# ARCS Enterprise Profile

**Standard:** Automated Record Custody Standard (ARCS) v1.0
**Published by:** Vega Commons Project, Inc.
**Version:** 1.0
**Date:** March 2026
**Status:** Normative conformance profile

## 1. Purpose

This document defines the Enterprise Profile for ARCS (Automated Record Custody Standard).

The Enterprise Profile builds on the ARCS Minimum Profile v1.0 by defining additional controls appropriate for organizations that deploy automated systems at scale, operate across multiple business units or jurisdictions, contract with multiple AI or automation vendors, face material legal discovery or regulatory inquiry exposure, or are subject to insurance, audit, or procurement due diligence.

The Enterprise Profile does not replace the Minimum Profile. It extends it. All Minimum Profile required controls remain required in this profile.

## 2. Scope

The Enterprise Profile applies to organizations that deploy automated or AI-assisted systems with interaction records across multiple departments, business units, or subsidiaries; operate multi-vendor AI or automation environments involving two or more model providers, logging services, or orchestration platforms; maintain contractual obligations that may require audit, preservation, or production of interaction records; are subject to material regulatory oversight, insurance coverage requirements, or litigation exposure related to AI or automated systems; or have internal legal, compliance, or risk functions with governance responsibilities over automated systems.

## 3. Profile Structure

The Enterprise Profile uses two control tiers:

| Tier | Definition |
|---|---|
| Required | Controls required by ARCS Minimum Profile v1.0. Unchanged in this profile. |
| Enterprise Enhanced | Additional controls required for Enterprise Profile conformance. These are not optional for organizations within the Enterprise Profile scope. |

Enterprise Enhanced controls address complexity that arises from scale, multi-vendor environments, regulated industries, and material legal exposure. They are calibrated to what a reasonable enterprise risk or compliance function would implement given that context.

## 4. Required Control Families

The Enterprise Profile requires controls from all ARCS control families. ARCS-NCR controls are required if non-creation is claimed.

| Family Code | Family Name | Minimum Profile | Enterprise Profile |
|---|---|---|---|
| ARCS-LIF | Record Lifecycle | Required | Required + Enhanced |
| ARCS-CUS | Custody Surface | Required | Required + Enhanced |
| ARCS-TAX | Record Taxonomy | Required | Required + Enhanced |
| ARCS-OPB | Operator Boundary | Required | Required + Enhanced |
| ARCS-PUB | Publish Boundary | Required | Required + Enhanced |
| ARCS-PV | Preservation and Legal Hold | Required | Required + Enhanced |
| ARCS-VER | Verification and Audit | Required | Required + Enhanced |
| ARCS-NCR | Non-Creation Posture | If claimed | If claimed + Enhanced |

## 5. ARCS-LIF: Record Lifecycle Controls

ARCS-LIF Record Lifecycle.

Required controls: LIF-01 through LIF-08, as defined in the Minimum Profile.

Enterprise Enhanced controls:

LIF-E1. Retention posture reviewed and updated at defined intervals (at minimum annually or on material system change).

LIF-E2. Retention posture documented at business-unit or subsidiary level where systems vary.

LIF-E3. Lifecycle changes subject to internal approval workflow before implementation.

## 6. ARCS-CUS: Custody Surface Controls

ARCS-CUS Custody Surface.

Required controls: CUS-01 through CUS-09, as defined in the Minimum Profile.

Enterprise Enhanced controls:

CUS-E1. Custody surface map maintained as a governed document with version control and owner assignment.

CUS-E2. Vendor custody obligations incorporated into vendor contracts or service agreements.

CUS-E3. Custody surface reviewed when new vendors are onboarded or existing vendor services change materially.

CUS-E4. Cross-jurisdiction custody documented where records may be subject to different legal regimes.

## 7. ARCS-TAX: Record Taxonomy Controls

ARCS-TAX Record Taxonomy.

Required controls: TAX-01 through TAX-10, as defined in the Minimum Profile.

Enterprise Enhanced controls:

TAX-E1. Record taxonomy reviewed and updated at defined intervals or on material system change.

TAX-E2. Taxonomy applied consistently across business units or subsidiaries operating the same system.

