# ARCS Positioning Quick Reference

**Automated Record Custody Standard v1.0**
Published by Vega Commons Project, Inc. · arcsstandard.org

---

## What ARCS Governs

ARCS defines governance controls for the lifecycle, custody, retention, preservation, and deletion of interaction records generated by automated systems. It addresses prior questions that other frameworks assume away: does the record exist, who controls it, and can it be compelled?

## The Lifecycle Governance Gap

Existing frameworks govern access, safety, privacy, and content. None govern the record itself as a lifecycle object. An organization may be fully compliant with ISO 42001, SOC 2, NIST AI RMF, and GDPR, and still have no documented posture on what interaction records it retains, where they persist, who holds custody, or how they would be produced in response to litigation, regulatory inquiry, or audit.

## Position in the Governance Stack

| Layer | Function | Representative Frameworks |
|---|---|---|
| Content and Safety | Model behavior, output filtering | NIST AI RMF, EU AI Act, internal policies |
| Privacy and Access | Data minimization, consent, access controls | GDPR, CCPA/CPRA, HIPAA |
| Security | Infrastructure protection, threat management | SOC 2, NIST SP 800-53, FedRAMP, ISO 27001 |
| Management Systems | Organizational AI governance | ISO/IEC 42001 |
| **Record Lifecycle** | **Custody, retention, deletion, preservation, production** | **ARCS** |

ARCS occupies the record lifecycle layer. It does not replace privacy, security, safety, or management system frameworks. It governs the record surface those frameworks generate and assume exists.

## What Adjacent Frameworks Do Not Cover

| Framework | Governs | Does Not Govern |
|---|---|---|
| NIST AI RMF | Risk identification, measurement, management | Record retention, custody chain, deletion verification |
| ISO/IEC 42001 | AI management system requirements | Interaction record lifecycle, vendor custody mapping |
| SOC 2 | Security controls, availability, confidentiality | Record taxonomy, preservation posture, multi-vendor custody |
| GDPR/CCPA | Data subject rights, consent, minimization | Operator-side record governance, litigation hold, production readiness |
| EU AI Act | Transparency, logging for high-risk systems | Record custody architecture, cross-vendor lifecycle governance |

## The Access-Control Ceiling

Each provider's controls govern only that provider's own systems. They cannot govern the full cross-vendor record surface an enterprise creates when it uses multiple AI providers, integrates agent workflows, or deploys local models. ARCS occupies the layer above individual provider controls and below organizational policy.

## Protocol Stack

MCP governs action. x402 governs value. ARCS governs the records.

---

© 2024-2026 Vega Commons Project, Inc. All rights reserved.
ARCS and Automated Record Custody Standard are trademarks of Vega Commons Project, Inc.
