Annual certification fails for AI. The 2024 generation of AI assurance — ISO 42001 certificates, SOC 2 sections, internal-audit attestations — was designed for software systems whose behaviour is stable between attestations. Modern AI systems are not stable: they drift on the model, the retrieval corpus, the system prompt, and the downstream tools, often within a single audit cycle. The artefact a firm holds — "we were audited on date X" — answers a question no buyer is asking.This working paper proposes a different *shape* for AI assurance: a continuous-verification certification issued against a published, versioned standard, mapped to multiple framework certificates by design, expressed as a signed JWT badge that any party can verify offline, and automatically suspended when live operating signal deviates from the standard. The paper describes the **AOS-1 Verified** mark as a working implementation of that shape.Contents: (1) the failure modes of annual AI assurance and the three diligence questions modern enterprise buyers actually ask; (2) the AOS-1 Operating Assurance Standard — 47 controls across 15 families, with versioned per-control evidence requirements; (3) the five-level AOS-1 maturity model (Unmanaged → Self-attested → Continuous-monitoring → Audit-evidenced → Regulator-aligned → Certified Autonomous); (4) the eight-framework cross-walk — ISO/IEC 42001, the EU AI Act (deployer-side complete, provider-side selective), NIST AI RMF, NIST AI 600-1, ISO/IEC 27001, SOC 2, the Colorado AI Act, the Korean AI Framework Act; (5) the continuous-verification loop — four signal classes, deviation thresholds, and suspension semantics; (6) the mechanics of the signed JWT badge and the JWKS-based offline verification protocol; (7) the audit-export bundle and its role in regulator interaction; (8) the path to EU AI Act Article 43 notified-body designation via ISO/IEC 17065 accreditation; and (9) the six-step certification journey with median engaged duration of 84 days.The paper closes with a comparative analysis against ISO 42001 certification, SOC 2 (AI scope), and Big-4 AI audit opinions, setting out the conditions under which AOS-1 Verified is a complement to those instruments rather than a substitute.
Rami Mohammed Kheir (Sun,) studied this question.