The 52-Article Charter · 32–36 of 52 · full text

Article 32–36: Complete

Published from the canonical CSOAI Partnership Charter (effective 15 January 2026). Full text below.

Version: 1.0 Effective Date: January 15, 2026, 09:00 GMT

ARTICLE 32: SUPPLY CHAIN TRANSPARENCY

32.1 VENDOR DUE DILIGENCE

32.1.1 Security Assessment

All Third-Party Vendors Must Undergo:

Security questionnaire (based on SIG/SIG Lite)
SOC 2 Type II or ISO 27001 verification
Penetration test results review
Incident history assessment
Business continuity planning review

32.1.2 Privacy Compliance Verification

GDPR compliance documentation
Data processing agreements
Cross-border transfer mechanisms
Privacy impact assessments

32.1.3 Labor Practices Review

No forced labor (ILO conventions)
No child labor
Fair wages and conditions
Freedom of association
Safe workplaces

32.1.4 Environmental Impact Assessment

Carbon footprint disclosure
Renewable energy usage
Waste management practices
Circular economy commitment

32.1.5 Financial Stability Check

Credit ratings
Financial statements
Insurance coverage
Longevity assessment

32.2 CONFLICT MINERALS

32.2.1 Hardware Supply Chain

Requirements:

No conflict minerals from DRC (per Dodd-Frank 1502)
Responsible Minerals Initiative certification
Supply chain audits
Transparency to consumers

32.2.2 Due Diligence

Map smelters and refiners
Verify certifications
Annual reporting

32.3 LABOR STANDARDS

32.3.1 Manufacturing and Operations

All Supply Chain Partners Must:

Comply with local labor laws (minimum)
Meet ILO core conventions
Allow third-party audits
Remediate violations

32.3.2 Data Annotation Workers

Specific Protections:

Living wage (not just minimum wage)
Mental health support (content moderation can be traumatic)
Reasonable hours
Clear contracts
Training and development

32.4 SUPPLY CHAIN MAPPING

32.4.1 Full Traceability

Requirements:

Map all tiers of suppliers (Tier 1, 2, 3+)
Identify critical suppliers
Assess single points of failure
Develop contingency plans

32.4.2 Risk Assessment

Regular Assessment:

Geopolitical risk
Natural disaster exposure
Financial stability
Regulatory changes
Technology obsolescence

32.4.3 Disclosure

Public disclosure (aggregate)
Detailed disclosure to CSOAI on request
Annual supply chain report

32.5 PROCUREMENT ETHICS

32.5.1 Anti-Corruption

No bribery or kickbacks
Gift policies
Competitive bidding
Conflict of interest management
Whistleblower protection

32.5.2 Diversity in Suppliers

Diverse supplier programs (minority, women-owned, etc.)
Local sourcing preferred (equal quality/price)
SME inclusion

ARTICLE 33: INSURANCE & LIABILITY

33.1 REQUIRED INSURANCE COVERAGE

33.1.1 Liability Insurance Minimums

| Risk Tier | General Liability | Cyber Insurance | E&O Insurance | Product Liability |
|-----------|------------------|-----------------|---------------|-------------------|
| Low | £1M | £500K | £500K | £1M |
| Medium | £10M | £5M | £2M | £5M |
| High | £50M | £25M | £10M | £25M |
| Critical | £500M | £100M | £50M | £100M |

33.1.2 Coverage Types

General Liability:

Bodily injury
Property damage
Personal injury
Advertising injury

Cyber Liability:

Data breach response
Business interruption
Cyber extortion
Network security liability

Errors & Omissions (E&O):

Professional negligence
Failure to perform
Misrepresentation

Product Liability:

Defective product claims
AI system failures
Harm from AI recommendations

33.2 CSOAI INSURANCE POOL

33.2.1 Shared Risk Pool

Structure:

Members contribute based on risk tier and revenue
Pool covers claims exceeding individual limits
Reduces insurance costs through collective bargaining
Incentivizes safety (better records = lower contributions)

33.2.2 Contribution Formula

``` Annual Contribution = Base Rate × Risk Tier Factor × Claims History Factor × Revenue Factor

Where:

Base Rate: £10,000
Risk Tier Factor: Low=1, Medium=2, High=4, Critical=10
Claims History Factor: 0.8 (no claims) to 2.0 (multiple claims)
Revenue Factor: Revenue / £100M (capped at 10)

```

33.3 LIABILITY FRAMEWORK

33.3.1 Product Liability Model

Who's Liable for AI Harms?

