@connexum/ai-governance 1.0.0-beta.11

package/dist/packs/registry-expanded.js

@@ -0,0 +1,2354 @@
+"use strict";
+/**
+ * Expanded Compliance Pack Registry
+ *
+ * Defines all compliance frameworks that My Compliance Center supports or plans to support.
+ * Organized by vertical: Fintech, Healthcare, Pharma, Legal, Retail, AI-Specific.
+ *
+ * Pack counts (updated 2026-05-12, reconciliation per F-NEW-CLAIM-MARKETING-DRIFT-2026-05-12 DRIFT-6):
+ *   - ACTIVE: 143 fully implemented packs
+ *   - PLANNED: 0
+ *
+ * The 143 figure is verified two independent ways and they agree:
+ *   (a) strict-regex per-line count `grep -cE "^\s+status: 'ACTIVE',\s*$"` against
+ *       this file = 143
+ *   (b) individual pack source files under `src/packs/` minus 5 helpers
+ *       (_base-classifiers, check-registry, index, migration-manifest,
+ *        registry-expanded) = 143
+ * `build-inventory.mjs` uses (b) as the marketing-facing canonical
+ * `sourceFileCount` and that count flows to `site/v2/data/inventory.json`.
+ *
+ * 2026-05-12 additions vs the 2026-05-10 inventory snapshot (10 packs):
+ *   - Industrial / OT: iec-62443, nist-sp-800-82
+ *   - Aerospace:       as-9100, do-178c
+ *   - Automotive:      iso-26262
+ *   - Medical device:  iec-62304, iso-15189, iso-iec-80001,
+ *                      fda-21-cfr-820, fda-samd-precert
+ *
+ * NOTE: This file's ACTIVE_PACKS array is the documentary registry used by
+ * getPackSummary() / getPacksByStatus(). The runtime source of truth is
+ * src/packs/index.ts (PackRegistry + individual pack files). If these diverge,
+ * src/packs/index.ts wins. Consider a future cleanup pass to remove this file
+ * and derive the summary directly from the runtime registry (Pax backlog item).
+ *
+ * Status levels:
+ *   - ACTIVE: Fully implemented pack with controls and validation
+ *   - PLANNED: Defined and scoped, ready for implementation
+ *   - RESEARCH: Framework analyzed, pack spec in progress
+ *
+ * Priority levels:
+ *   - P0: Must-have for target vertical launch
+ *   - P1: High value, implement within 2 sprints of vertical launch
+ *   - P2: Nice-to-have, implement based on customer demand
+ *
+ * @connexum/ai-governance
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ALL_COMPLIANCE_PACKS = void 0;
+exports.getPacksByVertical = getPacksByVertical;
+exports.getPacksByStatus = getPacksByStatus;
+exports.getPacksByPriority = getPacksByPriority;
+exports.getPackSummary = getPackSummary;
+// ---------------------------------------------------------------------------
+// ACTIVE PACKS (already implemented in src/packs/)
+// ---------------------------------------------------------------------------
+const ACTIVE_PACKS = [
+    {
+        id: 'hipaa',
+        name: 'Health Insurance Portability and Accountability Act',
+        shortName: 'HIPAA',
+        vertical: 'Healthcare',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'PHI detection, access audit trails, encryption requirements, BAA tracking, breach notification (60-day)',
+        keyRequirements: ['PHI safeguards', 'Access controls', 'Encryption', 'BAA management', 'Breach notification'],
+        aiRelevance: 'AI agents processing PHI must enforce minimum necessary, audit all access, encrypt data at rest and in transit',
+        controlCount: 18,
+    },
+    {
+        id: 'soc2',
+        name: 'SOC 2 Type II',
+        shortName: 'SOC 2',
+        vertical: 'Cross-Industry',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'Access controls, audit logging, change management, incident response',
+        keyRequirements: ['Trust Service Criteria', 'Access management', 'Monitoring', 'Change control', 'Incident response'],
+        aiRelevance: 'AI systems must demonstrate continuous operational controls across all Trust Service Criteria',
+        controlCount: 15,
+    },
+    // ---- Medical device QSR pack (FDA 21 CFR Part 820 + QMSR final rule) ----
+    {
+        id: 'fda-21-cfr-820',
+        name: 'FDA 21 CFR Part 820 — Quality System Regulation (QSR / QMSR)',
+        shortName: 'FDA QSR',
+        vertical: 'Healthcare',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'FDA 21 CFR Part 820 — Quality System Regulation governing medical device design, production, and post-market surveillance for devices marketed in the United States. The 2024 Quality Management System Regulation (QMSR) final rule incorporates ISO 13485:2016 by reference, replacing many former QSR-specific clauses while preserving 820.30 (Design Controls), 820.180 (Records), 820.198 (Complaint Files), and the MDR 21 CFR Part 803 5-day reporting clock. Mandatory for any device marketed in the US under 510(k), De Novo, PMA, or HDE pathways.',
+        keyRequirements: ['Design History File (DHF) per device under 820.30(j)', 'Device Master Record (DMR) per device under 820.181', 'Device History Record (DHR) per production unit under 820.184', 'CAPA system under 820.100 + closure documentation', 'MDR 5-day adverse-event reporting (21 CFR 803.10/.20)', 'Document control + design change review (820.40 + 820.30(i))', 'Management review at planned intervals (820.20)', 'Design V&V before commercial distribution (820.30(g))', 'Purchasing controls + supplier qualification (820.50)', 'Complaint files + investigation (820.198)', 'Nonconforming product handling (820.90)', 'Production + process controls (820.70)', 'Device traceability for implantable + life-sustaining (820.65)', 'Records retention (typically design lifetime + 2 years; complaints + DHR per device specs)'],
+        aiRelevance: 'AI agents touching medical device software must respect Design History File integrity (DHF entries are tamper-evident), the MDR 5-day clock for adverse events, the CAPA initiation gate for nonconformances, and the design change review board (DCR) gate for any modification to a marketed device. AI-generated design changes default to BLOCK pending human design review per 820.30(i). Pairs with FDA SaMD pack and IEC 62304 for software-life-cycle overlay.',
+        controlCount: 19,
+    },
+    // ---- Medical device software life cycle pack (IEC 62304) ----
+    {
+        id: 'iec-62304',
+        name: 'IEC 62304 — Medical Device Software Life Cycle Processes',
+        shortName: 'IEC 62304',
+        vertical: 'Healthcare',
+        jurisdiction: 'International',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'IEC 62304 — international standard for medical device software life cycle processes. Three software safety classes (A: no injury possible; B: non-serious injury possible; C: serious injury or death possible) drive process intensity. Required by FDA recognized consensus standards database for SaMD submissions, by EU MDR (Annex I §17.2 + Annex II) for software components of medical devices, and by EMA software guidance. Pairs with FDA 21 CFR Part 820 (US QSR/QMSR) and ISO 13485 (international QMS).',
+        keyRequirements: ['Software safety class (A/B/C) assignment with rationale', 'SOUP (Software Of Unknown Provenance) inventory + evaluation + errata monitoring', 'Class B + C development plan, requirements analysis, architecture', 'Class C unit verification evidence', 'Integration + system testing per class', 'Software release attestation + records (Annex C)', 'Configuration management + anomaly resolution', 'Class C SOUP introduction approval gate', 'Maintenance plan + post-release problem reports'],
+        aiRelevance: 'AI agents touching medical device software must respect the software safety class. Class C unverified changes trigger immediate escalation. Class B anomaly closure requires approval-queue gate. SOUP introduction by AI defaults to BLOCK pending evaluation evidence. Pairs with FDA 21 CFR 820 (US QSR overlay) and FDA SaMD pack (intended-use level overlay).',
+        controlCount: 15,
+    },
+    // ---- IEC 62443 industrial control systems / OT cybersecurity pack ----
+    {
+        id: 'iec-62443',
+        name: 'IEC 62443 — Industrial Automation and Control Systems Security',
+        shortName: 'IEC 62443',
+        vertical: 'Industrial / OT',
+        jurisdiction: 'International',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'IEC 62443 (formerly ISA-99) — international multi-part cybersecurity standard family for Industrial Automation and Control Systems (IACS). 14 published parts covering asset owners (62443-2-1 CSMS), service providers (62443-2-4), system design (62443-3-2 zone/conduit + SL assignment; 62443-3-3 system controls), and product suppliers (62443-4-1 SDL; 62443-4-2 component requirements). Four Security Levels (SL 1: casual — SL 4: nation-state/Stuxnet-class). 7 Foundational Requirements (FR1-FR7) mapped to validators. 7-year retention (NIS2 OES baseline). 24h NIS2 + sectoral incident notification.',
+        keyRequirements: ['Security Level Target (SL 1-4) assignment per zone/conduit with risk rationale', 'Zone and conduit model per IEC 62443-3-2 §5.5', 'CSMS (Cyber Security Management System) per IEC 62443-2-1', 'FR1 Identification & Authentication Control (SR 1.x)', 'FR2 Use Control (SR 2.x)', 'FR3 System Integrity (SR 3.x)', 'FR4 Data Confidentiality (SR 4.x)', 'FR5 Restricted Data Flow / zone segmentation (SR 5.x)', 'FR6 Timely Response to Events (SR 6.x)', 'FR7 Resource Availability (SR 7.x)', 'Secure Development Lifecycle per IEC 62443-4-1', 'Component security requirements per IEC 62443-4-2', 'Patch management per IEC 62443-2-3', 'SL 3/4 behavioral validator for unverified-change escalation'],
+        aiRelevance: 'AI agents generating or modifying IACS software or configuration must declare Security Level. SL 4 unverified changes are blocked; SL 3 triggers immediate escalation. AI code generation in OT environments requires supply-chain evaluation for OT-specific impacts. PRC providers blocked for NIS2 OES data sovereignty compliance.',
+        controlCount: 15,
+    },
+    // ---- NIST SP 800-82 US federal operational technology security pack ----
+    {
+        id: 'nist-sp-800-82',
+        name: 'NIST SP 800-82 Rev 3 — Operational Technology Security',
+        shortName: 'NIST SP 800-82',
+        vertical: 'Industrial / OT',
+        jurisdiction: 'US Federal',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'NIST SP 800-82 Rev 3 (September 2023) — US federal guide for securing OT environments (ICS, SCADA, DCS, PLC, RTU, building automation, transportation, IIoT). OT-specific overlay on NIST SP 800-53 Rev 5 controls. Three FIPS 199 impact levels (LOW / MODERATE / HIGH; defaults MODERATE). Purdue model segmentation (Levels 0-5 + industrial DMZ). Safety-Instrumented System (SIS) protection per §5.7 + IEC 61511. 8 NIST 800-53 control families: AC, AU, CM, CP, IR, SC, SI, SR. 7-year retention (FISMA + SP 800-92). 24h CISA + EO 14028 incident notification. Mandatory for US federal OT via FISMA + FAR/DFARS.',
+        keyRequirements: ['FIPS 199 impact level (LOW/MODERATE/HIGH) assignment per OT system/zone', 'Purdue model network segmentation (Levels 0-5 + industrial DMZ Level 3.5)', 'OT cybersecurity program per §3 (charter, roles, workforce training)', 'Risk management per §4 + SP 800-30 + SP 800-39', 'AC controls (SP 800-53): RBAC, least privilege, MFA for remote OT access', 'AU controls (SP 800-53): audit logging, centralized SIEM, 7-year retention', 'CM controls (SP 800-53): OT baseline configs, formal change control', 'CP controls (SP 800-53): OT contingency plan, backup, tested annually', 'IR controls (SP 800-53): OT IR plan, 24h CISA reporting, CIRCIA integration', 'SC controls (SP 800-53): Purdue segmentation, industrial DMZ, encrypted OT comms', 'SI controls (SP 800-53): malware protection, integrity verification, ICS-CERT monitoring', 'SR controls (SP 800-53): OT SBOM (EO 14028), supplier risk assessment, CMMC', 'Safety-Instrumented System (SIS) isolation per §5.7 + IEC 61511', 'HIGH impact behavioral validator for unverified-change CRITICAL escalation'],
+        aiRelevance: 'AI agents generating or modifying OT software or configuration must declare FIPS 199 impact level. HIGH impact unverified changes are blocked; SIS modifications are an absolute block. AI code generation in OT environments requires supply-chain evaluation (EO 14028 SBOM) before acceptance. PRC providers blocked for US federal OT sovereignty compliance (FISMA + CMMC + EO 14028). Sister to IEC 62443 (international); run together for US-multinational customers.',
+        controlCount: 15,
+    },
+    // ---- AS9100D / AS9110C / AS9120B aerospace quality management systems pack ----
+    {
+        id: 'as-9100',
+        name: 'AS9100D / AS9110C / AS9120B — Aerospace Quality Management Systems',
+        shortName: 'AS9100',
+        vertical: 'Aerospace',
+        jurisdiction: 'International',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'AS9100D / AS9110C / AS9120B (2016, aligned to ISO 9001:2015) — aerospace QMS standard family published by SAE International + IAQG. AS9100D for manufacturing, AS9110C for MRO, AS9120B for distribution. Required by Boeing, Airbus, Lockheed Martin, Northrop Grumman, Raytheon, BAE Systems, Embraer, Bombardier, Honeywell, Pratt & Whitney, GE Aerospace. Recognized by FAA Order 8100.16, EASA Part 21G + 21J, Transport Canada, JCAB, ANAC. Aerospace-specific additions to ISO 9001:2015: §5.1.1.1 Product Safety Policy, §8.1.4 Counterfeit Parts Prevention, §8.1.2 Configuration Management, §8.5.1.2 Special Processes (NADCAP), §8.5.4 FOD Prevention, §9.1.1 OTD + Product Conformity metrics. 18-year airworthiness retention. 24h FAA SDR + EASA Part 21J reporting. Sister to DO-178C (avionics software — run together for software-bearing LRUs).',
+        keyRequirements: ['Product Safety Policy per §5.1.1.1 (mandatory written policy + training — no ISO 9001:2015 equivalent)', 'Counterfeit Parts Prevention plan per §8.1.4 (ASL + quarantine + ERAI/GIDEP reporting)', 'Configuration Management baseline per §8.1.2 (CM baseline + change control + CM records)', 'Special Processes per §8.5.1.2 (NADCAP accreditation — heat treat, weld, NDT, composites, plating)', 'FOD Prevention program per §8.5.4 (plan + training + inspections + event reporting)', 'Risk + Opportunity Management per §6.1 (FMEA/FTA mandatory per §6.1.2.1)', 'Design + Development Controls per §8.3 (FAI per AS9102; design change per §8.3.6)', 'Purchasing Controls per §8.4 (ASL enforcement + customer-approved sources + incoming inspection)', 'Product Realisation per §8.5 (controlled conditions + travellers + SPC where required)', 'Identification + Traceability per §8.5.2 (serialized / lot-controlled for aviation-safety parts)', 'Customer + External Property per §8.5.3 (CFE/CFM + ITAR/EAR IP protection)', 'Post-Delivery Support per §8.5.5 (airworthiness data + warranty + field surveillance)', 'On-Time Delivery + Product Conformity metrics per §9.1.1 (OTD + first-pass yield + PPM escapes)', 'CAPA per §10.2 (RCA + effectiveness verification + safety-impact escalation + FAA SDR / EASA Part 21J)', 'Behavioral validator: counterfeit-parts-detected immediate CRITICAL escalation'],
+        aiRelevance: 'AI agents generating aerospace QMS records must disclose provenance for FAA/EASA airworthiness accountability. Counterfeit-parts-detected is an absolute CRITICAL block. AI-generated configuration changes require CM lead + design authority approval before proceeding. Safety-impacting CAPA requires product safety officer + DER/CVE liaison review. PRC providers blocked for ITAR + EAR + FAA Order 8100.16 + EASA Part 21J supply-chain compliance. Sister to DO-178C — run together for software-bearing LRUs.',
+        controlCount: 15,
+    },
+    // ---- FDA Software Pre-Cert + SaMD TPLC + AI/ML Action Plan pack ----
+    {
+        id: 'fda-samd-precert',
+        name: 'FDA Software Pre-Cert + SaMD TPLC + AI/ML Action Plan',
+        shortName: 'FDA SaMD Pre-Cert',
+        vertical: 'Medical Device / SaMD',
+        jurisdiction: 'US (FDA)',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'FDA Software Pre-Certification (Pre-Cert) Pilot Program (2017–2022) principles + ongoing FDA Total Product Lifecycle (TPLC) approach + AI/ML SaMD Action Plan (2021) + Pre-Determined Change Control Plan (PCCP) Guidance (2024). Five Pre-Cert Excellence Principles: (1) Patient Safety, (2) Product Quality (ISO 13485 + IEC 62304), (3) Clinical Responsibility (IMDRF N41 clinical evaluation), (4) Cybersecurity Responsibility (FDA Premarket Cybersecurity Guidance 2023, SBOM, VEX, PATCH Act §524B), (5) Proactive Culture. Algorithm Change Protocol (ACP) for bounded AI/ML changes. IMDRF SaMD risk categorization (Category I–IV). CRITICAL behavioral validator for out-of-PCCP-bounds change immediate-escalation. 30-year life-of-device retention. 5-day FDA MDR notification (21 CFR 803). PRC providers blocked.',
+        keyRequirements: ['IMDRF SaMD risk categorization (Category I–IV) per N12 (2014)', 'Patient Safety Excellence Principle 1: risk management + MDR signal detection + 5-day escalation', 'Product Quality Excellence Principle 2: QMS per ISO 13485 + IEC 62304 software lifecycle', 'Clinical Responsibility Principle 3: clinical evaluation per IMDRF N41 (2017) + intended-use scoping', 'Cybersecurity Responsibility Principle 4: SBOM + VEX + PATCH Act §524B + FDA Cybersecurity Guidance (2023)', 'Proactive Culture Principle 5: CAPA + RCA + FDA transparency + Q-Sub engagement', 'TPLC monitoring: post-market monitoring plan + real-world performance tracking', 'Real-World Performance (RWP): metrics, thresholds, drift detection, performance reports', 'FDA AI/ML Action Plan alignment (2021): GMLP 10 principles + transparency + RWP + regulatory science', 'PCCP change control (2024 guidance): modification protocol + development protocols + performance evaluation', 'Algorithm Change Protocol (ACP): bounded change envelope + change log + performance evidence', 'Clinical evaluation per IMDRF N41: analytical validation + clinical validation + CER', 'Intended-use scoping: medical purpose + patient population + clinical setting + out-of-scope definition', 'Post-market signal detection: Sentinel Initiative principles + signal thresholds + MDR escalation path', 'Behavioral validator: out-of-PCCP-bounds change — absolute CRITICAL block, no compensating control path'],
+        aiRelevance: 'AI agents generating SaMD clinical outputs, model updates, or PCCP-governed changes must be assessed against the pre-cleared PCCP modification envelope before deployment. Out-of-PCCP-bounds changes are an absolute CRITICAL block. AI-generated clinical evaluation content requires clinical evaluation officer attestation. Category IV SaMD AI outputs require human-in-loop review. PRC providers blocked: FDA Pre-Cert cybersecurity-responsibility provisions incompatible with PRC CSL/DSL data localisation obligations. Sister packs: FDA 21 CFR 820 (QMSR), IEC 62304, ISO 13485, ISO 14971, HIPAA.',
+        controlCount: 15,
+    },
+    // ---- ISO 15189:2022 Medical Laboratory Quality and Competence pack ----
+    {
+        id: 'iso-15189',
+        name: 'ISO 15189:2022 Medical Laboratory Quality and Competence',
+        shortName: 'ISO 15189',
+        vertical: 'Medical Laboratory / Clinical Diagnostics',
+        jurisdiction: 'International (CAP / UKAS / DAkkS / ANAB / A2LA + CMS/CLIA US-aligned)',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'ISO 15189:2022 (4th edition) — international standard for quality and competence in medical laboratories. Recognized by CAP, UKAS, DAkkS, COLA, ANAB, A2LA, DANAK, COFRAC, NATA, and all ILAC MRA signatories. CMS/CLIA-aligned via CAP deemed-status programme for US high-complexity labs. 8 main clauses: §4 General requirements (impartiality + confidentiality), §5 Structural requirements (legal entity + lab director), §6 Resource requirements (personnel, facilities, equipment, reagents, service agreements), §7 Process requirements (pre-examination, examination, post-examination, reporting, interpretation), §8 Management system (Option A: ISO 9001 QMS alignment; Option B: ISO 15189-internal QMS). Annex A: risk management (ISO 14971 + ISO 22367). Annex B: patient safety + ethics. Annex C: examiner competence. CRITICAL behavioral validator for IQC-out-of-control immediate-escalation — absolute block, no patient results released. 20-year patient-record retention (7300 days). 72h CAP/CLIA event-reporting baseline. PRC providers blocked.',
+        keyRequirements: ['Impartiality policy per §4.1 (conflicts of interest + commercial pressure management)', 'Confidentiality controls per §4.2 (PHI protection + HIPAA BAA + GDPR Art. 9 alignment)', 'Lab Director responsibility per §5.1 (CLIA-qualified director + management accountability)', 'Personnel competence per §6.2 + Annex C (initial + ongoing assessment + lab-director authorisation)', 'Equipment calibration + metrological traceability per §6.4.9 (SI traceability chain + calibration records)', 'Reagents + consumables management per §6.5 (receipt inspection + lot verification + expiry management)', 'Pre-examination process per §7.2 (request + patient preparation + sample collection + reception criteria)', 'Examination validation per §7.3.2 (in-house procedures: AMR, precision, trueness, interference, uncertainty)', 'Examination verification per §7.3.3 (commercially-supplied: precision, trueness, reference interval verification)', 'Internal Quality Control per §7.3.7 (Westgard rules + IQC policy: BLOCK patient results when OOC)', 'External Proficiency Testing per §7.3.4 (CAP PT / RCPA QAP / UKNEQAS + corrective action)', 'Result reporting per §7.4 (authorised release + critical value notification + amended report traceability)', 'Post-examination + clinical interpretation per §7.5 + Annex C (pathologist review + AI disclosure)', 'Risk management per Annex A (ISO 14971 + ISO 22367 for lab processes including AI-introduced risks)', 'Behavioral validator: IQC-out-of-control — absolute CRITICAL block, no compensating control path'],
