{ "metadata": { "title": "AI705 v0.1 Gap Matrix", "status": "v0.1_sweep", "generated_on": "2026-05-23", "verdicts": [ "Applies as written", "Applies with modification", "Inapplicable", "Gap", "Needs evidence" ], "threat_vector_definitions": { "weight_theft": "Theft or unauthorized reconstruction of model weights, checkpoints, adapters, key material, or enough model state to reproduce protected capability.", "secret_theft": "Theft of non-weight secrets: facility design, security procedures, credentials, customer/user data, operational telemetry, procurement details, or sensitive mission information.", "sabotage": "Physical or operational disruption, tampering, degradation, or manipulation of AI facility infrastructure, including power, cooling, racks, networks, sensors, and recovery paths." }, "weight_theft_category_definitions": { "stored_weights": "Stored weights, checkpoints, backups, archives, transfer staging, destruction/decommissioning, and associated key custody.", "training_systems": "Active training clusters, accelerators, schedulers, storage fabric, high-speed interconnect, power, cooling, maintenance, and side-channel exposure during computation.", "inference_systems": "Serving replicas, request/response paths, customer or user data boundary, caches/logs, online operations, remote administration, availability pressure, and model-update workflows." } }, "entries": [ { "row_id": "row-004-inventory-of-accredited-scifs-maintained-by-d-ncsc", "row_path": "analysis/rows/row-004-inventory-of-accredited-scifs-maintained-by-d-ncsc.md", "topic": "Inventory of accredited SCIFs maintained by D/NCSC", "source_requirement_ids": [ "icd-705.r0021" ], "measurement_needed": false, "status": "v0.1_sweep", "threat_vectors": { "weight_theft": { "verdict": "Applies with modification", "rationale": "Source (page 4, paragraph 9): \"The D/NCSC shall manage an inventory of information on all SCIFs subject to this Directive, the scope, form, and format of which shall be established in consultation with IC elements.\" AI705 adds: A central authority should maintain a current inventory of all enclaves that store or process frontier model weights (including training clusters, inference fleets, and offline checkpoint stores) so weight-bearing facilities cannot exist off the books.", "falsifier": "Operator evidence of a complete, regularly-updated registry of all weight-bearing enclaves (with location, scope, accreditation status) shared with an oversight body would shift this to Applies as written.", "categories": { "stored_weights": { "verdict": "Applies with modification", "rationale": "Source (page 4, paragraph 9): \"IC elements are responsible for providing to the D/NCSC current information on all SCIFs ... no later than 30 days thereafter in the case of updated or new information.\" AI705 adds: Every vault or HSM-backed store holding production weights or checkpoints should be enrolled in a central inventory with 30-day update cadence for new or moved copies.", "falsifier": "Evidence of a checkpoint-custody registry covering every location where weights are at rest, with timely update reporting, would shift to Applies as written." }, "training_systems": { "verdict": "Applies with modification", "rationale": "Source (page 4, paragraph 9): \"the scope, form, and format of which shall be established in consultation with IC elements.\" AI705 adds: Training clusters that materialize weights in memory should likewise be enumerated in the inventory, since an unlisted training enclave is an unaudited weight-exfiltration surface.", "falsifier": "Demonstration that all training enclaves are registered and tracked centrally would shift to Applies as written." }, "inference_systems": { "verdict": "Applies with modification", "rationale": "Source (page 4, paragraph 9): \"current information on all SCIFs, as soon as possible but no later than 180 days after the effective date of this Directive.\" AI705 adds: Inference fleets that load full weights (including edge and partner-hosted deployments) must be inventoried so the operator knows every place where weights are reconstructable.", "falsifier": "Operator evidence of a comprehensive, current inference-deployment registry would shift to Applies as written." } } }, "secret_theft": { "verdict": "Applies with modification", "rationale": "Source (page 4, paragraph 21): \"The D/NCSC shall manage an inventory of information on all SCIFs subject to this Directive.\" AI705 adds: A facility inventory is itself sensitive — the inventory of weight-bearing sites, their addresses, and accreditation details is a high-value target and must be access-controlled like other operational secrets.", "falsifier": "Evidence that the master inventory is compartmented, access-logged, and shared only with cleared oversight personnel would shift to Applies as written." }, "sabotage": { "verdict": "Applies with modification", "rationale": "Source (page 4, paragraph 9): \"IC elements are responsible for providing to the D/NCSC current information on all SCIFs ... no later than 30 days thereafter in the case of updated or new information.\" AI705 adds: A current inventory of all weight-bearing and training facilities is a prerequisite for incident response and continuity planning — an attacker cannot be defended against at sites the operator has forgotten exist.", "falsifier": "Operator demonstration that incident-response playbooks reference a live facility inventory covering all critical AI infrastructure would shift to Applies as written." } } }, { "row_id": "row-002-rf-shielding-planned-during-initial-construction-when-requir", "row_path": "analysis/rows/row-002-rf-shielding-planned-during-initial-construction-when-requir.md", "topic": "RF shielding planned during initial construction when required by CTTA", "source_requirement_ids": [ "ics-705-01.r0029" ], "measurement_needed": false, "status": "v0.1_sweep", "threat_vectors": { "weight_theft": { "verdict": "Applies with modification", "rationale": "Source (page 4, paragraph 29): \"When RF shielding is required by Certified TEMPEST Technical Authority (CTTA) evaluation, it should be planned for installation during initial construction as costs are significantly higher to retrofit after construction is complete.\" AI705 adds: rooms or cages housing weight-bearing HSMs, training fabrics, and inference accelerators that produce exploitable RF/EM emanations correlated with weights or key material should have shielding designed in at build time, since retrofit around energized GPU halls and HSM enclaves is prohibitively expensive and disruptive.", "falsifier": "Operator evidence that a qualified TEMPEST-equivalent authority evaluated the weight-handling enclaves and found no RF shielding need, or that modular shielding can be added post-hoc without exposing weights, would shift this toward Inapplicable.", "categories": { "stored_weights": { "verdict": "Applies with modification", "rationale": "Source (page 4, paragraph 29): \"When RF shielding is required by Certified TEMPEST Technical Authority (CTTA) evaluation, it should be planned for installation during initial construction as costs are significantly higher to retrofit after construction is complete.\" AI705 adds: HSM vaults and offline weight storage rooms should be shielded at initial construction if EM emanations from key-wrapping or weight-decryption operations are judged exploitable.", "falsifier": "Evidence that stored-weight enclaves use TEMPEST-rated equipment in inherently shielded containers, removing the need for room-level shielding, would shift to Inapplicable." }, "training_systems": { "verdict": "Applies with modification", "rationale": "Source (page 4, paragraph 29): \"When RF shielding is required by Certified TEMPEST Technical Authority (CTTA) evaluation, it should be planned for installation during initial construction as costs are significantly higher to retrofit after construction is complete.\" AI705 adds: training halls draw megawatts and emit substantial EM, so if a TEMPEST-equivalent assessment finds gradient or weight-correlated emanations, shielding must be installed during build because retrofitting around a live training cluster is effectively impossible.", "falsifier": "A qualified emanations assessment concluding that training-cluster EM does not carry recoverable weight/gradient information would shift to Inapplicable." }, "inference_systems": { "verdict": "Applies with modification", "rationale": "Source (page 4, paragraph 29): \"When RF shielding is required by Certified TEMPEST Technical Authority (CTTA) evaluation, it should be planned for installation during initial construction as costs are significantly higher to retrofit after construction is complete.\" AI705 adds: inference fleets that decrypt and hold weights in accelerator memory should be evaluated for emanation risk and shielded at construction where required, since retrofit during 24/7 serving is costly and creates exposure windows.", "falsifier": "Demonstration that inference nodes operate only on obfuscated/sharded weights such that EM leakage cannot reconstruct model parameters would shift to Inapplicable." } } }, "secret_theft": { "verdict": "Applies with modification", "rationale": "Source (page 4, paragraph 29): \"When RF shielding is required by Certified TEMPEST Technical Authority (CTTA) evaluation, it should be planned for installation during initial construction as costs are significantly higher to retrofit after construction is complete.\" AI705 adds: spaces processing non-weight secrets — customer prompts and outputs, vendor credentials, BMS telemetry, KMS consoles — should also be assessed for emanation risk and shielded during initial construction where the evaluation calls for it.", "falsifier": "Evidence that non-weight secret processing occurs only on endpoints with device-level TEMPEST certification, eliminating room-shielding requirements, would shift to Inapplicable." }, "sabotage": { "verdict": "Applies with modification", "rationale": "Source (page 4, paragraph 29): \"When RF shielding is required by Certified TEMPEST Technical Authority (CTTA) evaluation, it should be planned for installation during initial construction as costs are significantly higher to retrofit after construction is complete.\" AI705 adds: shielding planned during construction also hardens control-plane and OT/BMS spaces against RF injection and intentional electromagnetic interference attacks that could disrupt training jobs or trigger unsafe facility states, which is far cheaper than retrofitting around live infrastructure.", "falsifier": "Operator evidence that OT/BMS and control systems are inherently RF-immune (fiber-isolated, filtered, hardened equipment) such that no room shielding is needed for availability/integrity would shift to Inapplicable." } } }, { "row_id": "row-001-escort-to-construction-personnel-ratio-and-escort-briefing-r", "row_path": "analysis/rows/row-001-escort-to-construction-personnel-ratio-and-escort-briefing-r.md", "topic": "Escort-to-construction-personnel ratio and escort briefing requirements", "source_requirement_ids": [ "ic-tech-spec-v151.r0381" ], "measurement_needed": false, "status": "v0.1_sweep", "threat_vectors": { "weight_theft": { "verdict": "Applies with modification", "rationale": "Source (page 46, paragraph 381): \"The ratio of escort personnel to construction personnel shall be determined by the SSM on a case-by-case basis and documented in the CSP. Prior to assuming escort duties, all escorts shall receive a briefing regarding their responsibilities.