Certification
Risk Profiles
Continuum/AI defines four certification profiles with increasing control requirements based on data sensitivity and potential impact.
Profile summary
| Profile | Data Accessed | Potential Impact | Controls | Validation |
|---|---|---|---|---|
| Essential | Public, internal | Low | 9 | Self-assessment |
| Standard | Confidential | Medium | 24 | Self-assessment with scan |
| Elevated | PII, sensitive | High | 39 | Internal audit |
| Critical | Regulated, financial | Severe | 48 | Third-party audit |
Control distribution by profile
| Domain | Essential | Standard | Elevated | Critical |
|---|---|---|---|---|
| GOV | 2 | 3 | 4 | 5 |
| IDN | 0 | 2 | 3 | 4 |
| AZN | 1 | 2 | 4 | 5 |
| DAT | 2 | 4 | 5 | 6 |
| VAL | 2 | 4 | 5 | 5 |
| EXE | 1 | 4 | 4 | 5 |
| OBS | 1 | 2 | 5 | 6 |
| INT | 0 | 1 | 3 | 4 |
| RES | 0 | 1 | 3 | 4 |
| SUP | 0 | 1 | 3 | 4 |
| Total | 9 | 24 | 39 | 48 |
Essential profile
Essential profile applies to experimental and development deployments with access limited to public and internal data. Nine controls establish baseline security posture including acceptable use policy, ownership assignment, least privilege, data classification, access restrictions, input sanitization, injection detection, process isolation, and action logging.
Standard profile
Standard profile applies to deployments accessing confidential data with medium impact potential. Twenty-four controls add agent inventory, identity verification, temporal constraints, encryption in transit, source verification, and session correlation.
Elevated profile
Elevated profile applies to deployments processing PII and sensitive data. Thirty-nine controls add risk assessment, credential management, action filtering, encryption at rest, content boundary enforcement, anomaly detection, approval workflows, and containment procedures.
Critical profile
Critical profile applies to deployments handling regulated and financial data. All forty-eight controls are required with independent third-party audit validation.