For Compliance · the method
How we solve it.Piece by piece, with provenance.
How one control spine answers many regimes — the crosswalk method, and where the genuine deltas come from.
Piece 1
One spine
Inputs
- The CSA AICM: 18 domains, 247 control objectives, reconciled verbatim against the CSA source at every build
Mechanism
- Every control question lives in exactly one domain (a MECE partition, machine-enforced); every regime is a lens onto that partition, never a second catalog
Outputs
- One implementation surface — controls get built once, evidenced once
Provenance: lib/aicm-taxonomy.ts + the validate-mece build gate; CSA attribution preserved verbatim.
1 deeper item · owner-gated · shown in a walkthrough
Piece 2
The crosswalk & the real deltas
Inputs
- 3 regimes mapped authoritatively (AI-native) and 3 inherited through the CCM bridge
Mechanism
- Each regime maps to the spine with a gap profile: fully covered, partially covered, genuinely uncovered
- Inherited (pre-AI) frameworks additionally carry an AI-delta: the AI-only controls they never reach — that delta is your genuinely new work
Outputs
- Per-regime coverage plus a named delta list — what you already satisfy, what needs a mapping argument, what is new
Provenance: lib/standards-crosswalk.ts, generated from the CSA source files and guard-checked.
2 deeper items · owner-gated · shown in a walkthrough
Piece 3
Who owns each control
Inputs
- The SSRM (Shared Security Responsibility Model) read of every objective
Mechanism
- Each control resolves to provider-owned, shared, or deployer-owned — so audit effort lands only on what is actually yours to evidence
Outputs
- An ownership split you can hand to an auditor next to the coverage read
Provenance: The SSRM ownership map, rendered at /library/ownership.
1 deeper item · owner-gated · shown in a walkthrough
Piece 4
The stack & instruments
Inputs
- 15 published instruments in three lanes — 13 testers, 3 corpora, 5 controls — validated at every build
- Python 3 stdlib-only tooling — nothing to install to reproduce a claim
Mechanism
- Control-lane instruments evidence objectives directly — the artifact an auditor sees names the instrument that produced it, so evidence reuse across regimes is mechanical, not argumentative
- Lane integrity is machine-enforced: an instrument never grades its own lane, and nothing on this site says "tested" without a named instrument behind it
Outputs
- A named, reproducible instrument behind every tested claim you read here
Provenance: lib/tools-registry.ts, guarded by validate-tools in the prebuild chain; instrument detail renders in the /controls drill.
2 deeper items · owner-gated · shown in a walkthrough
The exhibits
The working surfaces behind the answer.
Hover a layer to highlight its mappings. Click any node to walk its crosswalk. NIST is given visual primacy because US enterprises audit against NIST; the international ISO equivalents sit beside as parallel structure.
Canonical surfaces