gbrain: sync converted org-mode brain files

2026-05-23 06:35:21 +00:00
parent 3f38e87f4f
commit 44299599f9
38 changed files with 1248 additions and 856 deletions
--- a/ideas/compliance-framework-mapping.org
+++ b/ideas/compliance-framework-mapping.org
@@ -1,846 +1,48 @@
 :PROPERTIES:
 :ID:       e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c
 :CREATED:  [2026-05-23 Sat]
 :UPDATED:  [2026-05-23 Sat]
 :END:
-#+title: Compliance Framework Mapping — Global Regulated Industries (Triad-Wide)
+#+title: Compliance Framework Mapping — Global Regulated Industries
-#+filetags: :passepartout:triad:compliance:global:oecd:regulation:mapping:
+#+filetags: :passepartout:triad:compliance:global:index:
-
+
-The verification monopoly and domain gate package revenue streams depend on
+This file has been split into atomic framework notes under [[file:compliance/][compliance/]].
-selling into regulated industries. These industries buy compliance, not software.
+
-The four frameworks below are the most commonly referenced across the triad
+See [[file:compliance/_index.org][Compliance framework index]] for the hub with per-framework links.
-knowledge base. This file defines each one, the economic pressure it creates,
+See [[file:compliance/first-mover-window.org][First-mover window analysis]] for timing.
-and where it maps to the revenue model.
+See [[file:compliance/revenue-table.org][Revenue table]] for pricing and TAM.
-
+
-* HIPAA (Health Insurance Portability and Accountability Act)
+Each framework is its own file in [[file:compliance/][compliance/]]:
-
+- [[file:compliance/hipaa.org][HIPAA]]
-** What it is
+- [[file:compliance/soc2.org][SOC 2]]
-
+- [[file:compliance/gdpr.org][GDPR]]
-US federal law enacted 1996. Governs how protected health information (PHI)
+- [[file:compliance/fedramp.org][FedRAMP]]
-is stored, transmitted, and accessed. Two relevant rules:
+- [[file:compliance/sox.org][SOX]]
-
+- [[file:compliance/glba.org][GLBA]]
- **Privacy Rule:** controls use and disclosure of PHI. Patients have rights
+- [[file:compliance/ny-dfs-500.org][NY DFS 500]]
-  to access, amend, and request accounting of disclosures. Minimum necessary
+- [[file:compliance/ccpa-cpra.org][CCPA/CPRA]]
-  standard — only the minimum PHI needed for the task may be used.
+- [[file:compliance/quebec-law-25.org][Quebec Law 25]]
- **Security Rule:** administrative, physical, and technical safeguards for
+- [[file:compliance/uk-gdpr.org][UK GDPR]]
-  electronic PHI (ePHI). Requires access controls, audit controls, integrity
+- [[file:compliance/nis2.org][NIS2]]
-  controls, person/entity authentication, and transmission security.
+- [[file:compliance/eu-ai-act.org][EU AI Act]]
-
+- [[file:compliance/dora.org][DORA]]
-** Who must comply
+- [[file:compliance/eidas2.org][eIDAS 2.0]]
-
+- [[file:compliance/cra.org][CRA]]
-Covered entities (health plans, healthcare clearinghouses, healthcare providers
+- [[file:compliance/appi.org][APPI]]
-who transmit any ePHI) and business associates (any vendor handling PHI on behalf
+- [[file:compliance/ismap.org][ISMAP]]
-of a covered entity). Business Associate Agreements (BAAs) are mandatory.
+- [[file:compliance/pipa.org][PIPA]]
-
+- [[file:compliance/privacy-act-aus.org][Privacy Act Australia]]
-** Penalties
+- [[file:compliance/apra-cps-234.org][APRA CPS 234]]
-
+- [[file:compliance/irap.org][IRAP]]
-Tiered civil penalties: $100-$50,000 per violation, up to $1.5M per year per
+- [[file:compliance/dpdp-act.org][DPDP Act India]]
-violation category. Criminal penalties for knowing misuse (up to 10 years
+- [[file:compliance/lgpd.org][LGPD Brazil]]
-imprisonment). State AGs can also bring civil actions.
+- [[file:compliance/lfp-dppp.org][LFPDPPP Mexico]]
-
+- [[file:compliance/iso-27001.org][ISO 27001]]
-** Why it matters for the triad
+- [[file:compliance/iso-27701.org][ISO 27701]]
-
+- [[file:compliance/basel-iii.org][Basel III]]
-HIPAA is the largest single compliance market in US healthcare — every hospital,
+- [[file:compliance/fatf.org][FATF AML/CFT]]
-clinic, insurer, and health-tech vendor must comply. The [[file:domain-gate-packages.org][HIPAA gate package]]
+- [[file:compliance/ifrs.org][IFRS]]
-($50K/yr) encodes the Privacy Rule and Security Rule as ACL2-verifiable gate
+- [[file:compliance/oecd.org][OECD Privacy/AI]]
-constraints. Every PHI access attempt passes through the gate stack, producing
+- [[file:compliance/world-bank-esf.org][World Bank ESF]]
-a machine-checkable audit trail that satisfies the Security Rule's audit control
+- [[file:compliance/ifc-ps.org][IFC PS]]
-requirement automatically. No separate logging infrastructure needed. Over a
+- [[file:compliance/un-cefact.org][UN/CEFACT]]
 five-year deployment, the accumulated fact store and proof history create
 [[file:infrastructure-lock-in.org][infrastructure lock-in]] — switching to a competitor means discarding all of it.
 * SOC 2 (System and Organization Controls 2)
 ** What it is
 An auditing standard developed by AICPA (American Institute of CPAs). Not a law.
 Certifies that a service organization's controls over security, availability,
 processing integrity, confidentiality, and privacy meet defined criteria.
 Five Trust Service Criteria (TSC):
 - **Security** (mandatory): protection against unauthorized access (firewall,
  access control, intrusion detection)
 - **Availability** (optional): system available for operation and use as
  committed (uptime, redundancy, disaster recovery)
 - **Processing Integrity** (optional): system processing is complete, valid,
  accurate, timely, and authorized
 - **Confidentiality** (optional): information designated as confidential is
  protected as committed
 - **Privacy** (optional): personal information is collected, used, retained,
  disclosed, and disposed of in conformity with commitments
 Two types:
 - **Type I:** controls are suitably designed at a specific point in time
 - **Type II:** controls operated effectively over a period (6-12 months)
 ** Who must comply
 Any SaaS or cloud service provider whose enterprise customers require audited
 vendors. Table stakes for B2B — most enterprise procurement contracts require
 SOC 2 Type II.
 ** Penalties
 No direct fines (not a law). But losing SOC 2 certification means losing
 enterprise customers. Misrepresentation of certification status is fraud.
 ** Why it matters for the triad
 SOC 2 is the entry-level certification for the [[file:compute-marketplace.org][compute marketplace]]. A provider
 needs SOC 2 Type II to sell compute to enterprises whose procurement policy
 requires audited vendors. The gate stack itself maps directly to the Security
 criterion (access controls, audit trails) — the Passepartout instance's
 deterministic gate log serves as the evidence artifact for the audit. No
 separate logging SIEM needed. This is the prerequisite to the larger
 [[file:verification-monopoly.org][verification monopoly]] play — once enterprises trust the audit trail, they
 buy domain-specific gate packages for the same infrastructure.
 * GDPR (General Data Protection Regulation)
 ** What it is
 EU regulation (effective May 2018) governing the processing of personal data of
 natural persons in the EU. Extraterritorial — applies to any organization
 processing EU personal data regardless of where the organization is based.
 Key requirements:
 - Lawful basis for processing (consent, contract, legal obligation, vital
  interests, public task, legitimate interests)
 - Data minimization — collect only what is necessary
 - Purpose limitation — do not reuse data for incompatible purposes
 - Storage limitation — delete when no longer needed
 - Right of access, rectification, erasure (right to be forgotten),
  data portability, restriction, objection
 - Data Protection Impact Assessment (DPIA) for high-risk processing
 - Breach notification within 72 hours to supervisory authority
 - Data Protection Officer (DPO) appointment for certain controllers/processors
 - Data Processing Agreements (DPAs) between controllers and processors
 ** Who must comply
 Any organization that processes personal data of EU residents. Includes
 controllers (determine purposes and means) and processors (process on behalf
 of controller). Non-EU organizations with EU data subjects are in scope.
 ** Penalties
 Up to 20M EUR or 4% of annual global turnover, whichever is higher. Tiered
 system. Supervisory authorities in each member state enforce. Private right
 of action for damages.
 ** Why it matters for the triad
 GDPR is the most extraterritorial and aggressively enforced privacy framework.
 The gate stack's principle of least privilege maps naturally to GDPR's data
 minimization requirement. Every data access is gated by a verified rule that
 states the purpose — the proof log is a built-in DPIA artifact. For the
 [[file:compute-marketplace.org][compute marketplace]]: a provider processing proofs on EU users' gate data must
 maintain DPAs with all clients. Proof logs themselves may constitute personal
 data if they reference natural persons (names in access rules, etc.), creating
 a demand for privacy-preserving proof techniques. This is why the
 [[file:domain-gate-packages.org][GDPR gate package]] includes data-processing agreement templates and
 purpose-boundary gate rules that are independently verified by the provider's
 [[file:evaluation-harness.org][evaluation harness]].
 * FedRAMP (Federal Risk and Authorization Management Program)
 ** What it is
 US federal government's standardized approach to security assessment,
 authorization, and continuous monitoring for cloud services. OMB policy
 mandate — federal agencies must use FedRAMP-authorized services when available.
 Three impact levels based on data sensitivity:
 | Level   | Data type | Examples                        | Cost to achieve | Timeline |
 |---------|-----------|---------------------------------|-----------------|----------|
 | Low     | Public or low-sensitivity | Public websites, unclassified comms | $500K-$1M | 6-12 months |
 | Moderate | Controlled Unclassified Info (CUI) | Tax records, health data, law enforcement | $1M-$3M | 12-24 months |
 | High    | National security, classified | Defense, intelligence, critical infra | $3M-$5M | 18-36 months |
 Two authorization paths:
 - **JAB (Joint Authorization Board):** provisional authorization by DHS, GSA,
  DOD. Hardest path, most reusable across agencies.
 - **Agency:** authorization by a single federal agency for its own use. Faster
  but less portable.
 Requires continuous monitoring (monthly scans, annual assessments, POA&M
 for findings).
 ** Who must comply
 Any cloud service provider that sells to US federal agencies. Including
 IaaS, PaaS, SaaS. FedRAMP Marketplace lists authorized providers — agencies
 are strongly discouraged from using non-authorized services.
 ** Penalties
 No direct fines. Non-authorized providers are simply ineligible for federal
 contracts. FedRAMP is a procurement gate, not a regulatory one.
 ** Why it matters for the triad
 FedRAMP is the highest bar and the most expensive certification to obtain.
 Few cloud providers achieve it (fewer than 300 authorized products as of 2025).
 But those that do capture the US government market with minimal competition.
 For the triad: a [[file:compute-marketplace.org][compute marketplace]] provider with FedRAMP Moderate or High
 authorization can sell to every federal agency. The gate stack's deterministic
 audit trail maps directly to FedRAMP's continuous monitoring requirement —
 producing verifiable evidence of control effectiveness on every access, not
 just during the annual assessment. This is what justifies the
 [[file:domain-gate-packages.org][FedRAMP gate package]] at $100K/yr (the highest price) — it is not a software
 package, it is the evidence pipeline for a certification that costs $1M-$5M
 and 12-36 months to obtain independently. The [[file:verification-monopoly.org][verification monopoly]] argument
 applies hardest here: an agency that has relied on a FedRAMP-authorized compute
 provider for five years cannot switch without re-running the entire authorization
 process with a new provider.
 * US — Financial and Corporate Frameworks
 ** SOX (Sarbanes-Oxley Act)
 US federal law (2002). Mandates internal controls over financial reporting
 (ICFR) for publicly traded companies. Section 404 requires management to assess
 and auditors to attest to the effectiveness of internal controls.
 Who must comply: All US public companies; foreign issuers trading on US exchanges.
 ~6,000 public companies + foreign filers.
 Penalties: Up to $5M fines and 20 years imprisonment for certifying false
 financial statements. CEO and CFO personally liable.
 Why it matters: Every financial control is a gate rule — who can approve a
 journal entry, who can release a payment, who can modify a vendor record. The
 gate stack encodes these as ACL2-verified rules and produces the audit trail
 that the external auditor needs for Section 404 attestation. First-mover
 advantage: SOX is mature (24 years old) but the audit market is $4B+ and
 entirely manual — no competitor has automated the evidence pipeline.
 ** GLBA (Gramm-Leach-Bliley Act)
 US federal law governing financial institutions' handling of nonpublic personal
 information (NPI). Requires privacy notices, opt-out rights, and a Safeguards
 Rule requiring an information security program.
 Who must comply: Banks, credit unions, insurance companies, securities firms,
 financial advisers. ~20,000 institutions.
 Penalties: FTC-enforced. Civil penalties up to $100K per violation; officers
 and directors personally liable.
 Why it matters: The Safeguards Rule maps directly to gate stack access controls.
 Every NPI access is gated; the proof log is the security program's evidence.