+        aiRelevance: 'AI agents assisting with examination interpretation (Annex C), IQC rule application (§7.3.7), or QMS documentation (§8) must disclose AI provenance and route outputs through clinical-pathologist + lab-director review before patient release. IQC-out-of-control is an absolute CRITICAL block — no AI bypass permitted. AI-generated examination procedures require full validation per §7.3.2. PRC providers blocked: ISO 15189 §4.2 confidentiality requirements for clinical laboratory PHI are incompatible with PRC data localisation law (CSL/DSL/PIPL). Pack pairings: HIPAA (US PHI), GDPR (EU patient data), CLIA/CAP (US regulatory + accreditation), ISO 22870 (POCT), ISO 17025 (general lab competence).',
+        controlCount: 15,
+    },
+    // ---- ISO/IEC 80001 Medical IT Network Risk Management pack ----
+    {
+        id: 'iso-iec-80001',
+        name: 'ISO/IEC 80001 Medical IT Network Risk Management',
+        shortName: 'ISO/IEC 80001',
+        vertical: 'Hospital IT / Medical Device Networks',
+        jurisdiction: 'International (FDA / MHRA / Health Canada / TGA / NIS2 health sector)',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'ISO/IEC 80001 multipart family — risk management for IT-networks incorporating medical devices. Distinct from IEC 62304 (medical-device SOFTWARE development) — 80001 governs DEPLOYMENT, OPERATION, and MAINTENANCE of medical devices on hospital/health-system IT networks. Multipart: 80001-1:2021 (general principles + risk management process), 80001-2-1:2012 (step-by-step risk management), 80001-2-2:2012 (security capabilities — SECURE/MDS2 template), 80001-2-3:2012 (wireless networks), 80001-2-5:2014 (distributed alarm systems). Three KEY PROPERTIES per §4.2: (1) SAFETY — no patient harm from network-mediated failure; (2) EFFECTIVENESS — medical purpose still achieved; (3) DATA + SYSTEM SECURITY — integrity, availability, confidentiality of clinical data + system function. Every device added to network → formal risk assessment on all three KEY PROPERTIES → residual risk documentation → operational lifecycle monitoring. Designated Medical IT-Network Risk Manager (MITN-RM) per §5. Responsibility Agreements per §6. CRITICAL behavioral validator for key-property-impact detected — immediate escalation. 20-year patient-record retention (7300 days). 72h cross-jurisdictional incident notification. PRC providers blocked.',
+        keyRequirements: ['KEY PROPERTY: SAFETY — no patient harm from network-mediated failure (§4.2.1)', 'KEY PROPERTY: EFFECTIVENESS — medical purpose still achieved on network (§4.2.2)', 'KEY PROPERTY: DATA + SYSTEM SECURITY — integrity, availability, confidentiality of clinical data (§4.2.3)', 'Designated Medical IT-Network Risk Manager (MITN-RM) per §5 with documented authority', 'Responsibility Agreements per §6 (RO + device manufacturer + IT operator)', 'Step-by-step risk management per 80001-2-1 (hazard identification + risk estimation + control)', 'Medical device inventory per §7 (device ID, network ID, clinical context, risk status)', 'Network change management per §8 (pre-change risk assessment, MITN-RM approval gate, NO unilateral changes)', 'Incident management per §9 (incident classification, manufacturer notification, key property impact resolution)', 'Monitoring + event handling per §9 + 80001-2-2 §6 (continuous three KEY PROPERTIES monitoring)', 'Security capabilities communication per 80001-2-2 (MDS2/SECURE template per device)', 'Wireless network controls per 80001-2-3 (RF site survey, SSID/VLAN segmentation, roaming)', 'Distributed alarm systems per 80001-2-5 (alarm delivery risk, redundancy, end-to-end testing)', 'ISO 14971 alignment per §4.4 (network-mediated risks linked to device-intrinsic risk files)', 'Behavioral validator: key-property-impact detected — absolute CRITICAL block on network changes'],
+        aiRelevance: 'AI agents operating on or monitoring medical IT networks must enforce immediate key-property-impact escalation with NO compensating control path. KEY PROPERTY SAFETY impact is an absolute CRITICAL block on all network change operations until formally resolved by MITN-RM + patient-safety-officer attestation. AI-generated network risk assessments require MITN-RM + biomedical-engineering-lead review before any risk management decision. AI-assisted distributed alarm monitoring must disclose model provenance to patient-safety-officer. PRC providers blocked: ISO/IEC 80001-2-2 security-capabilities requirements for clinical IT networks handling PHI are incompatible with PRC data localisation law (CSL/DSL/PIPL). Pack pairings: IEC 62304 (device software dev), FDA 21 CFR 820 (QSR), ISO 14971 (device risk), ISO 27799 (health informatics security), HIPAA, GDPR, NIST SP 800-66, NIST SP 800-82.',
+        controlCount: 15,
+    },
+    // ---- ISO 26262 automotive functional safety pack ----
+    {
+        id: 'iso-26262',
+        name: 'ISO 26262 — Automotive Functional Safety',
+        shortName: 'ISO 26262',
+        vertical: 'Automotive',
+        jurisdiction: 'International',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'ISO 26262:2018 — international standard for functional safety of E/E systems in road vehicles. Five ASIL levels (D: maximum — steering/braking/airbag; C: adaptive cruise / eCall; B: lane-keep / TPMS; A: lighting / climate; QM: outside functional safety scope). Validators cover HARA + item definition + functional + technical safety concepts, software safety requirements + architecture + unit verification (ASIL D: MC/DC mandatory), ASIL decomposition, FMEA/FTA, tool confidence level (TCL), configuration + change management. 20-year vehicle-lifetime retention. 30-day NHTSA defect notification.',
+        keyRequirements: ['ASIL (A/B/C/D/QM) classification with HARA rationale (S × E × C)', 'Item definition per ISO 26262-3 §5', 'Hazard Analysis and Risk Assessment (HARA) per ISO 26262-3 §6', 'Functional safety concept (FSC) + FSR per ISO 26262-3 §7', 'Technical safety concept (TSC) + TSR per ISO 26262-4 §6', 'Software safety requirements (SSR) per ISO 26262-6 §6', 'Software architectural design per ISO 26262-6 §7', 'ASIL D unit verification + MC/DC at 100% per ISO 26262-6 §9 Table 12', 'ASIL decomposition rules per ISO 26262-9 §5', 'FMEA + fault-tree analysis per ISO 26262-9 §8', 'Tool Confidence Level (TCL) classification per ISO 26262-8 §11', 'Configuration + change management per ISO 26262-8 §7+§8'],
+        aiRelevance: 'AI agents generating or modifying safety-critical automotive E/E software must declare ASIL. ASIL D unverified changes are blocked; ASIL C triggers immediate escalation. ASIL D requires MC/DC coverage at 100%. AI code generation tools must be TCL-classified (typically TCL 2 or TCL 3 for ASIL B/C/D). PRC providers blocked for UNECE WP.29 / EU type-approval data-handling compliance.',
+        controlCount: 15,
+    },
+    {
+        id: 'gdpr',
+        name: 'General Data Protection Regulation',
+        shortName: 'GDPR',
+        vertical: 'Cross-Industry',
+        jurisdiction: 'EU',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'Data subject rights (Art. 15-22), PII classification, retention policies, 72-hour breach notification',
+        keyRequirements: ['Lawful basis', 'Data subject rights', 'DPO', 'DPIA', 'Breach notification'],
+        aiRelevance: 'AI processing personal data must implement Art. 22 automated decision-making safeguards, DPIAs for high-risk processing',
+        controlCount: 14,
+    },
+    {
+        id: 'pci-dss',
+        name: 'Payment Card Industry Data Security Standard',
+        shortName: 'PCI DSS',
+        vertical: 'Fintech',
+        jurisdiction: 'Global',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'PAN detection, encryption validation, access restrictions, transaction audit',
+        keyRequirements: ['Network security', 'Data protection', 'Vulnerability management', 'Access control', 'Monitoring'],
+        aiRelevance: 'AI accessing cardholder data must enforce PCI scope isolation, encryption, and transaction logging',
+        controlCount: 12,
+    },
+    {
+        id: 'eu-ai-act',
+        name: 'EU AI Act',
+        shortName: 'EU AI Act',
+        vertical: 'Cross-Industry',
+        jurisdiction: 'EU',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'Risk classification, prohibited practices, transparency obligations, post-market monitoring',
+        keyRequirements: ['Risk classification', 'Prohibited practices', 'Transparency', 'Human oversight', 'Post-market monitoring'],
+        aiRelevance: 'Core AI governance regulation. Mandatory for any AI system deployed in or serving EU markets',
+        controlCount: 16,
+    },
+    {
+        id: 'iso27001',
+        name: 'ISO/IEC 27001',
+        shortName: 'ISO 27001',
+        vertical: 'Cross-Industry',
+        jurisdiction: 'Global',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'Information security controls, risk assessment, access management, incident handling',
+        keyRequirements: ['ISMS', 'Risk assessment', 'Access controls', 'Incident management', 'Business continuity'],
+        aiRelevance: 'AI systems must be within ISMS scope with controls for data handling, access, and incident response',
+        controlCount: 14,
+    },
+    {
+        id: 'dora',
+        name: 'Digital Operational Resilience Act',
+        shortName: 'DORA',
+        vertical: 'Fintech',
+        jurisdiction: 'EU',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'ICT risk management, incident reporting (4-hour), resilience testing, third-party oversight',
+        keyRequirements: ['ICT risk management', 'Incident reporting', 'Resilience testing', 'Third-party oversight'],
+        aiRelevance: 'AI as critical ICT service must meet resilience testing, 4-hour incident reporting, third-party risk management',
+        controlCount: 10,
+    },
+    {
+        id: 'nist_ai_rmf',
+        name: 'NIST AI Risk Management Framework',
+        shortName: 'NIST AI RMF',
+        vertical: 'Cross-Industry',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'AI risk management, governance, mapping, measurement, management functions',
+        keyRequirements: ['GOVERN', 'MAP', 'MEASURE', 'MANAGE'],
+        aiRelevance: 'Primary US federal AI risk framework. Referenced in executive orders and agency guidance',
+        controlCount: 12,
+    },
+    {
+        id: 'iso_42001',
+        name: 'ISO/IEC 42001',
+        shortName: 'ISO 42001',
+        vertical: 'Cross-Industry',
+        jurisdiction: 'Global',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'AI management systems, responsible AI, organizational AI governance',
+        keyRequirements: ['AIMS', 'AI policy', 'Risk management', 'Performance evaluation', 'Improvement'],
+        aiRelevance: 'Certification standard for AI management systems. Growing adoption alongside ISO 27001',
+        controlCount: 10,
+    },
+    {
+        id: 'soc1',
+        name: 'SOC 1 / SSAE 18',
+        shortName: 'SOC 1',
+        vertical: 'Cross-Industry',
+        jurisdiction: 'US (ISAE 3402 international equivalent)',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'Service Organisation Control over Internal Control over Financial Reporting (ICFR). Applies when service organisation controls affect user entities financial statements.',
+        keyRequirements: [
+            'Change management',
+            'Segregation of duties',
+            'ITGC access provisioning',
+            'Data integrity (hash chain)',
+            'Sub-service organisation disclosure',
+            'CUEC register',
+            'Control testing evidence',
+        ],
+        aiRelevance: 'AI systems processing payroll, transactions, revenue recognition, or other financial data must enforce change gating, segregation of duties, and tamper-evident audit trails. Sub-service organisations (LLM providers) must be registered under inclusive or carve-out method.',
+        controlCount: 9,
+    },
+    {
+        id: 'ccpa',
+        name: 'CCPA / CPRA',
+        shortName: 'CCPA/CPRA',
+        vertical: 'Cross-Industry',
+        jurisdiction: 'US (California)',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'California Consumer Privacy Act / California Privacy Rights Act including 2024-2026 CPPA rulemaking on ADMT, cybersecurity audits, risk assessments, SB 362 universal delete, and AB 2013 generative-AI training-data transparency.',
+        keyRequirements: [
+            'Notice at collection',
+            'Right to Know / Delete / Correct / Opt-Out / Limit SPI / Opt-Out ADMT',
+            'SPI handling restriction',
+            'Service provider / contractor / third-party contract clauses',
+            'Annual cybersecurity audit',
+            'Risk assessment for high-risk processing',
+            'Global Privacy Control (GPC) honour',
+            'Generative-AI training data transparency (AB 2013)',
+        ],
+        aiRelevance: 'AI agents that process PI of California consumers must support ADMT opt-out for significant decisions, honour GPC and sale/sharing opt-out, restrict SPI use to disclosed purposes, respect the 45-day consumer request deadline, and participate in universal delete mechanism if a data broker. Generative-AI providers available in California must document training-data provenance from Jan 2026.',
+        controlCount: 11,
+    },
+    {
+        id: 'hitech',
+        name: 'HITECH Act',
+        shortName: 'HITECH',
+        vertical: 'Healthcare',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'HITECH Act (2009) as amended by the HIPAA Omnibus Rule (2013) and HR 7898 Safe Harbor Law (2021). Always activates alongside HIPAA.',
+        keyRequirements: [
+            '60-day breach notification (individuals + HHS; 500+ records also media)',
+            'Annual HHS small-breach report by 1 March',
+            'BA chain tracking (BA subcontractors need BAAs too)',
+            'Tiered penalty classification (Tier 1-4)',
+            'Recognised-security-practices attestation (HR 7898 Safe Harbor)',
+            'Sale of PHI authorisation gating',
+            'Marketing use of PHI authorisation gating',
+            'OCR audit-readiness bundle export',
+        ],
+        aiRelevance: 'AI agents handling PHI as Business Associates (or subcontractors of BAs) are directly liable under HITECH. Breaches of unsecured PHI trigger the 60-day clock; evidence of recognised security practices (NIST CSF, HITRUST, HICP 405(d)) for 12+ months mitigates HHS enforcement outcomes under HR 7898.',
+        controlCount: 11,
+    },
+    {
+        id: 'glba',
+        name: 'Gramm-Leach-Bliley Act',
+        shortName: 'GLBA',
+        vertical: 'Fintech',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'GLBA compliance with the 2021 Safeguards Rule amendment (WISP, MFA, qualified individual, encryption, service-provider oversight) and the 2024 Notice of Security Event rule (30-day FTC notification for 500+ consumer events).',
+        keyRequirements: [
+            'Written Information Security Program (WISP)',
+            'Qualified individual designated',
+            'Written risk assessment',
+            'Encryption at rest and in transit',
+            'MFA on every agent accessing consumer info',
+            'Annual penetration test + semiannual vuln scan (or continuous monitoring)',
+            'Service provider oversight with contractual safeguards',
+            'Initial + annual privacy notice with opt-out',
+            '30-day FTC notification for 500+ consumer events',
+            'Annual board report from qualified individual',
+        ],
+        aiRelevance: 'AI agents at financial institutions handling consumer NPI must enforce MFA on every agent access, encrypt NPI at rest and in transit, block sharing to non-affiliated third parties without opt-out, gate service providers by contractual safeguards, and escalate pretexting attempts. 2024 rule adds 30-day FTC notification for events affecting 500+ consumers.',
+        controlCount: 12,
+    },
+    {
+        id: 'aba',
+        name: 'ABA Model Rules (Opinion 512)',
+        shortName: 'ABA Model Rules',
+        vertical: 'Legal',
+        jurisdiction: 'US (state bar adoption varies)',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'ABA Model Rules of Professional Conduct for generative AI, anchored by ABA Formal Opinion 512 (July 2024). Covers competence, confidentiality, supervision, communication, candor, conflicts, UPL, fees, and marketing for lawyers using AI.',
+        keyRequirements: [
+            'Cite-check on AI-drafted court filings',
+            'Confidentiality gate (block privileged to training / retaining providers)',
+            'Supervising lawyer per agent',
+            'Human review on court filings',
+            'Client informed consent',
+            'Per-matter isolation + conflict check',
+            'UPL / jurisdiction scope enforcement',
+            'Fee reasonableness review for AI time entries',
+            'AI-marketing truthfulness review',
+            'Vendor zero-retention + zero-training-on-inputs',
+        ],
+        aiRelevance: 'Law firms using AI agents must enforce confidentiality protection for privileged client data, have a supervising lawyer for each agent, require human-lawyer review on any court filing drafted with AI, verify vendor terms preclude training on inputs, and track client informed consent. Hallucinated citations expose attorneys to Rule 3.3, Rule 11, and 28 USC 1927 sanctions.',
+        controlCount: 10,
+    },
+    {
+        id: 'ftc5',
+        name: 'FTC Act §5',
+        shortName: 'FTC §5',
+        vertical: 'Cross-Industry',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'FTC Act Section 5 (15 USC 45) framework for unfair or deceptive AI practices, including Operation AI Comply (2024), 16 CFR Part 465 fake-review rule, algorithmic disgorgement, and COPPA-intersecting under-13 protections.',
+        keyRequirements: [
+            'Claim substantiation registry',
+            'Fake / AI-generated review prohibition',
+            'AI-generation disclosure on synthetic content and endorsements',
+            'Dark pattern UX block',
+            'Chatbot fraud detection',
+            'Under-13 age gate + VPC',
+            'Data minimisation',
+            'Algorithmic disgorgement readiness (training-data provenance + deletion capability)',
+            'Disparate impact monitoring',
+            'AI-washing label evidence',
+        ],
+        aiRelevance: 'Any AI interacting with US consumers is subject to FTC §5. Unsubstantiated AI claims, fake AI-generated reviews, undisclosed synthetic endorsements, chatbot fraud scripts, under-13 data collection, and dark-pattern UX all create §5 exposure. The FTC uses algorithmic disgorgement (delete the model + delete the data) as a structural remedy.',
+        controlCount: 10,
+    },
+    {
+        id: 'sr11-7',
+        name: 'SR 11-7 Model Risk Management',
+        shortName: 'SR 11-7',
+        vertical: 'Fintech',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'Federal Reserve SR 11-7 / OCC 2011-12 / FDIC FIL-22-2017 Model Risk Management, reinforced by 2024 interagency AI/ML supervisory guidance. Three pillars: robust development, independent validation, governance controls.',
+        keyRequirements: [
+            'Enterprise model inventory',
+            'Validation independence (developer != validator)',
+            'Tier-based validation cadence (CRITICAL/HIGH monthly, MEDIUM quarterly, LOW annually)',
+            'Challenger/benchmark models for CRITICAL tier',
+            'Ongoing drift monitoring',
+            'Retirement enforcement',
+            'Documentation (assumptions, limitations, intended use, data ranges)',
+            'Material-change revalidation',
+            'Enterprise governance reporting',
+        ],
+        aiRelevance: '2024 interagency AI/ML supervisory statements treat every AI/ML system in banking decisions as a "model" under SR 11-7. Credit scoring, fraud detection, pricing, capital, reserves, stress testing, and AML transaction monitoring AI all trigger MRM obligations.',
+        controlCount: 10,
+    },
+    {
+        id: 'part11',
+        name: '21 CFR Part 11',
+        shortName: 'Part 11',
+        vertical: 'Pharmaceutical',
+        jurisdiction: 'US (FDA); EU Annex 11 equivalent',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: '21 CFR Part 11 Electronic Records and Electronic Signatures for FDA-regulated predicate records, under 2003 Scope & Application Guidance, EU Annex 11 alignment, and 2024 FDA GenAI guidance for clinical records. Enforces ALCOA+ data integrity.',
+        keyRequirements: [
+            'Validation (IQ/OQ/PQ) before regulated-record creation',
+            'Qualified e-signature on every record modification',
+            'Append-only audit trail (no delete, no modify)',
+            'Authority-to-sign matrix',
+            'Signature bound to record hash',
+            'NTP-synced timestamps',
+            'AI provenance for AI-generated content',
+            'Contemporaneous capture (no backdating)',
+            'Event sequencing',
+            'Predicate-rule retention',
+            'ALCOA+ principles',
+        ],
+        aiRelevance: 'AI agents in pharma / biotech / med device / lab / CRO / clinical trial environments that create, modify, or transmit records required by an FDA predicate rule must meet Part 11. The 2024 FDA GenAI guidance adds provenance requirements for AI-generated content in regulated records.',
+        controlCount: 11,
+    },
+    {
+        id: 'sox404',
+        name: 'SOX 404',
+        shortName: 'SOX 404',
+        vertical: 'Fintech',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'Sarbanes-Oxley §404 Internal Control over Financial Reporting (ICFR) under SEC Rule 13a-15/15d-15, PCAOB AS 2201, and COSO 2013. Includes 2024-2026 PCAOB focus on AI/ML in financial reporting.',
+        keyRequirements: [
+            'Annual §404(a) management ICFR assessment',
+            'AI model control-inventory mapping',
+            'Material-change reassessment',
+            'Segregation of duties',
+            'Human review of AI output hitting GL',
+            'Deficiency classification + remediation',
+            'Quarterly control testing cadence',
+            'Complete change management log',
