{ "file_id": "05_vertical_telecom_it_operations", "version": "2026.03.16", "schema_version": "2.2", "status": "Production Authority", "last_authoritative_sync": "2026-03-16", "description": "Comprehensive enumeration library for the Telecommunications & IT Operations vertical. Covers every subdomain where agentic AI is actively deployed as of March 2026: trouble ticket and service assurance (TM Forum TMF621 v5.0.1), product order management (TMF622 v5.0), network alarm and fault management (ITU-T X.733 / TMF642), AIOps and autonomous network operations, ITIL 4 change and incident management, cybersecurity event handling (NIST CSF 2.0), 5G network slice management (3GPP TS 28.541), service level agreement governance, and regulatory compliance for critical national infrastructure. Designed for use as OTel span attributes in an agentic AI SDK and as policy vocabulary in an OPA Rego GRC portal.", "vertical_metadata": { "vertical_key": "telecom_it_operations", "industry": "Telecommunications & IT Operations", "primary_standards": [ "TM Forum Open API v5.0.1 — TMF621 Trouble Ticket Management API v5.0.1 (July 2025 patch)", "TM Forum Open API v5.0 — TMF622 Product Ordering Management API v5.0.0", "TM Forum Open API v4.0 — TMF640 Service Activation & Configuration API", "TM Forum Open API v5.0 — TMF641 Service Ordering Management API v5.0.0", "TM Forum Open API v5.0 — TMF642 Alarm Management API v5.0.0", "TM Forum Open API v4.1 — TMF628 Performance Threshold Management API", "TM Forum Open API v4.0 — TMF688 Event Management API", "TM Forum Autonomous Networks (AN) Level 4/5 Framework — GB921 Frameworx v23.5", "ITU-T X.733 (1992) — Alarm Reporting Function; extended by ITU-T X.736 Security Alarms", "ITU-T M.3400 — TMN Network Management Functions", "3GPP TS 28.541 — 5G NR Network Resource Model (NRM) for Network Slice Management", "3GPP TS 28.530 — 5G NRM Concepts and Requirements for Network Slice Management", "3GPP TS 28.545 — Fault Supervision for Network Slices", "ITIL 4 — IT Service Management (Axelos, 2019 — current edition)", "ITIL 4 Change Enablement Practice Guide (Axelos, 2020)", "ITIL 4 Incident Management Practice Guide (Axelos, 2020)", "NIST Cybersecurity Framework (CSF) 2.0 (February 2024)", "NIST SP 800-61 Rev 3 — Incident Response Recommendations (2024 Draft)", "ETSI ENI 007 — Terminology for Experiential Networked Intelligence", "ETSI ZSM 002 — Zero-touch Network and Service Management Reference Architecture (2019)", "IEEE 802.1Q — VLANs / Bridged Local Area Networks (for network topology context)", "NERC CIP v7 — Critical Infrastructure Protection (applicable to telco/CNI overlap)", "EU NIS2 Directive (2022/2555) — Network and Information Security for essential entities", "FCC Part 4 — Disruptions to Communications (US outage reporting)", "Ofcom Network Reporting Code (UK) — Communications provider outage notifications" ], "primary_source_urls": [ "https://www.tmforum.org/open-digital-architecture/open-apis", "https://www.tmforum.org/resources/specifications/tmf621-trouble-ticket-management-api-user-guide-v5-0-0/", "https://www.tmforum.org/open-digital-architecture/open-apis/product-ordering-management-api-TMF622/v5.0", "https://www.tmforum.org/open-digital-architecture/open-apis/alarm-management-tmf642/", "https://www.3gpp.org/ftp/Specs/archive/28_series/28.541/", "https://www.3gpp.org/ftp/Specs/archive/28_series/28.530/", "https://www.etsi.org/deliver/etsi_gs/ZSM/001_099/002/01.01.01_60/gs_ZSM002v010101p.pdf", "https://www.nist.gov/cyberframework", "https://www.itil.com/", "https://www.itu.int/rec/T-REC-X.733/en" ], "otel_namespace": "telecom", "opa_namespace": "data.telecom", "agentic_ai_deployment_context": "As of March 2026, agentic AI in telecommunications and IT operations is deployed across: autonomous network operations (Level 3–4 on TM Forum AN scale) with AI-driven fault detection and self-healing, AIOps platforms automating root cause analysis and runbook execution across cloud and on-premises infrastructure, AI-powered trouble ticket triage and resolution (TMF621 API integration), autonomous product order orchestration replacing manual provisioning workflows (TMF622), 5G network slice lifecycle management with AI-driven SLA assurance, security operations centre (SOC) automation for threat detection and incident response, ITIL 4 change management with AI-generated standard change proposals, and customer-facing conversational agents for fault reporting and service updates. The TM Forum Autonomous Networks Level 4 (intent-driven, cross-domain automation with human oversight) represents the target maturity for tier-1 operators. ETSI ZSM zero-touch networks and 3GPP SON (Self-Organising Networks) provide the standards foundation. EU NIS2 (in force October 2024) directly applies to telecoms as essential entities, mandating incident reporting within 24h (early warning) and 72h (detailed notification). FCC Part 4 outage reporting applies to US operators.", "key_regulatory_risk_note": "EU NIS2 Directive (2022/2555) entered force October 18, 2024, applying to telecommunications operators as 'essential entities'. NIS2 Article 21 mandates security measures including AI system governance; Article 23 requires 24-hour early warning and 72-hour detailed incident notification to national CSIRTs. NERC CIP v7 applies to telecom networks overlapping with energy sector critical infrastructure. FCC Part 4 requires US carriers to notify NORS within 120 minutes of discovering an outage meeting threshold criteria. The TM Forum Autonomous Networks framework defines five autonomy levels (AL0–AL4) that map directly to the EU AI Act Article 14 human oversight requirements for AI systems — AL3+ systems (cross-domain autonomous) require documented human oversight mechanisms to remain compliant." }, "subdomains": [ { "subdomain": "Trouble Ticket & Service Assurance", "description": "Covers the TM Forum TMF621 Trouble Ticket Management API v5.0.1 state machine and related enumerations for AI-driven ticket triage, routing, escalation, and resolution. Agentic AI systems consuming or producing TMF621 API resources must use these exact values.", "relevant_standards": [ "TM Forum TMF621 Trouble Ticket Management API v5.0.1 (July 2025 patch)", "TM Forum GB921 Frameworx — Service Assurance", "ITIL 4 Incident Management Practice" ], "categories": [ { "enum_name": "TroubleTicketStatus", "label": "Trouble Ticket Status", "otel_attribute": "telecom.trouble_ticket.status", "opa_policy_path": "data.telecom.trouble_ticket.status", "rego_input_key": "telecom_trouble_ticket_status", "stability": "stable", "description": "The lifecycle state of a trouble ticket per TM Forum TMF621 v5.0.1. These are the exact status values defined in the TMF621 TroubleTicket resource statusType enum. AI triage and routing agents must use these exact values when setting or reading ticket status via the TMF621 API.", "permitted_values": [ "new", "acknowledged", "in_progress", "pending", "held", "resolved", "closed", "cancelled" ], "value_labels": { "new": "New", "acknowledged": "Acknowledged", "in_progress": "In Progress", "pending": "Pending", "held": "Held", "resolved": "Resolved", "closed": "Closed", "cancelled": "Cancelled" }, "code_definitions": { "new": "Ticket has been created and not yet acknowledged by the service desk or AI triage agent", "acknowledged": "Ticket has been received and acknowledged; initial classification in progress", "in_progress": "Active work is occurring on the ticket; an agent or human engineer is investigating", "pending": "Work is paused and waiting on an external dependency (e.g. customer response, vendor action, change window)", "held": "Ticket is blocked on an internal dependency (e.g. waiting for a change to be approved or a related incident to resolve)", "resolved": "Root cause has been identified and corrective action applied; awaiting confirmation from reporter", "closed": "Resolution confirmed by reporter or auto-closed after confirmation window; no further action required", "cancelled": "Ticket was raised in error or is a duplicate; no action taken" }, "regulatory_mappings": { "eu_nis2_art23": "EU NIS2 Article 23 — Incident reporting obligations require ticket state to be machine-readable for regulatory timeline tracking (24h early warning, 72h notification)", "fcc_part4": "FCC Part 4 — Outage reporting; ticket state machine supports NORS notification workflow initiation" }, "use_case": "An AI triage agent creates a ticket in 'new' state, acknowledges it moving to 'acknowledged', then routes it to an autonomous remediation agent moving to 'in_progress'. If the automated fix requires a change window, the agent transitions to 'held' until the change is approved.", "source": "TM Forum TMF621 Trouble Ticket Management API v5.0.1 — statusType enum", "source_url": "https://www.tmforum.org/resources/specifications/tmf621-trouble-ticket-management-api-user-guide-v5-0-0/", "notes": "TMF621 v5.0.1 (July 2025 patch) introduced minor schema fixes to the statusType definition but did not change the permitted status values from v5.0.0." }, { "enum_name": "TroubleTicketSeverity", "label": "Trouble Ticket Severity", "otel_attribute": "telecom.trouble_ticket.severity", "opa_policy_path": "data.telecom.trouble_ticket.severity", "rego_input_key": "telecom_trouble_ticket_severity", "stability": "stable", "description": "Severity of the trouble ticket per TMF621. Drives AI escalation logic, SLA timers, and NOC escalation paths. Critical and major tickets must trigger immediate human-in-the-loop notification under NIS2 for incidents affecting essential services.", "permitted_values": [ "critical", "major", "minor", "no_impact" ], "value_labels": { "critical": "Critical", "major": "Major", "minor": "Minor", "no_impact": "No Impact" }, "code_definitions": { "critical": "Service is fully unavailable or severely degraded; immediate escalation to NOC Level 3 and regulatory notification workflow triggered", "major": "Significant service impact affecting a defined customer segment; SLA breach imminent", "minor": "Partial or intermittent impact; automated remediation eligible without mandatory HITL", "no_impact": "Informational or cosmetic issue; no service degradation" }, "regulatory_mappings": { "eu_nis2_art23": "Severity 'critical' or 'major' tickets affecting essential service must be assessed for NIS2 Article 23 reportability", "fcc_part4": "Critical severity in US telco context may trigger FCC Part 4 NORS reporting threshold assessment" }, "use_case": "AI triage agent assigns severity based on affected service, customer count, and revenue impact. Critical severity tickets trigger automatic NIS2 timeline tracking and human escalation.", "source": "TM Forum TMF621 severityType enum; TM Forum GB921 Frameworx Service