 First-mover advantage is narrow (GLBA is well-understood) but the market is
 large because every financial institution that dodges HIPAA still faces GLBA.
 ** NY DFS 500 (23 NYCRR 500)
 New York State Department of Financial Services cybersecurity regulation for
 financial services. The most aggressive US state-level financial cybersecurity
 rule. Requires: risk assessment, penetration testing, multi-factor authentication,
 incident response plan, annual certification of compliance by the board.
 Who must comply: Any entity regulated by NY DFS — banks, insurers, mortgage
 brokers, virtual currency companies operating in New York. ~3,000 institutions.
 Penalties: $200K-$1M per violation; business license revocation possible.
 Why it matters: The annual board certification requirement creates demand for
 verifiable evidence of control effectiveness — exactly what the gate stack
 produces. First-mover advantage is significant (few vendors target NY DFS 500
 specifically) and the regulation is a template that other states are adopting.
 * US — State Privacy Frameworks
 ** CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)
 California's comprehensive privacy law — the closest US analogue to GDPR.
 CPRA (effective 2023) amended and strengthened CCPA. Key rights: right to
 know, delete, opt out of sale/sharing, correct inaccurate data, limit use
 of sensitive PI. Private right of action for data breaches.
 Who must comply: For-profit businesses with >$25M revenue, or handling >100K
 consumer records, or deriving >50% revenue from selling PI. Extraterritorial —
 applies to any business collecting CA resident data.
 Penalties: $2,500 per violation (intentional: $7,500). Private right of action
 for breaches: $100-$750 per incident per consumer. CPRA created the California
 Privacy Protection Agency (CPPA) for enforcement.
 Why it matters: The opt-out/sale/sharing requirements create complex data flow
 gate rules. The gate stack can encode "this data flow crosses a CCPA boundary"
 and automatically enforce the opt-out at every data access. First-mover
 advantage is moderate (many CCPA tools exist) but none provide a deterministic,
 verifiable audit trail — they are all document-based.
 ** Canadian provincial privacy (Quebec Law 25, Ontario PHIPA)
 Quebec Law 25 (2023-2024 phased) is Canada's most aggressive privacy
 regulation — closer to GDPR than PIPEDA. Requires: privacy officer appointment,
 privacy impact assessments, consent modernization, data portability, right to
 de-index, algorithm transparency (automated decision-making disclosures).
 Penalties up to $25M CAD or 4% of global revenue.
 Why it matters: The algorithm transparency requirement is unique — organizations
 must disclose how automated decision systems work. The gate stack's ACL2 proof
 log is a natural algorithm transparency artifact. First-mover advantage: this
 is a new requirement with no established vendor tooling.
 * UK and EU — Additional Frameworks
 ** UK GDPR / Data Protection Act 2018
 Post-Brexit, the UK maintains its own version of GDPR via the Data Protection
 Act 2018. Substantively identical to EU GDPR but diverging over time. The UK
 has announced separate reforms targeting AI and digital identity. ICO (Information
 Commissioner's Office) enforces. Maximum fines: 17.5M GBP or 4% of global turnover.
 Why it matters: UK GDPR is EU GDPR's twin market — any gate package designed
 for EU GDPR ports directly with verified translation of terminology (supervisory
 authority → ICO, DPA → equivalent UK contract clauses). The gate stack's ACL2
 prover can verify that the UK version's rules are consistent with the EU version
 (and alert when they diverge). This is a concrete ACL2 application.
 ** NIS2 (Network and Information Security Directive)
 EU directive (effective October 2024, member states transpose by October 2025).
 Replaces NIS (2016). Expands scope from 7 sectors to 15, covering: energy,
 transport, banking, financial market infrastructure, health, drinking water,
 wastewater, digital infrastructure, ICT service management, public administration,
 space, postal services, food, chemicals, manufacturing (critical products).
 Key requirements: risk management measures (supply chain security, incident
 handling, business continuity), incident notification (24-hour early warning,
 72-hour full report), C-level accountability (management can be held personally
 liable for non-compliance), supply chain security for critical vendors.
 Who must comply: ~160,000 entities across EU (up from ~30,000 under NIS).
 Two tiers: essential (strict) and important (moderate). Extraterritorial — any
 organization providing services to EU entities in covered sectors.
 Penalties: Up to 10M EUR or 2% of global turnover (essential entities). Personal
 liability for management.
 Why it matters: NIS2 is the largest European cybersecurity mandate ever.
 Every requirement maps to a gate rule: supply chain access verification,
 incident notification triggers, business continuity approval chains. First-mover
 advantage is urgent — the transposition deadline is October 2025 (17 months).
 Organizations need gate packages now. No competitor has a declarative gate
 model that maps to NIS2 requirements. $50K/yr NIS2 gate package is a fast sell.
 ** EU AI Act
 First comprehensive AI regulation globally (effective August 2026). Risk-based
 tiers: unacceptable (banned), high-risk (conformity assessment), limited
 (transparency), minimal (code of conduct). High-risk systems require: risk
 management, data governance, technical documentation, transparency, human
 oversight, accuracy/robustness/cybersecurity. Third-party conformity assessment
 for some high-risk systems (notified bodies).
 Who must comply: Providers and deployers of AI systems in the EU. Extraterritorial
 if the AI system output is used in the EU. Scope covers GPAI (general-purpose AI)
 with additional obligations for systemic-risk GPAI.
 Penalties: Up to 35M EUR or 7% of global turnover (higher than GDPR).
 Why it matters: The EU AI Act's conformity assessment requirement creates an
 instant certification market. Passepartout's gate stack can serve as the
 human oversight and accuracy/robustness infrastructure for any AI system
 deployed through it. The [[file:verification-monopoly.org][verification monopoly]] argument applies at maximum
 force: an ACL2-verified gate stack is the most defensible approach to AI Act
 compliance. First-mover advantage: the regulation takes effect August 2026.
 No certification body or tool vendor has an ACL2-based compliance pipeline.
 First to market captures the standard-setting role.
 ** DORA (Digital Operational Resilience Act)
 EU regulation (effective January 2025) for the financial sector. Requires:
 ICT risk management, incident reporting, digital operational resilience testing,
 ICT third-party risk management (including contractual access and audit rights
 for critical ICT providers), information sharing, threat-led penetration testing
 (TLPT) for systemic institutions.
 Who must comply: 22,000+ financial entities in the EU (banks, investment firms,
 payment processors, crypto-asset providers, insurance companies). Also ICT
 third-party providers deemed critical.
 Penalties: Up to 2% of average daily turnover × number of days breached, or
 10M EUR for legal entities. Personal liability for management.
 Why it matters: DORA's third-party risk management requirement is a natural gate
 stack use case — every ICT provider access must be gated, logged, and auditable.
 TLPT (threat-led penetration testing) maps to the evaluation harness. First-mover
 advantage is extremely time-sensitive: DORA is already in effect (January 2025).
 Financial institutions are scrambling for compliance tooling. A DORA gate package
 at $50K/yr with zero incremental cost per additional user is an immediate sale.
 ** eIDAS 2.0 (Electronic Identification, Authentication and Trust Services)
 EU regulation (amended 2024). Creates the EU Digital Identity Wallet — mandatory
 for member states to offer, optional for citizens. Requires: qualified electronic
 signatures/seals/timestamps, qualified trust service providers (QTSPs), and the
 EU Digital Identity Wallet for identity verification across borders.
 Who must comply: Trust service providers, government digital identity systems,
 any organization accepting eIDAS-qualified identities. 27 member states must
 provide wallets by 2026.
 Penalties: Member state enforcement; penalties vary but non-compliance blocks
 access to the EU digital identity market.
 Why it matters: eIDAS 2.0 creates a verified digital identity layer across the
 EU. The gate stack can integrate with eIDAS wallets as the identity provider
 for gate rules — "only X, authenticated via eIDAS wallet, may approve this
 transaction." First-mover advantage: wallets are being built now; the provider
 that integrates with the wallet standard first locks in the identity gate
 integration.
 ** CRA (Cyber Resilience Act)
 EU regulation (effective 2025-2027 phased). Mandates cybersecurity requirements
 for products with digital elements (hardware and software). Requires: secure-bydesign, vulnerability handling, security updates for minimum 5 years, SBOM
 (software bill of materials) disclosure, CE marking for cybersecurity.
 Who must comply: Manufacturers, importers, and distributors of connected products
 sold in the EU. Categories: default (self-declaration), Class I (third-party
 audit), Class II (notified body assessment).
 Penalties: Up to 15M EUR or 2.5% of global turnover for non-compliance with
 reporting obligations.
 Why it matters: CRA's CE marking requirement creates a certification pipeline
 that the verification appliance can supply. If Passepartout's gate stack is
 itself CRA-compliant (verified by the evaluation harness), it becomes the
 compliance infrastructure for any product built on it. First-mover advantage:
 Class II products require notified body assessment — the bottleneck is notified
 body capacity. The gate stack's automated evidence pipeline bypasses the
 bottleneck.
 * Japan
 ** APPI (Act on Protection of Personal Information)
 Japan's comprehensive privacy law (amended 2022, fully effective 2023).
 Applies to any business handling personal information of Japanese residents.
 Key requirements: consent, purpose specification, data retention limits,
 cross-border transfer restrictions (opt-in required), mandatory breach reporting,
 data subject access/deletion rights, pseudonymized/anonymized data provisions.
 Personal Information Protection Commission (PPC) enforces.
 Penalties: Up to 100M JPY (~$700K) for violations; criminal penalties up to
 1 year imprisonment. Orders to suspend data processing or delete data.
 Who must comply: All businesses handling personal information of Japanese
 residents. Extraterritorial — applies to non-Japanese businesses targeting
 Japanese residents.
 Why it matters: APPI's cross-border transfer restrictions require fine-grained
 control over which data leaves Japan. The gate stack can encode "this data has
 APPI cross-border consent flag = false → block egress." First-mover advantage
 is moderate — few non-Japanese vendors target APPI specifically, and the 2022
 amendments added requirements that created compliance gaps.
 ** ISMAP (Government Information System Security Management and Assessment Program)
 Japan's government cloud security program — analogous to FedRAMP. Cloud services
 used by Japanese government agencies must be ISMAP-authorized. Managed by the
 Digital Agency and the Information-technology Promotion Agency (IPA).
 Who must comply: Cloud service providers selling to Japanese national and local
 government agencies.
 Why it matters: Like FedRAMP, ISMAP is a procurement gate. Authorization is
 time-consuming and expensive. A compute marketplace provider with ISMAP
 authorization has exclusive access to the Japanese government market. First-mover
 advantage is significant — as of 2025, fewer than 100 services are ISMAP-registered.
 * South Korea
 ** PIPA (Personal Information Protection Act)
 South Korea's comprehensive privacy law (enacted 2011, major amendments 2023
 and 2024). One of the strictest privacy regimes globally. Key requirements:
 consent, data minimization, purpose limitation, mandatory privacy impact
 assessment, data protection officer, breach notification within 72 hours,
 cross-border transfer restrictions, right to request data transmission
 (portability). The Personal Information Protection Commission (PIPC) enforces
 aggressively.
 Penalties: Up to 3% of revenue (raised from 0.5% in 2024 amendments). Criminal
 penalties up to 5 years imprisonment. PIPC has levied fines of 100B+ KRW (~$75M)
 against major tech companies. Class action lawsuits permitted.
 Who must comply: Any organization handling personal information of South Korean
 residents. Extraterritorial scope is broad and actively enforced.
 Why it matters: PIPA is structurally similar to GDPR but with stricter
 enforcement and higher penalties relative to market size. The gate stack's
 purpose-boundary gates map directly to PIPA's purpose limitation requirement.
 First-mover advantage is large — PIPA has fewer compliance automation vendors
 than GDPR, and the 2024 amendments (stricter consent, higher fines) are still
 settling.
 * Australia
 ** Privacy Act 1988 / Notifiable Data Breaches (NDB) scheme
 Australia's federal privacy law (amended 2023-2025). Comprehensive reform in
 progress — the Privacy Act Review (2023) proposes significant expansion:
 tiered penalties up to $50M AUD (or 30% of turnover, or 3x benefit obtained),
 direct right of action for individuals, new tort of serious invasion of privacy,
 children's privacy code, automated decision-making transparency.
 Who must comply: Most Australian businesses with >$3M AUD turnover; all
 health service providers; all businesses handling tax file numbers. Extraterritorial
 — applies to any organization with an Australian link.
 Penalties: Current maximum $50M AUD (from amendments effective late 2024).
 OAIC (Office of the Australian Information Commissioner) enforces. New direct
 right of action will increase private litigation.
 Why it matters: The Privacy Act Review's proposed automated decision-making
 transparency requirements are unique — organizations must disclose the logic
 and expected outcomes of AI decisions. The gate stack's ACL2 proof log is the
 most defensible transparency artifact available. First-mover advantage: the
 reforms are being legislated now; early adoption positions the gate stack as
 the reference implementation.
 ** APRA CPS 234 (Prudential Standard — Information Security)
 Australian Prudential Regulation Authority standard for regulated financial
 institutions. Requires: clearly defined information security roles and
 responsibilities, periodic cybersecurity capability assessments, robust control
 testing, timely remediation of control weaknesses, mandatory notification of
 material incidents to APRA within 72 hours.
 Who must comply: Banks, insurers, superannuation funds regulated by APRA.
