{"schema_version":"osuite.buyer_assurance.v1","generated_at":"2026-06-04T02:41:21.642Z","summary":{"buyer_pack_count":7,"curated_plugin_count":14,"official_plugin_count":6,"strategic_watch_count":3,"assurance_pack_count":3,"control_surface_count":9,"runtime_contract_item_count":13},"procurement_message":"OSuite already has the governance substrate. This procurement pack turns that substrate into buyer-consumable control, deployment, and evidence artifacts.","control_matrix":{"schema_version":"osuite.buyer_assurance.v1","standards":[{"id":"eu_ai_act","label":"EU AI Act","focus":"Risk management, human oversight, technical documentation, and traceability."},{"id":"iso_42001","label":"ISO/IEC 42001","focus":"AI management system discipline, governance ownership, and operational controls."},{"id":"nist_ai_rmf","label":"NIST AI RMF","focus":"Govern, map, measure, and manage controls for AI systems."},{"id":"soc2","label":"SOC 2","focus":"Security, change discipline, auditability, and control evidence."},{"id":"owasp_agentic_top_10","label":"OWASP Agentic Top 10","focus":"Agent-specific abuse paths such as tool misuse, goal hijacking, identity abuse, and memory poisoning."},{"id":"owasp_mcp_top_10","label":"OWASP MCP Top 10","focus":"MCP and agent-tool perimeter risks, capability exposure, and request trust."}],"rows":[{"id":"workspace_governance_boundary","title":"Workspace governance boundary","status":"available","summary":"OSuite binds approvals, policy, replay, and exports to a real workspace boundary instead of a vendor-global runtime shell.","evidence_refs":["/api/governance/posture","/docs/workspace-governance","/docs/governance-posture"],"standard_status":{"eu_ai_act":"available","iso_42001":"available","nist_ai_rmf":"available","soc2":"available","owasp_agentic_top_10":"partial","owasp_mcp_top_10":"partial"},"standards":[{"id":"eu_ai_act","label":"EU AI Act","status":"available"},{"id":"iso_42001","label":"ISO/IEC 
42001","status":"available"},{"id":"nist_ai_rmf","label":"NIST AI RMF","status":"available"},{"id":"soc2","label":"SOC 2","status":"available"},{"id":"owasp_agentic_top_10","label":"OWASP Agentic Top 10","status":"partial"},{"id":"owasp_mcp_top_10","label":"OWASP MCP Top 10","status":"partial"}]},{"id":"runtime_stage_control","title":"Runtime-stage control projection","status":"available","summary":"Runtime-stage receipts preserve pre_input, pre_tool, post_tool, and pre_output decisions without surrendering final certificate authority.","evidence_refs":["/api/runtime-governance/contract","/docs/agt-runtime-bridge","/docs/neutral-runtime-contract"],"standard_status":{"eu_ai_act":"available","iso_42001":"partial","nist_ai_rmf":"available","soc2":"partial","owasp_agentic_top_10":"available","owasp_mcp_top_10":"partial"},"standards":[{"id":"eu_ai_act","label":"EU AI Act","status":"available"},{"id":"iso_42001","label":"ISO/IEC 42001","status":"partial"},{"id":"nist_ai_rmf","label":"NIST AI RMF","status":"available"},{"id":"soc2","label":"SOC 2","status":"partial"},{"id":"owasp_agentic_top_10","label":"OWASP Agentic Top 10","status":"available"},{"id":"owasp_mcp_top_10","label":"OWASP MCP Top 10","status":"partial"}]},{"id":"approval_orchestration","title":"Deterministic approval orchestration","status":"available","summary":"OSuite can pause, route, approve, deny, and preserve approval receipts where the runtime exposes real control points.","evidence_refs":["/approvals","/api/governance/proof","/docs/system-card"],"standard_status":{"eu_ai_act":"available","iso_42001":"available","nist_ai_rmf":"available","soc2":"available","owasp_agentic_top_10":"available","owasp_mcp_top_10":"partial"},"standards":[{"id":"eu_ai_act","label":"EU AI Act","status":"available"},{"id":"iso_42001","label":"ISO/IEC 42001","status":"available"},{"id":"nist_ai_rmf","label":"NIST AI RMF","status":"available"},{"id":"soc2","label":"SOC 
2","status":"available"},{"id":"owasp_agentic_top_10","label":"OWASP Agentic Top 10","status":"available"},{"id":"owasp_mcp_top_10","label":"OWASP MCP Top 10","status":"partial"}]},{"id":"replay_and_proof","title":"Replay and proof bundle closure","status":"available","summary":"Proof bundles, verification, replay traces, and attestation integrity create a buyer-visible evidence chain.","evidence_refs":["/api/governance/proof?format=bundle","/api/governance/proof/verify","/docs/enterprise-assurance"],"standard_status":{"eu_ai_act":"available","iso_42001":"available","nist_ai_rmf":"available","soc2":"available","owasp_agentic_top_10":"partial","owasp_mcp_top_10":"partial"},"standards":[{"id":"eu_ai_act","label":"EU AI Act","status":"available"},{"id":"iso_42001","label":"ISO/IEC 42001","status":"available"},{"id":"nist_ai_rmf","label":"NIST AI RMF","status":"available"},{"id":"soc2","label":"SOC 2","status":"available"},{"id":"owasp_agentic_top_10","label":"OWASP Agentic Top 10","status":"partial"},{"id":"owasp_mcp_top_10","label":"OWASP MCP Top 