diff --git a/ideas/passepartout-economics/compliance-framework-reference.org b/ideas/compliance-framework-mapping.org similarity index 96% rename from ideas/passepartout-economics/compliance-framework-reference.org rename to ideas/compliance-framework-mapping.org index 48ae5a8..c8a856d 100644 --- a/ideas/passepartout-economics/compliance-framework-reference.org +++ b/ideas/compliance-framework-mapping.org @@ -2,8 +2,8 @@ :ID: e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c :CREATED: [2026-05-23 Sat] :END: -#+title: Compliance Framework Mapping — Global Regulated Industries -#+filetags: :passepartout:compliance:reference:regulation:global:oecd: +#+title: Compliance Framework Mapping — Global Regulated Industries (Triad-Wide) +#+filetags: :passepartout:triad:compliance:global:oecd:regulation:mapping: The verification monopoly and domain gate package revenue streams depend on selling into regulated industries. These industries buy compliance, not software. @@ -40,13 +40,13 @@ imprisonment). State AGs can also bring civil actions. ** Why it matters for the triad HIPAA is the largest single compliance market in US healthcare — every hospital, -clinic, insurer, and health-tech vendor must comply. The [[file:domain-gate-packages.org][HIPAA gate package]] +clinic, insurer, and health-tech vendor must comply. The [[file:passepartout-economics/domain-gate-packages.org][HIPAA gate package]] ($50K/yr) encodes the Privacy Rule and Security Rule as ACL2-verifiable gate constraints. Every PHI access attempt passes through the gate stack, producing a machine-checkable audit trail that satisfies the Security Rule's audit control requirement automatically. No separate logging infrastructure needed. Over a five-year deployment, the accumulated fact store and proof history create -[[file:infrastructure-lock-in.org][infrastructure lock-in]] — switching to a competitor means discarding all of it. +[[file:passepartout-economics/infrastructure-lock-in.org][infrastructure lock-in]] — switching to a competitor means discarding all of it. * SOC 2 (System and Organization Controls 2) @@ -85,13 +85,13 @@ enterprise customers. Misrepresentation of certification status is fraud. ** Why it matters for the triad -SOC 2 is the entry-level certification for the [[file:compute-marketplace.org][compute marketplace]]. A provider +SOC 2 is the entry-level certification for the [[file:passepartout-economics/compute-marketplace.org][compute marketplace]]. A provider needs SOC 2 Type II to sell compute to enterprises whose procurement policy requires audited vendors. The gate stack itself maps directly to the Security criterion (access controls, audit trails) — the Passepartout instance's deterministic gate log serves as the evidence artifact for the audit. No separate logging SIEM needed. This is the prerequisite to the larger -[[file:verification-monopoly.org][verification monopoly]] play — once enterprises trust the audit trail, they +[[file:passepartout-economics/verification-monopoly.org][verification monopoly]] play — once enterprises trust the audit trail, they buy domain-specific gate packages for the same infrastructure. * GDPR (General Data Protection Regulation) @@ -133,13 +133,13 @@ GDPR is the most extraterritorial and aggressively enforced privacy framework. The gate stack's principle of least privilege maps naturally to GDPR's data minimization requirement. Every data access is gated by a verified rule that states the purpose — the proof log is a built-in DPIA artifact. For the -[[file:compute-marketplace.org][compute marketplace]]: a provider processing proofs on EU users' gate data must +[[file:passepartout-economics/compute-marketplace.org][compute marketplace]]: a provider processing proofs on EU users' gate data must maintain DPAs with all clients. Proof logs themselves may constitute personal data if they reference natural persons (names in access rules, etc.), creating a demand for privacy-preserving proof techniques. This is why the -[[file:domain-gate-packages.org][GDPR gate package]] includes data-processing agreement templates and +[[file:passepartout-economics/domain-gate-packages.org][GDPR gate package]] includes data-processing agreement templates and purpose-boundary gate rules that are independently verified by the provider's -[[file:evaluation-harness.org][evaluation harness]]. +[[file:passepartout-economics/evaluation-harness.org][evaluation harness]]. * FedRAMP (Federal Risk and Authorization Management Program) @@ -182,14 +182,14 @@ contracts. FedRAMP is a procurement gate, not a regulatory one. FedRAMP is the highest bar and the most expensive certification to obtain. Few cloud providers achieve it (fewer than 300 authorized products as of 2025). But those that do capture the US government market with minimal competition. -For the triad: a [[file:compute-marketplace.org][compute marketplace]] provider with FedRAMP Moderate or High +For the triad: a [[file:passepartout-economics/compute-marketplace.org][compute marketplace]] provider with FedRAMP Moderate or High authorization can sell to every federal agency. The gate stack's deterministic audit trail maps directly to FedRAMP's continuous monitoring requirement — producing verifiable evidence of control effectiveness on every access, not just during the annual assessment. This is what justifies the -[[file:domain-gate-packages.org][FedRAMP gate package]] at $100K/yr (the highest price) — it is not a software +[[file:passepartout-economics/domain-gate-packages.org][FedRAMP gate package]] at $100K/yr (the highest price) — it is not a software package, it is the evidence pipeline for a certification that costs $1M-$5M -and 12-36 months to obtain independently. The [[file:verification-monopoly.org][verification monopoly]] argument +and 12-36 months to obtain independently. The [[file:passepartout-economics/verification-monopoly.org][verification monopoly]] argument applies hardest here: an agency that has relied on a FedRAMP-authorized compute provider for five years cannot switch without re-running the entire authorization process with a new provider. @@ -345,7 +345,7 @@ Penalties: Up to 35M EUR or 7% of global turnover (higher than GDPR). Why it matters: The EU AI Act's conformity assessment requirement creates an instant certification market. Passepartout's gate stack can serve as the human oversight and accuracy/robustness infrastructure for any AI system -deployed through it. The [[file:verification-monopoly.org][verification monopoly]] argument applies at maximum +deployed through it. The [[file:passepartout-economics/verification-monopoly.org][verification monopoly]] argument applies at maximum force: an ACL2-verified gate stack is the most defensible approach to AI Act compliance. First-mover advantage: the regulation takes effect August 2026. No certification body or tool vendor has an ACL2-based compliance pipeline.