 ~500 entities.
 Penalties: APRA can impose capital requirements, license conditions, or
 license cancellation for non-compliance. Personal liability for board and
 senior management.
 Why it matters: CPS 234's control testing requirement creates demand for
 continuous verification — exactly what the gate stack and evaluation harness
 provide. First-mover advantage: CPS 234 is mature (2019) but enforcement is
 escalating. No vendor provides a deterministic control-testing pipeline.
 ** IRAP (Infosec Registered Assessors Program)
 Australian government's cloud security assessment program — analogous to
 FedRAMP. Cloud services used by Australian government agencies must have an
 IRAP assessment. Managed by the Australian Cyber Security Centre (ACSC).
 Assessment levels: Protected (highest), Secret (top secret), Unclassified DLM.
 Who must comply: Cloud providers selling to Australian federal, state, and
 local government agencies. Also critical infrastructure providers.
 Why it matters: Like FedRAMP and ISMAP, IRAP is a procurement gate. An IRAP
 Protected-level assessment is expensive and takes 6-12 months. First-mover
 advantage: the gate stack's deterministic audit trail can be the primary
 evidence artifact, reducing assessment scope/cost.
 * India
 ** DPDP Act 2023 (Digital Personal Data Protection Act)
 India's first comprehensive federal privacy law (enacted August 2023, rules
 drafting in progress, enforcement expected 2026-2027). Key features: consent
 for personal data processing, data processor obligations, data principal rights
 (right to access, correction, erasure, grievance redressal), Data Protection
 Board of India (DPBI) enforcement, significant penalties, exempted government
 processing for sovereignty/national security.
 Penalties: Up to 250 Cr INR (~$30M) per breach. Data fiduciary bears primary
 responsibility regardless of processor fault.
 Who must comply: Any organization processing personal data of Indian residents,
 where the data is collected in India or used to profile Indian residents.
 Offshore data processors are in scope.
 Why it matters: DPDP is a greenfield privacy regime — India had no comprehensive
 privacy law before 2023. The rules (implementation details) are being drafted
 now. This is the widest first-mover window in the global privacy landscape:
 organizations need compliance tooling that doesn't exist yet. The gate stack's
 consent-managed data access model maps directly to DPDP's consent framework.
 A DPDP gate package at $30K/yr (discounted for India market) captures a market
 of hundreds of thousands of businesses with no incumbent vendor.
 * Brazil
 ** LGPD (Lei Geral de Proteção de Dados — Law 13,709/2018)
 Brazil's comprehensive privacy law (effective 2020, fines effective 2023).
 Modeled on GDPR but with differences: LGPD defines "data processing agents"
 (controller and operator), requires appointment of DPO (data protection officer),
 mandates breach notification to ANPD (National Data Protection Authority) and
 affected data subjects. 10 legal bases for processing (vs 6 in GDPR).
 Penalties: Up to 2% of revenue in Brazil per violation, capped at 50M BRL
 (~$10M) per violation. ANPD can also order suspension of processing, partial
 or total prohibition of database operation.
 Who must comply: Any organization (public or private) processing personal data
 of Brazilian residents, regardless of where the organization is based. No
 revenue threshold.
 Why it matters: LGPD affects every business operating in Latin America's largest
 economy. The 2% revenue penalty structure creates strong economic incentive.
 First-mover advantage: fewer compliance automation vendors in the Portuguese
 market. A Portuguese-language gate package with LGPD-specific consent and data
 subject rights gates captures a market of 210M people.
 * Mexico
 ** LFPDPPP (Federal Law on Protection of Personal Data Held by Private Parties)
 Mexico's federal privacy law (effective 2010, reformed 2024). Key requirements:
 consent, notice (privacy notice must specify the "responsible party"), purpose
 limitation, data subject rights (ARCO — access, rectification, cancellation,
 opposition + deletion, portability), cross-border data transfer limitations,
 security breach notification. INAI (National Institute for Transparency,
 Access to Information and Personal Data Protection) enforces.
 Penalties: Up to 1.9M days of minimum wage (~$5M USD); INAI can also
 suspend data processing.
 Why it matters: USMCA (US-Mexico-Canada Agreement) trade obligations are
 pushing toward privacy regime interoperability. A bilingual (Spanish/English)
 gate package covering both LFPDPPP and US frameworks serves the massive
 US-Mexico cross-border commerce market. First-mover advantage: LFPDPPP is
 less automated than GDPR; the market has fewer vendors and lower expectations.
 * International Frameworks
 ** ISO 27001 (Information Security Management)
 International standard for information security management systems (ISMS).
 The most widely adopted security certification globally — ~60,000 certified
 organizations. Requires: risk assessment, security controls (Annex A, 93
 controls across 4 domains), continuous improvement (Plan-Do-Check-Act),
 management review, internal audit.
 Who must comply: Self-selected — enterprises pursue ISO 27001 certification
 because supply chain partners and regulators require it. Increasingly mandatory
 for: cloud providers, government contractors, critical infrastructure, and
 regulated financial institutions in multiple jurisdictions.
 Penalties: No direct fines. Losing certification means losing business.
 Why it matters: ISO 27001 is the universal baseline. It is the entry-level
 certification that opens every other regulated market. The gate stack maps
 to Annex A controls directly (A.9 access control, A.12 operations security,
 A.16 incident management, A.18 compliance). First-mover advantage: the ISO
 27001 audit market is mature ($68B) and entirely manual (auditors flip through
 binders). A gate stack that produces audit evidence automatically is not
 competing with other software — it is competing with binders.
 ** ISO 27701 (Privacy Information Management — PIMS extension to ISO 27001)
 International standard extending ISO 27001 for privacy information management.
 Aligns with GDPR requirements. Provides a framework for PII (personally
 identifiable information) controllers and processors.
 Why it matters: ISO 27701 bridges information security and privacy compliance.
 An organization with ISO 27001 + ISO 27701 certification has a unified
 audit framework. The gate stack's access control gates + privacy gates satisfy
 both standards from the same infrastructure. First-mover advantage: adoption is
 growing but still low (~1,000 certifications). Early gate package captures the
 growth market.
 ** Basel III (Bank for International Settlements — Basel Committee)
 International banking regulatory framework (BIS Basel Committee). Sets minimum
 capital requirements, liquidity coverage ratio (LCR), net stable funding ratio
 (NSFR), leverage ratio, and counterparty credit risk requirements. National
 implementation via local regulators (Federal Reserve, ECB, PRA, BOJ, etc.).
 Who must comply: All internationally active banks. Systemically important
 financial institutions (G-SIBs) face additional surcharges.
 Penalties: Capital adequacy violations trigger regulatory intervention at
 increasing severity — restrictions on dividends, mandatory capital raising,
 management replacement, resolution.
 Why it matters: Basel's risk-weight calculation is rule-heavy and
 verification-friendly. The gate stack can encode credit risk weight mappings
 and produce auditable proof that capital calculations follow the correct
 methodology. First-mover advantage: Basel compliance is done via spreadsheets
 and specialized risk platforms. No platform uses formal verification for
 risk-weight mapping correctness. A $100K/yr Basel gate package for a G-SIB
 is a trivial expense relative to the capital requirement penalty of getting the
 mapping wrong.
 ** FATF (Financial Action Task Force) — AML/CFT Standards
 International standard-setter for anti-money laundering and counter-terrorism
 financing. 40 Recommendations covering: risk assessment, customer due diligence
 (CDD), beneficial ownership transparency, suspicious transaction reporting,
 targeted financial sanctions, proliferation financing. National implementation
 varies by jurisdiction.
 Who must comply: Financial institutions, DNFBPs (designated non-financial
 businesses and professions), virtual asset service providers (VASPs). In
 practice: every bank, money service business, crypto exchange, and high-value
 dealer globally.
 Penalties: National enforcement varies. Systemic failures lead to FATF grey-list
 (monitoring) or black-list (counter-measures). Grey-listing increases transaction
 costs — Iran and North Korea are black-listed.
 Why it matters: FATF's CDD requirements are the most widespread and
 rule-complex compliance obligation globally. The gate stack can encode
 tiered CDD rules, prove that every customer onboarding followed the correct
 verification path, and produce an auditable trail for every suspicion
 determination. First-mover advantage: AML compliance is a $50B+ market
 dominated by legacy vendors (LexisNexis, Thomson Reuters, FICO). None use
 formal verification. The gate stack's proof log is a "deterministic audit
 trail" that regulators would recognize as superior to the current paper-trail
 approach.
 ** OECD Privacy Guidelines and AI Principles
 OECD Privacy Guidelines (revised 2013): Eight principles — collection limitation,
 data quality, purpose specification, use limitation, security safeguards,
 openness, individual participation, accountability. Non-binding but foundational
 — the basis for GDPR, APPI, LGPD, and most other privacy laws.
 OECD AI Principles (adopted 2019, updated 2024): Five values-based principles
 — inclusive growth and well-being, human-centered values and fairness,
 transparency and explainability, robustness and safety, accountability.
 Non-binding but influential — the AI Act, Canada's AIDA, and Japan's AI
 guidelines all cite them.
 Why it matters: The OECD frameworks are indirect revenue drivers. Regulatory
 alignment with OECD principles is often a procurement requirement for
 international organizations and development finance institutions. First-mover
 advantage is about standard-setting: the gate package that maps to OECD
 principles first becomes the reference implementation.
 ** World Bank Environmental and Social Framework (ESF)
 The World Bank's framework for managing environmental and social risk in
 investment projects. Ten standards: ESS1 (assessment), ESS2 (labor), ESS3
 (resource efficiency), ESS4 (community health), ESS5 (land/resettlement),
 ESS6 (biodiversity), ESS7 (indigenous peoples), ESS8 (cultural heritage),
 ESS9 (financial intermediaries), ESS10 (stakeholder engagement).
 Who must comply: Borrowers and project implementers across World Bank-financed
 projects in 100+ countries. Also adopted by many multilateral development banks
 (MDBs) as their standard.
 Why it matters: ESF compliance is condition precedent to World Bank disbursement.
 Delays in compliance verification delay project funding. The gate stack's
 deterministic rule system can encode ESF standards as execution gates — "no
 disbursement unless ESS5 resettlement plan is verified complete." First-mover
 advantage: World Bank compliance is entirely document-based (reports, audits,
 site visits). A verified gate system is unprecedented.
 ** IFC Performance Standards (PS)
 International Finance Corporation's standards for environmental and social
 sustainability in private sector investment. Eight standards: PS1 (risk
 management), PS2 (labor), PS3 (resource efficiency), PS4 (community health),
 PS5 (land/resettlement), PS6 (biodiversity), PS7 (indigenous peoples), PS8
 (cultural heritage). Adopted by over 80 Equator Principles financial
 institutions (project finance lenders).
 Who must comply: IFC investees and clients; any project finance deal under
 the Equator Principles.
 Why it matters: The Equator Principles affect $100B+/yr in project finance.
 Compliance verification is done by external consultants. The gate stack can
 automate the evidence collection and provide verifiable proof that each PS
 requirement has been met before financial close. First-mover advantage: no
 vendor serves this market with automation — it is entirely consultant-delivered.
 ** IFRS (International Financial Reporting Standards)
 International accounting standards (IFRS Foundation, 166 jurisdictions). IFRS 17
 (insurance contracts, effective 2023) and IFRS 9 (financial instruments) are the
 most rule-complex — requiring actuarial models, expected credit loss calculations,
 and contract classification algorithms.
 Who must comply: Publicly listed companies in 166 jurisdictions including the
 EU, UK, Japan, Australia, Canada (2024), Brazil, India, South Korea, and most
 of Asia and Africa. The US (GAAP) is the major holdout.
 Why it matters: IFRS 17 and IFRS 9 are algorithmically complex rule sets.
 Getting an actuarial model or credit loss calculation wrong is a financial
 reporting error. The gate stack's ACL2 prover can verify that the calculation
 implementations match the standard's mathematical requirements. First-mover
 advantage: IFRS 17 was the largest accounting change in a decade. Implementation
 was a crisis for insurers. The next wave (IFRS 18, sustainability disclosures
 via ISSB) is coming. A verified IFRS gate package is a unique value proposition.
 ** UN/CEFACT (UN Centre for Trade Facilitation and Electronic Business)
 UN standards for electronic data interchange (EDI), trade facilitation, and
 cross-border data exchange. Key standards: UN/EDIFACT (trade data), Core
 Component Library (CCL), Multi-Modal Transport Reference Data Model. Basis
 for WTO Trade Facilitation Agreement compliance.
 Who must comply: Customs authorities, logistics providers, trade finance banks,
 exporters/importers in 170+ WTO member countries.
 Why it matters: Cross-border trade data exchange is rule-intensive (tariff
 classification, rules of origin, customs valuation, sanitary/phytosanitary
 requirements). The gate stack can encode trade compliance rules and prove that
 every cross-border data exchange satisfies the applicable regulation. First-mover
 advantage: trade compliance is a $15B market dominated by legacy SAP/Oracle
 modules and customs brokerages. None use verification.
