AIFC-064: Data Classification

Status: Draft 0.1 Standard: AI-First Community Standard Short name: AIFC Builds on:

• AIFC-000 Manifesto for AI-First Communities
• AIFC-001 Core Concepts
• AIFC-010 Knowledge Structure
• AIFC-011 Operational DNA
• AIFC-012 Metadata and Markdown
• AIFC-013 Human and AI Readable Content
• AIFC-020 Human-Managed AI
• AIFC-022 AI-NDA Boundary
• AIFC-023 AI as Team Member
• AIFC-034 AI Lock-in and Exit Strategy
• AIFC-050 Community Interface
• AIFC-052 Shared Values Layer
• AIFC-053 Multi-Community Governance
• AIFC-060 Knowledge Security
• AIFC-061 Access Control
• AIFC-062 Agent Permissions
• AIFC-063 Auditability

Purpose of this document: Define Data Classification as a basic security and governance mechanism for the AIFC knowledge base, Source of Truth, Operational DNA, metadata, AI inputs, AI outputs, derived knowledge, audit logs, interfaces, and cross-community sharing. Data Classification makes it possible to govern access, AI processing, sharing, export, audit, retention, and protection of community know-how according to sensitivity and impact.

1. Purpose of this document

This document defines Data Classification.

An AIFC community works with knowledge that may be public, internal, sensitive, or critical.

This knowledge is not only data.

It may contain:

• community purpose,
• values,
• strategy,
• decisions,
• workflows,
• skills,
• AI skills,
• agent permissions,
• security rules,
• customer patterns,
• business model,
• vendor boundaries,
• audit logs,
• Source of Truth metadata,
• or Operational DNA.

Without classification, the community cannot responsibly decide:

• who may read,
• who may change,
• who may export,
• who may share,
• who may use AI,
• who may create derived knowledge,
• who may publish,
• how long content is retained,
• how it is audited,
• how it is protected.

Data Classification is a foundation for safe operation of an AI-first community.

2. Core principle

The core principle of this document is:

Classify knowledge by sensitivity, purpose and impact on community capability.

AIFC states:

Do not classify only files.
Classify capability exposure.

In an AI-first community, the greatest risk may be that a well-structured summary reveals more than the individual documents.

3. Definition

Data Classification is the governed mechanism by which a community labels data, knowledge artefacts, metadata, AI inputs, AI outputs, derived knowledge, audit logs, interfaces, and other information assets according to sensitivity, purpose, risk, and impact.

Data Classification determines:

• access rules,
• AI processing rules,
• export rules,
• sharing rules,
• retention rules,
• audit requirements,
• redaction requirements,
• encryption requirements,
• approval requirements,
• Operational DNA protection,
• cross-community boundary,
• public release constraints.

Minimum requirement

Every meaningful knowledge artefact must have a classification or inherit it from location, type, workflow, owner, or rule.

4. Why Data Classification matters

Without classification, the community does not know what it protects.

That creates two extremes.

First extreme:

Everything is open.

Result:

• know-how leakage,
• Operational DNA leakage,
• uncontrolled AI processing,
• vendor lock-in,
• loss of trust,
• security incident.

Second extreme:

Everything is restricted.

Result:

• weak learning,
• weak onboarding,
• slow cooperation,
• knowledge silos,
• loss of Human Capability Reserve,
• rule bypassing.

Good classification makes it possible to protect what is sensitive while sharing what is safe.

Minimum requirement

Data Classification must support both protection and usability of the knowledge base.

5. Classification is not only confidentiality

Classification is not only about confidentiality.

AIFC classification should consider:

• confidentiality,
• integrity,
• availability,
• capability exposure,
• AI processing risk,
• derived knowledge risk,
• community impact,
• values impact,
• legal/compliance impact,
• cross-community impact,
• Operational DNA exposure.

For example, a public document may have low confidentiality but high reputational impact.

Internal metadata may contain little text but strongly reveal strategy.