10","status":"partial"}]},{"id":"identity_and_trust_substrate","title":"Identity and trust substrate","status":"available","summary":"Workspace IAM, identity trust graph, wallet binding, trust grants, and partner identity receipts provide an explicit trust basis.","evidence_refs":["/api/governance/posture","/docs/enterprise-iam","/docs/governance-posture"],"standard_status":{"eu_ai_act":"available","iso_42001":"available","nist_ai_rmf":"available","soc2":"available","owasp_agentic_top_10":"available","owasp_mcp_top_10":"available"},"standards":[{"id":"eu_ai_act","label":"EU AI Act","status":"available"},{"id":"iso_42001","label":"ISO/IEC 42001","status":"available"},{"id":"nist_ai_rmf","label":"NIST AI RMF","status":"available"},{"id":"soc2","label":"SOC 2","status":"available"},{"id":"owasp_agentic_top_10","label":"OWASP Agentic Top 10","status":"available"},{"id":"owasp_mcp_top_10","label":"OWASP MCP Top 
10","status":"available"}]},{"id":"plugin_boundary_model","title":"Curated plugin and partner boundary model","status":"available","summary":"Curated plugin exchange plus signed manifests, bounded scopes, and partner authority limits reduce integration ambiguity for buyers.","evidence_refs":["/api/plugins/exchange","/docs/plugin-exchange"],"standard_status":{"eu_ai_act":"partial","iso_42001":"available","nist_ai_rmf":"available","soc2":"available","owasp_agentic_top_10":"available","owasp_mcp_top_10":"available"},"standards":[{"id":"eu_ai_act","label":"EU AI Act","status":"partial"},{"id":"iso_42001","label":"ISO/IEC 42001","status":"available"},{"id":"nist_ai_rmf","label":"NIST AI RMF","status":"available"},{"id":"soc2","label":"SOC 2","status":"available"},{"id":"owasp_agentic_top_10","label":"OWASP Agentic Top 10","status":"available"},{"id":"owasp_mcp_top_10","label":"OWASP MCP Top 10","status":"available"}]},{"id":"deployment_boundary_pack","title":"Deployment and boundary packaging","status":"available","summary":"Hosted, self-hosted, Azure Marketplace, and Teams collaboration paths are documented as different operational boundaries.","evidence_refs":["/readiness/deployment-profiles","/readiness/compliance-procurement","/docs/enterprise-assurance"],"standard_status":{"eu_ai_act":"partial","iso_42001":"available","nist_ai_rmf":"available","soc2":"available","owasp_agentic_top_10":"partial","owasp_mcp_top_10":"partial"},"standards":[{"id":"eu_ai_act","label":"EU AI Act","status":"partial"},{"id":"iso_42001","label":"ISO/IEC 42001","status":"available"},{"id":"nist_ai_rmf","label":"NIST AI RMF","status":"available"},{"id":"soc2","label":"SOC 2","status":"available"},{"id":"owasp_agentic_top_10","label":"OWASP Agentic Top 10","status":"partial"},{"id":"owasp_mcp_top_10","label":"OWASP MCP Top 10","status":"partial"}]},{"id":"release_gate_discipline","title":"Release-gate and validation discipline","status":"available","summary":"Readiness, enterprise validation, 
benchmarks, and system-card language create a release discipline buyers can inspect.","evidence_refs":["/readiness/release-readiness","/readiness/benchmarks","/docs/system-card"],"standard_status":{"eu_ai_act":"partial","iso_42001":"available","nist_ai_rmf":"available","soc2":"available","owasp_agentic_top_10":"partial","owasp_mcp_top_10":"partial"},"standards":[{"id":"eu_ai_act","label":"EU AI Act","status":"partial"},{"id":"iso_42001","label":"ISO/IEC 42001","status":"available"},{"id":"nist_ai_rmf","label":"NIST AI RMF","status":"available"},{"id":"soc2","label":"SOC 2","status":"available"},{"id":"owasp_agentic_top_10","label":"OWASP Agentic Top 10","status":"partial"},{"id":"owasp_mcp_top_10","label":"OWASP MCP Top 10","status":"partial"}]},{"id":"runtime_enforcement_depth","title":"Runtime enforcement depth disclosure","status":"available","summary":"OSuite distinguishes evidence import, advisory governance, approval-orchestrated governance, and runtime-enforced governance instead of pretending every runtime is equally governed.","evidence_refs":["/docs/system-card","/docs/agt-runtime-bridge","/api/runtime-governance/contract"],"standard_status":{"eu_ai_act":"available","iso_42001":"partial","nist_ai_rmf":"available","soc2":"partial","owasp_agentic_top_10":"available","owasp_mcp_top_10":"available"},"standards":[{"id":"eu_ai_act","label":"EU AI Act","status":"available"},{"id":"iso_42001","label":"ISO/IEC 42001","status":"partial"},{"id":"nist_ai_rmf","label":"NIST AI RMF","status":"available"},{"id":"soc2","label":"SOC 2","status":"partial"},{"id":"owasp_agentic_top_10","label":"OWASP Agentic Top 10","status":"available"},{"id":"owasp_mcp_top_10","label":"OWASP MCP Top 10","status":"available"}]}],"summary":{"surface_count":9,"available":9,"partial":0,"planned":0}},"runtime_governance_narrative":{"schema_version":"osuite.buyer_assurance.v1","title":"Enterprise runtime governance narrative","defensive_case":["Agent enthusiasm is no longer enough for 