Primary Liability:

Developer: Design defects, inadequate testing
Deployer: Misuse, inadequate oversight
Data Provider: Defective training data

Strict Liability:

For defects that cause harm
No need to prove negligence

Negligence:

For failures in reasonable care
Failure to maintain, update, monitor

33.3.2 Shared Liability

When Multiple Parties Involved:

Joint and several liability
Contribution among parties
Proportional to fault

33.3.3 CSOAI Role

Facilitates insurance market
Provides actuarial data
Dispute resolution
Not liable for licensed systems (unless CSOAI negligence)

33.4 CLAIMS PROCESS

33.4.1 When AI Causes Harm

Victim files claim with insurer
Insurer investigates (CSOAI may assist)
Determination of liability
Settlement negotiation
Payment from insurance
Subrogation if third party at fault

33.4.2 CSOAI Assistance

Technical expertise for investigations
Access to Byzantine Council logs
Independent expert referrals
Mediation services

33.5 INSURANCE INNOVATION

33.5.1 Parametric Insurance

Automatic Payouts on Triggers:

Byzantine Council flags serious issue → Automatic claim initiation
Defined events trigger defined payments
Faster, less disputed

33.5.2 AI-Specific Coverage

Emerging Products:

Algorithmic liability
AI error coverage
Reputation damage from AI
Regulatory fines coverage (where legal)

ARTICLE 34: INTELLECTUAL PROPERTY

34.1 AI-GENERATED CONTENT OWNERSHIP

34.1.1 Current Legal Landscape

US:

Copyright requires human authorship
AI-generated = likely public domain (Thaler v. Vidal)

EU/UK:

Computer-generated works: 50 years protection (UK CDPA s.9(3))
But: Must have "author," AI may not qualify

CSOAI Position:

Human using AI tool retains rights (like Photoshop)
Purely AI-generated (no human input) = public domain
AI-generated content should be labeled

34.1.2 Disclosure Requirements

AI-Generated Content Must Be Labeled:

At creation (metadata)
When shared/published
Per EU AI Act transparency requirements

34.2 MODEL WEIGHTS AS IP

34.2.1 Protection Strategies

Trade Secret:

Keep weights confidential
Implement access controls
Viable for closed-source models

Copyright:

Weights as creative expression? Debated
Training code: Copyrightable
Architecture descriptions: Copyrightable

Patent:

Novel architectures patentable
Expensive, narrow protection
20-year term

34.2.2 CSOAI Guidance

Members decide their IP strategy
Encourage open-source when safe
Protect innovations when necessary
Support licensing for model sharing

34.3 TRAINING DATA ATTRIBUTION

34.3.1 Respect Creators

Principles:

If training data copyrighted, negotiate licenses
Attribution when feasible
Fair compensation to creators
Opt-out mechanisms

34.3.2 Data Licensing

Commercial datasets: Negotiate terms
Creative Commons: Honor license terms
Web scraping: Respect robots.txt, ToS
User-generated: Obtain consent

34.4 PATENT COMMONS

34.4.1 Defensive Patent Pool

CSOAI AI Safety Patent Pool:

Members contribute AI safety patents
Royalty-free cross-licensing within pool
Prevents patent trolls
Accelerates innovation
Modeled on Open Invention Network (Linux)

34.4.2 Participation

Voluntary for members
Encouraged for safety-related patents
Legal framework provided by CSOAI

34.5 OPEN SOURCE AI

34.5.1 CSOAI Position

Support Open Source With Safety Guardrails:

Open weights: Allowed if safety reviewed
Model cards required
Usage restrictions for high-risk models
Responsible release guidelines

34.5.2 Dual Licensing

Commercial + Open Source:

Open source for research/non-commercial
Commercial license for business use
Sustainable model for AI companies

ARTICLE 35: EMERGENCY RESPONSE PROTOCOLS

35.1 INCIDENT CLASSIFICATION

35.1.1 Severity Levels

Level 1 (Minor):

No harm, minor malfunction
Response: Standard troubleshooting
Notification: Log only
Example: Occasional incorrect prediction

Level 2 (Moderate):

Potential harm, containable
Response: Incident team activated
Notification: CSOAI within 1 week
Example: Biased output detected

Level 3 (Major):

Actual harm, widespread impact
Response: Emergency operations center
Notification: CSOAI within 24 hours, public notice
Example: Privacy breach affecting users

Level 4 (Critical):

Severe harm, public safety threat
Response: Full mobilization, Human Council emergency session
Notification: CSOAI within 1 hour, immediate public notice
Example: AI system causes physical harm

Level 5 (Catastrophic):

Existential risk, AGI/ASI emergency
Response: Global coordination, government liaison
Notification: Immediate all channels
Example: Signs of uncontrolled AGI

35.2 EMERGENCY OPERATIONS CENTER (EOC)

35.2.1 Staffing

For Critical Tier Systems:

24/7 staffed EOC
Minimum 3 personnel on shift
Senior decision-maker on call
Technical experts available

For High Tier:

Business hours staffing
On-call 24/7 (30-minute response)

35.2.2 Capabilities

War room facilities
Communication systems
Access to all monitoring
Decision authority delegations
External expert contacts