\" AI705 adds: When uncleared contractors enter spaces housing weight-bearing infrastructure (HSMs, training clusters, weight storage arrays), the operator must set and document a justified escort ratio and brief escorts on weight-custody-specific risks such as unauthorized device introduction, photography of cabling, or tampering with key-handling equipment.", "falsifier": "Evidence that the operator enforces a documented, risk-justified escort ratio plus a weight-custody-specific escort briefing for all uncleared work near weight-handling systems would shift this to Applies as written.", "categories": { "stored_weights": { "verdict": "Applies with modification", "rationale": "Source (page 46, paragraph 381): \"The ratio of escort personnel to construction personnel shall be determined by the SSM on a case-by-case basis and documented in the CSP.\" AI705 adds: Construction or maintenance near weight-storage vaults and HSMs warrants a tighter, documented escort ratio and a briefing covering risks like covert media insertion or imaging of storage hardware.", "falsifier": "Operator demonstration of a documented escort-ratio policy and storage-vault-specific escort briefings would shift this to Applies as written." }, "training_systems": { "verdict": "Applies with modification", "rationale": "Source (page 46, paragraph 381): \"Prior to assuming escort duties, all escorts shall receive a briefing regarding their responsibilities.\" AI705 adds: Escorts overseeing contractors in training-cluster halls need briefings tailored to the training environment — recognizing unauthorized probes on interconnect fabric, rogue USB/JTAG attachments, or attempts to access checkpoint storage.", "falsifier": "Evidence of training-floor-specific escort briefings and a CSP-equivalent ratio document would shift this to Applies as written." }, "inference_systems": { "verdict": "Applies with modification", "rationale": "Source (page 46, paragraph 381): \"The ratio of escort personnel to construction personnel shall be determined by the SSM on a case-by-case basis...\" AI705 adds: Inference halls also host loaded weights in GPU memory, so escort ratios and briefings must address risks of memory-bus tapping or unauthorized maintenance access during contractor work, even if inference areas are sometimes treated as lower-sensitivity than training.", "falsifier": "Operator showing a risk-tiered escort ratio and inference-specific briefing covering live-weight exposure would shift this to Applies as written." } } }, "secret_theft": { "verdict": "Applies with modification", "rationale": "Source (page 46, paragraph 381): \"Prior to assuming escort duties, all escorts shall receive a briefing regarding their responsibilities.\" AI705 adds: Escorts must also be briefed on protecting non-weight secrets visible during construction — facility layouts, BMS/OT panels, vendor identities, customer workload labels, and telemetry displays — and on enforcing photography and device restrictions accordingly.", "falsifier": "Evidence that escort briefings explicitly cover non-weight facility, vendor, and customer-data confidentiality would shift this to Applies as written." }, "sabotage": { "verdict": "Applies with modification", "rationale": "Source (page 46, paragraph 381): \"The ratio of escort personnel to construction personnel shall be determined by the SSM on a case-by-case basis and documented in the CSP.\" AI705 adds: Escort ratios and briefings must be calibrated to prevent contractor-introduced sabotage of power, cooling, network, and OT/BMS systems, with escorts trained to recognize tampering with safety interlocks, fiber runs, or implant placement on control equipment.", "falsifier": "Operator demonstration of sabotage-aware escort ratios and briefings covering critical-infrastructure tamper indicators would shift this to Applies as written." } } }, { "row_id": "row-003-protected-distribution-systems-for-unencrypted-classified-in", "row_path": "analysis/rows/row-003-protected-distribution-systems-for-unencrypted-classified-in.md", "topic": "Protected Distribution Systems for unencrypted classified information in transit", "source_requirement_ids": [ "cnssi-7003.r0011" ], "measurement_needed": false, "status": "v0.1_sweep", "threat_vectors": { "weight_theft": { "verdict": "Applies with modification", "rationale": "Source (page 6, paragraph 11): \"PDS are used to protect all unencrypted NSI through areas of lesser classification or control. Inasmuch as the NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation.\" AI705 adds: unencrypted model weights or checkpoints traversing cabling between weight stores, training fabrics, and inference hosts that runs through lower-trust spaces must be carried in a PDS-equivalent (armored conduit, alarmed pathway, TEMPEST-treated runs) or encrypted in transit with custody-controlled keys.", "falsifier": "Operator demonstration that all weight-bearing links are end-to-end encrypted with HSM-managed keys and never traverse lower-control areas in cleartext would shift this to Inapplicable.", "categories": { "stored_weights": { "verdict": "Applies with modification", "rationale": "Source (page 6, paragraph 11): \"PDS are used to protect all unencrypted NSI through areas of lesser classification or control.\" AI705 adds: replication, backup, and migration links carrying stored weight artifacts between vaults or sites must either be encrypted end-to-end or run inside a PDS-equivalent armored/alarmed pathway when crossing lesser-control zones.", "falsifier": "Evidence that stored-weight transport is exclusively encrypted with audited key custody and never in cleartext would shift to Inapplicable." }, "training_systems": { "verdict": "Applies with modification", "rationale": "Source (page 6, paragraph 11): \"the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation.\" AI705 adds: high-bandwidth training interconnects (NVLink/IB/optical) carrying unencrypted gradients, activations, and checkpoint shards between racks or halls require PDS-equivalent physical and EM safeguards when any segment leaves the cleared training enclave.", "falsifier": "Demonstration that all inter-rack training traffic is link-encrypted or wholly contained within a single contiguous cleared enclosure would shift to Inapplicable." }, "inference_systems": { "verdict": "Applies with modification", "rationale": "Source (page 6, paragraph 11): \"Careful consideration should be given to using encryption or establishing a Controlled Access Area (CAA) in lieu of a PDS.\" AI705 adds: inference fleets serving loaded weights should prefer TLS/mTLS with attested endpoints and CAA-equivalent rack zoning over PDS conduit, but cleartext weight-bearing links between inference hosts and accelerators in mixed-trust colos must be carried in a PDS-equivalent.", "falsifier": "Operator evidence that inference weight planes are always encrypted in transit and confined to a CAA-equivalent zone would shift to Inapplicable." } } }, "secret_theft": { "verdict": "Applies with modification", "rationale": "Source (page 6, paragraph 11): \"PDS are used to protect all unencrypted NSI through areas of lesser classification or control... the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation.\" AI705 adds: unencrypted carriage of sensitive non-weight data — customer prompts/outputs, RLHF/red-team corpora, vendor schematics, telemetry, key-management traffic — through lesser-control spaces likewise requires PDS-equivalent conduit or encryption, with a documented risk/cost trade study before choosing PDS over crypto.", "falsifier": "Evidence that all sensitive non-weight traffic is encrypted with vetted key management and that physical pathways carry only ciphertext would shift to Inapplicable." }, "sabotage": { "verdict": "Applies with modification", "rationale": "Source (page 6, paragraph 11): \"the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation.\" AI705 adds: the same conduit, alarming, and inspectability that deters exfiltration also deters covert tap/cut/injection attacks on training control planes, BMS/OT links, and inference availability paths, so PDS-equivalent protection of critical cable runs is a sabotage control as well as a confidentiality control.", "falsifier": "Operator showing that integrity/availability of control and data planes is assured by independent means (redundant diverse paths, cryptographic integrity, continuous link monitoring) without relying on physical pathway protection would shift to Inapplicable." } } }, { "row_id": "row-005-use-of-construction-security-technicians-csts-within-the-u-s", "row_path": "analysis/rows/row-005-use-of-construction-security-technicians-csts-within-the-u-s.md", "topic": "Use of Construction Security Technicians (CSTs) within the U.S. when directed by AO", "source_requirement_ids": [ "scif-preconstruction-checklist-v15.r0018" ], "measurement_needed": false, "status": "v0.1_sweep", "threat_vectors": { "weight_theft": { "verdict": "Inapplicable", "rationale": "Source (page 11, paragraph 18): \"Within the U S – The use of CSTs is required when directe d by the AO only. Yes No 3.2.1 If yes to 3.2, identify the source that will provide the CSTs. Notes:\" This is a checklist form field about whether a Construction Security Technician is required for a domestic SCIF build and who supplies them; it has no meaningful translation to protection of model weights.", "falsifier": "Operator demonstration that CST-equivalent cleared construction oversight is materially used to protect weight-handling buildouts (e.g., HSM rooms, training hall vaults) would shift this to Applies with modification.", "categories": { "stored_weights": { "verdict": "Inapplicable", "rationale": "Source (page 11, paragraph 18): \"Within the U S – The use of CSTs is required when directe d by the AO only. Yes No 3.2.1 If yes to 3.2, identify the source that will provide the CSTs. Notes:\" The line is a yes/no administrative entry about CST sourcing and does not speak to weight-at-rest protections.", "falsifier": "Evidence that weight storage enclaves are constructed under CST-equivalent oversight regimes would move this to Applies with modification." }, "training_systems": { "verdict": "Inapplicable", "rationale": "Source (page 11, paragraph 18): \"Within