enterprise deployment. Buyers now ask how unsafe or ambiguous actions are governed, approved, explained, replayed, and exported.","OSuite answers that demand by treating runtime governance, approval, replay, and proof as a tenant-visible control plane instead of a hidden SDK detail."],"authority_model":{"final_authority":"pcaa","runtime_governor":"Trust Boundary Runtime","explanation":"AGT or another external governor can enforce runtime controls close to execution, but OSuite remains the workspace approval, replay, export, and certificate layer."},"runtime_controls":{"supported_receipts":["agt.policy_receipt","agt.identity_receipt","agt.approval_receipt","agt.runtime_receipt","agt.relay_receipt","agt.registry_receipt"],"policy_stages":["pre_input","pre_tool","post_tool","pre_output"],"protocol_lanes":[{"id":"osuite_native","trust_posture":"certificate_authoritative","default_enabled":true},{"id":"messages_governed","trust_posture":"workspace_governed","default_enabled":true},{"id":"a2a_bridge","trust_posture":"delegated_transport","default_enabled":true},{"id":"web3_wallet_bridge","trust_posture":"wallet_bound","default_enabled":false},{"id":"agentic_payment_lane","trust_posture":"receipt_bound","default_enabled":false},{"id":"tap_signed_request","trust_posture":"signed_request","default_enabled":false},{"id":"trust_boundary_runtime","trust_posture":"runtime_enforced","default_enabled":true},{"id":"agentmesh_wire","trust_posture":"encrypted_mesh","default_enabled":true}],"governance_levels":[{"id":"l0","title":"Evidence Import","summary":"OSuite ingests evidence and supports replay, audit, and post-facto analysis."},{"id":"l1","title":"Advisory Governance","summary":"OSuite evaluates policy before execution, but the external runtime may not enforce the stop."},{"id":"l2","title":"Approval-Orchestrated Governance","summary":"OSuite can pause execution, wait for approval, and resume or deny deterministically."},{"id":"l3","title":"Runtime-Enforced 
Governance","summary":"OSuite sits at the real execution boundary and can enforce before side effects happen."}]},"partner_model":{"identity":"AIM strengthens identity substrate.","security":"AgentGuard contributes runtime and perimeter findings.","trust":"Attestix contributes verifiable trust and compliance materials.","enterprise":"Microsoft accelerator inputs strengthen readiness and buyer posture."},"non_goals":["Do not claim every integrated runtime is fully runtime-enforced.","Do not let plugins or partners replace PCAA certificate closure.","Do not imply transport, wallet signatures, or external policy engines are the system of record for workspace governance."]},"security_questionnaire":{"schema_version":"osuite.buyer_assurance.v1","title":"Security and procurement questionnaire pack","questions":[{"id":"approval_control","question":"How are high-risk agent actions approved?","answer":"OSuite preserves approval semantics as a portable checkpoint with approval receipts. Where the runtime exposes real control points, actions can pause, wait for approval, and resume or deny deterministically.","evidence_refs":["/approvals","/api/governance/proof","/docs/system-card"]},{"id":"runtime_boundary","question":"How do you prevent runtime controls from becoming hand-wavy policy claims?","answer":"OSuite publishes a runtime contract, governance authority split, protocol lanes, and external governor projection so buyers can inspect which layer truly controls execution and which only imports evidence.","evidence_refs":["/api/runtime-governance/contract","/docs/neutral-runtime-contract","/docs/agt-runtime-bridge"]},{"id":"identity_scope","question":"How are enterprise identity and agent identity scoped?","answer":"OSuite separates durable account identity from workspace authority, publishes an IAM capability surface, and enriches trust posture through a workspace identity trust 
graph.","evidence_refs":["/api/iam/capabilities","/api/governance/posture","/docs/enterprise-iam"]},{"id":"evidence_integrity","question":"What evidence can a security or audit team inspect after the fact?","answer":"Proof bundles, proof verification, replay traces, compliance exports, runtime-stage receipts, and partner trust materials are all projected into buyer-visible artifacts.","evidence_refs":["/api/governance/proof?format=bundle","/api/governance/proof/verify","/api/compliance/report?framework=soc2&format=json"]},{"id":"integration_boundary","question":"How do external plugins and partner integrations avoid taking over the control plane?","answer":"Plugin exchange entries are curated, signed, scope-limited, and explicitly categorized by role. PCAA remains the final authority even when identity, security, trust, or enterprise posture packs are enabled.","evidence_refs":["/api/plugins/exchange","/docs/plugin-exchange","/api/governance/posture"]},{"id":"deployment_boundary","question":"How are deployment ownership and buyer responsibilities made explicit?","answer":"OSuite publishes deployment profiles, release-readiness artifacts, and procurement-facing assurance packs so hosted, self-hosted, Azure Marketplace, and collaboration surfaces are treated as distinct operating modes.","evidence_refs":["/readiness/deployment-profiles","/readiness/compliance-procurement","/docs/enterprise-assurance"]}]},"deployment_boundary_pack":{"schema_version":"osuite.buyer_assurance.v1","title":"Deployment boundary pack","readiness_profiles":[{"id":"azure_well_architected_performance","label":"Azure Well-Architected — Performance Efficiency","focus":"Baseline load, burst concurrency, sustained soak validation, and latency ceilings for buyer-facing surfaces."