ComplianceToArchitecture.com
Open specification · Version 0.1 · Apache-2.0

Turn regulations into software architecture.

The Compliance-to-Architecture Framework™ translates the EU AI Act, ISO 27001, ISO 42001, SOC 2, PCI DSS, HIPAA, GDPR, DORA, NIST, FERPA, CCPA and more into controls, evidence, policies, workflows, and software-architecture patterns.

Stop managing compliance as spreadsheets. Build systems that prove compliance by design.

Published by ReguNav™ — the compliance-to-architecture engine for regulated AI, data and software systems.

Compliance is written for lawyers. Software is built by engineers. The gap is where risk lives.

Most organisations still translate compliance manually through spreadsheets, disconnected control libraries, scattered policies, and inconsistent evidence collection. The result is slow delivery, duplicated work, weak audit readiness, and systems that are difficult to prove compliant.

Five vocabularies, no shared graph
  • Legal needs obligations
  • Compliance needs controls
  • Engineering needs architecture
  • Auditors need evidence
  • Regulators need accountability

The Compliance-to-Architecture Framework™ is the shared graph that connects all five.

Compliance-to-Architecture changes the operating model.

A common language between legal, compliance, security, product, engineering, AI governance, and audit teams. Compliance is no longer bolted on after the system is built — it is designed into the system from the start.

  • canonical obligations
  • common controls
  • evidence objects
  • software-architecture requirements
  • policy-as-code rules
  • audit trails
  • control ownership
  • AI-governance requirements
  • vendor + third-party assessment patterns
  • board-ready reporting structures

From legal obligation to runtime evidence.

Each requirement is mapped to: what applies, why it applies, who owns it, what system components are needed, what policies must be enforced, what evidence must be collected, how audit readiness is proven.

§1 · Regulation

Authority document — EU AI Act, GDPR, ISO 27001…

Eight pillars of the framework.

Eight typed layers that combine into a single executable graph.

L1

Authority Document Layer™

Every regulation/standard registered with a precise version. PCI DSS v4.0.1 ≠ v3.2.1; EU AI Act applicable date ≠ in-force date. Versioning is mandatory.

eu-ai-act@2024-1689 · iso-42001@2023 · pci-dss@4.0.1

L2

Obligation Registry™

Authority clauses decomposed into canonical, framework-neutral obligations. The same obligation can originate in multiple authorities.

OBL-PRIV-ACCESS-001 satisfies GDPR Art. 15 + HIPAA §164.524

L3

Common Control Layer

Reusable controls mapped to obligations + an explicit cross-walk array. Implement one control, see exactly which audit clauses are done.

CTRL-IAM-ACCESS-REVIEW-001 → ISO 27001 A.5.18, SOC 2 CC6.3, PCI DSS Req 7.2

L4

Evidence Object Model™

Each control's runtime proof is an EvidenceObject with type, owner, source, frequency, retention, optional JSON Schema.

EV-IAM-001 · type: access-review · quarterly · 6-year retention

L5

Architecture Requirement Layer

The strongest differentiator. Each control declares concrete capabilities the system must have, with reference patterns per cloud.

ARCH-IAM-001 → RBAC/ABAC engine + scheduled review job (Cerbos PEP at every API gateway)

L6

Policy Mapping Layer™

Each control points at one or more policy-as-code bundles — Cerbos, OPA, Cedar, Casbin. Bundles declare decision type + whether passing decisions emit evidence.

POL-IAM-PRIV-001 · engine: cerbos · decisionType: abac · evidenceRequired: true

L7

Audit Pack Model™

Packages proof for internal audit, external audit, customer DDQ, regulator submission, or board reporting.

AP-SOC2-IAM-Q1 · framework: SOC 2 · period: 2026-Q1 · status: audit_ready

L8

Jurisdiction Mapping Model™

Answers the practical launch question: which obligations apply to my company, in this country, for this product, in this sector, serving these users?

JUR-EU × LAW-EU-AI-ACT × applicability test for high-risk systems
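A toy model of the layered graph described above, added here as an illustration rather than ReguNav's own code or schema: the identifiers are the ones quoted on this page, while the links between them and the extra DSAR control are constructed. It shows how "implement one control" resolves to covered audit clauses, evidence objects owed, and obligations still open.

```python
"""Toy Compliance-to-Architecture graph: obligation -> control -> evidence.

Added example, not ReguNav's code or schema. Identifiers come from the page;
the links between them (and CTRL-PRIV-DSAR-001) are constructed here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Obligation:
    id: str
    clauses: tuple[str, ...]      # authority clauses this obligation canonicalises


@dataclass(frozen=True)
class Control:
    id: str
    obligations: tuple[str, ...]  # canonical obligations it satisfies
    crosswalk: tuple[str, ...]    # audit clauses ticked off when implemented
    evidence: tuple[str, ...]     # EvidenceObject ids the control must emit


OBLIGATIONS = {
    "OBL-PRIV-ACCESS-001": Obligation(
        "OBL-PRIV-ACCESS-001", ("GDPR Art. 15", "HIPAA §164.524")),
}
CONTROLS = {
    "CTRL-IAM-ACCESS-REVIEW-001": Control(
        "CTRL-IAM-ACCESS-REVIEW-001", obligations=(),
        crosswalk=("ISO 27001 A.5.18", "SOC 2 CC6.3", "PCI DSS Req 7.2"),
        evidence=("EV-IAM-001",)),
    # Constructed: a DSAR-workflow control that satisfies the access obligation.
    "CTRL-PRIV-DSAR-001": Control(
        "CTRL-PRIV-DSAR-001", obligations=("OBL-PRIV-ACCESS-001",),
        crosswalk=(), evidence=("EV-PRIV-001",)),
}


def gap_report(implemented: set[str]) -> dict[str, set[str]]:
    """Resolve implemented control ids to clauses covered, evidence owed and
    obligations still open. Unregistered ids are rejected, never counted."""
    unknown = implemented - set(CONTROLS)
    if unknown:
        raise KeyError(f"unregistered controls: {sorted(unknown)}")
    covered, evidence, met = set(), set(), set()
    for cid in implemented:
        ctrl = CONTROLS[cid]
        covered.update(ctrl.crosswalk)
        evidence.update(ctrl.evidence)
        for oid in ctrl.obligations:
            met.add(oid)
            covered.update(OBLIGATIONS[oid].clauses)
    return {"covered": covered, "evidence_due": evidence,
            "open": set(OBLIGATIONS) - met}
```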

Cross-walks across 21 regulations.

Each framework is mapped to the obligations, controls, and architecture components ReguNav derives from it. Map a control once and cover every framework that uses it.

Framework: EU AI Act (EU · 113 controls)

Sample obligations
  • Art. 9 risk-management system
  • Art. 10 data governance + bias testing
  • Art. 12 event logging
  • Art. 14 human oversight
  • Art. 27 FRIA
  • Art. 73 serious-incident reporting

Architecture impact
  • AI system registry
  • Model-card publisher
  • Drift detector
  • Immutable WORM audit log
  • Approval workflow

Know what applies, where, and why.

The Jurisdiction Mapping Model™ maps obligations across four orthogonal facets.

Facet 1 · Geography

country · region · state · economic bloc · regulator territory

Examples: EU 🇪🇺 · US 🇺🇸 · UK 🇬🇧 · California · Singapore · Frankfurt eu-central-1

Convert controls into buildable system requirements.

A privacy, security, resilience, or AI-governance control may require concrete capabilities the system must have. The framework makes those requirements explicit.

  • 🔐 Identity & access
  • ⚖️ RBAC / ABAC engine
  • 📝 Consent registry
  • 📨 DSAR workflow
  • 📜 Audit logging
  • 📋 Model inventory
  • 👁️ Human oversight
  • 🚨 Incident management
  • 🗄️ Data retention
  • 🤝 Vendor risk register
  • 📤 Evidence export
  • 🔑 Encryption + KMS

Designed for the AI-regulation era.

AI systems require governance over intended purpose, risk classification, data governance, model monitoring, human oversight, transparency, incident reporting, post-market monitoring, provider/deployer responsibilities, and change management. The framework maps each into operational workflows and software-architecture components.

  • EU AI Act: Annex III high-risk · Art. 27 FRIA · Art. 4 AI literacy · Art. 12 logging · Art. 14 oversight · Art. 53 GPAI
  • ISO/IEC 42001: AI management system · §6.1 risk · §7.4 communication · §8.2 impact assessment · §9.1 monitoring
  • NIST AI RMF: GOVERN · MAP · MEASURE · MANAGE, each mapped to control + evidence objects

Use it. Cite it. Extend it.

Apache-2.0. Open repository. Cite the framework version in your audit pack, your DPIA, your conformity dossier, your board pack.

ReguNav Compliance-to-Architecture Framework™, v0.1 (2026).
Regunav Inc. https://compliancetoarchitecture.com