Minimum requirement

Classification must account for impact, not only secrecy.

6. Recommended classification levels

AIFC recommends these base classification layers:

Public
Internal
Restricted
Operational DNA

A community may extend this model according to legal, sector, or organizational needs.

Minimum requirement

The community must have clearly defined classification levels and meanings.

7. Public

Public information is intended for public sharing.

Examples:

• public manifesto,
• marketing website,
• public documentation,
• public API description,
• open standard text,
• public community statement,
• open-source examples.

Public does not mean ownerless.

Public artefacts must still be correct, current, approved, and reviewed.

Risks:

• unintended exposure of internal metadata,
• public release of an AI-generated draft,
• outdated public claim,
• Operational DNA exposure in an example,
• legal or reputational impact.

Minimum requirement

Public artefacts derived from the internal knowledge base must have an owner, status, and public release review.

8. Internal

Internal information is intended for the community or organization.

Examples:

• internal guides,
• internal workflows,
• ordinary project documentation,
• meeting notes without sensitive data,
• internal backlog summaries,
• general skills,
• ordinary internal decisions.

Internal does not mean it can be placed into any AI.

Internal does not mean it can be sent to a vendor.

Internal does not mean it cannot contain sensitive metadata.

Minimum requirement

Internal artefacts must have rules for external sharing and AI processing.

9. Restricted

Restricted information is sensitive and has limited access.

Examples:

• customer data,
• incident records,
• security findings,
• vendor contracts,
• financial plans,
• legal/compliance content,
• risk registers,
• non-public strategy,
• sensitive AI governance,
• restricted agent permissions,
• sensitive audit logs,
• personal data,
• confidential partner information.

Restricted artefacts require:

• owner,
• need-to-know,
• purpose limitation,
• access approval,
• AI-NDA Boundary,
• audit,
• retention,
• export control.

Minimum requirement

Restricted artefacts must have owner, access control, AI processing rule, export rule, and audit appropriate to risk.

10. Operational DNA

Operational DNA is critical know-how that describes or enables community capability.

Examples:

• unique operating model,
• internal playbooks,
• decision logic,
• customer pattern synthesis,
• business model details,
• AI skills for critical workflows,
• agent orchestration,
• security boundaries,
• recovery procedures,
• company generation model,
• capability map,
• Source of Truth architecture,
• strategic operating model.

Operational DNA is the most sensitive classification.

Leakage may mean loss of capability, competitive advantage, security, autonomy, or trust.

Minimum requirement

Operational DNA must have the highest protection, limited access, explicit AI-NDA Boundary, audit, export control, and owner.

11. Classification by content

Classification may be based on the artefact’s content.

Examples:

• contains personal data,
• contains customer data,
• contains security information,
• contains strategy,
• contains contract,
• contains AI agent permissions,
• contains secrets,
• contains Operational DNA.

Minimum requirement

Classification must consider the actual artefact content, not only its name or location.

12. Classification by context

The same content may have a different classification depending on context.

Example:

A general description of a workflow may be Internal.

The same workflow combined with customer patterns, decision logic and automation rules may become Operational DNA.

Context may include:

• purpose,
• audience,
• combination with other data,
• timing,
• business impact,
• legal situation,
• incident context,
• competitive context.

Minimum requirement

Classification must consider the context of use and the combination of information.

13. Classification by aggregation

Aggregation may increase sensitivity.

Individual documents may be Internal.

Their synthesis may be Restricted or Operational DNA.

Example:

• 20 internal tickets: Internal.
• AI synthesis of recurring customer failures and product weaknesses: Restricted.
• Synthesis of operating model, skills, customers, and automation: Operational DNA.

Minimum requirement

Aggregated or synthesized knowledge must be classified by the sensitivity of what it reveals, not only by input classifications.

14. Derived knowledge classification

AI often creates derived knowledge.

Derived knowledge is new knowledge created from existing inputs.