},{"id":"azure_well_architected_reliability","label":"Azure Well-Architected — Reliability","focus":"Boundary protection, controlled failure probes, recoverability posture, and publication-stack 
resilience."},{"id":"owasp_api_security","label":"OWASP API Security / ASVS","focus":"Protected route enforcement, invalid credential rejection, SSRF-safe integration probes, and permission-boundary checks."},{"id":"nist_800_53_customer_readiness","label":"NIST SP 800-53 customer-readiness alignment","focus":"Access control, auditability, system protection, evidence integrity, and deployment assurance signals."}],"deployment_profiles":[{"id":"saas","title":"Hosted SaaS","network_boundary":"Public entry with hardened auth boundary, tenant-scoped API access, and managed publication stack.","operations":"OSuite operates upgrades, environment baselines, plugin exchange publication, and hosted runtime policy infrastructure.","monitoring_and_backup":"Centralized health, status, readiness artifacts, deployment validation, and managed operational backups.","identity_integration":"Account center, workspace roles, OIDC-capable identity posture, and break-glass operator isolation.","buyer_fit":"Design partners, regulated pilots, and teams that want rapid adoption with strong governance."},{"id":"self_host","title":"Private / self-hosted","network_boundary":"Customer-owned ingress, egress, secrets, and runtime execution boundary with explicit deployment responsibility.","operations":"Customer platform team owns day-2 operations while OSuite supplies deployment profile, validation expectations, and support posture.","monitoring_and_backup":"Customer-operated monitoring, retention, backup, restore, and incident response stack.","identity_integration":"Customer IdP, local admin bootstrap, and future SCIM/SSO integration posture for regulated enterprise deployment.","buyer_fit":"Highly regulated customers, private cloud deployments, regional data-boundary requirements."},{"id":"azure_marketplace","title":"Azure Marketplace","network_boundary":"Azure-centric regional boundary with customer-controlled networking, policy, and managed service choices.","operations":"Shared model: 
customer operates the deployment target while OSuite owns release artifacts, packaging guidance, and software lifecycle.","monitoring_and_backup":"Azure-native telemetry and backup patterns are expected to be customer-configured within their landing zone.","identity_integration":"Microsoft-centered enterprise identity and collaboration environments, including future Teams-connected governance flows.","buyer_fit":"Enterprise Azure customers, regional cloud buyers, procurement-driven teams."},{"id":"teams_plugin","title":"Teams plugin","network_boundary":"Microsoft 365 collaboration boundary backed by OSuite-hosted or customer-hosted control plane authority.","operations":"OSuite publishes and governs collaboration semantics; customer admins control enablement and review audience.","monitoring_and_backup":"Teams plugin is expected to inherit monitoring from the primary control plane and collaboration audit records.","identity_integration":"Microsoft 365 collaboration identity paired with OSuite account/workspace authority and explicit approval traces.","buyer_fit":"Review-heavy teams, security and governance committees, Microsoft 365-first enterprises."}],"roadmap_signals":[{"id":"saas-control-plane","status":"in_progress","target":"Q2 2026","title":"Hosted control plane hardening"},{"id":"self-host","status":"planned","target":"Q2–Q3 2026","title":"Private and self-hosted distribution"},{"id":"azure-marketplace","status":"planned","target":"Q3 2026","title":"Azure Marketplace offer"},{"id":"teams-plugin","status":"planned","target":"Q3 2026","title":"Teams and collaboration surface"}]},"approval_evidence_pack":{"schema_version":"osuite.buyer_assurance.v1","title":"Approval and evidence pack","checkpoints":[{"id":"pre_action_admissibility","title":"Pre-action admissibility","summary":"Evaluate whether the proposed action is allowed, warned, blocked, or approval-gated before side effects happen."},{"id":"action_open","title":"Action open","summary":"Create the 