+            'CUEC register from SOC 1 reports',
+            'IT General Controls matrix',
+        ],
+        aiRelevance: 'Any AI/ML system producing or influencing a figure that lands in the consolidated financial statements triggers SOX 404. PCAOB 2024-2026 focus requires documented controls around model design, validation, and ongoing monitoring of AI-involved financial processes.',
+        controlCount: 10,
+    },
+    {
+        id: 'bsa-aml',
+        name: 'BSA / AML',
+        shortName: 'BSA/AML',
+        vertical: 'Fintech',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'Bank Secrecy Act / Anti-Money Laundering compliance: CIP, CDD (2016 Rule), SAR / CTR reporting, OFAC sanctions, Corporate Transparency Act BOI reporting, five-pillar AML program. Reinforced by 2023-2026 FinCEN AI/ML guidance.',
+        keyRequirements: [
+            'Customer Identification Program',
+            'Customer Due Diligence + Beneficial Ownership',
+            'OFAC sanctions screening',
+            '30-day SAR filing',
+            '$10K CTR filing',
+            'BSA officer designation',
+            'Annual training',
+            'Annual independent testing',
+            'Corporate Transparency Act BOI reporting',
+            'AI explainability for SAR narrative',
+            'AML bias monitoring',
+        ],
+        aiRelevance: 'AI transaction monitoring must be explainable for SAR narratives, must avoid disparate impact in risk scoring, and must integrate with OFAC screening. Model governance aligns with SR 11-7.',
+        controlCount: 11,
+    },
+    {
+        id: 'nydfs500',
+        name: 'NY DFS 23 NYCRR Part 500',
+        shortName: 'NY DFS 500',
+        vertical: 'Fintech',
+        jurisdiction: 'US (New York)',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'NY DFS Cybersecurity Regulation 23 NYCRR Part 500 with Second Amendment (Nov 2023, phased April 2025). Class A tier, 72-hour cyber event notice, 24-hour ransomware notice, CISO board reporting, MFA expansion, AI-specific risk assessment.',
+        keyRequirements: [
+            'CISO designation + annual board report',
+            'MFA on privileged + remote access',
+            'Encryption of NPI',
+            '72-hour cybersecurity event notification',
+            '24-hour ransomware payment notification',
+            'Annual risk assessment',
+            'Annual pentest + bi-annual vuln scan',
+            'Third-party service provider policy',
+            'Asset inventory + EOL tracking',
+            'AI-specific risk assessment',
+            'Cybersecurity training',
+        ],
+        aiRelevance: 'AI systems at NY-DFS-covered entities must undergo AI-specific risk assessment (2023 amendment) and feed into the cybersecurity event clock. CISO board reporting now must cover AI-specific risks.',
+        controlCount: 11,
+    },
+    {
+        id: 'cfpb-2023-03',
+        name: 'CFPB Circular 2023-03',
+        shortName: 'CFPB 2023-03',
+        vertical: 'Fintech',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'CFPB Circular 2023-03 adverse action requirements for AI / complex algorithms in credit decisions. Interprets ECOA §701 + Regulation B (12 CFR 1002); supplemented by CFPB 2024 Advisory Opinion.',
+        keyRequirements: [
+            '30-day adverse action notification',
+            'Specific principal-factor reasons (no generic rationale)',
+            'Creditor-level documentation of vendor scoring',
+            'Regulation B sample-form code validation',
+            'Reason-derivation methodology per model',
+            'ECOA anti-discrimination monitoring',
+            'Conflicting reason code detection',
+            '25+ month record retention',
+        ],
+        aiRelevance: 'AI/ML credit decisions must produce specific principal-factor reasons. Generic rationale ("algorithm decided") is non-compliant. Creditors retain responsibility for reasoning regardless of vendor-supplied scoring.',
+        controlCount: 10,
+    },
+    {
+        id: 'bipa',
+        name: 'Illinois BIPA',
+        shortName: 'BIPA',
+        vertical: 'Retail / Consumer',
+        jurisdiction: 'US (Illinois, extraterritorial)',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'Illinois Biometric Information Privacy Act (740 ILCS 14/) with 2024 SB 2979 amendment. Written consent, public policy, no sale, retention + destruction schedule, private right of action with statutory damages.',
+        keyRequirements: [
+            'Written consent per subject before collection',
+            'Public policy + retention + destruction guidelines',
+            'No sale / lease / trade / profit',
+            'Disclosure requires consent',
+            'Reasonable care (encryption + access controls)',
+            'Per-person violation aggregation (post-SB 2979)',
+            'Subject deletion support',
+        ],
+        aiRelevance: 'Facial recognition, voice prints, fingerprints, retina / iris scans used by AI systems on Illinois residents trigger BIPA. Private right of action with $1K / $5K statutory damages makes BIPA one of the highest-risk privacy laws for AI deployments.',
+        controlCount: 9,
+    },
+    {
+        id: 'fda-samd',
+        name: 'FDA SaMD (AI/ML)',
+        shortName: 'FDA SaMD',
+        vertical: 'Healthcare',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'FDA Software as a Medical Device for AI/ML under FD&C Act §201(h) + 21 CFR 807/820/821. QMSR effective Feb 2026, 2024 PCCP Guidance, 2024 AI/ML Lifecycle Guidance, GMLP Principles, 21 CFR 803 MDR, PATCH Act cybersecurity.',
+        keyRequirements: [
+            'QMSR validation (effective Feb 2026)',
+            'PCCP for AI/ML model updates',
+            'SBOM (PATCH Act)',
+            'Clinical validation per IMDRF category',
+            'Real-world performance monitoring',
+            '21 CFR 803 MDR reporting',
+            'Post-market surveillance plan',
+            'GMLP 10-principle evaluation',
+            'IMDRF SaMD category tracking',
+            'Intended-use scope enforcement',
+            'Demographic bias monitoring',
+        ],
+        aiRelevance: 'AI/ML medical devices must validate under QMSR, use PCCP for model updates (avoiding new 510(k) per iteration), monitor real-world performance, and report adverse events via MDR. 2024 FDA AI/ML Lifecycle Guidance + GMLP are the de facto baseline.',
+        controlCount: 11,
+    },
+    {
+        id: 'part2',
+        name: '42 CFR Part 2 (SUD Records)',
+        shortName: '42 CFR Part 2',
+        vertical: 'Healthcare',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: '42 CFR Part 2 Confidentiality of Substance Use Disorder Patient Records with 2024 Final Rule (compliance 16 Feb 2026). Stricter than HIPAA for SUD data; preserves legal-proceedings restrictions despite 2024 TPO alignment.',
+        keyRequirements: [
+            'Single written consent for TPO disclosures',
+            'Legal-proceedings court order + consent requirement',
+            'Part 2 segmentation in combined EHRs',
+            'Prohibition on Redisclosure notice',
+            'Consent revocation continuity',
+            'QSO agreement for contractors',
+            'Minimum necessary (stricter than HIPAA)',
+            'Research IRB + patient consent',
+            '60-day breach notification (HIPAA-aligned)',
+            '2024 anti-discrimination monitoring',
+        ],
+        aiRelevance: 'AI agents in substance-use-disorder treatment programs, HIEs, and QSOs must gate every SUD record access on patient consent, segment Part 2 data from non-Part 2 records, and inject the Prohibition on Redisclosure notice on outgoing records. Stricter than HIPAA minimum-necessary applies.',
+        controlCount: 11,
+    },
+    {
+        id: 'gxp',
+        name: 'GxP (GMP/GLP/GCP)',
+        shortName: 'GxP',
+        vertical: 'Pharmaceutical',
+        jurisdiction: 'Global (FDA, EMA, ICH)',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'GxP Good Practice covering GMP (21 CFR 210-211 + EU GMP Annex 11), GLP (21 CFR 58), GCP (21 CFR 312 + ICH E6(R3) 2024). ALCOA+ data integrity enforced across all three branches.',
+        keyRequirements: [
+            'AI validation gate per GxP branch (IQ/OQ/PQ)',
+            'ALCOA+ data integrity',
+            'GMP batch release QA',
+            'GLP raw-data preservation',
+            'GCP eligibility + informed consent',
+            'IND safety reports (7-day / 15-day)',
+            'FAR 3-day Field Alert Report',
+            'Protocol deviation review',
+            'OOS investigation',
+            'QAA + supplier GxP audit',
+        ],
+        aiRelevance: 'AI/ML in pharma manufacturing QC, batch release, nonclinical safety studies, clinical trial screening, and adverse event detection all trigger GxP. Always couples with 21 CFR Part 11.',
+        controlCount: 11,
+    },
+    {
+        id: 'nyc-ll-144',
+        name: 'NYC LL 144 (AEDT Bias Audit)',
+        shortName: 'NYC LL 144',
+        vertical: 'Retail / Consumer',
+        jurisdiction: 'US (New York City)',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'NYC Local Law 144 AEDT Bias Audit. Annual independent bias audit + public disclosure + 10-business-day candidate notice + alternative-process option. NYCRR 5-300 methodology.',
+        keyRequirements: [
+            'Annual independent bias audit',
+            'Public disclosure of audit summary',
+            '10-business-day candidate notice',
+            'Alternative selection process option',
+            'AEDT scope classification',
+            'Impact ratios per demographic (intersectional)',
+            'NYC demographic data tagging',
+            '365-day audit renewal with 60-day early warning',
+            '3-year record retention',
+        ],
+        aiRelevance: 'AI/ML AEDT used in NYC hiring / promotion / employment decisions must undergo annual independent bias audit with impact ratios per demographic category. $500-$1,500 per-violation-per-day DCWP penalties.',
+        controlCount: 10,
+    },
+    {
+        id: 'eu-ai-liability',
+        name: 'EU AI Liability (PLD 2024)',
+        shortName: 'EU AI Liability',
+        vertical: 'AI-Specific',
+        jurisdiction: 'EU',
+        status: 'ACTIVE',
+        priority: 'P2',
+        description: 'EU Product Liability Directive (EU) 2024/2853 covering software + AI as products. Entered into force 8 Dec 2024; Member State transposition by 9 Dec 2026. AI Liability Directive proposal withdrawn Feb 2025.',
+        keyRequirements: [
+            'PLD-ready documentation',
+            'Art. 9 evidence disclosure readiness',
+            'Art. 4(6) substantial modification tracking',
+            'Post-market monitoring (coupled to EU AI Act Art. 72)',
+            'Art. 8 economic operator liability position',
+            'Art. 14 latent defect window (10-25 years)',
+            'Art. 6(1)(c) data damage tracking',
+            'Withdrawn ALD guard',
+            'Open-source / SME exception',
+        ],
+        aiRelevance: 'AI systems placed on the EU market are treated as "products" under PLD 2024. Plaintiffs may seek disclosure of AI model information (Art. 9); failure to disclose triggers presumption of defectiveness (Art. 10).',
+        controlCount: 11,
+    },
+    {
+        id: 'iso-23894',
+        name: 'ISO/IEC 23894 (AI Risk Management)',
+        shortName: 'ISO 23894',
+        vertical: 'AI-Specific',
+        jurisdiction: 'Global',
+        status: 'ACTIVE',
+        priority: 'P2',
+        description: 'ISO/IEC 23894:2023 AI Risk Management Guidance. Applies ISO 31000 principles to AI-specific risks. Companion to ISO/IEC 42001 AIMS.',
+        keyRequirements: [
+            'AI risk management framework (Clause 5)',
+            'Risk management process (§6.1-6.7)',
+            'AI risk register',
+            'Training data quality + fairness',
+            'Robustness monitoring',
+            'Human oversight levels',
+            'Transparency / explainability',
+            'Societal + environmental impact',
+            'Risk treatment decisions',
+            'Annual risk review',
+            'Stakeholder communication',
+        ],
+        aiRelevance: 'Guidance-only standard (not certifiable on its own) widely cited as evidence of mature AI risk practice. Maps to NIST AI RMF and complements ISO 42001.',
+        controlCount: 11,
+    },
+    {
+        id: 'lgpd',
+        name: 'LGPD (Brazil)',
+        shortName: 'LGPD',
+        vertical: 'Cross-Industry',
+        jurisdiction: 'Brazil',
+        status: 'ACTIVE',
+        priority: 'P2',
+        description: 'Brazilian General Data Protection Law (Lei 13.709/2018) with 2024 ANPD guidance on automated decision-making and SCCs.',
+        keyRequirements: [
+            'Legal basis per processing activity (Art. 7 + Art. 11)',
+            'Encarregado (DPO) designation',
+            'RIPD (DPIA) for high-risk processing',
+            'Arts. 17-22 DSR workflow (8 rights)',
+            'Art. 20 ADM review right',
+            'Sensitive data + child data gating',
+            'International transfer mechanism',
+            '48-72h breach notification',
+            'Records of Processing Activities',
+            'Non-discriminatory processing',
+        ],
+        aiRelevance: 'LGPD Art. 20 grants data subjects review rights over automated decisions. AI systems affecting Brazilian individuals must support explainability and human review.',
+        controlCount: 11,
+    },
+    {
+        id: 'pipl',
+        name: 'PIPL (China)',
+        shortName: 'PIPL',
+        vertical: 'Cross-Industry',
+        jurisdiction: 'China',
+        status: 'ACTIVE',
+        priority: 'P2',
+        description: 'PRC Personal Information Protection Law (1 Nov 2021) with 2024 CAC CBDT Provisions and Interim Measures for Generative AI Services (Aug 2023).',
+        keyRequirements: [
+            'Art. 13 legal basis',
+            'Separate consent for sensitive / CBDT / ADM',
+            'PIPO designation',
+            'Art. 24 ADM explanation + opt-out',
+            'CAC security assessment / SCC / certification for CBDT',
+            'CAC GenAI registration',
+            'Important Data DSL gating',
+            'Children (under 14) specific consent',
+            'Arts. 44-50 DSR (7 rights)',
+            '72h breach notification',
+        ],
+        aiRelevance: 'AI systems processing Chinese individuals\' personal data must obtain separate consent for ADM, register with CAC if generative AI, and verify CBDT mechanism.',
+        controlCount: 11,
+    },
+    // X2 disaggregation (2026-04-24): pipeda.ts split into ca-pipeda + ca-qc-law25
+    // per Thomas's one-country-one-regulation principle.
+    {
+        id: 'ca-pipeda',
+        name: 'PIPEDA (Canada -- Federal)',
+        shortName: 'CA PIPEDA',
+        vertical: 'Cross-Industry',
+        jurisdiction: 'Canada',
+        status: 'ACTIVE',
+        priority: 'P2',
+        description: 'Canadian federal PIPEDA (SC 2000, c 5). OPC-enforced. Bill C-27 (CPPA/AIDA) withdrawn Jan 2025. For Quebec-resident data, activate alongside ca-qc-law25.',
+        keyRequirements: [
+            'Meaningful consent (PIPEDA Principle 3)',
+            'Collection limiting (Principle 4)',
+            'Accountability program (Principle 1)',
+            'RROSH breach notification to OPC',
+            '24-month breach log retention',
+            'Access + correction + challenge (Principles 9, 10)',
+            'Cross-border safeguards',
+            'Withdrawn CPPA/AIDA guard',
+        ],
+        aiRelevance: 'Canadian federal privacy law for commercial activity. OPC 2025 guidance on generative AI. CPPA/AIDA withdrawn; withdrawn-law guard maintained.',
+        controlCount: 8,
+    },
+    {
+        id: 'ca-qc-law25',
+        name: 'Quebec Law 25 (Canada -- Provincial Quebec)',
+        shortName: 'QC Law 25',
+        vertical: 'Cross-Industry',
+        jurisdiction: 'Canada (Quebec)',
+        status: 'ACTIVE',
+        priority: 'P2',
+        description: 'Quebec Law 25 (SQ 2021 c 25). CAI-enforced. Fully in force September 2024. Adds s. 12.1 ADM disclosure, s. 3.3 high-risk PIA gate, enhanced consent. Activate alongside ca-pipeda.',
+        keyRequirements: [
+            'Enhanced consent (explicit opt-in)',
+            's. 3.3 PIA for high-risk processing',
+            's. 12.1 ADM information obligations',
+            's. 17 cross-border transfer safeguards',
+            'CAI breach notification',
+            'Access + correction + portability + human review of ADM',
+            'Privacy Management Program',
+        ],
+        aiRelevance: 'Quebec provincial privacy law with AI-specific provisions. s. 12.1 requires disclosing automated decision-making use and providing human review right. High-risk AI processing requires PIA.',
+        controlCount: 8,
+    },
+    {
+        id: 'colorado-ai',
+        name: 'Colorado AI Act',
+        shortName: 'Colorado AI',
+        vertical: 'AI-Specific',
+        jurisdiction: 'US (Colorado)',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'Colorado AI Act (SB 24-205, Colo. Rev. Stat. 6-1-1701 et seq.). First comprehensive US state AI law. Effective 1 February 2026. Regulates developers and deployers of high-risk AI making consequential decisions in 8 domains.',
+        keyRequirements: [
+            'Reasonable care to prevent algorithmic discrimination',
+            'Annual impact assessment (plus within 90d of material modification)',
+            'Consumer notice before consequential decision',
+            'Adverse-decision reasons statement, correction, appeal to human reviewer',
+            'Developer statement to deployers',
+            'Risk management policy and program (NIST AI RMF or ISO/IEC 42001 acceptable as affirmative defence)',
+            '90-day discrimination disclosure to Colorado AG',
+            'Public statement on high-risk systems in use',
+        ],
+        aiRelevance: 'AI agents making or substantially contributing to consequential decisions (education, employment, finance, government, healthcare, housing, insurance, legal) for Colorado consumers must implement bias monitoring, impact assessment, consumer notice, adverse-decision appeal workflow, and risk management program. Affirmative defence available if also compliant with NIST AI RMF or ISO/IEC 42001.',
+        controlCount: 10,
+    },
+    {
+        id: 'mifid2',
+        name: 'MiFID II / MiFIR',
+        shortName: 'MiFID II',
+        vertical: 'Fintech',
+        jurisdiction: 'EU',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'Best-execution, suitability/appropriateness, product governance, algorithmic trading controls, and investor protection obligations for AI in investment services.',
+        keyRequirements: ['Best execution', 'Suitability assessment', 'Product governance', 'Algo trading kill-switch', 'Record retention (5+ years)', 'AI advice disclosure'],
+        aiRelevance: 'AI systems routing orders, generating investment advice, or operating as algorithmic trading systems must enforce best-execution, per-client suitability, and disclose AI involvement to clients.',
+        controlCount: 9,
+    },
+    {
+        id: 'naic-mdl',
+        name: 'NAIC MDL-668 (Insurance Data Security)',
+        shortName: 'NAIC MDL',
+        vertical: 'Financial',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'NAIC Insurance Data Security Model Law plus 2024 AI Model Bulletin obligations for insurance AI: bias testing, adverse action explanation, vendor accountability.',
+        keyRequirements: ['Information Security Program', 'Board oversight', 'TPSP due diligence', '72-hour notification', 'Annual certification', 'AI bias testing'],
+        aiRelevance: 'Insurance AI systems (pricing, underwriting, claims, fraud detection) must implement ISP, bias testing, and adverse action explanation per NAIC 2024 AI Bulletin.',
+        controlCount: 9,
+    },
+    {
+        id: 'frcp26',
+        name: 'FRCP Rule 26 (E-Discovery)',
+        shortName: 'FRCP 26',
+        vertical: 'Legal',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'Federal Rules of Civil Procedure Rule 26 proportionality, ESI preservation, legal hold, work-product protection, and expert disclosure obligations for AI-assisted document review.',
+        keyRequirements: ['Legal hold', 'Privilege screen', 'Proportionality', 'Attorney review gate', 'Chain of custody', 'Methodology disclosure'],
+        aiRelevance: 'AI e-discovery systems must implement legal hold workflows, privilege classification, defensible collection methodology, and pre-production attorney review.',
+        controlCount: 8,
+    },
+    {
+        id: 'foia',
+        name: 'FOIA (5 USC 552)',
+        shortName: 'FOIA',
+        vertical: 'Government',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'Freedom of Information Act compliance for federal agency AI systems processing FOIA requests: 20-day response clock, nine exemption classifications, Vaughn index, and proactive disclosure.',
+        keyRequirements: ['20-day response clock', 'Nine-exemption classification', 'Vaughn review gate', 'PII redaction', 'Proactive disclosure', 'Annual report'],
+        aiRelevance: 'AI systems processing federal FOIA requests must classify documents against all nine exemptions, require human attorney review of withholding decisions, and maintain audit trails.',
+        controlCount: 8,
+    },
+    {
+        id: 'lpo2024',
+        name: 'LPO 2024 AI Disclosure (Legal Practitioners)',
+        shortName: 'LPO 2024',
+        vertical: 'Legal',
+        jurisdiction: 'Global (HK/UK primary)',
+        // PLACEHOLDER: Pack bundles 3 jurisdictions (HK Law Society PD-P, SRA UK, Law Society E&W).
+        // Per-jurisdiction obligations require Vera (CXNI-008) + counsel sign-off before promotion to ACTIVE.
+        // F-NEW-VERA-PACK-FINAL-004 (2026-05-03): status downgraded from ACTIVE to PLACEHOLDER.
