gbrain: sync converted org-mode brain files

ideas/compliance/_index.org

@@ -0,0 +1,79 @@
+:PROPERTIES:
+:ID:       e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c
+:CREATED:  [2026-05-23 Sat]
+:UPDATED:  [2026-05-23 Sat]
+:END:
+#+title: Compliance Framework Index — Global Regulated Industries
+#+filetags: :passepartout:triad:compliance:global:index:hub:
+
+The verification monopoly and domain gate package revenue streams depend on
+selling into regulated industries. These industries buy compliance, not software.
+Each framework below maps to a gate package the triad can sell — ACL2-verified
+gate rules that produce deterministic audit trails.
+
+See [[file:first-mover-window.org][First-mover window analysis]] and [[file:revenue-table.org][Revenue table]] for the consolidated view.
+
+* US Frameworks
+
+- [[file:hipaa.org][HIPAA]] — Health privacy ($50K/yr, 500K+ orgs)
+- [[file:soc2.org][SOC 2]] — Service organization controls ($50K/yr, 100K+ orgs)
+- [[file:fedramp.org][FedRAMP]] — Federal cloud authorization ($100K/yr, 1K providers)
+- [[file:sox.org][SOX]] — Financial controls ($50K/yr, 10K orgs)
+- [[file:glba.org][GLBA]] — Financial privacy ($40K/yr, 20K orgs)
+- [[file:ny-dfs-500.org][NY DFS 500]] — NY financial cybersecurity ($30K/yr, 3K orgs)
+- [[file:ccpa-cpra.org][CCPA/CPRA]] — California privacy ($40K/yr, 50K+ orgs)
+
+* Canada
+
+- [[file:quebec-law-25.org][Quebec Law 25]] — Provincial privacy ($25K/yr, 10K+ orgs)
+
+* UK and EU
+
+- [[file:gdpr.org][GDPR]] — EU privacy ($50K/yr, 500K+ orgs)
+- [[file:uk-gdpr.org][UK GDPR]] — UK privacy ($40K/yr, 100K+ orgs)
+- [[file:nis2.org][NIS2]] — Network security ($50K/yr, 160K orgs)
+- [[file:eu-ai-act.org][EU AI Act]] — AI regulation ($75K/yr, 100K+ orgs)
+- [[file:dora.org][DORA]] — Financial resilience ($50K/yr, 22K+ orgs)
+- [[file:eidas2.org][eIDAS 2.0]] — Digital identity ($30K/yr, 10K+ orgs)
+- [[file:cra.org][CRA]] — Product cybersecurity ($40K/yr, 50K+ orgs)
+
+* Asia-Pacific
+
+- [[file:appi.org][APPI]] — Japan privacy ($40K/yr, 100K+ orgs)
+- [[file:ismap.org][ISMAP]] — Japan cloud authorization ($75K/yr, 500 providers)
+- [[file:pipa.org][PIPA]] — South Korea privacy ($35K/yr, 50K+ orgs)
+- [[file:privacy-act-aus.org][Privacy Act]] — Australia privacy ($35K/yr, 50K+ orgs)
+- [[file:apra-cps-234.org][APRA CPS 234]] — Australian financial security ($40K/yr, 500 orgs)
+- [[file:irap.org][IRAP]] — Australian cloud authorization ($75K/yr, 300 providers)
+- [[file:dpdp-act.org][DPDP Act]] — India privacy ($30K/yr, 500K+ orgs)
+
+* Latin America
+
+- [[file:lgpd.org][LGPD]] — Brazil privacy ($30K/yr, 200K+ orgs)
+- [[file:lfp-dppp.org][LFPDPPP]] — Mexico privacy ($25K/yr, 50K+ orgs)
+
+* International
+
+- [[file:iso-27001.org][ISO 27001]] — ISMS ($40K/yr, 60K+ orgs)
+- [[file:iso-27701.org][ISO 27701]] — Privacy management ($35K/yr, 1K+ orgs)
+- [[file:basel-iii.org][Basel III]] — Banking capital ($100K/yr, 500 G-SIBs)
+- [[file:fatf.org][FATF]] — AML/CFT ($50K/yr, 50K+ orgs)
+- [[file:ifrs.org][IFRS 17]] — Insurance accounting ($75K/yr, 5K+ orgs)
+- [[file:oecd.org][OECD Guidelines]] — Privacy/AI principles (indirect)
+- [[file:world-bank-esf.org][World Bank ESF]] — Development finance ($50K/yr)
+- [[file:ifc-ps.org][IFC PS]] — Project finance ($50K/yr)
+- [[file:un-cefact.org][UN/CEFACT]] — Trade facilitation ($30K/yr, 50K+ orgs)
+
+* Strategic View
+
+| Region | Frameworks | Total TAM | First-mover priority |
+|--------|-----------|-----------|---------------------|
+| US | 7 | ~$33B | FedRAMP (procurement gate), NY DFS 500 (growing) |
+| UK/EU | 7 | ~$24B | NIS2 (2025 deadline), AI Act (Aug 2026), DORA (in effect) |
+| Asia-Pacific | 7 | ~$9B | DPDP (rules drafting), ISMAP/IRAP (gov cloud gates) |
+| Latin America | 2 | ~$7B | LGPD (largest LATAM market) |
+| International | 9 | ~$4.5B | ISO 27001 (universal baseline), World Bank/IFC (no market exists) |
+
+Next: [[file:first-mover-window.org][First-mover window analysis]] | [[file:revenue-table.org][Full revenue table]]
+See also: [[file:../../ideas/verification-monopoly.org][Verification monopoly]], [[file:../../ideas/domain-gate-packages.org][Domain gate packages]],
+[[file:../../ideas/compute-marketplace.org][Compute marketplace]], [[file:../../ideas/infrastructure-lock-in.org][Infrastructure lock-in]]

ideas/compliance/appi.org

@@ -0,0 +1,26 @@
+:PROPERTIES:
+:ID:       auto-appi
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: 
+#+filetags: :passepartout:compliance:framework:appi:
+
+
+Japan's comprehensive privacy law (amended 2022, fully effective 2023).
+Applies to any business handling personal information of Japanese residents.
+Key requirements: consent, purpose specification, data retention limits,
+cross-border transfer restrictions (opt-in required), mandatory breach reporting,
+data subject access/deletion rights, pseudonymized/anonymized data provisions.
+Personal Information Protection Commission (PPC) enforces.
+
+Penalties: Up to 100M JPY (~$700K) for violations; criminal penalties up to
+1 year imprisonment. Orders to suspend data processing or delete data.
+
+Who must comply: All businesses handling personal information of Japanese
+residents. Extraterritorial — applies to non-Japanese businesses targeting
+Japanese residents.
+
+Why it matters: APPI's cross-border transfer restrictions require fine-grained
+control over which data leaves Japan. The gate stack can encode "this data has
+APPI cross-border consent flag = false → block egress." First-mover advantage
+is moderate — few non-Japanese vendors target APPI specifically, and the 2022