 * First-Mover Window Analysis
 The first-mover window is the time in which a new compliance tool can establish
 dominance before incumbents respond or the market settles on a standard approach.
 | Window | Frameworks | Rationale |
 |--------|-----------|-----------|
 | **Critical (<12 months)** | EU AI Act (Aug 2026 effective), NIS2 (Oct 2025 deadline), DORA (Jan 2025 — already in effect) | Regulation is active or imminent. Buyers are desperate. No established vendor. |
 | **Wide (12-36 months)** | DPDP Act 2023 (rules drafting), India privacy; Privacy Act Review (Australia); Quebec Law 25; CRA phased enforcement | Regulation not yet fully enforced. Rules being written. Market forming. |
 | **Mature (commodity)** | GDPR (2018), SOX (2002), HIPAA (1996), GLBA (1999), Basel III (2010), FATF 40 Recs | Market has established vendors. First-mover advantage requires displacing incumbents via superior architecture. |
 | **Latent (undiscovered)** | OECD AI Principles, UN/CEFACT, World Bank ESF, IFC PS | Compliance exists but is document-based or consultant-delivered. No software market has formed. The first gate package creates the category. |
 * Expanded Revenue Table
 | Framework | Region | Gate price/yr | Addressable orgs | Revenue potential | First-mover window | Gate rule type |
 |-----------|--------|--------------|------------------|-------------------|---------------------|----------------|
 | HIPAA | US | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + access control |
 | SOC 2 | US/Global | $50K | 100K+ | $5B | Mature (incumbent disruption) | Access control + audit |
 | GDPR | EU | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + consent |
 | FedRAMP | US | $100K | 1K (providers) | $100M | Moderate (<300 authorized) | Continuous monitoring |
 | SOX | US | $50K | 10K | $500M | Mature (manual audit disruption) | Financial controls |
 | GLBA | US | $40K | 20K | $800M | Moderate | Financial privacy |
 | NY DFS 500 | US (NY) | $30K | 3K | $90M | Wide | Cybersecurity controls |
 | CCPA/CPRA | US (CA) | $40K | 50K+ | $2B | Moderate | Privacy opt-out flows |
 | NIS2 | EU | $50K | 160K | $8B | Critical (2025) | Cybersecurity + supply chain |
 | EU AI Act | EU | $75K | 100K+ | $7.5B | Critical (Aug 2026) | AI risk management |
 | DORA | EU | $50K | 22K+ | $1.1B | Critical (in effect) | ICT resilience |
 | eIDAS 2.0 | EU | $30K | 10K+ | $300M | Wide (wallet buildout) | Identity gates |
 | CRA | EU | $40K | 50K+ | $2B | Wide (phased 2025-2027) | Product security |
 | UK GDPR | UK | $40K | 100K+ | $4B | Mature (GDPR derivative) | Privacy |
 | APPI | Japan | $40K | 100K+ | $4B | Moderate | Cross-border privacy |
 | ISMAP | Japan | $75K | 500 (providers) | $37.5M | Wide (<100 registered) | Gov cloud assessment |
 | PIPA | South Korea | $35K | 50K+ | $1.75B | Wide (2024 amendments settling) | Privacy + consent |
 | Privacy Act | Australia | $35K | 50K+ | $1.75B | Wide (reforms legislating) | Privacy + AI transparency |
 | APRA CPS 234 | Australia | $40K | 500 | $20M | Moderate | Info security controls |
 | IRAP | Australia | $75K | 300 (providers) | $22.5M | Wide | Gov cloud assessment |
 | DPDP Act | India | $30K | 500K+ | $15B | Wide (rules drafting) | Privacy + consent |
 | LGPD | Brazil | $30K | 200K+ | $6B | Moderate | Privacy |
 | LFPDPPP | Mexico | $25K | 50K+ | $1.25B | Wide | Privacy |
 | ISO 27001 | Global | $40K | 60K+ | $2.4B | Mature (manual disruption) | ISMS controls |
 | ISO 27701 | Global | $35K | 1K+ | $35M | Wide (growing) | Privacy management |
 | Basel III | Global (banking) | $100K | 500 (G-SIBs) | $50M | Mature (incumbent disruption) | Capital adequacy |
 | FATF AML/CFT | Global | $50K | 50K+ | $2.5B | Mature (incumbent disruption) | CDD + screening |
 | IFRS 17 | Global (insurance) | $75K | 5K+ | $375M | Mature (actuarial verification) | Contract classification |
 | UN/CEFACT | Global (trade) | $30K | 50K+ | $1.5B | Latent (no market exists) | Cross-border data rules |
 | World Bank ESF | Global (dev finance) | $50K | 1K+ (projects) | $50M | Latent (no market exists) | ES compliance gates |
 | IFC PS | Global (project finance) | $50K | 500+ (deals) | $25M | Latent (no market exists) | ES compliance gates |
 A compute marketplace provider with authorization in 5+ frameworks (FedRAMP + 
 ISMAP + IRAP + SOC 2 + ISO 27001) becomes the default infrastructure provider
 for regulated cloud globally. The gate package portfolio alone — a mid-size
 enterprise running 10+ packages — generates $500K/yr+ in recurring revenue.
 At 10,000 such enterprises: $5B/yr. The first-mover advantage is not about any
 single framework — it is about being the first to offer a unified gate stack
 that maps to all of them.
--- a/ideas/compliance/_index.org
+++ b/ideas/compliance/_index.org
@@ -0,0 +1,79 @@
 :PROPERTIES:
 :ID:       e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c
 :CREATED:  [2026-05-23 Sat]
 :UPDATED:  [2026-05-23 Sat]
 :END:
 #+title: Compliance Framework Index — Global Regulated Industries
 #+filetags: :passepartout:triad:compliance:global:index:hub:
 The verification monopoly and domain gate package revenue streams depend on
 selling into regulated industries. These industries buy compliance, not software.
 Each framework below maps to a gate package the triad can sell — ACL2-verified
 gate rules that produce deterministic audit trails.
 See [[file:first-mover-window.org][First-mover window analysis]] and [[file:revenue-table.org][Revenue table]] for the consolidated view.
 * US Frameworks
 - [[file:hipaa.org][HIPAA]] — Health privacy ($50K/yr, 500K+ orgs)
 - [[file:soc2.org][SOC 2]] — Service organization controls ($50K/yr, 100K+ orgs)
 - [[file:fedramp.org][FedRAMP]] — Federal cloud authorization ($100K/yr, 1K providers)
 - [[file:sox.org][SOX]] — Financial controls ($50K/yr, 10K orgs)
 - [[file:glba.org][GLBA]] — Financial privacy ($40K/yr, 20K orgs)
 - [[file:ny-dfs-500.org][NY DFS 500]] — NY financial cybersecurity ($30K/yr, 3K orgs)
 - [[file:ccpa-cpra.org][CCPA/CPRA]] — California privacy ($40K/yr, 50K+ orgs)
 * Canada
 - [[file:quebec-law-25.org][Quebec Law 25]] — Provincial privacy ($25K/yr, 10K+ orgs)
 * UK and EU
 - [[file:gdpr.org][GDPR]] — EU privacy ($50K/yr, 500K+ orgs)
 - [[file:uk-gdpr.org][UK GDPR]] — UK privacy ($40K/yr, 100K+ orgs)
 - [[file:nis2.org][NIS2]] — Network security ($50K/yr, 160K orgs)
 - [[file:eu-ai-act.org][EU AI Act]] — AI regulation ($75K/yr, 100K+ orgs)
 - [[file:dora.org][DORA]] — Financial resilience ($50K/yr, 22K+ orgs)
 - [[file:eidas2.org][eIDAS 2.0]] — Digital identity ($30K/yr, 10K+ orgs)
 - [[file:cra.org][CRA]] — Product cybersecurity ($40K/yr, 50K+ orgs)
 * Asia-Pacific
 - [[file:appi.org][APPI]] — Japan privacy ($40K/yr, 100K+ orgs)
 - [[file:ismap.org][ISMAP]] — Japan cloud authorization ($75K/yr, 500 providers)
 - [[file:pipa.org][PIPA]] — South Korea privacy ($35K/yr, 50K+ orgs)
 - [[file:privacy-act-aus.org][Privacy Act]] — Australia privacy ($35K/yr, 50K+ orgs)
 - [[file:apra-cps-234.org][APRA CPS 234]] — Australian financial security ($40K/yr, 500 orgs)
 - [[file:irap.org][IRAP]] — Australian cloud authorization ($75K/yr, 300 providers)
 - [[file:dpdp-act.org][DPDP Act]] — India privacy ($30K/yr, 500K+ orgs)
 * Latin America
 - [[file:lgpd.org][LGPD]] — Brazil privacy ($30K/yr, 200K+ orgs)
 - [[file:lfp-dppp.org][LFPDPPP]] — Mexico privacy ($25K/yr, 50K+ orgs)
 * International
 - [[file:iso-27001.org][ISO 27001]] — ISMS ($40K/yr, 60K+ orgs)
 - [[file:iso-27701.org][ISO 27701]] — Privacy management ($35K/yr, 1K+ orgs)
 - [[file:basel-iii.org][Basel III]] — Banking capital ($100K/yr, 500 G-SIBs)
 - [[file:fatf.org][FATF]] — AML/CFT ($50K/yr, 50K+ orgs)
 - [[file:ifrs.org][IFRS 17]] — Insurance accounting ($75K/yr, 5K+ orgs)
 - [[file:oecd.org][OECD Guidelines]] — Privacy/AI principles (indirect)
 - [[file:world-bank-esf.org][World Bank ESF]] — Development finance ($50K/yr)
 - [[file:ifc-ps.org][IFC PS]] — Project finance ($50K/yr)
 - [[file:un-cefact.org][UN/CEFACT]] — Trade facilitation ($30K/yr, 50K+ orgs)
 * Strategic View
 | Region | Frameworks | Total TAM | First-mover priority |
 |--------|-----------|-----------|---------------------|
 | US | 7 | ~$33B | FedRAMP (procurement gate), NY DFS 500 (growing) |
 | UK/EU | 7 | ~$24B | NIS2 (2025 deadline), AI Act (Aug 2026), DORA (in effect) |
 | Asia-Pacific | 7 | ~$9B | DPDP (rules drafting), ISMAP/IRAP (gov cloud gates) |
 | Latin America | 2 | ~$7B | LGPD (largest LATAM market) |
 | International | 9 | ~$4.5B | ISO 27001 (universal baseline), World Bank/IFC (no market exists) |
 Next: [[file:first-mover-window.org][First-mover window analysis]] | [[file:revenue-table.org][Full revenue table]]
 See also: [[file:../../ideas/verification-monopoly.org][Verification monopoly]], [[file:../../ideas/domain-gate-packages.org][Domain gate packages]],
 [[file:../../ideas/compute-marketplace.org][Compute marketplace]], [[file:../../ideas/infrastructure-lock-in.org][Infrastructure lock-in]]
--- a/ideas/compliance/appi.org
+++ b/ideas/compliance/appi.org
@@ -0,0 +1,26 @@
 :PROPERTIES:
 :ID:       auto-appi
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: 
 #+filetags: :passepartout:compliance:framework:appi:
 Japan's comprehensive privacy law (amended 2022, fully effective 2023).
 Applies to any business handling personal information of Japanese residents.
 Key requirements: consent, purpose specification, data retention limits,
 cross-border transfer restrictions (opt-in required), mandatory breach reporting,
 data subject access/deletion rights, pseudonymized/anonymized data provisions.
 Personal Information Protection Commission (PPC) enforces.
 Penalties: Up to 100M JPY (~$700K) for violations; criminal penalties up to
 1 year imprisonment. Orders to suspend data processing or delete data.
 Who must comply: All businesses handling personal information of Japanese
 residents. Extraterritorial — applies to non-Japanese businesses targeting
 Japanese residents.
 Why it matters: APPI's cross-border transfer restrictions require fine-grained
 control over which data leaves Japan. The gate stack can encode "this data has
 APPI cross-border consent flag = false → block egress." First-mover advantage
 is moderate — few non-Japanese vendors target APPI specifically, and the 2022
--- a/ideas/compliance/apra-cps-234.org
+++ b/ideas/compliance/apra-cps-234.org
@@ -0,0 +1,27 @@
 :PROPERTIES:
 :ID:       auto-apra-cps-234
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: APRA CPS 234 (Prudential Standard — Information Security)
 #+filetags: :passepartout:compliance:framework:apra:
 ** APRA CPS 234 (Prudential Standard — Information Security)
 Australian Prudential Regulation Authority standard for regulated financial
 institutions. Requires: clearly defined information security roles and
 responsibilities, periodic cybersecurity capability assessments, robust control
 testing, timely remediation of control weaknesses, mandatory notification of
 material incidents to APRA within 72 hours.
 Who must comply: Banks, insurers, superannuation funds regulated by APRA.
 ~500 entities.
 Penalties: APRA can impose capital requirements, license conditions, or
 license cancellation for non-compliance. Personal liability for board and
 senior management.
 Why it matters: CPS 234's control testing requirement creates demand for
 continuous verification — exactly what the gate stack and evaluation harness
 provide. First-mover advantage: CPS 234 is mature (2019) but enforcement is
 escalating. No vendor provides a deterministic control-testing pipeline.
