a2aws2Agentic Workspace Security Standard

Standard

Claim Language

Working draft

This page renders the current aws2 working draft. It is not a released standard, certification program, compliance framework, legal analysis, endorsement, or public conformance claim.

This section defines claim language for the working draft. It is candidate normative text because overclaiming can mislead implementers, buyers, reviewers, and external stakeholders.

12.1 Current Claim Posture

aws2 is currently a non-released, profile-first working draft and crosswalk effort. There is no active public conformance profile, compliance profile, certification program, validator program, auditor program, seal, badge, governance body, or external endorsement.

All claims must be bounded to:

  • the named scoped system
  • the candidate controls or families reviewed
  • the evidence artifacts available
  • the mapping sources used
  • the time period reviewed
  • the draft status of the document

12.2 Preferred Claim Verbs

Use "informed by" when a source shaped the design but no specific mapping is claimed.

Use "maps to" when a specific candidate control, family, artifact, or design choice is traceably related to an external source signal.

Use "supports evidence for" when an artifact may help demonstrate that a selected candidate control or external expectation was addressed.

Use "implements selected controls" only when a concrete scoped system, workflow, runtime, tool, connector, skill, or evidence process actually enforces or produces a named subset of candidate controls or artifacts.

Use "reviewed against candidate expectations" when a system was internally checked against draft text, but no released conformance claim exists.

12.3 Disallowed Working-Draft Claims

Working-draft users MUST NOT claim:

  • aws2 compliant
  • aws2 certified
  • aws2 approved
  • aws2 endorsed
  • passed aws2
  • meets aws2 without a bounded and explained candidate-control scope
  • secure because it uses aws2
  • equivalent to an external standard
  • compliant with an external legal or certification framework because of an aws2 mapping

These claim forms require maturity that does not exist in the working draft.

12.4 Allowed Working-Draft Claim Patterns

Acceptable examples:

  • " aws2 is a profile-first crosswalk and evidence model for agentic workspace security."
  • " aws2 is a gap-closing profile that maps candidate controls to existing standards without replacing them."
  • "This system was reviewed against selected candidate aws2 Level 1 expectations."
  • "This control maps to selected aws2 candidate runtime-action controls."
  • "These approval receipts support evidence for selected AWS2-RUN and AWS2-LOG candidate controls."
  • "This implementation produces evidence artifacts relevant to selected source-trust controls for the named scoped system."
  • "This mapping is informed by OWASP, CSA, NIST, ISO, AIUC-1, Five Eyes, and MITRE sources, with source-specific claim limits."

12.5 Stronger Future Claims

"Conforms to an aws2 profile" should be allowed only if a future released profile defines:

  • normative requirements
  • applicability rules
  • minimum evidence artifacts
  • validation method
  • versioning and reassessment rules
  • allowed claim language

"Certified" or equivalent language should be allowed only if a future program defines:

  • released standard or profile
  • independent review or audit path
  • assessor qualification or validation rules
  • evidence package requirements
  • governance and appeal rules
  • revocation, expiry, or nonconformance handling

Until then, certification language is prohibited.

Previous
Governance And Change Management
Next
Future Certification Considerations