source/docs/regulatory_to_lambda.md

Regulatory → Λ-Axis Mapping Reference

Doctrine v6 · R3 Vertical Governance Receipts

Purpose: Comprehensive cross-reference of all 10 Doctrine v6 Λ-axes to their primary regulatory grounding across the 10 vertical policy domains. Each axis lists 3–5 representative regulations with precise citations. Weight annotation (★ = high, ○ = medium, · = advisory).

---

Doctrine v6 Λ-Axis Definitions

ID	Axis	Description
Λ1	Transparency	Obligations to disclose AI system capabilities, limitations, and logic
Λ2	Accountability	Assignment of legal and operational responsibility for AI decisions
Λ3	Privacy	Protection of personal and sensitive data processed by AI systems
Λ4	Fairness	Non-discrimination, equity, and representative coverage requirements
Λ5	Safety	Prevention of physical, operational, and systemic harm
Λ6	Security	Protection against unauthorized access, adversarial manipulation
Λ7	Auditability	Tamper-evident logging and verifiable record-keeping
Λ8	Robustness	Resistance to distribution shift, adversarial perturbation, failure
Λ9	Explainability	Human-interpretable rationale for AI outputs
Λ10	Sovereignty	Jurisdictional control over data and AI system deployment

---

Λ1 — Transparency

Core Obligation: AI systems must disclose their nature, capabilities, limitations, and decision logic to affected parties and regulators.

Regulation	Citation	Vertical	Weight	Mechanism
EU AI Act Art. 13 — Transparency for deployers	Regulation (EU) 2024/1689 Art. 13	LegalTech, Pharma	★ mandatory	Instructions-for-use document; capabilities/limitations disclosure; IFU hash in receipt
GDPR Art. 5(1)(a) — Lawfulness and transparency	Regulation (EU) 2016/679 Art. 5(1)(a)	LegalTech, Academic	★ mandatory	Privacy notice; algorithmic transparency statement; processing basis disclosure
SOX § 404 — Internal controls transparency	Pub. L. 107-204 § 404; 17 CFR § 240.13a-15(f)	Financial	★ mandatory	ICFR documentation; AI model control evidence in Merkle DAG
DO-178C § 5.5 — Traceability	RTCA DO-178C § 5.5; SAE ARP4754B § 5.2	Aviation	★ mandatory	Requirements-to-code traceability matrix; receipt annotation
NIST SP 800-171 Rev 3 § 3.12.4 — System Security Plans	NIST SP 800-171 Rev 3 Control 3.12.4	Defense	○ mandatory	AI system security plan; architecture and provenance documentation

Λ1 Receipt Requirements: Receipt chain entry must include disclosure_hash (SHA3-256 of disclosure document), disclosure_type enum, and target_audience field.

---

Λ2 — Accountability

Core Obligation: Named human or institutional principals must be legally responsible for AI system decisions; accountability must be traceable through the receipt chain.

Regulation	Citation	Vertical	Weight	Mechanism
SOX § 302 — CEO/CFO certification	Pub. L. 107-204 § 302; 17 CFR § 240.13a-15	Financial	★ mandatory	Named signatory in receipt chain root; qualified electronic signature
COPE AI Authorship (2023) — Disclosure of AI use	COPE Position Statement (2023)	Academic	★ mandatory	AI system version + inference timestamp in authorship disclosure receipt
eIDAS 2.0 Art. 25 — QES legal equivalence	Regulation (EU) 2024/1183 Art. 25	LegalTech	★ mandatory	QES via EUDIW; certificate hash in receipt leaf node
21 CFR § 11.50 — Electronic signature manifestations	21 C.F.R. § 11.50	Pharma	★ mandatory	Name, date/time, and signature meaning in receipt metadata
SAE J3016 Level 4 ADS accountability	SAE J3016_202104 § 3.14	Automotive	★ mandatory	ADS as accountable entity; scene hash + fallback state in decision receipt

Λ2 Receipt Requirements: Receipt must carry principal_id (DID or X.509 distinguished name), role (operator/provider/deployer), signature_algorithm, and delegation_chain if accountability is delegated.

---

Λ3 — Privacy

Core Obligation: Personal and sensitive data processed by AI systems must be subject to purpose limitation, data minimisation, consent, and access controls.

