@blamejs/exceptd-skills 0.13.18 → 0.13.20

package/data/framework-control-gaps.json

@@ -48,7 +48,9 @@
         "provider changelog review log with reviewer identity + timestamp"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "ALL-MCP-TOOL-TRUST": {
     "framework": "ALL",
@@ -80,7 +82,9 @@
         "tool-grant audit log for one randomly selected developer over 30 days"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "ALL-PROMPT-INJECTION-ACCESS-CONTROL": {
     "framework": "ALL",
@@ -112,7 +116,9 @@
         "policy text defining prompt-level scope for each agent role"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "AU-Essential-8-App-Hardening": {
     "framework": "ASD Essential Eight (AU)",
@@ -144,7 +150,9 @@
         "test-induced modification on a non-production endpoint to confirm alert fires"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "AU-Essential-8-Backup": {
     "framework": "ASD Essential Eight (AU)",
@@ -175,7 +183,9 @@
         "per-document hash diff between restored and production corpus"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "AU-Essential-8-MFA": {
     "framework": "ASD Essential Eight (AU)",
@@ -207,7 +217,9 @@
         "documented credential rotation policy"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "AU-Essential-8-Patch": {
     "framework": "ASD Essential Eight (AU)",
@@ -236,7 +248,9 @@
         "fleet coverage rollup per CVE"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "CIS-Controls-v8-Control7": {
     "framework": "CIS Controls v8",
@@ -336,7 +350,9 @@
         "cross-walk document for joint programmes (if any)"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "CWE-Top-25-2024-meta": {
     "framework": "CWE Top 25 Most Dangerous Software Weaknesses (2024 list)",
@@ -370,7 +386,9 @@
         "scan report against the fixture"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "CycloneDX-v1.6-SBOM": {
     "framework": "CycloneDX v1.6 (OWASP SBOM standard)",
@@ -404,7 +422,9 @@
         "MCP server manifest from build environment"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "DORA-Art28": {
     "framework": "EU DORA (Regulation 2022/2554)",
@@ -472,7 +492,9 @@
         "exit-strategy evidence per critical AI sub-processor"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "DORA-ITS-TLPT": {
     "framework": "EU DORA (Regulation 2022/2554) — ITS on threat-led penetration testing under Art. 26",
@@ -507,7 +529,9 @@
         "TLPT team CVs covering AI/MCP red-team experience"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "DORA-RTS-Incident-Classification": {
     "framework": "EU DORA (Regulation 2022/2554) — RTS on classification of major ICT-related incidents under Art. 18(3)",
@@ -541,7 +565,9 @@
         "synthetic AI-incident classification dry-run record"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "DORA-IA-CTPP-Oversight": {
     "framework": "EU DORA (Regulation 2022/2554) — Implementing Acts for critical-third-party-provider (CTPP) oversight under Art. 31-44",
@@ -574,7 +600,9 @@
         "AI-provider concentration analysis"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "EU-AI-Act-Art-15": {
     "framework": "EU Artificial Intelligence Act (2024/1689)",
@@ -642,7 +670,9 @@
         "per-corpus copyright-policy attestations"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "EU-AI-Act-Art-55-Systemic": {
     "framework": "EU Artificial Intelligence Act (2024/1689) — GPAI with systemic risk",
@@ -678,7 +708,9 @@
         "incident-clock cross-walk to DORA"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "EU-AI-Act-Annex-IX-Conformity": {
     "framework": "EU Artificial Intelligence Act (2024/1689) — Annex IX conformity assessment",
@@ -709,7 +741,9 @@
         "change log showing modifications assessed against the policy"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "EU-AI-Act-GPAI-CoP": {
     "framework": "EU Artificial Intelligence Act (2024/1689) — Code of Practice for GPAI",
@@ -741,7 +775,9 @@
         "AI Office enforcement-deference reference"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "EU-CRA-Art13": {
     "framework": "EU Cyber Resilience Act (2024/2847)",
@@ -821,7 +857,9 @@
         "SSP excerpts showing AI shared-responsibility language"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "HIPAA-Security-Rule-164.312(a)(1)": {
     "framework": "HIPAA Security Rule (45 CFR § 164.312)",
@@ -855,7 +893,9 @@
