Promote compliance mapping to triad-wide scope at ideas/ root
Moved from ideas/passepartout-economics/compliance-framework-reference.org to ideas/compliance-framework-mapping.org. This is a cross-cutting document — compliance frameworks affect Logos (gate certification), Stoa (hardware attestation), and Agora (marketplace/pds certification), not just economics. Updated filetags to reflect triad-wide scope. Updated all internal file: links with passepartout-economics/ prefix. Expanded from 4 to ~33 frameworks across US, UK/EU, Asia-Pacific, Latin America, and international organizations (World Bank, IFC, FATF, OECD, UN).
This commit is contained in:
Hermes
@@ -2,8 +2,8 @@
|
||||
:ID: e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title: Compliance Framework Mapping — Global Regulated Industries
|
||||
#+filetags: :passepartout:compliance:reference:regulation:global:oecd:
|
||||
#+title: Compliance Framework Mapping — Global Regulated Industries (Triad-Wide)
|
||||
#+filetags: :passepartout:triad:compliance:global:oecd:regulation:mapping:
|
||||
|
||||
The verification monopoly and domain gate package revenue streams depend on
|
||||
selling into regulated industries. These industries buy compliance, not software.
|
||||
@@ -40,13 +40,13 @@ imprisonment). State AGs can also bring civil actions.
|
||||
** Why it matters for the triad
|
||||
|
||||
HIPAA is the largest single compliance market in US healthcare — every hospital,
|
||||
clinic, insurer, and health-tech vendor must comply. The [[file:domain-gate-packages.org][HIPAA gate package]]
|
||||
clinic, insurer, and health-tech vendor must comply. The [[file:passepartout-economics/domain-gate-packages.org][HIPAA gate package]]
|
||||
($50K/yr) encodes the Privacy Rule and Security Rule as ACL2-verifiable gate
|
||||
constraints. Every PHI access attempt passes through the gate stack, producing
|
||||
a machine-checkable audit trail that satisfies the Security Rule's audit control
|
||||
requirement automatically. No separate logging infrastructure needed. Over a
|
||||
five-year deployment, the accumulated fact store and proof history create
|
||||
[[file:infrastructure-lock-in.org][infrastructure lock-in]] — switching to a competitor means discarding all of it.
|
||||
[[file:passepartout-economics/infrastructure-lock-in.org][infrastructure lock-in]] — switching to a competitor means discarding all of it.
|
||||
|
||||
* SOC 2 (System and Organization Controls 2)
|
||||
|
||||
@@ -85,13 +85,13 @@ enterprise customers. Misrepresentation of certification status is fraud.
|
||||
|
||||
** Why it matters for the triad
|
||||
|
||||
SOC 2 is the entry-level certification for the [[file:compute-marketplace.org][compute marketplace]]. A provider
|
||||
SOC 2 is the entry-level certification for the [[file:passepartout-economics/compute-marketplace.org][compute marketplace]]. A provider
|
||||
needs SOC 2 Type II to sell compute to enterprises whose procurement policy
|
||||
requires audited vendors. The gate stack itself maps directly to the Security
|
||||
criterion (access controls, audit trails) — the Passepartout instance's
|
||||
deterministic gate log serves as the evidence artifact for the audit. No
|
||||
separate logging SIEM needed. This is the prerequisite to the larger
|
||||
[[file:verification-monopoly.org][verification monopoly]] play — once enterprises trust the audit trail, they
|
||||
[[file:passepartout-economics/verification-monopoly.org][verification monopoly]] play — once enterprises trust the audit trail, they
|
||||
buy domain-specific gate packages for the same infrastructure.
|
||||
|
||||
* GDPR (General Data Protection Regulation)
|
||||
@@ -133,13 +133,13 @@ GDPR is the most extraterritorial and aggressively enforced privacy framework.
|
||||
The gate stack's principle of least privilege maps naturally to GDPR's data
|
||||
minimization requirement. Every data access is gated by a verified rule that
|
||||
states the purpose — the proof log is a built-in DPIA artifact. For the
|
||||
[[file:compute-marketplace.org][compute marketplace]]: a provider processing proofs on EU users' gate data must
|
||||
[[file:passepartout-economics/compute-marketplace.org][compute marketplace]]: a provider processing proofs on EU users' gate data must
|
||||
maintain DPAs with all clients. Proof logs themselves may constitute personal
|
||||
data if they reference natural persons (names in access rules, etc.), creating
|
||||
a demand for privacy-preserving proof techniques. This is why the
|
||||
[[file:domain-gate-packages.org][GDPR gate package]] includes data-processing agreement templates and
|
||||
[[file:passepartout-economics/domain-gate-packages.org][GDPR gate package]] includes data-processing agreement templates and
|
||||
purpose-boundary gate rules that are independently verified by the provider's
|
||||
[[file:evaluation-harness.org][evaluation harness]].
|
||||
[[file:passepartout-economics/evaluation-harness.org][evaluation harness]].
|
||||
|
||||
* FedRAMP (Federal Risk and Authorization Management Program)
|
||||
|
||||
@@ -182,14 +182,14 @@ contracts. FedRAMP is a procurement gate, not a regulatory one.
|
||||
FedRAMP is the highest bar and the most expensive certification to obtain.
|
||||
Few cloud providers achieve it (fewer than 300 authorized products as of 2025).
|
||||
But those that do capture the US government market with minimal competition.
|
||||
For the triad: a [[file:compute-marketplace.org][compute marketplace]] provider with FedRAMP Moderate or High
|
||||
For the triad: a [[file:passepartout-economics/compute-marketplace.org][compute marketplace]] provider with FedRAMP Moderate or High
|
||||
authorization can sell to every federal agency. The gate stack's deterministic
|
||||
audit trail maps directly to FedRAMP's continuous monitoring requirement —
|
||||
producing verifiable evidence of control effectiveness on every access, not
|
||||
just during the annual assessment. This is what justifies the
|
||||
[[file:domain-gate-packages.org][FedRAMP gate package]] at $100K/yr (the highest price) — it is not a software
|
||||
[[file:passepartout-economics/domain-gate-packages.org][FedRAMP gate package]] at $100K/yr (the highest price) — it is not a software
|
||||
package, it is the evidence pipeline for a certification that costs $1M-$5M
|
||||
and 12-36 months to obtain independently. The [[file:verification-monopoly.org][verification monopoly]] argument
|
||||
and 12-36 months to obtain independently. The [[file:passepartout-economics/verification-monopoly.org][verification monopoly]] argument
|
||||
applies hardest here: an agency that has relied on a FedRAMP-authorized compute
|
||||
provider for five years cannot switch without re-running the entire authorization
|
||||
process with a new provider.
|
||||
@@ -345,7 +345,7 @@ Penalties: Up to 35M EUR or 7% of global turnover (higher than GDPR).
|
||||
Why it matters: The EU AI Act's conformity assessment requirement creates an
|
||||
instant certification market. Passepartout's gate stack can serve as the
|
||||
human oversight and accuracy/robustness infrastructure for any AI system
|
||||
deployed through it. The [[file:verification-monopoly.org][verification monopoly]] argument applies at maximum
|
||||
deployed through it. The [[file:passepartout-economics/verification-monopoly.org][verification monopoly]] argument applies at maximum
|
||||
force: an ACL2-verified gate stack is the most defensible approach to AI Act
|
||||
compliance. First-mover advantage: the regulation takes effect August 2026.
|
||||
No certification body or tool vendor has an ACL2-based compliance pipeline.
|
||||
Reference in New Issue
Block a user