+        status: 'PLACEHOLDER',
+        priority: 'P1',
+        description: 'Synthesised AI disclosure framework for legal practitioners in common-law jurisdictions (primary reference: Hong Kong Law Society Practice Direction P 2024 + SRA UK 2024 AI Guidance). Covers client disclosure of AI use, practitioner competence obligations, confidentiality of client data in AI tools, supervised review of AI output, citation verification, and billing transparency. PLACEHOLDER STATUS -- pack bundles 3 jurisdictions (HK Law Society PD-P, SRA UK, Law Society E&W); Vera + counsel sign-off required per jurisdiction before production activation.',
+        keyRequirements: ['Client disclosure of AI use', 'Practitioner supervision gate', 'Confidentiality gate', 'Vendor DPA', 'Citation verification', 'Billing transparency'],
+        aiRelevance: 'Law firms using AI must disclose AI use to clients, require qualified practitioner review before delivery, enforce confidentiality gates, and verify citations.',
+        controlCount: 8,
+    },
+    {
+        id: 'appi',
+        name: 'APPI (Japan)',
+        shortName: 'APPI',
+        vertical: 'Cross-Industry',
+        jurisdiction: 'Japan',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'Japanese Act on the Protection of Personal Information (2003, amended 2020/2022) with PPC AI Guidelines 2023. Covers purpose specification, cross-border transfers, breach notification (3-5 business days to PPC), and ADM explanation right.',
+        keyRequirements: ['Purpose specification', 'Sensitive personal information gate', 'Cross-border transfer controls', 'Breach notification (3-5 business days)', 'Data subject rights', 'ADM explanation'],
+        aiRelevance: 'AI systems processing Japanese personal data must specify purpose, gate sensitive personal information, control cross-border transfers, and provide ADM explanation rights for significant automated decisions.',
+        controlCount: 8,
+    },
+    {
+        id: 'ferpa',
+        name: 'FERPA (Student Privacy)',
+        shortName: 'FERPA',
+        vertical: 'Education',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'Family Educational Rights and Privacy Act for AI systems at educational institutions: school-official exception, prior written consent, student rights, COPPA age gate for under-13 students.',
+        keyRequirements: ['Prior written consent gate', 'School-official exception agreement', 'COPPA age gate', 'Education record classification', 'Disclosure log', 'Annual FERPA notice'],
+        aiRelevance: 'EdTech AI systems must hold valid school-official exception agreements, enforce prior consent for disclosure, gate under-13 data under COPPA, and maintain per-student disclosure logs.',
+        controlCount: 8,
+    },
+    {
+        id: 'fedramp',
+        name: 'FedRAMP (Rev 5)',
+        shortName: 'FedRAMP',
+        vertical: 'Government',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'Federal Risk and Authorization Management Program (NIST SP 800-53 Rev 5 Moderate baseline) for AI systems serving federal agencies: FIPS 140 encryption, PIV/CAC MFA, continuous monitoring, annual penetration testing.',
+        keyRequirements: ['FIPS 140 encryption', 'PIV/CAC MFA', 'Continuous monitoring', 'Annual penetration test', 'Supply chain marketplace verification', 'POA&M management'],
+        aiRelevance: 'AI cloud services used by federal agencies must achieve FedRAMP Authorization, maintain continuous monitoring, pass annual assessments, and use FIPS-validated cryptography.',
+        controlCount: 9,
+    },
+    {
+        id: 'stateramp',
+        name: 'StateRAMP',
+        shortName: 'StateRAMP',
+        vertical: 'Government',
+        jurisdiction: 'US (state)',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'State government cloud security authorisation (NIST SP 800-53 Rev 5 Moderate baseline) for AI systems serving US state agencies. FedRAMP reciprocity supported.',
+        keyRequirements: ['FIPS 140 encryption', 'MFA for state access', 'Continuous monitoring', 'StateRAMP marketplace verification', 'Annual penetration test', 'POA&M management'],
+        aiRelevance: 'AI systems deployed to state agencies in StateRAMP-adopting states must achieve StateRAMP Authorization or demonstrate FedRAMP reciprocity.',
+        controlCount: 9,
+    },
+    {
+        id: 'cjis',
+        name: 'CJIS Security Policy v5.9.5',
+        shortName: 'CJIS',
+        vertical: 'Government',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'FBI CJIS Security Policy for AI systems handling Criminal Justice Information: FIPS 140 encryption, Advanced Authentication (MFA), 1-hour breach notification, audit logging, Information Exchange Agreements.',
+        keyRequirements: ['FIPS 140 encryption', 'Advanced Authentication (MFA)', '1-hour incident notification', 'Audit trail (2.5 years)', 'IEA on file', 'Security training (2 years)', 'Need-to-know access'],
+        aiRelevance: 'AI systems in law enforcement, courts, corrections, or public safety that access CJI must meet CJIS Security Policy requirements including advanced authentication and 1-hour breach notification.',
+        controlCount: 9,
+    },
+    // Mortgage-industry packs (MORTGAGE-PACKS-01, 2026-04-22; X3 split 2026-04-24)
+    // tila-trid split into us-trid + us-tila; respa renamed to us-respa
+    {
+        id: 'us-respa',
+        name: 'Real Estate Settlement Procedures Act',
+        shortName: 'RESPA',
+        vertical: 'Fintech',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'RESPA (12 USC §2601, Regulation X 12 CFR Part 1024) LLM-egress policy. Blocks referral-steering signals and escrow balances from reaching LLMs. Requires named-human review on all Loan Estimate / Closing Disclosure AI-generated content. Renamed from respa to us-respa (X3 2026-04-24).',
+        keyRequirements: ['§8 anti-kickback referral block', '§10 escrow balance LLM block', '§6 QWR response clocks', 'Named-human review on LE/CD', 'Settlement provider registry'],
+        aiRelevance: 'Mortgage AI agents cannot embed settlement-service provider names or referral-steering signals in LLM prompts. Any AI-generated Loan Estimate or Closing Disclosure content requires named human reviewer before issuance.',
+        controlCount: 10,
+    },
+    {
+        id: 'hmda',
+        name: 'Home Mortgage Disclosure Act',
+        shortName: 'HMDA',
+        vertical: 'Fintech',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'HMDA (12 USC §2801, Regulation C 12 CFR Part 1003) LLM-egress policy. Absolutely blocks GMI data (race, ethnicity, sex, age) from credit-decision LLMs. Allows aggregated LAR data post-decision only. Enforces annual LAR submission attestation.',
+        keyRequirements: ['GMI absolute block in credit-decision LLMs', 'LAR aggregation-only for LLM report generation', 'Annual LAR attestation (March 1)', 'Disparate impact monitoring', 'Proxy detection'],
+        aiRelevance: 'HMDA GMI data is the most strictly gated data class in the mortgage pack catalogue. Feeding race/ethnicity/sex/age to a credit-decision LLM is a simultaneous HMDA + ECOA violation.',
+        controlCount: 9,
+    },
+    {
+        id: 'us-trid',
+        name: 'TRID (TILA-RESPA Integrated Disclosure)',
+        shortName: 'TRID',
+        vertical: 'Fintech',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'TRID (12 CFR §1026.19(e)/(f)) LLM-egress policy for Loan Estimate and Closing Disclosure forms. Blocks LLMs from computing APR, finance charge, amount financed, total loan costs. Enforces 3-business-day LE delivery and 3-business-day pre-consummation CD windows. Changed-circumstance re-disclosure workflow. Split from tila-trid (X3 2026-04-24).',
+        keyRequirements: ['APR/finance-charge LLM compute block (LE/CD forms)', '3-day LE delivery clock (§1026.19(e))', '3-day CD pre-consummation clock (§1026.19(f))', 'Human APR verification gate', 'Changed-circumstance re-disclosure workflow'],
+        aiRelevance: 'No LLM may generate, compute, or place numeric fields (APR, finance charge, amount financed) on a Loan Estimate or Closing Disclosure. LLMs may explain TRID concepts but not compute regulated figures.',
+        controlCount: 6,
+    },
+    {
+        id: 'us-tila',
+        name: 'TILA / Regulation Z (Non-TRID Provisions)',
+        shortName: 'TILA',
+        vertical: 'Fintech',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'TILA (15 USC §1601, Regulation Z 12 CFR Part 1026) LLM-egress policy for all Reg Z provisions other than the TRID integrated disclosure forms. Blocks LLM ATR/QM determinations. Gates rescission notices (12 CFR §1026.23). Detects advertising trigger terms (§§1026.16, 1026.24). Covers credit cards, ARM/HELOC disclosures, consumer leases. Split from tila-trid (X3 2026-04-24).',
+        keyRequirements: ['ATR/QM LLM determination blocked (§1026.43)', 'Rescission 3-day clock (§1026.23)', 'Advertising trigger-term detection (§§1026.16, 1026.24)', 'ARM/HELOC disclosure gate', 'Credit-card change-in-terms clock'],
+        aiRelevance: 'LLMs cannot make ATR/QM creditworthiness determinations. Rescission notices require human review before delivery. Advertising copy with trigger terms must be accompanied by full required disclosure set.',
+        controlCount: 6,
+    },
+    {
+        id: 'ecoa',
+        name: 'ECOA / Regulation B (Equal Credit Opportunity Act)',
+        shortName: 'ECOA',
+        vertical: 'Fintech',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'ECOA (15 USC §1691, Regulation B 12 CFR Part 1002) full statutory framework. Absolutely blocks all Reg B prohibited bases from credit-decision LLMs. Requires specific adverse-action reasons and named-reviewer attribution. Companion to cfpb-2023-03 pack.',
+        keyRequirements: ['Prohibited-basis absolute block (race, color, religion, national origin, sex, marital status, age, public assistance, CCPA exercise)', 'Specific adverse-action reasons', 'Named-reviewer attribution', '25-month retention', 'Appraisal 3-day delivery'],
+        aiRelevance: 'No Reg B prohibited basis may reach any LLM in a credit-decision path. AI adverse-action notices must include specific top principal reasons; generic rationale ("automated decision") is non-compliant.',
+        controlCount: 10,
+    },
+    {
+        id: 'fcra',
+        name: 'Fair Credit Reporting Act',
+        shortName: 'FCRA',
+        vertical: 'Fintech',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'FCRA (15 USC §1681) LLM-egress policy. Requires declared permissible purpose (§604) before consumer report data reaches any LLM. Blocks cross-vendor consumer report egress without purpose chain. Enforces §615 adverse-action notice generation.',
+        keyRequirements: ['Permissible-purpose tag on all consumer-report LLM egress', 'Cross-vendor block without purpose chain', '§615 adverse-action notice with CRA identity', '§611 30-day dispute workflow', '§623 furnisher accuracy', '7-year retention'],
+        aiRelevance: 'Consumer report data cannot reach an LLM without a declared permissible purpose per §604. Any AI decision producing adverse action based on consumer report data triggers §615 notice requirements.',
+        controlCount: 10,
+    },
+    {
+        id: 'cmmc2',
+        name: 'CMMC 2.0 (Level 2)',
+        shortName: 'CMMC 2.0',
+        vertical: 'Defense',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'Cybersecurity Maturity Model Certification 2.0 Level 2 (32 CFR Part 170, effective Dec 2024) for DoD contractor AI systems handling CUI: 110 NIST SP 800-171 Rev 2 practices, MFA, FIPS 140 encryption, 72-hour DFARS incident reporting.',
+        keyRequirements: ['FIPS 140 encryption', 'MFA for CUI access', 'CUI classification', 'Audit trail', '72-hour DFARS incident reporting', 'FedRAMP Moderate CSP', 'System Security Plan', 'Configuration management'],
+        aiRelevance: 'DoD contractor AI systems processing CUI must achieve CMMC Level 2, enforce MFA, classify and flow-control CUI, and use FedRAMP-authorized AI-as-a-service providers.',
+        controlCount: 9,
+    },
+    // Education packs P4 (2026-04-24) -- UF Health vertical expansion
+    {
+        id: 'coppa',
+        name: 'COPPA (Children\'s Online Privacy Protection Act)',
+        shortName: 'COPPA',
+        vertical: 'Education',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'FTC Children\'s Online Privacy Protection Act (15 USC 6501-6506; 16 CFR Part 312) -- verifiable parental consent gate, persistent-identifier block before consent, 90-day child data retention limit, no-training-on-child-inputs attestation, and parental access/deletion rights for AI systems collecting data from under-13 users.',
+        keyRequirements: ['Verifiable parental consent gate', 'Persistent identifier block', '90-day child data retention', 'No training on child inputs', 'Parental access and deletion rights', 'COPPA vendor contract'],
+        aiRelevance: 'AI systems with actual knowledge they collect personal information from children under 13 must gate all processing on verifiable parental consent. Pediatric clinical AI (patient portals, health bots) and K-12 edtech outside the FERPA school-official exception are primary targets.',
+        controlCount: 8,
+    },
+    {
+        id: 'common-rule',
+        name: 'Common Rule (Human Subjects Research Protection)',
+        shortName: 'Common Rule',
+        vertical: 'Education',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'HHS Protection of Human Subjects (45 CFR Part 46; 2018 Revised Common Rule) -- IRB approval gate, informed consent verification, withdrawn-consent subject exclusion, Subpart D/C/B vulnerable population gates, Certificate of Confidentiality block (42 USC 241(d)), and Data Use Agreement enforcement for AI systems processing identifiable human subjects research data.',
+        keyRequirements: ['IRB approval gate', 'Informed consent verification', 'Withdrawn-consent exclusion', 'Subpart D dual-consent gate (children)', 'CoC block (42 USC 241(d))', 'DUA required before AI access', 'OHRP UPIRTSO reporting'],
+        aiRelevance: 'AI instruments used in NIH-funded or FWA-covered research on human subjects must be within the scope of an approved IRB protocol. Data from withdrawn-consent subjects is an absolute block. CoC prohibits disclosure in any legal proceeding.',
+        controlCount: 9,
+    },
+    {
+        id: 'title-ix',
+        name: 'Title IX (Sex Discrimination in Federally-Funded Education)',
+        shortName: 'Title IX',
+        vertical: 'Education',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'Title IX of the Education Amendments of 1972 (20 USC 1681-1688; 34 CFR Part 106) -- investigation record block, retaliation guard, Title IX Coordinator routing for sex discrimination complaints, admissions disparate-impact audit, pregnancy accommodation gate (2024 Rule), gender identity human-review escalation (2024 Rule litigation status uncertain Aug 2025), and 7-year AI-record retention.',
+        keyRequirements: ['Investigation record block', 'Retaliation guard (absolute)', 'Coordinator routing for complaints', 'Admissions disparate-impact audit', 'Pregnancy accommodation gate', 'Gender identity human review', '7-year record retention'],
+        aiRelevance: 'AI in admissions, student conduct investigations, athletics, and grievance procedures at federally-funded institutions must block autonomous investigation record processing, prevent retaliation against complainants, and route sex discrimination complaints to the Title IX Coordinator.',
+        controlCount: 8,
+    },
+    // X2 disaggregation (2026-04-24): nih-data-sharing.ts split into 4 packs
+    // per Thomas's one-country-one-regulation principle.
+    {
+        id: 'us-nih-dms',
+        name: 'NIH Data Management and Sharing Policy (2023)',
+        shortName: 'NIH DMS',
+        vertical: 'Education',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'NIH DMS Policy (NOT-OD-21-013, effective January 25, 2023). Applies to all NIH-funded research generating scientific data. DMSP scope enforcement, data sharing to maximum extent possible, no-training-on-research-data attestation.',
+        keyRequirements: ['DMSP scope gate', 'No training on NIH scientific data', 'Audit log with NIH award number', 'US data residency', 'DMSP documentation'],
+        aiRelevance: 'AI systems in NIH-funded research must operate within DMSP-approved scope. De-identification for avoidance is prohibited. Consent scope limits override sharing obligations.',
+        controlCount: 5,
+    },
+    {
+        id: 'us-nih-gds',
+        name: 'NIH Genomic Data Sharing Policy',
+        shortName: 'NIH GDS',
+        vertical: 'Education',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'NIH GDS Policy (NOT-OD-14-124, effective January 25, 2015). Requires controlled-access repository deposit (dbGaP), active DAC approval listing the AI system, no re-identifiable genomic data in public repositories.',
+        keyRequirements: ['DAC approval for controlled-access (dbGaP)', 'Active DUC required at all times', 'Re-identifiable genomic data blocked', 'DUA incorporating DUC terms', 'FISMA Moderate for controlled-access'],
+        aiRelevance: 'Controlled-access genomic data (dbGaP) requires an active Data Use Certificate listing the AI system and operator. Expired DAC approvals trigger immediate blocking.',
+        controlCount: 6,
+    },
+    {
+        id: 'us-nih-coc',
+        name: 'NIH Certificate of Confidentiality Policy',
+        shortName: 'NIH CoC',
+        vertical: 'Education',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'NIH Certificate of Confidentiality Policy (42 USC 241(d); NOT-OD-17-109, effective October 1, 2017). CoC prohibits disclosure of identifiable research data in any civil, criminal, administrative, or legislative proceeding. CoC governs the disclosure side; DMS governs the deposit side.',
+        keyRequirements: ['CoC block on identifiable research data', 'DUA CoC clause required', 'AI vendor CoC acknowledgment', 'Immediate escalation on CoC violation', 'Indefinite CoC record retention'],
+        aiRelevance: 'AI outputs that could constitute disclosure in a legal proceeding must be blocked. CoC protection attaches automatically to all NIH-funded sensitive research and survives study end.',
+        controlCount: 5,
+    },
+    {
+        id: 'us-nih-it-security',
+        name: 'NIH IT Security Policy (FISMA Moderate)',
+        shortName: 'NIH IT Sec',
+        vertical: 'Education',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'NIH IT Security Policy (NIH Manual Chapter 2800 series). FISMA Moderate baseline required for systems processing controlled-access NIH research data. Covers encryption, vendor security attestation, DUA security clauses, and 1-hour US-CERT major incident reporting.',
+        keyRequirements: ['FISMA Moderate / FedRAMP Moderate for vendors', 'FIPS 140-2 validated encryption', 'DUA security clause', 'NIST SP 800-53 AU audit controls', '1-hour US-CERT major incident reporting'],
+        aiRelevance: 'AI systems processing controlled-access NIH data must demonstrate FISMA Moderate or FedRAMP Moderate. FIPS 140-2 validated encryption required. Major incidents reported to US-CERT within 1 hour.',
+        controlCount: 5,
+    },
+    {
+        id: 'florida-student-privacy',
+        name: 'Florida Student Privacy (State Overlay)',
+        shortName: 'FL Student Privacy',
+        vertical: 'Education',
+        jurisdiction: 'US (Florida)',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'Florida state student privacy law overlay (Chapter 1002.22, Section 1002.222, HB 3/Section 1014, Section 1006.52, FIPA Section 501.171) -- behavioral profiling block, targeted advertising block, no data sale, parental notification gate, vendor listing check, and 30-day FIPA breach notification clock. Applies to AI operators serving Florida public K-12 students and UF P.K. Yonge Developmental Research School.',
+        keyRequirements: ['No behavioral profiling (non-educational)', 'No targeted advertising', 'No sale of student data', 'Parental notification gate (HB 3)', 'Vendor listing verification (Section 1006.52)', 'FIPA 30-day breach clock', 'Deletion on termination (30 days)'],
+        aiRelevance: 'Ed-tech AI operators serving Florida K-12 students must be listed in the district data governance inventory, never build behavioral profiles for non-educational purposes, and comply with FIPA\'s 30-day breach notification clock. UF P.K. Yonge creates direct operator liability.',
+        controlCount: 8,
+    },
+    {
+        id: 'us-fda-21cfr56',
+        name: 'FDA 21 CFR Part 56 (IRB Regulations)',
+        shortName: 'FDA 21 CFR 56',
+        vertical: 'Healthcare',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'FDA 21 CFR Part 56 IRB Regulations for FDA-regulated clinical investigations (drugs, biologics, devices under IND/IDE). Covers IRB composition (56.107 -- >= 5 members, scientific + nonscientific + unaffiliated), quorum (56.108(c) -- majority with nonscientific), conflict-of-interest recusal (56.107(e)), continuing review (56.109(f) -- annually), expedited review criteria (56.110), records retention (56.115(b) -- 3 years), meeting minutes (56.115(a)(2)), and prompt reporting (56.108(b) -- 24h for SAEs). Distinct FDA authority from 45 CFR 46 (Common Rule / OHRP). Both packs may run simultaneously for dual-covered research.',
+        keyRequirements: ['IRB >= 5 members (56.107(a))', 'Majority quorum + nonscientific (56.108(c))', 'COI recusal (56.107(e))', 'Continuing review <= 1 year (56.109(f))', 'Expedited review criteria (56.110)', '3-year records retention (56.115(b))', 'Meeting minutes with votes (56.115(a)(2))', 'Prompt SAE reporting 24h (56.108(b))'],
+        aiRelevance: 'AI tools used in FDA-regulated clinical investigations must be documented in the IRB-approved protocol. AI-generated outputs contributing to unanticipated problems must be reported promptly to FDA and the sponsor. IRB records including AI tool documentation retained >= 3 years.',
+        controlCount: 8,
+    },
+    {
+        id: 'uk-equality-act-ai-bias',
+        name: 'UK Equality Act 2010 + ICO-EHRC Joint AI Bias Guidance',
+        shortName: 'UK Equality AI Bias',
+        vertical: 'UK',
+        jurisdiction: 'GB',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'Equality Act 2010 AI-bias enforcement layer (GB: England, Scotland, Wales). Nine protected characteristics (ss.4-12). Indirect discrimination / disparate impact (s.19). Public Sector Equality Duty (s.149). ICO-EHRC joint guidance (2024): 80% (4/5ths) disparate-impact rule; mandatory EIA before public-sector AI deployment; T2 human review for high-bias-risk decisions; 7-year audit retention.',
+        keyRequirements: ['9 protected characteristics (ss.4-12)', 'Disparate-impact gate 80% rule (s.19)', 'EIA before public-sector deployment (s.149)', 'T2 human review for high-bias-risk decisions', 'BLOCKED on sub-80% disparate-impact ratio', 'ICO-EHRC joint guidance (2024) compliance', '7-year retention'],
+        aiRelevance: 'AI systems whose outputs affect persons in GB must scan for protected-characteristic proxies, enforce the 80% disparate-impact threshold, complete mandatory EIA before public-sector deployment, and route high-bias-risk decisions to T2 human review.',
+        controlCount: 17,
+    },
+    // ---- EU bloc descriptors (batched 2026-05-10) ----
+    {
+        id: 'de-bdsg',
+        name: 'German BDSG (Federal Data Protection Act)',
+        shortName: 'DE BDSG',
+        vertical: 'EU',
+        jurisdiction: 'DE',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) — national supplement to EU GDPR. Specific German overlays: video surveillance (s.4), employee data (s.26), credit-scoring (s.31), automated individual decisions (s.37), DPO appointment threshold (s.38, 20 persons or 9 in regular processing of sensitive data). BfDI (federal) + 16 Länder DPAs enforcement.',
+        keyRequirements: ['BDSG s.26 employee data special regime', 'DPO appointment threshold (s.38)', 'Credit-scoring restrictions (s.31)', 'Automated individual decisions (s.37)', 'BfDI + Länder DPA dual enforcement', 'Video surveillance (s.4)', 'Pairs with EU GDPR'],
+        aiRelevance: 'AI agents acting on German personal data must apply BDSG-specific overlays — particularly s.26 employee data, s.31 credit-scoring restrictions, and s.37 automated decisions. Pairs with EU GDPR pack.',
+        controlCount: 7,
+    },
+    {
+        id: 'eu-cra',
+        name: 'EU Cyber Resilience Act (Regulation (EU) 2024/2847)',
+        shortName: 'EU CRA',
+        vertical: 'EU',
+        jurisdiction: 'EU',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'EU Cyber Resilience Act 2024/2847 — horizontal cybersecurity requirements for products with digital elements placed on the EU market. Manufacturer obligations: secure-by-design + by-default; vulnerability handling for product lifetime; mandatory CE marking; conformity assessment per criticality class. 24-hour ENISA + national CSIRT notification of actively-exploited vulnerabilities. Penalties up to 2.5% global turnover.',
+        keyRequirements: ['Secure-by-design + by-default', 'Vulnerability handling for product lifetime', 'CE marking conformity', 'Critical / important product class', '24-hour ENISA + CSIRT notification (actively exploited)', 'Up to 2.5% global turnover penalty', 'Pairs with NIS2'],
+        aiRelevance: 'AI agents shipped as products with digital elements into the EU market must surface CRA-aligned secure-by-design evidence, route actively-exploited vulnerabilities into the 24-hour ENISA + CSIRT clock, and produce CE-marking conformity evidence. Pairs with EU AI Act for AI-specific overlays.',
+        controlCount: 7,
+    },
+    {
+        id: 'eu-data-act',
+        name: 'EU Data Act (Regulation (EU) 2023/2854)',
+        shortName: 'EU Data Act',
+        vertical: 'EU',
+        jurisdiction: 'EU',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'EU Data Act 2023/2854 (in force from 12 Sep 2025) — data-access + portability rules for IoT + connected products + cloud services. Right of users to access raw and pre-processed data they generate; sharing with third parties; cloud-switching obligations (notice + cooperation + interoperability); B2G data sharing in exceptional circumstances; international transfer + access protection.',
+        keyRequirements: ['IoT user data-access right', 'Third-party data sharing on user request', 'Cloud-switching notice + cooperation', 'Cloud-switching interoperability', 'B2G data sharing (exceptional)', 'International data transfer protection', 'Pairs with EU GDPR + EU DGA'],
+        aiRelevance: 'AI agents inside IoT or connected-product workflows must surface user-data-access endpoints, support third-party sharing on user request, and implement cloud-switching cooperation when the AI is a cloud service. Pairs with EU GDPR.',
+        controlCount: 7,
+    },
+    {
+        id: 'eu-dma',
+        name: 'EU Digital Markets Act (Regulation (EU) 2022/1925)',
+        shortName: 'EU DMA',
+        vertical: 'EU',
+        jurisdiction: 'EU',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'EU Digital Markets Act 2022/1925 — gatekeeper obligations for designated core platform services. Self-preferencing prohibition; interoperability requirements; data-portability; restrictions on bundling + tying; sideloading + alternative app stores; advertising transparency. Up to 10% global turnover penalty (20% repeat).',
+        keyRequirements: ['Self-preferencing prohibition', 'Interoperability obligations', 'Data portability for users', 'No bundling / tying restrictions', 'Sideloading + alternative app stores', 'Advertising transparency', 'Up to 10-20% global turnover penalty'],
+        aiRelevance: 'AI agents operating gatekeeper-designated core platform services in the EU must surface DMA-aligned interoperability + data-portability + advertising-transparency evidence. Self-preferencing prohibition applies to AI ranking + recommendation outputs.',
+        controlCount: 7,
+    },
+    {
+        id: 'eu-dsa',
+        name: 'EU Digital Services Act (Regulation (EU) 2022/2065)',
+        shortName: 'EU DSA',
+        vertical: 'EU',
