{
 "schema_version": "1.0.0",
 "published": "2026-07-02",
 "description": "Machine-readable registry of all normative sources, standards, frameworks, and regulations referenced in Apeiris control matrices. Includes source_id, publisher, version, canonical URL, effective date, jurisdiction, normative force, and update cadence.",
 "total_sources": 300,
 "sources": [
  {
   "source_id": "eu_ai_act",
   "title": "EU AI Act",
   "full_title": "Regulation (EU) 2024/1689 on Artificial Intelligence",
   "publisher": "European Union",
   "publisher_type": "government",
   "version": "2024/1689",
   "canonical_url": "https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng",
   "published_date": "2024-07-12",
   "effective_date": "2024-08-01",
   "jurisdiction": [
    "eu"
   ],
   "normative_force": "binding-law",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "model",
    "privacy",
    "compliance",
    "identity",
    "agentic",
    "ethics",
    "resilience",
    "finance",
    "authority",
    "knowledge"
   ],
   "status": "current"
  },
  {
   "source_id": "iso_42001",
   "title": "ISO/IEC 42001:2023",
   "full_title": "ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System",
   "publisher": "ISO/IEC",
   "publisher_type": "standards-body",
   "version": "2023",
   "canonical_url": "https://www.iso.org/standard/81230.html",
   "published_date": "2023-12-01",
   "effective_date": "2023-12-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "certification-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "model",
    "compliance",
    "ethics",
    "finance",
    "authority",
    "agentic",
    "knowledge",
    "security",
    "privacy"
   ],
   "status": "current"
  },
  {
   "source_id": "nist_rmf",
   "title": "NIST AI RMF 1.0",
   "full_title": "NIST AI 100-1: Artificial Intelligence Risk Management Framework",
   "publisher": "National Institute of Standards and Technology",
   "publisher_type": "government-agency",
   "version": "1.0",
   "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
   "published_date": "2023-01-26",
   "effective_date": "2023-01-26",
   "jurisdiction": [
    "us",
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "model",
    "agentic",
    "ethics",
    "resilience",
    "finance",
    "authority",
    "knowledge",
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "dora",
   "title": "EU DORA",
   "full_title": "Regulation (EU) 2022/2554 \u2014 Digital Operational Resilience Act",
   "publisher": "European Union",
   "publisher_type": "government",
   "version": "2022/2554",
   "canonical_url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj",
   "published_date": "2022-12-27",
   "effective_date": "2025-01-17",
   "jurisdiction": [
    "eu"
   ],
   "normative_force": "binding-law",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "compliance",
    "resilience",
    "finance"
   ],
   "status": "current"
  },
  {
   "source_id": "sr26_2",
   "title": "Federal Reserve SR 26-2",
   "full_title": "SR 26-2: Revised Guidance on Model Risk Management",
   "publisher": "Federal Reserve System",
   "publisher_type": "government-agency",
   "version": "2026",
   "canonical_url": "https://www.federalreserve.gov/supervisionreg/srletters/SR2602.htm",
   "published_date": "2026-04-17",
   "effective_date": "2026-04-17",
   "jurisdiction": [
    "us"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "model",
    "compliance",
    "finance"
   ],
   "status": "current",
   "notes": "Supersedes SR 11-7 and SR 21-8"
  },
  {
   "source_id": "gdpr",
   "title": "GDPR",
   "full_title": "Regulation (EU) 2016/679 \u2014 General Data Protection Regulation",
   "publisher": "European Union",
   "publisher_type": "government",
   "version": "2016/679",
   "canonical_url": "https://eur-lex.europa.eu/eli/reg/2016/679/oj",
   "published_date": "2016-04-27",
   "effective_date": "2018-05-25",