ideas/compliance/apra-cps-234.org

@@ -0,0 +1,27 @@
+:PROPERTIES:
+:ID:       auto-apra-cps-234
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: APRA CPS 234 (Prudential Standard — Information Security)
+#+filetags: :passepartout:compliance:framework:apra:
+
+** APRA CPS 234 (Prudential Standard — Information Security)
+
+Australian Prudential Regulation Authority standard for regulated financial
+institutions. Requires: clearly defined information security roles and
+responsibilities, periodic cybersecurity capability assessments, robust control
+testing, timely remediation of control weaknesses, mandatory notification of
+material incidents to APRA within 72 hours.
+
+Who must comply: Banks, insurers, superannuation funds regulated by APRA.
+~500 entities.
+
+Penalties: APRA can impose capital requirements, license conditions, or
+license cancellation for non-compliance. Personal liability for board and
+senior management.
+
+Why it matters: CPS 234's control testing requirement creates demand for
+continuous verification — exactly what the gate stack and evaluation harness
+provide. First-mover advantage: CPS 234 is mature (2019) but enforcement is
+escalating. No vendor provides a deterministic control-testing pipeline.
+

ideas/compliance/basel-iii.org

@@ -0,0 +1,27 @@
+:PROPERTIES:
+:ID:       auto-basel-iii
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: Basel III (Bank for International Settlements — Basel Committee)
+#+filetags: :passepartout:compliance:framework:basel:
+
+** Basel III (Bank for International Settlements — Basel Committee)
+
+International banking regulatory framework (BIS Basel Committee). Sets minimum
+capital requirements, liquidity coverage ratio (LCR), net stable funding ratio
+(NSFR), leverage ratio, and counterparty credit risk requirements. National
+implementation via local regulators (Federal Reserve, ECB, PRA, BOJ, etc.).
+
+Who must comply: All internationally active banks. Systemically important
+financial institutions (G-SIBs) face additional surcharges.
+
+Penalties: Capital adequacy violations trigger regulatory intervention at
+increasing severity — restrictions on dividends, mandatory capital raising,
+management replacement, resolution.
+
+Why it matters: Basel's risk-weight calculation is rule-heavy and
+verification-friendly. The gate stack can encode credit risk weight mappings
+and produce auditable proof that capital calculations follow the correct
+methodology. First-mover advantage: Basel compliance is done via spreadsheets
+and specialized risk platforms. No platform uses formal verification for
+risk-weight mapping correctness. A $100K/yr Basel gate package for a G-SIB

ideas/compliance/ccpa-cpra.org

@@ -0,0 +1,23 @@
+:PROPERTIES:
+:ID:       auto-ccpa-cpra
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: 
+#+filetags: :passepartout:compliance:framework:ccpa:
+
+
+California's comprehensive privacy law — the closest US analogue to GDPR.
+CPRA (effective 2023) amended and strengthened CCPA. Key rights: right to
+know, delete, opt out of sale/sharing, correct inaccurate data, limit use
+of sensitive PI. Private right of action for data breaches.
+
+Who must comply: For-profit businesses with >$25M revenue, or handling >100K
+consumer records, or deriving >50% revenue from selling PI. Extraterritorial —
+applies to any business collecting CA resident data.
+
+Penalties: $2,500 per violation (intentional: $7,500). Private right of action
+for breaches: $100-$750 per incident per consumer. CPRA created the California
+Privacy Protection Agency (CPPA) for enforcement.
+
+Why it matters: The opt-out/sale/sharing requirements create complex data flow
+gate rules. The gate stack can encode "this data flow crosses a CCPA boundary"

ideas/compliance/cra.org

@@ -0,0 +1,32 @@
+:PROPERTIES:
+:ID:       auto-cra
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: transaction." First-mover advantage: wallets are being built now; the provider
+#+filetags: :passepartout:compliance:framework:cra:
+
+transaction." First-mover advantage: wallets are being built now; the provider
+that integrates with the wallet standard first locks in the identity gate
+integration.
+
+** CRA (Cyber Resilience Act)
+
+EU regulation (effective 2025-2027 phased). Mandates cybersecurity requirements
+for products with digital elements (hardware and software). Requires: secure-bydesign, vulnerability handling, security updates for minimum 5 years, SBOM
+(software bill of materials) disclosure, CE marking for cybersecurity.
+
+Who must comply: Manufacturers, importers, and distributors of connected products
+sold in the EU. Categories: default (self-declaration), Class I (third-party
+audit), Class II (notified body assessment).
+
+Penalties: Up to 15M EUR or 2.5% of global turnover for non-compliance with
+reporting obligations.
+
+Why it matters: CRA's CE marking requirement creates a certification pipeline
+that the verification appliance can supply. If Passepartout's gate stack is
+itself CRA-compliant (verified by the evaluation harness), it becomes the
+compliance infrastructure for any product built on it. First-mover advantage:
+Class II products require notified body assessment — the bottleneck is notified
+body capacity. The gate stack's automated evidence pipeline bypasses the
+bottleneck.
+

ideas/compliance/dora.org

@@ -0,0 +1,29 @@
+:PROPERTIES:
+:ID:       auto-dora
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: DORA (Digital Operational Resilience Act)
+#+filetags: :passepartout:compliance:framework:dora:
+
+** DORA (Digital Operational Resilience Act)
+
+EU regulation (effective January 2025) for the financial sector. Requires:
+ICT risk management, incident reporting, digital operational resilience testing,
+ICT third-party risk management (including contractual access and audit rights
+for critical ICT providers), information sharing, threat-led penetration testing
+(TLPT) for systemic institutions.
+
+Who must comply: 22,000+ financial entities in the EU (banks, investment firms,
+payment processors, crypto-asset providers, insurance companies). Also ICT
+third-party providers deemed critical.
+
+Penalties: Up to 2% of average daily turnover × number of days breached, or
+10M EUR for legal entities. Personal liability for management.
+
+Why it matters: DORA's third-party risk management requirement is a natural gate
+stack use case — every ICT provider access must be gated, logged, and auditable.
+TLPT (threat-led penetration testing) maps to the evaluation harness. First-mover
+advantage is extremely time-sensitive: DORA is already in effect (January 2025).
+Financial institutions are scrambling for compliance tooling. A DORA gate package
+at $50K/yr with zero incremental cost per additional user is an immediate sale.
+

ideas/compliance/dpdp-act.org

@@ -0,0 +1,30 @@
+:PROPERTIES:
+:ID:       auto-dpdp-act
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: 
+#+filetags: :passepartout:compliance:framework:dpdp:
+
+
+India's first comprehensive federal privacy law (enacted August 2023, rules
+drafting in progress, enforcement expected 2026-2027). Key features: consent
+for personal data processing, data processor obligations, data principal rights
+(right to access, correction, erasure, grievance redressal), Data Protection
+Board of India (DPBI) enforcement, significant penalties, exempted government
+processing for sovereignty/national security.
+
+Penalties: Up to 250 Cr INR (~$30M) per breach. Data fiduciary bears primary
+responsibility regardless of processor fault.
+
+Who must comply: Any organization processing personal data of Indian residents,
+where the data is collected in India or used to profile Indian residents.
+Offshore data processors are in scope.
+
+Why it matters: DPDP is a greenfield privacy regime — India had no comprehensive
+privacy law before 2023. The rules (implementation details) are being drafted
+now. This is the widest first-mover window in the global privacy landscape:
+organizations need compliance tooling that doesn't exist yet. The gate stack's
+consent-managed data access model maps directly to DPDP's consent framework.
+A DPDP gate package at $30K/yr (discounted for India market) captures a market
+of hundreds of thousands of businesses with no incumbent vendor.
+