Assurance", "source_url": "https://www.tmforum.org/resources/specifications/tmf621-trouble-ticket-management-api-user-guide-v5-0-0/" }, { "enum_name": "TroubleTicketType", "label": "Trouble Ticket Type", "otel_attribute": "telecom.trouble_ticket.type", "opa_policy_path": "data.telecom.trouble_ticket.type", "rego_input_key": "telecom_trouble_ticket_type", "stability": "stable", "description": "The classification of the trouble ticket per TMF621. Determines routing logic, responsible team assignment, and which AI remediation agents are eligible to handle it.", "permitted_values": [ "trouble_report", "installation_request", "service_request", "billing_dispute", "change_request", "query", "incident", "problem", "network_performance", "security_incident" ], "value_labels": { "trouble_report": "Trouble Report", "installation_request": "Installation Request", "service_request": "Service Request", "billing_dispute": "Billing Dispute", "change_request": "Change Request", "query": "Query", "incident": "Incident", "problem": "Problem", "network_performance": "Network Performance", "security_incident": "Security Incident" }, "use_case": "Security_incident type tickets are routed to the SOC AI agent chain and subject to NIS2/NIST CSF 2.0 incident handling procedures. Problem type tickets engage the problem management AI agent for root cause analysis across related incidents.", "source": "TM Forum TMF621 ticketType enum; ITIL 4 Incident vs Problem vs Service Request classification", "source_url": "https://www.tmforum.org/resources/specifications/tmf621-trouble-ticket-management-api-user-guide-v5-0-0/" }, { "enum_name": "IncidentPriority", "label": "Incident Priority", "otel_attribute": "telecom.incident.priority", "opa_policy_path": "data.telecom.incident.priority", "rego_input_key": "telecom_incident_priority", "stability": "stable", "description": "ITIL 4 incident priority matrix values, combining urgency and impact. Used by AI incident management agents to set escalation timers and determine whether automated resolution is permitted.", "permitted_values": [ "p1_critical", "p2_high", "p3_medium", "p4_low" ], "value_labels": { "p1_critical": "P1 — Critical", "p2_high": "P2 — High", "p3_medium": "P3 — Medium", "p4_low": "P4 — Low" }, "code_definitions": { "p1_critical": "Highest urgency, widest business impact; SLA target typically 15 minutes initial response, 4 hours resolution; always requires HITL for resolution approval", "p2_high": "High urgency or high impact but not both critical; SLA target typically 30 minutes response, 8 hours resolution; HITL required if autonomous action is irreversible", "p3_medium": "Moderate urgency and impact; SLA target typically 2 hours response, 24 hours resolution; autonomous remediation generally permitted", "p4_low": "Low urgency and impact; SLA target typically 4 hours response, 5 business days resolution; fully autonomous handling permitted" }, "ordered": true, "value_ordinals": { "p1_critical": 1, "p2_high": 2, "p3_medium": 3, "p4_low": 4 }, "regulatory_mappings": { "itil4": "ITIL 4 Incident Management Practice — priority matrix based on urgency × impact", "eu_nis2_art23": "P1/P2 incidents affecting essential service may require NIS2 Article 23 notification within 24 hours" }, "use_case": "AI incident management agent assigns priority on ticket creation. P1/P2 incidents trigger HITL escalation workflow; P3/P4 permit autonomous runbook execution.", "source": "ITIL 4 Incident Management Practice Guide (Axelos)", "source_url": "https://www.itil.com/" }, { "enum_name": "ServiceRestorationMethod", "label": "Service Restoration Method", "otel_attribute": "telecom.incident.restoration_method", "opa_policy_path": "data.telecom.incident.restoration_method", "rego_input_key": "telecom_incident_restoration_method", "stability": "proposed", "description": "The method used to restore service after a fault. AI remediation agents must log the restoration method to support post-incident review and SLA reporting.", "permitted_values": [ "autonomous_self_heal", "automated_runbook_executed", "hitl_approved_change", "emergency_change_deployed", "manual_field_intervention", "traffic_rerouting", "failover_to_redundant_path", "service_migration_to_backup_node", "vendor_escalation_resolved", "workaround_temporary", "root_cause_resolved_permanent" ], "value_labels": { "autonomous_self_heal": "Autonomous Self Heal", "automated_runbook_executed": "Automated Runbook Executed", "hitl_approved_change": "HITL Approved Change", "emergency_change_deployed": "Emergency Change Deployed", "manual_field_intervention": "Manual Field Intervention", "traffic_rerouting": "Traffic Rerouting", "failover_to_redundant_path": "Failover to Redundant Path", "service_migration_to_backup_node": "Service Migration to Backup Node", "vendor_escalation_resolved": "Vendor Escalation Resolved", "workaround_temporary": "Workaround Temporary", "root_cause_resolved_permanent": "Root Cause Resolved Permanent" }, "use_case": "Logged on ticket resolution to distinguish AI-driven self-healing from human-driven resolution. Supports post-incident review and autonomous network maturity level assessment per TM Forum AN framework.", "source": "TM Forum Autonomous Networks GB921 Frameworx; ITIL 4 Incident Management — restoration vs resolution", "source_url": "https://www.tmforum.org/autonomous-networks/" } ] }, { "subdomain": "Product Order & Service Provisioning", "description": "Covers TM Forum TMF622 Product Ordering Management API v5.0 and TMF641 Service Ordering API v5.0 state machine enumerations. Agentic AI provisioning systems must use these exact values when interacting with BSS/OSS systems via TM Forum Open APIs.", "relevant_standards": [ "TM Forum TMF622 Product Ordering Management API v5.0.0", "TM Forum TMF641 Service Ordering Management API v5.0.0", "TM Forum TMF640 Service Activation & Configuration API v4.0", "TM Forum GB921 Frameworx — Fulfilment domain" ], "categories": [ { "enum_name": "ProductOrderState", "label": "Product Order State", "otel_attribute": "telecom.product_order.state", "opa_policy_path": "data.telecom.product_order.state", "rego_input_key": "telecom_product_order_state", "stability": "stable", "description": "The lifecycle state of a product order per TM Forum TMF622 v5.0. These are the exact productOrderStateType values in the TMF622 ProductOrder resource. Agentic provisioning agents must use these exact values when reading or setting product order state via the TMF622 API.", "permitted_values": [ "acknowledged", "in_progress", "held", "pending", "cancelled", "completed", "failed", "partial" ], "value_labels": { "acknowledged": "Acknowledged", "in_progress": "In Progress", "held": "Held", "pending": "Pending", "cancelled": "Cancelled", "completed": "Completed", "failed": "Failed", "partial": "Partial" }, "code_definitions": { "acknowledged": "Order received and validated; assigned to provisioning workflow", "in_progress": "Provisioning is actively being executed across one or more network/service domains", "held": "Order is blocked pending an internal dependency (e.g. network capacity, credit check, configuration approval)", "pending": "Order is waiting on an external dependency (e.g. local loop provider, customer premise readiness, regulatory approval)", "cancelled": "Order has been cancelled by customer or system before completion", "completed": "All order items successfully provisioned; service delivered", "failed": "Provisioning failed; no service delivered; remediation required", "partial": "Some order items completed, others failed; mixed outcome requiring manual review" }, "regulatory_mappings": { "eu_nis2_art21": "NIS2 Article 21 — AI-driven provisioning systems are in-scope for supply chain security obligations if provisioning critical infrastructure components" }, "use_case": "An AI provisioning agent polls TMF622 order state to determine next workflow step. 'Partial' state triggers HITL review before determining whether to retry failed items or roll back.", "source": "TM Forum TMF622 Product Ordering Management API v5.0.0 — productOrderStateType enum", "source_url": "https://www.tmforum.org/open-digital-architecture/open-apis/product-ordering-management-api-TMF622/v5.0" }, { "enum_name": "OrderItemAction", "label": "Order Item Action", "otel_attribute": "telecom.order_item.action", "opa_policy_path": "data.telecom.order_item.action", "rego_input_key": "telecom_order_item_action", "stability": "stable", "description": "The action type for an individual order item within a product order per TM Forum TMF622. Determines what the provisioning agent must do for each product line item.", "permitted_values": [ "add", "modify", "delete", "no_change", "suspend", "resume", "port_out" ], "value_labels": { "add": "Add", "modify": "Modify", "delete": "Delete", "no_change": "No Change", "suspend": "Suspend", "resume": "Resume", "port_out": "Port Out" }, "code_definitions": { "add": "Provision a new product/service instance", "modify": "Change characteristics of an existing product/service instance", "delete": "Terminate and deprovision an existing product/service instance", "no_change": "Order item included for reference; no provisioning action required", "suspend": "Temporarily suspend service delivery without deprovisioning resources", "resume": "Restore a suspended service to active delivery", "port_out": "Transfer the service/number to another provider; triggers number portability workflow" }, "use_case": "AI provisioning agent reads order item action to select the correct provisioning workflow. 