIP-010 R1.4; CIP-013 R1.2 | Strong (CIP-010 R1.4) |
| DE-01 — Governed Multi-Agent Deliberation | Deliberation | CIP-003 R1, R2; CIP-013 R1.1, R3 | Weak — Substrate Only |
| DE-02 — Convergence-Based Decision Record | Deliberation | CIP-003 R1, R2; CIP-013 R1.1, R3 | Weak — Substrate Only |
| RS-01 — Governed ROSI Evaluation | Risk Measurement | CIP-003 R1; CIP-010 R3; CIP-013 R3 | Weak — Substrate Only |
| AD-01 — Default-Deny Agent Pre-Admission | Admission | CIP-003 Att.1 Sec.3; CIP-005 R1.2; CIP-007 R5.5; CIP-010 R4 | Strong (CIP-003 Att.1 Sec.3) |
Coverage Summary¶
| Category | Count |
|---|---|
| SDOS controls with at least one Strong mapping | 11 of 24 |
| SDOS controls with Partial mapping (no Strong) | 9 of 24 |
| SDOS controls with Weak / Substrate-Only mapping only | 4 of 24 |
| SDOS controls with no direct CIP mapping (out-of-scope domain) | 0 of 24 |
| NERC CIP standards with SDOS mapping table | 6 of 13 (CIP-003, CIP-005, CIP-007, CIP-010, CIP-012, CIP-013) |
| NERC CIP standards out of scope by design | 7 of 13 (CIP-002, CIP-004, CIP-006, CIP-008, CIP-009, CIP-011, CIP-014) |
Every SDOS control touches at least one NERC CIP requirement. No control is dead weight in a BES AI deployment context.
Architectural Positioning¶
SDOS operates at the dispatch-time enforcement layer — the moment immediately before an AI agent invokes a tool, makes a decision, or produces an output. The SDOS framework does not replace organizational, physical, or personnel cybersecurity controls. It provides a runtime layer that enforces governance policy at the boundary where AI agents act, adding an architectural layer of cybersecurity assurance for AI-augmented operations.
For alignment purposes, SDOS supports the operational and technical requirements addressing how AI-driven cyber operations are deployed, monitored, and audited. Requirements addressing the organizational, physical, or personnel layer fall outside the SDOS scope and require separate controls.
Maintenance¶
This document is maintained by AAM Cyber as part of the SDOS Reference Library. The library currently covers 17 framework alignments: NIST AI RMF 1.0, NIST CSF 2.0, NIST SP 800-53 Rev 5.2.0, NIST AI 600-1, EU AI Act, DORA, HIPAA, PCI-DSS v4.0, CIS Controls v8, ISO 42001, FedRAMP Rev 5, CMMC 2.0, SOC 2, NAIC MDL-668, NERC CIP, IEEE P2863 (draft), and FAA UAS/AAM (principles-mapped). Version history for every framework alignment is published at /sdos/reference/changelog/.
Subsequent updates to this alignment page will be issued when: (1) screening feedback from a recognized standards body requires revision, (2) the focal framework releases a revision requiring mapping review, or (3) SDOS controls are added or retired affecting the alignment.
Intellectual Property¶
The SDOS Runtime Governance Framework was invented by Pharns Genece. Aspects of the framework are the subject of pending U.S. Provisional Patent Applications 64/029,300, 64/049,300, 64/067,427, 64/069,200, and 64/076,620. The scope of pending claims is defined by the as-filed specifications and is not coextensive with the descriptions in this document. AAM Cyber, all rights reserved unless otherwise indicated.
Patent inquiries should be directed to AAM Cyber at aamcyber.com.
Contact¶
AAM Cyber
aamcyber.com
Electric utilities, reliability coordinators, and OT security teams developing AI governance programs for NERC CIP-covered environments: [email protected]
SDOS Runtime Governance Framework — NERC CIP Alignment. Version 1.3. Published 2026-05-12.