Section navigation
ARCS-OPB: Operator Boundary
Minimum Profile
The ARCS-OPB family addresses the question of what the operator is actually claiming responsibility for. The controls in this family govern scope declaration, boundary clarity, and the distinction between operator-governed activity and external or adjacent systems. These controls are grouped together because governance claims lose value when responsibility boundaries are vague. An operator cannot make meaningful custody, deletion, or audit statements unless the governed perimeter is stated clearly.
The formal definition and scope of this family are maintained in the Standard.
| Control | Description |
|---|---|
| OPB-01 | The operator SHALL define operator boundary: all systems creating, transmitting, storing, or logging interaction records. |
| OPB-02 | The operator SHALL list in-scope systems: applications, APIs, model providers, storage, logging, analytics, safety, backup. |
| OPB-03 | Vendor inclusion rule: the operator SHALL treat a vendor as inside the boundary if the operator sends records to, causes records at, or relies on the vendor for storage or deletion. |
| OPB-04 | Out-of-scope systems: the operator SHALL document why, what records exist, deletion control, preservation capability. |
| OPB-05 | Boundary change procedure: the operator SHALL update custody surface and retention posture when architecture changes. |