'Port_out' action triggers separate MNP (Mobile Number Portability) agent workflow with regulatory timing requirements.", "source": "TM Forum TMF622 orderItemActionType enum", "source_url": "https://www.tmforum.org/open-digital-architecture/open-apis/product-ordering-management-api-TMF622/v5.0" }, { "enum_name": "ServiceOrderState", "label": "Service Order State", "otel_attribute": "telecom.service_order.state", "opa_policy_path": "data.telecom.service_order.state", "rego_input_key": "telecom_service_order_state", "stability": "stable", "description": "The lifecycle state of a service order per TM Forum TMF641 v5.0. Mirrors TMF622 ProductOrder state at the service layer; used when orchestrating multi-domain service provisioning via the OSS.", "permitted_values": [ "acknowledged", "in_progress", "held", "pending", "cancelled", "completed", "failed", "partial" ], "value_labels": { "acknowledged": "Acknowledged", "in_progress": "In Progress", "held": "Held", "pending": "Pending", "cancelled": "Cancelled", "completed": "Completed", "failed": "Failed", "partial": "Partial" }, "use_case": "AI service orchestration agent coordinates product order (TMF622) and service order (TMF641) states to ensure BSS/OSS alignment. Mismatch between product and service order states is a policy violation requiring HITL investigation.", "source": "TM Forum TMF641 Service Ordering Management API v5.0.0 — serviceOrderStateType enum", "source_url": "https://www.tmforum.org/open-digital-architecture/open-apis/service-ordering-management-tmf641/" }, { "enum_name": "ProvisioningActivationState", "label": "Provisioning Activation State", "otel_attribute": "telecom.provisioning.activation_state", "opa_policy_path": "data.telecom.provisioning.activation_state", "rego_input_key": "telecom_provisioning_activation_state", "stability": "stable", "description": "Service activation state per TM Forum TMF640 Service Activation & Configuration API. Used by AI service activation agents to track service configuration lifecycle.", "permitted_values": [ "designing", "activating", "active", "inactive", "terminating", "terminated" ], "value_labels": { "designing": "Designing", "activating": "Activating", "active": "Active", "inactive": "Inactive", "terminating": "Terminating", "terminated": "Terminated" }, "use_case": "AI activation agent tracks service state through TMF640. Active state is required before SLA monitoring agent begins measurement. Terminating state blocks any modification actions.", "source": "TM Forum TMF640 Service Activation & Configuration API v4.0 — serviceActivationState", "source_url": "https://www.tmforum.org/open-digital-architecture/open-apis/service-activation-and-configuration-tmf640/" } ] }, { "subdomain": "Network Alarm & Fault Management", "description": "Covers ITU-T X.733 alarm reporting function enumerations as implemented in TM Forum TMF642 Alarm Management API v5.0. These are the foundational network fault management enumerations used by AI-driven NOC platforms and AIOps systems.", "relevant_standards": [ "ITU-T X.733 (1992) — Alarm Reporting Function (ISO/IEC 10164-4)", "ITU-T X.736 — Security Alarm Reporting Function (ISO/IEC 10164-7)", "TM Forum TMF642 Alarm Management API v5.0.0", "3GPP TS 28.545 — Fault Supervision for Network Slices", "ETSI ZSM 002 — Zero-touch Network and Service Management" ], "categories": [ { "enum_name": "NetworkAlarmSeverity", "label": "Network Alarm Severity", "otel_attribute": "telecom.alarm.severity", "opa_policy_path": "data.telecom.alarm.severity", "rego_input_key": "telecom_alarm_severity", "stability": "stable", "description": "Alarm perceived severity per ITU-T X.733 Section 8.1.2.3 and TM Forum TMF642 perceivedSeverityType. These are the exact ITU-T/TMF642 values. AIOps agents must use these when processing alarms from NMS/EMS systems.", "permitted_values": [ "critical", "major", "minor", "warning", "indeterminate", "cleared" ], "value_labels": { "critical": "Critical", "major": "Major", "minor": "Minor", "warning": "Warning", "indeterminate": "Indeterminate", "cleared": "Cleared" }, "code_definitions": { "critical": "The condition that generated this alarm is causing severe degradation of the managed object. Immediate corrective action is required.", "major": "The condition that generated this alarm is causing service-affecting degradation. Urgent corrective action is required.", "minor": "The condition that generated this alarm is not currently service-affecting but will become major if not addressed.", "warning": "The condition that generated this alarm is a potential indicator of a future more serious fault.", "indeterminate": "The severity of the condition cannot be determined.", "cleared": "The alarm condition has been resolved; the managed object has returned to its normal state." }, "regulatory_mappings": { "eu_nis2_art23": "Critical and major alarms on essential service infrastructure may trigger NIS2 Article 23 incident reporting obligations", "nerc_cip": "NERC CIP-008 — Critical alarms on BES Cyber Systems require incident response plan activation" }, "use_case": "AI alarm correlation engine classifies incoming alarms by severity. Critical/Major alarms trigger immediate AIOps action and NOC HITL notification. Cleared alarms signal resolution confirmation to trouble ticket management agent.", "source": "ITU-T X.733 Section 8.1.2.3 — perceivedSeverity; TM Forum TMF642 Alarm Management API v5.0", "source_url": "https://www.itu.int/rec/T-REC-X.733/en", "notes": "These values are stable across ITU-T X.733 (1992), 3GPP TS 28.545, and TMF642. The 'cleared' value is the mechanism by which AIOps self-healing confirmation is signalled back to the alarm management system." }, { "enum_name": "AlarmProbableCause", "label": "Alarm Probable Cause", "otel_attribute": "telecom.alarm.probable_cause", "opa_policy_path": "data.telecom.alarm.probable_cause", "rego_input_key": "telecom_alarm_probable_cause", "stability": "stable", "description": "Probable cause categories for network alarms per ITU-T X.733 and extended by TMF642. AIOps root cause analysis agents use these values to classify the root cause hypothesis and trigger appropriate remediation runbooks.", "permitted_values": [ "software_error", "software_program_error", "software_program_abnormally_terminated", "version_mismatch", "configuration_or_customization_error", "hardware_malfunction", "hardware_power_problem", "hardware_resource_exhausted", "cooling_system_failure", "bandwidth_reduced", "congestion", "call_establishment_error", "communications_protocol_error", "communications_subsystem_failure", "cpu_cycles_limit_exceeded", "dataset_or_modem_error", "degraded_signal", "denial_of_service", "duplicate_information", "enclosure_door_open", "equipment_malfunction", "excessive_vibration", "file_error", "fire_detected", "flood_detected", "framing_error", "heating_or_ventilation_cooling_system_problem", "humidity_unacceptable", "input_output_device_error", "input_device_error", "lan_error", "leak_detected", "local_node_transmission_error", "loss_of_frame", "loss_of_signal", "material_supply_exhausted", "multiplexer_problem", "out_of_memory", "output_device_error", "performance_degraded", "power_problem", "pressure_unacceptable", "processor_problem", "pump_failure", "queue_size_exceeded", "receive_failure", "receiver_failure", "remote_node_transmission_error", "resource_at_or_nearing_capacity", "response_time_excessive", "retransmission_rate_excessive", "routing_failure", "security_service_or_mechanism_violation", "signalling_error", "smoke_detected", "software_download_failure", "timing_problem", "toxic_leak_detected", "transmit_failure", "transmitter_failure", "underlying_resource_unavailable", "other" ], "value_labels": { "software_error": "Software Error", "software_program_error": "Software Program Error", "software_program_abnormally_terminated": "Software Program Abnormally Terminated", "version_mismatch": "Version Mismatch", "configuration_or_customization_error": "Configuration or Customization Error", "hardware_malfunction": "Hardware Malfunction", "hardware_power_problem": "Hardware Power Problem", "hardware_resource_exhausted": "Hardware Resource Exhausted", "cooling_system_failure": "Cooling System Failure", "bandwidth_reduced": "Bandwidth Reduced", "congestion": "Congestion", "call_establishment_error": "Call Establishment Error", "communications_protocol_error": "Communications Protocol Error", "communications_subsystem_failure": "Communications Subsystem Failure", "cpu_cycles_limit_exceeded": "Cpu Cycles Limit Exceeded", "dataset_or_modem_error": "Dataset or Modem Error", "degraded_signal": "Degraded Signal", "denial_of_service": "Denial of Service", "duplicate_information": "Duplicate Information", "enclosure_door_open": "Enclosure Door Open", "equipment_malfunction": "Equipment Malfunction", "excessive_vibration": "Excessive Vibration", "file_error": "File Error", "fire_detected": "Fire Detected", "flood_detected": "Flood Detected", "framing_error": "Framing Error", "heating_or_ventilation_cooling_system_problem": "Heating or Ventilation Cooling System Problem", "humidity_unacceptable": "Humidity Unacceptable", "input_output_device_error": "Input Output Device Error", "input_device_error": "Input Device Error", "lan_error": "Lan Error", "leak_detected": "Leak Detected", "local_node_transmission_error": "Local Node Transmission Error", "loss_of_frame": "Loss of Frame", "loss_of_signal": "Loss of Signal", "material_supply_exhausted": "Material Supply Exhausted", "multiplexer_problem": "Multiplexer Problem", "out_of_memory": "Out of Memory", "output_device_error": "Output Device Error", "performance_degraded": "Performance Degraded", "power_problem": "Power Problem", "pressure_unacceptable": "Pressure Unacceptable", "processor_problem": "Processor Problem", "pump_failure": "Pump Failure", "queue_size_exceeded": "Queue Size Exceeded", "receive_failure": "Receive Failure", "receiver_failure": "Receiver Failure", "remote_node_transmission_error": "Remote Node Transmission Error", "resource_at_or_nearing_capacity": "Resource At or Nearing Capacity", "response_time_excessive": "Response Time Excessive", "retransmission_rate_excessive": "Retransmission Rate Excessive", "routing_failure": "Routing Failure", "security_service_or_mechanism_violation": "Security Service or Mechanism Violation", "signalling_error": "Signalling Error", "smoke_detected": "Smoke Detected", "software_download_failure": "Software Download Failure", "timing_problem": "Timing Problem", "toxic_leak_detected": "Toxic Leak Detected", "transmit_failure": "Transmit Failure", "transmitter_failure": "Transmitter Failure", "underlying_resource_unavailable": "Underlying Resource Unavailable", "other": "Other" }, "source": "ITU-T X.733 Annex A — Probable Cause definitions; TM Forum TMF642 probableCauseType enum", "source_url": "https://www.itu.int/rec/T-REC-X.733/en" }, { "enum_name": "AlarmEventType", "label": "Alarm Event Type", "otel_attribute": "telecom.alarm.event_type", "opa_policy_path": "data.telecom.alarm.event_type", "rego_input_key": "telecom_alarm_event_type", "stability": "stable", "description": "Alarm event type categories per ITU-T X.733 Section 8.1.2.1. Classifies the broad category of fault at the first level of alarm taxonomy. Used by AI alarm correlation to route to the appropriate specialist analysis agent.", "permitted_values": [ "communications_alarm", "environmental_alarm", "equipment_alarm", "integrity_violation", "operational_violation", "physical_violation", "processing_error_alarm", "quality_of_service_alarm", "security_service_or_mechanism_violation", "time_domain_violation" ], "value_labels": { "communications_alarm": "Communications Alarm", "environmental_alarm": "Environmental Alarm", "equipment_alarm": "Equipment Alarm", "integrity_violation": "Integrity Violation", "operational_violation": "Operational Violation", "physical_violation": "Physical Violation", "processing_error_alarm": "Processing Error Alarm", "quality_of_service_alarm": "Quality of Service Alarm", "security_service_or_mechanism_violation": "Security Service or Mechanism Violation", "time_domain_violation": "Time