Control Families

AWOSS-GOV: Governance, Exceptions, And Change Management

Working draft

This page renders the current awoss working draft. It is not a released standard, certification program, compliance framework, legal analysis, endorsement, or public conformance claim.

Objective:

The scoped agentic workspace system should have accountable governance for policy decisions, deployment approval, exceptions, changes, risk acceptance, review cadence, procurement or supplier due diligence, AI literacy, and future claim language.

Primary layer: organization and governance.

Typical owner: governance/risk owner and accountable business sponsor.

Applicability:

Applies when agentic workspace systems are deployed, expanded, reviewed, marketed, mapped to external frameworks, or used to support security, compliance, procurement, supplier, legal, or assurance discussions.

Level 1 Candidate Requirements

AWOSS-GOV-L1-001: The scoped agentic workspace system MUST identify the governance owner or owner group responsible for accepting the system boundary, target level, claim limits, external mapping statements, and known gaps.

AWOSS-GOV-L1-002: The scoped agentic workspace system MUST document exceptions, assumptions, and risk acceptances that materially affect candidate control interpretation, including the owner, the rationale, and an expiry or review date where applicable.

AWOSS-GOV-L1-003: The scoped agentic workspace system MUST use conservative claim language for working-draft use and MUST NOT claim awoss compliance, certification, legal compliance, approval, endorsement, or complete coverage of any external standard.

Level 2 Candidate Requirements

AWOSS-GOV-L2-001: The scoped agentic workspace system MUST define a review cadence or trigger-based review process for production systems. Review triggers include boundary changes, new high-impact action authority, new trusted sources, material policy changes, supplier or provider changes, external standards changes, and unresolved validation findings.

AWOSS-GOV-L2-002: The scoped agentic workspace system MUST maintain an exception and risk acceptance register for material gaps, recording for each entry the owner, rationale, expiry or review date, evidence basis, claim limit, and remediation plan where applicable.

AWOSS-GOV-L2-003: The scoped agentic workspace system SHOULD coordinate security, risk, business, runtime, workspace, source, and evidence owners before expanding agent authority, accepting persistent exceptions, changing high-impact suppliers or sources, or making external mapping statements.

Level 3 Candidate Requirements

AWOSS-GOV-L3-001: The scoped agentic workspace system MUST require separated or independent review for high-assurance deployment changes, persistent exceptions, high-impact source or supplier changes, and material claim-language or external-mapping changes.

AWOSS-GOV-L3-002: The scoped agentic workspace system MUST test governance procedures for incident escalation, emergency stop, rollback, exception expiry, reassessment, evidence access, and disclosure or notification decision routing in high-impact environments.

AWOSS-GOV-L3-003: The scoped agentic workspace system SHOULD maintain a formal reassessment process tied to release changes, provider changes, external standards changes, material incidents, control failures, regulatory changes, and recurring management review.

Minimum evidence examples:

  • governance owner record
  • deployment or boundary approval
  • AI literacy or role-training record
  • procurement or supplier due-diligence record
  • exception and risk acceptance register
  • review cadence or trigger policy
  • change-management record
  • claim-limit record
  • external mapping review record
  • reassessment or incident exercise record

Mapping notes:

  • The completed crosswalk treats AWOSS-GOV as a governance and claim-discipline family shaped by accountability, risk management, management-system, procurement, human oversight, exception handling, careful-adoption, risk-scoring, review-cadence, and claim-language signals drawn from the EU AI Act, OWASP AISVS, OWASP Agentic Skills Top 10, OWASP AIVSS, CSA AICM, CSA MAESTRO, NIST AI RMF, NIST AI 600-1, ISO/IEC 42001, ISO/IEC 23894, AIUC-1, Five Eyes guidance, and MITRE ATLAS. Governance records support bounded decision-making and mapping review; they do not create an external governance body, legal conclusion, certification path, or endorsement.

Claim limits:

  • Governance records support selected candidate controls and future review-readiness. They do not create legal compliance, ISO/IEC 42001 certification, EU AI Act conformity, a public governance body, auditor program, certification path, or external endorsement for awoss.