Regulation	Citation	Vertical	Weight	Mechanism
HIPAA 45 CFR § 164.502 — PHI use and disclosure	45 C.F.R. § 164.502(a)	Healthcare	★ mandatory	Minimum-necessary gating on AI inference; purpose-limited receipt
HIPAA 45 CFR § 164.514(b) — De-identification	45 C.F.R. § 164.514(b)	Healthcare	★ mandatory	Expert Determination or Safe Harbor; re-ID risk ≤ 0.05
GDPR Art. 5 — Data protection principles	Regulation (EU) 2016/679 Art. 5(1)(c)(e)	LegalTech	★ mandatory	Data minimisation; storage limitation; processing basis receipt
Common Rule 45 CFR § 46.111(a)(7) — Privacy safeguards	45 C.F.R. § 46.111(a)(7)	Academic	★ mandatory	k-anonymity k≥5 or DP ε≤1.0; privacy parameter receipt per dataset epoch
ISO TR 4804:2020 — In-vehicle telemetry GDPR compliance	ISO TR 4804:2020 § 6.3	Automotive	○ mandatory	Consent-receipted trip data; pseudonymisation before ML training

Λ3 Receipt Requirements: Receipt must include lawful_basis (Art. 6 / Art. 9 basis or HIPAA exception), data_category, retention_limit_days, and de_id_method where applicable.

---

Λ4 — Fairness

Core Obligation: AI systems must not discriminate against protected groups; training data and model outputs must demonstrate representative and equitable coverage.

Regulation	Citation	Vertical	Weight	Mechanism
ECOA/FCRA Adverse Action — Credit decisions	15 U.S.C. § 1681m; 12 CFR § 202.9	Financial	★ mandatory	Machine-readable reason codes; CFPB guidance on AI credit models
Common Rule 45 CFR § 46.111 — Equitable subject selection	45 C.F.R. § 46.111(a)(3)	Academic	★ mandatory	Demographic stratification; IRB equity review; receipt with demographic hash
EU AI Act Art. 53 — GPAI fairness for research	Regulation (EU) 2024/1689 Art. 53	Academic, LegalTech	○ mandatory	Training data summary; evaluation results published; EU AI Act database
ISO 21448:2022 § 8 — SOTIF triggering conditions (pedestrian bias)	ISO 21448:2022 § 8	Automotive	· recommended	Pedestrian detection equity across skin tone/age; bias receipts
DOE AI Strategy 2024 § 3.2 — Energy equity	U.S. DOE AI Strategy (2024) § 3.2	Energy	· recommended	Demand response equity; census-tract metadata in receipt

Λ4 Receipt Requirements: Receipt must include fairness_metric (e.g., demographic_parity, equalized_odds), protected_attributes list, metric_value (float), and test_dataset_hash.

---

Λ5 — Safety

Core Obligation: AI systems must identify, assess, and mitigate risks of physical, operational, or systemic harm to humans or critical infrastructure.

Regulation	Citation	Vertical	Weight	Mechanism
ISO 26262-4:2018 § 7 — Technical safety requirements	ISO 26262-4:2018 § 7; ISO 26262-3:2018 § 7	Automotive	★ mandatory	ASIL-D safety goals; probability of failure < 10^-8/h; safety case receipt
DO-178C § 6.4 / DO-333 — Structural coverage (MC/DC)	RTCA DO-178C § 6.4; RTCA DO-333 § FM.6.4	Aviation	★ mandatory	MC/DC coverage for DAL-B; formal method proofs; coverage receipt
E.O. 14110 § 4.2 — National security AI safety	E.O. 14110 § 4.2 (Oct 2023)	Defense	★ mandatory	Human-on-the-loop kill switch; HotL token in autonomous decision receipt
NERC CIP-009-6 R1 — BES recovery plans	NERC CIP-009-6 Requirement R1	Energy	★ mandatory	AI-assisted restoration with human override; operator confirmation token
HITECH Act § 13402 / 45 CFR § 164.400 — Breach notification	Pub. L. 111-5 § 13402	Healthcare	○ mandatory	AI re-identification anomaly detection; 60-day notification trigger

Λ5 Receipt Requirements: Receipt must include hazard_id, safety_integrity_level (ASIL/DAL), risk_reduction_factor, and verification_method (testing/formal_proof/analysis).