Domain Violation" }, "use_case": "AIOps correlation engine classifies incoming alarms by event type before applying RCA algorithms. Security event types are routed to the SOC AI agent chain in addition to the NOC.", "source": "ITU-T X.733 Section 8.1.2.1 — eventType; ITU-T X.736 for security alarm types", "source_url": "https://www.itu.int/rec/T-REC-X.733/en" }, { "enum_name": "AcknowledgeState", "label": "Acknowledge State", "otel_attribute": "telecom.alarm.acknowledge_state", "opa_policy_path": "data.telecom.alarm.acknowledge_state", "rego_input_key": "telecom_alarm_acknowledge_state", "stability": "stable", "description": "Alarm acknowledgement state per TM Forum TMF642 acknowledgedStateType. AI NOC agents must track acknowledgement state to prevent duplicate automated remediation actions on the same alarm.", "permitted_values": [ "acknowledged", "unacknowledged" ], "value_labels": { "acknowledged": "Acknowledged", "unacknowledged": "Unacknowledged" }, "use_case": "AIOps agent sets alarm to 'acknowledged' state when taking automated remediation action, preventing concurrent duplicate action by human operator or another AI agent.", "source": "TM Forum TMF642 Alarm Management API v5.0 — acknowledgedStateType", "source_url": "https://www.tmforum.org/open-digital-architecture/open-apis/alarm-management-tmf642/" } ] }, { "subdomain": "AIOps & Autonomous Network Operations", "description": "Covers enumerations specific to AI-driven network operations, including TM Forum Autonomous Networks (AN) maturity levels, AIOps action types, self-healing outcomes, and ETSI ZSM intent-based networking constructs. These enums are not from a single published standard but derive from TM Forum AN framework, ETSI ZSM 002, and 3GPP SON specifications.", "relevant_standards": [ "TM Forum Autonomous Networks GB921 Frameworx v23.5 — Autonomous Networks level definitions", "ETSI ZSM 002 — Zero-touch Network and Service Management Reference Architecture", "ETSI ENI 007 — Terminology for Experiential Networked Intelligence", "3GPP TS 28.313 — Self-Organising Networks (SON) for 5G", "Gartner AIOps Market Guide 2025" ], "categories": [ { "enum_name": "AutonomousNetworkLevel", "label": "Autonomous Network Level", "otel_attribute": "telecom.autonomous_network.level", "opa_policy_path": "data.telecom.autonomous_network.level", "rego_input_key": "telecom_autonomous_network_level", "stability": "stable", "description": "TM Forum Autonomous Networks (AN) maturity level for a given operational domain. Level 0 = fully manual; Level 4 = intent-driven cross-domain autonomous. Directly maps to EU AI Act Article 14 human oversight requirements — Level 3 and above require documented HITL oversight mechanisms.", "permitted_values": [ "al0_manual", "al1_assisted", "al2_partial_autonomous", "al3_conditional_autonomous", "al4_highly_autonomous" ], "value_labels": { "al0_manual": "AL0 — Manual", "al1_assisted": "AL1 — Assisted", "al2_partial_autonomous": "AL2 — Partial Autonomous", "al3_conditional_autonomous": "AL3 — Conditional Autonomous", "al4_highly_autonomous": "AL4 — Highly Autonomous" }, "code_definitions": { "al0_manual": "All operations performed manually by human operators; no AI-driven automation", "al1_assisted": "AI provides recommendations and decision support; humans execute all actions", "al2_partial_autonomous": "AI autonomously executes predefined tasks within a limited scope; humans supervise and can override", "al3_conditional_autonomous": "AI autonomously executes cross-domain intent-driven operations within defined conditions; human oversight required for out-of-scope events", "al4_highly_autonomous": "AI autonomously manages end-to-end network operations including unexpected events; human oversight available but not required for routine operations" }, "ordered": true, "value_ordinals": { "al0_manual": 1, "al1_assisted": 2, "al2_partial_autonomous": 3, "al3_conditional_autonomous": 4, "al4_highly_autonomous": 5 }, "regulatory_mappings": { "eu_ai_act_art14": "EU AI Act Article 14 — Human oversight measures: AL3+ systems must have documented human intervention capability and cannot remove human ability to override", "eu_ai_act_art9": "EU AI Act Article 9 — Risk management system: AL3+ autonomous network systems require documented risk assessment", "nist_ai_rmf_govern": "NIST AI RMF GOVERN 1.1 — Policies for human considerations in AI decisions" }, "use_case": "AI governance portal registers the AN level for each network domain. OPA policy blocks AL4 deployment in regulatory-sensitive domains (e.g. emergency services interconnect) without explicit HITL exception approval.", "source": "TM Forum Autonomous Networks GB921 Frameworx v23.5 — Autonomous Networks level taxonomy", "source_url": "https://www.tmforum.org/autonomous-networks/", "notes": "TM Forum defines 5 levels (L0–L4). This library uses descriptive snake_case labels suffixed with the level code for readability in OTel span attributes and OPA policy rules." }, { "enum_name": "AIOpsActionType", "label": "AI Ops Action Type", "otel_attribute": "telecom.aiops.action_type", "opa_policy_path": "data.telecom.aiops.action_type", "rego_input_key": "telecom_aiops_action_type", "stability": "proposed", "description": "The category of action taken or recommended by an AIOps AI agent. Used to classify the type of autonomous operation for audit logging, HITL routing, and policy enforcement.", "permitted_values": [ "anomaly_detection", "root_cause_analysis", "predictive_maintenance", "auto_remediation_config_change", "auto_remediation_restart", "auto_remediation_traffic_reroute", "auto_remediation_capacity_scale", "capacity_forecast", "configuration_optimisation", "alert_correlation_suppression", "runbook_execution", "escalation_to_hitl", "intent_translation", "closed_loop_assurance", "network_slice_assurance", "energy_efficiency_optimisation" ], "value_labels": { "anomaly_detection": "Anomaly Detection", "root_cause_analysis": "Root Cause Analysis", "predictive_maintenance": "Predictive Maintenance", "auto_remediation_config_change": "Auto Remediation Config Change", "auto_remediation_restart": "Auto Remediation Restart", "auto_remediation_traffic_reroute": "Auto Remediation Traffic Reroute", "auto_remediation_capacity_scale": "Auto Remediation Capacity Scale", "capacity_forecast": "Capacity Forecast", "configuration_optimisation": "Configuration Optimisation", "alert_correlation_suppression": "Alert Correlation Suppression", "runbook_execution": "Runbook Execution", "escalation_to_hitl": "Escalation to HITL", "intent_translation": "Intent Translation", "closed_loop_assurance": "Closed Loop Assurance", "network_slice_assurance": "Network Slice Assurance", "energy_efficiency_optimisation": "Energy Efficiency Optimisation" }, "regulatory_mappings": { "eu_ai_act_art14": "Auto-remediation actions in AL3+ domains require HITL audit trail per EU AI Act Article 14", "eu_nis2_art21": "Auto-remediation affecting essential service network elements must be included in NIS2 Article 21 change management controls" }, "use_case": "Every AIOps agent span is tagged with its action_type. OPA policy enforces that 'auto_remediation_config_change' actions on P-network elements require HITL approval when the network domain AN level is below AL3.", "source": "TM Forum AIOps frameworks; ETSI ZSM 002 closed-loop automation; Gartner AIOps Market Guide 2025", "source_url": "https://www.tmforum.org/autonomous-networks/" }, { "enum_name": "ClosedLoopAutomationState", "label": "Closed Loop Automation State", "otel_attribute": "telecom.closed_loop.state", "opa_policy_path": "data.telecom.closed_loop.state", "rego_input_key": "telecom_closed_loop_state", "stability": "proposed", "description": "State of a closed-loop automation cycle per ETSI ZSM 002 and TM Forum AN framework. Tracks AI-driven MAPE-K (Monitor-Analyse-Plan-Execute-Knowledge) loop state for GRC audit and oversight.", "permitted_values": [ "monitoring", "analysing", "planning", "executing", "verifying", "completed_success", "completed_partial", "failed_rollback", "paused_hitl_required", "aborted_policy_violation" ], "value_labels": { "monitoring": "Monitoring", "analysing": "Analysing", "planning": "Planning", "executing": "Executing", "verifying": "Verifying", "completed_success": "Completed Success", "completed_partial": "Completed Partial", "failed_rollback": "Failed Rollback", "paused_hitl_required": "Paused HITL Required", "aborted_policy_violation": "Aborted Policy Violation" }, "use_case": "GRC portal tracks closed-loop automation state to detect loops that pause for HITL review. 'Aborted_policy_violation' state is logged when an OPA policy check blocks the 'executing' state transition.", "source": "ETSI ZSM 002 — MAPE-K closed-loop automation; TM Forum Autonomous Networks GB921", "source_url": "https://www.etsi.org/deliver/etsi_gs/ZSM/001_099/002/01.01.01_60/gs_ZSM002v010101p.pdf" }, { "enum_name": "IntentLifecycleState", "label": "Intent Lifecycle State", "otel_attribute": "telecom.intent.lifecycle_state", "opa_policy_path": "data.telecom.intent.lifecycle_state", "rego_input_key": "telecom_intent_lifecycle_state", "stability": "experimental", "description": "State of a network management intent per TM Forum TMF921 Intent Management API and ETSI ENI 007 intent-based networking framework. AI intent translation agents produce machine-executable intents from human-readable goals; this enum tracks the intent through its lifecycle.", "permitted_values": [ "created", "active", "inactive", "suspended", "fulfilled", "partially_fulfilled", "unfulfillable", "expired", "deleted" ], "value_labels": { "created": "Created", "active": "Active", "inactive": "Inactive", "suspended": "Suspended", "fulfilled": "Fulfilled", "partially_fulfilled": "Partially Fulfilled", "unfulfillable": "Unfulfillable", "expired": "Expired", "deleted": "Deleted" }, "use_case": "An operator defines a business intent ('ensure 99.999% availability for emergency services slice'). The intent translation agent decomposes this into network configuration policies. The intent lifecycle state tracks whether the network is currently fulfilling the intent.", "source": "TM Forum TMF921 Intent Management API; ETSI ENI 007 — Intent-based Networking terminology", "source_url": "https://www.tmforum.org/open-digital-architecture/open-apis/" } ] }, { "subdomain": "5G Network Slice Management", "description": "Covers 3GPP TS 28.541 Network Slice NRM enumerations for AI-driven 5G slice lifecycle management, SLA assurance, and admissions control. Agentic AI systems managing network slice instances must use these exact values from 3GPP specifications.", "relevant_standards": [ "3GPP TS 28.541 — NR; Management and orchestration; 5G Network Resource Model (NRM) — Slice NRM", "3GPP TS 28.530 — NR; Management and orchestration; Concepts, use cases