the U S – The use of CSTs is required when directe d by the AO only. Yes No 3.2.1 If yes to 3.2, identify the source that will provide the CSTs. Notes:\" Procedural form field about CST sourcing; no analog to training cluster construction controls is stated in the source itself.", "falsifier": "Evidence that training hall construction is governed by an AO-directed cleared technician regime analogous to CST sourcing would move this to Applies with modification." }, "inference_systems": { "verdict": "Inapplicable", "rationale": "Source (page 11, paragraph 18): \"Within the U S – The use of CSTs is required when directe d by the AO only. Yes No 3.2.1 If yes to 3.2, identify the source that will provide the CSTs. Notes:\" Checklist trivia about CST source identification; not translatable to inference serving infrastructure.", "falsifier": "Evidence that inference pod construction relies on CST-equivalent cleared technicians by operator policy would move this to Applies with modification." } } }, "secret_theft": { "verdict": "Inapplicable", "rationale": "Source (page 11, paragraph 18): \"Within the U S – The use of CSTs is required when directe d by the AO only. Yes No 3.2.1 If yes to 3.2, identify the source that will provide the CSTs. Notes:\" This is an administrative yes/no plus a free-text source identification field; it does not articulate a substantive control over facility, vendor, or telemetry secrets.", "falsifier": "Evidence that the CST-sourcing entry is treated by the AO as a substantive control governing access to sensitive construction drawings or vendor identities would move this to Applies with modification." }, "sabotage": { "verdict": "Inapplicable", "rationale": "Source (page 11, paragraph 18): \"Within the U S – The use of CSTs is required when directe d by the AO only. Yes No 3.2.1 If yes to 3.2, identify the source that will provide the CSTs. Notes:\" The line records whether CSTs are required and who provides them; it states no anti-tampering or availability requirement that maps to AI infrastructure sabotage.", "falsifier": "Evidence that the CST-sourcing decision is the mechanism by which construction-phase tamper risk to power/cooling/network is mitigated would shift this to Applies with modification." } } }, { "row_id": "row-007-primary-emergency-egress-door-hardware-bypass-keyway-ff-l-28", "row_path": "analysis/rows/row-007-primary-emergency-egress-door-hardware-bypass-keyway-ff-l-28.md", "topic": "Primary/emergency egress door hardware: bypass keyway, FF-L-2890 egress device, and access control deactivation when unoccupied", "source_requirement_ids": [ "scif-fixed-facility-checklist-v15.r0037" ], "measurement_needed": false, "status": "v0.1_sweep", "threat_vectors": { "weight_theft": { "verdict": "Applies with modification", "rationale": "Source (page 10, paragraph 37): \"Is there a by-pass keyway for use in the event of an access control system failure?... A GSA-approved pedestrian door egress device with deadbolt meeting the most current version of Federal Specification FF-L-2890... Doors must be deactivated when the SCIF is not occupied, or as determined by the AO.\" AI705 adds: Doors to weight-bearing enclaves (HSM rooms, training-cluster cages, checkpoint storage vaults) need an equivalent failure-mode design — a controlled mechanical bypass for ACS failure, a high-assurance egress device, and an unoccupied-mode lockdown — so that ACS outages do not become a weight-exfiltration window.", "falsifier": "Operator demonstration that weight-bearing enclaves use a documented ACS-failure procedure (mechanical bypass or two-person manual override), FF-L-2890-equivalent egress hardware, and an enforced unoccupied lockdown state would shift this to Applies as written.", "categories": { "stored_weights": { "verdict": "Applies with modification", "rationale": "Source (page 10, paragraph 37): \"Is there a by-pass keyway for use in the event of an access control system failure?... Doors must be deactivated when the SCIF is not occupied, or as determined by the AO.\" AI705 adds: Weight/checkpoint storage vaults and HSM rooms must have a defined ACS-failure bypass, FF-L-2890-equivalent egress hardware, and be locked down when unoccupied so that an ACS outage cannot be used to walk weights out.", "falsifier": "Evidence that the weight vault door has a logged mechanical bypass, certified egress hardware, and an enforced unoccupied lockdown would shift to Applies as written." }, "training_systems": { "verdict": "Applies with modification", "rationale": "Source (page 10, paragraph 37): \"A GSA-approved pedestrian door egress device with deadbolt meeting the most current version of Federal Specification FF-L-2890 for secondary door use... Doors must be deactivated when the SCIF is not occupied.\" AI705 adds: Training-cluster cages, where weights are actively materialized in GPU memory and on local NVMe, need equivalent egress-and-deactivation discipline so a fire-alarm or ACS-failure event cannot be staged to extract checkpoints.", "falsifier": "Operator demonstration that training-floor doors enforce FF-L-2890-equivalent egress, a controlled bypass procedure, and unoccupied deactivation would shift to Applies as written." }, "inference_systems": { "verdict": "Applies with modification", "rationale": "Source (page 10, paragraph 37): \"Is there a by-pass keyway for use in the event of an access control system failure?\" AI705 adds: Inference halls hold loaded weights in GPU memory and on local caches, so doors into those halls also need a controlled ACS-failure bypass and unoccupied-mode lockdown, though the residency risk is lower than for training/storage enclaves.", "falsifier": "Evidence that inference-hall doors have an equivalent bypass procedure and unoccupied lockdown, or that weights are never resident locally, would shift verdict accordingly." } } }, "secret_theft": { "verdict": "Applies with modification", "rationale": "Source (page 10, paragraph 37): \"Doors must be deactivated when the SCIF is not occupied, or as determined by the AO.\" AI705 adds: Rooms holding non-weight secrets — customer prompt logs, vendor crypto material, BMS/OT consoles, signing keys — need the same ACS-failure bypass discipline and unoccupied-deactivation behavior so a controls glitch is not an opportunistic entry path.", "falsifier": "Operator evidence that secret-bearing rooms enforce FF-L-2890-equivalent egress, a logged bypass, and unoccupied lockdown would shift to Applies as written." }, "sabotage": { "verdict": "Applies with modification", "rationale": "Source (page 10, paragraph 37): \"Is there a by-pass keyway for use in the event of an access control system failure?... Doors must be deactivated when the SCIF is not occupied.\" AI705 adds: For sabotage, the bypass keyway is itself a risk — if it grants unsupervised entry to power, cooling, network spine, or BMS rooms during an ACS outage, an attacker can disrupt training or inference; the control must therefore be paired with two-person rule and unoccupied lockdown on availability-critical spaces.", "falsifier": "Evidence that any mechanical bypass into availability-critical rooms requires two-person access, is alarmed, and that those rooms are deactivated when unoccupied would shift to Applies as written." } } }, { "row_id": "row-008-type-1-controlled-access-workstation-configuration-in-cubicl", "row_path": "analysis/rows/row-008-type-1-controlled-access-workstation-configuration-in-cubicl.md", "topic": "Type 1 controlled-access workstation configuration in cubicle/office environments", "source_requirement_ids": [ "scif-ca-checklist-v15.r0015" ], "measurement_needed": false, "status": "v0.1_sweep", "threat_vectors": { "weight_theft": { "verdict": "Inapplicable", "rationale": "Source (page 3, paragraph 15): \"Workstations in a cubicle or office configuration – Type 1: a. Is the CA in a cubicle or other open environment? ☐ Yes ☐ No b. Is the workstation in a closable office? ☐ Yes ☐ No... d. Are display screens positioned to avoid \"shoulder-surfing\"? ☐ Yes ☐ No e. Are polarized privacy screens installed? ☐ Yes ☐ No f. Is printing of CA material required?\" This is an administrative checklist about human-operator workstation ergonomics (shoulder surfing, privacy screens, office doors, printer location) that has no meaningful analog to weight custody — frontier model weights do not reside on operator desktop workstations with visible display screens.", "falsifier": "Operator evidence that weights or checkpoints are routinely viewed/handled on human-operated workstations with display screens in shared office space would make display-positioning and privacy-screen controls relevant and shift this to Applies with modification.", "categories": { "stored_weights": { "verdict": "Inapplicable", "rationale": "Source (page 3, paragraph 15): \"Is the CA in a cubicle or other open environment?... Are display screens positioned to avoid \"shoulder-surfing\"? ☐ Yes ☐ No\". Stored weights live in object storage and HSM-backed key stores, not on cubicle workstations with shoulder-surfable monitors, so the workstation-ergonomics checklist does not translate.", "falsifier": "Evidence that weight files are routinely opened or inspected on operator desktops in open office environments would shift this to Applies with modification." }, "training_systems": { "verdict": "Inapplicable", "rationale": "Source (page 3, paragraph 15): \"Is the workstation in a closable office?... If yes, is there an access control device?\". Training clusters are accessed via remote job submission from bastions, not from cubicle workstations whose office-door and printer posture this checklist enumerates.", "falsifier": "Evidence that training job control or checkpoint handling occurs from physical cubicle workstations with local printing would make this Applies with modification." }, "inference_systems": { "verdict": "Inapplicable", "rationale": "Source (page 3, paragraph 15): \"Are polarized privacy screens installed? ☐ Yes ☐ No f. Is printing of CA material required?\". Inference serving infrastructure is not operated from desktop workstations and produces no printed material, so the cubicle/privacy-screen/printer checklist does not map.", "falsifier": "Evidence that inference operators routinely view raw model outputs or weight-adjacent material on shared-office displays would shift this to Applies with modification." } } }, "secret_theft": { "verdict": "Applies with modification", "rationale": "Source (page 3, paragraph 15): \"Are display screens positioned to avoid \"shoulder-surfing\"? ☐ Yes ☐ No e. Are polarized privacy screens installed? ☐ Yes ☐ No f. Is printing of CA material required? ☐ Yes ☐ No If yes, explain printer location, connectivity and procedures to retrieve printed material.