---

Λ6 — Security

Core Obligation: AI systems and their data must be protected against unauthorized access, adversarial manipulation, supply-chain compromise, and cyber incidents.

Regulation	Citation	Vertical	Weight	Mechanism
HIPAA 45 CFR § 164.312(a)(2)(i) — Unique user ID	45 C.F.R. § 164.312(a)(2)(i)	Healthcare	★ mandatory	Cryptographically bound identity token in receipt chain per PHI access
NERC CIP-007-6 R4 — Security event monitoring	NERC CIP-007-6 Requirement R4; 18 CFR § 40.7	Energy	★ mandatory	Anomaly detection receipts within 15 min; Merkle DAG integrity
DFARS 252.204-7012 — Covered defense information	DFARS 252.204-7012(b); 48 CFR § 252.204-7012	Defense	★ mandatory	72-hour incident reporting; AI IOC hash receipt within 1 hour
UNECE R 155 — Automotive CSMS	UNECE Regulation No. 155 (2021)	Automotive	★ mandatory	TARA for AI attack surfaces; threat analysis security receipt
21 CFR § 11.10(e) — Secure audit trails	21 C.F.R. § 11.10(e)	Pharma	★ mandatory	Tamper-evident TAI64N-timestamped Merkle DAG

Λ6 Receipt Requirements: Receipt must include threat_model_version, authentication_method (FIDO2/PIV/password), encryption_algorithm, key_rotation_epoch, and incident_id if triggered.

---

Λ7 — Auditability

Core Obligation: AI systems must maintain tamper-evident, time-stamped logs of all significant events; records must be verifiable by external auditors and regulators.

Regulation	Citation	Vertical	Weight	Mechanism
HIPAA 45 CFR § 164.312(b) — Audit controls	45 C.F.R. § 164.312(b)	Healthcare	★ mandatory	Merkle DAG; p50 write ≤ 5 µs per Doctrine v6 §4.7
SOX § 802 / 18 USC § 1519 — Document integrity	Pub. L. 107-204 § 802; 18 U.S.C. § 1519	Financial	★ mandatory	Append-only SHA3-256 Merkle DAG; cryptographic non-alteration proof
NERC CIP-010-4 R1 — Configuration change management	NERC CIP-010-4 Requirement R1	Energy	★ mandatory	Pre/post-update configuration diff receipts
DO-178C § 12.3 / Table A-10 — Configuration management	RTCA DO-178C § 12.3	Aviation	★ mandatory	DER-signed change-control receipts; configuration baseline
21 CFR § 11.10(e) — Time-stamped audit trails	21 C.F.R. § 11.10(e)	Pharma	★ mandatory	GAMP 5 Category 5 validation; audit trail per user/system action

Λ7 Receipt Requirements: Receipt must include event_type, actor_id, timestamp_tai64n, prev_receipt_hash (chain link), merkle_root, and quorum_signatures array.

---

Λ8 — Robustness

Core Obligation: AI systems must withstand distribution shift, adversarial perturbation, hardware faults, and operational stress without unsafe degradation.

Regulation	Citation	Vertical	Weight	Mechanism
SR 11-7 — Model validation and ongoing monitoring	Federal Reserve SR 11-7 § III.C–D	Financial	★ mandatory	Independent adversarial robustness testing; validation epoch in receipt
DO-178C § 6.4 / DO-333 FM.6.3.2 — Formal proof completeness	RTCA DO-178C § 6.4; RTCA DO-333 § FM.6.3.2	Aviation	★ mandatory	Lipschitz bounds; formal proof receipts for inference guarantees
21 CFR § 11.10(a) — GxP system validation	21 C.F.R. § 11.10(a)	Pharma	★ mandatory	ISPE GAMP 5 Category 5; validation protocol hash in receipt
NERC CIP-013-2 R1 — Supply chain risk	NERC CIP-013-2 Requirement R1	Energy	★ mandatory	AI model SBOM receipts; provenance verification before BES deployment
CMMC L3 / NIST 800-171 § 3.11.2 — Vulnerability scanning	NIST SP 800-171 Rev 3 Control 3.11.2	Defense	★ mandatory	Quarterly adversarial robustness scans; scan result commitment receipts

Λ8 Receipt Requirements: Receipt must include robustness_metric (e.g., PGD_ε, Lipschitz_bound), test_methodology, dataset_hash, pass_threshold, and result (pass/fail/conditional).

