Promote compliance mapping to triad-wide scope at ideas/ root

Moved from ideas/passepartout-economics/compliance-framework-reference.org
to ideas/compliance-framework-mapping.org. This is a cross-cutting document
— compliance frameworks affect Logos (gate certification), Stoa (hardware
attestation), and Agora (marketplace/pds certification), not just economics.

Updated filetags to reflect triad-wide scope.
Updated all internal file: links with passepartout-economics/ prefix.
Expanded from 4 to ~33 frameworks across US, UK/EU, Asia-Pacific, Latin
America, and international organizations (World Bank, IFC, FATF, OECD, UN).
Hermes
2026-05-23 06:06:13 +00:00
parent fce952e900
commit 9f09d39232

@@ -2,8 +2,8 @@
:ID: e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c :ID: e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c
:CREATED: [2026-05-23 Sat] :CREATED: [2026-05-23 Sat]
:END: :END:
#+title: Compliance Framework Mapping — Global Regulated Industries #+title: Compliance Framework Mapping — Global Regulated Industries (Triad-Wide)
#+filetags: :passepartout:compliance:reference:regulation:global:oecd: #+filetags: :passepartout:triad:compliance:global:oecd:regulation:mapping:
The verification monopoly and domain gate package revenue streams depend on The verification monopoly and domain gate package revenue streams depend on
selling into regulated industries. These industries buy compliance, not software. selling into regulated industries. These industries buy compliance, not software.
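Review bot: the filetags line drops the :reference: tag while adding :triad: and :mapping:; if any org-roam or agenda query selects reference documents by that tag, this file silently falls out of it, and the commit message only says the tags were updated for scope, so either keep :reference: or state that the drop is intended. A second point on the same hunk: the title now says "(Triad-Wide)" but the paragraph directly under it is unchanged and still frames the whole document as serving "the verification monopoly and domain gate package revenue streams", which is exactly the economics-only scope the commit says it is leaving; a one-line rewrite that names Logos, Stoa and Agora up front would make the body match the new title. Leaving :ID: untouched is right, since any id: links pointing at this node keep resolving after the move.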
@@ -40,13 +40,13 @@ imprisonment). State AGs can also bring civil actions.
** Why it matters for the triad ** Why it matters for the triad
HIPAA is the largest single compliance market in US healthcare — every hospital, HIPAA is the largest single compliance market in US healthcare — every hospital,
clinic, insurer, and health-tech vendor must comply. The [[file:domain-gate-packages.org][HIPAA gate package]] clinic, insurer, and health-tech vendor must comply. The [[file:passepartout-economics/domain-gate-packages.org][HIPAA gate package]]
($50K/yr) encodes the Privacy Rule and Security Rule as ACL2-verifiable gate ($50K/yr) encodes the Privacy Rule and Security Rule as ACL2-verifiable gate
constraints. Every PHI access attempt passes through the gate stack, producing constraints. Every PHI access attempt passes through the gate stack, producing
a machine-checkable audit trail that satisfies the Security Rule's audit control a machine-checkable audit trail that satisfies the Security Rule's audit control
requirement automatically. No separate logging infrastructure needed. Over a requirement automatically. No separate logging infrastructure needed. Over a
five-year deployment, the accumulated fact store and proof history create five-year deployment, the accumulated fact store and proof history create
[[file:infrastructure-lock-in.org][infrastructure lock-in]] — switching to a competitor means discarding all of it. [[file:passepartout-economics/infrastructure-lock-in.org][infrastructure lock-in]] — switching to a competitor means discarding all of it.
* SOC 2 (System and Organization Controls 2) * SOC 2 (System and Organization Controls 2)
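Review bot: every link in this hunk is a relative file: link rewritten with a passepartout-economics/ prefix, so the document breaks again the next time either side moves. This node already carries an :ID: property; if domain-gate-packages.org and infrastructure-lock-in.org carry one too, id: links resolve independently of path and the rest of this commit's mechanical rewrites would not be needed. One content point while here, since the section now doubles as the reference for Stoa's hardware attestation: "No separate logging infrastructure needed" only holds for PHI access that actually passes through the gate stack. The Security Rule's audit controls cover activity in systems that contain ePHI generally, so out-of-band paths (database administration, backup and restore, break-glass access) still need their own logging, and the gate log itself needs integrity protection and a retention policy before it can be offered as the audit-control evidence.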
@@ -85,13 +85,13 @@ enterprise customers. Misrepresentation of certification status is fraud.
** Why it matters for the triad ** Why it matters for the triad
SOC 2 is the entry-level certification for the [[file:compute-marketplace.org][compute marketplace]]. A provider SOC 2 is the entry-level certification for the [[file:passepartout-economics/compute-marketplace.org][compute marketplace]]. A provider
needs SOC 2 Type II to sell compute to enterprises whose procurement policy needs SOC 2 Type II to sell compute to enterprises whose procurement policy
requires audited vendors. The gate stack itself maps directly to the Security requires audited vendors. The gate stack itself maps directly to the Security
criterion (access controls, audit trails) — the Passepartout instance's criterion (access controls, audit trails) — the Passepartout instance's
deterministic gate log serves as the evidence artifact for the audit. No deterministic gate log serves as the evidence artifact for the audit. No
separate logging SIEM needed. This is the prerequisite to the larger separate logging SIEM needed. This is the prerequisite to the larger
[[file:verification-monopoly.org][verification monopoly]] play — once enterprises trust the audit trail, they [[file:passepartout-economics/verification-monopoly.org][verification monopoly]] play — once enterprises trust the audit trail, they
buy domain-specific gate packages for the same infrastructure. buy domain-specific gate packages for the same infrastructure.
* GDPR (General Data Protection Regulation) * GDPR (General Data Protection Regulation)
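Review bot: the text around the updated link calls SOC 2 a "certification", and the context line above speaks of "certification status", but a SOC 2 Type II is an attestation report issued by a CPA firm under AICPA standards, not a certification; there is no certificate to hold or to misrepresent, only a report with an auditor's opinion, a covered period and listed exceptions. Since the Agora marketplace/pds certification will presumably check for this, the section should say what a provider presents (a current Type II report, its period, its exceptions) rather than "certified". The "No separate logging SIEM needed" claim also needs the same caveat as the HIPAA section: the gate log evidences the logical-access parts of the Security criterion for traffic that goes through the gate stack, not the rest of the common criteria an auditor samples (change management, risk assessment, vendor management) or the Availability criterion.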
@@ -133,13 +133,13 @@ GDPR is the most extraterritorial and aggressively enforced privacy framework.
The gate stack's principle of least privilege maps naturally to GDPR's data The gate stack's principle of least privilege maps naturally to GDPR's data
minimization requirement. Every data access is gated by a verified rule that minimization requirement. Every data access is gated by a verified rule that
states the purpose — the proof log is a built-in DPIA artifact. For the states the purpose — the proof log is a built-in DPIA artifact. For the
[[file:compute-marketplace.org][compute marketplace]]: a provider processing proofs on EU users' gate data must [[file:passepartout-economics/compute-marketplace.org][compute marketplace]]: a provider processing proofs on EU users' gate data must
maintain DPAs with all clients. Proof logs themselves may constitute personal maintain DPAs with all clients. Proof logs themselves may constitute personal
data if they reference natural persons (names in access rules, etc.), creating data if they reference natural persons (names in access rules, etc.), creating
a demand for privacy-preserving proof techniques. This is why the a demand for privacy-preserving proof techniques. This is why the
[[file:domain-gate-packages.org][GDPR gate package]] includes data-processing agreement templates and [[file:passepartout-economics/domain-gate-packages.org][GDPR gate package]] includes data-processing agreement templates and
purpose-boundary gate rules that are independently verified by the provider's purpose-boundary gate rules that are independently verified by the provider's
[[file:evaluation-harness.org][evaluation harness]]. [[file:passepartout-economics/evaluation-harness.org][evaluation harness]].
* FedRAMP (Federal Risk and Authorization Management Program) * FedRAMP (Federal Risk and Authorization Management Program)
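Review bot: "the proof log is a built-in DPIA artifact" conflates two things. A DPIA (Art. 35) is a forward-looking risk assessment of a processing activity, produced before processing starts; a per-access proof log is evidence for the accountability and records-of-processing duties (Art. 5(2), Art. 30) and for demonstrating purpose limitation, which is the stronger and more accurate claim to make here. Second, the paragraph already admits that proof logs may contain names; a deterministic, append-only log that embeds natural-person identifiers collides with rectification and erasure requests (Art. 16, Art. 17) against the log itself, so the "privacy-preserving proof techniques" should concretely include pseudonymous subject identifiers in rules and logs with the mapping held separately, otherwise the GDPR gate package ships an artifact it cannot delete from.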
@@ -182,14 +182,14 @@ contracts. FedRAMP is a procurement gate, not a regulatory one.
FedRAMP is the highest bar and the most expensive certification to obtain. FedRAMP is the highest bar and the most expensive certification to obtain.
Few cloud providers achieve it (fewer than 300 authorized products as of 2025). Few cloud providers achieve it (fewer than 300 authorized products as of 2025).
But those that do capture the US government market with minimal competition. But those that do capture the US government market with minimal competition.
For the triad: a [[file:compute-marketplace.org][compute marketplace]] provider with FedRAMP Moderate or High For the triad: a [[file:passepartout-economics/compute-marketplace.org][compute marketplace]] provider with FedRAMP Moderate or High
authorization can sell to every federal agency. The gate stack's deterministic authorization can sell to every federal agency. The gate stack's deterministic
audit trail maps directly to FedRAMP's continuous monitoring requirement — audit trail maps directly to FedRAMP's continuous monitoring requirement —
producing verifiable evidence of control effectiveness on every access, not producing verifiable evidence of control effectiveness on every access, not
just during the annual assessment. This is what justifies the just during the annual assessment. This is what justifies the
[[file:domain-gate-packages.org][FedRAMP gate package]] at $100K/yr (the highest price) — it is not a software [[file:passepartout-economics/domain-gate-packages.org][FedRAMP gate package]] at $100K/yr (the highest price) — it is not a software
package, it is the evidence pipeline for a certification that costs $1M-$5M package, it is the evidence pipeline for a certification that costs $1M-$5M
and 12-36 months to obtain independently. The [[file:verification-monopoly.org][verification monopoly]] argument and 12-36 months to obtain independently. The [[file:passepartout-economics/verification-monopoly.org][verification monopoly]] argument
applies hardest here: an agency that has relied on a FedRAMP-authorized compute applies hardest here: an agency that has relied on a FedRAMP-authorized compute
provider for five years cannot switch without re-running the entire authorization provider for five years cannot switch without re-running the entire authorization
process with a new provider. process with a new provider.
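Review bot: two claims in the text this hunk re-links overstate FedRAMP. "maps directly to FedRAMP's continuous monitoring requirement": ConMon is a package of monthly vulnerability scans, POA&M maintenance, significant-change reporting and an annual 3PAO assessment; a deterministic audit trail is good evidence for the AU control family but does not discharge ConMon. "cannot switch without re-running the entire authorization process with a new provider": FedRAMP authorizes the provider's offering once for reuse across agencies, so if the competitor already holds a Moderate or High authorization the agency reuses that package and issues its own ATO; the switching cost is the agency's ATO work and migration, not a fresh $1M-$5M, 12-36 month authorization. The lock-in argument is stronger when stated as the accumulated evidence history rather than as the authorization itself.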
@@ -345,7 +345,7 @@ Penalties: Up to 35M EUR or 7% of global turnover (higher than GDPR).
Why it matters: The EU AI Act's conformity assessment requirement creates an Why it matters: The EU AI Act's conformity assessment requirement creates an
instant certification market. Passepartout's gate stack can serve as the instant certification market. Passepartout's gate stack can serve as the
human oversight and accuracy/robustness infrastructure for any AI system human oversight and accuracy/robustness infrastructure for any AI system
deployed through it. The [[file:verification-monopoly.org][verification monopoly]] argument applies at maximum deployed through it. The [[file:passepartout-economics/verification-monopoly.org][verification monopoly]] argument applies at maximum
force: an ACL2-verified gate stack is the most defensible approach to AI Act force: an ACL2-verified gate stack is the most defensible approach to AI Act
compliance. First-mover advantage: the regulation takes effect August 2026. compliance. First-mover advantage: the regulation takes effect August 2026.
No certification body or tool vendor has an ACL2-based compliance pipeline. No certification body or tool vendor has an ACL2-based compliance pipeline.
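Review bot: "the regulation takes effect August 2026" is imprecise, and the date carries the first-mover claim. The AI Act entered into force on 1 August 2024; the prohibited-practices provisions applied from 2 February 2025, the general-purpose AI model obligations from 2 August 2025, the Annex III high-risk obligations (including the conformity assessment this paragraph relies on) apply from 2 August 2026, and high-risk systems embedded in Annex I products from 2 August 2027. Say which milestone is meant. Separately, "No certification body or tool vendor has an ACL2-based compliance pipeline" is an unverifiable absolute; phrase it as none known to the authors, or cite the survey it rests on, since a reader will hold the document to it.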