   "jurisdiction": [
    "eu"
   ],
   "normative_force": "binding-law",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "privacy",
    "compliance"
   ],
   "status": "current"
  },
  {
   "source_id": "iso_27001",
   "title": "ISO/IEC 27001:2022",
   "full_title": "ISO/IEC 27001:2022 \u2014 Information Security Management Systems",
   "publisher": "ISO/IEC",
   "publisher_type": "standards-body",
   "version": "2022",
   "canonical_url": "https://www.iso.org/standard/27001",
   "published_date": "2022-10-25",
   "effective_date": "2022-10-25",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "certification-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "security",
    "identity",
    "compliance"
   ],
   "status": "current"
  },
  {
   "source_id": "nist_csf",
   "title": "NIST CSF 2.0",
   "full_title": "NIST Cybersecurity Framework 2.0",
   "publisher": "National Institute of Standards and Technology",
   "publisher_type": "government-agency",
   "version": "2.0",
   "canonical_url": "https://doi.org/10.6028/NIST.CSWP.29",
   "published_date": "2024-02-26",
   "effective_date": "2024-02-26",
   "jurisdiction": [
    "us",
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "security",
    "resilience"
   ],
   "status": "current"
  },
  {
   "source_id": "mitre_atlas",
   "title": "MITRE ATLAS",
   "full_title": "MITRE ATLAS \u2014 Adversarial Threat Landscape for AI Systems",
   "publisher": "MITRE Corporation",
   "publisher_type": "industry-body",
   "version": "v2026.06",
   "canonical_url": "https://atlas.mitre.org/",
   "published_date": "2020-01-01",
   "content_release_date": "2026-06-30",
   "data_format_version": "6.0.0",
   "retrieved_on": "2026-07-05",
   "data_checksum": "sha256:b771de8b1489564b2838a709c7429849a9575dbd94073928817fe1a21661e70a",
   "release_commit_sha": "651dad90d3c007e797c89356fa1f4d8732f90c8d",
   "verification_channels": "content hash from raw.githubusercontent.com + release commit sha from api.github.com (distinct); atlas-drift detects a re-pointed tag",
   "data_url": "https://github.com/mitre-atlas/atlas-data/blob/v2026.06/dist/v6/ATLAS-2026.06.yaml",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "continuous",
   "primary_domains": [
    "security",
    "model",
    "agentic"
   ],
   "status": "current"
  },
  {
   "source_id": "nist_ai_600_1",
   "title": "NIST AI 600-1",
   "full_title": "NIST AI 600-1: Artificial Intelligence Risk Management Framework for Generative AI",
   "publisher": "National Institute of Standards and Technology",
   "publisher_type": "government-agency",
   "version": "1.0",
   "canonical_url": "https://doi.org/10.6028/NIST.AI.600-1",
   "published_date": "2024-07-26",
   "effective_date": "2024-07-26",
   "jurisdiction": [
    "us",
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "model",
    "ethics",
    "agentic",
    "security"
   ],
   "status": "current",
   "notes": "GenAI companion/profile for NIST AI RMF 1.0"
  },
  {
   "source_id": "owasp_llm10",
   "title": "OWASP LLM Top 10 2025",
   "full_title": "OWASP Top 10 for Large Language Model Applications 2025 v2.0",
   "publisher": "OWASP Foundation",
   "publisher_type": "industry-body",
   "version": "2.0",
   "canonical_url": "https://genai.owasp.org/llm-top-10/",
   "published_date": "2025-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "versioned",
   "primary_domains": [
    "security",
    "agentic"
   ],
   "status": "current"
  },
  {
   "source_id": "nist_800_53",
   "title": "NIST SP 800-53 Rev 5",
   "full_title": "NIST SP 800-53 Rev 5 \u2014 Security and Privacy Controls for Information Systems",
   "publisher": "National Institute of Standards and Technology",
   "publisher_type": "government-agency",
   "version": "Rev 5",
   "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
   "published_date": "2020-09-23",
   "effective_date": "2020-09-23",
