ReguNav Compliance-to-Architecture Framework™
A machine-readable control, evidence and architecture ontology for regulated AI, data and software systems.
The navigation layer between regulation, controls, software architecture and audit evidence.
Why this exists
Most companies have legal teams reading regulations, compliance teams building spreadsheets, engineers building systems without knowing control intent, auditors asking for evidence, vendors producing random documents, and AI teams deploying models with weak governance.
These groups speak different vocabularies. Compliance-to-Architecture is the shared graph that lets each group ask the question they care about and get an answer the others can verify.
Scope of v0.1
This specification covers eight typed layers that combine into a single graph. Implementations are free to extend any layer; they SHOULD NOT remove fields. Optional fields are explicitly marked ?.
- Assign IDs from the canonical prefix space (OBL-…, CTRL-…, EV-…, ARCH-…, POL-…).
- Treat every relationship as an immutable, versioned edge with provenance.
- Expose the entire graph through a JSON API that mirrors the type definitions in packages/ontology/src/types.ts.
- Treat any deviation from a published authority's text as a derivative obligation with explicit reasoning, not a silent rewrite.
Authority versions tracked in v0.1
- eu-ai-act@2024-1689 — in force 1 Aug 2024, applicable 2 Aug 2026 for high-risk
- iso-42001@2023
- iso-27001@2022
- gdpr@2016-679
- soc2@2017 (revised 2022)
- dora@2022-2554 — applicable 17 Jan 2025
- nist-ai-rmf@1.0
- pci-dss@4.0.1 — June 2024 limited revision
- hipaa@1996 (amended)
How to extend
- Open a PR against packages/ontology/src/seed.ts adding your authority, obligation, control, evidence, architecture or policy.
- Cite the source clause inline.
- Run pnpm --filter @regunav/ontology build — fails loudly if you violate the type contract.
- The merged change auto-deploys to the public /v1/ontology API surface on api.regunav.com.
Citation
ReguNav Compliance-to-Architecture Framework™, v0.1 (2026). Regunav Inc. https://framework.regunav.com
Scope of openness
The artefacts published here are structural only: the eight typed layers, their public field names, a small end-to-end seed dataset, JSON Schemas for evidence objects, and the citation + extension procedure.
Everything that makes the running system non-trivial — regulatory-scope inference, applicability decision trees, confidence scoring, document-ingestion pipelines, AI-assisted classification, control-ranking logic, architecture recommendation, evidence inference, policy-as-code generation, regulatory change diffing, and the operational dashboards/agents that consume this graph — is not within the scope of this open specification. Those layers live in the ReguNav™ commercial engine and are not licensed by this Apache-2.0 publication.
Implementations of this open framework do not confer any licence under patents or other intellectual-property rights held by Regunav Inc. that cover the commercial engine. Apache-2.0's patent grant covers only the contributions made through this repository.
Trademark
ReguNav™ and Compliance-to-Architecture Framework™ are trademarks of Regunav Inc. The framework is published openly under Apache-2.0; the trademarks are reserved for use by the maintainer in authoritative releases. Forks may use the data but should not invoke the trademarks on derivative or competing implementations.
Canonical source: github.com/Compliance-to-Architecture/framework/blob/main/SPEC.md