+        jurisdiction: 'EU',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'EU Digital Services Act 2022/2065 — intermediary, hosting, online platform, and VLOP/VLOSE obligations for content moderation. Notice-and-action mechanism; trusted flaggers; transparency reporting (s.15 + s.42); recommender-system explainability; targeted advertising restrictions (no minors, no special-category data); risk assessment + mitigation for VLOPs/VLOSEs; independent audits. Up to 6% global turnover penalty.',
+        keyRequirements: ['Notice-and-action mechanism', 'Trusted flagger framework', 'Transparency reporting (s.15 + s.42)', 'Recommender-system explainability', 'Targeted advertising restrictions', 'VLOP/VLOSE risk assessment + mitigation', 'Independent audits + Up to 6% turnover penalty'],
+        aiRelevance: 'AI agents that recommend, rank, or moderate content for EU users must surface DSA-aligned recommender explainability, route content actions into the notice-and-action mechanism, and produce transparency reports. VLOP/VLOSE designation triggers risk assessment + audit obligations. Pairs with uk-online-safety-act for cross-jurisdictional overlap.',
+        controlCount: 7,
+    },
+    {
+        id: 'eu-lpp',
+        name: 'EU Legal Professional Privilege (Akzo Nobel Standard)',
+        shortName: 'EU LPP',
+        vertical: 'EU',
+        jurisdiction: 'EU',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'EU Legal Professional Privilege per Akzo Nobel v Commission (C-550/07 P) — protection limited to communications with independent EU-qualified outside counsel for the purpose of providing legal advice in defence of the client. Excludes in-house counsel + non-EEA-qualified lawyers. Covers EC investigations + EU competition + EU-administered enforcement. Distinct from US attorney-client privilege and from broader UK / UK-jurisdiction LPP.',
+        keyRequirements: ['Outside-counsel-only privilege scope', 'EU-qualified counsel requirement (Akzo Nobel)', 'Communications-with-counsel scope', 'Excludes in-house communications', 'EC investigation + EU competition application', 'Distinct from UK + US privilege', 'Documentation chain-of-custody'],
+        aiRelevance: 'AI agents handling legal communications subject to EU competition or EC investigation contexts must apply Akzo-Nobel-standard privilege boundaries — only outside-counsel-with-EU-qualification communications get the privilege gate. In-house communications do not. Pairs with aba (US MRPC) and uk-equivalent privilege packs.',
+        controlCount: 7,
+    },
+    {
+        id: 'eu-mdr-ivdr',
+        name: 'EU MDR + IVDR (Medical Device Regulations)',
+        shortName: 'EU MDR/IVDR',
+        vertical: 'EU',
+        jurisdiction: 'EU',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'EU Medical Device Regulation 2017/745 (MDR) + In-Vitro Diagnostic Regulation 2017/746 (IVDR). Risk-classification (I / IIa / IIb / III for MDR; A / B / C / D for IVDR); CE marking via Notified Body conformity assessment; clinical evaluation evidence; UDI (Unique Device Identifier); EUDAMED registration; vigilance + post-market surveillance + Periodic Safety Update Report (PSUR); Authorised Representative for non-EU manufacturers. Distinct from MHRA UK SaMD/UKCA pack (post-Brexit divergence).',
+        keyRequirements: ['Risk classification (MDR I-III, IVDR A-D)', 'CE marking via Notified Body', 'Clinical evaluation evidence', 'UDI + EUDAMED registration', 'PSUR + post-market surveillance', 'Authorised Representative (non-EU manufacturers)', 'Distinct from MHRA UK SaMD/UKCA'],
+        aiRelevance: 'AI agents acting as Software as a Medical Device in the EU market must declare MDR/IVDR risk class, surface CE marking + Notified Body conformity, register in EUDAMED, and route adverse events through the vigilance system. Distinct from MHRA UK SaMD/UKCA — post-Brexit jurisdictions diverge.',
+        controlCount: 7,
+    },
+    {
+        id: 'nis2',
+        name: 'EU NIS2 Directive (Directive 2022/2555)',
+        shortName: 'EU NIS2',
+        vertical: 'EU',
+        jurisdiction: 'EU',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'EU NIS2 Directive 2022/2555 — significantly expanded cybersecurity duty across 18 sectors (essential + important entities). Risk management measures (Art 21); incident reporting 24-hour early-warning + 72-hour intermediate + 1-month final (Art 23); cooperation with CSIRT + competent authority (Art 24-25); supply-chain security; management body responsibility (Art 20); criminal penalty backstop. Distinct from UK NIS Regulations 2018 (separate pack).',
+        keyRequirements: ['18 sectors (essential + important)', 'Risk management measures (Art 21)', '24h early warning + 72h intermediate + 1mo final reporting', 'Cooperation with CSIRT + competent authority', 'Supply-chain security obligations', 'Management body responsibility (Art 20)', 'Distinct from UK NIS Regulations'],
+        aiRelevance: 'AI agents inside an essential or important entity boundary must run risk-management measures under Art 21, route incidents into the 24h/72h/1mo reporting cadence, and surface supply-chain security evidence. Stricter and broader than the UK NIS pack.',
+        controlCount: 7,
+    },
+    // ---- UK additional sector packs ----
+    {
+        id: 'cma-ai-foundation-models',
+        name: 'UK CMA AI Foundation Models + DMCC Act 2024',
+        shortName: 'UK CMA AI Foundation',
+        vertical: 'UK',
+        jurisdiction: 'GB',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'UK Competition and Markets Authority AI Foundation Models initial review (2023) + Update Paper (2024) + Digital Markets, Competition and Consumers Act 2024 (DMCC). Six guiding principles: accountability, access, diversity, choice, flexibility, fair-dealing. CMA SMS designation regime under DMCC for digital activities; Conduct Requirements; Pro-Competition Interventions. Particular focus on FM market concentration, vertical integration risks (compute / data / talent / infrastructure).',
+        keyRequirements: ['Six CMA principles (accountability / access / diversity / choice / flexibility / fair-dealing)', 'DMCC SMS designation surface', 'DMCC Conduct Requirements', 'Pro-Competition Interventions', 'Foundation-model vertical integration disclosure', 'Compute + data + talent concentration evidence', 'Pairs with uk-ai-framework + EU DMA'],
+        aiRelevance: 'AI agents built on or marketed as foundation models in the UK market must surface CMA-principle-aligned evidence, disclose vertical-integration posture, and (where SMS-designated under DMCC) comply with Conduct Requirements. Pairs with uk-ai-framework (DSIT principles overlap) and EU DMA (gatekeeper overlay).',
+        controlCount: 7,
+    },
+    {
+        id: 'fca-consumer-duty',
+        name: 'FCA Consumer Duty (PS22/9)',
+        shortName: 'FCA Consumer Duty',
+        vertical: 'UK',
+        jurisdiction: 'GB',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'UK FCA Consumer Duty (Policy Statement PS22/9, in force July 2023 for new + open products, July 2024 for closed products). Higher and clearer standard of consumer protection. Cross-cutting rules: act in good faith, avoid foreseeable harm, enable customers to pursue financial objectives. Four outcomes: products + services; price + value; consumer understanding; consumer support. Senior Manager + Certification Regime accountability.',
+        keyRequirements: ['Cross-cutting good faith rule', 'Foreseeable harm avoidance', 'Products + services outcome', 'Price + value outcome', 'Consumer understanding outcome', 'Consumer support outcome', 'SMCR accountability tagging'],
+        aiRelevance: 'AI agents operating in UK consumer financial services must surface Consumer Duty evidence on every customer-facing decision: foreseeable-harm test, price + value justification, comprehension support, and named-SMF accountability. Pairs with FCA Op Resilience (PS21/3) and uk-gdpr.',
+        controlCount: 7,
+    },
+    {
+        id: 'fca-op-resilience',
+        name: 'FCA Operational Resilience (PS21/3)',
+        shortName: 'FCA Op Resilience',
+        vertical: 'UK',
+        jurisdiction: 'GB',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'UK FCA Operational Resilience (Policy Statement PS21/3, end of 3-year transition March 2025). Important Business Services identification; impact tolerance setting (max disruption); mapping (resources, dependencies, suppliers); scenario testing; lessons learned. Joint with PRA SS1/21 + BoE for dual-regulated firms. Material outsourcing per FG16/5 + IRRBB + cloud-specific guidance.',
+        keyRequirements: ['Important Business Services identification', 'Impact tolerance setting (max disruption)', 'Mapping resources + dependencies + suppliers', 'Scenario testing', 'Lessons-learned cycle', 'Material outsourcing FG16/5 alignment', 'Pairs with PRA SS1/21 + BoE for dual-regulated'],
+        aiRelevance: 'AI agents inside a UK financial services Important Business Service boundary must contribute to mapping (as a resource + supplier dependency), participate in scenario testing, and surface impact-tolerance evidence. Particularly relevant where AI is the dependency for the IBS.',
+        controlCount: 7,
+    },
+    // ---- US state AI laws ----
+    {
+        id: 'california-ab2930',
+        name: 'California AB 2930 Automated Decision Tool Act',
+        shortName: 'CA AB 2930',
+        vertical: 'US',
+        jurisdiction: 'US-CA',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'California AB 2930 (Automated Decision Tool Act) — restricts deployers + developers from using ADTs that contribute to algorithmic discrimination in consequential decisions (employment, education, housing, essential goods + services, healthcare, financial services, criminal justice, legal services, voting, reproductive services). Pre-deployment + annual impact assessments; notice to subjects; right to opt-out + alternative selection process; CRD enforcement.',
+        keyRequirements: ['ADT scope: consequential decisions', 'Pre-deployment impact assessment', 'Annual impact assessment', 'Subject notice', 'Opt-out + alternative selection process', 'CRD enforcement surface', 'Bias audit substrate'],
+        aiRelevance: 'AI agents operating as ADTs in California must complete pre-deployment + annual impact assessments, surface subject notice, and route opt-out requests to a human alternative. Pairs with NYC Local Law 144 (NYC AEDT) and Colorado AI Act for state-overlay AI obligations.',
+        controlCount: 7,
+    },
+    {
+        id: 'illinois-aivia',
+        name: 'Illinois AI Video Interview Act (AIVIA)',
+        shortName: 'IL AIVIA',
+        vertical: 'US',
+        jurisdiction: 'US-IL',
+        status: 'ACTIVE',
+        priority: 'P2',
+        description: 'Illinois AI Video Interview Act (820 ILCS 42/) — employer obligations when using AI to analyse video interviews. Notice-before-use, explanation of how AI works + characteristics evaluated, candidate consent, demographic data reporting (race/ethnicity for race-significant decisions), 30-day deletion of video on candidate request. Goes beyond GDPR-shape consent in the AI-specific notice + explanation requirements.',
+        keyRequirements: ['Notice before AI use in interview', 'Explanation of AI characteristics + workings', 'Candidate consent', 'Demographic data reporting (where AI race-significant)', '30-day deletion on candidate request', 'Distinct from EEOC general bias enforcement', 'Pairs with NYC LL 144'],
+        aiRelevance: 'AI agents analysing video interviews of Illinois candidates must surface notice + explanation, route consent through the audit chain, and delete video on candidate request inside 30 days. Pairs with NYC Local Law 144 (NYC AEDT).',
+        controlCount: 7,
+    },
+    {
+        id: 'maryland-hb1202',
+        name: 'Maryland HB 1202 Facial Recognition Employment Act',
+        shortName: 'MD HB 1202',
+        vertical: 'US',
+        jurisdiction: 'US-MD',
+        status: 'ACTIVE',
+        priority: 'P2',
+        description: 'Maryland HB 1202 — facial recognition in employment. Prohibits employers from using facial recognition technology during pre-hire interviews unless the candidate consents in writing. Distinct from BIPA (Illinois biometric); distinct from facial-recognition-in-public-space restrictions.',
+        keyRequirements: ['Facial recognition in pre-hire prohibition (default)', 'Written candidate consent exception', 'Recordkeeping of consent', 'Distinct from BIPA Illinois', 'Distinct from public-space facial-recognition restrictions', 'Maryland AG enforcement', 'Pre-hire-only scope'],
+        aiRelevance: 'AI agents using facial recognition in Maryland pre-hire workflows must obtain + retain written candidate consent before each interview. Default-deny posture pre-consent. Pairs with bipa pack for biometric-data overlay.',
+        controlCount: 7,
+    },
+    {
+        id: 'tennessee-elvis',
+        name: 'Tennessee ELVIS Act (TCA §47-25-1101)',
+        shortName: 'TN ELVIS',
+        vertical: 'US',
+        jurisdiction: 'US-TN',
+        status: 'ACTIVE',
+        priority: 'P2',
+        description: 'Tennessee Ensuring Likeness Voice and Image Security (ELVIS) Act — first US state law explicitly protecting voice + likeness from unauthorised AI replication. Civil + criminal liability for distributing unauthorised AI-generated voice or likeness. Particularly aimed at music industry but applies broadly. Distinct private right of action.',
+        keyRequirements: ['Voice + likeness protection from AI replication', 'Civil liability for unauthorised distribution', 'Criminal liability', 'Private right of action', 'Distinct from federal right of publicity', 'Music industry focus + general applicability', 'AI-specific scope'],
+        aiRelevance: 'AI agents generating voice + likeness output that touches Tennessee jurisdiction (resident, performance) must surface ELVIS-aligned consent evidence, default-deny on unverified likeness use. Particularly relevant for voice-clone + image-generation models.',
+        controlCount: 7,
+    },
+    {
+        id: 'texas-hb4',
+        name: 'Texas TDPSA (HB 4 — Data Privacy and Security Act)',
+        shortName: 'TX TDPSA',
+        vertical: 'US',
+        jurisdiction: 'US-TX',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'Texas Data Privacy and Security Act (HB 4, in force July 2024) — Texas comprehensive privacy law. Controller obligations: data inventory, consumer rights (access / deletion / portability / opt-out for sale + targeted advertising / appeal), DPIAs for high-risk processing, sensitive-data category, data-broker registration. AG-enforced; 30-day cure period for non-recurring violations.',
+        keyRequirements: ['Consumer rights (access / deletion / portability / opt-out / appeal)', 'DPIA for high-risk processing', 'Sensitive-data special category', 'Data-broker registration', 'Privacy notice content', 'AG enforcement + 30-day cure', 'Distinct from CCPA + CDPA'],
+        aiRelevance: 'AI agents acting on Texas-resident personal data must surface TDPSA-aligned consumer rights endpoints, run DPIAs on high-risk AI processing, and route data-broker activity through the registration surface. Stronger than CCPA in some areas; weaker in others.',
+        controlCount: 7,
+    },
+    {
+        id: 'utah-ai-policy',
+        name: 'Utah AI Policy Act (SB 149, 2024)',
+        shortName: 'UT AI Policy',
+        vertical: 'US',
+        jurisdiction: 'US-UT',
+        status: 'ACTIVE',
+        priority: 'P2',
+        description: 'Utah Artificial Intelligence Policy Act (SB 149, 2024) — first US state law specifically requiring disclosure of AI use in regulated occupations + consumer interactions. Healthcare provider AI-use disclosure on patient request; consumer-facing AI-use disclosure on consumer request; UCPA (consumer protection) liability for failure-to-disclose. Office of AI Policy oversight + Utah AI Learning Laboratory regulatory mitigation pathway.',
+        keyRequirements: ['Healthcare AI-use disclosure on patient request', 'Consumer-facing AI-use disclosure on request', 'UCPA failure-to-disclose liability', 'Office of AI Policy oversight surface', 'Utah AI Learning Laboratory pathway', 'Distinct from other state AI laws', 'Disclosure-by-default posture'],
+        aiRelevance: 'AI agents interacting with Utah consumers (especially in regulated occupations + healthcare) must surface use-disclosure on request. Failure-to-disclose creates UCPA liability. Pairs with the Office of AI Policy + Learning Laboratory mitigation pathway for novel use cases.',
+        controlCount: 7,
+    },
+    // ---- Aerospace pack (DO-178C avionics software life cycle) ----
+    {
+        id: 'do-178c',
+        name: 'RTCA DO-178C / EUROCAE ED-12C — Software Considerations in Airborne Systems',
+        shortName: 'DO-178C',
+        vertical: 'Aerospace',
+        jurisdiction: 'International',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'RTCA DO-178C / EUROCAE ED-12C — the mandatory software life-cycle standard for civil avionics certification. Accepted means of compliance under FAA 14 CFR §21.31, EASA CS-25.1309, Transport Canada AWM 525, ANAC RBHA, and CASA CASR Part 21. Software-Level (A through E) failure-condition categories from catastrophic (Level A) to no-effect (Level E) drive process intensity. Pairs with DO-330 (tool qualification), DO-331 (model-based dev), DO-332 (object-oriented), DO-333 (formal methods), DO-326A (airworthiness security), SAE ARP4754A (system development), SAE ARP4761 (safety assessment).',
+        keyRequirements: ['Software level (A/B/C/D/E) assignment from system safety assessment', 'PSAC + SDP + SVP plans active per level', 'MC/DC coverage for Level A (100%); decision coverage for Level B', 'DO-330 tool qualification (TQL-1 to TQL-5) tracking', 'Configuration management + Software Quality Assurance (SQA)', 'Conformity review sign-off + Software Accomplishment Summary (SAS)', 'Problem Reports (PRs) feeding anomaly detection + DER review for Level A/B'],
+        aiRelevance: 'AI agents involved in avionics software development must respect the software level of each artifact they touch. Level A unverified changes trigger immediate escalation. MC/DC coverage shortfall on Level A code requires DER + SQA review. Tool-qualification level (TQL) tracking required when AI tools generate or verify code that contributes to the certification basis (DO-330). Pairs with FDA SaMD packs for life-critical software lineage.',
+        controlCount: 15,
+    },
+    // ---- US sector packs (healthcare + finance) ----
+    {
+        id: 'cms-interoperability',
+        name: 'CMS Interoperability and Patient Access (CMS-9115-F)',
+        shortName: 'CMS Interop',
+        vertical: 'Healthcare',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'CMS Interoperability and Patient Access Final Rule (CMS-9115-F, 2020 + subsequent updates). Patient Access API + Provider Directory API + Payer-to-Payer Data Exchange + Improving the Electronic Exchange of Healthcare Data (CMS-0057-F). FHIR R4 + USCDI standards mandatory; Da Vinci Project payer reference implementations. Applies to Medicare Advantage, state Medicaid, CHIP, QHP issuers on FFEs.',
+        keyRequirements: ['Patient Access API (FHIR R4 + USCDI)', 'Provider Directory API', 'Payer-to-Payer Data Exchange', 'CMS-0057-F prior authorisation API', 'USCDI alignment', 'Da Vinci Project IGs', 'CMS enforcement surface'],
+        aiRelevance: 'AI agents in US payer-side healthcare must surface FHIR-R4 + USCDI-aligned data exchange, support Patient Access API + Provider Directory API endpoints, and (post CMS-0057-F) the prior authorisation API. Pairs with hipaa + hitech for the underlying privacy + security baseline.',
+        controlCount: 7,
+    },
+    {
+        id: 'finra-3110',
+        name: 'FINRA Broker-Dealer Supervision and Records',
+        shortName: 'FINRA 3110',
+        vertical: 'Fintech',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'FINRA Rule 3110 (Supervision) + 3120 (Supervisory Control) + 4510-series (Books and Records). Written supervisory procedures (WSPs); designated supervisors; review of business-related communications + transactions; risk-based supervision systems. AI overlay: automated communication review + automated transaction surveillance must be designed + tested + monitored under the WSPs. Pairs with SEC 17a-4 records retention + SR 11-7 model risk.',
+        keyRequirements: ['Written Supervisory Procedures (WSPs)', 'Designated supervisor identification', 'Business communications review', 'Transaction review (risk-based)', '4510 books + records compliance', 'AI surveillance model design + test + monitor', 'Pairs with SEC 17a-4 + SR 11-7'],
+        aiRelevance: 'AI agents performing supervisory functions in a US broker-dealer must be documented in the WSPs as the supervisory mechanism, retain evidence of review + design + test + monitor, and route exceptions to a designated supervisor. Pairs with sox-404 + soc-1 for control-environment alignment.',
+        controlCount: 7,
+    },
+    {
+        id: 'iso20022',
+        name: 'ISO 20022 Financial Messaging Standard',
+        shortName: 'ISO 20022',
+        vertical: 'Fintech',
+        jurisdiction: 'Global',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'ISO 20022 — global financial messaging standard adopted by SWIFT, Fedwire, CHIPS, TARGET2, CHAPS, and most modern payment rails. Structured + machine-readable XML/JSON message data. Mandatory migration deadlines (SWIFT cross-border end of co-existence Nov 2025). Improves anti-fraud + compliance signal density vs legacy MT formats.',
+        keyRequirements: ['ISO 20022 message schema conformance', 'Structured remittance information', 'BIC + LEI population', 'Sanctions + AML signal field population', 'Migration from legacy MT', 'Pairs with bsa-aml + au-aml-ctf', 'SWIFT + Fedwire + CHIPS + TARGET2 alignment'],
+        aiRelevance: 'AI agents generating or processing payment messages must produce ISO-20022-conformant structured fields, populate sanctions + AML signal fields, and align with the active payment-rail schedule. Pairs with bsa-aml for sanctions screening overlay.',
+        controlCount: 7,
+    },
+    {
+        id: 'reg-e',
+        name: 'Regulation E / Electronic Fund Transfer Act (EFTA)',
+        shortName: 'Reg E / EFTA',
+        vertical: 'Fintech',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'Federal Reserve Regulation E implementing the Electronic Fund Transfer Act (EFTA, 15 USC §1693). Consumer protections for electronic fund transfers — including ACH, debit card, ATM, prepaid card. Error resolution procedures (10-business-day investigation; 45 days extended); unauthorised-transfer liability limits ($50 if reported within 2 business days; $500 within 60; unlimited after); receipt + periodic statement requirements. CFPB + Fed enforcement.',
+        keyRequirements: ['Error resolution 10-business-day investigation', 'Provisional credit during extended investigation', 'Unauthorised-transfer liability tiers ($50 / $500 / unlimited)', 'Receipt + periodic statement', 'Recurring transfer authorisation', 'Pairs with fcra + cfpb-2023-03', 'CFPB + Fed enforcement'],
+        aiRelevance: 'AI agents handling consumer EFT disputes in US financial services must route into the Reg E error-resolution clock, surface liability-tier evidence, and produce receipt + statement compliance. Pairs with fcra (consumer report data) and cfpb-2023-03 (consumer-finance enforcement).',
+        controlCount: 7,
+    },
+    // ---- Security frameworks ----
+    {
+        id: 'hitrust-csf',
+        name: 'HITRUST Common Security Framework (CSF) v11',
+        shortName: 'HITRUST CSF',
+        vertical: 'Healthcare',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'HITRUST CSF v11 (2023) — comprehensive security + privacy framework that harmonises HIPAA + HITECH + 21 CFR Part 11 + COBIT + NIST 800-53 + ISO 27001 + state breach laws into one assessable control set. e1 / i1 / r2 assessment levels. Particularly common in US healthcare + healthcare payer + healthcare ISV contexts; HITRUST certification often required by hospitals + payers.',
+        keyRequirements: ['e1 (essentials) assessment', 'i1 (implemented) assessment', 'r2 (risk-based, 2-year) assessment', 'Harmonises HIPAA + HITECH + NIST 800-53 + ISO 27001', 'Annual or 2-year recertification cadence', 'External assessor requirement', 'HITRUST AI assurance program'],
+        aiRelevance: 'AI agents operating in US healthcare + payer environments often need HITRUST CSF certification at e1 / i1 / r2 levels — HITRUST harmonises the underlying frameworks the agent already implements. AI assurance program covers AI-specific controls.',
+        controlCount: 7,
+    },
+    {
+        id: 'iso27701',
+        name: 'ISO/IEC 27701:2019 Privacy Information Management System (PIMS)',
+        shortName: 'ISO 27701',
+        vertical: 'Cross-Industry',
+        jurisdiction: 'Global',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'ISO/IEC 27701:2019 — privacy extension of ISO/IEC 27001 ISMS. PIMS (Privacy Information Management System) covering controller + processor responsibilities, mapped to GDPR + similar frameworks. Annex A (controller) + Annex B (processor) controls. Enables a single certifiable PIMS instead of separate GDPR / CCPA / etc. compliance evidence packs.',
+        keyRequirements: ['Extension of ISO 27001 ISMS', 'PIMS scope definition', 'Controller responsibilities (Annex A)', 'Processor responsibilities (Annex B)', 'GDPR + similar framework mapping', 'External certification surface', 'Annual surveillance audits'],
+        aiRelevance: 'AI agents inside an organisation pursuing privacy certification benefit from ISO 27701 PIMS substrate — single certifiable framework that maps to GDPR / UK GDPR / CCPA / LGPD / etc. Pairs with iso27001 (parent ISMS).',
+        controlCount: 7,
+    },
+    {
+        id: 'nist-800-53',
+        name: 'NIST SP 800-53 Rev. 5 — Security and Privacy Controls',
+        shortName: 'NIST 800-53',
+        vertical: 'Cross-Industry',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'NIST SP 800-53 Rev. 5 (2020 + Errata 2023) — comprehensive security + privacy controls catalog for federal information systems and organisations. 20 control families covering AC / AT / AU / CA / CM / CP / IA / IR / MA / MP / PE / PL / PM / PS / PT / RA / SA / SC / SI / SR. Foundational reference for FedRAMP + CMMC + StateRAMP + sector-specific overlays. Also widely used in private sector as a reference baseline.',
+        keyRequirements: ['20 control families (AC through SR)', 'Control baseline selection (low / mod / high / privacy)', 'Tailoring + supplementation', 'Control parameter values', 'Foundational reference for FedRAMP + CMMC', 'OSCAL machine-readable representation', 'Continuous monitoring strategy'],
+        aiRelevance: 'AI agents in federal + cleared environments must align with the selected NIST 800-53 baseline. AI-specific overlays (NIST AI RMF) reference back to 800-53 controls for technical implementation. Foundational reference for the security stack.',
+        controlCount: 7,
+    },
+    {
+        id: 'nist-csf',
+        name: 'NIST Cybersecurity Framework 2.0',
+        shortName: 'NIST CSF 2.0',
+        vertical: 'Cross-Industry',
+        jurisdiction: 'US',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'NIST Cybersecurity Framework 2.0 (Feb 2024). Six functions: Govern (NEW in 2.0), Identify, Protect, Detect, Respond, Recover. Outcome-driven; not prescriptive controls. Tier-based maturity (1-4); profile-based gap assessment. CSF 2.0 added the Govern function explicitly to address supply chain + AI + governance maturity. Widely referenced by NIS2 + UK CAF + sector regulators.',
+        keyRequirements: ['Govern function (NEW in 2.0)', 'Identify function', 'Protect function', 'Detect function', 'Respond function', 'Recover function', 'Tier-based maturity + profile-based gap assessment'],
+        aiRelevance: 'AI agents inside an organisation following NIST CSF 2.0 must surface evidence against each of the six functions, particularly the new Govern function which explicitly covers AI + supply chain. Pairs with nist-ai-rmf for AI-specific overlay and ncsc-caf for the UK equivalent.',
+        controlCount: 7,
+    },
+    // ---- Devolved-nations + remaining UK pack descriptors (batch) ----
+    // All pack files exist; descriptor was missing for each. Same Step 1-9
+    // pattern as Wave 1/2/3 closures. UK / Scotland / Wales / Northern
+    // Ireland devolved overlays + foundational uk-gdpr + uk-equality-act.