portable action record that becomes the trust object for replay, scoring, and proof."},{"id":"assumption_capture","title":"Assumption capture","summary":"Record what the runtime believed or depended on so operators can replay the reasoning boundary later."},{"id":"approval_checkpoint","title":"Approval checkpoint","summary":"Pause, wait, or externally hold execution when policy requires a human checkpoint."},{"id":"outcome_closure","title":"Outcome closure","summary":"Write the final result, evidence, and status so the action certificate closes cleanly."}],"runtime_projection":[{"id":"runtime_stage_receipts","title":"Runtime stage receipts","summary":"Preserve pre_input, pre_tool, post_tool, pre_output checkpoints from the external governor so PCAA can prove runtime enforcement instead of only final outcomes."},{"id":"approval_receipts","title":"Approval receipts","summary":"Map external approval workflows into one portable receipt model so workspace approval state remains measurable across runtimes."},{"id":"release_compatibility","title":"Release compatibility surface","summary":"Track the upstream runtime governor release and SDK floor so bridge integrations do not silently drift."}],"action_envelope_fields":[{"key":"action_type","required":true,"summary":"Stable action taxonomy shared by operators, policy, replay, and scoring."},{"key":"declared_goal","required":true,"summary":"Human-readable intent for the action before side effects happen."},{"key":"approval_state","required":false,"summary":"Portable approval checkpoint state independent of runtime brand."},{"key":"trust_material_envelope","required":false,"summary":"Normalized trust material envelope that classifies wallet, credential, delegation, registry, and signature evidence into one portable structure."},{"key":"protocol_lane","required":false,"summary":"Declared interoperability lane used for this action, such as native, message-governed, A2A bridge, or signed-request 
transport."},{"key":"governance_stage_receipts","required":false,"summary":"Optional runtime stage receipts that preserve pre_input, pre_tool, post_tool, and pre_output enforcement results."},{"key":"approval_receipts","required":false,"summary":"Portable approval workflow receipts that preserve who approved, under which workflow, and with what evidence reference."}],"buyer_message":"OSuite does not only log outcomes. It preserves the path from admissibility through approval to proof closure in a portable evidence structure."},"claims_registry_pack":{"schema_version":"osuite.assurance_claims.v1","generated_at":"2026-06-04T02:41:21.642Z","claims":[{"id":"high_risk_action_gating","label":"High-risk action gating","frameworks":["EU AI Act","ISO/IEC 42001","NIST AI RMF"],"status":"planned","claimText":"Important high-risk actions can be reviewed and gated before side effects when runtime control points are available.","publicStatement":"We use OSuite to preserve pre-execution approval for important AI actions where runtime control points exist.","sharedResponsibility":"Customers still need to enable approval routing and choose runtimes that expose real pre-execution control points.","residualRisk":"No observe-only action paths are currently visible in this packet.","evidenceRefs":["/api/assurance/policy-enforcement","/api/assurance/frontier-governance","/api/governance/proof"],"coveragePercent":0},{"id":"externality_boundary_disclosure","label":"Externality boundary disclosure","frameworks":["EU AI Act","NIST AI RMF"],"status":"planned","claimText":"Governed actions disclose destination and consequence boundaries such as public destination, sensitive egress, external write, and destructive posture.","publicStatement":"We use OSuite to keep public-destination and external-write AI actions visible instead of hiding them inside generic logs.","sharedResponsibility":"Customers remain responsible for deciding which destinations and data classes are allowed for their 
deployment.","residualRisk":"No public-destination paths are currently called out in this packet.","evidenceRefs":["/api/assurance/policy-enforcement","/api/runtime-governance/contract","/api/governance/proof"],"coveragePercent":0},{"id":"connector_boundary_attestation","label":"Connector boundary attestation","frameworks":["ISO/IEC 42001","NIST AI RMF","OWASP MCP Top 10"],"status":"planned","claimText":"Connector admission, approved-client posture, and review dependency are exportable as buyer-readable trust boundaries.","publicStatement":"We use OSuite to show which AI connectors are governed, which rely on enterprise-owned OAuth, and which still require explicit review.","sharedResponsibility":"Customers still own connector allowlists, OAuth ownership policy, and vendor approval decisions.","residualRisk":"No outstanding review-required connector paths are currently highlighted.","evidenceRefs":["/api/assurance/connector-posture","/api/assurance/frontier-governance"],"coveragePercent":0},{"id":"account_provenance_attestation","label":"Account provenance attestation","frameworks":["ISO/IEC 42001","NIST AI RMF"],"status":"planned","claimText":"Governed action paths