It may be:

• summary,
• synthesis,
• pattern,
• prediction,
• risk assessment,
• strategy interpretation,
• capability map,
• customer insight,
• vulnerability map,
• operational model.

Derived knowledge may be more sensitive than its inputs.

Minimum requirement

AI-generated derived knowledge must be classified by impact and by what it reveals.

15. Metadata classification

Metadata may be sensitive.

Examples:

• owner,
• priority,
• status,
• review date,
• risk level,
• classification,
• AI access,
• dependencies,
• related decisions,
• related agents,
• affected communities,
• Operational DNA marker,
• strategy linkage.

Metadata may reveal community structure, priorities, or weaknesses.

Minimum requirement

Metadata must be classified or protected according to what it reveals.

16. Prompt and output classification

Prompts and AI outputs must be classified.

A prompt may contain sensitive data.

An output may contain:

• summary of Restricted content,
• new derived knowledge,
• hallucinated but sensitive-looking content,
• inferred strategy,
• customer pattern,
• security insight,
• Operational DNA.

Minimum requirement

Critical AI prompts and outputs must have classification or an audit policy that handles their sensitivity.

17. Audit log classification

Audit logs may be highly sensitive.

They may reveal:

• who accesses what,
• which artefacts are sensitive,
• how agents act,
• security incidents,
• vendor involvement,
• AI-NDA Boundary violations,
• existence of Operational DNA,
• access patterns.

Minimum requirement

Audit logs must have their own classification and access control.

18. Interface classification

Community Interface, Enterprise Interface, and public interface must be classified.

An interface may be public, internal, or restricted.

Risk appears when an interface reveals:

• internal workflow,
• decision logic,
• security boundaries,
• customer patterns,
• agent capabilities,
• Operational DNA,
• internal escalation paths.

Minimum requirement

Interfaces must be reviewed against Operational DNA exposure and classified accordingly.

19. Skill classification

Human skills and AI skills may have different sensitivity.

Public skill:

• general procedure,
• open standard pattern,
• public checklist.

Internal skill:

• internal work procedure.

Restricted skill:

• security review skill,
• incident response skill,
• sensitive customer handling skill.

Operational DNA skill:

• unique operational playbook,
• agent orchestration,
• company generation capability,
• strategic decision logic.

Minimum requirement

Skills must be classified by the capability they reveal.

20. Agent permission classification

Agent permissions may themselves be sensitive.

They may reveal:

• what the agent may do,
• where it has access,
• which systems exist,
• which actions are forbidden,
• which security boundaries exist,
• where weaknesses are,
• what is Operational DNA.

Minimum requirement

Agent permissions must have classification and access control appropriate to risk.

21. Decision Record classification

Decision Records may be public, internal, restricted, or Operational DNA.

It depends on what the decision reveals.

A Decision Record may contain:

• values conflict,
• strategy,
• security risk,
• AI dependency,
• vendor boundary,
• risk acceptance,
• customer impact,
• legal reasoning.

Minimum requirement

Decision Records must have classification according to content, impact, and audience.

22. Classification and AI-NDA Boundary

The AI-NDA Boundary must be derived from classification.

Example:

Public:
AI processing allowed by default unless restricted by policy.

Internal:
AI processing allowed only with approved tools or rules.

Restricted:
AI processing requires AI-NDA Boundary and purpose limitation.

Operational DNA:
AI processing requires explicit approval, strict boundary, audit and usually private or controlled environment.

Minimum requirement

Every classification level must have an AI processing rule.

23. Classification and access control

Access Control is based on classification.

Classification determines:

• who may read,
• who may edit,
• who may approve,
• who may share,
• who may export,
• who may pass content to AI,
• which audit is required,
• which retention applies.

Minimum requirement

Access rules must be mapped to classification levels.

24. Classification and export

Export is especially risky for Restricted and Operational DNA.