+    {
+        id: 'uk-gdpr',
+        name: 'UK GDPR + Data Protection Act 2018',
+        shortName: 'UK GDPR',
+        vertical: 'UK',
+        jurisdiction: 'GB',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'UK GDPR + Data Protection Act 2018 baseline — lawful basis under Art 6, special-category data Art 9, Right of Access (Art 15) + Erasure (Art 17), DPIAs for high-risk processing (Art 35), 72-hour ICO breach notification, cross-border transfer safeguards (Schrems II + UK adequacy decisions). Foundational pack referenced by uk-ico-open-case (legal-hold posture) and every UK-vertical pack that touches personal data.',
+        keyRequirements: ['Lawful basis (Art 6) + special-category (Art 9)', 'Data subject rights (Art 15-22)', 'DPIA for high-risk processing (Art 35)', '72-hour ICO breach notification', 'Cross-border transfer safeguards', 'Lawful purpose + minimum-necessary at ingress', 'DPA 2018 Part 2 + 3 + 4 overlay'],
+        aiRelevance: 'AI agents processing UK-resident personal data must surface lawful basis at ingress, run a DPIA when the activity is high-risk, and route subject access + erasure requests through the audit chain. Pairs with uk-ico-open-case during open enforcement.',
+        controlCount: 7,
+    },
+    {
+        id: 'uk-equality-act',
+        name: 'UK Equality Act 2010 + Public Sector Equality Duty',
+        shortName: 'UK Equality Act',
+        vertical: 'UK',
+        jurisdiction: 'GB',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'UK Equality Act 2010 broad statute pack covering the 9 protected characteristics (ss.4-12), direct + indirect discrimination, harassment, victimisation, reasonable adjustments duty, and the Public Sector Equality Duty (s.149). Distinct from the AI-specific bias overlay pack (uk-equality-act-ai-bias) — this is the underlying statute pack.',
+        keyRequirements: ['9 protected characteristics (ss.4-12)', 'Direct + indirect discrimination prohibition', 'Harassment + victimisation prohibition', 'Reasonable adjustments duty', 'Public Sector Equality Duty (s.149)', 'EHRC enforcement surface', 'Substrate for uk-equality-act-ai-bias'],
+        aiRelevance: 'AI agents whose decisions affect persons in GB must classify protected-characteristic data, route reasonable-adjustments requests to a named reviewer, and surface PSED evidence for public-sector deployments. The AI-specific 80%-rule + EIA gates live in the uk-equality-act-ai-bias overlay pack.',
+        controlCount: 7,
+    },
+    {
+        id: 'ncsc-caf',
+        name: 'NCSC Cyber Assessment Framework (CAF)',
+        shortName: 'NCSC CAF',
+        vertical: 'UK',
+        jurisdiction: 'GB',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'NCSC Cyber Assessment Framework — outcome-focused security assessment used by UK competent authorities to evaluate Operators of Essential Services (OES) under UK NIS Regulations and increasingly by central government for high-impact systems. Four objectives (A: managing security risk; B: protecting against cyber attack; C: detecting cyber security events; D: minimising the impact of cyber security incidents); 14 principles; per-IGP indicators of good practice. Pairs with uk-nis-regs (statutory duty) and cyber-essentials (lighter SME baseline).',
+        keyRequirements: ['CAF Objective A — managing security risk', 'CAF Objective B — protecting against cyber attack', 'CAF Objective C — detecting cyber security events', 'CAF Objective D — minimising impact', '14 principles + per-IGP indicators', 'Competent-authority assessment surface', 'Pairs with uk-nis-regs + cyber-essentials'],
+        aiRelevance: 'AI agents inside an OES boundary must surface CAF principle-level evidence, route detected security events into the Objective C indicator surface, and produce competent-authority-ready CAF roll-up reports. Higher-tier counterpart to cyber-essentials.',
+        controlCount: 7,
+    },
+    {
+        id: 'nhs-psirf',
+        name: 'NHS Patient Safety Incident Response Framework (PSIRF)',
+        shortName: 'NHS PSIRF',
+        vertical: 'UK',
+        jurisdiction: 'GB',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'NHS England Patient Safety Incident Response Framework (replacing Serious Incident Framework 2015 from autumn 2023). Proportionate response; oversight via PSIRF Patient Safety Partner role; learning-response toolkit (After Action Review, Multidisciplinary Team Review, SWARM huddles, Patient Safety Incident Investigation). AI-overlay: AI-assisted clinical decisions in the incident path are subject to the same response standard. Pairs with nhs-clinical-safety (DCB0129/0160) and MHRA Yellow Card / FSN.',
+        keyRequirements: ['Proportionate response selection (PSIRF toolkit)', 'Patient Safety Partner involvement', 'Learning-response over root-cause-only investigation', 'PSII for highest-severity incidents', 'AI-assisted decision attribution in incident timeline', 'Pairs with nhs-clinical-safety + MHRA Yellow Card', 'NHS England oversight surface'],
+        aiRelevance: 'AI agents contributing to clinical decisions in NHS settings must register in the PSIRF incident timeline, attribute the AI portion of the decision, and surface evidence for the chosen learning-response method. Pairs with nhs-clinical-safety (CSO sign-off) and MHRA Yellow Card / FSN routing for SaMD-overlapping events.',
+        controlCount: 7,
+    },
+    {
+        id: 'nice-esf-dht',
+        name: 'NICE Evidence Standards Framework for Digital Health Technologies',
+        shortName: 'NICE ESF',
+        vertical: 'UK',
+        jurisdiction: 'GB',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'NICE Evidence Standards Framework for Digital Health Technologies (DHTs) — tiered evidence requirements for digital products in the NHS. Tier A (system-impact) / Tier B (informing) / Tier C (active monitoring or treatment). Effective and economic-impact evidence. Pairs with nhs-clinical-safety (clinical safety case) and uk-gdpr (data protection).',
+        keyRequirements: ['Tier classification (A / B / C)', 'Effective evidence per tier', 'Economic-impact evidence per tier', 'Real-world implementation evidence', 'NHS commissioner-facing evidence surface', 'Pairs with nhs-clinical-safety', 'Refreshes via NICE update cadence'],
+        aiRelevance: 'AI agents marketed as DHTs into the NHS must present tier-appropriate effectiveness + economic evidence, with the AI portion of the intervention attributable in the evidence pack. Pairs with nhs-clinical-safety, mhra-samd-ukca (where SaMD), and nhs-dtac (composite).',
+        controlCount: 7,
+    },
+    {
+        id: 'scotland-awi',
+        name: 'Adults with Incapacity (Scotland) Act 2000',
+        shortName: 'Scotland AWI',
+        vertical: 'UK',
+        jurisdiction: 'GB-SCT',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'Adults with Incapacity (Scotland) Act 2000 — Scottish statutory framework for decisions affecting adults lacking capacity. Welfare guardian + power of attorney + intervention order routes. Distinct from the Mental Capacity Act 2005 (England + Wales) and Mental Capacity (Northern Ireland) Act 2016. AI-overlay: AI-assisted decisions touching adults-with-incapacity must surface the named decision-maker and route to the appropriate welfare/intervention authority.',
+        keyRequirements: ['Capacity assessment requirement', 'Welfare guardian / POA / intervention-order routing', 'Best-interests principle', 'Least-restrictive option principle', 'Adult-safeguarding referral surface', 'Distinct from MCA 2005 (E+W)', 'OPG Scotland oversight surface'],
+        aiRelevance: 'AI agents acting on Scottish adults-with-incapacity must surface a capacity flag, route consequential decisions to the named welfare guardian / attorney, and seal the named decision-maker into the audit chain.',
+        controlCount: 7,
+    },
+    {
+        id: 'scotland-procurement-reform',
+        name: 'Procurement Reform (Scotland) Act 2014',
+        shortName: 'Scotland Procurement',
+        vertical: 'UK',
+        jurisdiction: 'GB-SCT',
+        status: 'ACTIVE',
+        priority: 'P2',
+        description: 'Scotland-specific procurement statute (distinct from UK Procurement Act 2023 which covers England, Wales, NI). Sustainable procurement duty (s.9), community benefit requirements (s.25), Public Contracts Scotland Regulations 2015 + Procurement Reform statutory guidance. AI-specific overlays: model lineage + provenance, foreign-state involvement, sustainability + fair-work practices.',
+        keyRequirements: ['Sustainable procurement duty (s.9)', 'Community benefit requirements (s.25)', 'Public Contracts Scotland conformance', 'Statutory guidance compliance', 'AI model lineage + provenance disclosure', 'Foreign-state involvement disclosure', 'Fair-work first overlay'],
+        aiRelevance: 'AI agents bidding into Scottish public-sector procurement must surface sustainable procurement evidence, community-benefit commitments, and the AI-specific overlays. Distinct from the UK Procurement Act 2023 pack (uk-procurement-act).',
+        controlCount: 7,
+    },
+    {
+        id: 'scotland-psed',
+        name: 'Scotland Specific Duties (PSED Scotland — SSI 2012/162)',
+        shortName: 'Scotland PSED',
+        vertical: 'UK',
+        jurisdiction: 'GB-SCT',
+        status: 'ACTIVE',
+        priority: 'P2',
+        description: 'Equality Act 2010 (Specific Duties) (Scotland) Regulations 2012 — Scottish public-sector equality duty. Equality Outcomes (4-yearly), Mainstreaming Reports (biennial), Equality Impact Assessments, employee information + pay-gap reporting (gender + ethnicity + disability), board diversity reporting. Goes beyond the GB-wide PSED in uk-equality-act with stricter cadence + scope.',
+        keyRequirements: ['Equality Outcomes 4-yearly cycle', 'Mainstreaming Report biennial cadence', 'EIAs for new + revised policies', 'Employee + pay-gap reporting (gender / ethnicity / disability)', 'Board diversity reporting', 'Stricter than GB PSED', 'Scottish Government oversight surface'],
+        aiRelevance: 'AI agents in Scottish public-sector bodies must surface EIA evidence on policy + algorithm changes, contribute to Mainstreaming Report data, and tag pay-gap-relevant decisions for inclusion in the statutory reports.',
+        controlCount: 7,
+    },
+    {
+        id: 'wales-future-generations',
+        name: 'Wellbeing of Future Generations (Wales) Act 2015',
+        shortName: 'Wales WFG',
+        vertical: 'UK',
+        jurisdiction: 'GB-WLS',
+        status: 'ACTIVE',
+        priority: 'P2',
+        description: 'Wellbeing of Future Generations (Wales) Act 2015 — Welsh-specific sustainable-development duty on public bodies. Seven well-being goals; five sustainable-development principles (long-term, prevention, integration, collaboration, involvement); Future Generations Commissioner oversight. AI-overlay: AI agents acting on behalf of public bodies must surface evidence against each well-being goal + apply the five-ways-of-working principles.',
+        keyRequirements: ['Seven well-being goals evidence', 'Long-term principle', 'Prevention principle', 'Integration principle', 'Collaboration principle', 'Involvement principle', 'Future Generations Commissioner oversight'],
+        aiRelevance: 'AI agents acting on behalf of Welsh public bodies must produce well-being-goal-tagged evidence and surface the five sustainable-development principles in material decisions. Pairs with uk-procurement-act for procurement-side overlays.',
+        controlCount: 7,
+    },
+    {
+        id: 'ni-equality',
+        name: 'Northern Ireland Equality (s.75 NI Act 1998 + Equality NI Orders + FETO)',
+        shortName: 'NI Equality',
+        vertical: 'UK',
+        jurisdiction: 'GB-NIR',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'Northern Ireland equality statutes overlay covering Section 75 of the NI Act 1998 (statutory equality duty across 9 categories — religion, political opinion, racial group, age, marital status, sexual orientation, men/women generally, with/without disability, with/without dependants), Equality (Disability) NI Orders, and Fair Employment and Treatment (NI) Order 1998 (FETO — religion + political opinion in employment + goods/services). Goes beyond the GB Equality Act 2010 with NI-specific religion + political-opinion duties.',
+        keyRequirements: ['s.75 9-category equality duty', 'Equality Scheme + EQIA cadence', 'Disability Discrimination NI Orders', 'FETO religion + political-opinion duty', 'Fair Employment monitoring returns', 'ECNI oversight surface', 'Distinct from GB Equality Act 2010'],
+        aiRelevance: 'AI agents acting in NI must surface s.75 9-category evidence, run EQIAs on policies + algorithms, and flag religion + political-opinion data per FETO. Stricter than GB Equality Act for these specific characteristics.',
+        controlCount: 7,
+    },
+    {
+        id: 'ni-hscni',
+        name: 'Health and Social Care Northern Ireland (HSCNI)',
+        shortName: 'NI HSCNI',
+        vertical: 'UK',
+        jurisdiction: 'GB-NIR',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'Northern Ireland integrated Health and Social Care system overlay. Distinct governance from NHS England — single integrated HSCNI body covering both health and social care under the Department of Health (NI). Caldicott Guardian role applies; NI-specific patient safety + adult safeguarding routes; NI-specific data-sharing protocols including the Health and Social Care Data Sharing Agreement.',
+        keyRequirements: ['Integrated H+SC governance (HSCNI body)', 'NI Department of Health oversight', 'Caldicott Guardian designation', 'NI-specific patient safety routes', 'NI-specific adult safeguarding referral routes', 'HSC Data Sharing Agreement conformance', 'Distinct from NHS England (separate pack)'],
+        aiRelevance: 'AI agents acting in HSCNI settings must surface the integrated H+SC binding, route patient safety + adult safeguarding events through NI-specific channels, and apply the Caldicott Guardian gate. Pairs with nhs-dspt (NHS data security baseline applicable cross-jurisdiction) and ni-mental-capacity.',
+        controlCount: 7,
+    },
+    {
+        id: 'ni-mental-capacity',
+        name: 'Mental Capacity (Northern Ireland) Act 2016',
+        shortName: 'NI Mental Capacity',
+        vertical: 'UK',
+        jurisdiction: 'GB-NIR',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'Mental Capacity (NI) Act 2016 — NI-specific statutory framework integrating mental-health + mental-capacity legislation (unique fusion in UK; NI has no separate Mental Health Act). Best-interests principle; deprivation-of-liberty safeguards (DoLS-equivalent under MCA NI); nominated person + independent advocate routes. Distinct from MCA 2005 (E+W) and AWI (Scotland).',
+        keyRequirements: ['Capacity assessment requirement', 'Best-interests principle', 'Deprivation-of-liberty safeguards (MCA NI)', 'Nominated person designation', 'Independent advocate route', 'Integrated MH+MC fusion (unique in UK)', 'Distinct from MCA 2005 + AWI'],
+        aiRelevance: 'AI agents acting in NI healthcare or social care touching mental-capacity decisions must surface a capacity flag, route to the nominated person / independent advocate, and apply the integrated MH+MC framework. Pairs with ni-hscni and uk-equality-act.',
+        controlCount: 7,
+    },
+    {
+        // TIER 10-UK Wave 4, Pack 17 — UK Computer Misuse Act 1990. Foundational
+        // UK cyber-crime statute. s.1-3A offences; criminal liability for
+        // operators + deploying organisations whose AI agents commit
+        // unauthorised access, impairment, or supply exploit articles.
+        id: 'uk-cma-1990',
+        name: 'UK Computer Misuse Act 1990',
+        shortName: 'UK CMA 1990',
+        vertical: 'UK',
+        jurisdiction: 'GB',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'Foundational UK cyber-crime statute (Computer Misuse Act 1990 c.18, as amended by the Police and Justice Act 2006, Serious Crime Act 2015, and Crime and Courts Act 2013). s.1 unauthorised access / s.2 unauthorised access with ulterior intent / s.3 impairment / s.3ZA serious-damage offence (up to life imprisonment) / s.3A making, supplying, or obtaining articles for use in offences. An AI agent that attempts to access third-party systems without authorisation — credential stuffing, paywall bypass, CVE exploitation, lateral movement, evidence tampering — exposes operator AND deploying organisation to criminal liability. Default-deny on unauthorised external-target tool invocation; operator authority is the source of truth, never prompt-derived.',
+        keyRequirements: ['s.1 unauthorised access to computer material', 's.2 unauthorised access with intent to commit further offences', 's.3 unauthorised acts with intent to impair', 's.3ZA serious-damage offence (up to life imprisonment)', 's.3A making, supplying, or obtaining articles for use in offences', 'Default-deny on unauthorised external-target tool invocation', 'Operator-attested authorised-system list (no prompt-derived authority)', 'PACE 1984 s.78 admissible audit chain', 'Indictable-offence retention (no statutory limitation)'],
+        aiRelevance: 'AI agents touching UK customer estates, UK-hosted infrastructure, or UK individuals are within reach of CMA 1990 prosecution. The pack gates tool invocation behind operator-attested authority, blocks data-classifier categories that signal unauthorised access / impairment / exploit tooling / evidence tampering, routes CMA-adjacent actions to T2 approval, and preserves PACE 1984 s.78 admissible evidence. Pairs with uk-nis-regs (statutory cyber-resilience duty), ncsc-caf (assessment evidence), and cyber-essentials (SME baseline).',
+        controlCount: 9,
+    },
+    {
+        // TIER 10-UK Wave 4, Pack 16 (FINAL) — UK Future AI Legislation Horizon-Scan.
+        // MONITOR-tier constitution scaffold for upcoming UK AI statutes (DSIT AI
+        // Safety Bill, DPDI / Data Use and Access Bill, sectoral statutes). Pack is
+        // a placeholder until specific instruments receive Royal Assent — at which
+        // point a sibling ACTIVE pack graduates. Closes the TIER 10-UK 16-pack
+        // build (15 of 16 ACTIVE + 1 MONITOR scaffold).
+        id: 'uk-future-ai-legislation',
+        name: 'UK Future AI Legislation Horizon-Scan',
+        shortName: 'UK Future AI',
+        vertical: 'UK',
+        jurisdiction: 'GB',
+        status: 'ACTIVE',
+        priority: 'P2',
+        description: 'Constitution scaffold for upcoming UK AI legislation. No standalone UK AI Act as of May 2026. Tracks DSIT AI Safety Bill, DPDI / Data Use and Access Bill carryover, and sectoral statutes (FCA AI consumer duty, MHRA AI-as-medical-device, CMA Strategic Market Status involving foundation models, Ofcom AI code). MONITOR-tier — validators flag at HIGH/MEDIUM, never CRITICAL. Quarterly horizon-scan attestation locks update discipline. When an instrument is enacted, a sibling ACTIVE pack graduates (status flip) without from-scratch implementation.',
+        keyRequirements: ['Quarterly horizon-scan attestation', 'Draft-bill citation tracking (HORIZON_SCAN_EVIDENCE classifier)', 'Sectoral regulator mapping (FCA / MHRA / CMA / Ofcom / ICO)', 'Pre-enactment evidence retention (6 years per Limitation Act 1980)', 'Tamper-evident audit trail for horizon-scan content', 'Constitution scaffolding — status switch from MONITOR to ACTIVE on Royal Assent'],
+        aiRelevance: 'Forward-looking pack. Customers running AI in regulated sectors (financial services, healthcare, online services) can pre-position controls before UK statute lands. Audit trail proves pre-enactment compliance posture during transition. Pairs with uk-ai-framework (DSIT 2023 principles operative today), uk-equality-act-ai-bias, and uk-online-safety-act.',
+        controlCount: 5,
+    },
+    {
+        // TIER 10-UK Wave 3, Pack 12 — UK NIS Regulations 2018. Statutory
+        // cyber-resilience duty on Operators of Essential Services + Relevant
+        // Digital Service Providers. 72-hour incident notification.
+        id: 'uk-nis-regs',
+        name: 'UK Network and Information Systems Regulations 2018',
+        shortName: 'UK NIS Regs',
+        vertical: 'UK',
+        jurisdiction: 'GB',
+        status: 'ACTIVE',
+        priority: 'P2',
+        description: 'UK transposition of the original EU NIS Directive, retained in UK law post-Brexit (SI 2018/506). Statutory cyber-resilience duty on Operators of Essential Services (energy, water, health, transport, digital infrastructure, banking) and Relevant Digital Service Providers (online marketplaces, search engines, cloud computing). Reg 10 security duty + Reg 11 72-hour incident notification + Reg 12 cooperation duty + Reg 13 registration + Reg 17 penalties (up to £17M or 4% turnover). Distinct from EU NIS2; paired with ncsc-caf and cyber-essentials.',
+        keyRequirements: ['OES / RDSP scoping (Reg 13 registration)', 'Reg 10 security duty (technical + organisational measures)', 'Reg 11 72-hour incident notification clock', 'Reg 12 cooperation duty with competent authority', 'Sector-specific competent authority routing', 'Up to £17M / 4% turnover penalty exposure', 'Distinct from EU NIS2 (separate pack)'],
+        aiRelevance: 'AI agents inside an OES or RDSP boundary must surface incident detection within the 72-hour clock, route notifications to the sector-specific competent authority, and maintain Reg 10 evidence chains. Pairs with ncsc-caf for assessment evidence and cyber-essentials for SME-tier self-assessment.',
+        controlCount: 7,
+    },
+    {
+        // TIER 10-UK Wave 3, Pack 13 — UK Online Safety Act 2023. UGC + search
+        // + pornography services. Senior manager accountability + 10% global
+        // revenue penalty surface.
+        id: 'uk-online-safety-act',
+        name: 'UK Online Safety Act 2023',
+        shortName: 'UK OSA',
+        vertical: 'UK',
+        jurisdiction: 'GB',
+        status: 'ACTIVE',
+        priority: 'P2',
+        description: 'UK comprehensive statute regulating user-generated content (UGC), search services, and pornography services. Any AI-driven product hosting, ranking, surfacing, recommending, generating, or moderating content for UK users may be in scope. Service categorisation (Cat 1, 2A, 2B + other regulated). Illegal content + children safety duties. User empowerment (s.14, Cat 1). Transparency reporting (s.77, Cat 1 + 2A). Senior manager accountability (s.103). Penalties up to 10% of qualifying worldwide revenue or £18M; senior-manager criminal liability (s.110).',
+        keyRequirements: ['Service categorisation (Cat 1 / 2A / 2B / other regulated)', 'Illegal content duty', 'Children safety duty (age-assurance overlay)', 'User empowerment tools (Cat 1, s.14)', 'Transparency reporting (s.77)', 'Senior manager accountability (s.103) + criminal liability (s.110)', 'Up to 10% global revenue or £18M penalty exposure'],
+        aiRelevance: 'AI agents acting as a regulated UK service must classify their service category, run illegal-content + children-safety duty checks at the moderation boundary, attach senior-manager accountability metadata to material decisions, and produce s.77 transparency-report evidence. Pairs with uk-equality-act (anti-discrimination overlap), uk-gdpr (age assurance), uk-ai-framework (DSIT fairness + transparency).',
+        controlCount: 7,
+    },
+    {
+        // TIER 10-UK Wave 3, Pack 14 — UK Procurement Act 2023. Notice regime,
+        // exclusions, conflicts register, MAT replacing MEAT, Central Digital
+        // Platform transparency, AI-specific overlays.