can distinguish company, personal, and unknown account provenance for enterprise review.","publicStatement":"We use OSuite to keep company-vs-personal account provenance visible in governed AI action paths.","sharedResponsibility":"Customers still decide which account classes are allowed and must remediate any personal-account paths.","residualRisk":"No personal-account action paths are currently highlighted.","evidenceRefs":["/api/assurance/connector-posture","/api/assurance/identity-admin-baseline"],"coveragePercent":0},{"id":"replayable_evidence_closure","label":"Replayable evidence closure","frameworks":["EU AI Act","ISO/IEC 42001","NIST AI RMF","SOC 2"],"status":"planned","claimText":"Important AI actions close into replayable proof and verification-ready evidence instead of disappearing as tool 
logs.","publicStatement":"We use OSuite to generate replayable evidence for important AI actions and their approval path.","sharedResponsibility":"Customers still choose retention policy, reviewer workflows, and external evidence export destinations.","residualRisk":"Proof-ready actions are matched by verification-ready evidence in this packet.","evidenceRefs":["/api/governance/proof?format=bundle","/api/governance/proof/verify","/api/assurance/lineage"],"coveragePercent":0},{"id":"shared_responsibility_boundary","label":"Shared responsibility boundary","frameworks":["ISO/IEC 42001","NIST AI RMF"],"status":"planned","claimText":"Deployment ownership, data boundary, and customer responsibilities are explicitly packaged instead of implied in sales conversations.","publicStatement":"We use OSuite to document where platform controls stop and customer deployment responsibilities begin.","sharedResponsibility":"This claim depends on the customer keeping deployment, identity, retention, and incident settings current.","residualRisk":"Data residency is still undeclared for this workspace and should not be over-claimed in public disclosures.","evidenceRefs":["/api/assurance/procurement-pack","/readiness/public-surfaces/procurement-assurance","/readiness/public-surfaces/deployment-profiles"],"coveragePercent":0}],"summary":{"status":"planned","headline":"The claim layer is available, but some evidence domains still need stronger packaging before customers claim coverage in public disclosures.","detail":"This packet turns runtime governance, connector posture, replay, and deployment boundary artifacts into explicit customer-facing claims with shared-responsibility language and residual-risk notes. The residual-risk notes describe what this packet currently shows, not what the deployment contains: every claim is still planned at 0% coverage and no runtime adapters are reporting, so a note that no risky paths are visible (or that all proof-ready actions are matched) is an absence-of-evidence statement and must not be read as a clean finding.","packetHref":"/api/assurance/claims-registry","exportHref":"/api/assurance/claims-registry?format=md&download=1","metrics":[{"key":"claims_total","label":"Claims","value":"6"},{"key":"claims_healthy","label":"Healthy claims","value":"0"},{"key":"claims_partial","label":"Partial 
claims","value":"0"},{"key":"runtime_adapters","label":"Runtime adapters","value":"0"}],"controls":[{"key":"high_risk_action_gating","label":"High-risk action gating","status":"planned","detail":"Important high-risk actions can be reviewed and gated before side effects when runtime control points are available. Public statement: We use OSuite to preserve pre-execution approval for important AI actions where runtime control points exist. Residual: No observe-only action paths are currently visible in this packet."},{"key":"externality_boundary_disclosure","label":"Externality boundary disclosure","status":"planned","detail":"Governed actions disclose destination and consequence boundaries such as public destination, sensitive egress, external write, and destructive posture. Public statement: We use OSuite to keep public-destination and external-write AI actions visible instead of hiding them inside generic logs. Residual: No public-destination paths are currently called out in this packet."},{"key":"connector_boundary_attestation","label":"Connector boundary attestation","status":"planned","detail":"Connector admission, approved-client posture, and review dependency are exportable as buyer-readable trust boundaries. Public statement: We use OSuite to show which AI connectors are governed, which rely on enterprise-owned OAuth, and which still require explicit review. Residual: No outstanding review-required connector paths are currently highlighted."},{"key":"account_provenance_attestation","label":"Account provenance attestation","status":"planned","detail":"Governed action paths can distinguish company, personal, and unknown account provenance for enterprise review. Public statement: We use OSuite to keep company-vs-personal account provenance visible in governed AI action paths. 