ideas/compliance/eidas2.org

@@ -0,0 +1,26 @@
+:PROPERTIES:
+:ID:       auto-eidas2
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: 
+#+filetags: :passepartout:compliance:framework:eidas2:
+
+
+** eIDAS 2.0 (Electronic Identification, Authentication and Trust Services)
+
+EU regulation (amended 2024). Creates the EU Digital Identity Wallet — mandatory
+for member states to offer, optional for citizens. Requires: qualified electronic
+signatures/seals/timestamps, qualified trust service providers (QTSPs), and the
+EU Digital Identity Wallet for identity verification across borders.
+
+Who must comply: Trust service providers, government digital identity systems,
+any organization accepting eIDAS-qualified identities. 27 member states must
+provide wallets by 2026.
+
+Penalties: Member state enforcement; penalties vary but non-compliance blocks
+access to the EU digital identity market.
+
+Why it matters: eIDAS 2.0 creates a verified digital identity layer across the
+EU. The gate stack can integrate with eIDAS wallets as the identity provider
+for gate rules — "only X, authenticated via eIDAS wallet, may approve this
+transaction." First-mover advantage: wallets are being built now; the provider

ideas/compliance/eu-ai-act.org

@@ -0,0 +1,32 @@
+:PROPERTIES:
+:ID:       auto-eu-ai-act
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: EU AI Act
+#+filetags: :passepartout:compliance:framework:eu:
+
+** EU AI Act
+
+First comprehensive AI regulation globally (effective August 2026). Risk-based
+tiers: unacceptable (banned), high-risk (conformity assessment), limited
+(transparency), minimal (code of conduct). High-risk systems require: risk
+management, data governance, technical documentation, transparency, human
+oversight, accuracy/robustness/cybersecurity. Third-party conformity assessment
+for some high-risk systems (notified bodies).
+
+Who must comply: Providers and deployers of AI systems in the EU. Extraterritorial
+if the AI system output is used in the EU. Scope covers GPAI (general-purpose AI)
+with additional obligations for systemic-risk GPAI.
+
+Penalties: Up to 35M EUR or 7% of global turnover (higher than GDPR).
+
+Why it matters: The EU AI Act's conformity assessment requirement creates an
+instant certification market. Passepartout's gate stack can serve as the
+human oversight and accuracy/robustness infrastructure for any AI system
+deployed through it. The [[file:verification-monopoly.org][verification monopoly]] argument applies at maximum
+force: an ACL2-verified gate stack is the most defensible approach to AI Act
+compliance. First-mover advantage: the regulation takes effect August 2026.
+No certification body or tool vendor has an ACL2-based compliance pipeline.
+First to market captures the standard-setting role.
+
+** DORA (Digital Operational Resilience Act)

ideas/compliance/fatf.org

@@ -0,0 +1,32 @@
+:PROPERTIES:
+:ID:       auto-fatf
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: risk-weight mapping correctness. A $100K/yr Basel gate package for a G-SIB
+#+filetags: :passepartout:compliance:framework:fatf:
+
+risk-weight mapping correctness. A $100K/yr Basel gate package for a G-SIB
+is a trivial expense relative to the capital requirement penalty of getting the
+mapping wrong.
+
+** FATF (Financial Action Task Force) — AML/CFT Standards
+
+International standard-setter for anti-money laundering and counter-terrorism
+financing. 40 Recommendations covering: risk assessment, customer due diligence
+(CDD), beneficial ownership transparency, suspicious transaction reporting,
+targeted financial sanctions, proliferation financing. National implementation
+varies by jurisdiction.
+
+Who must comply: Financial institutions, DNFBPs (designated non-financial
+businesses and professions), virtual asset service providers (VASPs). In
+practice: every bank, money service business, crypto exchange, and high-value
+dealer globally.
+
+Penalties: National enforcement varies. Systemic failures lead to FATF grey-list
+(monitoring) or black-list (counter-measures). Grey-listing increases transaction
+costs — Iran and North Korea are black-listed.
+
+Why it matters: FATF's CDD requirements are the most widespread and
+rule-complex compliance obligation globally. The gate stack can encode
+tiered CDD rules, prove that every customer onboarding followed the correct
+verification path, and produce an auditable trail for every suspicion

ideas/compliance/fedramp.org

@@ -0,0 +1,60 @@
+:PROPERTIES:
+:ID:       auto-fedramp
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: FedRAMP (Federal Risk and Authorization Management Program)
+#+filetags: :passepartout:compliance:framework:fedramp:
+
+* FedRAMP (Federal Risk and Authorization Management Program)
+
+** What it is
+
+US federal government's standardized approach to security assessment,
+authorization, and continuous monitoring for cloud services. OMB policy
+mandate — federal agencies must use FedRAMP-authorized services when available.
+
+Three impact levels based on data sensitivity:
+
+| Level   | Data type | Examples                        | Cost to achieve | Timeline |
+|---------|-----------|---------------------------------|-----------------|----------|
+| Low     | Public or low-sensitivity | Public websites, unclassified comms | $500K-$1M | 6-12 months |
+| Moderate | Controlled Unclassified Info (CUI) | Tax records, health data, law enforcement | $1M-$3M | 12-24 months |
+| High    | National security, classified | Defense, intelligence, critical infra | $3M-$5M | 18-36 months |
+
+Two authorization paths:
+- **JAB (Joint Authorization Board):** provisional authorization by DHS, GSA,
+  DOD. Hardest path, most reusable across agencies.
+- **Agency:** authorization by a single federal agency for its own use. Faster
+  but less portable.
+
+Requires continuous monitoring (monthly scans, annual assessments, POA&M
+for findings).
+
+** Who must comply
+
+Any cloud service provider that sells to US federal agencies. Including
+IaaS, PaaS, SaaS. FedRAMP Marketplace lists authorized providers — agencies
+are strongly discouraged from using non-authorized services.
+
+** Penalties
+
+No direct fines. Non-authorized providers are simply ineligible for federal
+contracts. FedRAMP is a procurement gate, not a regulatory one.
+
+** Why it matters for the triad
+
+FedRAMP is the highest bar and the most expensive certification to obtain.
+Few cloud providers achieve it (fewer than 300 authorized products as of 2025).
+But those that do capture the US government market with minimal competition.
+For the triad: a [[file:compute-marketplace.org][compute marketplace]] provider with FedRAMP Moderate or High
+authorization can sell to every federal agency. The gate stack's deterministic
+audit trail maps directly to FedRAMP's continuous monitoring requirement —
+producing verifiable evidence of control effectiveness on every access, not
+just during the annual assessment. This is what justifies the
+[[file:domain-gate-packages.org][FedRAMP gate package]] at $100K/yr (the highest price) — it is not a software
+package, it is the evidence pipeline for a certification that costs $1M-$5M
+and 12-36 months to obtain independently. The [[file:verification-monopoly.org][verification monopoly]] argument
+applies hardest here: an agency that has relied on a FedRAMP-authorized compute
+provider for five years cannot switch without re-running the entire authorization
+process with a new provider.
+