\" AI705 adds: SRE/operations staff viewing sensitive facility diagrams, customer data, incident telemetry, or vendor credentials on workstations in open NOCs or shared offices should have equivalent shoulder-surfing mitigations (screen orientation, privacy filters, closable rooms with access control) and controlled print workflows for any hardcopy of sensitive operational material.", "falsifier": "Operator demonstration that all sensitive non-weight material is accessed exclusively from enclosed access-controlled rooms with no printing capability would shift this to Inapplicable." }, "sabotage": { "verdict": "Inapplicable", "rationale": "Source (page 3, paragraph 15): \"Is the CA in a cubicle or other open environment?... Are polarized privacy screens installed?... Is printing of CA material required?\". This checklist addresses visual confidentiality and print handling at operator workstations, which does not bear on availability or integrity of AI training/inference infrastructure.", "falsifier": "Evidence that operator workstations in cubicles are an authoritative control plane whose physical compromise could disrupt training/inference would shift this to Applies with modification." } } }, { "row_id": "row-006-periodic-re-evaluation-of-facility-security-posture", "row_path": "analysis/rows/row-006-periodic-re-evaluation-of-facility-security-posture.md", "topic": "Periodic re-evaluation of facility security posture", "source_requirement_ids": [ "ics-705-02.r0009" ], "measurement_needed": false, "status": "v0.1_sweep", "threat_vectors": { "weight_theft": { "verdict": "Applies with modification", "rationale": "Source (page 2, paragraph 3.a): \"The CSA shall ensure that regular, periodic re-evaluations are conducted to ensure continued security (to include TEMPEST, physical, technical, etc.) of the SCIF based on the sensitivity of programs, threat, facility modifications, and past security performance, or at least every five years.\" AI705 adds: An equivalent authority must re-evaluate the controls that protect weights — including custody chains, HSM/KMS configurations, training/inference enclave integrity, and side-channel/TEMPEST posture — on a recurring basis driven by model sensitivity, threat changes, and infrastructure modifications, with a hard cap no longer than five years.", "falsifier": "Evidence that the operator already conducts documented, threat-informed re-evaluations of all weight-handling systems on a defined cadence not exceeding five years would shift this to Applies as written.", "categories": { "stored_weights": { "verdict": "Applies with modification", "rationale": "Source (page 2, paragraph 3.a): \"regular, periodic re-evaluations are conducted to ensure continued security (to include TEMPEST, physical, technical, etc.) of the SCIF based on the sensitivity of programs, threat, facility modifications, and past security performance, or at least every five years.\" AI705 adds: Re-evaluations must cover the storage tier holding weight artifacts and checkpoints — object stores, KMS/HSM bindings, backup vaults, and the physical/TEMPEST envelope around them — at least every five years and whenever a model of materially higher sensitivity is introduced.", "falsifier": "Operator demonstration of a recurring, sensitivity-tiered re-evaluation program for weight storage with cycle ≤5 years would shift to Applies as written." }, "training_systems": { "verdict": "Applies with modification", "rationale": "Source (page 2, paragraph 3.a): \"based on the sensitivity of programs, threat, facility modifications, and past security performance, or at least every five years.\" AI705 adds: Training clusters must be re-evaluated on the same cadence because their long-lived access to plaintext gradients and checkpoints makes them a primary weight-exfiltration surface, and 'facility modifications' should be read to include cluster re-cabling, fabric upgrades, and topology changes.", "falsifier": "Evidence that training-cluster security reviews are already triggered by both time and configuration-change events on a documented schedule would shift to Applies as written." }, "inference_systems": { "verdict": "Applies with modification", "rationale": "Source (page 2, paragraph 3.a): \"regular, periodic re-evaluations are conducted to ensure continued security... or at least every five years.\" AI705 adds: Inference fleets — which decrypt weights into accelerator memory and expose user-facing surfaces — must be re-evaluated against current extraction and side-channel threats on the same cadence, with past security performance (incidents, anomalies) feeding the review.", "falsifier": "Evidence of a recurring inference-fleet security assessment program with sensitivity-weighted scope would shift to Applies as written." } } }, "secret_theft": { "verdict": "Applies with modification", "rationale": "Source (page 2, paragraph 3.a): \"The CSA shall ensure that regular, periodic re-evaluations are conducted to ensure continued security (to include TEMPEST, physical, technical, etc.) of the SCIF based on the sensitivity of programs, threat, facility modifications, and past security performance, or at least every five years.\" AI705 adds: The re-evaluation scope must extend to non-weight secrets — facility design docs, vendor and supply-chain credentials, telemetry pipelines, customer prompts/outputs, and personnel access lists — since stale controls around these are a common avenue for compromise.", "falsifier": "Evidence that operator re-evaluations already enumerate and test controls over non-weight secret categories on a ≤5-year cycle would shift to Applies as written." }, "sabotage": { "verdict": "Applies with modification", "rationale": "Source (page 2, paragraph 3.a): \"continued security (to include TEMPEST, physical, technical, etc.) of the SCIF based on the sensitivity of programs, threat, facility modifications, and past security performance.\" AI705 adds: Periodic re-evaluations must also cover availability and integrity controls — BMS/OT, power and cooling, network resilience, supply-chain tampering paths, and CI/CD integrity — because facility modifications and evolving threats degrade sabotage resistance over time.", "falsifier": "Operator evidence of recurring resilience and integrity reviews of OT, power/cooling, and build pipelines on a defined cadence would shift to Applies as written." } } }, { "row_id": "row-009-stonework-facade-visual-inspection-and-3-destructive-testing", "row_path": "analysis/rows/row-009-stonework-facade-visual-inspection-and-3-destructive-testing.md", "topic": "Stonework facade visual inspection and 3% destructive testing of internal stonework", "source_requirement_ids": [ "inspectable-materials-checklist-v15.r0006" ], "measurement_needed": false, "status": "v0.1_sweep", "threat_vectors": { "weight_theft": { "verdict": "Inapplicable", "rationale": "Source (page 2, paragraph 6): \"Stonework for the façade needs only visual inspection. Internal stone work must undergo a 3% random destruction test.\" This is a construction-material inspection rule about masonry and has no analog to model weight custody or the compute that handles weights.", "falsifier": "Operator demonstration that interior stonework conceals conduit paths used to exfiltrate weight-bearing media would shift this toward Applies with modification.", "categories": { "stored_weights": { "verdict": "Inapplicable", "rationale": "Source (page 2, paragraph 6): \"Stonework for the façade needs only visual inspection. Internal stone work must undergo a 3% random destruction test.\" Destructive sampling of building stone does not bear on storage of weight artifacts.", "falsifier": "Evidence that weight storage vaults are constructed of inspectable stone whose integrity gates access would change this verdict." }, "training_systems": { "verdict": "Inapplicable", "rationale": "Source (page 2, paragraph 6): \"Stonework for the façade needs only visual inspection. Internal stone work must undergo a 3% random destruction test.\" Stone inspection has no bearing on training cluster integrity.", "falsifier": "Evidence that training halls rely on stone partitions whose hidden defects enable weight exfiltration would change this verdict." }, "inference_systems": { "verdict": "Inapplicable", "rationale": "Source (page 2, paragraph 6): \"Stonework for the façade needs only visual inspection. Internal stone work must undergo a 3% random destruction test.\" Inference serving infrastructure is unaffected by masonry sampling rules.", "falsifier": "Evidence that inference enclaves are bounded by stonework whose integrity is load-bearing for weight protection would change this verdict." } } }, "secret_theft": { "verdict": "Inapplicable", "rationale": "Source (page 2, paragraph 6): \"Stonework for the façade needs only visual inspection. Internal stone work must undergo a 3% random destruction test.\" This is a building-materials QA checklist line with no translation to protection of facility, operational, vendor, telemetry, or customer-data secrets.", "falsifier": "Operator demonstration that hollow internal stonework is a documented covert-channel or listening-device concealment path in their threat model would shift this to Applies with modification." }, "sabotage": { "verdict": "Inapplicable", "rationale": "Source (page 2, paragraph 6): \"Stonework for the façade needs only visual inspection. Internal stone work must undergo a 3% random destruction test.\" Random destructive testing of masonry does not map to availability or integrity controls on AI infrastructure.", "falsifier": "Evidence that internal stonework structurally supports critical AI infrastructure (e.g., cooling, power vaults) such that undetected defects could cause outage would shift this to Applies with modification." } } }, { "row_id": "row-010-pre-construction-biographical-screening-of-non-cleared-const", "row_path": "analysis/rows/row-010-pre-construction-biographical-screening-of-non-cleared-const.md", "topic": "Pre-construction biographical screening of non-cleared construction personnel", "source_requirement_ids": [ "ic-tech-spec-v151.r0558" ], "measurement_needed": false, "status": "v0.1_sweep", "threat_vectors": { "weight_theft": { "verdict": "Applies with modification", "rationale": "Source (page 57, paragraph 558): \"All non-cleared construction personnel shall provide the SSM with biographical data (full name, current address, SSN, DPOB, proof of citizenship, etc.), and fingerprint cards as allowed by local laws prior to the start of construction/renovation.\" AI705 adds: Before any non-cleared contractor enters spaces housing weight-bearing infrastructure (HSM vaults, training cluster halls, checkpoint storage), the operator should collect equivalent biographical and biometric identifiers so that insider-threat vetting can be performed against the population with physical proximity to weights.", "falsifier": "Operator evidence that non-cleared workers never enter weight-bearing zones, or that an equivalent identity-vetting regime (e.g. contractor background-check vendor with fingerprinting) is already in place, would shift this to Applies as written or Inapplicable.", "categories": { "stored_weights": { "verdict": "Applies with modification", "rationale": "Source (page 57, paragraph 558): \"All non-cleared construction personnel shall provide the SSM with biographical data ... and fingerprint cards as allowed by local laws prior to the start of construction/renovation.