+        id: 'uk-procurement-act',
+        name: 'UK Procurement Act 2023',
+        shortName: 'UK Procurement Act',
+        vertical: 'UK',
+        jurisdiction: 'GB',
+        status: 'ACTIVE',
+        priority: 'P2',
+        description: 'Procurement Act 2023 (in force 24 Feb 2025). Replaces the pre-Brexit procurement regulations (PCR2015, UCR2016, CCR2016, DSPCR2011) for England, Wales, and Northern Ireland. Notice regime (Part 4) + exclusions and debarment incl. national-security ground (Part 5) + conflicts register (Schedule 5) + Most Advantageous Tender (s.19) replacing MEAT + Central Digital Platform transparency (Part 8) + 30-day payment terms (s.68) + modifications gate (s.74). AI-specific overlays: foreign-state involvement disclosure, model lineage + provenance, data-residency disclosure. Scotland uses Procurement Reform (Scotland) Act 2014 — separate pack.',
+        keyRequirements: ['Notice regime conformance (Part 4)', 'Exclusions and debarment (Part 5, national-security ground)', 'Conflicts register (Schedule 5)', 'Most Advantageous Tender (s.19, replaces MEAT)', 'Central Digital Platform transparency (Part 8)', '30-day payment terms (s.68)', 'AI-specific overlays (foreign-state, model lineage, data residency)'],
+        aiRelevance: 'AI agents bidding into UK central or local government procurement must surface model-lineage evidence, foreign-state involvement disclosure, and data-residency posture against the Central Digital Platform transparency requirements. Pairs with uk-ai-framework (DSIT public-sector AI guidance), cyber-essentials, and ncsc-caf.',
+        controlCount: 7,
+    },
+    {
+        // TIER 10-UK Wave 2, Pack 9 — UK Pro-Innovation AI Framework (DSIT
+        // 2023). 5 cross-sectoral AI principles applied via existing UK
+        // regulators (CMA / ICO / FCA / MHRA / Ofcom / HSE / OFSTED).
+        id: 'uk-ai-framework',
+        name: 'UK Pro-Innovation AI Framework (DSIT 2023)',
+        shortName: 'UK AI Framework',
+        vertical: 'UK',
+        jurisdiction: 'GB',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'UK Department for Science, Innovation and Technology (DSIT) pro-innovation approach to AI regulation (White Paper March 2023, Roadmap Feb 2024). Encodes the 5 cross-sectoral AI principles (safety/security/robustness; transparency/explainability; fairness; accountability/governance; contestability/redress) applied across sectors by existing UK regulators (CMA, ICO, FCA, MHRA, Ofcom, HSE, OFSTED). Includes AI Safety Institute (AISI) coordination obligations for frontier AI. Non-statutory principles-based framework; may require updates as UK statute is enacted.',
+        keyRequirements: ['Safety / security / robustness principle', 'Transparency / explainability principle', 'Fairness principle', 'Accountability / governance principle', 'Contestability / redress principle', 'AISI coordination for frontier AI', 'Sectoral regulator alignment (CMA / ICO / FCA / MHRA / Ofcom / HSE / OFSTED)'],
+        aiRelevance: 'AI agents operating in the UK across regulated sectors must surface evidence against the 5 DSIT principles, route material risk events to the relevant sectoral regulator, and (for frontier AI) coordinate disclosures with the AI Safety Institute. Non-statutory but referenced by procurement frameworks and existing regulator guidance.',
+        controlCount: 7,
+    },
+    {
+        // TIER 10-UK Wave 2, Pack 10 — Caldicott Principles (2020 revision).
+        // National Data Guardian statutory authority. Caldicott Guardian
+        // named-role designation single source of truth — NHS DSPT + DTAC
+        // packs defer to this pack when registered.
+        id: 'caldicott-principles',
+        name: 'Caldicott Principles (2020 revision)',
+        shortName: 'Caldicott',
+        vertical: 'UK',
+        jurisdiction: 'GB',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'Caldicott Principles eight (2020 revision) covering NHS-specific patient confidential information handling: purpose justification, necessity test, minimum-necessary decisions, need-to-know access gating, role awareness, lawful-basis compliance, duty-to-share for individual care (principle 7), and patient-facing transparency. Caldicott Guardian named-role designation captured here as the single source of truth — NHS DSPT and DTAC packs defer to this pack for Caldicott Guardian sign-off when registered.',
+        keyRequirements: ['Purpose justification (Principle 1)', 'Necessity test (Principle 2)', 'Minimum-necessary disclosure (Principle 3)', 'Need-to-know access gating (Principle 4)', 'Role awareness (Principle 5)', 'Lawful-basis compliance (Principle 6)', 'Duty-to-share for individual care (Principle 7)', 'Patient-facing transparency (Principle 8)'],
+        aiRelevance: 'AI agents acting on NHS patient confidential information must invoke the eight Caldicott Principles in order, routing non-routine sharing to the named Caldicott Guardian. Single source of truth for the Guardian designation across NHS DSPT (Pack 5) and NHS DTAC (Pack 2) bindings.',
+        controlCount: 8,
+    },
+    {
+        // TIER 10-UK Wave 1, Pack 1 — UK ICO Open Case legal-hold posture.
+        // Overrides UK GDPR Art 17(3)(b) Right to Erasure for tagged data;
+        // default-denies destructive ops; pairs with uk-gdpr pack.
+        id: 'uk-ico-open-case',
+        name: 'UK ICO Open Case (Legal-Hold Posture)',
+        shortName: 'UK ICO Open Case',
+        vertical: 'UK',
+        jurisdiction: 'GB',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'Operational legal-hold posture pack for organisations subject to an open ICO investigation, audit, or enforcement action. Overrides UK GDPR Right to Erasure (Art. 17(3)(b)) for tagged data; suspends standard retention; gates cross-border transfers; surfaces legal-hold status on every governance decision touching subject-keyed data. DPA 2018 s.148 criminalises destruction / falsification during an ICO investigation — pack default-denies DELETE / DROP / TRUNCATE on tagged data and routes attempts to T1 mandatory review with audit-chain capture. Registered ALONGSIDE the uk-gdpr pack — both apply during an open case.',
+        keyRequirements: ['Default-deny DELETE / DROP / TRUNCATE on UK_ICO_OPEN_CASE-bound records', 'Legal-hold status surfaced on every governance decision touching subject-keyed data', 'Right-to-Erasure (UK GDPR Art 17(3)(b)) suspended for tagged data', 'Standard retention windows suspended for tagged data', 'Cross-border transfer gate during open case', 'T1 mandatory review on attempted destructive operations', 'DPA 2018 s.148 criminal-liability evidence capture'],
+        aiRelevance: 'AI agents acting against an organisation under an open ICO case must surface legal-hold status before any decision touching subject-keyed data, refuse destructive operations on bound records, and seal every attempted operation to the audit chain so the ICO can read the trail. Pairs with uk-gdpr (concurrent enforcement). First filed pack for the TIER 10-UK Wave 1 cohort (F-NEW-PACK-UK-ICO-OPEN-CASE finding).',
+        controlCount: 7,
+    },
+    {
+        // TIER 10-UK Wave 1, Pack 2 — NHS DTAC composite assessment.
+        // Aggregates clinical safety (DCB0129/0160), data protection (UK GDPR),
+        // technical security (Cyber Essentials), interoperability, and
+        // usability + accessibility into one badge.
+        id: 'nhs-dtac',
+        name: 'NHS Innovation Service — Digital Technology Assessment Criteria (DTAC)',
+        shortName: 'NHS DTAC',
+        vertical: 'UK',
+        jurisdiction: 'GB',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'Composite assessment framework owned by NHS England. Aggregates evidence from five domains: clinical safety (DCB0129/0160), data protection (UK GDPR + DPA 2018), technical security (Cyber Essentials), interoperability (NHS Digital FHIR R4 / SNOMED CT / NHS Number / ICD-10), and usability + accessibility (WCAG 2.2 AA + NHS Service Manual). Patient-data sharing additionally governed by the Caldicott Principles. Surfaces a single DTAC compliance badge on the customer dashboard. Composite by design — does not duplicate sub-pack enforcement; tracks aggregate readiness.',
+        keyRequirements: ['Clinical safety evidence (DCB0129 + DCB0160)', 'Data protection evidence (UK GDPR + DPA 2018)', 'Technical security evidence (Cyber Essentials)', 'Interoperability conformance (FHIR R4 + SNOMED CT + NHS Number + ICD-10)', 'Usability + accessibility (WCAG 2.2 AA + NHS Service Manual)', 'Caldicott Guardian named-role attestation', 'Composite DTAC badge surface for customer dashboard'],
+        aiRelevance: 'AI agents in NHS-procurement scope must surface a DTAC composite-readiness badge derived from the five sub-pack states. The DTAC pack does not duplicate enforcement — it inspects the bound sub-packs and produces an aggregate verdict the procurement team reads. Depends on nhs-clinical-safety + uk-gdpr + cyber-essentials packs.',
+        controlCount: 7,
+    },
+    {
+        // TIER 10-UK Wave 1, Pack 4 — MHRA UK SaMD + UKCA marking. UK-specific
+        // medical-device path (post-Brexit). Inherits DCB0129/0160 clinical-
+        // safety spine; distinct from EU MDR/IVDR.
+        id: 'mhra-samd-ukca',
+        name: 'MHRA UK SaMD / UKCA marking',
+        shortName: 'MHRA SaMD',
+        vertical: 'UK',
+        jurisdiction: 'GB',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'MHRA UK Software as a Medical Device + UKCA marking pack covering risk classification (IMDRF I / IIa / IIb / III), UKCA Declaration of Conformity, harmonised standards (ISO 13485, ISO 14971, IEC 62304, IEC 82304, ISO 14155), clinical evaluation evidence per UK MDR 2002 Schedule 2A, post-market surveillance + Periodic Safety Update Report (class-banded cadence), vigilance / serious-incident reporting (15-day MHRA / 10-day immediate-threat-to-life), Field Safety Corrective Action + Field Safety Notice workflows, MHRA SaMD AI Change Programme overlays (Algorithm Change Protocol, Pre-determined Change Control Plan, AI Airlock), device registration + UK Responsible Person designation.',
+        keyRequirements: ['IMDRF risk classification I / IIa / IIb / III', 'UKCA Declaration of Conformity attestation', 'Harmonised standards (ISO 13485 / 14971 / IEC 62304 / IEC 82304 / ISO 14155)', 'Clinical evaluation evidence per UK MDR 2002 Schedule 2A', '15-day MHRA vigilance reporting (10-day for immediate threat to life)', 'Algorithm Change Protocol + Pre-determined Change Control Plan (AI Change Programme)', 'Field Safety Corrective Action + Field Safety Notice workflows'],
+        aiRelevance: 'AI agents acting as SaMD in the UK market must declare UKCA conformity, run under an Algorithm Change Protocol with a Pre-determined Change Control Plan, register a UK Responsible Person, and route serious incidents through MHRA vigilance inside the class-banded clock. Distinct from EU MDR/IVDR (eu-mdr-ivdr pack); inherits DCB0129/0160 clinical-safety-case spine (nhs-clinical-safety pack).',
+        controlCount: 7,
+    },
+    {
+        // TIER 10-UK Wave 1, Pack 7 — NHS Clinical Safety standards
+        // DCB0129 (manufacturer) + DCB0160 (deployer). Depends on NHS DSPT;
+        // unblocks MHRA SaMD UKCA. Pack id 'nhs-clinical-safety' (filename
+        // nhs-dcb0129-dcb0160.ts).
+        id: 'nhs-clinical-safety',
+        name: 'NHS Clinical Safety (DCB0129 manufacturer + DCB0160 deployer)',
+        shortName: 'NHS Clinical Safety',
+        vertical: 'UK',
+        jurisdiction: 'GB',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'NHS England clinical safety standards DCB0129 (manufacturer / health IT vendor) and DCB0160 (deployer / NHS trust) covering hazard log, Clinical Safety Case Report (CSCR), Clinical Safety Officer (CSO) named-role sign-off gate, change-control re-review, and clinical incident escalation per PSIRF + MHRA Yellow Card / FSN. Mandatory for any clinical IT system used in the NHS, including AI agents issuing or supporting clinical recommendations. AI overlay: model-version logging, drift monitoring as a named hazard, inference trace retention.',
+        keyRequirements: ['Hazard log + Clinical Safety Case Report (CSCR)', 'Clinical Safety Officer (CSO) named-role sign-off gate', 'Change-control re-review on AI model updates', 'Drift monitoring registered as named hazard', 'Clinical incident escalation per PSIRF', 'MHRA Yellow Card / FSN routing for SaMD-overlapping events', 'Manufacturer (DCB0129) + deployer (DCB0160) dual-binding'],
+        aiRelevance: 'AI agents producing or supporting clinical recommendations must register the model as a hazard line in the CSCR, route material model updates through the CSO sign-off gate, retain inference traces, and surface drift-monitor breaches as named hazards. Depends on NHS DSPT (Pack 5) for NHS-data classification; unblocks MHRA SaMD/UKCA (Pack 4).',
+        controlCount: 7,
+    },
+    {
+        // TIER 10-UK Wave 1, Pack 6 — NCSC Cyber Essentials. Pairs with NHS
+        // DSPT for NHS data partners; required for NHS / central government /
+        // MoD supplier contracts. Annual renewal + patch-SLA enforcement.
+        id: 'cyber-essentials',
+        name: 'UK NCSC Cyber Essentials / Cyber Essentials Plus',
+        shortName: 'Cyber Essentials',
+        vertical: 'UK',
+        jurisdiction: 'GB',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'NCSC Cyber Essentials scheme covering the five technical control families (firewalls, secure configuration, security update management, user access control, malware protection). Mandatory for many NHS, central government, and MoD supplier contracts. Pairs with NHS DSPT for NHS data partners. Tracks the self-assessment evidence chain plus the CE+ independent technical verification attestation. Annual renewal cadence; patch SLA enforcement (14 days for critical / high CVEs).',
+        keyRequirements: ['Firewall + boundary defence baseline', 'Secure configuration of all systems', 'Security update management (14-day SLA on critical / high CVEs)', 'User access control (least privilege, MFA for privileged accounts)', 'Malware protection on every endpoint', 'Annual self-assessment submission', 'CE+ independent technical verification (when scope requires)'],
+        aiRelevance: 'AI agents operating inside a UK Cyber Essentials boundary must run on systems passing the five control families; AI-driven configuration changes are recorded to the audit chain; AI updates to controlled software trigger patch-SLA enforcement events. CE+ adds independent verification of the technical controls.',
+        controlCount: 7,
+    },
+    {
+        // TIER 10-UK Wave 1, Pack 5 — first-dependency pack for DCB0129 /
+        // DTAC / MHRA per F-NEW-TIER-10-UK-WAVE1-ROADMAP. Resume item from
+        // 2026-05-09 evening session build-queue.
+        id: 'nhs-dspt',
+        name: 'NHS Data Security and Protection Toolkit',
+        shortName: 'NHS DSPT',
+        vertical: 'UK',
+        jurisdiction: 'GB',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'NHS England DSPT compliance pack covering the NDG ten data security standards, NHS Number / SNOMED CT / ICD-10 classification, 8-year clinical record retention (paediatric 25-year / maternity 30-year), Caldicott Guardian sign-off for non-routine sharing, and the cross-NHS-trust transfer HITL gate. Required of every NHS organisation and every supplier processing NHS clinical data.',
+        keyRequirements: ['NHS Number detection + minimum-necessary handling (NDG #1, #4)', 'SNOMED-CT + ICD-10 clinical-code detection', '8-year clinical record retention (25-year paediatric, 30-year maternity)', 'Caldicott Guardian sign-off on non-routine sharing', 'Cross-NHS-trust transfer HITL T2 gate', 'Annual DSPT self-assessment submission tracking', 'CQC + ICO regulator alignment'],
+        aiRelevance: 'AI agents processing NHS-tagged data must classify NHS Number / SNOMED-CT / ICD-10 at ingress, enforce minimum-necessary disclosure, route cross-trust transfers to Caldicott Guardian review, and retain audit chain entries for the bound retention window. Substrate pack for DCB0129/DCB0160 clinical safety + MHRA SaMD + NHS DTAC packs.',
+        controlCount: 10,
+    }
+];
+// ---------------------------------------------------------------------------
+// AU PACKS (Phase 5, 2026-04-24) -- moved from PLANNED to ACTIVE
+// ---------------------------------------------------------------------------
+const AU_PACKS = [
+    {
+        id: 'au-privacy-act',
+        name: 'Australian Privacy Act 1988 (Cth) — APPs + NDB',
+        shortName: 'AU Privacy Act',
+        vertical: 'APAC',
+        jurisdiction: 'AU',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'Privacy Act 1988 (Cth), Australian Privacy Principles (APPs 1-13), Notifiable Data Breaches scheme, 2024 reform amendments. Covers sensitive PI gate, government ID block, offshore transfer gate, NDB 30-day clock.',
+        keyRequirements: ['APPs 1-13', 'Sensitive PI gate (APP 3)', 'Offshore transfer gate (APP 8)', 'NDB scheme (30-day clock)', 'Government ID block (TFN Rule)', 'Data retention schedule (APP 11)', 'Access + correction rights (APPs 12-13)'],
+        aiRelevance: 'AI agents processing Australian personal information must enforce APPs, gate sensitive and government-ID data, honour NDB 30-day breach notification, and prevent unlawful offshore transfer.',
+        controlCount: 8,
+    },
+    {
+        id: 'au-cdr',
+        name: 'Consumer Data Right (CDR) Act 2019',
+        shortName: 'AU CDR',
+        vertical: 'APAC',
+        jurisdiction: 'AU',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'CDR Act 2019 and CDR Privacy Safeguards (PS 1-13). Covers expired consent gate, secondary-use block, marketing-use block, 14-day deletion SLA, offshore transfer gate.',
+        keyRequirements: ['Consent gate (PS 1.4)', 'Secondary use block (PS 6.4)', 'Marketing block (PS 7.5)', 'Deletion SLA 14 days (PS 9.2)', 'Offshore transfer gate (PS 8.11)', 'Accredited data recipient obligations'],
+        aiRelevance: 'AI agents in Open Banking/Energy/Telecoms must enforce CDR consent, block marketing re-use, and comply with the 14-day deletion SLA for expired consent data.',
+        controlCount: 6,
+    },
+    {
+        id: 'au-cps234',
+        name: 'APRA CPS 234 Information Security',
+        shortName: 'CPS 234',
+        vertical: 'APAC',
+        jurisdiction: 'AU',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'APRA CPS 234 (effective 1 July 2019). Covers 72-hour incident notification, control weakness notification, third-party gate, information asset register, annual testing.',
+        keyRequirements: ['72-hour incident notification (Para 23)', 'Control weakness notification (Para 22)', 'Third-party arrangement gate (Paras 15-16)', 'Information asset register (Para 10)', 'Annual testing cadence (Paras 20-21)'],
+        aiRelevance: 'AI assets in APRA-regulated entities must be registered, tested annually, and trigger 72-hour APRA notification for material cyber incidents.',
+        controlCount: 6,
+    },
+    {
+        id: 'au-cps230',
+        name: 'APRA CPS 230 Operational Risk Management',
+        shortName: 'CPS 230',
+        vertical: 'APAC',
+        jurisdiction: 'AU',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'APRA CPS 230 (effective 1 July 2025). Covers operational incident notification (72h), material provider due diligence, BCP annual test, critical operations register.',
+        keyRequirements: ['72-hour operational incident notification', 'Material provider due diligence', 'Provider contract completeness', 'BCP annual test', 'Critical operations register', 'Post-incident review'],
+        aiRelevance: 'AI systems supporting critical operations in APRA entities require operational resilience governance, provider due diligence, and 72-hour incident notification.',
+        controlCount: 6,
+    },
+    {
+        id: 'au-soci-act',
+        name: 'Security of Critical Infrastructure Act 2018',
+        shortName: 'SOCI Act',
+        vertical: 'APAC',
+        jurisdiction: 'AU',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'SOCI Act 2018 across 11 critical infrastructure sectors. Covers 12-hour significant cyber incident notification (s.30BC), 72-hour follow-up (s.30BG), SONS directions, CIRMP obligations.',
+        keyRequirements: ['12-hour cyber incident notification (s.30BC)', '72-hour follow-up (s.30BG)', 'SONS compliance', 'CIRMP annual review', 'Data asset gate'],
+        aiRelevance: 'AI deployed within SOCI-regulated critical infrastructure must enforce 12-hour cyber incident reporting and comply with CIRMP and SONS directions.',
+        controlCount: 5,
+    },
+    {
+        id: 'au-asic-rg-271',
+        name: 'ASIC RG 271 Internal Dispute Resolution',
+        shortName: 'ASIC RG 271',
+        vertical: 'APAC',
+        jurisdiction: 'AU',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'ASIC Regulatory Guide 271 IDR (effective 5 October 2021). Covers AI decision reasons disclosure, 30-day standard IDR SLA, 45-day super, 21-day credit hardship, systemic issue escalation.',
+        keyRequirements: ['30-day standard IDR SLA', '45-day super SLA', '21-day credit hardship SLA', 'AI decision reasons disclosure', 'Systemic issue escalation', 'ASIC reporting', '7-year retention'],
+        aiRelevance: 'AI-driven financial product decisions that generate complaints must comply with RG 271 IDR timeframes and provide human-readable reasons when AI was a contributing factor.',
+        controlCount: 6,
+    },
+    {
+        id: 'au-asic-rg-274',
+        name: 'ASIC Design and Distribution Obligations (DDO)',
+        shortName: 'AU DDO',
+        vertical: 'APAC',
+        jurisdiction: 'AU',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'Corporations Act Part 7.8A DDO (effective 5 October 2021). Covers out-of-target-market block (s.994E), TMD screening, significant dealing 10-BD report (s.994F2), TMD review trigger.',
+        keyRequirements: ['Out-of-target-market block (s.994E)', 'TMD retail client screening', 'Significant dealing report (10 BD, s.994F2)', 'TMD review trigger alert', 'Retail client logging'],
+        aiRelevance: 'AI that recommends or distributes financial products must screen against the TMD at point of recommendation and block or escalate out-of-target distributions.',
+        controlCount: 5,
+    },
+    {
+        id: 'au-aml-ctf',
+        name: 'AML/CTF Act 2006 + 2024 DNFBP Amendments',
+        shortName: 'AU AML/CTF',
+        vertical: 'APAC',
+        jurisdiction: 'AU',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'Anti-Money Laundering and Counter-Terrorism Financing Act 2006, AUSTRAC obligations. Covers tipping-off block, PEP EDD, high-risk country screening, SMR 24-hour CTF clock, TTR/IFTI 10-BD.',
+        keyRequirements: ['Tipping-off block (s.123)', 'PEP enhanced due diligence', 'High-risk country screening', 'SMR 24-hour CTF clock', 'TTR 10-BD filing', 'IFTI 10-BD filing', 'Programme AI documentation', 'DNFBP registration check'],
+        aiRelevance: 'AI in reporting entities must block tipping-off, enforce PEP and high-risk-country gates, and fire 24-hour CTF SMR notification for suspicious matter detection.',
+        controlCount: 9,
+    },
+    {
+        id: 'au-spam-act',
+        name: 'Spam Act 2003 (Cth)',
+        shortName: 'AU Spam Act',
+        vertical: 'APAC',
+        jurisdiction: 'AU',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'Spam Act 2003 (Cth). Covers CEM consent gate, unsubscribed address block, harvested address block, 5-BD unsubscribe action SLA, sender identity disclosure.',
+        keyRequirements: ['Consent gate for CEM (s.16)', 'Unsubscribed address block (s.18)', 'Harvested address block (ss.20-22)', '5-BD unsubscribe SLA (s.18(1)(a))', 'Sender identity disclosure (s.17)', 'Consent logging'],
+        aiRelevance: 'AI-driven marketing or outreach that sends commercial electronic messages to Australian recipients must enforce consent, honour unsubscribes within 5 BD, and never use harvested addresses.',
+        controlCount: 6,
+    },
+    {
+        id: 'au-online-safety',
+        name: 'Online Safety Act 2021 (Cth)',
+        shortName: 'AU Online Safety',
+        vertical: 'APAC',
+        jurisdiction: 'AU',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'Online Safety Act 2021 (Cth). Covers CSAM block, NCII block, cyberbullying child block, Class 2 material block, 48-hour removal obligation, eSafety notice compliance, BOSE.',
+        keyRequirements: ['CSAM block (Part 4)', 'NCII block (Part 5)', 'Cyberbullying child block (Part 3)', 'Class 2 material block (Part 6)', '48-hour removal obligation', 'eSafety notice compliance', 'BOSE coverage attestation'],
+        aiRelevance: 'AI content moderation, generation, or hosting platforms operating in Australia must block CSAM and NCII, respond to eSafety notices within 48 hours, and comply with Basic Online Safety Expectations.',
+        controlCount: 7,
+    },
+    {
+        id: 'au-aiethics-framework',
+        name: 'Australia AI Ethics Framework + Voluntary AI Safety Standard',
+        shortName: 'AU AI Ethics',
+        vertical: 'APAC',
+        jurisdiction: 'AU',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'DISR Australia\'s AI Ethics Framework (2019) + Voluntary AI Safety Standard (Sep 2024). 8 voluntary principles. All obligations WARN; no enacted law. Covers accountability, AI disclosure, redress, human oversight.',
+        keyRequirements: ['Accountability defined (Principle 1)', 'AI disclosure (Principle 7)', 'Governance documentation (Principle 9)', 'Testing cadence', 'Redress mechanism (Principle 10)', 'Training data provenance', 'Human override (Principle 8)'],
+        aiRelevance: 'AI operators aligning with Australia\'s voluntary AI ethics and safety standards should demonstrate the 8 core principles. Regulators may treat adherence as a mitigating factor in enforcement actions.',
+        controlCount: 7,
+    },
+    {
+        id: 'au-mandatory-ai-guardrails',
+        name: 'DISR Mandatory AI Guardrails (Proposals Paper Sep 2024)',
+        shortName: 'AU Mandatory AI',
+        vertical: 'APAC',
+        jurisdiction: 'AU',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'DISR Proposals Paper September 2024 — NOT enacted law [CITATION TO VERIFY]. Proposes mandatory guardrails for high-risk AI contexts: accountability, transparency, redress, testing, provenance. All validators carry citation-to-verify flags.',
+        keyRequirements: ['High-risk AI gate [CITATION TO VERIFY]', 'Accountability documentation [CITATION TO VERIFY]', 'Transparency disclosure [CITATION TO VERIFY]', 'Redress mechanism [CITATION TO VERIFY]', 'Testing cadence [CITATION TO VERIFY]', 'Training data provenance [CITATION TO VERIFY]'],
+        aiRelevance: 'AI operators in Australia preparing for potential mandatory guardrail legislation should implement these controls proactively. Pack uses WARN actions only until legislation is enacted.',
+        controlCount: 6,
+    },
+    {
+        id: 'au-tga-saimd',
+        name: 'TGA Software as a Medical Device (SaMD)',
+        shortName: 'AU TGA SaMD',
+        vertical: 'APAC',
+        jurisdiction: 'AU',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'Therapeutic Goods Act 1989 + TGA AI/ML SaMD Guidance 2023/2024 + GMLP. Covers ARTG registration block, adverse event block, PCCP change approval, performance monitoring, clinical evidence, 10-day MDR clock, 10-year retention.',
+        keyRequirements: ['ARTG registration gate (s.19D)', 'Adverse event block (TGA MDR)', 'PCCP change approval (TGA AI/ML Guidance 2023)', 'Performance monitoring (GMLP Principle 6)', 'Clinical evidence (TGA ECA)', 'GMLP compliance attestation', 'AI labelling', '10-year retention', '10-day MDR notification clock'],
+        aiRelevance: 'AI/ML software that meets the TGA definition of a medical device must hold ARTG registration, comply with GMLP, report adverse events within 10 calendar days, and maintain 10-year records.',
+        controlCount: 8,
+    },
+    // X1-disaggregation (2026-04-24): au-state-health-privacy umbrella pack removed.