ideas/compliance/first-mover-window.org

@@ -0,0 +1,23 @@
+:PROPERTIES:
+:ID:       auto-first-mover-window
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: First-Mover Window Analysis
+#+filetags: :passepartout:compliance:strategy:first-mover:
+
+* First-Mover Window Analysis
+
+The first-mover window is the time in which a new compliance tool can establish
+dominance before incumbents respond or the market settles on a standard approach.
+
+| Window | Frameworks | Rationale |
+|--------|-----------|-----------|
+| **Critical (<12 months)** | EU AI Act (Aug 2026 effective), NIS2 (Oct 2025 deadline), DORA (Jan 2025 — already in effect) | Regulation is active or imminent. Buyers are desperate. No established vendor. |
+| **Wide (12-36 months)** | DPDP Act 2023 (rules drafting), India privacy; Privacy Act Review (Australia); Quebec Law 25; CRA phased enforcement | Regulation not yet fully enforced. Rules being written. Market forming. |
+| **Mature (commodity)** | GDPR (2018), SOX (2002), HIPAA (1996), GLBA (1999), Basel III (2010), FATF 40 Recs | Market has established vendors. First-mover advantage requires displacing incumbents via superior architecture. |
+| **Latent (undiscovered)** | OECD AI Principles, UN/CEFACT, World Bank ESF, IFC PS | Compliance exists but is document-based or consultant-delivered. No software market has formed. The first gate package creates the category. |
+
+
+
+See also: [[file:_index.org][Compliance index]], [[file:revenue-table.org][Revenue table]],
+[[file:../../ideas/verification-appliance.org][Verification appliance]], [[file:../../ideas/verification-monopoly.org][Verification monopoly]]

ideas/compliance/gdpr.org

@@ -0,0 +1,54 @@
+:PROPERTIES:
+:ID:       auto-gdpr
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: GDPR (General Data Protection Regulation)
+#+filetags: :passepartout:compliance:framework:gdpr:
+
+* GDPR (General Data Protection Regulation)
+
+** What it is
+
+EU regulation (effective May 2018) governing the processing of personal data of
+natural persons in the EU. Extraterritorial — applies to any organization
+processing EU personal data regardless of where the organization is based.
+
+Key requirements:
+- Lawful basis for processing (consent, contract, legal obligation, vital
+  interests, public task, legitimate interests)
+- Data minimization — collect only what is necessary
+- Purpose limitation — do not reuse data for incompatible purposes
+- Storage limitation — delete when no longer needed
+- Right of access, rectification, erasure (right to be forgotten),
+  data portability, restriction, objection
+- Data Protection Impact Assessment (DPIA) for high-risk processing
+- Breach notification within 72 hours to supervisory authority
+- Data Protection Officer (DPO) appointment for certain controllers/processors
+- Data Processing Agreements (DPAs) between controllers and processors
+
+** Who must comply
+
+Any organization that processes personal data of EU residents. Includes
+controllers (determine purposes and means) and processors (process on behalf
+of controller). Non-EU organizations with EU data subjects are in scope.
+
+** Penalties
+
+Up to 20M EUR or 4% of annual global turnover, whichever is higher. Tiered
+system. Supervisory authorities in each member state enforce. Private right
+of action for damages.
+
+** Why it matters for the triad
+
+GDPR is the most extraterritorial and aggressively enforced privacy framework.
+The gate stack's principle of least privilege maps naturally to GDPR's data
+minimization requirement. Every data access is gated by a verified rule that
+states the purpose — the proof log is a built-in DPIA artifact. For the
+[[file:compute-marketplace.org][compute marketplace]]: a provider processing proofs on EU users' gate data must
+maintain DPAs with all clients. Proof logs themselves may constitute personal
+data if they reference natural persons (names in access rules, etc.), creating
+a demand for privacy-preserving proof techniques. This is why the
+[[file:domain-gate-packages.org][GDPR gate package]] includes data-processing agreement templates and
+purpose-boundary gate rules that are independently verified by the provider's
+[[file:evaluation-harness.org][evaluation harness]].
+

ideas/compliance/glba.org

@@ -0,0 +1,23 @@
+:PROPERTIES:
+:ID:       auto-glba
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: 
+#+filetags: :passepartout:compliance:framework:glba:
+
+
+US federal law governing financial institutions' handling of nonpublic personal
+information (NPI). Requires privacy notices, opt-out rights, and a Safeguards
+Rule requiring an information security program.
+
+Who must comply: Banks, credit unions, insurance companies, securities firms,
+financial advisers. ~20,000 institutions.
+
+Penalties: FTC-enforced. Civil penalties up to $100K per violation; officers
+and directors personally liable.
+
+Why it matters: The Safeguards Rule maps directly to gate stack access controls.
+Every NPI access is gated; the proof log is the security program's evidence.
+First-mover advantage is narrow (GLBA is well-understood) but the market is
+large because every financial institution that dodges HIPAA still faces GLBA.
+

ideas/compliance/hipaa.org

@@ -0,0 +1,44 @@
+:PROPERTIES:
+:ID:       auto-hipaa
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: HIPAA (Health Insurance Portability and Accountability Act)
+#+filetags: :passepartout:compliance:framework:hipaa:
+
+* HIPAA (Health Insurance Portability and Accountability Act)
+
+** What it is
+
+US federal law enacted 1996. Governs how protected health information (PHI)
+is stored, transmitted, and accessed. Two relevant rules:
+
+- **Privacy Rule:** controls use and disclosure of PHI. Patients have rights
+  to access, amend, and request accounting of disclosures. Minimum necessary
+  standard — only the minimum PHI needed for the task may be used.
+- **Security Rule:** administrative, physical, and technical safeguards for
+  electronic PHI (ePHI). Requires access controls, audit controls, integrity
+  controls, person/entity authentication, and transmission security.
+
+** Who must comply
+
+Covered entities (health plans, healthcare clearinghouses, healthcare providers
+who transmit any ePHI) and business associates (any vendor handling PHI on behalf
+of a covered entity). Business Associate Agreements (BAAs) are mandatory.
+
+** Penalties
+
+Tiered civil penalties: $100-$50,000 per violation, up to $1.5M per year per
+violation category. Criminal penalties for knowing misuse (up to 10 years
+imprisonment). State AGs can also bring civil actions.
+
+** Why it matters for the triad
+
+HIPAA is the largest single compliance market in US healthcare — every hospital,
+clinic, insurer, and health-tech vendor must comply. The [[file:domain-gate-packages.org][HIPAA gate package]]
+($50K/yr) encodes the Privacy Rule and Security Rule as ACL2-verifiable gate
+constraints. Every PHI access attempt passes through the gate stack, producing
+a machine-checkable audit trail that satisfies the Security Rule's audit control
+requirement automatically. No separate logging infrastructure needed. Over a
+five-year deployment, the accumulated fact store and proof history create
+[[file:infrastructure-lock-in.org][infrastructure lock-in]] — switching to a competitor means discarding all of it.
+