\" AI705 adds: Workers building or renovating the weight-storage vault, HSM room, or offline checkpoint repository must be biographically identified and fingerprinted so any later forensic or insider investigation can attribute tampering or covert device emplacement.", "falsifier": "Evidence that weight-storage rooms are constructed only by cleared personnel, or that an equivalent identity-capture program already governs vault contractors, would shift the verdict." }, "training_systems": { "verdict": "Applies with modification", "rationale": "Source (page 57, paragraph 558): \"All non-cleared construction personnel shall provide the SSM with biographical data ... and fingerprint cards as allowed by local laws prior to the start of construction/renovation.\" AI705 adds: Contractors who build training-cluster halls, power, cooling, or network rooms should be identity-vetted pre-arrival, since a malicious build-phase emplacement (cabling tap, rogue device) could exfiltrate weights during training runs.", "falsifier": "Operator demonstration that training-hall construction is performed exclusively by cleared/badged staff under continuous escort with logged identity capture would shift the verdict." }, "inference_systems": { "verdict": "Applies with modification", "rationale": "Source (page 57, paragraph 558): \"All non-cleared construction personnel shall provide the SSM with biographical data ... and fingerprint cards as allowed by local laws prior to the start of construction/renovation.\" AI705 adds: Inference-hall construction crews also handle racks and network paths that route plaintext weights in memory, so the same pre-construction biographical and fingerprint capture should apply to attribute any later compromise.", "falsifier": "Evidence that inference halls are built by cleared personnel only, or that an alternative contractor-identity program of equivalent rigor exists, would shift the verdict." } } }, "secret_theft": { "verdict": "Applies with modification", "rationale": "Source (page 57, paragraph 558): \"All non-cleared construction personnel shall provide the SSM with biographical data (full name, current address, SSN, DPOB, proof of citizenship, etc.), and fingerprint cards as allowed by local laws prior to the start of construction/renovation.\" AI705 adds: Construction workers gain incidental exposure to facility layout, security-system wiring, vendor identities, and BMS/OT topology — all sensitive non-weight secrets — so capturing identity data pre-entry enables attribution and deters covert reconnaissance or photography.", "falsifier": "Operator evidence that construction zones are visually and electronically segregated from any sensitive layout/vendor information, or that a comparable identity-capture process already runs, would shift the verdict." }, "sabotage": { "verdict": "Applies with modification", "rationale": "Source (page 57, paragraph 558): \"All non-cleared construction personnel shall provide the SSM with biographical data (full name, current address, SSN, DPOB, proof of citizenship, etc.), and fingerprint cards as allowed by local laws prior to the start of construction/renovation.\" AI705 adds: Pre-construction identity capture is a primary deterrent and forensic enabler against build-phase sabotage of power, cooling, fire-suppression, and network infrastructure whose disruption would take training or inference offline.", "falsifier": "Operator demonstration that all construction affecting availability-critical systems is performed by vetted personnel under continuous two-person escort, or that an equivalent vetting program is enforced contractually, would shift the verdict." } } }, { "row_id": "row-011-intrusion-detection-for-unauthorized-human-entry", "row_path": "analysis/rows/row-011-intrusion-detection-for-unauthorized-human-entry.md", "topic": "Intrusion detection for unauthorized human entry", "source_requirement_ids": [ "ics-705-01.r0036" ], "measurement_needed": false, "status": "human_revised", "threat_vectors": { "weight_theft": { "verdict": "Applies with modification", "rationale": "Source (page 5, paragraph 36): \"Intrusion Detection System (IDS) shall detect attempted or actual unauthorized human entry into a SCIF.\" AI705 adds: the IDS must cover weight-storage vaults, training-cluster halls, and inference racks as separate detection zones because the consequences of a missed entry differ across stored weights, active training, and serving.", "falsifier": "Revisit if operator review or new measurement evidence shows the requirement applies in a way the revised verdict does not capture.", "categories": { "stored_weights": { "verdict": "Applies with modification", "rationale": "Source (page 5, paragraph 36): \"IDS shall detect attempted or actual unauthorized human entry into a SCIF.\" AI705 adds: weight vaults and offline backup rooms need IDS coverage tuned for low-occupancy spaces where a single intruder is high-signal.", "falsifier": "Revisit if operator review or new measurement evidence shows the requirement applies in a way the revised verdict does not capture." }, "training_systems": { "verdict": "Applies with modification", "rationale": "Source (page 5, paragraph 36): \"IDS shall detect attempted or actual unauthorized human entry into a SCIF.\" AI705 adds: training halls are typically high-occupancy with frequent maintenance access; IDS must distinguish authorized walk-throughs from unauthorized entry without producing alarm fatigue.", "falsifier": "Revisit if operator review or new measurement evidence shows the requirement applies in a way the revised verdict does not capture." }, "inference_systems": { "verdict": "Applies with modification", "rationale": "Source (page 5, paragraph 36): \"IDS shall detect attempted or actual unauthorized human entry into a SCIF.\" AI705 adds: serving halls operate 24x7 with operator presence; IDS must integrate with shift access logs and remote-administration auditing rather than only physical-zone alarms.", "falsifier": "Revisit if operator review or new measurement evidence shows the requirement applies in a way the revised verdict does not capture." } } }, "secret_theft": { "verdict": "Applies with modification", "rationale": "Source (page 5, paragraph 36): \"IDS shall detect attempted or actual unauthorized human entry into a SCIF.\" AI705 adds: IDS coverage extends to spaces holding non-weight secrets — operations centers, key custody rooms, contractor staging — because those secrets are exfiltrated by physical access just as classified material is.", "falsifier": "Revisit if operator review or new measurement evidence shows the requirement applies in a way the revised verdict does not capture." }, "sabotage": { "verdict": "Applies with modification", "rationale": "Source (page 5, paragraph 36): \"IDS shall detect attempted or actual unauthorized human entry into a SCIF.\" AI705 adds: IDS must cover power rooms, cooling plants, and BMS/OT cabinets because sabotage entry points for AI infrastructure are outside the traditional SCIF perimeter.", "falsifier": "Revisit if operator review or new measurement evidence shows the requirement applies in a way the revised verdict does not capture." } } }, { "row_id": "row-012-ao-certification-of-pds-prior-to-initial-operation", "row_path": "analysis/rows/row-012-ao-certification-of-pds-prior-to-initial-operation.md", "topic": "AO certification of PDS prior to initial operation", "source_requirement_ids": [ "cnssi-7003.r0015" ], "measurement_needed": false, "status": "v0.1_sweep", "threat_vectors": { "weight_theft": { "verdict": "Applies with modification", "rationale": "Source (page 6, paragraph 15): \"The AO must ensure PDS are inspected in accordance with SECTION XI and certified prior to initial operation.\" AI705 adds: Before any cable carrying plaintext weights, checkpoint traffic, or training/inference interconnect between custody zones is placed into service, the AI accreditor must inspect and formally certify the protected distribution path.", "falsifier": "Operator evidence that all inter-zone weight and checkpoint traffic is cryptographically protected end-to-end such that no PDS-equivalent path exists would shift this toward Inapplicable.", "categories": { "stored_weights": { "verdict": "Applies with modification", "rationale": "Source (page 6, paragraph 15): \"The AO must ensure PDS are inspected in accordance with SECTION XI and certified prior to initial operation.\" AI705 adds: Conduits carrying plaintext weight blobs between storage vaults, HSMs, and compute halls must be inspected and certified by the AO before first use.", "falsifier": "Demonstration that stored weights never traverse a plaintext distribution path (always wrapped by HSM-bound keys) would make PDS certification moot for this category." }, "training_systems": { "verdict": "Applies with modification", "rationale": "Source (page 6, paragraph 15): \"The AO must ensure PDS are inspected in accordance with SECTION XI and certified prior to initial operation.\" AI705 adds: Training fabric cabling (NVLink/IB) and checkpoint egress paths that carry plaintext gradients or weights between racks must be inspected and certified before the cluster goes live.", "falsifier": "Evidence that all training interconnect traffic is link-encrypted with attested endpoints inside a single contiguous secure volume would shift this to Inapplicable." }, "inference_systems": { "verdict": "Applies with modification", "rationale": "Source (page 6, paragraph 15): \"The AO must ensure PDS are inspected in accordance with SECTION XI and certified prior to initial operation.\" AI705 adds: Cabling that delivers loaded weights or plaintext prompts/responses between inference pods and customer-facing edges must be inspected and certified prior to serving production traffic.", "falsifier": "Proof that inference paths terminate plaintext only inside a single certified enclosure with no inter-zone plaintext runs would reduce this to Inapplicable." } } }, "secret_theft": { "verdict": "Applies with modification", "rationale": "Source (page 6, paragraph 15): \"The AO must ensure PDS are inspected in accordance with SECTION XI and certified prior to initial operation.