and requirements for management of networks and network slicing", "3GPP TS 28.545 — NR; Management and orchestration; Fault Supervision for Network Slices", "GSMA NG.116 — Generic Network Slice Template (GST) v7.0" ], "categories": [ { "enum_name": "NetworkSliceInstanceState", "label": "Network Slice Instance State", "otel_attribute": "telecom.network_slice.instance_state", "opa_policy_path": "data.telecom.network_slice.instance_state", "rego_input_key": "telecom_network_slice_instance_state", "stability": "stable", "description": "Lifecycle state of a Network Slice Instance (NSI) per 3GPP TS 28.541 Section 6.3.3 operationalState and administrativeState composite model. AI slice lifecycle management agents use these states to orchestrate slice provisioning, activation, deactivation, and termination.", "permitted_values": [ "instantiated_not_configured", "configured", "activated", "deactivated", "terminated" ], "value_labels": { "instantiated_not_configured": "Instantiated not Configured", "configured": "Configured", "activated": "Activated", "deactivated": "Deactivated", "terminated": "Terminated" }, "code_definitions": { "instantiated_not_configured": "NSI has been instantiated (resources allocated) but network slice subnet configuration not yet applied", "configured": "NSI has been fully configured; ready for activation", "activated": "NSI is active and capable of serving UE traffic according to the slice profile", "deactivated": "NSI is administratively deactivated; resources may still be allocated", "terminated": "NSI has been fully released; all resources deallocated" }, "use_case": "AI slice management agent tracks NSI state. SLA assurance agent only begins monitoring when state is 'activated'. OPA policy enforces that transition from 'configured' to 'activated' on a critical URLLC slice (e.g. emergency services) requires HITL approval.", "source": "3GPP TS 28.541 Section 6.3.3 — NetworkSliceSubnet NRM; 3GPP TS 28.530 lifecycle states", "source_url": "https://www.3gpp.org/ftp/Specs/archive/28_series/28.541/" }, { "enum_name": "SliceServiceType", "label": "Slice Service Type", "otel_attribute": "telecom.network_slice.service_type", "opa_policy_path": "data.telecom.network_slice.service_type", "rego_input_key": "telecom_network_slice_service_type", "stability": "stable", "description": "3GPP 5G network slice service type (SST) standardised values per 3GPP TS 23.501 Table 5.15.2.2-1. Determines the SLA profile and QoS requirements that AI slice assurance agents must enforce.", "permitted_values": [ "embb", "urllc", "miot", "v2x", "hmtc" ], "value_labels": { "embb": "Enhanced Mobile Broadband", "urllc": "Ultra-reliable Low Latency Communications", "miot": "Massive Io T", "v2x": "Vehicle-to-everything", "hmtc": "High-performance Machine Type Communications" }, "code_definitions": { "embb": "Enhanced Mobile Broadband — high throughput, moderate latency; consumer broadband and video", "urllc": "Ultra-Reliable Low Latency Communications — sub-millisecond latency, 99.9999% reliability; industrial IoT, autonomous vehicles, remote surgery", "miot": "Massive IoT — low power, high device density, intermittent traffic; smart meters, sensors", "v2x": "Vehicle-to-Everything — ultra-low latency, high mobility; connected and autonomous vehicles", "hmtc": "High-performance Machine Type Communications — high throughput and low latency for enterprise IoT" }, "regulatory_mappings": { "eu_ai_act_annex3": "URLLC slices supporting critical infrastructure (energy, transport, health) may bring the slice management AI system within scope of EU AI Act Annex III high-risk classification" }, "use_case": "OPA policy enforces stricter HITL requirements and lower AN autonomy level ceilings for URLLC and V2X slices due to their safety-critical nature.", "source": "3GPP TS 23.501 Table 5.15.2.2-1 — Standardised SST values; GSMA NG.116 Generic Network Slice Template v7.0", "source_url": "https://www.3gpp.org/ftp/Specs/archive/23_series/23.501/", "notes": "Standardised SST numeric codes: embb=1, urllc=2, miot=3, v2x=4, hmtc=5. These values are retained as interoperability reference for 3GPP and GSMA artefacts." }, { "enum_name": "SliceSLAViolationType", "label": "Slice SLA Violation Type", "otel_attribute": "telecom.network_slice.sla_violation_type", "opa_policy_path": "data.telecom.network_slice.sla_violation_type", "rego_input_key": "telecom_network_slice_sla_violation_type", "stability": "proposed", "description": "Category of SLA violation detected by AI slice assurance agent on a 5G network slice. Used to trigger appropriate remediation action and HITL escalation.", "permitted_values": [ "latency_breach", "throughput_breach", "reliability_breach", "availability_breach", "jitter_breach", "packet_loss_breach", "concurrent_ue_capacity_breach", "geographic_coverage_gap", "energy_efficiency_breach", "isolation_violation" ], "value_labels": { "latency_breach": "Latency Breach", "throughput_breach": "Throughput Breach", "reliability_breach": "Reliability Breach", "availability_breach": "Availability Breach", "jitter_breach": "Jitter Breach", "packet_loss_breach": "Packet Loss Breach", "concurrent_ue_capacity_breach": "Concurrent Ue Capacity Breach", "geographic_coverage_gap": "Geographic Coverage Gap", "energy_efficiency_breach": "Energy Efficiency Breach", "isolation_violation": "Isolation Violation" }, "use_case": "AI slice assurance agent detects SLA violation, classifies by type, and triggers closed-loop remediation. 'Isolation_violation' type is the most severe — it means traffic from one slice may be affecting another — and always requires immediate HITL escalation.", "source": "3GPP TS 28.545 — Fault Supervision for Network Slices; GSMA NG.116 GST SLA KPIs", "source_url": "https://www.3gpp.org/ftp/Specs/archive/28_series/28.545/" } ] }, { "subdomain": "ITIL 4 Change & Problem Management", "description": "Covers ITIL 4 change enablement and problem management enumerations. AI-generated change proposals and problem records must use these values for ITSM platform interoperability and governance evidence.", "relevant_standards": [ "ITIL 4 — IT Service Management (Axelos, 2019)", "ITIL 4 Change Enablement Practice Guide", "ITIL 4 Problem Management Practice Guide", "ISO/IEC 20000-1:2018 — IT Service Management System requirements" ], "categories": [ { "enum_name": "ITILChangeCategory", "label": "ITIL Change Category", "otel_attribute": "telecom.itil.change_category", "opa_policy_path": "data.telecom.itil.change_category", "rego_input_key": "telecom_itil_change_category", "stability": "stable", "description": "ITIL 4 change type classification. AI-driven change management agents must correctly classify any proposed change before execution. Emergency changes on production systems always require HITL approval.", "permitted_values": [ "standard", "normal", "emergency", "ai_generated_standard", "ai_generated_normal", "automated_remediation" ], "value_labels": { "standard": "Standard", "normal": "Normal", "emergency": "Emergency", "ai_generated_standard": "AI Generated Standard", "ai_generated_normal": "AI Generated Normal", "automated_remediation": "Automated Remediation" }, "code_definitions": { "standard": "Pre-approved, low-risk, well-understood change that can be implemented by following an established procedure without additional approval", "normal": "Requires scheduling, review by Change Advisory Board (CAB), and formal approval before implementation", "emergency": "Urgent change to restore service; requires post-implementation review; must be approved by Emergency CAB", "ai_generated_standard": "Change proposed by an AI agent that maps to a pre-approved standard change pattern; can be auto-executed if within approved scope", "ai_generated_normal": "Change proposed by an AI agent that requires CAB review; AI generates the change record and supporting evidence but humans approve", "automated_remediation": "Change executed automatically by an AIOps closed-loop agent in response to a detected incident; logged post-execution for governance review" }, "regulatory_mappings": { "eu_nis2_art21": "NIS2 Article 21(2)(d) — Change management for essential entities; 'emergency' and 'automated_remediation' changes on essential service infrastructure must be documented in the NIS2-compliant change management process", "eu_ai_act_art14": "AI-generated changes in AL3+ environments require documented human override capability per EU AI Act Article 14" }, "use_case": "AIOps agent generates a change record with category 'ai_generated_standard'. OPA policy validates the change matches an approved standard change template. If matched, execution proceeds. If not matched, category is escalated to 'ai_generated_normal' and CAB is notified.", "source": "ITIL 4 Change Enablement Practice Guide (Axelos); ISO/IEC 20000-1:2018", "source_url": "https://www.axelos.com/certifications/itil-service-management/what-is-itil/", "notes": "ai_generated_standard, ai_generated_normal, and automated_remediation are GRC extensions to standard ITIL 4 change types, necessary to distinguish AI-originated changes in the audit trail for EU AI Act and NIS2 compliance." }, { "enum_name": "ITILChangeApprovalState", "label": "ITIL Change Approval State", "otel_attribute": "telecom.itil.change_approval_state", "opa_policy_path": "data.telecom.itil.change_approval_state", "rego_input_key": "telecom_itil_change_approval_state", "stability": "stable", "description": "The CAB review and approval state for a change request per ITIL 4. AI change management agents must gate execution on this state for 'normal' and 'emergency' changes.", "permitted_values": [ "draft", "submitted_for_review", "under_review", "approved", "approved_with_conditions", "rejected", "withdrawn", "post_implementation_review_required" ], "value_labels": { "draft": "Draft", "submitted_for_review": "Submitted for Review", "under_review": "Under Review", "approved": "Approved", "approved_with_conditions": "Approved with Conditions", "rejected": "Rejected", "withdrawn": "Withdrawn", "post_implementation_review_required": "Post Implementation Review Required" }, "use_case": "OPA policy blocks AI change execution unless approval_state is 'approved' or 'approved_with_conditions' for normal changes. Automated_remediation changes proceed without pre-approval but are logged with state 'post_implementation_review_required'.", "source": "ITIL 4 Change Enablement Practice Guide", "source_url": "https://www.axelos.com/certifications/itil-service-management/what-is-itil/" }, { "enum_name": "ProblemStatus", "label": "Problem Status", "otel_attribute": "telecom.itil.problem_status", "opa_policy_path": "data.telecom.itil.problem_status", "rego_input_key": "telecom_itil_problem_status", "stability": "stable", "description": "ITIL 4 Problem record lifecycle state. AI problem