ideas/compliance/ifc-ps.org

@@ -0,0 +1,26 @@
+:PROPERTIES:
+:ID:       auto-ifc-ps
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: projects in 100+ countries. Also adopted by many multilateral development banks
+#+filetags: :passepartout:compliance:framework:ifc:
+
+projects in 100+ countries. Also adopted by many multilateral development banks
+(MDBs) as their standard.
+
+Why it matters: ESF compliance is condition precedent to World Bank disbursement.
+Delays in compliance verification delay project funding. The gate stack's
+deterministic rule system can encode ESF standards as execution gates — "no
+disbursement unless ESS5 resettlement plan is verified complete." First-mover
+advantage: World Bank compliance is entirely document-based (reports, audits,
+site visits). A verified gate system is unprecedented.
+
+** IFC Performance Standards (PS)
+
+International Finance Corporation's standards for environmental and social
+sustainability in private sector investment. Eight standards: PS1 (risk
+management), PS2 (labor), PS3 (resource efficiency), PS4 (community health),
+PS5 (land/resettlement), PS6 (biodiversity), PS7 (indigenous peoples), PS8
+(cultural heritage). Adopted by over 80 Equator Principles financial
+institutions (project finance lenders).
+

ideas/compliance/ifrs.org

@@ -0,0 +1,26 @@
+:PROPERTIES:
+:ID:       auto-ifrs
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: 
+#+filetags: :passepartout:compliance:framework:ifrs:
+
+
+Who must comply: IFC investees and clients; any project finance deal under
+the Equator Principles.
+
+Why it matters: The Equator Principles affect $100B+/yr in project finance.
+Compliance verification is done by external consultants. The gate stack can
+automate the evidence collection and provide verifiable proof that each PS
+requirement has been met before financial close. First-mover advantage: no
+vendor serves this market with automation — it is entirely consultant-delivered.
+
+** IFRS (International Financial Reporting Standards)
+
+International accounting standards (IFRS Foundation, 166 jurisdictions). IFRS 17
+(insurance contracts, effective 2023) and IFRS 9 (financial instruments) are the
+most rule-complex — requiring actuarial models, expected credit loss calculations,
+and contract classification algorithms.
+
+Who must comply: Publicly listed companies in 166 jurisdictions including the
+EU, UK, Japan, Australia, Canada (2024), Brazil, India, South Korea, and most

ideas/compliance/irap.org

@@ -0,0 +1,23 @@
+:PROPERTIES:
+:ID:       auto-irap
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: 
+#+filetags: :passepartout:compliance:framework:irap:
+
+
+** IRAP (Infosec Registered Assessors Program)
+
+Australian government's cloud security assessment program — analogous to
+FedRAMP. Cloud services used by Australian government agencies must have an
+IRAP assessment. Managed by the Australian Cyber Security Centre (ACSC).
+Assessment levels: Protected (highest), Secret (top secret), Unclassified DLM.
+
+Who must comply: Cloud providers selling to Australian federal, state, and
+local government agencies. Also critical infrastructure providers.
+
+Why it matters: Like FedRAMP and ISMAP, IRAP is a procurement gate. An IRAP
+Protected-level assessment is expensive and takes 6-12 months. First-mover
+advantage: the gate stack's deterministic audit trail can be the primary
+evidence artifact, reducing assessment scope/cost.
+

ideas/compliance/ismap.org

@@ -0,0 +1,24 @@
+:PROPERTIES:
+:ID:       auto-ismap
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: is moderate — few non-Japanese vendors target APPI specifically, and the 2022
+#+filetags: :passepartout:compliance:framework:ismap:
+
+is moderate — few non-Japanese vendors target APPI specifically, and the 2022
+amendments added requirements that created compliance gaps.
+
+** ISMAP (Government Information System Security Management and Assessment Program)
+
+Japan's government cloud security program — analogous to FedRAMP. Cloud services
+used by Japanese government agencies must be ISMAP-authorized. Managed by the
+Digital Agency and the Information-technology Promotion Agency (IPA).
+
+Who must comply: Cloud service providers selling to Japanese national and local
+government agencies.
+
+Why it matters: Like FedRAMP, ISMAP is a procurement gate. Authorization is
+time-consuming and expensive. A compute marketplace provider with ISMAP
+authorization has exclusive access to the Japanese government market. First-mover
+advantage is significant — as of 2025, fewer than 100 services are ISMAP-registered.
+

ideas/compliance/iso-27001.org

@@ -0,0 +1,31 @@
+:PROPERTIES:
+:ID:       auto-iso-27001
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: 
+#+filetags: :passepartout:compliance:framework:iso:
+
+
+International standard for information security management systems (ISMS).
+The most widely adopted security certification globally — ~60,000 certified
+organizations. Requires: risk assessment, security controls (Annex A, 93
+controls across 4 domains), continuous improvement (Plan-Do-Check-Act),
+management review, internal audit.
+
+Who must comply: Self-selected — enterprises pursue ISO 27001 certification
+because supply chain partners and regulators require it. Increasingly mandatory
+for: cloud providers, government contractors, critical infrastructure, and
+regulated financial institutions in multiple jurisdictions.
+
+Penalties: No direct fines. Losing certification means losing business.
+
+Why it matters: ISO 27001 is the universal baseline. It is the entry-level
+certification that opens every other regulated market. The gate stack maps
+to Annex A controls directly (A.9 access control, A.12 operations security,
+A.16 incident management, A.18 compliance). First-mover advantage: the ISO
+27001 audit market is mature ($68B) and entirely manual (auditors flip through
+binders). A gate stack that produces audit evidence automatically is not
+competing with other software — it is competing with binders.
+
+** ISO 27701 (Privacy Information Management — PIMS extension to ISO 27001)
+

ideas/compliance/iso-27701.org

@@ -0,0 +1,20 @@
+:PROPERTIES:
+:ID:       auto-iso-27701
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: 
+#+filetags: :passepartout:compliance:framework:iso:
+
+
+International standard extending ISO 27001 for privacy information management.
+Aligns with GDPR requirements. Provides a framework for PII (personally
+identifiable information) controllers and processors.
+
+Why it matters: ISO 27701 bridges information security and privacy compliance.
+An organization with ISO 27001 + ISO 27701 certification has a unified
+audit framework. The gate stack's access control gates + privacy gates satisfy
+both standards from the same infrastructure. First-mover advantage: adoption is
+growing but still low (~1,000 certifications). Early gate package captures the
+growth market.
+
+** Basel III (Bank for International Settlements — Basel Committee)

ideas/compliance/lfp-dppp.org

@@ -0,0 +1,24 @@
+:PROPERTIES:
+:ID:       auto-lfp-dppp
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: 
+#+filetags: :passepartout:compliance:framework:lfp:
+
+
+Mexico's federal privacy law (effective 2010, reformed 2024). Key requirements:
+consent, notice (privacy notice must specify the "responsible party"), purpose
+limitation, data subject rights (ARCO — access, rectification, cancellation,
+opposition + deletion, portability), cross-border data transfer limitations,
+security breach notification. INAI (National Institute for Transparency,
+Access to Information and Personal Data Protection) enforces.
+
+Penalties: Up to 1.9M days of minimum wage (~$5M USD); INAI can also
+suspend data processing.
+
+Why it matters: USMCA (US-Mexico-Canada Agreement) trade obligations are
+pushing toward privacy regime interoperability. A bilingual (Spanish/English)
+gate package covering both LFPDPPP and US frameworks serves the massive
+US-Mexico cross-border commerce market. First-mover advantage: LFPDPPP is
+less automated than GDPR; the market has fewer vendors and lower expectations.
+