\" AI705 adds: PDS carrying non-weight sensitive traffic — facility telemetry, vendor management channels, customer data, and operational secrets — must likewise be inspected and AO-certified before initial use.", "falsifier": "Evidence that all such secret-bearing channels are protected by certified cryptographic tunnels rather than physical PDS would shift this toward Inapplicable." }, "sabotage": { "verdict": "Applies with modification", "rationale": "Source (page 6, paragraph 15): \"The AO must ensure PDS are inspected in accordance with SECTION XI and certified prior to initial operation.\" AI705 adds: Pre-operational inspection and certification of distribution pathways also serves to confirm there are no implanted taps or tampering vectors that could later be used to disrupt or corrupt AI training/inference traffic, and should cover OT/BMS conduits as well.", "falsifier": "Operator demonstration that integrity monitoring on the fabric continuously detects tampering, removing the need for a one-time pre-operational physical certification, would shift this verdict." } } }, { "row_id": "row-013-scope-uniform-physical-technical-security-requirements-for-a", "row_path": "analysis/rows/row-013-scope-uniform-physical-technical-security-requirements-for-a.md", "topic": "Scope: uniform physical/technical security requirements for all SCI facilities", "source_requirement_ids": [ "icd-705.r0008" ], "measurement_needed": false, "status": "v0.1_sweep", "threat_vectors": { "weight_theft": { "verdict": "Applies with modification", "rationale": "Source (page 2, paragraph 8): \"This Directive establishes that all Intelligence Community (IC) Sensitive Compartmented Information Facilities (SCIF) shall comply with uniform IC physical and technical security requirements (hereinafter \"uniform security requirements\"). This Directive is designed to ensure the protection of Sensitive Compartmented Information (SCI) and foster efficient, consistent , and reciprocal use of SCIFs in the IC. This Directive applies to all facilities accredited by IC elements where SCI is processed, stored, used, or discussed .\" AI705 adds: a uniform baseline must be defined across every facility that processes, stores, or uses frontier model weights and checkpoints so that weight-custody protections do not vary by site or operator.", "falsifier": "Operator evidence of an enforced cross-site uniform weight-protection standard with reciprocity between datacenters would shift this toward Applies as written.", "categories": { "stored_weights": { "verdict": "Applies with modification", "rationale": "Source (page 2, paragraph 8): \"This Directive applies to all facilities accredited by IC elements where SCI is processed, stored, used, or discussed .\" AI705 adds: every vault, HSM enclave, and offline backup location holding model weights must fall under one uniform accreditation regime rather than per-site bespoke controls.", "falsifier": "Evidence that all weight-storage enclaves across an operator's footprint are governed by a single accredited baseline would move this to Applies as written." }, "training_systems": { "verdict": "Applies with modification", "rationale": "Source (page 2, paragraph 8): \"This Directive applies to all facilities accredited by IC elements where SCI is processed, stored, used, or discussed .\" AI705 adds: training clusters that materialize weights and gradients in cleartext on accelerators are SCI-equivalent processing environments and must inherit the same uniform baseline as storage.", "falsifier": "Demonstration that training halls are accredited under the same uniform standard as weight vaults would shift this to Applies as written." }, "inference_systems": { "verdict": "Applies with modification", "rationale": "Source (page 2, paragraph 8): \"all facilities accredited by IC elements where SCI is processed, stored, used, or discussed .\" AI705 adds: inference fleets, which continuously process loaded weights at scale, must be brought under the same uniform accreditation rather than treated as a lower tier than training.", "falsifier": "Evidence that inference datacenters are accredited to the identical baseline as training and storage would move this to Applies as written." } } }, "secret_theft": { "verdict": "Applies with modification", "rationale": "Source (page 2, paragraph 8): \"This Directive is designed to ensure the protection of Sensitive Compartmented Information (SCI) and foster efficient, consistent , and reciprocal use of SCIFs in the IC.\" AI705 adds: uniform requirements must also cover non-weight sensitive material — research roadmaps, RLHF data, vendor schematics, customer prompts — so protection is consistent across all facilities that handle these secrets.", "falsifier": "Operator showing that non-weight sensitive information is governed by the same uniform cross-site baseline as classified-equivalent material would shift this to Applies as written." }, "sabotage": { "verdict": "Applies with modification", "rationale": "Source (page 2, paragraph 8): \"all Intelligence Community (IC) Sensitive Compartmented Information Facilities (SCIF) shall comply with uniform IC physical and technical security requirements.\" AI705 adds: a uniform baseline is equally needed for availability and integrity protections (power, cooling, BMS/OT, supply chain) so that an adversary cannot pick the weakest datacenter as the sabotage entry point.", "falsifier": "Evidence of a uniform, cross-site availability/integrity standard binding every frontier datacenter would move this to Applies as written." } } }, { "row_id": "row-014-secure-storage-area-ssa-description-and-non-operation-securi", "row_path": "analysis/rows/row-014-secure-storage-area-ssa-description-and-non-operation-securi.md", "topic": "Secure Storage Area (SSA) description and non-operation security for OCONUS projects", "source_requirement_ids": [ "scif-preconstruction-checklist-v15.r0025" ], "measurement_needed": false, "status": "v0.1_sweep", "threat_vectors": { "weight_theft": { "verdict": "Inapplicable", "rationale": "Source (page 14, paragraph 25): \"Projec ts Outside of the US must mark yes. Yes No 4.2.1 If yes to 4.2, describe the SSA, to include type of area/facility/container and location... 4.2.2 If yes to 4.2, describe how the SSA will be secured during hours of non-operation. 24/7 CAGs, IDS, CCTV, locks, fence, etc.\"", "falsifier": "Operator demonstration that this checklist field is being repurposed as a substantive control on weight-bearing storage (rather than a form entry) would shift the verdict toward Applies with modification.", "categories": { "stored_weights": { "verdict": "Inapplicable", "rationale": "Source (page 14, paragraph 25): \"4.2.1 If yes to 4.2, describe the SSA, to include type of area/facility/container and location.\" This is a preconstruction checklist form field requesting a free-text description, not a substantive storage control.", "falsifier": "Evidence that this field gates approval of weight storage enclaves with enforceable criteria would shift to Applies with modification." }, "training_systems": { "verdict": "Inapplicable", "rationale": "Source (page 14, paragraph 25): \"describe how the SSA will be secured during hours of non-operation. 24/7 CAGs, IDS, CCTV, locks, fence, etc.\" The clause addresses physical SSA description on a form and has no analog to training cluster operation, which is continuous rather than having 'non-operation' hours.", "falsifier": "Operator showing the field is used to specify training-hall idle-state controls with binding effect would shift to Applies with modification." }, "inference_systems": { "verdict": "Inapplicable", "rationale": "Source (page 14, paragraph 25): \"describe how the SSA will be secured during hours of non-operation.\" Inference fleets run continuously and the checklist item is an administrative description field, not a control specification.", "falsifier": "Evidence that operators use this field to bind inference enclave dormant-state controls would shift to Applies with modification." } } }, "secret_theft": { "verdict": "Inapplicable", "rationale": "Source (page 14, paragraph 25): \"4.2.1 If yes to 4.2, describe the SSA, to include type of area/facility/container and location. Use additional pages if necessary.\" This is an administrative form field requesting free-text description and disclosure of OCONUS location, not a confidentiality control on facility secrets.", "falsifier": "Demonstration that the form's responses are themselves protected as sensitive facility data with enforceable handling rules would shift toward Applies with modification." }, "sabotage": { "verdict": "Inapplicable", "rationale": "Source (page 14, paragraph 25): \"describe how the SSA will be secured during hours of non-operation. 24/7 CAGs, IDS, CCTV, locks, fence, etc.\" The line is a descriptive checklist entry, not an availability or integrity requirement against disruption.", "falsifier": "Evidence that this checklist field is enforced as a binding resilience requirement for AI infrastructure availability would shift toward Applies with modification." } } }, { "row_id": "row-015-reciprocal-accreditation-of-accredited-scifs-across-ic-eleme", "row_path": "analysis/rows/row-015-reciprocal-accreditation-of-accredited-scifs-across-ic-eleme.md", "topic": "Reciprocal accreditation of accredited SCIFs across IC elements", "source_requirement_ids": [ "ics-705-02.r0013" ], "measurement_needed": false, "status": "v0.1_sweep", "threat_vectors": { "weight_theft": { "verdict": "Applies with modification", "rationale": "Source (page 3, paragraph 13): \"Any SCIF that has been accredited by an IC element AO or designee shall be reciprocally accepted for use as accredited by all IC elements when there are no waivers to the requirements established in IC Standard (ICS) 705-01, Physical and Technical Security Standards for Sensitive Compartmented Information Facilities, this Standard, and the IC Tech Specs.\" AI705 adds: A weight-storage or training/inference enclave accredited by one operator's accrediting authority should be reciprocally trusted to hold or process another operator's weights only when there are no outstanding waivers against the AI705 physical/technical baseline.", "falsifier": "Operator evidence that weight custody enclaves are always re-accredited per-tenant regardless of prior accreditation, with no reciprocity claim, would shift this to Inapplicable.", "categories": { "stored_weights": { "verdict": "Applies with modification", "rationale": "Source (page 3, paragraph 13): \"Any SCIF that has been accredited by an IC element AO or designee shall be reciprocally accepted for use as accredited by all IC elements when there are no waivers...\" AI705 adds: Vaults/HSM rooms holding model weights that meet the full AI705 baseline at one operator should be acceptable for housing another operator's weights without redundant accreditation, but only absent waivers.", "falsifier": "Evidence that weight vaults are never shared or cross-accepted between operators would shift to Inapplicable." }, "training_systems": { "verdict": "Applies with modification", "rationale": "Source (page 3, paragraph 13): \"Any SCIF that has been accredited by an IC element AO or designee shall be reciprocally accepted for use as accredited by all IC elements when there are no waivers...