+    // Replaced by three standalone packs: au-nsw-hripa, au-vic-hra, au-act-hrpaa.
+    {
+        id: 'au-nsw-hripa',
+        name: 'NSW Health Records and Information Privacy Act 2002 (HRIPA)',
+        shortName: 'NSW HRIPA',
+        vertical: 'APAC',
+        jurisdiction: 'AU-NSW',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'NSW HRIPA 2002: 15 HPPs. IPC NSW administered. HPP 10 transborder transfer BLOCK. HPP 14 research ethics gate. 30-day access/correction SLA. Retention: 7y adult / 10y-from-18 minor (State Records Act 1998 NSW + HRIPA Regulation 2017). Civil penalty: AUD 22,000 per body corporate.',
+        keyRequirements: ['Transborder transfer BLOCK (HPP 10)', 'Research ethics gate (HPP 14)', 'Access SLA 30 days (HPP 11)', 'Correction SLA 30 days (HPP 12)', 'Collection notice (HPP 5)', 'Server location attestation (HPP 10)', 'Minor retention 10y from age 18'],
+        aiRelevance: 'AI systems processing NSW health information must block transfers outside NSW without consent or equivalent-protection confirmation (HPP 10), gate AI training on patient data (HPP 14), and support 30-day access/correction SLAs.',
+        controlCount: 7,
+    },
+    {
+        id: 'au-vic-hra',
+        name: 'VIC Health Records Act 2001 (HRA)',
+        shortName: 'VIC HRA',
+        vertical: 'APAC',
+        jurisdiction: 'AU-VIC',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'VIC HRA 2001: 11 HPPs. HCC + OVIC administered. HPP 2.2 research secondary-use ethics gate. 25-year mental health retention [CITATION TO VERIFY PROV standards]. 30-day access/correction SLA. Retention: 7y adult [CTV] / 25y mental health [CTV] / 10y-from-18 minor. Civil penalty: AUD 10,000 per body corporate (VCAT).',
+        keyRequirements: ['Research ethics gate (HPP 2.2)', '25-year mental health retention [CTV]', 'Access SLA 30 days (HPP 6)', 'Correction SLA 30 days (HPP 7)', 'Collection notice (HPP 1)', 'Minor retention 10y from age 18'],
+        aiRelevance: 'AI systems processing VIC health information must gate research secondary use (HPP 2.2), enforce 25-year retention for mental health records [CITATION TO VERIFY], and support 30-day access/correction SLAs under dual HCC + OVIC enforcement.',
+        controlCount: 6,
+    },
+    {
+        id: 'au-act-hrpaa',
+        name: 'ACT Health Records (Privacy and Access) Act 1997 (HRPAA)',
+        shortName: 'ACT HRPAA',
+        vertical: 'APAC',
+        jurisdiction: 'AU-ACT',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'ACT HRPAA 1997: 12 HPPs. ACT Human Rights Commission administered. HRPAA s.7 positive 30-day access right (stricter procedural framing than federal APP 12). HPP 10 data security. Retention: 7y from last service. Civil penalty: AUD 50,000 per body corporate (highest of three AU state health acts).',
+        keyRequirements: ['HRPAA s.7 access right 30-day SLA (CRITICAL)', 'Collection notice (HPP 5)', 'Data security AES-256 (HPP 10)', 'Correction SLA 30 days (HPP 7)', 'Retention 7y from last service'],
+        aiRelevance: 'AI systems processing ACT health information must support the HRPAA s.7 positive access right (30-day response), enforce HPP 10 data security, and comply with ACT Human Rights Commission enforcement. AUD 50,000 civil penalty is the highest of the three AU state health acts.',
+        controlCount: 5,
+    },
+];
+// ---------------------------------------------------------------------------
+// APAC PACKS (Asia-Pacific data-protection + AI governance, batched 2026-05-10)
+// ---------------------------------------------------------------------------
+const APAC_PACKS = [
+    {
+        id: 'jp-appi',
+        name: 'Japan APPI (Act on Protection of Personal Information)',
+        shortName: 'JP APPI',
+        vertical: 'APAC',
+        jurisdiction: 'JP',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'Japan Act on Protection of Personal Information (APPI). 2022 amendments tightened cross-border transfer rules, expanded data subject rights (disclosure / correction / deletion / suspension), and introduced mandatory PPC breach notification for high-risk incidents. PPC (Personal Information Protection Commission) is the regulator. Pseudonymously processed information + anonymously processed information distinction. Sensitive data category. Foreign third-party transfer requires consent or adequacy decision.',
+        keyRequirements: ['Lawful purpose specification', 'Sensitive data special handling', 'Cross-border transfer consent or adequacy', 'Mandatory PPC breach notification', 'Subject rights: disclosure / correction / deletion / suspension', 'Pseudonymously processed information regime', 'PPC enforcement surface'],
+        aiRelevance: 'AI agents handling Japanese personal information must surface PPC-aligned consent or adequacy at cross-border transfer boundaries, route subject rights requests through the audit chain, and support pseudonymously-processed-information workflow when used for analytics + ML.',
+        controlCount: 7,
+    },
+    {
+        id: 'kr-pipa',
+        name: 'South Korea PIPA (Personal Information Protection Act)',
+        shortName: 'KR PIPA',
+        vertical: 'APAC',
+        jurisdiction: 'KR',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'South Korea Personal Information Protection Act + 2023 amendments. PIPC (Personal Information Protection Commission) regulator. One of the strictest APAC frameworks: strict purpose limitation, broad sensitive-data definition (incl. unique identifiers), 24-hour breach notification for serious incidents, mandatory PIA for high-risk processing, restrictive cross-border transfer regime. Heavy penalties (up to 3% of total sales for serious violations).',
+        keyRequirements: ['Strict purpose limitation', 'Broad sensitive-data category', '24-hour PIPC breach notification (serious)', 'Mandatory PIA for high-risk processing', 'Cross-border transfer restrictions', 'Up to 3% of total sales penalty', 'PIPC enforcement surface'],
+        aiRelevance: 'AI agents acting on Korean personal information must run a PIA before high-risk processing, treat unique identifiers as sensitive, and route serious breaches into the 24-hour PIPC clock. Pairs with kr-pipa-isps overlay where information + communication services scope applies.',
+        controlCount: 7,
+    },
+    {
+        id: 'hk-pdpo',
+        name: 'Hong Kong Personal Data (Privacy) Ordinance (Cap. 486)',
+        shortName: 'HK PDPO',
+        vertical: 'APAC',
+        jurisdiction: 'HK',
+        status: 'ACTIVE',
+        priority: 'P2',
+        description: 'Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) + 2021 amendment criminalising doxxing. PCPD (Privacy Commissioner) regulator. Six Data Protection Principles (DPPs) covering collection, accuracy, retention, use, security, and access. AI-specific guidance from PCPD (2021): Ethical Development and Use of AI. Cross-border transfer provisions of s.33 not yet in force.',
+        keyRequirements: ['Six DPPs (collection / accuracy / retention / use / security / access)', 'Doxxing offence overlay (2021 amendment)', 'PCPD AI ethical-use guidance alignment', 'Direct marketing opt-out regime', 'Subject access + correction rights', 'Cross-border transfer (s.33 not in force)', 'PCPD enforcement surface'],
+        aiRelevance: 'AI agents acting on Hong Kong personal data must align with the Six DPPs, route subject access through the audit chain, and apply PCPD AI ethical-use guidance for high-impact decisions. Doxxing-overlay applies to any disclosure of personal data without consent.',
+        controlCount: 7,
+    },
+    {
+        id: 'in-dpdp',
+        name: 'India DPDP Act 2023 (Digital Personal Data Protection Act)',
+        shortName: 'IN DPDP',
+        vertical: 'APAC',
+        jurisdiction: 'IN',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'Digital Personal Data Protection Act 2023 (DPDP) — India\'s first comprehensive data protection statute. Data Protection Board of India enforcement. Consent-based regime with grounds-of-legitimate-use exceptions; child data special protection; significant Data Fiduciary classification (additional obligations); cross-border transfer per government notification. Penalties up to INR 250 crore per violation. AI-specific implementing rules in flight.',
+        keyRequirements: ['Consent + grounds-of-legitimate-use', 'Child data special protection (under-18)', 'Significant Data Fiduciary obligations', 'Cross-border transfer per government notification', 'Data Protection Officer designation', 'Up to INR 250 crore per violation', 'Data Protection Board of India enforcement'],
+        aiRelevance: 'AI agents acting on Indian personal data must surface lawful basis (consent or grounds-of-legitimate-use), apply child-data heightened protection, and route cross-border transfers per government notification. Significant Data Fiduciary status triggers DPO + audit + impact-assessment obligations.',
+        controlCount: 7,
+    },
+    {
+        id: 'sg-model-ai-gov',
+        name: 'Singapore PDPC Model AI Governance Framework + AI Verify',
+        shortName: 'SG Model AI Gov',
+        vertical: 'APAC',
+        jurisdiction: 'SG',
+        status: 'ACTIVE',
+        priority: 'P1',
+        description: 'Singapore PDPC Model AI Governance Framework (v2 2020) + AI Verify (2022) — voluntary but procurement-aligned AI governance reference. Eleven principles spanning internal governance, decisions, operations management, and stakeholder communications. AI Verify provides a testing toolkit for fairness + accountability + robustness. Pairs with PDPA (Singapore Personal Data Protection Act).',
+        keyRequirements: ['Internal governance structure principles', 'Decision-making framework principles', 'Operations management principles', 'Stakeholder communications principles', 'AI Verify testing toolkit alignment', 'Pairs with PDPA Singapore', 'IMDA + PDPC oversight'],
+        aiRelevance: 'AI agents marketed in Singapore should align with the PDPC Model AI Governance Framework principles + (where high-impact) run AI Verify tests. Voluntary but increasingly referenced by Singapore public-sector procurement and MAS for financial-services AI.',
+        controlCount: 7,
+    },
+    {
+        id: 'th-pdpa',
+        name: 'Thailand Personal Data Protection Act B.E. 2562 (2019)',
+        shortName: 'TH PDPA',
+        vertical: 'APAC',
+        jurisdiction: 'TH',
+        status: 'ACTIVE',
+        priority: 'P2',
+        description: 'Thailand Personal Data Protection Act (PDPA) — modelled on EU GDPR. PDPC Thailand regulator. Lawful bases (consent + 5 GDPR-style alternatives), sensitive data special category, 72-hour PDPC breach notification, cross-border transfer adequacy or appropriate safeguards, DPO designation for large processors. Penalties up to THB 5M + criminal liability for officers.',
+        keyRequirements: ['Lawful basis (consent + GDPR-style alternatives)', 'Sensitive data special category', '72-hour PDPC breach notification', 'Cross-border transfer adequacy / safeguards', 'DPO designation for large processors', 'Subject rights matching EU GDPR shape', 'PDPC Thailand enforcement'],
+        aiRelevance: 'AI agents acting on Thai personal data follow the GDPR-style flow — lawful basis, sensitive-data handling, 72-hour clock, DPO routing. Pack mirrors uk-gdpr / EU GDPR shape with TH-specific regulator + penalty surface.',
+        controlCount: 7,
+    },
+    {
+        id: 'vn-pdpd',
+        name: 'Vietnam Personal Data Protection Decree (Decree 13/2023/ND-CP)',
+        shortName: 'VN PDPD',
+        vertical: 'APAC',
+        jurisdiction: 'VN',
+        status: 'ACTIVE',
+        priority: 'P2',
+        description: 'Vietnam Personal Data Protection Decree 13/2023/ND-CP (in force 1 Jul 2023). Ministry of Public Security (MPS) and A05 cybercrime unit enforcement. Strict consent regime (express + informed + specific + voluntary), sensitive data category, 72-hour MPS breach notification, mandatory data-processing impact assessment + cross-border transfer impact assessment, mandatory in-country data-processing-impact-assessment dossier filed with MPS.',
+        keyRequirements: ['Express + informed + specific consent', 'Sensitive data category', '72-hour MPS breach notification', 'Mandatory DPIA + cross-border TIA', 'Filed dossier with MPS', 'A05 cybercrime unit oversight', 'In-country processing emphasis'],
+        aiRelevance: 'AI agents acting on Vietnamese personal data must collect express + informed + specific consent, file the DPIA + TIA dossier with MPS, and route 72-hour breach notifications through A05. Stricter and more procedural than the GDPR shape.',
+        controlCount: 7,
+    },
+    {
+        id: 'cn-dsl-csl',
+        name: 'China Data Security Law + Cybersecurity Law (DSL + CSL)',
+        shortName: 'CN DSL/CSL',
+        vertical: 'APAC',
+        jurisdiction: 'CN',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'China Data Security Law (2021) + Cybersecurity Law (2017) — companion statutes governing data classification, cross-border transfer, critical-information-infrastructure (CII) operator obligations, and data-export security assessment. CAC (Cyberspace Administration of China) regulator. Cross-border transfer requires CAC security assessment OR Standard Contract OR certification. Important Data + Core Data classifications carry export restrictions. PIPL (separate pack) handles the personal-data overlay.',
+        keyRequirements: ['Data classification (general / important / core)', 'CII operator obligations', 'Cross-border transfer: CAC assessment / Standard Contract / certification', 'Important Data + Core Data export restrictions', 'In-country data-localisation default', 'CAC enforcement surface', 'Pairs with PIPL for personal-data overlay'],
+        aiRelevance: 'AI agents acting on China-resident data must classify against general / important / core categories, route Important Data and Core Data cross-border transfers through CAC security assessment, and apply CII operator obligations where in scope. Pairs with PIPL (Personal Information Protection Law) — separate pack.',
+        controlCount: 7,
+    },
+    {
+        id: 'nz-privacy',
+        name: 'New Zealand Privacy Act 2020',
+        shortName: 'NZ Privacy',
+        vertical: 'APAC',
+        jurisdiction: 'NZ',
+        status: 'ACTIVE',
+        priority: 'P2',
+        description: 'New Zealand Privacy Act 2020 — replaces 1993 Act. OPC (Office of the Privacy Commissioner) regulator. 13 Information Privacy Principles (IPPs); mandatory notifiable privacy breach scheme (notify OPC + affected individuals as soon as practicable when breach causes serious harm); cross-border transfer comparable-protection requirement (IPP 12); access + correction rights. Stronger extra-territorial reach than 1993 Act.',
+        keyRequirements: ['13 IPPs (collection / use / disclosure / security / access / correction etc.)', 'Mandatory notifiable privacy breach scheme', 'Cross-border IPP 12 comparable-protection test', 'Subject access + correction rights', 'OPC compliance notice + access-direction enforcement', 'Extra-territorial reach', 'Pairs with HIPC for health information overlay'],
+        aiRelevance: 'AI agents acting on New Zealand personal information must surface IPP-aligned evidence, run the IPP 12 comparable-protection test before cross-border transfers, and route notifiable privacy breaches into the OPC notification scheme. Pairs with the Health Information Privacy Code where health data is in scope.',
+        controlCount: 7,
+    },
+];
+// ---------------------------------------------------------------------------
+// UK WAVE 2 PACKS (TIER 10-UK Wave 2, 2026-05-09)
+// ---------------------------------------------------------------------------
+const UK_WAVE2_PACKS = [
+    {
+        id: 'ncsc-ai-security',
+        name: 'NCSC Guidelines for Secure AI System Development (2024)',
+        shortName: 'NCSC AI Security',
+        vertical: 'Cybersecurity',
+        jurisdiction: 'UK',
+        status: 'ACTIVE',
+        priority: 'P0',
+        description: 'NCSC (UK) and 16 international partner guidelines covering four phases of secure AI system development: ' +
+            'Phase 1 secure design (threat modelling, supply-chain risk), Phase 2 secure development (dependency integrity, ' +
+            'model provenance), Phase 3 secure deployment (infrastructure hardening, access controls, deployment records), ' +
+            'Phase 4 secure operation and maintenance (monitoring, incident response, vulnerability disclosure, red-teaming). ' +
+            'Referenced by Crown Commercial Service procurement frameworks and Cabinet Office AI procurement guidance. ' +
+            'Source: NCSC Guidelines for secure AI system development (2024).',
+        keyRequirements: [
+            'AI threat model present and approved (Phase 1)',
+            'Model provenance and dataset lineage attested (Phase 1/2)',
+            'Dependency integrity verification active (Phase 2)',
+            'Model-weight integrity hash recorded and verified at deployment (Phase 2/3)',
+            'Secure deployment record with T2 approval gate for model swaps (Phase 3)',
+            'MFA + least-privilege for AI deployment pipelines (Phase 3)',
+            'Adversarial-input and prompt-injection monitoring active (Phase 4)',
+            'Red-team exercise completed annually or after material model changes (Phase 4)',
+            'AI-specific incident response path with 72-hour NCSC notification (Phase 4)',
+            'Responsible-disclosure process for AI-specific vulnerabilities (Phase 4)',
+            '7-year retention of all phase records (public-sector procurement)',
+        ],
+        aiRelevance: 'This pack IS the AI-specific secure-development lifecycle framework from NCSC. Every AI agent ' +
+            'deployment must evidence threat modelling, model provenance, secure deployment approval, and ' +
+            'adversarial monitoring. Model swaps require T2 Approval Queue. Prompt-injection incidents are ' +
+            'a first-class incident category requiring 72-hour NCSC notification.',
+        controlCount: 15,
+    },
+];
+// ---------------------------------------------------------------------------
+// PLANNED PACKS
+// ---------------------------------------------------------------------------
+const PLANNED_PACKS = [
+// All Phase 5 AU packs are now ACTIVE. No entries needed here.
+];
+// ---------------------------------------------------------------------------
+// Combined registry
+// ---------------------------------------------------------------------------
+exports.ALL_COMPLIANCE_PACKS = [
+    ...ACTIVE_PACKS,
+    ...AU_PACKS,
+    ...APAC_PACKS,
+    ...UK_WAVE2_PACKS,
+    ...PLANNED_PACKS,
+];
+function getPacksByVertical(vertical) {
+    return exports.ALL_COMPLIANCE_PACKS.filter(p => p.vertical === vertical);
+}
+function getPacksByStatus(status) {
+    return exports.ALL_COMPLIANCE_PACKS.filter(p => p.status === status);
+}
+function getPacksByPriority(priority) {
+    return exports.ALL_COMPLIANCE_PACKS.filter(p => p.priority === priority);
+}
+function getPackSummary() {
+    const verticals = [...new Set(exports.ALL_COMPLIANCE_PACKS.map(p => p.vertical))];
+    return {
+        totalPacks: exports.ALL_COMPLIANCE_PACKS.length,
+        active: exports.ALL_COMPLIANCE_PACKS.filter(p => p.status === 'ACTIVE').length,
+        planned: exports.ALL_COMPLIANCE_PACKS.filter(p => p.status === 'PLANNED').length,
+        research: exports.ALL_COMPLIANCE_PACKS.filter(p => p.status === 'RESEARCH').length,
+        byVertical: Object.fromEntries(verticals.map(v => [v, exports.ALL_COMPLIANCE_PACKS.filter(p => p.vertical === v).length])),
+        byPriority: {
+            P0: exports.ALL_COMPLIANCE_PACKS.filter(p => p.priority === 'P0').length,
+            P1: exports.ALL_COMPLIANCE_PACKS.filter(p => p.priority === 'P1').length,
+            P2: exports.ALL_COMPLIANCE_PACKS.filter(p => p.priority === 'P2').length,
+        },
+    };
+}
+//# sourceMappingURL=registry-expanded.js.map