ideas/compliance/lgpd.org

@@ -0,0 +1,28 @@
+:PROPERTIES:
+:ID:       auto-lgpd
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: 
+#+filetags: :passepartout:compliance:framework:lgpd:
+
+
+Brazil's comprehensive privacy law (effective 2020, fines effective 2023).
+Modeled on GDPR but with differences: LGPD defines "data processing agents"
+(controller and operator), requires appointment of DPO (data protection officer),
+mandates breach notification to ANPD (National Data Protection Authority) and
+affected data subjects. 10 legal bases for processing (vs 6 in GDPR).
+
+Penalties: Up to 2% of revenue in Brazil per violation, capped at 50M BRL
+(~$10M) per violation. ANPD can also order suspension of processing, partial
+or total prohibition of database operation.
+
+Who must comply: Any organization (public or private) processing personal data
+of Brazilian residents, regardless of where the organization is based. No
+revenue threshold.
+
+Why it matters: LGPD affects every business operating in Latin America's largest
+economy. The 2% revenue penalty structure creates strong economic incentive.
+First-mover advantage: fewer compliance automation vendors in the Portuguese
+market. A Portuguese-language gate package with LGPD-specific consent and data
+subject rights gates captures a market of 210M people.
+

ideas/compliance/nis2.org

@@ -0,0 +1,34 @@
+:PROPERTIES:
+:ID:       auto-nis2
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: 
+#+filetags: :passepartout:compliance:framework:nis2:
+
+
+EU directive (effective October 2024, member states transpose by October 2025).
+Replaces NIS (2016). Expands scope from 7 sectors to 15, covering: energy,
+transport, banking, financial market infrastructure, health, drinking water,
+wastewater, digital infrastructure, ICT service management, public administration,
+space, postal services, food, chemicals, manufacturing (critical products).
+
+Key requirements: risk management measures (supply chain security, incident
+handling, business continuity), incident notification (24-hour early warning,
+72-hour full report), C-level accountability (management can be held personally
+liable for non-compliance), supply chain security for critical vendors.
+
+Who must comply: ~160,000 entities across EU (up from ~30,000 under NIS).
+Two tiers: essential (strict) and important (moderate). Extraterritorial — any
+organization providing services to EU entities in covered sectors.
+
+Penalties: Up to 10M EUR or 2% of global turnover (essential entities). Personal
+liability for management.
+
+Why it matters: NIS2 is the largest European cybersecurity mandate ever.
+Every requirement maps to a gate rule: supply chain access verification,
+incident notification triggers, business continuity approval chains. First-mover
+advantage is urgent — the transposition deadline is October 2025 (17 months).
+Organizations need gate packages now. No competitor has a declarative gate
+model that maps to NIS2 requirements. $50K/yr NIS2 gate package is a fast sell.
+
+** EU AI Act

ideas/compliance/ny-dfs-500.org

@@ -0,0 +1,25 @@
+:PROPERTIES:
+:ID:       auto-ny-dfs-500
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: 
+#+filetags: :passepartout:compliance:framework:ny:
+
+
+** NY DFS 500 (23 NYCRR 500)
+
+New York State Department of Financial Services cybersecurity regulation for
+financial services. The most aggressive US state-level financial cybersecurity
+rule. Requires: risk assessment, penetration testing, multi-factor authentication,
+incident response plan, annual certification of compliance by the board.
+
+Who must comply: Any entity regulated by NY DFS — banks, insurers, mortgage
+brokers, virtual currency companies operating in New York. ~3,000 institutions.
+
+Penalties: $200K-$1M per violation; business license revocation possible.
+
+Why it matters: The annual board certification requirement creates demand for
+verifiable evidence of control effectiveness — exactly what the gate stack
+produces. First-mover advantage is significant (few vendors target NY DFS 500
+specifically) and the regulation is a template that other states are adopting.
+

ideas/compliance/oecd.org

@@ -0,0 +1,23 @@
+:PROPERTIES:
+:ID:       auto-oecd
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: verification path, and produce an auditable trail for every suspicion
+#+filetags: :passepartout:compliance:framework:oecd:
+
+verification path, and produce an auditable trail for every suspicion
+determination. First-mover advantage: AML compliance is a $50B+ market
+dominated by legacy vendors (LexisNexis, Thomson Reuters, FICO). None use
+formal verification. The gate stack's proof log is a "deterministic audit
+trail" that regulators would recognize as superior to the current paper-trail
+approach.
+
+** OECD Privacy Guidelines and AI Principles
+
+OECD Privacy Guidelines (revised 2013): Eight principles — collection limitation,
+data quality, purpose specification, use limitation, security safeguards,
+openness, individual participation, accountability. Non-binding but foundational
+— the basis for GDPR, APPI, LGPD, and most other privacy laws.
+
+OECD AI Principles (adopted 2019, updated 2024): Five values-based principles
+— inclusive growth and well-being, human-centered values and fairness,

ideas/compliance/pipa.org

@@ -0,0 +1,30 @@
+:PROPERTIES:
+:ID:       auto-pipa
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: 
+#+filetags: :passepartout:compliance:framework:pipa:
+
+
+South Korea's comprehensive privacy law (enacted 2011, major amendments 2023
+and 2024). One of the strictest privacy regimes globally. Key requirements:
+consent, data minimization, purpose limitation, mandatory privacy impact
+assessment, data protection officer, breach notification within 72 hours,
+cross-border transfer restrictions, right to request data transmission
+(portability). The Personal Information Protection Commission (PIPC) enforces
+aggressively.
+
+Penalties: Up to 3% of revenue (raised from 0.5% in 2024 amendments). Criminal
+penalties up to 5 years imprisonment. PIPC has levied fines of 100B+ KRW (~$75M)
+against major tech companies. Class action lawsuits permitted.
+
+Who must comply: Any organization handling personal information of South Korean
+residents. Extraterritorial scope is broad and actively enforced.
+
+Why it matters: PIPA is structurally similar to GDPR but with stricter
+enforcement and higher penalties relative to market size. The gate stack's
+purpose-boundary gates map directly to PIPA's purpose limitation requirement.
+First-mover advantage is large — PIPA has fewer compliance automation vendors
+than GDPR, and the 2024 amendments (stricter consent, higher fines) are still
+settling.
+

ideas/compliance/privacy-act-aus.org

@@ -0,0 +1,30 @@
+:PROPERTIES:
+:ID:       auto-privacy-act-aus
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: 
+#+filetags: :passepartout:compliance:framework:privacy:
+
+
+Australia's federal privacy law (amended 2023-2025). Comprehensive reform in
+progress — the Privacy Act Review (2023) proposes significant expansion:
+tiered penalties up to $50M AUD (or 30% of turnover, or 3x benefit obtained),
+direct right of action for individuals, new tort of serious invasion of privacy,
+children's privacy code, automated decision-making transparency.
+
+Who must comply: Most Australian businesses with >$3M AUD turnover; all
+health service providers; all businesses handling tax file numbers. Extraterritorial
+— applies to any organization with an Australian link.
+
+Penalties: Current maximum $50M AUD (from amendments effective late 2024).
+OAIC (Office of the Australian Information Commissioner) enforces. New direct
+right of action will increase private litigation.
+
+Why it matters: The Privacy Act Review's proposed automated decision-making
+transparency requirements are unique — organizations must disclose the logic
+and expected outcomes of AI decisions. The gate stack's ACL2 proof log is the
+most defensible transparency artifact available. First-mover advantage: the
+reforms are being legislated now; early adoption positions the gate stack as
+the reference implementation.
+
+** APRA CPS 234 (Prudential Standard — Information Security)