35.3 ESCALATION PROCEDURES

35.3.1 Clear Chain of Command

| Timeline | Action | Responsible |
|----------|--------|-------------|
| 0-5 min | Incident detected | Monitoring system/reporter |
| 5-15 min | On-call engineer notified | Automated |
| 15-30 min | Incident commander assigned | On-call engineer |
| 30-60 min | Executive notified (Level 2+) | Incident commander |
| 1 hour | CSOAI notified (Level 2+) | Incident commander |
| 2 hours | Human Council (Level 3+) | CSOAI |
| 24 hours | Public disclosure (Level 3+) | Communications team |

35.3.2 Decision Authority

Level 1-2: Incident commander
Level 3: Executive approval for major decisions
Level 4-5: Human Council involvement

35.4 CRISIS COMMUNICATION

35.4.1 Pre-Prepared Templates

Templates Ready For:

Internal notification
User communication
Press release
Regulatory notification
CSOAI notification

35.4.2 Communication Principles

Timely (don't wait for perfect information)
Accurate (don't speculate)
Empathetic (acknowledge impact)
Actionable (what should people do)
Updated (commit to ongoing updates)

35.5 POST-INCIDENT REVIEW

35.5.1 Mandatory After Every Incident

Timeline: Within 2 weeks of resolution

Process:

Timeline reconstruction
Root cause analysis (5 Whys, Fishbone)
What worked well?
What could be improved?
Action items (assign owners, deadlines)
Documentation
Share lessons (anonymized) with CSOAI community

35.5.2 CSOAI Incident Database

Anonymized incidents shared
Pattern analysis
Best practices extracted
Industry learning

ARTICLE 36: BUSINESS CONTINUITY & DISASTER RECOVERY

36.1 BUSINESS IMPACT ANALYSIS

36.1.1 Critical Functions Identified

Priority 1 (Mission Critical):

AI inference services (customer-facing)
Safety monitoring (Byzantine Council)
Core databases

Priority 2 (Essential):

Training pipelines
Communication systems
Financial systems

Priority 3 (Important):

Development environments
Reporting systems
Secondary services

36.1.2 Maximum Tolerable Downtime (MTD)

| Priority | MTD |
|----------|-----|
| Critical tier AI | 1 hour |
| High tier AI | 4 hours |
| Medium tier AI | 24 hours |
| Low tier AI | 1 week |
| Byzantine Council | 15 minutes |

36.2 BACKUP STRATEGIES

36.2.1 3-2-1 Rule

3 copies of data
2 different media types
1 off-site backup

36.2.2 Backup Frequency

| System Type | Backup Frequency | Retention |
|-------------|------------------|-----------|
| Critical data | Real-time replication | 7 years |
| High priority | Hourly | 3 years |
| Medium priority | Daily | 1 year |
| Low priority | Weekly | 6 months |

36.2.3 Testing

Quarterly restore tests
Annual full DR exercise
Document results
Address failures

36.3 REDUNDANCY REQUIREMENTS

36.3.1 No Single Point of Failure

For Critical Systems:

Multi-region deployment (different geography)
Active-active or active-passive
Automated failover
Load balancing

36.3.2 Infrastructure Redundancy

Redundant power supplies
Backup generators
Multiple network paths
Diverse carriers

36.4 DISASTER SCENARIOS

36.4.1 Scenarios Prepared For

Natural Disasters:

Earthquake, flood, fire, hurricane
Geographic diversification
Rapid relocation plans

Cyber Attacks:

Ransomware, DDoS, breach
Incident response plans
Clean backups (air-gapped)

Infrastructure Failures:

Power outage, network failure
UPS, generators, diverse connectivity

Pandemics:

Remote work capability
Distributed operations
Supply chain alternatives

Key Personnel Loss:

Cross-training
Documentation
Succession planning

36.5 RECOVERY PROCEDURES

36.5.1 Documented Runbooks

For Each Critical System:

Step-by-step recovery instructions
Contact lists
Decision trees
Communication templates
Dependencies

36.5.2 Recovery Time Objective (RTO)

| System | RTO |
|--------|-----|
| Byzantine Council | 15 minutes |
| Critical AI services | 1 hour |
| High priority services | 4 hours |
| Medium priority | 24 hours |

36.5.3 Recovery Point Objective (RPO)

| System | RPO (max data loss) |
|--------|-----|
| Byzantine Council logs | 0 (no loss) |
| Critical AI services | 15 minutes |
| High priority | 1 hour |
| Medium priority | 24 hours |

END OF PHASE 4: OPERATIONAL REQUIREMENTS (Articles 29-36)

Phase 4 Complete!

Progress: 36 of 52 Articles (69%)

Next: Phase 5 - Economic & Social (Articles 37-44) Then: Phase 6 - Long-Term Governance (Articles 45-52)

From charter to certificate. This article is part of the standard behind Watchdog Certification — independent assessment, Ed25519-signed, publicly verifiable. The crosswalks to the EU AI Act, ISO/IEC 42001 and 18 more frameworks are in the Crosswalk Library; the runtime tools are in the fabric.

The 52-Article Charter is published in full in the Journal. Bespoke briefings: hello@meok.ai.