---

Λ9 — Explainability

Core Obligation: AI outputs affecting human interests must be accompanied by interpretable, human-understandable explanations at a level of detail proportionate to the decision stakes.

Regulation	Citation	Vertical	Weight	Mechanism
GDPR Art. 22 / EDPB Guidelines 1/2022 — Automated decision-making	Regulation (EU) 2016/679 Art. 22	LegalTech	★ mandatory	Meaningful explanation per EDPB § 58; logic + significance + envisaged consequences
ECOA / FCRA 15 USC § 1681m — Adverse action notices	15 U.S.C. § 1681m(a); 12 C.F.R. § 202.9	Financial	★ mandatory	Principal reason codes; CFPB AI explanation guidance; reason-code receipt
EU AI Act Art. 13 — Transparency for deployers	Regulation (EU) 2024/1689 Art. 13	All high-risk	★ mandatory	IFU with interpretability method; explanation receipt per inference
ISO 26262-6:2018 § 9 — ML explainability for ASIL-B+	ISO 26262-6:2018 § 9; ISO TR 29119-11	Automotive	★ mandatory	Saliency maps or decision trees as explanation receipts
EASA CP No. 2 (2023) — ML explanation for aviation	EASA Concept Paper on ML (Oct 2023)	Aviation	★ mandatory	Level 1/2 ML explanation; operational scenario coverage documented

Λ9 Receipt Requirements: Receipt must include explanation_method (SHAP/LIME/IntGrad/decision_tree), explanation_hash, target_audience (regulator/operator/subject), and fidelity_score (float in [0,1]).

---

Λ10 — Sovereignty

Core Obligation: Data and AI system deployment must respect jurisdictional boundaries; data subjects and nation-states retain control over cross-border data flows.

Regulation	Citation	Vertical	Weight	Mechanism
GDPR Art. 44–49 — International transfers	Regulation (EU) 2016/679 Art. 44–49 (SCCs, BCRs, adequacy)	LegalTech	★ mandatory	Transfer mechanism documented in receipt; SCCs/BCR reference
DFARS 252.204-7012 — CUI jurisdictional control	DFARS 252.204-7012; 48 CFR § 252.204-7012	Defense	★ mandatory	CUI enclave attestation; jurisdiction token in receipt chain
ISPS Code Part A § 9.4 — SSP flag-state jurisdiction	ISPS Code Part A § 9.4	Maritime	★ mandatory	Data residency receipt specifying IMO flag-state; SSP access log
Dodd-Frank § 1033 / CFPB Rule 1033 — Consumer data portability	Pub. L. 111-203 § 1033; 12 CFR § 1033.201	Financial	★ mandatory	Consumer-authorized scope token in export receipt
eIDAS 2.0 Art. 3 — European Digital Identity Wallet sovereignty	Regulation (EU) 2024/1183 Art. 3	LegalTech	★ mandatory	EUDIW-bound QES; wallet jurisdiction assertion in receipt

Λ10 Receipt Requirements: Receipt must include jurisdiction_code (ISO 3166-1 alpha-2), transfer_mechanism (adequacy/SCC/BCR/none), data_residency_region, and sovereignty_assertion_hash.

---

Cross-Vertical Coverage Matrix

Vertical	Λ1	Λ2	Λ3	Λ4	Λ5	Λ6	Λ7	Λ8	Λ9	Λ10	Count
Healthcare	○	★	★	·	○	★	★	○	·	○	9
Financial	★	★	○	★	○	★	★	★	★	★	10
Defense	★	★	–	○	★	★	★	★	·	★	9
Aviation	★	★	–	·	★	○	★	★	★	·	8
Automotive	★	★	○	○	★	★	★	★	★	★	10
Pharmaceutical	★	★	○	★	★	★	★	★	★	★	10
Energy	○	★	·	·	★	★	★	★	·	★	8
Maritime	○	★	○	·	★	★	★	★	★	★	9
LegalTech	★	★	★	★	○	★	★	★	★	★	10
Academic	★	★	★	★	○	○	★	·	○	○	8
Axis total	9	10	8	8	9	10	10	9	8	9

★ = mandatory, ○ = recommended, · = advisory, – = not applicable

---

Generated: Doctrine v6 R3 Adversarial Receipts · Receipt chain: SHA3-256 Merkle DAG