   "jurisdiction": [
    "us"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "security",
    "agentic",
    "authority"
   ],
   "status": "current"
  },
  {
   "source_id": "iso_8000",
   "title": "ISO 8000 Data Quality",
   "full_title": "ISO 8000 \u2014 Data Quality (Parts 8, 61, 110, 120)",
   "publisher": "ISO",
   "publisher_type": "standards-body",
   "version": "multi-part (8:2015, 61:2016, 110:2021, 120:2016)",
   "canonical_url": "https://www.iso.org/standard/60805.html",
   "published_date": "2022-01-01",
   "effective_date": "2022-01-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "knowledge",
    "data"
   ],
   "status": "current",
   "url_verified": true
  },
  {
   "source_id": "iso_5259",
   "title": "ISO/IEC 5259",
   "full_title": "ISO/IEC 5259 \u2014 Artificial intelligence \u2014 Data quality for analytics and machine learning (Part 1: overview, terminology and examples)",
   "publisher": "ISO/IEC",
   "publisher_type": "standards-body",
   "version": "2024",
   "canonical_url": "https://www.iso.org/standard/81088.html",
   "published_date": "2024-01-01",
   "effective_date": "2024-01-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "knowledge",
    "data"
   ],
   "status": "current",
   "url_verified": true
  },
  {
   "source_id": "w3c_prov",
   "title": "W3C PROV Data Model",
   "full_title": "W3C PROV-DM: The PROV Data Model",
   "publisher": "World Wide Web Consortium",
   "publisher_type": "standards-body",
   "version": "1.0",
   "canonical_url": "https://www.w3.org/TR/prov-dm/",
   "published_date": "2013-04-30",
   "effective_date": "2013-04-30",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "knowledge",
    "data"
   ],
   "status": "current"
  },
  {
   "source_id": "nist_sp800_188",
   "title": "NIST SP 800-188",
   "full_title": "NIST SP 800-188 \u2014 De-Identification of Government Datasets",
   "publisher": "National Institute of Standards and Technology",
   "publisher_type": "government-agency",
   "version": "2",
   "canonical_url": "https://doi.org/10.6028/NIST.SP.800-188",
   "published_date": "2023-05-01",
   "effective_date": "2023-05-01",
   "jurisdiction": [
    "us"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "knowledge",
    "data",
    "privacy"
   ],
   "status": "current",
   "url_verified": false
  },
  {
   "source_id": "ccpa",
   "title": "CCPA/CPRA",
   "full_title": "California Consumer Privacy Act (2018) + California Privacy Rights Act (2020)",
   "publisher": "State of California",
   "publisher_type": "government",
   "version": "CPRA 2020",
   "canonical_url": "https://cppa.ca.gov/regulations/",
   "published_date": "2020-11-03",
   "effective_date": "2023-01-01",
   "jurisdiction": [
    "us-ca"
   ],
   "normative_force": "regulation",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "privacy",
    "compliance"
   ],
   "status": "current"
  },
  {
   "source_id": "dpdp",
   "title": "India DPDP Act 2023",
   "full_title": "Digital Personal Data Protection Act 2023 + DPDP Rules 2025",
   "publisher": "Government of India",
   "publisher_type": "government",
   "version": "Act 2023 + DPDP Rules 2025 (G.S.R. 846(E), notified 2025-11-13)",
   "canonical_url": "https://www.meity.gov.in/data-protection-framework",
   "published_date": "2023-08-11",
   "effective_date": "2025-01-01",
   "jurisdiction": [
    "in"
   ],
   "normative_force": "binding-law",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "privacy",
    "compliance"
   ],
   "status": "current",
   "url_verified": false
  },
  {
   "source_id": "lgpd",
   "title": "Brazil LGPD",
   "full_title": "Lei Geral de Prote\u00e7\u00e3o de Dados (Law 13,709/2018)",
   "publisher": "Government of Brazil",
   "publisher_type": "government",
   "version": "13709/2018",
   "canonical_url": "https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm",
