ARCS · Section 16

Conformance

A system conforms to ARCS if all applicable controls for the declared conformance profile are implemented, required documentation exists, lifecycle posture is defined, custody surface is disclosed, preservation posture is supported, and non-creation claims are auditable where asserted. Conformance is evaluated per deployment, not per organization.

16.1 Scoping

A conformance claim may be scoped to a defined subset of the operator's AI systems, provided:

(a) the scope is explicitly stated in the conformance statement;

(b) the scoped systems are independently identifiable and assessable; and

(c) any material interaction between scoped systems and systems outside the declared scope is disclosed in the conformance statement.

Scoping does not permit exclusion of material record surfaces. A system that transmits records to an out-of-scope system must disclose that transmission as a custody event, even if the receiving system is not itself assessed.

16.2 Conformance profiles

ARCS defines three conformance profiles:

Foundation Profile. Requires implementation of ARCS-LIF, ARCS-CUS, and ARCS-TAX, with ARCS-NCR required only if non-creation or non-retention is claimed. The Foundation Profile establishes baseline record identification and surface mapping sufficient to begin governance. Organizations may declare Foundation conformance while implementing remaining families.

Minimum Profile. Requires implementation of all controls in ARCS-LIF, ARCS-CUS, ARCS-TAX, ARCS-OPB, ARCS-PUB, ARCS-PV, and ARCS-VER, with ARCS-NCR required only if non-creation or non-retention is claimed. The Minimum Profile constitutes the institutional minimum for ARCS conformance.

Enterprise Profile. Requires all Minimum Profile controls plus Enterprise Enhanced controls. Enterprise Enhanced controls are defined in the Enterprise Implementation Profile. Universal Enhanced controls apply to all Enterprise Profile declarations. Conditional Enhanced controls apply based on the operator's declared risk factors as specified in the Enterprise Profile document.

16.3 Maturity levels

ARCS defines six maturity levels describing the completeness of an implementation's governance posture. Maturity levels are descriptive; conformance profiles are operative. An operator claiming a maturity level should also declare the corresponding conformance profile.

Level 0 - Undocumented record governance. Interaction records exist, but the implementation has not independently identified, mapped, or documented the record, custody, discovery, and review surfaces. Most organizations deploying AI systems are at Level 0 upon initial assessment. Level 0 reflects reliance on vendor policy statements without independent documentation, not the absence of all data governance.

Level 1 - Record identification. The implementation has identified the interaction records created by its operation. Record surfaces, custody, retention, and routing may remain undocumented. Corresponds approximately to ARCS-TAX and basic ARCS-LIF inventory.

Level 2 - Surface mapping and disclosure. The implementation has mapped where records exist, who holds them, and what review and routing conditions apply. Retention and deletion documentation may remain incomplete. Corresponds approximately to ARCS-CUS, ARCS-TAX, and ARCS-LIF, with review and routing disclosure.

Level 3 - Documented lifecycle governance. The implementation has documented how records move, persist, and are removed across the interaction lifecycle, including retention and deletion controls. Corresponds approximately to ARCS-LIF, ARCS-PUB, and deletion/routing controls.

Level 4 - Governance-grade implementation. The implementation has achieved governance-grade control of interaction records across the normal operating surfaces of the system. Level 4 marks the transition from internal documentation to externally reviewable governance. A Level 4 implementation can demonstrate where interaction records exist, who holds them, and how long they persist, for all normal deployment modes, in a form reviewable by an auditor, procurement officer, or legal counsel. Corresponds to the Minimum Profile.

Level 5 - Full-surface governance. The implementation has governed all known record surfaces, including advanced runtime, derivative, and autonomous execution artifacts. No known material record surface remains undocumented. Level 5 claims SHALL identify the scope of agent runtime, delegation, memory, and derivative-record governance applied, including any material runtime conditions not fully specified by the current version of this standard. Corresponds approximately to the Enterprise Profile with agent runtime coverage.

16.4 Partial conformance

An implementation may declare partial conformance by listing the control families satisfied, provided partial conformance is not represented as Foundation, Minimum, or Enterprise Profile conformance. Partial conformance declarations should identify families satisfied, families in progress, and families not yet addressed.

16.5 Conformance statement requirements

A conformance statement SHALL identify:

(a) system name and operator;

(b) declared conformance profile (Foundation, Minimum, or Enterprise) and maturity level where applicable;

(c) scope of the assessment, including any scoping exclusions;

(d) deployment mode(s) included;

(e) date of assessment;

(f) excluded components with justification;

(g) known non-conforming components;

(h) responsible assessor and assessment type (self-attestation, internal audit, or third-party assessment).
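The rules in 16.1, 16.2, 16.4 and 16.5 can be checked mechanically before a statement is published. The following is an added example, not part of ARCS or its reference implementation; ARCS defines no machine-readable statement format, so the dictionary keys, the `Partial` marker and the sample values are assumptions made for illustration.

```python
# Added example; keys and layout are assumptions, ARCS defines no file format.
MINIMUM = {"ARCS-LIF", "ARCS-CUS", "ARCS-TAX", "ARCS-OPB",
           "ARCS-PUB", "ARCS-PV", "ARCS-VER"}
PROFILES = {
    "Foundation": {"ARCS-LIF", "ARCS-CUS", "ARCS-TAX"},
    "Minimum": MINIMUM,
    # Enterprise Enhanced controls are defined elsewhere; check the baseline only.
    "Enterprise": MINIMUM,
}
REQUIRED = ["system_name", "operator", "profile", "scope", "deployment_modes",
            "assessment_date", "excluded_components",
            "non_conforming_components", "assessor", "assessment_type"]
ASSESSMENT_TYPES = {"self-attestation", "internal audit", "third-party assessment"}

def check_statement(stmt):
    """Return a list of findings; an empty list means no gap was detected."""
    findings = [f"16.5: missing '{k}'" for k in REQUIRED if k not in stmt]
    atype = stmt.get("assessment_type")
    if atype is not None and atype not in ASSESSMENT_TYPES:
        findings.append(f"16.5: unknown assessment type '{atype}'")
    profile = stmt.get("profile")
    implemented = set(stmt.get("families_implemented", []))
    if profile in PROFILES:
        required = set(PROFILES[profile])
        if stmt.get("claims_non_creation_or_non_retention"):
            required.add("ARCS-NCR")  # conditional family, 16.2
        missing = sorted(required - implemented)
        if missing:
            findings.append(f"16.4: {profile} claimed without {', '.join(missing)}; "
                            "declare partial conformance instead")
    elif profile is not None and profile != "Partial":
        findings.append(f"16.2: unknown profile '{profile}'")
    # 16.1: a transmission to an out-of-scope system is a custody event to disclose.
    disclosed = set(stmt.get("custody_events_disclosed", []))
    for dest in stmt.get("out_of_scope_transmissions", []):
        if dest not in disclosed:
            findings.append(f"16.1: undisclosed transmission to '{dest}'")
    return findings

SAMPLE = {  # constructed statement: Minimum claimed, non-retention asserted
    "system_name": "support-assistant", "operator": "Example Corp",
    "profile": "Minimum", "scope": "customer support deployment",
    "deployment_modes": ["hosted API"], "assessment_date": "2025-01-15",
    "excluded_components": [], "non_conforming_components": [],
    "assessor": "internal audit team", "assessment_type": "internal audit",
    "claims_non_creation_or_non_retention": True,
    "families_implemented": sorted(MINIMUM - {"ARCS-VER"}),
    "out_of_scope_transmissions": ["analytics-warehouse"],
}
```

Running `check_statement(SAMPLE)` reports the missing ARCS-NCR and ARCS-VER families and the undisclosed transmission. The check covers declared coverage only, not whether each control is actually implemented.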

16.6 Reference implementation

At least one reference implementation of ARCS lifecycle controls, including record classification, retention posture enforcement, sovereignty receipt generation, automated purge scheduling, and legal hold override, exists in production code as of the date of this publication candidate. Reference implementations do not confer conformance on other deployments.