         "agent-session control configuration"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "HIPAA-Security-Rule-2026-NPRM-164.308": {
     "framework": "HIPAA Security Rule (45 CFR § 164.308) — 2026 Notice of Proposed Rulemaking",
@@ -889,7 +929,9 @@
         "tabletop exercise catalogue with execution dates"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "HIPAA-Security-Rule-2026-NPRM-164.310": {
     "framework": "HIPAA Security Rule (45 CFR § 164.310) — 2026 Notice of Proposed Rulemaking",
@@ -922,7 +964,9 @@
         "departed-user credential-revocation evidence"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "HIPAA-Security-Rule-2026-NPRM-164.312": {
     "framework": "HIPAA Security Rule (45 CFR § 164.312) — 2026 Notice of Proposed Rulemaking",
@@ -958,7 +1002,9 @@
         "prompt-injection / RAG-poisoning detection rule export"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "HIPAA-Security-Rule-2026-NPRM-164.314": {
     "framework": "HIPAA Security Rule (45 CFR § 164.314) — 2026 Notice of Proposed Rulemaking",
@@ -991,7 +1037,9 @@
         "sub-processor disclosure inventories"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "HITRUST-CSF-v11.4-09.l": {
     "framework": "HITRUST CSF v11.4",
@@ -1024,7 +1072,9 @@
         "endpoint scan for self-signup AI tools"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "IEC-62443-3-3": {
     "framework": "IEC 62443-3-3 (Industrial communication networks — security for IACS)",
@@ -1060,7 +1110,9 @@
         "threat-model document covering AI conduit threats"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "ISO-27001-2022-A.8.16": {
     "framework": "ISO/IEC 27001:2022",
@@ -1092,7 +1144,9 @@
         "telemetry volume report by source class"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "ISO-27001-2022-A.8.22": {
     "framework": "ISO/IEC 27001:2022",
@@ -1517,7 +1571,9 @@
         "review-cadence schedule"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "ISO-IEC-42001-2023-clause-6.1.2": {
     "framework": "ISO/IEC 42001:2023 (AI Management System)",
@@ -1552,7 +1608,9 @@
         "AIMS internal audit report"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "NERC-CIP-007-6-R4": {
     "framework": "NERC CIP-007-6 (BES Cyber System Security Management)",
@@ -1588,7 +1646,9 @@
         "NIS2 alignment document where applicable"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "NIS2-Art21-incident-handling": {
     "framework": "EU NIS2 Directive (2022/2555)",
@@ -1706,7 +1766,9 @@
         "tester competency CV/credentials"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "NIST-800-218-SSDF": {
     "framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
@@ -2097,7 +2159,9 @@
         "deletion verification log"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "NIST-800-53-SI-2": {
     "framework": "NIST SP 800-53 Rev 5",
@@ -2503,7 +2567,9 @@
         "service-account token lifecycle export"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "NIST-800-82r3": {
     "framework": "NIST SP 800-82 Rev 3 (Guide to OT Security)",
@@ -2539,7 +2605,9 @@
         "engineering workstation MCP-server scan"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "NIST-AI-RMF-MAP-3.4": {
     "framework": "NIST AI RMF 1.0",
@@ -2605,7 +2673,9 @@
         "ATLAS/OWASP coverage matrix"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "OWASP-ASVS-v5.0-V14": {
     "framework": "OWASP ASVS v5.0",
@@ -2638,7 +2708,9 @@
         "prompt-isolation design document"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "OWASP-LLM-Top-10-2025-LLM01": {
     "framework": "OWASP Top 10 for LLM Applications 2025",
@@ -2709,7 +2781,9 @@
         "test cases proving validation fires on malicious payloads"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "OWASP-LLM-Top-10-2025-LLM06": {
     "framework": "OWASP Top 10 for LLM Applications 2025",
@@ -2744,7 +2818,9 @@
         "data classification policy"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "OWASP-LLM-Top-10-2025-LLM08": {
     "framework": "OWASP Top 10 for LLM Applications 2025",
@@ -2780,7 +2856,9 @@
         "destructive-action confirmation flow evidence"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "OWASP-Pen-Testing-Guide-v5": {
     "framework": "OWASP Web Security Testing Guide v5 (WSTG)",
@@ -2818,7 +2896,9 @@
         "scope-of-engagement document"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "OWASP-Top-10-2021-A06": {