\" AI705 adds: A training cluster accredited by one AO as protecting weights/checkpoints to the AI705 standard should be reciprocally accepted by peer operators for joint or transferred training workloads, absent waivers.", "falsifier": "Demonstration that training clusters are never used cross-organizationally and reciprocity has no operational meaning would shift to Inapplicable." }, "inference_systems": { "verdict": "Applies with modification", "rationale": "Source (page 3, paragraph 13): \"Any SCIF that has been accredited by an IC element AO or designee shall be reciprocally accepted for use as accredited by all IC elements when there are no waivers...\" AI705 adds: An inference enclave accredited at one operator should be acceptable for serving another operator's weights under the same baseline, provided no waivers to AI705 physical/technical requirements are open.", "falsifier": "Evidence that inference enclaves are never reused across operators or that contractual arrangements forbid reciprocity would shift to Inapplicable." } } }, "secret_theft": { "verdict": "Applies with modification", "rationale": "Source (page 3, paragraph 13): \"Any SCIF that has been accredited by an IC element AO or designee shall be reciprocally accepted for use as accredited by all IC elements when there are no waivers...\" AI705 adds: Facilities accredited to handle sensitive non-weight material (customer data, red-team findings, vendor secrets, telemetry) at one operator should be reciprocally accepted by peers under AI705, provided no waivers exist.", "falsifier": "Operator showing that secret-handling spaces are always re-accredited per data owner regardless of prior accreditation would shift to Inapplicable." }, "sabotage": { "verdict": "Applies with modification", "rationale": "Source (page 3, paragraph 13): \"Any SCIF that has been accredited by an IC element AO or designee shall be reciprocally accepted for use as accredited by all IC elements when there are no waivers...\" AI705 adds: Availability/integrity protections (power, cooling, BMS/OT hardening) accredited at one operator's site should be reciprocally accepted when hosting another operator's workloads, but only when no waivers against AI705 resilience requirements remain open.", "falsifier": "Evidence that sabotage-resilience accreditations are never relied on cross-operator, or that each tenant independently re-accredits availability controls, would shift to Inapplicable." } } }, { "row_id": "row-016-destruction-methods-and-emergency-action-plan-for-classified", "row_path": "analysis/rows/row-016-destruction-methods-and-emergency-action-plan-for-classified.md", "topic": "Destruction methods and Emergency Action Plan for classified/sensitive material", "source_requirement_ids": [ "scif-fixed-facility-checklist-v15.r0098" ], "measurement_needed": false, "status": "human_revised", "threat_vectors": { "weight_theft": { "verdict": "Applies with modification", "rationale": "Source (page 21, paragraph 98): \"Describe the method and equipment used for destruction of classified/sensitive material ... Is a secondary method of destruction available? ... Do you have a written Emergency Action Plan (EAP) approved by AO?\" AI705 adds: weight destruction must cover HSM zeroization, key material destruction, training checkpoint shredding, and offline backup destruction, with the EAP covering loss-of-control scenarios that compromise model weights.", "falsifier": "Revisit if operator review or new measurement evidence shows the requirement applies in a way the revised verdict does not capture.", "categories": { "stored_weights": { "verdict": "Applies with modification", "rationale": "Source (page 21, paragraph 98): describes destruction methods and EAP. AI705 adds: stored weights require cryptographic erasure plus physical destruction of any unencrypted backup media; the EAP must include the time-window in which a partial-zeroize is verifiable.", "falsifier": "Revisit if operator review or new measurement evidence shows the requirement applies in a way the revised verdict does not capture." }, "training_systems": { "verdict": "Applies with modification", "rationale": "Source (page 21, paragraph 98): describes destruction methods and EAP. AI705 adds: training clusters hold weights in memory and on local storage during runs; the EAP must specify how to drain active training before an emergency destruction is invoked.", "falsifier": "Revisit if operator review or new measurement evidence shows the requirement applies in a way the revised verdict does not capture." }, "inference_systems": { "verdict": "Applies with modification", "rationale": "Source (page 21, paragraph 98): describes destruction methods and EAP. AI705 adds: inference replicas may hold partial weight copies in distributed caches; destruction procedures must cover replica drain and cache invalidation, not just a single primary store.", "falsifier": "Revisit if operator review or new measurement evidence shows the requirement applies in a way the revised verdict does not capture." } } }, "secret_theft": { "verdict": "Applies with modification", "rationale": "Source (page 21, paragraph 98): describes destruction methods and EAP. AI705 adds: non-weight secrets — facility design, security procedures, customer data — also require destruction coverage, and the EAP must explicitly include their custody chain.", "falsifier": "Revisit if operator review or new measurement evidence shows the requirement applies in a way the revised verdict does not capture." }, "sabotage": { "verdict": "Applies with modification", "rationale": "Source (page 21, paragraph 98): describes destruction methods and EAP. AI705 adds: the EAP must address sabotage-driven emergencies (power tampering, cooling failure, OT compromise) where destruction may be needed to prevent compromised weights from being exfiltrated during a chaotic event.", "falsifier": "Revisit if operator review or new measurement evidence shows the requirement applies in a way the revised verdict does not capture." } } }, { "row_id": "row-017-controlled-access-ca-material-handling-scanning-copying-stor", "row_path": "analysis/rows/row-017-controlled-access-ca-material-handling-scanning-copying-stor.md", "topic": "Controlled Access (CA) material handling: scanning/copying, storage, workstation lock, end-of-day securing", "source_requirement_ids": [ "scif-ca-checklist-v15.r0016" ], "measurement_needed": false, "status": "v0.1_sweep", "threat_vectors": { "weight_theft": { "verdict": "Applies with modification", "rationale": "Source (page 4, paragraph 16): \"Is scanning/copying of CA material required? ... Is storage of CA material required within the CA? ... do only individuals briefed to the CA program have access to the GSA approved storage container? ... Describe procedures to secure the workstation when the individual leaves the CA ... Describe procedures to secure the CA at the end of day.\" AI705 adds: weight-bearing artifacts (checkpoints, exported weight shards, key material) require explicit equivalents — controlled copy/export paths, custody in HSM-or-equivalent storage limited to briefed weight-custodians, locked operator workstations, and an end-of-shift custody reconciliation.", "falsifier": "Operator evidence that weight export, checkpoint storage, custodian workstation locking, and end-of-day weight custody handoff are all governed by named procedures with logging would shift this to Applies as written.", "categories": { "stored_weights": { "verdict": "Applies with modification", "rationale": "Source (page 4, paragraph 16): \"Is storage of CA material required within the CA? ... do only individuals briefed to the CA program have access to the GSA approved storage container? ... Describe procedures to secure the CA at the end of day.\" AI705 adds: stored weights and checkpoints are the direct analog of CA material in storage — they must reside in access-controlled crypto storage (HSM/KMS or sealed weight vault) accessible only to briefed weight-custodians, with end-of-day custody reconciliation.", "falsifier": "Demonstration that weight checkpoints are held in an enumerated, briefed-personnel-only custody system with daily reconciliation logs would shift this to Applies as written." }, "training_systems": { "verdict": "Applies with modification", "rationale": "Source (page 4, paragraph 16): \"Is scanning/copying of CA material required? ... If yes, explain copier/scanner location, connectivity and procedures to protect CA material.\" AI705 adds: training systems perform the AI analog of 'copying' every time they checkpoint or export weights, so the operator must document where checkpoint writers live, their network connectivity, and the procedure that protects the resulting weight artifacts.", "falsifier": "Operator documentation enumerating every checkpoint/export path out of training clusters, with connectivity and protection procedures, would shift this to Applies as written." }, "inference_systems": { "verdict": "Applies with modification", "rationale": "Source (page 4, paragraph 16): \"Describe procedures to secure the workstation when the individual leaves the CA (for any length of time).\" AI705 adds: inference operator workstations and serving-host consoles that can touch loaded weights must auto-lock and require re-authentication on unattended departure, mirroring the CA workstation locking requirement.", "falsifier": "Evidence of enforced screen-lock, session-timeout, and re-auth controls on all inference operator consoles would shift this to Applies as written." } } }, "secret_theft": { "verdict": "Applies with modification", "rationale": "Source (page 4, paragraph 16): \"Is scanning/copying of CA material required? ... explain copier/scanner location, connectivity and procedures to protect CA material.\" AI705 adds: non-weight secrets (customer prompts/outputs, red-team datasets, vendor configs, eval results) need equivalent controlled-copy/export, storage-custody, workstation-lock, and end-of-day procedures so they cannot be exfiltrated through scan/print/copy analogs (USB, cloud sync, email, screen capture).", "falsifier": "Operator showing DLP-enforced export controls, briefed-personnel-only storage, and end-of-day clean-desk/clean-session checks for sensitive non-weight data would shift this to Applies as written." }, "sabotage": { "verdict": "Applies with modification", "rationale": "Source (page 4, paragraph 16): \"Describe procedures to secure the workstation when the individual leaves the CA (for any length of time). ... Describe procedures to secure the CA at the end of day.