Residual: No personal-account action paths are currently highlighted."},{"key":"replayable_evidence_closure","label":"Replayable evidence closure","status":"planned","detail":"Important AI actions close into replayable proof and verification-ready evidence instead of disappearing as tool logs. Public statement: We use OSuite to generate replayable evidence for important AI actions and their approval path. Residual: Proof-ready actions are matched by verification-ready evidence in this packet."},{"key":"shared_responsibility_boundary","label":"Shared responsibility boundary","status":"planned","detail":"Deployment ownership, data boundary, and customer responsibilities are explicitly packaged instead of implied in sales conversations. Public statement: We use OSuite to document where platform controls stop and customer deployment responsibilities begin. Residual: Data residency is still undeclared for this workspace and should not be over-claimed in public disclosures."}],"owners":[{"role":"Compliance owner","owner":"Undeclared","status":"partial","detail":"Owns buyer-facing framework and control claims."},{"role":"Audit owner","owner":"Undeclared","status":"partial","detail":"Owns evidence defensibility and packet review."},{"role":"Privacy contact","owner":"Undeclared","status":"partial","detail":"Owns disclosure review for data and boundary statements."}],"facts":["Claims are evidence-backed support statements, not legal certification statements.","Every claim includes shared-responsibility language so customer disclosures do not imply vendor-only compliance.","Use this packet when procurement, legal, or security teams ask what customers can defensibly say in public or in security reviews."],"linkedRecords":[{"title":"AI trust disclosure","href":"/api/assurance/ai-trust-disclosure"},{"title":"Compliance coverage","href":"/api/assurance/compliance-coverage"},{"title":"Procurement 
pack","href":"/api/assurance/procurement-pack"}]}},"ai_trust_disclosure_pack":{"schema_version":"osuite.assurance_claims.v1","generated_at":"2026-06-04T02:41:21.642Z","public_statements":["- We use OSuite to preserve pre-execution approval for important AI actions where runtime control points exist.","- We use OSuite to keep public-destination and external-write AI actions visible instead of hiding them inside generic logs.","- We use OSuite to show which AI connectors are governed, which rely on enterprise-owned OAuth, and which still require explicit review.","- We use OSuite to keep company-vs-personal account provenance visible in governed AI action paths.","- We use OSuite to generate replayable evidence for important AI actions and their approval path.","- We use OSuite to document where platform controls stop and customer deployment responsibilities begin."],"summary":{"status":"planned","headline":"Customers now have a Trust Center packet that translates OSuite governance into public AI trust language without claiming more than the evidence supports.","detail":"This packet is designed for website trust pages, security answer packs, press responses, and board-facing summaries. 
It turns OSuite governance posture into externally explainable statements plus clear shared-responsibility caveats.","packetHref":"/api/assurance/ai-trust-disclosure","exportHref":"/api/assurance/ai-trust-disclosure?format=md&download=1","metrics":[{"key":"public_statements","label":"Public statements","value":"6"},{"key":"disclosure_ready_claims","label":"Disclosure-ready claims","value":"0"},{"key":"public_destinations","label":"Public destinations","value":"0"},{"key":"personal_accounts","label":"Personal accounts","value":"0"}],"controls":[{"key":"high_risk_action_governance","label":"High-risk action governance","status":"planned","detail":"Public claims can now say that important AI actions are routed through reviewable governance points where runtime control points exist."},{"key":"public_boundary_disclosure","label":"Public boundary disclosure","status":"planned","detail":"Public claims can now explain public destinations, external writes, and sensitive egress boundaries as explicit governance objects."},{"key":"proof_and_audit_evidence","label":"Proof and audit evidence","status":"planned","detail":"Public claims can now point to replayable evidence rather than only dashboard screenshots or security-review prose."},{"key":"shared_responsibility","label":"Shared responsibility","status":"planned","detail":"The packet explicitly tells customers where OSuite controls stop and where customer deployment, identity, DLP, and legal review still matter."}],"facts":["Use this packet for public trust pages, customer trust centers, procurement answer packs, and press-safe AI governance explanations.","Do not state that a framework is certified, or that it is fully complied with as a matter of law, unless the customer separately holds that certification or legal determination.","Good public claims should name the control, the scope, and the residual exceptions."],"owners":[{"role":"Disclosure reviewer","owner":"Undeclared","status":"partial","detail":"Reviews public AI trust statements before 
publication."},{"role":"Security evidence owner","owner":"Undeclared","status":"partial","detail":"Confirms the evidence still backs the published statements."}],"linkedRecords":[{"title":"Claims registry","href":"/api/assurance/claims-registry"},{"title":"Compliance coverage","href":"/api/assurance/compliance-coverage"},{"title":"Connector posture","href":"/api/assurance/connector-posture"}]}},"compliance_coverage_pack":{"schema_version":"osuite.assurance_claims.v1","generated_at":"2026-06-04T02:41:21.642Z","frameworks":[{"id":"eu_ai_act","label":"EU AI Act","status":"planned","coveragePercent":0,"detail":"3 claim domain(s) contribute to this framework coverage view. This percentage reflects evidence-backed control support, not legal certification."},{"id":"iso_42001","label":"ISO/IEC 42001","status":"planned","coveragePercent":0,"detail":"5 claim domain(s) contribute to this framework coverage view. This percentage reflects evidence-backed control support, not legal certification."},{"id":"nist_ai_rmf","label":"NIST AI RMF","status":"planned","coveragePercent":0,"detail":"5 claim domain(s) contribute to this framework coverage view. 
