# Regulatory → Ξ-Axis Mapping Reference
## Doctrine v6 · R3 Vertical Governance Receipts
> **Purpose**: Comprehensive cross-reference of all 10 Doctrine v6 Ξ-axes to their primary regulatory grounding across the 10 vertical policy domains. Each axis lists 3–5 representative regulations with precise citations. Weight annotation: mandatory = high, recommended = medium, · = advisory.
---
## Doctrine v6 Ξ-Axis Definitions
| ID | Axis | Description |
|-----|----------------|------------------------------------------------------------------------|
| Ξ1 | Transparency | Obligations to disclose AI system capabilities, limitations, and logic |
| Ξ2 | Accountability | Assignment of legal and operational responsibility for AI decisions |
| Ξ3 | Privacy | Protection of personal and sensitive data processed by AI systems |
| Ξ4 | Fairness | Non-discrimination, equity, and representative coverage requirements |
| Ξ5 | Safety | Prevention of physical, operational, and systemic harm |
| Ξ6 | Security | Protection against unauthorized access, adversarial manipulation |
| Ξ7 | Auditability | Tamper-evident logging and verifiable record-keeping |
| Ξ8 | Robustness | Resistance to distribution shift, adversarial perturbation, failure |
| Ξ9 | Explainability | Human-interpretable rationale for AI outputs |
| Ξ10 | Sovereignty | Jurisdictional control over data and AI system deployment |
---
## Ξ1 – Transparency
**Core Obligation**: AI systems must disclose their nature, capabilities, limitations, and decision logic to affected parties and regulators.
| Regulation | Citation | Vertical | Weight | Mechanism |
|-----------|----------|----------|--------|-----------|
| EU AI Act Art. 13 – Transparency for deployers | Regulation (EU) 2024/1689 Art. 13 | LegalTech, Pharma | mandatory | Instructions-for-use document; capabilities/limitations disclosure; IFU hash in receipt |
| GDPR Art. 5(1)(a) – Lawfulness and transparency | Regulation (EU) 2016/679 Art. 5(1)(a) | LegalTech, Academic | mandatory | Privacy notice; algorithmic transparency statement; processing basis disclosure |
| SOX § 404 – Internal controls transparency | Pub. L. 107-204 § 404; 17 CFR § 240.13a-15(f) | Financial | mandatory | ICFR documentation; AI model control evidence in Merkle DAG |
| DO-178C § 5.5 – Traceability | RTCA DO-178C § 5.5; SAE ARP4754B § 5.2 | Aviation | mandatory | Requirements-to-code traceability matrix; receipt annotation |
| NIST SP 800-171 Rev 3 § 3.12.4 – System Security Plans | NIST SP 800-171 Rev 3 Control 3.12.4 | Defense | mandatory | AI system security plan; architecture and provenance documentation |
**Ξ1 Receipt Requirements**: Receipt chain entry must include `disclosure_hash` (SHA3-256 of disclosure document), `disclosure_type` enum, and `target_audience` field.
---
## Ξ2 – Accountability
**Core Obligation**: Named human or institutional principals must be legally responsible for AI system decisions; accountability must be traceable through the receipt chain.
| Regulation | Citation | Vertical | Weight | Mechanism |
|-----------|----------|----------|--------|-----------|
| SOX § 302 – CEO/CFO certification | Pub. L. 107-204 § 302; 17 CFR § 240.13a-15 | Financial | mandatory | Named signatory in receipt chain root; qualified electronic signature |
| COPE AI Authorship (2023) – Disclosure of AI use | COPE Position Statement (2023) | Academic | mandatory | AI system version + inference timestamp in authorship disclosure receipt |
| eIDAS 2.0 Art. 25 – QES legal equivalence | Regulation (EU) 2024/1183 Art. 25 | LegalTech | mandatory | QES via EUDIW; certificate hash in receipt leaf node |
| 21 CFR § 11.50 – Electronic signature manifestations | 21 C.F.R. § 11.50 | Pharma | mandatory | Name, date/time, and signature meaning in receipt metadata |
| SAE J3016 Level 4 ADS accountability | SAE J3016_202104 § 3.14 | Automotive | mandatory | ADS as accountable entity; scene hash + fallback state in decision receipt |
**Ξ2 Receipt Requirements**: Receipt must carry `principal_id` (DID or X.509 distinguished name), `role` (operator/provider/deployer), `signature_algorithm`, and `delegation_chain` if accountability is delegated.
---
## Ξ3 – Privacy
**Core Obligation**: Personal and sensitive data processed by AI systems must be subject to purpose limitation, data minimisation, consent, and access controls.
| Regulation | Citation | Vertical | Weight | Mechanism |
|-----------|----------|----------|--------|-----------|
| HIPAA 45 CFR § 164.502 – PHI use and disclosure | 45 C.F.R. § 164.502(a) | Healthcare | mandatory | Minimum-necessary gating on AI inference; purpose-limited receipt |
| HIPAA 45 CFR § 164.514(b) – De-identification | 45 C.F.R. § 164.514(b) | Healthcare | mandatory | Expert Determination or Safe Harbor; re-ID risk ≤ 0.05 |
| GDPR Art. 5 – Data protection principles | Regulation (EU) 2016/679 Art. 5(1)(c)(e) | LegalTech | mandatory | Data minimisation; storage limitation; processing basis receipt |
| Common Rule 45 CFR § 46.111(a)(7) – Privacy safeguards | 45 C.F.R. § 46.111(a)(7) | Academic | mandatory | k-anonymity k ≥ 5 or DP ε ≤ 1.0; privacy parameter receipt per dataset epoch |
| ISO TR 4804:2020 – In-vehicle telemetry GDPR compliance | ISO TR 4804:2020 § 6.3 | Automotive | mandatory | Consent-receipted trip data; pseudonymisation before ML training |
**Ξ3 Receipt Requirements**: Receipt must include `lawful_basis` (Art. 6 / Art. 9 basis or HIPAA exception), `data_category`, `retention_limit_days`, and `de_id_method` where applicable.
---
## Ξ4 – Fairness
**Core Obligation**: AI systems must not discriminate against protected groups; training data and model outputs must demonstrate representative and equitable coverage.
| Regulation | Citation | Vertical | Weight | Mechanism |
|-----------|----------|----------|--------|-----------|
| ECOA/FCRA Adverse Action – Credit decisions | 15 U.S.C. § 1681m; 12 CFR § 202.9 | Financial | mandatory | Machine-readable reason codes; CFPB guidance on AI credit models |
| Common Rule 45 CFR § 46.111 – Equitable subject selection | 45 C.F.R. § 46.111(a)(3) | Academic | mandatory | Demographic stratification; IRB equity review; receipt with demographic hash |
| EU AI Act Art. 53 – GPAI fairness for research | Regulation (EU) 2024/1689 Art. 53 | Academic, LegalTech | mandatory | Training data summary; evaluation results published; EU AI Act database |
| ISO 21448:2022 § 8 – SOTIF triggering conditions (pedestrian bias) | ISO 21448:2022 § 8 | Automotive | recommended | Pedestrian detection equity across skin tone/age; bias receipts |
| DOE AI Strategy 2024 § 3.2 – Energy equity | U.S. DOE AI Strategy (2024) § 3.2 | Energy | recommended | Demand response equity; census-tract metadata in receipt |
**Ξ4 Receipt Requirements**: Receipt must include `fairness_metric` (e.g., demographic_parity, equalized_odds), `protected_attributes` list, `metric_value` (float), and `test_dataset_hash`.
---
## Ξ5 – Safety
**Core Obligation**: AI systems must identify, assess, and mitigate risks of physical, operational, or systemic harm to humans or critical infrastructure.
| Regulation | Citation | Vertical | Weight | Mechanism |
|-----------|----------|----------|--------|-----------|
| ISO 26262-4:2018 § 7 – Technical safety requirements | ISO 26262-4:2018 § 7; ISO 26262-3:2018 § 7 | Automotive | mandatory | ASIL-D safety goals; probability of failure < 10^-8/h; safety case receipt |
| DO-178C § 6.4 / DO-333 – Structural coverage (MC/DC) | RTCA DO-178C § 6.4; RTCA DO-333 § FM.6.4 | Aviation | mandatory | MC/DC coverage for DAL-B; formal method proofs; coverage receipt |
| E.O. 14110 § 4.2 – National security AI safety | E.O. 14110 § 4.2 (Oct 2023) | Defense | mandatory | Human-on-the-loop kill switch; HotL token in autonomous decision receipt |
| NERC CIP-009-6 R1 – BES recovery plans | NERC CIP-009-6 Requirement R1 | Energy | mandatory | AI-assisted restoration with human override; operator confirmation token |
| HITECH Act § 13402 / 45 CFR § 164.400 – Breach notification | Pub. L. 111-5 § 13402 | Healthcare | mandatory | AI re-identification anomaly detection; 60-day notification trigger |
**Ξ5 Receipt Requirements**: Receipt must include `hazard_id`, `safety_integrity_level` (ASIL/DAL), `risk_reduction_factor`, and `verification_method` (testing/formal_proof/analysis).
---
## Ξ6 – Security
**Core Obligation**: AI systems and their data must be protected against unauthorized access, adversarial manipulation, supply-chain compromise, and cyber incidents.
| Regulation | Citation | Vertical | Weight | Mechanism |
|-----------|----------|----------|--------|-----------|
| HIPAA 45 CFR § 164.312(a)(2)(i) – Unique user ID | 45 C.F.R. § 164.312(a)(2)(i) | Healthcare | mandatory | Cryptographically bound identity token in receipt chain per PHI access |
| NERC CIP-007-6 R4 – Security event monitoring | NERC CIP-007-6 Requirement R4; 18 CFR § 40.7 | Energy | mandatory | Anomaly detection receipts within 15 min; Merkle DAG integrity |
| DFARS 252.204-7012 – Covered defense information | DFARS 252.204-7012(b); 48 CFR § 252.204-7012 | Defense | mandatory | 72-hour incident reporting; AI IOC hash receipt within 1 hour |
| UNECE R 155 – Automotive CSMS | UNECE Regulation No. 155 (2021) | Automotive | mandatory | TARA for AI attack surfaces; threat analysis security receipt |
| 21 CFR § 11.10(e) – Secure audit trails | 21 C.F.R. § 11.10(e) | Pharma | mandatory | Tamper-evident TAI64N-timestamped Merkle DAG |
**Ξ6 Receipt Requirements**: Receipt must include `threat_model_version`, `authentication_method` (FIDO2/PIV/password), `encryption_algorithm`, `key_rotation_epoch`, and `incident_id` if triggered.
---
## Ξ7 – Auditability
**Core Obligation**: AI systems must maintain tamper-evident, time-stamped logs of all significant events; records must be verifiable by external auditors and regulators.
| Regulation | Citation | Vertical | Weight | Mechanism |
|-----------|----------|----------|--------|-----------|
| HIPAA 45 CFR § 164.312(b) – Audit controls | 45 C.F.R. § 164.312(b) | Healthcare | mandatory | Merkle DAG; p50 write ≤ 5 µs per Doctrine v6 §4.7 |
| SOX § 802 / 18 USC § 1519 – Document integrity | Pub. L. 107-204 § 802; 18 U.S.C. § 1519 | Financial | mandatory | Append-only SHA3-256 Merkle DAG; cryptographic non-alteration proof |
| NERC CIP-010-4 R1 – Configuration change management | NERC CIP-010-4 Requirement R1 | Energy | mandatory | Pre/post-update configuration diff receipts |
| DO-178C § 12.3 / Table A-10 – Configuration management | RTCA DO-178C § 12.3 | Aviation | mandatory | DER-signed change-control receipts; configuration baseline |
| 21 CFR § 11.10(e) – Time-stamped audit trails | 21 C.F.R. § 11.10(e) | Pharma | mandatory | GAMP 5 Category 5 validation; audit trail per user/system action |
**Ξ7 Receipt Requirements**: Receipt must include `event_type`, `actor_id`, `timestamp_tai64n`, `prev_receipt_hash` (chain link), `merkle_root`, and `quorum_signatures` array.
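A worked illustration of the Ξ7 chain-link and Merkle-root fields (an added example, not Doctrine v6 project code): receipts carry `prev_receipt_hash` and `timestamp_tai64n` as specified above, each receipt is hashed with SHA3-256, and a Merkle root is computed over the receipt hashes. The canonical-JSON hashing, the binary Merkle layout, the all-zero genesis link, the leap-second handling and the `did:example:` actor identifiers are assumptions of this example.

```python
import hashlib
import json

# Constructed illustration (not Doctrine v6 project code). Field names follow the page;
# canonical-JSON hashing, the Merkle layout and leap-second handling are assumptions.
TAI64_OFFSET = 1 << 62  # TAI64 label of 1970-01-01T00:00:00; leap seconds ignored here

def tai64n_label(unix_ns: int) -> str:
    # 8-byte big-endian TAI64 seconds + 4-byte nanoseconds as 24 hex chars (sorts chronologically)
    secs, nanos = divmod(unix_ns, 1_000_000_000)
    return (TAI64_OFFSET + secs).to_bytes(8, "big").hex() + nanos.to_bytes(4, "big").hex()

def receipt_hash(receipt: dict) -> str:
    # SHA3-256 over sorted-key compact JSON so the hash does not depend on field order
    canon = json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha3_256(canon).hexdigest()

def merkle_root(leaf_hashes: list[str]) -> str:
    # Binary SHA3-256 Merkle tree over hex leaves; an odd trailing node is paired with itself
    level = [bytes.fromhex(h) for h in leaf_hashes] or [hashlib.sha3_256(b"").digest()]
    while len(level) > 1:
        level += [level[-1]] if len(level) % 2 else []
        level = [hashlib.sha3_256(level[i] + level[i + 1]).digest() for i in range(0, len(level), 2)]
    return level[0].hex()

def append_receipt(chain: list, event_type: str, actor_id: str, unix_ns: int) -> dict:
    # Each receipt commits to its predecessor's hash; the genesis link is all zeros (assumed)
    prev = receipt_hash(chain[-1]) if chain else "0" * 64
    receipt = {"event_type": event_type, "actor_id": actor_id,
               "timestamp_tai64n": tai64n_label(unix_ns), "prev_receipt_hash": prev}
    chain.append(receipt)
    return receipt

def verify_chain(chain: list) -> bool:
    # Recompute every link and require TAI64N labels that never move backwards
    expected, last_ts = "0" * 64, ""
    for r in chain:
        if r["prev_receipt_hash"] != expected or r["timestamp_tai64n"] < last_ts:
            return False
        expected, last_ts = receipt_hash(r), r["timestamp_tai64n"]
    return True

def build_sample_chain() -> list:
    # Constructed three-receipt chain with hypothetical DIDs and a fixed nanosecond clock
    chain, t0 = [], 1_700_000_000_000_000_000
    append_receipt(chain, "model_inference", "did:example:operator-1", t0)
    append_receipt(chain, "disclosure_published", "did:example:provider-1", t0 + 1_000)
    append_receipt(chain, "config_change", "did:example:operator-2", t0 + 2_000)
    return chain
```

The link check alone cannot catch an edit to the newest receipt, because no successor commits to it; comparing a freshly recomputed `merkle_root` against a signed or externally published copy (the role of the `quorum_signatures` array) closes that gap.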
---
## Ξ8 – Robustness
**Core Obligation**: AI systems must withstand distribution shift, adversarial perturbation, hardware faults, and operational stress without unsafe degradation.
| Regulation | Citation | Vertical | Weight | Mechanism |
|-----------|----------|----------|--------|-----------|
| SR 11-7 – Model validation and ongoing monitoring | Federal Reserve SR 11-7 § III.C–D | Financial | mandatory | Independent adversarial robustness testing; validation epoch in receipt |
| DO-178C § 6.4 / DO-333 FM.6.3.2 – Formal proof completeness | RTCA DO-178C § 6.4; RTCA DO-333 § FM.6.3.2 | Aviation | mandatory | Lipschitz bounds; formal proof receipts for inference guarantees |
| 21 CFR § 11.10(a) – GxP system validation | 21 C.F.R. § 11.10(a) | Pharma | mandatory | ISPE GAMP 5 Category 5; validation protocol hash in receipt |
| NERC CIP-013-2 R1 – Supply chain risk | NERC CIP-013-2 Requirement R1 | Energy | mandatory | AI model SBOM receipts; provenance verification before BES deployment |
| CMMC L3 / NIST 800-171 § 3.11.2 – Vulnerability scanning | NIST SP 800-171 Rev 3 Control 3.11.2 | Defense | mandatory | Quarterly adversarial robustness scans; scan result commitment receipts |
**Ξ8 Receipt Requirements**: Receipt must include `robustness_metric` (e.g., PGD_ε, Lipschitz_bound), `test_methodology`, `dataset_hash`, `pass_threshold`, and `result` (pass/fail/conditional).
---
## Ξ9 – Explainability
**Core Obligation**: AI outputs affecting human interests must be accompanied by interpretable, human-understandable explanations at a level of detail proportionate to the decision stakes.
| Regulation | Citation | Vertical | Weight | Mechanism |
|-----------|----------|----------|--------|-----------|
| GDPR Art. 22 / EDPB Guidelines 1/2022 – Automated decision-making | Regulation (EU) 2016/679 Art. 22 | LegalTech | mandatory | Meaningful explanation per EDPB § 58; logic + significance + envisaged consequences |
| ECOA / FCRA 15 USC § 1681m – Adverse action notices | 15 U.S.C. § 1681m(a); 12 C.F.R. § 202.9 | Financial | mandatory | Principal reason codes; CFPB AI explanation guidance; reason-code receipt |
| EU AI Act Art. 13 – Transparency for deployers | Regulation (EU) 2024/1689 Art. 13 | All high-risk | mandatory | IFU with interpretability method; explanation receipt per inference |
| ISO 26262-6:2018 § 9 – ML explainability for ASIL-B+ | ISO 26262-6:2018 § 9; ISO TR 29119-11 | Automotive | mandatory | Saliency maps or decision trees as explanation receipts |
| EASA CP No. 2 (2023) – ML explanation for aviation | EASA Concept Paper on ML (Oct 2023) | Aviation | mandatory | Level 1/2 ML explanation; operational scenario coverage documented |
**Ξ9 Receipt Requirements**: Receipt must include `explanation_method` (SHAP/LIME/IntGrad/decision_tree), `explanation_hash`, `target_audience` (regulator/operator/subject), and `fidelity_score` (float in [0,1]).
---
## Ξ10 – Sovereignty
**Core Obligation**: Data and AI system deployment must respect jurisdictional boundaries; data subjects and nation-states retain control over cross-border data flows.
| Regulation | Citation | Vertical | Weight | Mechanism |
|-----------|----------|----------|--------|-----------|
| GDPR Art. 44–49 – International transfers | Regulation (EU) 2016/679 Art. 44–49 (SCCs, BCRs, adequacy) | LegalTech | mandatory | Transfer mechanism documented in receipt; SCCs/BCR reference |
| DFARS 252.204-7012 – CUI jurisdictional control | DFARS 252.204-7012; 48 CFR § 252.204-7012 | Defense | mandatory | CUI enclave attestation; jurisdiction token in receipt chain |
| ISPS Code Part A § 9.4 – SSP flag-state jurisdiction | ISPS Code Part A § 9.4 | Maritime | mandatory | Data residency receipt specifying IMO flag-state; SSP access log |
| Dodd-Frank § 1033 / CFPB Rule 1033 – Consumer data portability | Pub. L. 111-203 § 1033; 12 CFR § 1033.201 | Financial | mandatory | Consumer-authorized scope token in export receipt |
| eIDAS 2.0 Art. 3 – European Digital Identity Wallet sovereignty | Regulation (EU) 2024/1183 Art. 3 | LegalTech | mandatory | EUDIW-bound QES; wallet jurisdiction assertion in receipt |
**Ξ10 Receipt Requirements**: Receipt must include `jurisdiction_code` (ISO 3166-1 alpha-2), `transfer_mechanism` (adequacy/SCC/BCR/none), `data_residency_region`, and `sovereignty_assertion_hash`.
---
## Cross-Vertical Coverage Matrix
| Vertical | Ξ1 | Ξ2 | Ξ3 | Ξ4 | Ξ5 | Ξ6 | Ξ7 | Ξ8 | Ξ9 | Ξ10 | Count |
|-----------------|----|----|----|----|----|----|----|----|----|-----|-------|
| Healthcare | ○ | M | M | · | ○ | M | M | ○ | · | ○ | 9 |
| Financial | M | M | ○ | M | ○ | M | M | M | M | M | 10 |
| Defense | M | M | ○ | ○ | M | M | M | M | · | M | 9 |
| Aviation | M | M | ○ | · | M | ○ | M | M | M | · | 8 |
| Automotive | M | M | ○ | ○ | M | M | M | M | M | M | 10 |
| Pharmaceutical | M | M | ○ | M | M | M | M | M | M | M | 10 |
| Energy | ○ | M | · | · | M | M | M | M | · | M | 8 |
| Maritime | ○ | M | ○ | · | M | M | M | M | M | M | 9 |
| LegalTech | M | M | M | M | ○ | M | M | M | M | M | 10 |
| Academic | M | M | M | M | ○ | ○ | M | · | ○ | ○ | 8 |
| **Axis total** | 9 | 10 | 8 | 8 | 9 | 10 | 10 | 9 | 8 | 9 | |
M = mandatory, · = advisory, ○ = recommended or not applicable (the source glyphs for these two weights are not distinguishable in this copy)
---
*Generated: Doctrine v6 R3 Adversarial Receipts · Receipt chain: SHA3-256 Merkle DAG*