Export rules must define:

• who may export,
• in which format,
• whether metadata is exported,
• whether redaction is needed,
• whether encryption is needed,
• whether approval is needed,
• whether export may be given to a vendor,
• whether export may be processed by AI.

Minimum requirement

Restricted and Operational DNA export must require explicit approval and audit.

25. Classification and public release

Public release is a classification change outward.

The community must check:

• does it contain Restricted content?
• does it contain sensitive metadata?
• does it reveal Operational DNA?
• is the output approved?
• is AI-generated content reviewed?
• are customer or partner rights violated?
• is internal reasoning being published?

Minimum requirement

Moving internal or sensitive know-how into a public output must have public release review.

26. Classification and retention

Classification affects retention.

Public content may be retained long-term.

Internal content may have a review cycle.

Restricted content may have limited retention.

Operational DNA may require long-term protection, regular review, and access control.

Audit logs may have separate retention rules.

Minimum requirement

Classification levels must have retention or review rules.

27. Classification and deletion

Deletion must respect classification.

Some content must be deleted because of law or boundary.

Some content must not be deleted because of audit.

Some content should be archived.

Some content must be removed from agent memory, embeddings, or cache.

Minimum requirement

Sensitive classification levels must have deletion, archive, or retention rules.

28. Classification and embeddings

Embeddings and vector stores must inherit classification from sources.

If a source changes, is deleted, or becomes restricted, the community must address:

• re-indexing,
• access filtering,
• deletion,
• tenant isolation,
• retrieval restrictions,
• audit,
• leakage prevention.

Minimum requirement

Embeddings from Restricted or Operational DNA content must be protected at the same or higher level as the source.

29. Classification and aggregation in Human Cockpit Layer

The Human Cockpit Layer may show aggregations.

Aggregation may reveal sensitive information even when individual items are not shown.

Examples:

• number of critical security incidents,
• weakness map,
• list of agents with access,
• strategic priorities,
• risk heatmap,
• customer complaint pattern.

Minimum requirement

The Human Cockpit Layer must classify aggregated views by what they reveal.

30. Classification and cross-community sharing

When sharing between communities, it must be clear:

• what classification applies in the source community,
• whether the receiving community recognizes the same classification,
• which boundary applies,
• whether AI may be used,
• whether derived knowledge may be created,
• who owns the shared knowledge,
• how incidents are handled.

Minimum requirement

Cross-community sharing of non-public knowledge requires classification mapping or explicit sharing boundary.

31. Classification inheritance

Classification may be inherited.

Examples:

• folder /restricted sets default restricted,
• workflow sets output classification,
• data source sets derived artefact classification,
• AI-NDA Boundary sets AI processing rules,
• interface sets public/internal boundary.

Inheritance reduces friction.

But it must not be blind.

Content may require higher classification than the default.

Minimum requirement

Classification inheritance must allow classification to increase according to content and impact.

32. Classification override

Sometimes classification must change.

Override must be governed.

Examples:

• public release of an internal artefact,
• classification increase after an incident,
• lowering after redaction,
• change after removal of personal data,
• change after aggregation,
• change after AI synthesis.

Minimum requirement

Lowering the classification of Restricted or Operational DNA must require approval.

33. Classification review

Classification may become stale.

Review asks:

• is the classification still correct?
• did the content change?
• did the context change?
• did the audience change?
• was derived knowledge created?
• was the content aggregated?
• did the legal situation change?
• did AI processing risk change?
• can the content be safely published?
• does the content need stronger protection?

Minimum requirement

Restricted and Operational DNA artefacts must have a classification review cycle or trigger.

34. AI-assisted classification

AI may help with classification.

It may:

• propose classification,
• detect personal data,
• detect secrets,
• detect Operational DNA exposure,
• warn about sensitive metadata,
• propose redaction,
• propose AI processing rules,
• detect sensitivity changes after aggregation.

However, AI must not lower the classification of a critical artefact without approval.