     "framework": "OWASP Top 10 (2021)",
@@ -2922,7 +3002,9 @@
         "SRI configuration export"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "PCI-DSS-4.0.1-11.6.1": {
     "framework": "PCI DSS 4.0.1 (effective 2025-03-31)",
@@ -2954,7 +3036,9 @@
         "CSP report-uri correlation pipeline"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "PCI-DSS-4.0.1-12.3.3": {
     "framework": "PCI DSS 4.0.1 (effective 2025-03-31)",
@@ -2985,7 +3069,9 @@
         "PQC migration roadmap"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "PCI-DSS-4.0.1-12.10.7": {
     "framework": "PCI DSS 4.0.1 (effective 2025-03-31)",
@@ -3019,7 +3105,9 @@
         "carrier-notification workflow record"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "PSD2-RTS-SCA": {
     "framework": "EU PSD2 Regulatory Technical Standards on Strong Customer Authentication (Commission Delegated Regulation (EU) 2018/389)",
@@ -3053,7 +3141,9 @@
         "audit log sample with AI-mediated indicator"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "PTES-Pre-engagement": {
     "framework": "Penetration Testing Execution Standard (PTES)",
@@ -3088,7 +3178,9 @@
         "tester competency CV"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "SLSA-v1.0-Build-L3": {
     "framework": "SLSA v1.0 (Supply-chain Levels for Software Artifacts) — Build Track",
@@ -3228,7 +3320,9 @@
         "telemetry volume report"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "SOC2-CC9-vendor-management": {
     "framework": "SOC 2 (AICPA Trust Services Criteria)",
@@ -3296,7 +3390,9 @@
         "SPDX↔CycloneDX cross-walk mapping"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "SWIFT-CSCF-v2026-1.1": {
     "framework": "SWIFT Customer Security Controls Framework v2026",
@@ -3331,7 +3427,9 @@
         "DORA Art. 28 cross-walk record"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "UK-CAF-A1": {
     "framework": "UK NCSC Cyber Assessment Framework v3.2",
@@ -3360,7 +3458,9 @@
         "executive accountability matrix"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "UK-CAF-B2": {
     "framework": "UK NCSC Cyber Assessment Framework v3.2",
@@ -3392,7 +3492,9 @@
         "continuous-verification configuration"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "UK-CAF-C1": {
     "framework": "UK NCSC Cyber Assessment Framework v3.2",
@@ -3425,7 +3527,9 @@
         "alert-triage records past 90 days"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "UK-CAF-D1": {
     "framework": "UK NCSC Cyber Assessment Framework v3.2",
@@ -3454,7 +3558,9 @@
         "NIS2 timing integration document"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "VEX-CSAF-v2.1": {
     "framework": "VEX via OASIS CSAF 2.1 (Common Security Advisory Framework)",
@@ -3487,7 +3593,9 @@
         "VEX chain example for base→derived model"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "FCC-CPNI-4.1": {
     "framework": "FCC-CPNI",
@@ -3521,7 +3629,9 @@
         "signaling baseline document"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "FCC-Cyber-Incident-Notification-2024": {
     "framework": "FCC",
@@ -3552,7 +3662,9 @@
         "cross-jurisdiction timing matrix"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "NIS2-Annex-I-Telecom": {
     "framework": "NIS2",
@@ -3586,7 +3698,9 @@
         "LI-gateway activation audit log"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "DORA-Art-21-Telecom-ICT": {
     "framework": "DORA",
@@ -3616,7 +3730,9 @@
         "concentration analysis report"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "UK-CAF-B5": {
     "framework": "UK-CAF",
@@ -3647,7 +3763,9 @@
         "LI-gateway audit log"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "AU-ISM-1556": {
     "framework": "au-ism",
@@ -3678,7 +3796,9 @@
         "alert-triage records"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "GSMA-NESAS-Deployment": {
     "framework": "GSMA-NESAS",
@@ -3708,7 +3828,9 @@
         "firmware-update → recertification mapping"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "3GPP-TR-33.926": {
     "framework": "3GPP",
@@ -3738,7 +3860,9 @@
         "LI/signaling threat-treatment document"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "ITU-T-X.805": {
     "framework": "ITU-T",
@@ -3768,7 +3892,9 @@
         "slice-isolation test results"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "NIST-800-53-IA-5-Federated": {