   "published_date": "2018-08-14",
   "effective_date": "2020-09-18",
   "jurisdiction": [
    "br"
   ],
   "normative_force": "binding-law",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "privacy",
    "compliance"
   ],
   "status": "current"
  },
  {
   "source_id": "pipeda",
   "title": "Canada PIPEDA",
   "full_title": "Personal Information Protection and Electronic Documents Act (Canada)",
   "publisher": "Government of Canada",
   "publisher_type": "government",
   "version": "2000",
   "canonical_url": "https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/",
   "published_date": "2000-04-13",
   "effective_date": "2001-01-01",
   "jurisdiction": [
    "ca"
   ],
   "normative_force": "binding-law",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "privacy",
    "compliance"
   ],
   "status": "current",
   "notes": "Track C-36 (successor bill) for in-force date"
  },
  {
   "source_id": "iso_27701",
   "title": "ISO/IEC 27701:2019",
   "full_title": "ISO/IEC 27701:2019 \u2014 Privacy Information Management System",
   "publisher": "ISO/IEC",
   "publisher_type": "standards-body",
   "version": "2019 (superseded by ISO/IEC 27701:2025, published 2025-10-14; 24-36 month certification transition)",
   "canonical_url": "https://www.iso.org/standard/71670.html",
   "published_date": "2019-08-06",
   "effective_date": "2019-08-06",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "certification-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "privacy",
    "compliance"
   ],
   "status": "current"
  },
  {
   "source_id": "nist_pf",
   "title": "NIST Privacy Framework 1.0",
   "full_title": "NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management",
   "publisher": "National Institute of Standards and Technology",
   "publisher_type": "government-agency",
   "version": "1.0",
   "canonical_url": "https://www.nist.gov/privacy-framework",
   "published_date": "2020-01-16",
   "effective_date": "2020-01-16",
   "jurisdiction": [
    "us",
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "privacy",
    "compliance"
   ],
   "status": "current"
  },
  {
   "source_id": "iso_29100",
   "title": "ISO/IEC 29100:2011",
   "full_title": "ISO/IEC 29100:2011 \u2014 Information Technology Privacy Framework",
   "publisher": "ISO/IEC",
   "publisher_type": "standards-body",
   "version": "2011",
   "canonical_url": "https://www.iso.org/standard/45123.html",
   "published_date": "2011-12-15",
   "effective_date": "2011-12-15",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "privacy"
   ],
   "status": "current"
  },
  {
   "source_id": "uk_duaa",
   "title": "UK Data (Use and Access) Act 2025",
   "full_title": "Data (Use and Access) Act 2025",
   "publisher": "UK Parliament",
   "publisher_type": "government",
   "version": "2025 c. 18",
   "canonical_url": "https://www.legislation.gov.uk/ukpga/2025/18",
   "published_date": "2025-06-19",
   "effective_date": "2025-06-19",
   "jurisdiction": [
    "uk"
   ],
   "normative_force": "binding-law",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "privacy",
    "compliance"
   ],
   "status": "current",
   "url_verified": false
  },
  {
   "source_id": "edpb_opinion_28_2024",
   "title": "EDPB Opinion 28/2024",
   "full_title": "Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models",
   "publisher": "European Data Protection Board",
   "publisher_type": "government-agency",
   "version": "28/2024",
   "canonical_url": "https://www.edpb.europa.eu/documents/opinion-of-the-board-art-64/opinion-282024-on-certain-data-protection-aspects-related-to_en",
   "published_date": "2024-12-17",
   "effective_date": "2024-12-17",
   "jurisdiction": [
    "eu"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "privacy"
   ],
   "status": "current"
  },
  {
   "source_id": "nist_800_63",
   "title": "NIST SP 800-63-4",
   "full_title": "NIST SP 800-63-4 \u2014 Digital Identity Guidelines",