Minimum requirement

AI-assisted classification must be marked as proposal until approved for Restricted or Operational DNA artefacts.

35. Misclassification

Misclassification is incorrect sensitivity labeling.

Examples:

• Operational DNA marked Internal,
• public output contains Restricted metadata,
• AI output is unclassified,
• aggregate dashboard reveals a sensitive pattern,
• audit log is too open,
• vendor export is under-classified.

Misclassification is a knowledge security risk.

Minimum requirement

Misclassification incidents must be recorded and handled according to impact.

36. Classification and values

Classification is not only a technical rule.

It reflects community values.

Examples:

• privacy,
• trust,
• transparency,
• resilience,
• accountability,
• learning,
• community sovereignty,
• operational safety.

Too low a classification may violate trust.

Too high a classification may harm learning and cooperation.

Minimum requirement

Classification policy must balance security, transparency, learning, and responsibility.

37. Classification and Human Capability Reserve

If critical know-how is too closed, the community may lose recovery capability.

The community therefore needs:

• redacted training examples,
• safe learning versions,
• internal summaries,
• role-based access,
• fallback manuals,
• human skills,
• access for backup roles.

Classification should protect learning, not destroy it.

Minimum requirement

Operational DNA protection must be balanced with Human Capability Reserve through safe human-readable variants or training paths.

38. Classification and AI lock-in

If sensitive know-how exists only in an AI vendor platform, agent memory, or proprietary skill store, classification and control are weakened.

AIFC prefers classification of critical artefacts to be held in the Source of Truth or governance repository.

Minimum requirement

Critical classified artefacts must not be authoritatively classified only in an AI vendor system.

39. Classification policy

An AIFC community should have a classification policy.

It defines:

• classification levels,
• meaning of levels,
• examples,
• access rules,
• AI processing rules,
• export rules,
• retention rules,
• public release rules,
• review rules,
• misclassification handling,
• ownership,
• approval rules.

Minimum requirement

A community working with non-public know-how must have a classification policy or equivalent.

40. Suggested metadata

Example metadata for artefact classification:

classification:
  level: public | internal | restricted | operational_dna
  owner:
  reason:
  inherited_from:
  contains_personal_data: true | false
  contains_secrets: true | false
  contains_customer_data: true | false
  contains_operational_dna: true | false
  ai_processing:
    allowed: true | false
    rule: public_allowed | approved_tools_only | redaction_required | private_environment_only | explicit_approval_required | forbidden
    ai_nda_boundary:
  export:
    allowed: true | false
    approval_required: true | false
    redaction_required: true | false
  sharing:
    internal_allowed: true | false
    external_allowed: true | false
    cross_community_boundary_required: true | false
  audit_required: true | false
  retention_rule:
  review_cycle:
  last_reviewed:

Example metadata for classification review:

classification_review:
  id:
  title:
  status: scheduled | in_progress | approved | changed | escalated | closed
  artefact:
  current_classification:
  proposed_classification:
  reason:
  ai_assisted: true | false
  reviewer:
  approval_required: true | false
  decision:
  decision_record:
  created_at:
  closed_at:

Example metadata for a misclassification incident:

misclassification_incident:
  id:
  title:
  status: observed | triaged | contained | corrected | under_review | closed
  artefact:
  original_classification:
  corrected_classification:
  incident_type:
    - under_classified
    - over_classified
    - missing_classification
    - public_leak
    - ai_processing_violation
    - export_violation
    - metadata_leak
    - derived_knowledge_misclassified
  affected_communities:
  ai_involved: true | false
  impact:
  corrective_actions:
  related_change_proposal:
  owner:
  created_at:
  closed_at:

These structures are illustrative.

The final schema should be defined in the agent-actionable layer of the standard.

41. Anti-patterns

AIFC rejects the following anti-patterns.

41.1 No classification

Knowledge artefacts have no classification and access is governed by chance or convenience.

