Skip to content
Security Management
CODESeMS

Security events. One operation.Sealed perimeter.

Security events live beside safety on one connected operation — the same record, the same doors, the same closure discipline. The difference is the perimeter: sensitive fields are kept sealed by the database, even from the AI assistant, for anyone without clearance.

SEC-2026-0148
ILLUSTRATIVE
Perimeter breach — east gate
ICAO ANNEX 17 · UNLAWFUL ENTRY
CONFIDENTIAL
Flight DeckAccountabilityWorkflowRisk
RISK AXIS
THREAT
Elevated
VULNERABILITY
Moderate
IMPACT
Major
Sealed to cleared roles · hidden from the assistant otherwise
01FLIGHT-DECK DOORS

Learn one record once.
Open it anywhere.

A security event opens on the same doors as every occurrence. Master the record once, and you know every module — one detail surface across the platform.

D1
Flight Deck
The event at a glance — facts, status, severity.
D2
Accountability
Who owns it, who must sign, who is informed.
D3
Workflow
The stages it moves through — none can be skipped.
D4
Risk
Threat, vulnerability and impact on one axis.
DOORSFlight Deck · Accountability · Workflow · Risk — one composition, every moduleILLUSTRATIVE
02ANNEX-19 CONFIDENTIALITY

Sensitive stays sealed.
Even from the assistant.

Three sensitivity tiers, each with explicit clearance grants. A record above your clearance never reaches your queue, your alerts, or the AI assistant — it fails closed, across roles and across organisations.

  • ProtectedCleared security population
    Routine security records, visible to the security team under their access scope.
  • RestrictedNamed clearances only
    Sensitive events surfaced only to roles granted an explicit clearance.
  • ConfidentialHighest clearance only
    Closed-hold records. Invisible in queues, alerts, and the AI assistant for everyone else.
ENFORCEDDatabase-enforced isolation · fails closed across roles and organisationsILLUSTRATIVE
03CLOSURE GATES

A security event
can’t close on faith.

Security events inherit the same enforced governance as safety. Closing one means passing the gates — not flipping a status field.

G1
A workflow that can’t skip a step.
Oversight and closure stages are part of the record. A generic update can’t jump them, and every move is recorded.
G2
Rate the controls that held.
Security events use the same barrier and bow-tie engine as safety. Each control is assessed — which held, which degraded.
G3
A degraded barrier needs proof.
A degraded control requires a linked action that passes an effectiveness check before the event can close. Waivers are auditable.
AUDITEDEvery mutation logged in the same transaction · a regulator-ready trailILLUSTRATIVE
04ONE CONNECTED OPERATION

Breach and hazard,
one record.

  • When a breach is also a hazard.
    One record, linked across safety and security.

    A perimeter breach that creates a runway-incursion hazard is a single record, linked both ways. Each team works it under their own scope; the sensitive security fields stay sealed inside the security perimeter.

  • When you set the severity.
    The officer decides; the AI offers a second opinion.

    From the threat, vulnerability and impact on the record, the AI assistant proposes a level. Your security officer accepts, adjusts, or overrules it. The level on file is always a person’s call, with the reasoning beside it.

  • When you trace the connection.
    Caused-by, mitigated-by, documented-in.

    Linked records carry their relationship: the hazard a breach caused, the action that mitigated it, the controlled procedure it documents. The connection is a fact on the record, not a note in a margin.

  • When the amendment lands.
    The change finds what it touches.

    An Annex 17 amendment flows into the requirements, procedures and training it affects, so you see what has to change — instead of re-reading every document to guess.

05PERSONAL QUEUE

The right post-holder.
Nothing leaked.

A single urgency-scored queue routes security items to the role that owns them — delegation- and confidentiality-aware. Notifications respect the same perimeter.

  • Required
    Responsible post-holder
    High-severity security items routed to the role that owns them, urgency-scored to the top.
  • Recommended
    Owner or delegate
    Items that need attention soon — delegation-aware, so cover does not mean a dropped ball.
  • Watch
    Cleared roles only
    Lower-urgency items kept in view. A record you can’t see never reaches your queue or your inbox.
SCOPEDPer-user read state · tenant-isolated · respects the security perimeterILLUSTRATIVE
SeMS · SECURITY MODULE

See the perimeter hold.
Watch an event close.

Walk a confidential security event through the doors, the closure gates, and the queue — with the founder, on your data shape, in 30 minutes.