Compliance mapping
Every finding auto-derives which regulatory framework it constitutes evidence for. Today: EU AI Act, NIST AI RMF (incl. GenAI Profile), SOC 2, ISO 27001:2022, PCI-DSS v4.0, HIPAA Security Rule, LGPD/GDPR. No tagging, no taxonomy upkeep — the mapping is deterministic and lives in apps/shared.
Key points
- Per-framework filter on /findings — pull only the findings that constitute evidence for one regime.
- Per-framework SARIF segments in the evidence pack — one .sarif per framework the run produced findings for.
- compliance/coverage.json — auditor-grade summary with control hits + finding IDs.
- Maintenance runbook in docs/COMPLIANCE_MAPPING.md so the mapping evolves with framework versions.
01
Frameworks covered
- EU AI Act Art.10/13/14/15; NIST AI RMF GOVERN-1.5 + MAP-2.3 + MEASURE-2.6/2.7 + MANAGE-4.1 + GAI-1.1.
- SOC 2 CC6.1/CC6.6/CC7.1/CC7.2/CC8.1; ISO 27001 A.5.7/A.8.2/A.8.16/A.8.26/A.8.28.
- PCI-DSS Req.6.2/6.3/7/10; HIPAA §164.308/§164.312; LGPD Art.46 + GDPR Art.32/Art.25/Art.33-34.
02
How the mapping is derived
- Each finding carries an owasp_category (LLM01–LLM10) + attack_technique (MITRE ATT&CK).
- deriveComplianceFrameworks() in apps/shared walks a curated control catalogue per framework.
- Match is deterministic and pure — no LLM in the loop, regenerable on demand.