41.2 Classification by folder only

Folder location determines classification, but content is not reviewed.

41.3 Everything internal

The community marks everything as internal and ignores Restricted and Operational DNA.

41.4 Everything restricted

The community marks everything as restricted and kills learning, onboarding, and cooperation.

41.5 AI output unclassified

AI outputs are used without classification even when they contain derived knowledge.

41.6 Metadata ignored

Metadata is not protected even though it reveals sensitive information.

41.7 Aggregation ignored

Aggregation or synthesis increases sensitivity, but classification does not change.

41.8 Public release without review

Internal content is published without checking Operational DNA exposure.

41.9 AI declassification

AI lowers classification without human approval.

41.10 Vendor classification mismatch

The community shares data with a vendor without verifying that the vendor recognizes the same classification and boundary.

41.11 Embeddings without classification

Embeddings from Restricted content are stored as ordinary technical artefacts.

41.12 Classification as bureaucracy

Classification is treated as a compliance checkbox, not as protection of community capability.

42. Minimal requirements

An AIFC community must at minimum meet these Data Classification requirements:

1. Meaningful knowledge artefacts have classification or inherit it from a rule.
2. Data Classification supports both protection and usability of the knowledge base.
3. Classification accounts for impact, not only secrecy.
4. The community has clearly defined classification levels.
5. Public artefacts derived from the internal knowledge base have owner, status, and public release review.
6. Internal artefacts have rules for external sharing and AI processing.
7. Restricted artefacts have owner, access control, AI processing rule, export rule, and audit.
8. Operational DNA has highest protection, limited access, AI-NDA Boundary, audit, export control, and owner.
9. Classification considers the actual artefact content.
10. Classification considers context of use and combinations of information.
11. Aggregated or synthesized knowledge is classified by what it reveals.
12. AI-generated derived knowledge is classified by impact.
13. Metadata is classified or protected according to what it reveals.
14. Critical AI prompts and outputs have classification or audit policy.
15. Audit logs have their own classification and access control.
16. Interfaces are reviewed against Operational DNA exposure.
17. Skills are classified by the capability they reveal.
18. Agent permissions have classification and access control.
19. Decision Records have classification according to content, impact, and audience.
20. Every classification level has an AI processing rule.
21. Access rules are mapped to classification levels.
22. Restricted and Operational DNA export requires approval and audit.
23. Moving internal or sensitive know-how into a public output has public release review.
24. Classification levels have retention or review rules.
25. Sensitive classification levels have deletion, archive, or retention rules.
26. Embeddings from Restricted or Operational DNA content are protected like the source.
27. The Human Cockpit Layer classifies aggregated views by what they reveal.
28. Cross-community sharing of non-public knowledge requires classification mapping or explicit sharing boundary.
29. Classification inheritance allows classification to increase by content and impact.
30. Lowering classification of Restricted or Operational DNA requires approval.
31. Restricted and Operational DNA artefacts have classification review cycle or trigger.
32. AI-assisted classification is marked as proposal until approved for Restricted or Operational DNA.
33. Misclassification incidents are recorded and handled according to impact.
34. Classification policy balances security, transparency, learning, and responsibility.
35. Operational DNA protection is balanced with Human Capability Reserve through safe variants or training paths.
36. Critical classified artefacts are not authoritatively classified only in an AI vendor system.
37. A community working with non-public know-how has classification policy or equivalent.

43. Summary

Data Classification is a foundation of a safe AI-first knowledge base.

Without classification, it is not possible to responsibly govern:

• access,
• AI processing,
• export,
• sharing,
• audit,
• retention,
• public release,
• Operational DNA protection,
• cross-community boundaries.

AIFC therefore states:

Classify what knowledge reveals.
Classify what AI derives.
Classify what aggregation exposes.
Classify what capability depends on.

Correct classification allows the community to share safely, protect precisely, and use AI without losing control.

Data Classification turns knowledge sensitivity into governed protection and usable trust.