--- a/ideas/compliance/basel-iii.org
+++ b/ideas/compliance/basel-iii.org
@@ -0,0 +1,27 @@
 :PROPERTIES:
 :ID:       auto-basel-iii
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: Basel III (Bank for International Settlements — Basel Committee)
 #+filetags: :passepartout:compliance:framework:basel:
 ** Basel III (Bank for International Settlements — Basel Committee)
 International banking regulatory framework (BIS Basel Committee). Sets minimum
 capital requirements, liquidity coverage ratio (LCR), net stable funding ratio
 (NSFR), leverage ratio, and counterparty credit risk requirements. National
 implementation via local regulators (Federal Reserve, ECB, PRA, BOJ, etc.).
 Who must comply: All internationally active banks. Systemically important
 financial institutions (G-SIBs) face additional surcharges.
 Penalties: Capital adequacy violations trigger regulatory intervention at
 increasing severity — restrictions on dividends, mandatory capital raising,
 management replacement, resolution.
 Why it matters: Basel's risk-weight calculation is rule-heavy and
 verification-friendly. The gate stack can encode credit risk weight mappings
 and produce auditable proof that capital calculations follow the correct
 methodology. First-mover advantage: Basel compliance is done via spreadsheets
 and specialized risk platforms. No platform uses formal verification for
 risk-weight mapping correctness. A $100K/yr Basel gate package for a G-SIB
--- a/ideas/compliance/ccpa-cpra.org
+++ b/ideas/compliance/ccpa-cpra.org
@@ -0,0 +1,23 @@
 :PROPERTIES:
 :ID:       auto-ccpa-cpra
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: 
 #+filetags: :passepartout:compliance:framework:ccpa:
 California's comprehensive privacy law — the closest US analogue to GDPR.
 CPRA (effective 2023) amended and strengthened CCPA. Key rights: right to
 know, delete, opt out of sale/sharing, correct inaccurate data, limit use
 of sensitive PI. Private right of action for data breaches.
 Who must comply: For-profit businesses with >$25M revenue, or handling >100K
 consumer records, or deriving >50% revenue from selling PI. Extraterritorial —
 applies to any business collecting CA resident data.
 Penalties: $2,500 per violation (intentional: $7,500). Private right of action
 for breaches: $100-$750 per incident per consumer. CPRA created the California
 Privacy Protection Agency (CPPA) for enforcement.
 Why it matters: The opt-out/sale/sharing requirements create complex data flow
 gate rules. The gate stack can encode "this data flow crosses a CCPA boundary"
--- a/ideas/compliance/cra.org
+++ b/ideas/compliance/cra.org
@@ -0,0 +1,32 @@
 :PROPERTIES:
 :ID:       auto-cra
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: transaction." First-mover advantage: wallets are being built now; the provider
 #+filetags: :passepartout:compliance:framework:cra:
 transaction." First-mover advantage: wallets are being built now; the provider
 that integrates with the wallet standard first locks in the identity gate
 integration.
 ** CRA (Cyber Resilience Act)
 EU regulation (effective 2025-2027 phased). Mandates cybersecurity requirements
 for products with digital elements (hardware and software). Requires: secure-bydesign, vulnerability handling, security updates for minimum 5 years, SBOM
 (software bill of materials) disclosure, CE marking for cybersecurity.
 Who must comply: Manufacturers, importers, and distributors of connected products
 sold in the EU. Categories: default (self-declaration), Class I (third-party
 audit), Class II (notified body assessment).
 Penalties: Up to 15M EUR or 2.5% of global turnover for non-compliance with
 reporting obligations.
 Why it matters: CRA's CE marking requirement creates a certification pipeline
 that the verification appliance can supply. If Passepartout's gate stack is
 itself CRA-compliant (verified by the evaluation harness), it becomes the
 compliance infrastructure for any product built on it. First-mover advantage:
 Class II products require notified body assessment — the bottleneck is notified
 body capacity. The gate stack's automated evidence pipeline bypasses the
 bottleneck.
--- a/ideas/compliance/dora.org
+++ b/ideas/compliance/dora.org
@@ -0,0 +1,29 @@
 :PROPERTIES:
 :ID:       auto-dora
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: DORA (Digital Operational Resilience Act)
 #+filetags: :passepartout:compliance:framework:dora:
 ** DORA (Digital Operational Resilience Act)
 EU regulation (effective January 2025) for the financial sector. Requires:
 ICT risk management, incident reporting, digital operational resilience testing,
 ICT third-party risk management (including contractual access and audit rights
 for critical ICT providers), information sharing, threat-led penetration testing
 (TLPT) for systemic institutions.
 Who must comply: 22,000+ financial entities in the EU (banks, investment firms,
 payment processors, crypto-asset providers, insurance companies). Also ICT
 third-party providers deemed critical.
 Penalties: Up to 2% of average daily turnover × number of days breached, or
 10M EUR for legal entities. Personal liability for management.
 Why it matters: DORA's third-party risk management requirement is a natural gate
 stack use case — every ICT provider access must be gated, logged, and auditable.
 TLPT (threat-led penetration testing) maps to the evaluation harness. First-mover
 advantage is extremely time-sensitive: DORA is already in effect (January 2025).
 Financial institutions are scrambling for compliance tooling. A DORA gate package
 at $50K/yr with zero incremental cost per additional user is an immediate sale.
--- a/ideas/compliance/dpdp-act.org
+++ b/ideas/compliance/dpdp-act.org
@@ -0,0 +1,30 @@
 :PROPERTIES:
 :ID:       auto-dpdp-act
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: 
 #+filetags: :passepartout:compliance:framework:dpdp:
 India's first comprehensive federal privacy law (enacted August 2023, rules
 drafting in progress, enforcement expected 2026-2027). Key features: consent
 for personal data processing, data processor obligations, data principal rights
 (right to access, correction, erasure, grievance redressal), Data Protection
 Board of India (DPBI) enforcement, significant penalties, exempted government
 processing for sovereignty/national security.
 Penalties: Up to 250 Cr INR (~$30M) per breach. Data fiduciary bears primary
 responsibility regardless of processor fault.
 Who must comply: Any organization processing personal data of Indian residents,
 where the data is collected in India or used to profile Indian residents.
 Offshore data processors are in scope.
 Why it matters: DPDP is a greenfield privacy regime — India had no comprehensive
 privacy law before 2023. The rules (implementation details) are being drafted
 now. This is the widest first-mover window in the global privacy landscape:
 organizations need compliance tooling that doesn't exist yet. The gate stack's
 consent-managed data access model maps directly to DPDP's consent framework.
 A DPDP gate package at $30K/yr (discounted for India market) captures a market
 of hundreds of thousands of businesses with no incumbent vendor.
--- a/ideas/compliance/eidas2.org
+++ b/ideas/compliance/eidas2.org
@@ -0,0 +1,26 @@
 :PROPERTIES:
 :ID:       auto-eidas2
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: 
 #+filetags: :passepartout:compliance:framework:eidas2:
 ** eIDAS 2.0 (Electronic Identification, Authentication and Trust Services)
 EU regulation (amended 2024). Creates the EU Digital Identity Wallet — mandatory
 for member states to offer, optional for citizens. Requires: qualified electronic
 signatures/seals/timestamps, qualified trust service providers (QTSPs), and the
 EU Digital Identity Wallet for identity verification across borders.
 Who must comply: Trust service providers, government digital identity systems,
 any organization accepting eIDAS-qualified identities. 27 member states must
 provide wallets by 2026.
 Penalties: Member state enforcement; penalties vary but non-compliance blocks
 access to the EU digital identity market.
 Why it matters: eIDAS 2.0 creates a verified digital identity layer across the
 EU. The gate stack can integrate with eIDAS wallets as the identity provider
 for gate rules — "only X, authenticated via eIDAS wallet, may approve this
 transaction." First-mover advantage: wallets are being built now; the provider
--- a/ideas/compliance/eu-ai-act.org
+++ b/ideas/compliance/eu-ai-act.org
@@ -0,0 +1,32 @@
 :PROPERTIES:
 :ID:       auto-eu-ai-act
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: EU AI Act
 #+filetags: :passepartout:compliance:framework:eu:
 ** EU AI Act
 First comprehensive AI regulation globally (effective August 2026). Risk-based
 tiers: unacceptable (banned), high-risk (conformity assessment), limited
 (transparency), minimal (code of conduct). High-risk systems require: risk
 management, data governance, technical documentation, transparency, human
 oversight, accuracy/robustness/cybersecurity. Third-party conformity assessment
 for some high-risk systems (notified bodies).
 Who must comply: Providers and deployers of AI systems in the EU. Extraterritorial
 if the AI system output is used in the EU. Scope covers GPAI (general-purpose AI)
 with additional obligations for systemic-risk GPAI.
 Penalties: Up to 35M EUR or 7% of global turnover (higher than GDPR).
 Why it matters: The EU AI Act's conformity assessment requirement creates an
 instant certification market. Passepartout's gate stack can serve as the
 human oversight and accuracy/robustness infrastructure for any AI system
 deployed through it. The [[file:verification-monopoly.org][verification monopoly]] argument applies at maximum
 force: an ACL2-verified gate stack is the most defensible approach to AI Act
 compliance. First-mover advantage: the regulation takes effect August 2026.
 No certification body or tool vendor has an ACL2-based compliance pipeline.
 First to market captures the standard-setting role.
 ** DORA (Digital Operational Resilience Act)
--- a/ideas/compliance/fatf.org
+++ b/ideas/compliance/fatf.org
@@ -0,0 +1,32 @@
 :PROPERTIES:
 :ID:       auto-fatf
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: risk-weight mapping correctness. A $100K/yr Basel gate package for a G-SIB
 #+filetags: :passepartout:compliance:framework:fatf:
 risk-weight mapping correctness. A $100K/yr Basel gate package for a G-SIB
 is a trivial expense relative to the capital requirement penalty of getting the
 mapping wrong.
 ** FATF (Financial Action Task Force) — AML/CFT Standards
 International standard-setter for anti-money laundering and counter-terrorism
 financing. 40 Recommendations covering: risk assessment, customer due diligence
 (CDD), beneficial ownership transparency, suspicious transaction reporting,
 targeted financial sanctions, proliferation financing. National implementation
 varies by jurisdiction.
 Who must comply: Financial institutions, DNFBPs (designated non-financial
 businesses and professions), virtual asset service providers (VASPs). In
 practice: every bank, money service business, crypto exchange, and high-value
 dealer globally.
 Penalties: National enforcement varies. Systemic failures lead to FATF grey-list
 (monitoring) or black-list (counter-measures). Grey-listing increases transaction
 costs — Iran and North Korea are black-listed.
 Why it matters: FATF's CDD requirements are the most widespread and
 rule-complex compliance obligation globally. The gate stack can encode
 tiered CDD rules, prove that every customer onboarding followed the correct
 verification path, and produce an auditable trail for every suspicion
--- a/ideas/compliance/fedramp.org
+++ b/ideas/compliance/fedramp.org
@@ -0,0 +1,60 @@
 :PROPERTIES:
 :ID:       auto-fedramp
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: FedRAMP (Federal Risk and Authorization Management Program)
 #+filetags: :passepartout:compliance:framework:fedramp:
 * FedRAMP (Federal Risk and Authorization Management Program)
 ** What it is
 US federal government's standardized approach to security assessment,
 authorization, and continuous monitoring for cloud services. OMB policy
 mandate — federal agencies must use FedRAMP-authorized services when available.
 Three impact levels based on data sensitivity:
 | Level   | Data type | Examples                        | Cost to achieve | Timeline |
 |---------|-----------|---------------------------------|-----------------|----------|
 | Low     | Public or low-sensitivity | Public websites, unclassified comms | $500K-$1M | 6-12 months |
 | Moderate | Controlled Unclassified Info (CUI) | Tax records, health data, law enforcement | $1M-$3M | 12-24 months |
 | High    | National security, classified | Defense, intelligence, critical infra | $3M-$5M | 18-36 months |
 Two authorization paths:
 - **JAB (Joint Authorization Board):** provisional authorization by DHS, GSA,
  DOD. Hardest path, most reusable across agencies.
 - **Agency:** authorization by a single federal agency for its own use. Faster
  but less portable.
 Requires continuous monitoring (monthly scans, annual assessments, POA&M
 for findings).
 ** Who must comply
 Any cloud service provider that sells to US federal agencies. Including
 IaaS, PaaS, SaaS. FedRAMP Marketplace lists authorized providers — agencies
 are strongly discouraged from using non-authorized services.
 ** Penalties
 No direct fines. Non-authorized providers are simply ineligible for federal
 contracts. FedRAMP is a procurement gate, not a regulatory one.
 ** Why it matters for the triad
 FedRAMP is the highest bar and the most expensive certification to obtain.
 Few cloud providers achieve it (fewer than 300 authorized products as of 2025).
 But those that do capture the US government market with minimal competition.
 For the triad: a [[file:compute-marketplace.org][compute marketplace]] provider with FedRAMP Moderate or High
 authorization can sell to every federal agency. The gate stack's deterministic
 audit trail maps directly to FedRAMP's continuous monitoring requirement —
 producing verifiable evidence of control effectiveness on every access, not
 just during the annual assessment. This is what justifies the
 [[file:domain-gate-packages.org][FedRAMP gate package]] at $100K/yr (the highest price) — it is not a software
 package, it is the evidence pipeline for a certification that costs $1M-$5M
 and 12-36 months to obtain independently. The [[file:verification-monopoly.org][verification monopoly]] argument
 applies hardest here: an agency that has relied on a FedRAMP-authorized compute
 provider for five years cannot switch without re-running the entire authorization
 process with a new provider.