TAX-E3. Taxonomy documented in sufficient detail for production in legal or regulatory proceedings.

## 8. ARCS-OPB: Operator Boundary Controls

ARCS-OPB Operator Boundary.

Required controls: OPB-01 through OPB-05, as defined in the Minimum Profile.

Enterprise Enhanced controls:

OPB-E1. Boundary definition maintained as a governed document with owner, version, and approval.

OPB-E2. Boundary reviewed at defined intervals and on acquisition, divestiture, or material architecture change.

OPB-E3. Governance responsibility for ARCS controls assigned to named function (e.g., legal, compliance, IT risk).

## 9. ARCS-PUB: Publish Boundary Controls

ARCS-PUB Publish Boundary.

Required controls: PUB-01 through PUB-06, as defined in the Minimum Profile.

Enterprise Enhanced controls:

PUB-E1. Publish events logged with sufficient metadata to support later identification and production.

PUB-E2. Third-party recipient data retention obligations incorporated into applicable agreements.

## 10. ARCS-PV: Preservation and Legal Hold Controls

ARCS-PV Preservation and Legal Hold.

Required controls: PV-01 through PV-06, as defined in the Minimum Profile.

Enterprise Enhanced controls:

PV-E1. Legal hold process integrated with legal department or outside counsel hold management workflow.

PV-E2. Vendor legal hold capabilities confirmed in writing at onboarding and reviewed annually.

PV-E3. Litigation hold notifications to vendors documented and retained.

PV-E4. Preservation scope includes business messaging and collaboration tools that may contain interaction record references.

## 11. ARCS-VER: Verification and Audit Controls

ARCS-VER Verification and Audit.

Required controls: VER-01 through VER-06, as defined in the Minimum Profile.

Enterprise Enhanced controls:

VER-E1. Verification cycle defined at fixed intervals (at minimum annually).

VER-E2. Verification scope includes all in-scope vendors with custody of interaction records.

VER-E3. Verification results documented and retained; material gaps escalated.

VER-E4. ARCS governance assigned to a committee, working group, or named responsible function.

VER-E5. ARCS controls integrated into enterprise risk management or GRC framework.

## 12. ARCS-NCR: Non-Creation Controls (If Claimed)

Complete this section only if the system claims non-creation or non-retention for any record category.

ARCS-NCR Non-Creation Posture. Required if claimed.

Required controls: NCR-01 through NCR-05, as defined in the Minimum Profile.

Enterprise Enhanced controls:

NCR-E1. Non-creation claims reviewed by legal or compliance function before assertion.

NCR-E2. Technical controls supporting non-creation verified by independent internal or external review.

## 13. Enterprise Conformance Statement

A system may use the following conformance statement only if all Minimum Profile required controls and all Enterprise Enhanced controls are implemented and documentation is available for review:

"This system conforms to ARCS Enterprise Profile v1.0 (Automated Record Custody Standard), incorporating all controls required by ARCS Minimum Profile v1.0."

Use of this statement requires conformance with all Required and Enterprise Enhanced controls in Sections 5 through 11. NCR controls are required only if non-creation is claimed.

## 14. Relationship to Other Frameworks

Enterprise organizations typically operate within existing risk management frameworks. The following guidance supports integration:

| Framework | Integration Point |
|---|---|
| SOC 2 Type II | ARCS-VER and ARCS-CUS controls map to availability and confidentiality criteria; lifecycle governance is a distinct control domain. |
| ISO 27001 | ARCS-OPB boundary controls complement asset management; ARCS-PV complements incident and legal obligations handling. |
| NIST SP 800-53 | ARCS-LIF and ARCS-PV complement AU (Audit and Accountability) and SI (System and Information Integrity) control families. |
| NIST AI RMF | ARCS operates in the GOVERN and MANAGE functions; lifecycle governance complements risk treatment. |
| EU AI Act | ARCS-TAX and ARCS-LIF support logging and traceability obligations; lifecycle governance extends beyond what the Act requires. |
| E-Discovery (FRCP) | ARCS-PV controls directly support litigation hold and ESI preservation obligations. |

*Vega Commons Project, Inc. | ARCS Enterprise Profile | v1.0 | March 2026*