This percentage reflects evidence-backed control support, not legal certification."}],"exceptions":["High-risk action gating: No observe-only action paths are currently visible in this packet.","Externality boundary disclosure: No public-destination paths are currently called out in this packet.","Connector boundary attestation: No outstanding review-required connector paths are currently highlighted.","Account provenance attestation: No personal-account action paths are currently highlighted.","Replayable evidence closure: Proof-ready actions are matched by verification-ready evidence in this packet.","Shared responsibility boundary: Data residency is still undeclared for this workspace and should not be over-claimed in public disclosures."],"summary":{"status":"planned","headline":"OSuite can now show framework-aligned coverage as evidence-backed control support instead of a vague “we support AI laws” statement.","detail":"Coverage values in this packet are designed for procurement and security review. They quantify how much evidence-backed control support is visible for each framework family while preserving exceptions and shared responsibility.","packetHref":"/api/assurance/compliance-coverage","exportHref":"/api/assurance/compliance-coverage?format=md&download=1","metrics":[{"key":"frameworks","label":"Frameworks","value":"3"},{"key":"healthy_frameworks","label":"Healthy frameworks","value":"0"},{"key":"partial_frameworks","label":"Partial frameworks","value":"0"},{"key":"exceptions","label":"Exceptions","value":"6"}],"classes":[{"key":"eu_ai_act","label":"EU AI Act","status":"planned","count":"0%","detail":"3 claim domain(s) contribute to this framework coverage view. This percentage reflects evidence-backed control support, not legal certification."},{"key":"iso_42001","label":"ISO/IEC 42001","status":"planned","count":"0%","detail":"5 claim domain(s) contribute to this framework coverage view. 
This percentage reflects evidence-backed control support, not legal certification."},{"key":"nist_ai_rmf","label":"NIST AI RMF","status":"planned","count":"0%","detail":"5 claim domain(s) contribute to this framework coverage view. This percentage reflects evidence-backed control support, not legal certification."}],"facts":["Coverage percentages describe evidence-backed control support, not legal certification.","Use this packet to explain where OSuite materially helps a framework review and where customer controls or legal review still carry the remaining burden.","Residual exceptions remain visible so customers do not over-claim complete coverage."],"states":["Method: healthy claims score 1.0, partial claims score 0.5, planned claims score 0.0.","Coverage only counts claim domains that are mapped into a framework family.","Coverage is meant for buyer review and control-planning, not for legal opinions."],"linkedRecords":[{"title":"Claims registry","href":"/api/assurance/claims-registry"},{"title":"AI trust disclosure","href":"/api/assurance/ai-trust-disclosure"},{"title":"Procurement pack","href":"/api/assurance/procurement-pack"}]}},"assurance_packs":{"standards":[{"id":"regional_governance","title":"Regional governance packs","summary":"Japan, EU, and North America buyer-ready narratives that connect runtime governance to enterprise operating expectations."},{"id":"deployment_safety","title":"System-card and release-gate discipline","summary":"Product release discipline tied to runtime coverage, validation evidence, safeguards, and known limitations."},{"id":"identity_and_access","title":"Enterprise IAM and separation of duties","summary":"Identity-provider support, role boundaries, provisioning posture, and break-glass isolation for enterprise review."},{"id":"privacy_and_boundary","title":"Privacy, residency, and deployment boundary assurance","summary":"Residency, retention, privacy ownership, processor posture, and deployment responsibility made explicit 
for buyers."}],"packs":[{"id":"japan_enterprise","title":"Japan enterprise governance pack","status":"partial","region":"Japan","buyer_profile":"Risk, security, and operating committees evaluating enterprise AI governance in Japan.","standards":["Japan AI governance guidance","Internal lifecycle governance and named-owner expectations","Privacy-aware runtime evidence and operating-model disclosure"],"deliverables":["Workspace governance posture and named-owner summary","Replayable action evidence for high-risk runtime actions","Deployment profile and operational-boundary narrative"],"next_actions":["Harden buyer-grade export language for regional control owners.","Expand privacy and escalation evidence in formal exports."]},{"id":"eu_ai_act_gdpr","title":"EU AI Act and GDPR assurance pack","status":"partial","region":"European Union","buyer_profile":"Security, privacy, and procurement teams evaluating AI Act readiness, data protection posture, and deployment boundaries.","standards":["EU AI Act-oriented governance posture","GDPR / DPIA-style privacy and processor transparency","Residency, retention, and evidence portability expectations"],"deliverables":["Governance posture mapped to runtime coverage and evidence","Data residency, retention, and privacy ownership statements","Procurement-facing deployment and support posture"],"next_actions":["Increase export completeness for DPIA-style buyer workflows.","Make privacy posture more explicit in customer-visible surfaces."]},{"id":"north_america_enterprise","title":"North America enterprise readiness pack","status":"partial","region":"North America","buyer_profile":"Enterprise platform, security, and architecture teams assessing deployment safety, IAM maturity, and release discipline.","standards":["Deployment-safety and release-gate discipline","Enterprise IAM, auditability, and role separation","Private deployment and operational ownership clarity"],"deliverables":["System-card-aligned release readiness 
posture","IAM capability statement and deployment profile sheets","Validation evidence and boundary checks"],"next_actions":["Advance self-host buyer package and backup/recovery material.","Promote more IAM controls from preview to production-ready posture."]}],"summary":{"total_packs":3,"complete_packs":0,"partial_packs":3,"planned_packs":0}}}