     "framework": "NIST 800-53 Rev.5",
@@ -3831,7 +3957,9 @@
         "claim-transformation review cadence document"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "SOC2-CC6-OAuth-Consent": {
     "framework": "SOC 2 (AICPA Trust Services Criteria)",
@@ -3860,7 +3988,9 @@
         "business-purpose attestation samples"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "UK-CAF-B2-IdP-Tenant": {
     "framework": "UK NCSC CAF",
@@ -3891,7 +4021,9 @@
         "token-signing rotation alert configuration"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "AU-ISM-1559-IdP": {
     "framework": "AU ISM",
@@ -3921,7 +4053,9 @@
         "management-API token inventory"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "NIS2-Art-21-Federated-Identity": {
     "framework": "EU NIS2 Directive",
@@ -3952,7 +4086,9 @@
         "IdP concentration analysis"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "DORA-Art-19-IdP-4h": {
     "framework": "EU DORA",
@@ -3982,7 +4118,9 @@
         "on-call rota covering 24/7 IdP-incident response"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "OFAC-Sanctions-Threat-Actor-Negotiation": {
     "framework": "US Treasury OFAC + EU sanctions overlay + UK OFSI",
@@ -4012,7 +4150,9 @@
         "tabletop execution log"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "FedRAMP-IL5-IAM-Federated": {
     "framework": "FedRAMP (US)",
@@ -4046,7 +4186,9 @@
         "evidence retention per IL5 cadence"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "CISA-Snowflake-AA24-IdP-Cloud": {
     "framework": "CISA (US) - Cross-framework advisory",
@@ -4080,7 +4222,9 @@
         "network policy configuration"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "NIST-800-53-AC-2-Cross-Account": {
     "framework": "NIST 800-53 Rev 5",
@@ -4114,7 +4258,9 @@
         "external-ID enforcement evidence"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "ISO-27017-Cloud-IAM": {
     "framework": "ISO/IEC 27017:2015",
@@ -4146,7 +4292,9 @@
         "assume-role policy document sample"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "SOC2-CC6-Access-Key-Leak-Public-Repo": {
     "framework": "AICPA SOC 2 Trust Services Criteria",
@@ -4178,7 +4326,9 @@
         "leak-to-revocation timing per incident"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "AWS-Security-Hub-Coverage-Gap": {
     "framework": "AWS Security Hub Foundational Security Best Practices (also GCP SCC, Azure Defender for Cloud)",
@@ -4212,7 +4362,9 @@
         "cloud-iam-incident detect-indicator → CloudTrail behavioural-rule mapping"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "UK-CAF-B2-Cloud-IAM": {
     "framework": "UK NCSC CAF (Cyber Assessment Framework) v3.x",
@@ -4244,7 +4396,9 @@
         "cross-account assume-role policy export"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "AU-ISM-1546-Cloud-Service-Account": {
     "framework": "ACSC ISM (Australian Government Information Security Manual)",
@@ -4276,7 +4430,9 @@
         "source-IP allowlist configuration"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "OFAC-SDN-Payment-Block": {
     "framework": "ALL",
@@ -4306,7 +4462,9 @@
         "counsel-signed attestation template"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "Insurance-Carrier-24h-Notification": {
     "framework": "ALL",
@@ -4337,7 +4495,9 @@
         "broker after-hours contact + loss-notice form"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "EU-Sanctions-Reg-2014-833-Cyber": {
     "framework": "EU",
@@ -4367,7 +4527,9 @@
         "tabletop execution log covering EU sanctions inject"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "Immutable-Backup-Recovery": {
     "framework": "ALL",
@@ -4398,7 +4560,9 @@
         "admin-separation policy document"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "Decryptor-Availability-Pre-Decision": {
     "framework": "ALL",
@@ -4429,7 +4593,9 @@
         "quarterly catalogue refresh evidence"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "PHI-Exfil-Before-Encrypt-Breach-Class": {
     "framework": "ALL",
@@ -4461,7 +4627,9 @@
         "tabletop execution log within past 12 months"
       ],
       "verdict_when_failed": "compliance-theater"
-    }
+    },
+    "forward_looking": true,
+    "forward_looking_reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
   },
   "NIS2-Art21-vulnerability-management": {
     "framework": "EU NIS2 Directive (2022/2555)",