CSA AI Controls Matrix (AICM) — execution-layer resolution
CSA AI Controls Matrix (AICM) — execution-layer resolution — 79% covered.
14 requirements · 11 enforced · 0 designed · 0 advisory · 0 deferred.
Source: Cloud Security Alliance, AI Controls Matrix (AICM) v1.0 (2025) — 243 control objectives across 18 security domains, mapped by CSA to ISO/IEC 42001, ISO/IEC 27001, NIST AI RMF, EU AI Act and BSI AIC4. AICM defines WHAT controls should exist; KYE Protocol™ is the EXECUTION LAYER that proves HOW each control RESOLVED at the moment a consequential AI action occurred. KYE binds the AICM domains it resolves at runtime — authority, delegation, scope, oversight, evidence, replay, agent-governance and audit — and marks cloud-service-provider infrastructure controls and model-training-internal controls out of scope (KYE does not operate the cloud platform or train models). · License: CSA AICM is published by the Cloud Security Alliance under its own terms; KYE registry paraphrases each domain's control intent and cites the official identifier for mapping purposes only.
AICM defines the controls. KYE™ operationalises them.
“We implemented Control X” (AICM) answers whether a control exists. “Did this agent action comply with Control X at 10:32 AM yesterday?” (KYE™) answers whether the control RESOLVED at the moment a consequential AI action occurred.
KYE™ binds the AICM domains it resolves at runtime — identity & access, governance & oversight, logging & monitoring, model risk & resilience, supply-chain transparency and the agentic-authority slice. Cloud-service-provider infrastructure controls and model-training-internal controls are marked out of scope: KYE™ does not operate the cloud platform or train the model.
By category
| Category | Reqs | Enforced | Designed | Advisory | Deferred | Coverage |
|---|---|---|---|---|---|---|
| IAM — Identity & Access Management | 2 | 2 | 0 | 0 | 0 | 100% |
| AAC — Agentic Authority & Accountability | 2 | 2 | 0 | 0 | 0 | 100% |
| GRC — Governance, Risk & Compliance | 1 | 1 | 0 | 0 | 0 | 100% |
| LOG — Logging & Monitoring | 2 | 2 | 0 | 0 | 0 | 100% |
| MRM — Model Risk Management & Resilience | 2 | 1 | 0 | 0 | 0 | 50% |
| STA — Supply Chain & Transparency | 1 | 1 | 0 | 0 | 0 | 100% |
| AIS — Application & Interface Security | 1 | 1 | 0 | 0 | 0 | 100% |
| DSP — Data Security & Privacy Lifecycle | 1 | 1 | 0 | 0 | 0 | 100% |
| IVS — Infrastructure & Virtualisation Security | 1 | 0 | 0 | 0 | 0 | 0% |
| TVM — Threat & Vulnerability Management | 1 | 0 | 0 | 0 | 0 | 0% |
Every requirement → the KYE™ artefact that enforces it
| ID | Title | Status | KYE™ enforcement |
|---|---|---|---|
aicm.IAM-01-authority-at-action |
IAM — Identity & Access Management: every AI-agent action is authorised against an explicit, scoped grant at the moment it occurs | enforced | audit_events: kye.purpose.request.v1, kye.purpose.admissibility.v1engines: internal, internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |
aicm.IAM-02-scoped-delegation |
IAM — Delegated authority is bounded, time-limited, and revocable, and every delegated decision is attributable to its grant chain | enforced | audit_events: kye.authority.grant.v1, kye.purpose.permission.v1engines: internal, internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/52-DELEGATED-AGENT-BINDING.md |
aicm.AAC-01-agentic-authority |
AAC — Agentic Authority & Accountability: an autonomous AI agent binds to its constitutional authority at task start and refuses out-of-authority actions | enforced | audit_events: kye.agent.governance.v1, kye.agent.refusal.v1engines: internalconstitution_refs: constitution/52-DELEGATED-AGENT-BINDING.md |
aicm.AAC-02-agent-completion-ledger |
AAC — Every agent task closes with a tamper-evident completion ledger reconciled against its declared scope | enforced | audit_events: kye.agent.completion.v1engines: internalworm_tables: evidence_eventsconstitution_refs: constitution/52-DELEGATED-AGENT-BINDING.md |
aicm.GRC-01-oversight-attestation |
GRC — Governance, Risk & Compliance: human oversight and a recurring control attestation govern every privileged AI action | enforced | audit_events: kye.compliance.attestation.v1engines: internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/36-GOVERNEDUI.md |
aicm.LOG-01-evidence-at-action |
LOG — Logging & Monitoring: every consequential AI action emits an immutable, signed evidence record at the moment it occurs | enforced | audit_events: kye.evidence.pack.v1, kye.evidence.tool_call.v1engines: internal, internalworm_tables: evidence_eventsconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
aicm.LOG-02-decision-map-emission |
LOG — A decision map captures the inputs, policy, and rationale that produced each AI decision | enforced | audit_events: kye.evidence.decision_map.v1engines: internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
aicm.MRM-01-replay-resilience |
MRM — Model Risk Management & Resilience: any AI decision is independently reproducible from its sealed context and public keys | enforced | audit_events: kye.replay.context_seal.v1, kye.replay.proof.v1engines: internal, internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
aicm.STA-01-supply-chain-transparency |
STA — Supply Chain & Transparency: the provenance of every model, tool and data source touched by an action is pinned in evidence | enforced | audit_events: kye.evidence.tool_call.v1engines: internalconstitution_refs: constitution/15-MCP-AND-SDK.md, constitution/52-DELEGATED-AGENT-BINDING.md |
aicm.AIS-01-action-boundary-control |
AIS — Application & Interface Security: AI-agent interactions cross a policy-enforced boundary that denies by default | enforced | audit_events: kye.purpose.admissibility.v1engines: internal, internalconstitution_refs: constitution/25-EDGE-GOVERNANCE.md |
aicm.DSP-01-data-use-admissibility |
DSP — Data Security & Privacy Lifecycle: data use by an AI action is checked for purpose-admissibility at the moment of use | enforced | audit_events: kye.purpose.admissibility.v1engines: internalconstitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md, constitution/63-MEMORY-AUTHORITY-RAIL.md |
aicm.IVS-01-infrastructure-security |
IVS — Infrastructure & Virtualisation Security: hardening, segmentation and patching of the cloud compute and network fabric | out-of-scope | (no enforcement cited) |
aicm.TVM-01-model-training-security |
TVM — Threat & Vulnerability Management: security of the model-training pipeline, training data integrity and model-build hardening | out-of-scope | (no enforcement cited) |
aicm.MRM-02-model-internals-validation |
MRM — Internal model validation, bias testing and performance evaluation of the model artefact itself | out-of-scope | (no enforcement cited) |