ideas/compliance/quebec-law-25.org

@@ -0,0 +1,25 @@
+:PROPERTIES:
+:ID:       auto-quebec-law-25
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: gate rules. The gate stack can encode "this data flow crosses a CCPA boundary"
+#+filetags: :passepartout:compliance:framework:quebec:
+
+gate rules. The gate stack can encode "this data flow crosses a CCPA boundary"
+and automatically enforce the opt-out at every data access. First-mover
+advantage is moderate (many CCPA tools exist) but none provide a deterministic,
+verifiable audit trail — they are all document-based.
+
+** Canadian provincial privacy (Quebec Law 25, Ontario PHIPA)
+
+Quebec Law 25 (2023-2024 phased) is Canada's most aggressive privacy
+regulation — closer to GDPR than PIPEDA. Requires: privacy officer appointment,
+privacy impact assessments, consent modernization, data portability, right to
+de-index, algorithm transparency (automated decision-making disclosures).
+Penalties up to $25M CAD or 4% of global revenue.
+
+Why it matters: The algorithm transparency requirement is unique — organizations
+must disclose how automated decision systems work. The gate stack's ACL2 proof
+log is a natural algorithm transparency artifact. First-mover advantage: this
+is a new requirement with no established vendor tooling.
+

ideas/compliance/revenue-table.org

@@ -0,0 +1,60 @@
+:PROPERTIES:
+:ID:       auto-revenue-table
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: Compliance Framework Revenue Table
+#+filetags: :passepartout:compliance:revenue:pricing:
+
+* Expanded Revenue Table
+
+| Framework | Region | Gate price/yr | Addressable orgs | Revenue potential | First-mover window | Gate rule type |
+|-----------|--------|--------------|------------------|-------------------|---------------------|----------------|
+| HIPAA | US | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + access control |
+| SOC 2 | US/Global | $50K | 100K+ | $5B | Mature (incumbent disruption) | Access control + audit |
+| GDPR | EU | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + consent |
+| FedRAMP | US | $100K | 1K (providers) | $100M | Moderate (<300 authorized) | Continuous monitoring |
+| SOX | US | $50K | 10K | $500M | Mature (manual audit disruption) | Financial controls |
+| GLBA | US | $40K | 20K | $800M | Moderate | Financial privacy |
+| NY DFS 500 | US (NY) | $30K | 3K | $90M | Wide | Cybersecurity controls |
+| CCPA/CPRA | US (CA) | $40K | 50K+ | $2B | Moderate | Privacy opt-out flows |
+| NIS2 | EU | $50K | 160K | $8B | Critical (2025) | Cybersecurity + supply chain |
+| EU AI Act | EU | $75K | 100K+ | $7.5B | Critical (Aug 2026) | AI risk management |
+| DORA | EU | $50K | 22K+ | $1.1B | Critical (in effect) | ICT resilience |
+| eIDAS 2.0 | EU | $30K | 10K+ | $300M | Wide (wallet buildout) | Identity gates |
+| CRA | EU | $40K | 50K+ | $2B | Wide (phased 2025-2027) | Product security |
+| UK GDPR | UK | $40K | 100K+ | $4B | Mature (GDPR derivative) | Privacy |
+| APPI | Japan | $40K | 100K+ | $4B | Moderate | Cross-border privacy |
+| ISMAP | Japan | $75K | 500 (providers) | $37.5M | Wide (<100 registered) | Gov cloud assessment |
+| PIPA | South Korea | $35K | 50K+ | $1.75B | Wide (2024 amendments settling) | Privacy + consent |
+| Privacy Act | Australia | $35K | 50K+ | $1.75B | Wide (reforms legislating) | Privacy + AI transparency |
+| APRA CPS 234 | Australia | $40K | 500 | $20M | Moderate | Info security controls |
+| IRAP | Australia | $75K | 300 (providers) | $22.5M | Wide | Gov cloud assessment |
+| DPDP Act | India | $30K | 500K+ | $15B | Wide (rules drafting) | Privacy + consent |
+| LGPD | Brazil | $30K | 200K+ | $6B | Moderate | Privacy |
+| LFPDPPP | Mexico | $25K | 50K+ | $1.25B | Wide | Privacy |
+| ISO 27001 | Global | $40K | 60K+ | $2.4B | Mature (manual disruption) | ISMS controls |
+| ISO 27701 | Global | $35K | 1K+ | $35M | Wide (growing) | Privacy management |
+| Basel III | Global (banking) | $100K | 500 (G-SIBs) | $50M | Mature (incumbent disruption) | Capital adequacy |
+| FATF AML/CFT | Global | $50K | 50K+ | $2.5B | Mature (incumbent disruption) | CDD + screening |
+| IFRS 17 | Global (insurance) | $75K | 5K+ | $375M | Mature (actuarial verification) | Contract classification |
+| UN/CEFACT | Global (trade) | $30K | 50K+ | $1.5B | Latent (no market exists) | Cross-border data rules |
+| World Bank ESF | Global (dev finance) | $50K | 1K+ (projects) | $50M | Latent (no market exists) | ES compliance gates |
+| IFC PS | Global (project finance) | $50K | 500+ (deals) | $25M | Latent (no market exists) | ES compliance gates |
+
+A compute marketplace provider with authorization in 5+ frameworks (FedRAMP + 
+ISMAP + IRAP + SOC 2 + ISO 27001) becomes the default infrastructure provider
+for regulated cloud globally. The gate package portfolio alone — a mid-size
+enterprise running 10+ packages — generates $500K/yr+ in recurring revenue.
+At 10,000 such enterprises: $5B/yr. The first-mover advantage is not about any
+single framework — it is about being the first to offer a unified gate stack
+that maps to all of them.
+
+
+A compute marketplace provider with authorization in 5+ frameworks (FedRAMP +
+ISMAP + IRAP + SOC 2 + ISO 27001) becomes the default infrastructure provider
+for regulated cloud globally. The gate package portfolio alone — a mid-size
+enterprise running 10+ packages — generates $500K/yr+ in recurring revenue.
+At 10,000 such enterprises: $5B/yr.
+
+See also: [[file:_index.org][Compliance index]], [[file:first-mover-window.org][First-mover window analysis]],
+[[file:../../ideas/verification-monopoly.org][Verification monopoly]], [[file:../../ideas/compute-marketplace.org][Compute marketplace]]