management agents use this to track root cause investigation from initial detection through permanent fix.", "permitted_values": [ "new", "known_error", "root_cause_identified", "workaround_in_place", "change_raised", "resolved", "closed" ], "value_labels": { "new": "New", "known_error": "Known Error", "root_cause_identified": "Root Cause Identified", "workaround_in_place": "Workaround in Place", "change_raised": "Change Raised", "resolved": "Resolved", "closed": "Closed" }, "use_case": "AI problem management agent creates a problem record linked to recurring incidents. When AI RCA identifies root cause, status moves to 'root_cause_identified'. When a workaround is deployed by AIOps, status moves to 'workaround_in_place'. A change record is raised to permanently fix the root cause.", "source": "ITIL 4 Problem Management Practice Guide (Axelos)", "source_url": "https://www.axelos.com/certifications/itil-service-management/what-is-itil/" }, { "enum_name": "ChangeRiskLevel", "label": "Change Risk Level", "otel_attribute": "telecom.itil.change_risk_level", "opa_policy_path": "data.telecom.itil.change_risk_level", "rego_input_key": "telecom_itil_change_risk_level", "stability": "proposed", "description": "Risk classification for a change, as assessed by AI change risk scoring. AI-generated normal changes must include a risk level assessment to support CAB review. Drives HITL escalation and approval routing.", "permitted_values": [ "very_low", "low", "medium", "high", "very_high", "undetermined" ], "value_labels": { "very_low": "Very Low", "low": "Low", "medium": "Medium", "high": "High", "very_high": "Very High", "undetermined": "Undetermined" }, "ordered": true, "value_ordinals": { "very_low": 1, "low": 2, "medium": 3, "high": 4, "very_high": 5, "undetermined": 6 }, "use_case": "AI change risk model scores the change based on blast radius, rollback complexity, and CI criticality. Risk level drives CAB routing — 'high' and 'very_high' require senior CAB or executive HITL approval.", "source": "ITIL 4 Change Enablement — risk assessment guidance; industry AIOps change risk scoring practices", "source_url": "https://www.axelos.com/certifications/itil-service-management/what-is-itil/" } ] }, { "subdomain": "Cybersecurity & SOC Operations", "description": "Covers NIST CSF 2.0 security event classification, NIS2-aligned incident severity, and SOC AI agent action enumerations. AI-driven Security Operations Centre (SOC) systems must use these values for regulatory incident reporting and SIEM/SOAR interoperability.", "relevant_standards": [ "NIST Cybersecurity Framework (CSF) 2.0 (February 2024)", "NIST SP 800-61 Rev 3 Draft — Computer Security Incident Response Recommendations (2024)", "EU NIS2 Directive (2022/2555) Articles 21–23 — Security measures and incident reporting", "ETSI TS 102 165-1 — Cyber Security for the Telecommunications Sector", "ENISA Network Threat Landscape Report 2025", "MITRE ATT&CK for Enterprise v15 (2024)" ], "categories": [ { "enum_name": "CyberSecurityEventKind", "label": "Cyber Security Event Kind", "otel_attribute": "telecom.security.event_kind", "opa_policy_path": "data.telecom.security.event_kind", "rego_input_key": "telecom_security_event_kind", "stability": "stable", "description": "Classification of a cybersecurity event detected by AI-powered SOC or network security monitoring. Aligned to NIST CSF 2.0 DETECT function categories and ENISA telecom threat taxonomy.", "permitted_values": [ "malicious_code_detected", "anomalous_network_traffic", "unauthorised_access_attempt", "unauthorised_access_successful", "data_exfiltration_suspected", "ransomware_suspected", "denial_of_service_detected", "distributed_denial_of_service_detected", "insider_threat_indicator", "supply_chain_compromise_suspected", "zero_day_exploit_suspected", "signalling_attack_detected", "ss7_abuse_detected", "diameter_abuse_detected", "sim_swap_fraud_suspected", "eavesdropping_suspected", "policy_violation", "configuration_drift_security", "certificate_anomaly", "api_abuse_detected" ], "value_labels": { "malicious_code_detected": "Malicious Code Detected", "anomalous_network_traffic": "Anomalous Network Traffic", "unauthorised_access_attempt": "Unauthorised Access Attempt", "unauthorised_access_successful": "Unauthorised Access Successful", "data_exfiltration_suspected": "Data Exfiltration Suspected", "ransomware_suspected": "Ransomware Suspected", "denial_of_service_detected": "Denial of Service Detected", "distributed_denial_of_service_detected": "Distributed Denial of Service Detected", "insider_threat_indicator": "Insider Threat Indicator", "supply_chain_compromise_suspected": "Supply Chain Compromise Suspected", "zero_day_exploit_suspected": "Zero Day Exploit Suspected", "signalling_attack_detected": "Signalling Attack Detected", "ss7_abuse_detected": "Ss7 Abuse Detected", "diameter_abuse_detected": "Diameter Abuse Detected", "sim_swap_fraud_suspected": "Sim Swap Fraud Suspected", "eavesdropping_suspected": "Eavesdropping Suspected", "policy_violation": "Policy Violation", "configuration_drift_security": "Configuration Drift Security", "certificate_anomaly": "Certificate Anomaly", "api_abuse_detected": "Api Abuse Detected" }, "regulatory_mappings": { "eu_nis2_art23": "Events classified as 'ransomware_suspected', 'unauthorised_access_successful', 'data_exfiltration_suspected', or 'distributed_denial_of_service_detected' must be assessed for NIS2 Article 23 significant incident reporting within 24 hours", "nist_csf_detect": "NIST CSF 2.0 DETECT.CM — Continuous monitoring; DETECT.AE — Adverse event analysis", "fcc_part4": "DDoS events meeting outage thresholds may trigger FCC Part 4 NORS filing obligation for US carriers" }, "use_case": "AI SOC agent classifies security events and triggers the NIS2 incident timeline tracker for reportable event types. SS7/Diameter/SIM swap events are telecom-specific attack vectors not covered by generic NIST taxonomy.", "source": "NIST CSF 2.0 DETECT function; ETSI TS 102 165-1; GSMA FS.11 SS7 Vulnerability Assessment; ENISA Telecom Threat Landscape 2025", "source_url": "https://www.nist.gov/cyberframework" }, { "enum_name": "NIS2IncidentSeverity", "label": "NIS2 Incident Severity", "otel_attribute": "telecom.security.nis2_incident_severity", "opa_policy_path": "data.telecom.security.nis2_incident_severity", "rego_input_key": "telecom_security_nis2_incident_severity", "stability": "stable", "description": "NIS2 Directive Article 23 significant incident classification. AI SOC agents must assess every security event against these classifications to determine regulatory reporting obligations and timelines.", "permitted_values": [ "significant_incident_article23", "non_significant_incident", "undetermined_pending_assessment" ], "value_labels": { "significant_incident_article23": "Significant Incident Article23", "non_significant_incident": "Non Significant Incident", "undetermined_pending_assessment": "Undetermined Pending Assessment" }, "code_definitions": { "significant_incident_article23": "Incident meets NIS2 Article 23 significance thresholds: caused substantial disruption to service delivery, substantial financial loss to the entity, or affected other natural or legal persons by causing considerable material or non-material damage. Triggers 24h early warning and 72h detailed notification to national CSIRT.", "non_significant_incident": "Incident does not meet NIS2 Article 23 significance thresholds; no mandatory notification obligation but must be logged for audit", "undetermined_pending_assessment": "Initial classification pending full impact assessment; 24h early warning window is running and assessment must complete before it lapses" }, "regulatory_mappings": { "eu_nis2_art23": "NIS2 Article 23: 24h early warning to national CSIRT; 72h incident notification; 1-month final report for significant incidents", "eu_nis2_art21": "NIS2 Article 21(2)(b) — Incident handling policies for essential entities" }, "use_case": "Every security event above 'policy_violation' severity is assessed by the AI compliance agent for NIS2 significance. If classified as 'significant_incident_article23', the 24h early warning SLA timer is started and HITL notification sent to the CISO.", "source": "EU NIS2 Directive (2022/2555) Article 23; ENISA NIS2 Implementation Guidance 2024", "source_url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555" }, { "enum_name": "SOCAutomatedResponseAction", "label": "Soc Automated Response Action", "otel_attribute": "telecom.security.automated_response_action", "opa_policy_path": "data.telecom.security.automated_response_action", "rego_input_key": "telecom_security_automated_response_action", "stability": "proposed", "description": "Categories of automated security response action that a SOAR AI agent can take without HITL pre-approval. Actions affecting customer service, network routing, or causing data loss always require HITL approval regardless of automation level.", "permitted_values": [ "ip_block_firewall", "ip_block_acl", "rate_limit_source", "quarantine_endpoint", "isolate_network_segment", "revoke_api_key", "force_mfa_reauthentication", "disable_compromised_account", "snapshot_forensic_evidence", "escalate_to_hitl_ciso", "notify_affected_customers", "activate_ddos_scrubbing", "divert_traffic_scrubbing_centre", "block_roaming_partner_ss7", "initiate_sim_swap_reversal" ], "value_labels": { "ip_block_firewall": "IP Block Firewall", "ip_block_acl": "IP Block ACL", "rate_limit_source": "Rate Limit Source", "quarantine_endpoint": "Quarantine Endpoint", "isolate_network_segment": "Isolate Network Segment", "revoke_api_key": "Revoke API Key", "force_mfa_reauthentication": "Force MFA Reauthentication", "disable_compromised_account": "Disable Compromised Account", "snapshot_forensic_evidence": "Snapshot Forensic Evidence", "escalate_to_hitl_ciso": "Escalate to HITL CISO", "notify_affected_customers": "Notify Affected Customers", "activate_ddos_scrubbing": "Activate DDoS Scrubbing", "divert_traffic_scrubbing_centre": "Divert Traffic Scrubbing Centre", "block_roaming_partner_ss7": "Block Roaming Partner Ss7", "initiate_sim_swap_reversal": "Initiate Sim Swap Reversal" }, "regulatory_mappings": { "eu_nis2_art21": "NIS2 Article 21(2)(c) — Business continuity and crisis management; automated response actions must be documented in the incident response plan", "gdpr_art33": "Actions classified as 'notify_affected_customers' may trigger GDPR Article 33 personal data breach notification if PII was accessed" }, "use_case": "OPA policy enforces that 'isolate_network_segment' and 'notify_affected_customers' always require HITL approval. 