--- a/ideas/compliance/first-mover-window.org
+++ b/ideas/compliance/first-mover-window.org
@@ -0,0 +1,23 @@
 :PROPERTIES:
 :ID:       auto-first-mover-window
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: First-Mover Window Analysis
 #+filetags: :passepartout:compliance:strategy:first-mover:
 * First-Mover Window Analysis
 The first-mover window is the time in which a new compliance tool can establish
 dominance before incumbents respond or the market settles on a standard approach.
 | Window | Frameworks | Rationale |
 |--------|-----------|-----------|
 | **Critical (<12 months)** | EU AI Act (Aug 2026 effective), NIS2 (Oct 2025 deadline), DORA (Jan 2025 — already in effect) | Regulation is active or imminent. Buyers are desperate. No established vendor. |
 | **Wide (12-36 months)** | DPDP Act 2023 (rules drafting), India privacy; Privacy Act Review (Australia); Quebec Law 25; CRA phased enforcement | Regulation not yet fully enforced. Rules being written. Market forming. |
 | **Mature (commodity)** | GDPR (2018), SOX (2002), HIPAA (1996), GLBA (1999), Basel III (2010), FATF 40 Recs | Market has established vendors. First-mover advantage requires displacing incumbents via superior architecture. |
 | **Latent (undiscovered)** | OECD AI Principles, UN/CEFACT, World Bank ESF, IFC PS | Compliance exists but is document-based or consultant-delivered. No software market has formed. The first gate package creates the category. |
 See also: [[file:_index.org][Compliance index]], [[file:revenue-table.org][Revenue table]],
 [[file:../../ideas/verification-appliance.org][Verification appliance]], [[file:../../ideas/verification-monopoly.org][Verification monopoly]]
--- a/ideas/compliance/gdpr.org
+++ b/ideas/compliance/gdpr.org
@@ -0,0 +1,54 @@
 :PROPERTIES:
 :ID:       auto-gdpr
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: GDPR (General Data Protection Regulation)
 #+filetags: :passepartout:compliance:framework:gdpr:
 * GDPR (General Data Protection Regulation)
 ** What it is
 EU regulation (effective May 2018) governing the processing of personal data of
 natural persons in the EU. Extraterritorial — applies to any organization
 processing EU personal data regardless of where the organization is based.
 Key requirements:
 - Lawful basis for processing (consent, contract, legal obligation, vital
  interests, public task, legitimate interests)
 - Data minimization — collect only what is necessary
 - Purpose limitation — do not reuse data for incompatible purposes
 - Storage limitation — delete when no longer needed
 - Right of access, rectification, erasure (right to be forgotten),
  data portability, restriction, objection
 - Data Protection Impact Assessment (DPIA) for high-risk processing
 - Breach notification within 72 hours to supervisory authority
 - Data Protection Officer (DPO) appointment for certain controllers/processors
 - Data Processing Agreements (DPAs) between controllers and processors
 ** Who must comply
 Any organization that processes personal data of EU residents. Includes
 controllers (determine purposes and means) and processors (process on behalf
 of controller). Non-EU organizations with EU data subjects are in scope.
 ** Penalties
 Up to 20M EUR or 4% of annual global turnover, whichever is higher. Tiered
 system. Supervisory authorities in each member state enforce. Private right
 of action for damages.
 ** Why it matters for the triad
 GDPR is the most extraterritorial and aggressively enforced privacy framework.
 The gate stack's principle of least privilege maps naturally to GDPR's data
 minimization requirement. Every data access is gated by a verified rule that
 states the purpose — the proof log is a built-in DPIA artifact. For the
 [[file:compute-marketplace.org][compute marketplace]]: a provider processing proofs on EU users' gate data must
 maintain DPAs with all clients. Proof logs themselves may constitute personal
 data if they reference natural persons (names in access rules, etc.), creating
 a demand for privacy-preserving proof techniques. This is why the
 [[file:domain-gate-packages.org][GDPR gate package]] includes data-processing agreement templates and
 purpose-boundary gate rules that are independently verified by the provider's
 [[file:evaluation-harness.org][evaluation harness]].
--- a/ideas/compliance/glba.org
+++ b/ideas/compliance/glba.org
@@ -0,0 +1,23 @@
 :PROPERTIES:
 :ID:       auto-glba
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: 
 #+filetags: :passepartout:compliance:framework:glba:
 US federal law governing financial institutions' handling of nonpublic personal
 information (NPI). Requires privacy notices, opt-out rights, and a Safeguards
 Rule requiring an information security program.
 Who must comply: Banks, credit unions, insurance companies, securities firms,
 financial advisers. ~20,000 institutions.
 Penalties: FTC-enforced. Civil penalties up to $100K per violation; officers
 and directors personally liable.
 Why it matters: The Safeguards Rule maps directly to gate stack access controls.
 Every NPI access is gated; the proof log is the security program's evidence.
 First-mover advantage is narrow (GLBA is well-understood) but the market is
 large because every financial institution that dodges HIPAA still faces GLBA.
--- a/ideas/compliance/hipaa.org
+++ b/ideas/compliance/hipaa.org
@@ -0,0 +1,44 @@
 :PROPERTIES:
 :ID:       auto-hipaa
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: HIPAA (Health Insurance Portability and Accountability Act)
 #+filetags: :passepartout:compliance:framework:hipaa:
 * HIPAA (Health Insurance Portability and Accountability Act)
 ** What it is
 US federal law enacted 1996. Governs how protected health information (PHI)
 is stored, transmitted, and accessed. Two relevant rules:
 - **Privacy Rule:** controls use and disclosure of PHI. Patients have rights
  to access, amend, and request accounting of disclosures. Minimum necessary
  standard — only the minimum PHI needed for the task may be used.
 - **Security Rule:** administrative, physical, and technical safeguards for
  electronic PHI (ePHI). Requires access controls, audit controls, integrity
  controls, person/entity authentication, and transmission security.
 ** Who must comply
 Covered entities (health plans, healthcare clearinghouses, healthcare providers
 who transmit any ePHI) and business associates (any vendor handling PHI on behalf
 of a covered entity). Business Associate Agreements (BAAs) are mandatory.
 ** Penalties
 Tiered civil penalties: $100-$50,000 per violation, up to $1.5M per year per
 violation category. Criminal penalties for knowing misuse (up to 10 years
 imprisonment). State AGs can also bring civil actions.
 ** Why it matters for the triad
 HIPAA is the largest single compliance market in US healthcare — every hospital,
 clinic, insurer, and health-tech vendor must comply. The [[file:domain-gate-packages.org][HIPAA gate package]]
 ($50K/yr) encodes the Privacy Rule and Security Rule as ACL2-verifiable gate
 constraints. Every PHI access attempt passes through the gate stack, producing
 a machine-checkable audit trail that satisfies the Security Rule's audit control
 requirement automatically. No separate logging infrastructure needed. Over a
 five-year deployment, the accumulated fact store and proof history create
 [[file:infrastructure-lock-in.org][infrastructure lock-in]] — switching to a competitor means discarding all of it.
--- a/ideas/compliance/ifc-ps.org
+++ b/ideas/compliance/ifc-ps.org
@@ -0,0 +1,26 @@
 :PROPERTIES:
 :ID:       auto-ifc-ps
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: projects in 100+ countries. Also adopted by many multilateral development banks
 #+filetags: :passepartout:compliance:framework:ifc:
 projects in 100+ countries. Also adopted by many multilateral development banks
 (MDBs) as their standard.
 Why it matters: ESF compliance is condition precedent to World Bank disbursement.
 Delays in compliance verification delay project funding. The gate stack's
 deterministic rule system can encode ESF standards as execution gates — "no
 disbursement unless ESS5 resettlement plan is verified complete." First-mover
 advantage: World Bank compliance is entirely document-based (reports, audits,
 site visits). A verified gate system is unprecedented.
 ** IFC Performance Standards (PS)
 International Finance Corporation's standards for environmental and social
 sustainability in private sector investment. Eight standards: PS1 (risk
 management), PS2 (labor), PS3 (resource efficiency), PS4 (community health),
 PS5 (land/resettlement), PS6 (biodiversity), PS7 (indigenous peoples), PS8
 (cultural heritage). Adopted by over 80 Equator Principles financial
 institutions (project finance lenders).
--- a/ideas/compliance/ifrs.org
+++ b/ideas/compliance/ifrs.org
@@ -0,0 +1,26 @@
 :PROPERTIES:
 :ID:       auto-ifrs
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: 
 #+filetags: :passepartout:compliance:framework:ifrs:
 Who must comply: IFC investees and clients; any project finance deal under
 the Equator Principles.
 Why it matters: The Equator Principles affect $100B+/yr in project finance.
 Compliance verification is done by external consultants. The gate stack can
 automate the evidence collection and provide verifiable proof that each PS
 requirement has been met before financial close. First-mover advantage: no
 vendor serves this market with automation — it is entirely consultant-delivered.
 ** IFRS (International Financial Reporting Standards)
 International accounting standards (IFRS Foundation, 166 jurisdictions). IFRS 17
 (insurance contracts, effective 2023) and IFRS 9 (financial instruments) are the
 most rule-complex — requiring actuarial models, expected credit loss calculations,
 and contract classification algorithms.
 Who must comply: Publicly listed companies in 166 jurisdictions including the
 EU, UK, Japan, Australia, Canada (2024), Brazil, India, South Korea, and most
--- a/ideas/compliance/irap.org
+++ b/ideas/compliance/irap.org
@@ -0,0 +1,23 @@
 :PROPERTIES:
 :ID:       auto-irap
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: 
 #+filetags: :passepartout:compliance:framework:irap:
 ** IRAP (Infosec Registered Assessors Program)
 Australian government's cloud security assessment program — analogous to
 FedRAMP. Cloud services used by Australian government agencies must have an
 IRAP assessment. Managed by the Australian Cyber Security Centre (ACSC).
 Assessment levels: Protected (highest), Secret (top secret), Unclassified DLM.
 Who must comply: Cloud providers selling to Australian federal, state, and
 local government agencies. Also critical infrastructure providers.
 Why it matters: Like FedRAMP and ISMAP, IRAP is a procurement gate. An IRAP
 Protected-level assessment is expensive and takes 6-12 months. First-mover
 advantage: the gate stack's deterministic audit trail can be the primary
 evidence artifact, reducing assessment scope/cost.
--- a/ideas/compliance/ismap.org
+++ b/ideas/compliance/ismap.org
@@ -0,0 +1,24 @@
 :PROPERTIES:
 :ID:       auto-ismap
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: is moderate — few non-Japanese vendors target APPI specifically, and the 2022
 #+filetags: :passepartout:compliance:framework:ismap:
 is moderate — few non-Japanese vendors target APPI specifically, and the 2022
 amendments added requirements that created compliance gaps.
 ** ISMAP (Government Information System Security Management and Assessment Program)
 Japan's government cloud security program — analogous to FedRAMP. Cloud services
 used by Japanese government agencies must be ISMAP-authorized. Managed by the
 Digital Agency and the Information-technology Promotion Agency (IPA).
 Who must comply: Cloud service providers selling to Japanese national and local
 government agencies.
 Why it matters: Like FedRAMP, ISMAP is a procurement gate. Authorization is
 time-consuming and expensive. A compute marketplace provider with ISMAP
 authorization has exclusive access to the Japanese government market. First-mover
 advantage is significant — as of 2025, fewer than 100 services are ISMAP-registered.
--- a/ideas/compliance/iso-27001.org
+++ b/ideas/compliance/iso-27001.org
@@ -0,0 +1,31 @@
 :PROPERTIES:
 :ID:       auto-iso-27001
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: 
 #+filetags: :passepartout:compliance:framework:iso:
 International standard for information security management systems (ISMS).
 The most widely adopted security certification globally — ~60,000 certified
 organizations. Requires: risk assessment, security controls (Annex A, 93
 controls across 4 domains), continuous improvement (Plan-Do-Check-Act),
 management review, internal audit.
 Who must comply: Self-selected — enterprises pursue ISO 27001 certification
 because supply chain partners and regulators require it. Increasingly mandatory
 for: cloud providers, government contractors, critical infrastructure, and
 regulated financial institutions in multiple jurisdictions.
 Penalties: No direct fines. Losing certification means losing business.
 Why it matters: ISO 27001 is the universal baseline. It is the entry-level
 certification that opens every other regulated market. The gate stack maps
 to Annex A controls directly (A.9 access control, A.12 operations security,
 A.16 incident management, A.18 compliance). First-mover advantage: the ISO
 27001 audit market is mature ($68B) and entirely manual (auditors flip through
 binders). A gate stack that produces audit evidence automatically is not
 competing with other software — it is competing with binders.
 ** ISO 27701 (Privacy Information Management — PIMS extension to ISO 27001)
--- a/ideas/compliance/iso-27701.org
+++ b/ideas/compliance/iso-27701.org
@@ -0,0 +1,20 @@
 :PROPERTIES:
 :ID:       auto-iso-27701
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: 
 #+filetags: :passepartout:compliance:framework:iso:
 International standard extending ISO 27001 for privacy information management.
 Aligns with GDPR requirements. Provides a framework for PII (personally
 identifiable information) controllers and processors.
 Why it matters: ISO 27701 bridges information security and privacy compliance.