ideas/compliance/soc2.org

@@ -0,0 +1,53 @@
+:PROPERTIES:
+:ID:       auto-soc2
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: SOC 2 (System and Organization Controls 2)
+#+filetags: :passepartout:compliance:framework:soc2:
+
+* SOC 2 (System and Organization Controls 2)
+
+** What it is
+
+An auditing standard developed by AICPA (American Institute of CPAs). Not a law.
+Certifies that a service organization's controls over security, availability,
+processing integrity, confidentiality, and privacy meet defined criteria.
+
+Five Trust Service Criteria (TSC):
+- **Security** (mandatory): protection against unauthorized access (firewall,
+  access control, intrusion detection)
+- **Availability** (optional): system available for operation and use as
+  committed (uptime, redundancy, disaster recovery)
+- **Processing Integrity** (optional): system processing is complete, valid,
+  accurate, timely, and authorized
+- **Confidentiality** (optional): information designated as confidential is
+  protected as committed
+- **Privacy** (optional): personal information is collected, used, retained,
+  disclosed, and disposed of in conformity with commitments
+
+Two types:
+- **Type I:** controls are suitably designed at a specific point in time
+- **Type II:** controls operated effectively over a period (6-12 months)
+
+** Who must comply
+
+Any SaaS or cloud service provider whose enterprise customers require audited
+vendors. Table stakes for B2B — most enterprise procurement contracts require
+SOC 2 Type II.
+
+** Penalties
+
+No direct fines (not a law). But losing SOC 2 certification means losing
+enterprise customers. Misrepresentation of certification status is fraud.
+
+** Why it matters for the triad
+
+SOC 2 is the entry-level certification for the [[file:compute-marketplace.org][compute marketplace]]. A provider
+needs SOC 2 Type II to sell compute to enterprises whose procurement policy
+requires audited vendors. The gate stack itself maps directly to the Security
+criterion (access controls, audit trails) — the Passepartout instance's
+deterministic gate log serves as the evidence artifact for the audit. No
+separate logging SIEM needed. This is the prerequisite to the larger
+[[file:verification-monopoly.org][verification monopoly]] play — once enterprises trust the audit trail, they
+buy domain-specific gate packages for the same infrastructure.
+

ideas/compliance/sox.org

@@ -0,0 +1,27 @@
+:PROPERTIES:
+:ID:       auto-sox
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: 
+#+filetags: :passepartout:compliance:framework:sox:
+
+
+US federal law (2002). Mandates internal controls over financial reporting
+(ICFR) for publicly traded companies. Section 404 requires management to assess
+and auditors to attest to the effectiveness of internal controls.
+
+Who must comply: All US public companies; foreign issuers trading on US exchanges.
+~6,000 public companies + foreign filers.
+
+Penalties: Up to $5M fines and 20 years imprisonment for certifying false
+financial statements. CEO and CFO personally liable.
+
+Why it matters: Every financial control is a gate rule — who can approve a
+journal entry, who can release a payment, who can modify a vendor record. The
+gate stack encodes these as ACL2-verified rules and produces the audit trail
+that the external auditor needs for Section 404 attestation. First-mover
+advantage: SOX is mature (24 years old) but the audit market is $4B+ and
+entirely manual — no competitor has automated the evidence pipeline.
+
+** GLBA (Gramm-Leach-Bliley Act)
+

ideas/compliance/uk-gdpr.org

@@ -0,0 +1,21 @@
+:PROPERTIES:
+:ID:       auto-uk-gdpr
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: 
+#+filetags: :passepartout:compliance:framework:uk:
+
+
+Post-Brexit, the UK maintains its own version of GDPR via the Data Protection
+Act 2018. Substantively identical to EU GDPR but diverging over time. The UK
+has announced separate reforms targeting AI and digital identity. ICO (Information
+Commissioner's Office) enforces. Maximum fines: 17.5M GBP or 4% of global turnover.
+
+Why it matters: UK GDPR is EU GDPR's twin market — any gate package designed
+for EU GDPR ports directly with verified translation of terminology (supervisory
+authority → ICO, DPA → equivalent UK contract clauses). The gate stack's ACL2
+prover can verify that the UK version's rules are consistent with the EU version
+(and alert when they diverge). This is a concrete ACL2 application.
+
+** NIS2 (Network and Information Security Directive)
+

ideas/compliance/un-cefact.org

@@ -0,0 +1,35 @@
+:PROPERTIES:
+:ID:       auto-un-cefact
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: EU, UK, Japan, Australia, Canada (2024), Brazil, India, South Korea, and most
+#+filetags: :passepartout:compliance:framework:un:
+
+EU, UK, Japan, Australia, Canada (2024), Brazil, India, South Korea, and most
+of Asia and Africa. The US (GAAP) is the major holdout.
+
+Why it matters: IFRS 17 and IFRS 9 are algorithmically complex rule sets.
+Getting an actuarial model or credit loss calculation wrong is a financial
+reporting error. The gate stack's ACL2 prover can verify that the calculation
+implementations match the standard's mathematical requirements. First-mover
+advantage: IFRS 17 was the largest accounting change in a decade. Implementation
+was a crisis for insurers. The next wave (IFRS 18, sustainability disclosures
+via ISSB) is coming. A verified IFRS gate package is a unique value proposition.
+
+** UN/CEFACT (UN Centre for Trade Facilitation and Electronic Business)
+
+UN standards for electronic data interchange (EDI), trade facilitation, and
+cross-border data exchange. Key standards: UN/EDIFACT (trade data), Core
+Component Library (CCL), Multi-Modal Transport Reference Data Model. Basis
+for WTO Trade Facilitation Agreement compliance.
+
+Who must comply: Customs authorities, logistics providers, trade finance banks,
+exporters/importers in 170+ WTO member countries.
+
+Why it matters: Cross-border trade data exchange is rule-intensive (tariff
+classification, rules of origin, customs valuation, sanitary/phytosanitary
+requirements). The gate stack can encode trade compliance rules and prove that
+every cross-border data exchange satisfies the applicable regulation. First-mover
+advantage: trade compliance is a $15B market dominated by legacy SAP/Oracle
+modules and customs brokerages. None use verification.
+

ideas/compliance/world-bank-esf.org

@@ -0,0 +1,28 @@
+:PROPERTIES:
+:ID:       auto-world-bank-esf
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: — inclusive growth and well-being, human-centered values and fairness,
+#+filetags: :passepartout:compliance:framework:world:
+
+— inclusive growth and well-being, human-centered values and fairness,
+transparency and explainability, robustness and safety, accountability.
+Non-binding but influential — the AI Act, Canada's AIDA, and Japan's AI
+guidelines all cite them.
+
+Why it matters: The OECD frameworks are indirect revenue drivers. Regulatory
+alignment with OECD principles is often a procurement requirement for
+international organizations and development finance institutions. First-mover
+advantage is about standard-setting: the gate package that maps to OECD
+principles first becomes the reference implementation.
+
+** World Bank Environmental and Social Framework (ESF)
+
+The World Bank's framework for managing environmental and social risk in
+investment projects. Ten standards: ESS1 (assessment), ESS2 (labor), ESS3
+(resource efficiency), ESS4 (community health), ESS5 (land/resettlement),
+ESS6 (biodiversity), ESS7 (indigenous peoples), ESS8 (cultural heritage),
+ESS9 (financial intermediaries), ESS10 (stakeholder engagement).
+
+Who must comply: Borrowers and project implementers across World Bank-financed
+projects in 100+ countries. Also adopted by many multilateral development banks