'Ip_block_firewall' is permitted for AI autonomous execution if confidence score > 0.95 and affected IPs are not customer-facing.", "source": "NIST SP 800-61 Rev 3 Draft — Incident Response Recommendations; GSMA FS.11 SS7 Mitigation; industry SOAR playbook patterns", "source_url": "https://csrc.nist.gov/publications/detail/sp/800-61/rev-3/draft" }, { "enum_name": "MITRETacticCategory", "label": "MITRE Tactic Category", "otel_attribute": "telecom.security.mitre_tactic", "opa_policy_path": "data.telecom.security.mitre_tactic", "rego_input_key": "telecom_security_mitre_tactic", "stability": "stable", "description": "MITRE ATT&CK for Enterprise v15 tactic categories. AI threat hunting and detection agents tag events with the suspected ATT&CK tactic to enable triage prioritisation and playbook selection.", "permitted_values": [ "reconnaissance", "resource_development", "initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", "discovery", "lateral_movement", "collection", "command_and_control", "exfiltration", "impact" ], "value_labels": { "reconnaissance": "Reconnaissance", "resource_development": "Resource Development", "initial_access": "Initial Access", "execution": "Execution", "persistence": "Persistence", "privilege_escalation": "Privilege Escalation", "defense_evasion": "Defense Evasion", "credential_access": "Credential Access", "discovery": "Discovery", "lateral_movement": "Lateral Movement", "collection": "Collection", "command_and_control": "Command and Control", "exfiltration": "Exfiltration", "impact": "Impact" }, "use_case": "AI threat detection agent tags detected adversary behaviours with ATT&CK tactics. OPA policy enforces immediate HITL escalation if tactics 'lateral_movement', 'credential_access', or 'exfiltration' are detected on critical infrastructure systems.", "source": "MITRE ATT&CK for Enterprise v15 (2024) — Tactic taxonomy", "source_url": "https://attack.mitre.org/tactics/enterprise/" } ] }, { "subdomain": "Service Level Management", "description": "Covers SLA/SLO/SLI enumerations for AI-driven service level management agents, including SLA breach classification, performance degradation tracking, and automated remediation eligibility.", "relevant_standards": [ "TM Forum TMF628 Performance Threshold Management API v4.1", "TM Forum TMF657 Service Quality Management API v4.0", "GSMA NG.116 — Generic Network Slice Template v7.0 (SLA KPIs for 5G slices)", "ITU-T Y.1540 — Internet Protocol data communication service — IP packet transfer and availability performance", "IETF RFC 2544 — Benchmarking Methodology for Network Interconnect Devices" ], "categories": [ { "enum_name": "SLAComplianceState", "label": "SLA Compliance State", "otel_attribute": "telecom.sla.compliance_state", "opa_policy_path": "data.telecom.sla.compliance_state", "rego_input_key": "telecom_sla_compliance_state", "stability": "proposed", "description": "Current SLA compliance state as assessed by AI service level management agent. Drives escalation, automated remediation eligibility, and credit note issuance workflows.", "permitted_values": [ "compliant", "at_risk", "breached_minor", "breached_major", "breached_critical", "excused_planned_maintenance", "excused_force_majeure", "disputed_by_customer", "under_measurement" ], "value_labels": { "compliant": "Compliant", "at_risk": "At Risk", "breached_minor": "Breached Minor", "breached_major": "Breached Major", "breached_critical": "Breached Critical", "excused_planned_maintenance": "Excused Planned Maintenance", "excused_force_majeure": "Excused Force Majeure", "disputed_by_customer": "Disputed by Customer", "under_measurement": "Under Measurement" }, "use_case": "AI SLM agent continuously monitors KPIs against SLA thresholds. 'Breached_major' state triggers automatic credit note workflow and HITL notification to account manager. 'Breached_critical' triggers executive escalation and NIS2 assessment.", "source": "TM Forum TMF657 Service Quality Management API; GSMA NG.116 GST SLA KPIs", "source_url": "https://www.tmforum.org/open-digital-architecture/open-apis/" }, { "enum_name": "KPIPerformanceClass", "label": "KPI Performance Class", "otel_attribute": "telecom.kpi.performance_class", "opa_policy_path": "data.telecom.kpi.performance_class", "rego_input_key": "telecom_kpi_performance_class", "stability": "proposed", "description": "The performance class of a measured KPI relative to its threshold. Used by AI performance management agents to classify measurement results for trending and predictive maintenance.", "permitted_values": [ "excellent", "good", "acceptable", "degraded", "critical", "unmeasured" ], "value_labels": { "excellent": "Excellent", "good": "Good", "acceptable": "Acceptable", "degraded": "Degraded", "critical": "Critical", "unmeasured": "Unmeasured" }, "use_case": "AI predictive maintenance agent monitors KPI performance class trends. Three consecutive 'degraded' measurements trigger a predictive maintenance work order before a breach occurs.", "source": "TM Forum TMF628 Performance Threshold Management; ITU-T Y.1540 performance parameter definitions", "source_url": "https://www.tmforum.org/open-digital-architecture/open-apis/" } ] }, { "subdomain": "Regulatory Reporting & Outage Notification", "description": "Covers regulatory reporting obligations for telecommunications operators, including NIS2, FCC Part 4 NORS, and Ofcom outage notification workflows. AI compliance agents use these enumerations to track regulatory submission status and enforce notification deadlines.", "relevant_standards": [ "EU NIS2 Directive (2022/2555) Article 23 — Incident reporting for essential entities", "FCC Part 4 (47 CFR Part 4) — Disruptions to Communications reporting (NORS)", "Ofcom Network Reporting Code 2021 — UK comms provider outage notifications", "3GPP TS 32.111-2 — Notification Integration Reference Point (Alarm IRP)" ], "categories": [ { "enum_name": "NIS2ReportingStage", "label": "NIS2 Reporting Stage", "otel_attribute": "telecom.regulatory.nis2_reporting_stage", "opa_policy_path": "data.telecom.regulatory.nis2_reporting_stage", "rego_input_key": "telecom_regulatory_nis2_reporting_stage", "stability": "stable", "description": "Stage of the NIS2 Article 23 incident reporting lifecycle. AI compliance agents track incidents through this lifecycle to ensure regulatory deadlines are not missed.", "permitted_values": [ "not_reportable", "early_warning_pending", "early_warning_submitted", "incident_notification_pending", "incident_notification_submitted", "intermediate_report_pending", "intermediate_report_submitted", "final_report_pending", "final_report_submitted", "closed_regulatory_complete" ], "value_labels": { "not_reportable": "Not Reportable", "early_warning_pending": "Early Warning Pending", "early_warning_submitted": "Early Warning Submitted", "incident_notification_pending": "Incident Notification Pending", "incident_notification_submitted": "Incident Notification Submitted", "intermediate_report_pending": "Intermediate Report Pending", "intermediate_report_submitted": "Intermediate Report Submitted", "final_report_pending": "Final Report Pending", "final_report_submitted": "Final Report Submitted", "closed_regulatory_complete": "Closed Regulatory Complete" }, "code_definitions": { "early_warning_pending": "Significant incident detected; 24-hour early warning submission to national CSIRT is due; SLA timer running", "early_warning_submitted": "24-hour early warning successfully submitted to national CSIRT", "incident_notification_pending": "72-hour detailed incident notification due; SLA timer running", "incident_notification_submitted": "72-hour detailed notification successfully submitted", "intermediate_report_pending": "Incident ongoing; intermediate progress report due monthly until resolved", "final_report_pending": "Incident resolved; one-month final report due to national CSIRT", "final_report_submitted": "Final report submitted; awaiting regulatory acknowledgement" }, "regulatory_mappings": { "eu_nis2_art23": "NIS2 Article 23(4)(a): 24h early warning; (4)(b): 72h incident notification; (4)(c): one-month final report" }, "use_case": "AI compliance agent automatically advances NIS2 reporting stage and triggers HITL escalation when SLA deadlines are approaching. OPA policy blocks incident closure if NIS2 reporting stage is not 'closed_regulatory_complete' for significant incidents.", "source": "EU NIS2 Directive (2022/2555) Article 23; ENISA NIS2 Reporting Templates 2024", "source_url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555" }, { "enum_name": "FCCOutageReportingStage", "label": "Fcc Outage Reporting Stage", "otel_attribute": "telecom.regulatory.fcc_outage_reporting_stage", "opa_policy_path": "data.telecom.regulatory.fcc_outage_reporting_stage", "rego_input_key": "telecom_regulatory_fcc_outage_reporting_stage", "stability": "stable", "description": "Stage of the FCC Part 4 outage reporting lifecycle for US telecommunications carriers. AI compliance agents use these values to track NORS filing obligations and deadlines.", "permitted_values": [ "not_reportable", "nors_initial_notification_pending", "nors_initial_notification_submitted", "nors_final_report_pending", "nors_final_report_submitted", "closed_fcc_complete" ], "value_labels": { "not_reportable": "Not Reportable", "nors_initial_notification_pending": "Nors Initial Notification Pending", "nors_initial_notification_submitted": "Nors Initial Notification Submitted", "nors_final_report_pending": "Nors Final Report Pending", "nors_final_report_submitted": "Nors Final Report Submitted", "closed_fcc_complete": "Closed Fcc Complete" }, "code_definitions": { "nors_initial_notification_pending": "Outage meets FCC Part 4 reporting threshold; initial NORS notification due within 120 minutes of discovery", "nors_initial_notification_submitted": "NORS initial notification filed within 120-minute window", "nors_final_report_pending": "Final outage report due within 30 days of outage start", "nors_final_report_submitted": "NORS final report filed" }, "regulatory_mappings": { "fcc_part4": "47 CFR Part 4.9 — 120-minute initial notification; 47 CFR Part 4.11 — 30-day final report" }, "use_case": "AI compliance agent detects outage events meeting FCC Part 4 threshold criteria (e.g. DS3-equivalent or greater affecting 30 minutes or more) and starts the 120-minute NORS timer. HITL escalation triggered at 90 minutes if submission has not been made.", "source": "FCC 47 CFR Part 4 — Disruptions to Communications", "source_url": "https://www.ecfr.gov/current/title-47/chapter-I/subchapter-A/part-4" } ] } ], "opa_rego_policy_patterns": { "description": "Telecommunications & IT Operations-specific OPA Rego policy patterns referencing enum values from this file and from 00_core_sdk_and_governance.json. Illustrative patterns, not production policies.", "patterns": [ { "pattern_id": "telecom.enforce_hitl_for_al3_auto_remediation", "pattern_name": "enforce_hitl_for_al3_auto_remediation", "enforcement_effect": "require_hitl_approval", "description": "Block