 An organization with ISO 27001 + ISO 27701 certification has a unified
 audit framework. The gate stack's access control gates + privacy gates satisfy
 both standards from the same infrastructure. First-mover advantage: adoption is
 growing but still low (~1,000 certifications). Early gate package captures the
 growth market.
 ** Basel III (Bank for International Settlements — Basel Committee)
--- a/ideas/compliance/lfp-dppp.org
+++ b/ideas/compliance/lfp-dppp.org
@@ -0,0 +1,24 @@
 :PROPERTIES:
 :ID:       auto-lfp-dppp
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: 
 #+filetags: :passepartout:compliance:framework:lfp:
 Mexico's federal privacy law (effective 2010, reformed 2024). Key requirements:
 consent, notice (privacy notice must specify the "responsible party"), purpose
 limitation, data subject rights (ARCO — access, rectification, cancellation,
 opposition + deletion, portability), cross-border data transfer limitations,
 security breach notification. INAI (National Institute for Transparency,
 Access to Information and Personal Data Protection) enforces.
 Penalties: Up to 1.9M days of minimum wage (~$5M USD); INAI can also
 suspend data processing.
 Why it matters: USMCA (US-Mexico-Canada Agreement) trade obligations are
 pushing toward privacy regime interoperability. A bilingual (Spanish/English)
 gate package covering both LFPDPPP and US frameworks serves the massive
 US-Mexico cross-border commerce market. First-mover advantage: LFPDPPP is
 less automated than GDPR; the market has fewer vendors and lower expectations.
--- a/ideas/compliance/lgpd.org
+++ b/ideas/compliance/lgpd.org
@@ -0,0 +1,28 @@
 :PROPERTIES:
 :ID:       auto-lgpd
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: 
 #+filetags: :passepartout:compliance:framework:lgpd:
 Brazil's comprehensive privacy law (effective 2020, fines effective 2023).
 Modeled on GDPR but with differences: LGPD defines "data processing agents"
 (controller and operator), requires appointment of DPO (data protection officer),
 mandates breach notification to ANPD (National Data Protection Authority) and
 affected data subjects. 10 legal bases for processing (vs 6 in GDPR).
 Penalties: Up to 2% of revenue in Brazil per violation, capped at 50M BRL
 (~$10M) per violation. ANPD can also order suspension of processing, partial
 or total prohibition of database operation.
 Who must comply: Any organization (public or private) processing personal data
 of Brazilian residents, regardless of where the organization is based. No
 revenue threshold.
 Why it matters: LGPD affects every business operating in Latin America's largest
 economy. The 2% revenue penalty structure creates strong economic incentive.
 First-mover advantage: fewer compliance automation vendors in the Portuguese
 market. A Portuguese-language gate package with LGPD-specific consent and data
 subject rights gates captures a market of 210M people.
--- a/ideas/compliance/nis2.org
+++ b/ideas/compliance/nis2.org
@@ -0,0 +1,34 @@
 :PROPERTIES:
 :ID:       auto-nis2
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: 
 #+filetags: :passepartout:compliance:framework:nis2:
 EU directive (effective October 2024, member states transpose by October 2025).
 Replaces NIS (2016). Expands scope from 7 sectors to 15, covering: energy,
 transport, banking, financial market infrastructure, health, drinking water,
 wastewater, digital infrastructure, ICT service management, public administration,
 space, postal services, food, chemicals, manufacturing (critical products).
 Key requirements: risk management measures (supply chain security, incident
 handling, business continuity), incident notification (24-hour early warning,
 72-hour full report), C-level accountability (management can be held personally
 liable for non-compliance), supply chain security for critical vendors.
 Who must comply: ~160,000 entities across EU (up from ~30,000 under NIS).
 Two tiers: essential (strict) and important (moderate). Extraterritorial — any
 organization providing services to EU entities in covered sectors.
 Penalties: Up to 10M EUR or 2% of global turnover (essential entities). Personal
 liability for management.
 Why it matters: NIS2 is the largest European cybersecurity mandate ever.
 Every requirement maps to a gate rule: supply chain access verification,
 incident notification triggers, business continuity approval chains. First-mover
 advantage is urgent — the transposition deadline is October 2025 (17 months).
 Organizations need gate packages now. No competitor has a declarative gate
 model that maps to NIS2 requirements. $50K/yr NIS2 gate package is a fast sell.
 ** EU AI Act
--- a/ideas/compliance/ny-dfs-500.org
+++ b/ideas/compliance/ny-dfs-500.org
@@ -0,0 +1,25 @@
 :PROPERTIES:
 :ID:       auto-ny-dfs-500
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: 
 #+filetags: :passepartout:compliance:framework:ny:
 ** NY DFS 500 (23 NYCRR 500)
 New York State Department of Financial Services cybersecurity regulation for
 financial services. The most aggressive US state-level financial cybersecurity
 rule. Requires: risk assessment, penetration testing, multi-factor authentication,
 incident response plan, annual certification of compliance by the board.
 Who must comply: Any entity regulated by NY DFS — banks, insurers, mortgage
 brokers, virtual currency companies operating in New York. ~3,000 institutions.
 Penalties: $200K-$1M per violation; business license revocation possible.
 Why it matters: The annual board certification requirement creates demand for
 verifiable evidence of control effectiveness — exactly what the gate stack
 produces. First-mover advantage is significant (few vendors target NY DFS 500
 specifically) and the regulation is a template that other states are adopting.
--- a/ideas/compliance/oecd.org
+++ b/ideas/compliance/oecd.org
@@ -0,0 +1,23 @@
 :PROPERTIES:
 :ID:       auto-oecd
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: verification path, and produce an auditable trail for every suspicion
 #+filetags: :passepartout:compliance:framework:oecd:
 verification path, and produce an auditable trail for every suspicion
 determination. First-mover advantage: AML compliance is a $50B+ market
 dominated by legacy vendors (LexisNexis, Thomson Reuters, FICO). None use
 formal verification. The gate stack's proof log is a "deterministic audit
 trail" that regulators would recognize as superior to the current paper-trail
 approach.
 ** OECD Privacy Guidelines and AI Principles
 OECD Privacy Guidelines (revised 2013): Eight principles — collection limitation,
 data quality, purpose specification, use limitation, security safeguards,
 openness, individual participation, accountability. Non-binding but foundational
 — the basis for GDPR, APPI, LGPD, and most other privacy laws.
 OECD AI Principles (adopted 2019, updated 2024): Five values-based principles
 — inclusive growth and well-being, human-centered values and fairness,
--- a/ideas/compliance/pipa.org
+++ b/ideas/compliance/pipa.org
@@ -0,0 +1,30 @@
 :PROPERTIES:
 :ID:       auto-pipa
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: 
 #+filetags: :passepartout:compliance:framework:pipa:
 South Korea's comprehensive privacy law (enacted 2011, major amendments 2023
 and 2024). One of the strictest privacy regimes globally. Key requirements:
 consent, data minimization, purpose limitation, mandatory privacy impact
 assessment, data protection officer, breach notification within 72 hours,
 cross-border transfer restrictions, right to request data transmission
 (portability). The Personal Information Protection Commission (PIPC) enforces
 aggressively.
 Penalties: Up to 3% of revenue (raised from 0.5% in 2024 amendments). Criminal
 penalties up to 5 years imprisonment. PIPC has levied fines of 100B+ KRW (~$75M)
 against major tech companies. Class action lawsuits permitted.
 Who must comply: Any organization handling personal information of South Korean
 residents. Extraterritorial scope is broad and actively enforced.
 Why it matters: PIPA is structurally similar to GDPR but with stricter
 enforcement and higher penalties relative to market size. The gate stack's
 purpose-boundary gates map directly to PIPA's purpose limitation requirement.
 First-mover advantage is large — PIPA has fewer compliance automation vendors
 than GDPR, and the 2024 amendments (stricter consent, higher fines) are still
 settling.
--- a/ideas/compliance/privacy-act-aus.org
+++ b/ideas/compliance/privacy-act-aus.org
@@ -0,0 +1,30 @@
 :PROPERTIES:
 :ID:       auto-privacy-act-aus
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: 
 #+filetags: :passepartout:compliance:framework:privacy:
 Australia's federal privacy law (amended 2023-2025). Comprehensive reform in
 progress — the Privacy Act Review (2023) proposes significant expansion:
 tiered penalties up to $50M AUD (or 30% of turnover, or 3x benefit obtained),
 direct right of action for individuals, new tort of serious invasion of privacy,
 children's privacy code, automated decision-making transparency.
 Who must comply: Most Australian businesses with >$3M AUD turnover; all
 health service providers; all businesses handling tax file numbers. Extraterritorial
 — applies to any organization with an Australian link.
 Penalties: Current maximum $50M AUD (from amendments effective late 2024).
 OAIC (Office of the Australian Information Commissioner) enforces. New direct
 right of action will increase private litigation.
 Why it matters: The Privacy Act Review's proposed automated decision-making
 transparency requirements are unique — organizations must disclose the logic
 and expected outcomes of AI decisions. The gate stack's ACL2 proof log is the
 most defensible transparency artifact available. First-mover advantage: the
 reforms are being legislated now; early adoption positions the gate stack as
 the reference implementation.
 ** APRA CPS 234 (Prudential Standard — Information Security)
--- a/ideas/compliance/quebec-law-25.org
+++ b/ideas/compliance/quebec-law-25.org
@@ -0,0 +1,25 @@
 :PROPERTIES:
 :ID:       auto-quebec-law-25
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: gate rules. The gate stack can encode "this data flow crosses a CCPA boundary"
 #+filetags: :passepartout:compliance:framework:quebec:
 gate rules. The gate stack can encode "this data flow crosses a CCPA boundary"
 and automatically enforce the opt-out at every data access. First-mover
 advantage is moderate (many CCPA tools exist) but none provide a deterministic,
 verifiable audit trail — they are all document-based.
 ** Canadian provincial privacy (Quebec Law 25, Ontario PHIPA)
 Quebec Law 25 (2023-2024 phased) is Canada's most aggressive privacy
 regulation — closer to GDPR than PIPEDA. Requires: privacy officer appointment,
 privacy impact assessments, consent modernization, data portability, right to
 de-index, algorithm transparency (automated decision-making disclosures).
 Penalties up to $25M CAD or 4% of global revenue.
 Why it matters: The algorithm transparency requirement is unique — organizations
 must disclose how automated decision systems work. The gate stack's ACL2 proof
 log is a natural algorithm transparency artifact. First-mover advantage: this
 is a new requirement with no established vendor tooling.
--- a/ideas/compliance/revenue-table.org
+++ b/ideas/compliance/revenue-table.org
@@ -0,0 +1,60 @@
 :PROPERTIES:
 :ID:       auto-revenue-table
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: Compliance Framework Revenue Table
 #+filetags: :passepartout:compliance:revenue:pricing:
 * Expanded Revenue Table
 | Framework | Region | Gate price/yr | Addressable orgs | Revenue potential | First-mover window | Gate rule type |
 |-----------|--------|--------------|------------------|-------------------|---------------------|----------------|
 | HIPAA | US | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + access control |
 | SOC 2 | US/Global | $50K | 100K+ | $5B | Mature (incumbent disruption) | Access control + audit |
 | GDPR | EU | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + consent |
 | FedRAMP | US | $100K | 1K (providers) | $100M | Moderate (<300 authorized) | Continuous monitoring |
 | SOX | US | $50K | 10K | $500M | Mature (manual audit disruption) | Financial controls |
 | GLBA | US | $40K | 20K | $800M | Moderate | Financial privacy |
 | NY DFS 500 | US (NY) | $30K | 3K | $90M | Wide | Cybersecurity controls |
 | CCPA/CPRA | US (CA) | $40K | 50K+ | $2B | Moderate | Privacy opt-out flows |
 | NIS2 | EU | $50K | 160K | $8B | Critical (2025) | Cybersecurity + supply chain |
 | EU AI Act | EU | $75K | 100K+ | $7.5B | Critical (Aug 2026) | AI risk management |
 | DORA | EU | $50K | 22K+ | $1.1B | Critical (in effect) | ICT resilience |
 | eIDAS 2.0 | EU | $30K | 10K+ | $300M | Wide (wallet buildout) | Identity gates |
 | CRA | EU | $40K | 50K+ | $2B | Wide (phased 2025-2027) | Product security |
 | UK GDPR | UK | $40K | 100K+ | $4B | Mature (GDPR derivative) | Privacy |
 | APPI | Japan | $40K | 100K+ | $4B | Moderate | Cross-border privacy |
 | ISMAP | Japan | $75K | 500 (providers) | $37.5M | Wide (<100 registered) | Gov cloud assessment |
 | PIPA | South Korea | $35K | 50K+ | $1.75B | Wide (2024 amendments settling) | Privacy + consent |
 | Privacy Act | Australia | $35K | 50K+ | $1.75B | Wide (reforms legislating) | Privacy + AI transparency |
 | APRA CPS 234 | Australia | $40K | 500 | $20M | Moderate | Info security controls |
 | IRAP | Australia | $75K | 300 (providers) | $22.5M | Wide | Gov cloud assessment |
 | DPDP Act | India | $30K | 500K+ | $15B | Wide (rules drafting) | Privacy + consent |
 | LGPD | Brazil | $30K | 200K+ | $6B | Moderate | Privacy |
 | LFPDPPP | Mexico | $25K | 50K+ | $1.25B | Wide | Privacy |
 | ISO 27001 | Global | $40K | 60K+ | $2.4B | Mature (manual disruption) | ISMS controls |
 | ISO 27701 | Global | $35K | 1K+ | $35M | Wide (growing) | Privacy management |
 | Basel III | Global (banking) | $100K | 500 (G-SIBs) | $50M | Mature (incumbent disruption) | Capital adequacy |
 | FATF AML/CFT | Global | $50K | 50K+ | $2.5B | Mature (incumbent disruption) | CDD + screening |
 | IFRS 17 | Global (insurance) | $75K | 5K+ | $375M | Mature (actuarial verification) | Contract classification |
 | UN/CEFACT | Global (trade) | $30K | 50K+ | $1.5B | Latent (no market exists) | Cross-border data rules |
 | World Bank ESF | Global (dev finance) | $50K | 1K+ (projects) | $50M | Latent (no market exists) | ES compliance gates |
 | IFC PS | Global (project finance) | $50K | 500+ (deals) | $25M | Latent (no market exists) | ES compliance gates |
 A compute marketplace provider with authorization in 5+ frameworks (FedRAMP + 
 ISMAP + IRAP + SOC 2 + ISO 27001) becomes the default infrastructure provider
 for regulated cloud globally. The gate package portfolio alone — a mid-size
 enterprise running 10+ packages — generates $500K/yr+ in recurring revenue.
