Position in Governance Stack
Standard Context: ARCS v1.0
Published by: Vega Commons Project, Inc.
1. Purpose
This document defines the position of ARCS within the existing governance, security, privacy, and risk management framework stack.
ARCS does not replace existing standards. It defines a governance layer that is not addressed by current frameworks: the lifecycle, custody, retention, preservation, and deletion of interaction records generated by automated systems.
2. Record Lifecycle as a Governance Domain
Modern software systems increasingly generate interaction records through automated processes, including conversational systems, automated decision systems, workflow platforms, orchestration tools, and agentic or multi-service environments. These records may exist across multiple vendors, services, and internal systems.
Existing governance frameworks address the security of data, the privacy of personal information, the behavior of automated systems, operational controls, and audit and compliance requirements. No current framework defines governance for the full lifecycle of automated interaction records once they exist.
This gap creates risk across legal discovery, regulatory inquiry, audit and compliance review, internal investigation, and insurance exposure.
3. Governance Stack Overview
The modern governance stack operates across layered domains. ARCS occupies the record lifecycle layer:
| Layer | Function | Examples |
|---|---|---|
| Privacy / Data Protection | Governs personal data processing | GDPR, CCPA, HIPAA |
| Security Controls | Governs protection of systems and data | NIST SP 800-53, ISO 27001 |
| AI / Model Risk | Governs behavior of automated systems | NIST AI RMF, EU AI Act |
| Compliance / Audit | Governs operational assurance | SOC 2, internal controls |
| Record Lifecycle / Custody | Governs existence, retention, and custody of automated interaction records | ARCS v1.0 |
4. Relationship to Existing Standards
4.1 NIST SP 800-53
SP 800-53 defines security and privacy controls for information systems. It addresses access control, logging, auditing, and data protection. It does not define whether automated interaction records should exist, how long they should be retained, who holds custody across vendors, or when records must be preserved or deleted.
4.2 NIST AI Risk Management Framework
The NIST AI RMF addresses model behavior, risk management, and governance processes. It does not define lifecycle governance for interaction records produced during system use.
4.3 EU AI Act
The EU AI Act requires logging, documentation, and traceability for certain systems. It defines when records must exist. It does not define lifecycle governance after records are created, including custody, retention limits, cross-vendor propagation, or preservation posture.
4.4 ISO 27001 / SOC 2
ISO 27001 and SOC 2 define information security and control environments governing protection, availability, integrity, and access. They do not define governance for automated interaction records as a distinct class.
4.5 Privacy Law (GDPR / CCPA / other jurisdictions)
Privacy frameworks apply when records contain personal data. Automated interaction records may create risk even when they are not personal data. ARCS governs record lifecycle independent of data classification.
5. Scope of the Record Lifecycle Layer
Interaction records generated by automated systems may be created without user awareness, may exist across multiple vendors, may be retained by default, and may be discoverable in legal proceedings or regulatory inquiries. They may trigger regulatory obligations and create insurance exposure even when no breach occurs. The governance problem is defined by existence and custody, not by security or privacy alone.
6. Custody Surface and Multi-Vendor Systems
Modern systems often include client software, cloud services, model providers, logging services, evaluation pipelines, monitoring tools, and agent orchestration platforms. Interaction records may exist in any of these locations.
Existing frameworks do not define how custody is governed across this surface. ARCS defines the custody surface and the rules for lifecycle governance across it.
7. Preservation Posture and Legal Risk
Courts and regulators across jurisdictions increasingly treat automated interaction records as electronically stored information (ESI). Organizations may be required to preserve records, produce records, explain records, and audit records. Risk arises from the existence and retention of records, not only from misuse.
ARCS defines controls for retention limits, deletion policies, preservation triggers, and custody responsibility.
8. Scope
ARCS applies to automated interaction records, system-generated logs, conversational records, agent execution traces, workflow artifacts, evaluation outputs, and monitoring records.
ARCS does not define model safety, model training, system performance, privacy law compliance, or security controls. It defines lifecycle and custody governance.
9. Position in the Governance Stack
ARCS occupies the layer between system operation and legal, regulatory, and audit exposure. It governs the records that automated systems produce during operation and the lifecycle obligations that attach to those records. This layer is not addressed by the frameworks described above.
Vega Commons Project, Inc. | Position in Governance Stack | v3 | April 2026