any AIOps auto-remediation action on a network domain operating at AL2 or below without explicit HITL approval. AL3+ domains may allow conditional autonomous execution, but only for approved runbook types.", "applicable_enums": [ "AutonomousNetworkLevel", "AIOpsActionType", "ClosedLoopAutomationState", "ITILChangeCategory" ], "regulatory_basis": "EU AI Act Article 14 — Human oversight for high-risk AI; TM Forum Autonomous Networks GB921 Frameworx AL governance guidelines", "rego_sketch": "package telecom.autonomous_network\n\nrequires_hitl_below_al3 := {\n \"auto_remediation_config_change\",\n \"auto_remediation_capacity_scale\",\n \"configuration_optimisation\",\n \"network_slice_assurance\"\n}\n\ndenied_al_levels := {\"al0_manual\", \"al1_assisted\", \"al2_partial_autonomous\"}\n\ndeny[msg] {\n input.telecom_aiops_action_type in requires_hitl_below_al3\n input.network_domain_an_level in denied_al_levels\n input.gen_ai_hitl_decision != \"approved\"\n msg := sprintf(\"EU AI Act Article 14: Action '%v' on network domain at AN level '%v' requires explicit HITL approval before execution\", [input.telecom_aiops_action_type, input.network_domain_an_level])\n}" }, { "pattern_id": "telecom.enforce_nis2_incident_notification_sla", "pattern_name": "enforce_nis2_incident_notification_sla", "enforcement_effect": "deny", "description": "Block an incident from being marked closed or downgraded in severity if NIS2 Article 23 reporting obligations for a significant incident have not been completed. Ensures AI SOC agents cannot bypass regulatory notification timelines.", "applicable_enums": [ "NIS2IncidentSeverity", "NIS2ReportingStage", "TroubleTicketStatus", "CyberSecurityEventKind" ], "regulatory_basis": "EU NIS2 Directive (2022/2555) Article 23 — 24h early warning, 72h incident notification mandatory for essential entity significant incidents", "rego_sketch": "package telecom.nis2_compliance\n\nincomplete_nis2_stages := {\n \"early_warning_pending\",\n \"incident_notification_pending\",\n \"intermediate_report_pending\",\n \"final_report_pending\"\n}\n\ndeny[msg] {\n input.telecom_security_nis2_incident_severity == \"significant_incident_article23\"\n input.telecom_regulatory_nis2_reporting_stage in incomplete_nis2_stages\n input.requested_ticket_status in {\"closed\", \"resolved\"}\n msg := sprintf(\"NIS2 Article 23 violation: Significant incident cannot be closed while NIS2 reporting stage is '%v'. Complete regulatory notification before closing.\", [input.telecom_regulatory_nis2_reporting_stage])\n}\n\ndeny[msg] {\n input.telecom_security_nis2_incident_severity == \"undetermined_pending_assessment\"\n input.hours_since_incident_detection > 20\n msg := \"NIS2 Article 23: Early warning 24h deadline approaching for unclassified incident. Immediate NIS2 significance assessment required.\"\n}" }, { "pattern_id": "telecom.block_urllc_slice_activation_without_hitl", "pattern_name": "block_urllc_slice_activation_without_hitl", "enforcement_effect": "require_hitl_approval", "description": "Block autonomous AI activation or modification of a URLLC or V2X network slice without HITL approval. URLLC slices support safety-critical applications (emergency services, autonomous vehicles, remote surgery) where incorrect configuration causes direct physical harm.", "applicable_enums": [ "SliceServiceType", "NetworkSliceInstanceState", "AutonomousNetworkLevel", "AIOpsActionType" ], "regulatory_basis": "EU AI Act Annex III — high-risk AI classification for critical infrastructure management; EU AI Act Article 14 human oversight requirement", "rego_sketch": "package telecom.network_slice\n\nsafety_critical_slice_types := {\"urllc\", \"v2x\"}\n\nslice_lifecycle_changes := {\n \"instantiated_not_configured\",\n \"configured\",\n \"activated\",\n \"deactivated\"\n}\n\ndeny[msg] {\n input.telecom_network_slice_service_type in safety_critical_slice_types\n input.target_slice_state in slice_lifecycle_changes\n input.gen_ai_hitl_decision != \"approved\"\n msg := sprintf(\"EU AI Act Annex III: URLLC/V2X slice '%v' state change to '%v' requires explicit HITL approval — safety-critical slice modification may affect emergency services or autonomous vehicle communications\", [input.slice_id, input.target_slice_state])\n}" }, { "pattern_id": "telecom.enforce_fcc_nors_120_minute_timer", "pattern_name": "enforce_fcc_nors_120_minute_timer", "enforcement_effect": "deny", "description": "Trigger mandatory HITL escalation when an FCC Part 4 reportable outage has been running for 90 minutes without an initial NORS notification being submitted. Provides a 30-minute buffer before the 120-minute regulatory deadline.", "applicable_enums": [ "FCCOutageReportingStage", "TroubleTicketSeverity", "NIS2ReportingStage" ], "regulatory_basis": "FCC 47 CFR Part 4.9 — Initial NORS notification due within 120 minutes of carrier discovering a reportable outage", "rego_sketch": "package telecom.fcc_compliance\n\ndeny[msg] {\n input.telecom_regulatory_fcc_outage_reporting_stage == \"nors_initial_notification_pending\"\n input.minutes_since_outage_discovery >= 90\n msg := sprintf(\"FCC Part 4.9 ALERT: Outage '%v' has reached %v minutes without NORS initial notification. Filing required within next 30 minutes. Immediate CISO/NOC escalation required.\", [input.outage_id, input.minutes_since_outage_discovery])\n}\n\ndeny[msg] {\n input.telecom_regulatory_fcc_outage_reporting_stage == \"nors_initial_notification_pending\"\n input.minutes_since_outage_discovery >= 115\n msg := sprintf(\"FCC Part 4.9 VIOLATION IMMINENT: Outage '%v' has reached %v minutes. NORS filing is 5 minutes from regulatory deadline violation.\", [input.outage_id, input.minutes_since_outage_discovery])\n}" }, { "pattern_id": "telecom.block_emergency_change_without_cab_emergency_approval", "pattern_name": "block_emergency_change_without_cab_emergency_approval", "enforcement_effect": "deny", "description": "Block execution of any change classified as 'emergency' or 'ai_generated_normal' that lacks HITL CAB approval. Standard and pre-approved AI-generated changes may proceed autonomously within the approved change window.", "applicable_enums": [ "ITILChangeCategory", "ITILChangeApprovalState", "ChangeRiskLevel", "AIOpsActionType" ], "regulatory_basis": "ITIL 4 Change Enablement Practice — Emergency changes require Emergency CAB approval; EU NIS2 Article 21(2)(d) — Change management controls for essential entities", "rego_sketch": "package telecom.change_management\n\nrequires_explicit_approval := {\n \"normal\",\n \"emergency\",\n \"ai_generated_normal\"\n}\n\nvalid_approved_states := {\"approved\", \"approved_with_conditions\"}\n\ndeny[msg] {\n input.telecom_itil_change_category in requires_explicit_approval\n not input.telecom_itil_change_approval_state in valid_approved_states\n msg := sprintf(\"ITIL 4 / NIS2 Article 21: Change category '%v' requires explicit CAB approval. Current approval state: '%v'. Execution blocked.\", [input.telecom_itil_change_category, input.telecom_itil_change_approval_state])\n}\n\ndeny[msg] {\n input.telecom_itil_change_risk_level in {\"high\", \"very_high\"}\n input.telecom_itil_change_category == \"ai_generated_standard\"\n msg := sprintf(\"Change risk level '%v' exceeds threshold for autonomous standard change execution. Reclassify as ai_generated_normal and obtain CAB approval.\", [input.telecom_itil_change_risk_level])\n}" } ] }, "agent_registry_fields": { "description": "Recommended fields for registering a telecommunications or IT operations domain agentic AI system in the GRC portal. Supplements the core agent identity schema from 00_core_sdk_and_governance.json.", "fields": [ { "field": "autonomous_network_level", "type": "enum", "enum_ref": "AutonomousNetworkLevel", "description": "The TM Forum Autonomous Networks maturity level at which this agent is authorised to operate. AL3+ agents require documented EU AI Act Article 14 human oversight mechanisms before activation.", "required_when": "All agentic AI systems performing network operations or service management actions" }, { "field": "tmforum_api_integrations", "type": "array", "description": "List of TM Forum Open API endpoints this agent integrates with, such as TMF621, TMF622, TMF640, TMF641, TMF642, TMF628, TMF657, TMF688, or TMF921. Required for impact assessment if TM Forum API versions change.", "required_when": "All agents integrating with BSS/OSS platforms via TM Forum Open APIs" }, { "field": "essential_entity_classification", "type": "string", "description": "NIS2 Article 3 entity classification for the telecommunications operator this agent serves. Determines NIS2 reporting obligations and security measure requirements. Use values such as essential_entity, important_entity, or not_in_scope.", "required_when": "All agents deployed for EU-regulated telecommunications operators under NIS2" }, { "field": "nis2_incident_reporting_enabled", "type": "boolean", "description": "True if this agent is integrated with the NIS2 incident reporting workflow and can initiate NIS2 Article 23 reporting stage tracking.", "required_when": "SOC, NOC, and fault management agents for essential entity operators" }, { "field": "network_domains_in_scope", "type": "array", "description": "The network domains within which this agent is authorised to take autonomous actions, such as ran, core_5g_sa, core_5g_nsa, core_4g, transport_ip_mpls, transport_optical, oss_bss, it_operations, data_centre, cloud_infrastructure, or enterprise_lan. Change management policy enforcement is scoped to these domains.", "required_when": "All AIOps and network automation agents" }, { "field": "safety_critical_slice_management", "type": "boolean", "description": "True if this agent is authorised to manage URLLC or V2X network slices supporting safety-critical applications (emergency services, autonomous vehicles, remote surgery). Triggers enhanced HITL requirements and EU AI Act Annex III high-risk classification assessment.", "required_when": "Network slice management agents" }, { "field": "fcc_part4_reporting_scope", "type": "boolean", "description": "True if this agent's network monitoring scope includes infrastructure subject to FCC Part 4 NORS outage reporting obligations. Activates the 120-minute NORS timer tracking capability.", "required_when": "All network monitoring agents for US telecommunications carriers" }, { "field": "change_authority_level", "type": "string", "description": "The maximum ITIL 4 change category this agent is authorised to execute autonomously without pre-approval. Must be set in accordance with the operator's CAB-approved AI change management policy. Use values such as standard_only, ai_generated_standard_only, automated_remediation_post_log, or none_all_require_hitl.", "required_when": "All AIOps and change management automation agents" } ] } }