 At 10,000 such enterprises: $5B/yr. The first-mover advantage is not about any
 single framework — it is about being the first to offer a unified gate stack
 that maps to all of them.
 A compute marketplace provider with authorization in 5+ frameworks (FedRAMP +
 ISMAP + IRAP + SOC 2 + ISO 27001) becomes the default infrastructure provider
 for regulated cloud globally. The gate package portfolio alone — a mid-size
 enterprise running 10+ packages — generates $500K/yr+ in recurring revenue.
 At 10,000 such enterprises: $5B/yr.
 See also: [[file:_index.org][Compliance index]], [[file:first-mover-window.org][First-mover window analysis]],
 [[file:../../ideas/verification-monopoly.org][Verification monopoly]], [[file:../../ideas/compute-marketplace.org][Compute marketplace]]
--- a/ideas/compliance/soc2.org
+++ b/ideas/compliance/soc2.org
@@ -0,0 +1,53 @@
 :PROPERTIES:
 :ID:       auto-soc2
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: SOC 2 (System and Organization Controls 2)
 #+filetags: :passepartout:compliance:framework:soc2:
 * SOC 2 (System and Organization Controls 2)
 ** What it is
 An auditing standard developed by AICPA (American Institute of CPAs). Not a law.
 Certifies that a service organization's controls over security, availability,
 processing integrity, confidentiality, and privacy meet defined criteria.
 Five Trust Service Criteria (TSC):
 - **Security** (mandatory): protection against unauthorized access (firewall,
  access control, intrusion detection)
 - **Availability** (optional): system available for operation and use as
  committed (uptime, redundancy, disaster recovery)
 - **Processing Integrity** (optional): system processing is complete, valid,
  accurate, timely, and authorized
 - **Confidentiality** (optional): information designated as confidential is
  protected as committed
 - **Privacy** (optional): personal information is collected, used, retained,
  disclosed, and disposed of in conformity with commitments
 Two types:
 - **Type I:** controls are suitably designed at a specific point in time
 - **Type II:** controls operated effectively over a period (6-12 months)
 ** Who must comply
 Any SaaS or cloud service provider whose enterprise customers require audited
 vendors. Table stakes for B2B — most enterprise procurement contracts require
 SOC 2 Type II.
 ** Penalties
 No direct fines (not a law). But losing SOC 2 certification means losing
 enterprise customers. Misrepresentation of certification status is fraud.
 ** Why it matters for the triad
 SOC 2 is the entry-level certification for the [[file:compute-marketplace.org][compute marketplace]]. A provider
 needs SOC 2 Type II to sell compute to enterprises whose procurement policy
 requires audited vendors. The gate stack itself maps directly to the Security
 criterion (access controls, audit trails) — the Passepartout instance's
 deterministic gate log serves as the evidence artifact for the audit. No
 separate logging SIEM needed. This is the prerequisite to the larger
 [[file:verification-monopoly.org][verification monopoly]] play — once enterprises trust the audit trail, they
 buy domain-specific gate packages for the same infrastructure.
--- a/ideas/compliance/sox.org
+++ b/ideas/compliance/sox.org
@@ -0,0 +1,27 @@
 :PROPERTIES:
 :ID:       auto-sox
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: 
 #+filetags: :passepartout:compliance:framework:sox:
 US federal law (2002). Mandates internal controls over financial reporting
 (ICFR) for publicly traded companies. Section 404 requires management to assess
 and auditors to attest to the effectiveness of internal controls.
 Who must comply: All US public companies; foreign issuers trading on US exchanges.
 ~6,000 public companies + foreign filers.
 Penalties: Up to $5M fines and 20 years imprisonment for certifying false
 financial statements. CEO and CFO personally liable.
 Why it matters: Every financial control is a gate rule — who can approve a
 journal entry, who can release a payment, who can modify a vendor record. The
 gate stack encodes these as ACL2-verified rules and produces the audit trail
 that the external auditor needs for Section 404 attestation. First-mover
 advantage: SOX is mature (24 years old) but the audit market is $4B+ and
 entirely manual — no competitor has automated the evidence pipeline.
 ** GLBA (Gramm-Leach-Bliley Act)
--- a/ideas/compliance/uk-gdpr.org
+++ b/ideas/compliance/uk-gdpr.org
@@ -0,0 +1,21 @@
 :PROPERTIES:
 :ID:       auto-uk-gdpr
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: 
 #+filetags: :passepartout:compliance:framework:uk:
 Post-Brexit, the UK maintains its own version of GDPR via the Data Protection
 Act 2018. Substantively identical to EU GDPR but diverging over time. The UK
 has announced separate reforms targeting AI and digital identity. ICO (Information
 Commissioner's Office) enforces. Maximum fines: 17.5M GBP or 4% of global turnover.
 Why it matters: UK GDPR is EU GDPR's twin market — any gate package designed
 for EU GDPR ports directly with verified translation of terminology (supervisory
 authority → ICO, DPA → equivalent UK contract clauses). The gate stack's ACL2
 prover can verify that the UK version's rules are consistent with the EU version
 (and alert when they diverge). This is a concrete ACL2 application.
 ** NIS2 (Network and Information Security Directive)
--- a/ideas/compliance/un-cefact.org
+++ b/ideas/compliance/un-cefact.org
@@ -0,0 +1,35 @@
 :PROPERTIES:
 :ID:       auto-un-cefact
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: EU, UK, Japan, Australia, Canada (2024), Brazil, India, South Korea, and most
 #+filetags: :passepartout:compliance:framework:un:
 EU, UK, Japan, Australia, Canada (2024), Brazil, India, South Korea, and most
 of Asia and Africa. The US (GAAP) is the major holdout.
 Why it matters: IFRS 17 and IFRS 9 are algorithmically complex rule sets.
 Getting an actuarial model or credit loss calculation wrong is a financial
 reporting error. The gate stack's ACL2 prover can verify that the calculation
 implementations match the standard's mathematical requirements. First-mover
 advantage: IFRS 17 was the largest accounting change in a decade. Implementation
 was a crisis for insurers. The next wave (IFRS 18, sustainability disclosures
 via ISSB) is coming. A verified IFRS gate package is a unique value proposition.
 ** UN/CEFACT (UN Centre for Trade Facilitation and Electronic Business)
 UN standards for electronic data interchange (EDI), trade facilitation, and
 cross-border data exchange. Key standards: UN/EDIFACT (trade data), Core
 Component Library (CCL), Multi-Modal Transport Reference Data Model. Basis
 for WTO Trade Facilitation Agreement compliance.
 Who must comply: Customs authorities, logistics providers, trade finance banks,
 exporters/importers in 170+ WTO member countries.
 Why it matters: Cross-border trade data exchange is rule-intensive (tariff
 classification, rules of origin, customs valuation, sanitary/phytosanitary
 requirements). The gate stack can encode trade compliance rules and prove that
 every cross-border data exchange satisfies the applicable regulation. First-mover
 advantage: trade compliance is a $15B market dominated by legacy SAP/Oracle
 modules and customs brokerages. None use verification.
--- a/ideas/compliance/world-bank-esf.org
+++ b/ideas/compliance/world-bank-esf.org
@@ -0,0 +1,28 @@
 :PROPERTIES:
 :ID:       auto-world-bank-esf
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: — inclusive growth and well-being, human-centered values and fairness,
 #+filetags: :passepartout:compliance:framework:world:
 — inclusive growth and well-being, human-centered values and fairness,
 transparency and explainability, robustness and safety, accountability.
 Non-binding but influential — the AI Act, Canada's AIDA, and Japan's AI
 guidelines all cite them.
 Why it matters: The OECD frameworks are indirect revenue drivers. Regulatory
 alignment with OECD principles is often a procurement requirement for
 international organizations and development finance institutions. First-mover
 advantage is about standard-setting: the gate package that maps to OECD
 principles first becomes the reference implementation.
 ** World Bank Environmental and Social Framework (ESF)
 The World Bank's framework for managing environmental and social risk in
 investment projects. Ten standards: ESS1 (assessment), ESS2 (labor), ESS3
 (resource efficiency), ESS4 (community health), ESS5 (land/resettlement),
 ESS6 (biodiversity), ESS7 (indigenous peoples), ESS8 (cultural heritage),
 ESS9 (financial intermediaries), ESS10 (stakeholder engagement).
 Who must comply: Borrowers and project implementers across World Bank-financed
 projects in 100+ countries. Also adopted by many multilateral development banks
--- a/scripts/org-to-gbrain.py
+++ b/scripts/org-to-gbrain.py
@@ -1,12 +1,47 @@
 #!/usr/bin/env python3
 """Convert brain Org-mode files to markdown + YAML frontmatter and sync into gbrain."""
-import subprocess, re, os, sys
+import subprocess, re, os, sys, glob
 BRAIN = "/root/brain"
 GBRAIN_SRC = "/mnt/hermes/brain"
 PANDOC = "/usr/bin/pandoc"
 BUN = os.path.expanduser("~/.bun/bin/gbrain")
 def find_org_files():
    """Scan ideas/ recursively for all .org files, return (slug, rel_path, abs_path)."""
    files = []
    base = f"{BRAIN}/ideas"
    for root, dirs, filenames in os.walk(base):
        for fn in filenames:
            if not fn.endswith('.org'):
                continue
            abs_path = os.path.join(root, fn)
            rel = os.path.relpath(abs_path, base)
            # rel is like "compliance/hipaa.org" or "triad-overview.org"
            name = fn[:-4]  # remove .org
            files.append((name, rel, abs_path))
    return files
 def gbrain_target(rel_path):
    """Derive gbrain target path from org relative path.
    ideas/compliance/hipaa.org  → concepts/compliance/hipaa.md
    ideas/triad-overview.org    → concepts/triad-overview.md (via routing dict)
    ideas/competitive-analysis...→ ideas/competitive-analysis.md
    """
    parts = rel_path.split('/')
    if len(parts) == 1:
        # Flat file in ideas/ root — use ROUTING dict
        slug = parts[0][:-4] if parts[0].endswith('.org') else parts[0][:-4]
        category = ROUTING.get(slug, "concepts")
        return f"{GBRAIN_SRC}/{category}/{slug}.md"
    else:
        # In a subdirectory: ideas/compliance/foo.org → concepts/compliance/foo.md
        subdir = parts[0]
        slug = parts[1][:-4] if parts[1].endswith('.org') else parts[1][:-4]
        return f"{GBRAIN_SRC}/concepts/{subdir}/{slug}.md"
 def extract_org_properties(src_path):
    """Extract :PROPERTIES: drawer and #+title/#+filetags from an org file."""
    props = {}
@@ -135,20 +170,13 @@ ROUTING = {
 }
 def main():
    # Ensure MECE directories exist
    for d in ["concepts", "ideas"]:
        os.makedirs(f"{GBRAIN_SRC}/{d}", exist_ok=True)
    imported = []
-    for slug, category in ROUTING.items():
+    for slug, rel_path, src_path in find_org_files():
-        src_path = f"{BRAIN}/ideas/{slug}.org"
+        dst_path = gbrain_target(rel_path)
        if not os.path.exists(src_path):
            print(f"  SKIP {slug}: not found")
            continue
-        dst_dir = f"{GBRAIN_SRC}/{category}"
+        # Create parent directories
-        dst_path = f"{dst_dir}/{slug}.md"
+        os.makedirs(os.path.dirname(dst_path), exist_ok=True)
        # Extract frontmatter from org properties
        props = extract_org_properties(src_path)
@@ -168,8 +196,10 @@ def main():
        with open(dst_path, 'w') as f:
            f.write(full)
-        imported.append(f"{category}/{slug}.md")
+        # Show relative path for clarity
-        print(f"  OK  {category}/{slug}")
+        rel_dst = os.path.relpath(dst_path, GBRAIN_SRC)
        imported.append(rel_dst)
        print(f"  OK  {rel_dst}")
    print(f"\nConverted {len(imported)} files.")