\" AI705 adds: unattended or end-of-day-unsecured operator workstations and admin consoles are a sabotage vector into training/inference/BMS control planes, so lock-on-departure and end-of-day shutdown/verification procedures must extend to any console that can issue change actions.", "falsifier": "Evidence that all privileged consoles (orchestration, BMS/OT, deploy pipelines) enforce lock-on-idle and end-of-day integrity checks would shift this to Applies as written." } } }, { "row_id": "row-018-inspection-of-furniture-with-built-in-electrical-devices-and", "row_path": "analysis/rows/row-018-inspection-of-furniture-with-built-in-electrical-devices-and.md", "topic": "Inspection of furniture with built-in electrical devices and construction materials prior to introduction into secure space", "source_requirement_ids": [ "inspectable-materials-checklist-v15.r0012" ], "measurement_needed": false, "status": "human_revised", "threat_vectors": { "weight_theft": { "verdict": "Inapplicable", "rationale": "Source (page 3, paragraph 12): \"Furniture having built in electrical devices or lamps must be disassembled and inspected separately ... X-Ray Ultrasonic Visual Metal Detector Destructive Test.\" Furniture-borne surveillance is not a credible weight-theft path for AI datacenters; hardware supply-chain vetting and TEMPEST review of accelerator racks address the equivalent concern.", "falsifier": "Revisit if a CTTA, accreditor, or operator review identifies an AI-datacenter analog this revision missed.", "categories": { "stored_weights": { "verdict": "Inapplicable", "rationale": "Source (page 3, paragraph 12): describes furniture x-ray / destructive inspection. Stored-weight protection at AI datacenters is end-to-end cryptographic and physical; office furniture is not a meaningful exfil channel.", "falsifier": "Revisit if a CTTA, accreditor, or operator review identifies an AI-datacenter analog this revision missed." }, "training_systems": { "verdict": "Inapplicable", "rationale": "Source (page 3, paragraph 12): describes furniture x-ray / destructive inspection. Training-cluster threats are addressed by accelerator-rack TEMPEST review and supplier vetting, not furniture inspection.", "falsifier": "Revisit if a CTTA, accreditor, or operator review identifies an AI-datacenter analog this revision missed." }, "inference_systems": { "verdict": "Inapplicable", "rationale": "Source (page 3, paragraph 12): describes furniture x-ray / destructive inspection. Inference-side exfil paths are network and operator-access controls, not furniture handling.", "falsifier": "Revisit if a CTTA, accreditor, or operator review identifies an AI-datacenter analog this revision missed." } } }, "secret_theft": { "verdict": "Inapplicable", "rationale": "Source (page 3, paragraph 12): describes inspection of furniture with built-in electrical devices. Non-weight secrets at AI datacenters are protected by access control, OPSEC, and supply-chain vetting; furniture introduction is not a salient channel.", "falsifier": "Revisit if a CTTA, accreditor, or operator review identifies an AI-datacenter analog this revision missed." }, "sabotage": { "verdict": "Inapplicable", "rationale": "Source (page 3, paragraph 12): describes inspection of furniture entering secure space. Sabotage concerns at AI datacenters focus on BMS/OT, power, cooling, and network paths; furniture inspection is not a meaningful sabotage control.", "falsifier": "Revisit if a CTTA, accreditor, or operator review identifies an AI-datacenter analog this revision missed." } } }, { "row_id": "row-019-ids-coverage-on-scif-perimeter-access-points-with-ul-listed", "row_path": "analysis/rows/row-019-ids-coverage-on-scif-perimeter-access-points-with-ul-listed.md", "topic": "IDS coverage on SCIF perimeter access points with UL-listed motion sensors and high-security switches", "source_requirement_ids": [ "ic-tech-spec-v151.r0804" ], "measurement_needed": false, "status": "v0.1_sweep", "threat_vectors": { "weight_theft": { "verdict": "Applies with modification", "rationale": "Source (page 74, paragraph 804): \"Areas of a SCIF through which reasonable access could be gained, including walls common to areas not protected at the SCI level, shall be protected by IDS consisting of UL 639 listed motion sensors and UL 634 listed High Security Switches (HSS) that meet UL Level II requirements and/or other AO-approved equivalent sensors.\" AI705 adds: rooms and cages holding weight-bearing storage and the GPU fabric that processes weights must have motion detection and high-security door/access switches on every reasonable-access surface, including shared walls with non-weight areas.", "falsifier": "Operator evidence that weight-storage and training/inference halls have UL 639 motion coverage and UL 634 Level II HSS (or AO-equivalent) on all reasonable-access penetrations would shift this to Applies as written.", "categories": { "stored_weights": { "verdict": "Applies with modification", "rationale": "Source (page 74, paragraph 804): \"shall be protected by IDS consisting of UL 639 listed motion sensors and UL 634 listed High Security Switches (HSS) that meet UL Level II requirements\". AI705 adds: the vault/HSM room or cold-storage enclosure housing weight checkpoints and key material is the highest-value reasonable-access target and must carry UL Level II HSS on its door plus motion coverage of the enclosure interior and any shared walls.", "falsifier": "Demonstration that the weight vault uses UL 634 Level II HSS on all openings and UL 639 motion coverage on shared walls would move this to Applies as written." }, "training_systems": { "verdict": "Applies with modification", "rationale": "Source (page 74, paragraph 804): \"Areas... through which reasonable access could be gained, including walls common to areas not protected at the SCI level, shall be protected by IDS\". AI705 adds: training halls share walls with power, cooling, and tenant spaces that are not cleared for weight access, so those shared walls and any door into the training cage need motion sensors and Level II HSS.", "falsifier": "Inspection showing UL-listed motion and HSS coverage on every training-hall door and shared wall would shift to Applies as written." }, "inference_systems": { "verdict": "Applies with modification", "rationale": "Source (page 74, paragraph 804): \"All new SCIF accreditations shall use UL Level II HSS. Existing UL Level I HSS are authorized until major IDS modifications/upgrades are made.\" AI705 adds: inference halls that load production weights must meet the same reasonable-access IDS coverage, with new builds using UL Level II HSS and legacy Level I tolerated only until the next major retrofit.", "falsifier": "Evidence that all new inference deployments install Level II HSS and that legacy Level I switches are tracked for upgrade at the next IDS modification would shift to Applies as written." } } }, "secret_theft": { "verdict": "Applies with modification", "rationale": "Source (page 74, paragraph 804): \"Areas of a SCIF through which reasonable access could be gained... shall be protected by IDS consisting of UL 639 listed motion sensors and UL 634 listed High Security Switches\". AI705 adds: rooms holding non-weight secrets — customer prompt logs, red-team corpora, vendor schematics, crypto material in safes — also need UL-listed motion plus Level II HSS on their doors and shared walls.", "falsifier": "Operator showing that secret-storage rooms (SOC, key safes, sensitive data rooms) carry equivalent UL 639/634 Level II IDS coverage would shift to Applies as written." }, "sabotage": { "verdict": "Applies with modification", "rationale": "Source (page 74, paragraph 804): \"Areas... through which reasonable access could be gained, including walls common to areas not protected at the SCI level, shall be protected by IDS\". AI705 adds: sabotage-critical spaces — power rooms, BMS/OT cabinets, cooling plant, network meet-me rooms — share walls with general-access areas and must carry motion sensors and Level II HSS so unauthorized entry to disable AI infrastructure is detected before damage.", "falsifier": "Evidence that all sabotage-critical infrastructure rooms have UL 639 motion and UL 634 Level II HSS on reasonable-access points would shift to Applies as written." } } }, { "row_id": "row-020-waiver-request-submission-when-an-icd-705-standard-cannot-be", "row_path": "analysis/rows/row-020-waiver-request-submission-when-an-icd-705-standard-cannot-be.md", "topic": "Waiver request submission when an ICD 705 standard cannot be met", "source_requirement_ids": [ "ics-705-01.r0054" ], "measurement_needed": false, "status": "human_revised", "threat_vectors": { "weight_theft": { "verdict": "Inapplicable", "rationale": "Source (page 6, paragraph 54): \"The AO shall request waiver approval of the IC element head or designee, pursuant to ICD 705. A waiver request submitted when a standard cannot be met shall include the following.\" AI705 is itself the standards-translation layer for non-classified AI facilities; the IC-element waiver chain does not apply.", "falsifier": "Revisit if a CTTA, accreditor, or operator review identifies an AI-datacenter analog this revision missed.", "categories": { "stored_weights": { "verdict": "Inapplicable", "rationale": "Source (page 6, paragraph 54): ICD-705 waiver chain. AI705's row-level review records deviations from ICD 705 for stored-weight controls; the IC-element waiver process is for accredited SCIFs, not AI weight vaults.", "falsifier": "Revisit if a CTTA, accreditor, or operator review identifies an AI-datacenter analog this revision missed." }, "training_systems": { "verdict": "Inapplicable", "rationale": "Source (page 6, paragraph 54): ICD-705 waiver chain. Training-system deviations are captured in AI705 row verdicts and operator-review decisions, not via the IC-element waiver pathway.", "falsifier": "Revisit if a CTTA, accreditor, or operator review identifies an AI-datacenter analog this revision missed." }, "inference_systems": { "verdict": "Inapplicable", "rationale": "Source (page 6, paragraph 54): ICD-705 waiver chain. Inference-system deviations are captured in AI705 row verdicts and operator-review decisions, not via the IC-element waiver pathway.", "falsifier": "Revisit if a CTTA, accreditor, or operator review identifies an AI-datacenter analog this revision missed." } } }, "secret_theft": { "verdict": "Inapplicable", "rationale": "Source (page 6, paragraph 54): ICD-705 waiver chain. Non-weight-secret deviations from ICD-705 are recorded in AI705 review rather than the IC-element waiver process.", "falsifier": "Revisit if a CTTA, accreditor, or operator review identifies an AI-datacenter analog this revision missed." }, "sabotage": { "verdict": "Inapplicable", "rationale": "Source (page 6, paragraph 54): ICD-705 waiver chain. Sabotage-relevant deviations from ICD-705 are captured in AI705 review and operator decisions, not the IC-element waiver chain.", "falsifier": "Revisit if a CTTA, accreditor, or operator review identifies an AI-datacenter analog this revision missed." } } } ] }