   "publisher": "National Institute of Standards and Technology",
   "publisher_type": "government-agency",
   "version": "4",
   "canonical_url": "https://doi.org/10.6028/NIST.SP.800-63-4",
   "published_date": "2025-07-31",
   "effective_date": "2025-07-31",
   "jurisdiction": [
    "us",
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "identity",
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "nist_zt",
   "title": "NIST SP 800-207",
   "full_title": "NIST SP 800-207 \u2014 Zero Trust Architecture",
   "publisher": "National Institute of Standards and Technology",
   "publisher_type": "government-agency",
   "version": "1",
   "canonical_url": "https://doi.org/10.6028/NIST.SP.800-207",
   "published_date": "2020-08-11",
   "effective_date": "2020-08-11",
   "jurisdiction": [
    "us",
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "identity",
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "openid",
   "title": "OpenID Connect + OAuth 2.0 + RFC 9396",
   "full_title": "OpenID Connect 1.0 + OAuth 2.0 (RFC 6749) + RFC 9396 Rich Authorization Requests + RFC 8693 Token Exchange + RFC 9449 DPoP",
   "publisher": "IETF / OpenID Foundation",
   "publisher_type": "standards-body",
   "version": "1.0 / RFC 9396",
   "canonical_url": "https://www.rfc-editor.org/rfc/rfc9396",
   "published_date": "2023-08-01",
   "effective_date": "2023-08-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "identity",
    "security",
    "agentic",
    "authority"
   ],
   "status": "current"
  },
  {
   "source_id": "w3c_did",
   "title": "W3C DID v1.0",
   "full_title": "W3C Decentralized Identifiers (DIDs) v1.0",
   "publisher": "World Wide Web Consortium",
   "publisher_type": "standards-body",
   "version": "1.0",
   "canonical_url": "https://www.w3.org/TR/did-core/",
   "published_date": "2022-07-19",
   "effective_date": "2022-07-19",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "identity"
   ],
   "status": "current"
  },
  {
   "source_id": "scim",
   "title": "SCIM 2.0",
   "full_title": "SCIM 2.0 \u2014 System for Cross-domain Identity Management (RFC 7643, RFC 7644)",
   "publisher": "IETF",
   "publisher_type": "standards-body",
   "version": "2.0",
   "canonical_url": "https://www.rfc-editor.org/rfc/rfc7644",
   "published_date": "2015-09-01",
   "effective_date": "2015-09-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "identity"
   ],
   "status": "current"
  },
  {
   "source_id": "eidas2",
   "title": "eIDAS 2.0",
   "full_title": "Regulation (EU) 2024/1183 \u2014 eIDAS 2.0 (Electronic Identification and Trust Services)",
   "publisher": "European Union",
   "publisher_type": "government",
   "version": "2024/1183",
   "canonical_url": "https://eur-lex.europa.eu/eli/reg/2024/1183/oj",
   "published_date": "2024-04-11",
   "effective_date": "2024-05-20",
   "jurisdiction": [
    "eu"
   ],
   "normative_force": "binding-law",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "identity",
    "compliance"
   ],
   "status": "current"
  },
  {
   "source_id": "iso_24760",
   "title": "ISO/IEC 24760 series",
   "full_title": "ISO/IEC 24760 \u2014 IT Security Techniques: Identity Management",
   "publisher": "ISO/IEC",
   "publisher_type": "standards-body",
   "version": "2019",
   "canonical_url": "https://www.iso.org/standard/77582.html",
   "published_date": "2019-05-29",
   "effective_date": "2019-06-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "identity"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "ISO/IEC 24760-1:2019 was withdrawn 2025-09-16 and replaced by ISO/IEC 24760-1:2025. Governance/audit citations in control matrices reference ISO/IEC 24760-2:2015 (Reference architecture and requirements)."
  },
  {
   "source_id": "cisa_zt",
   "title": "CISA Zero Trust Maturity Model v2.0",
   "full_title": "CISA Zero Trust Maturity Model Version 2.0",
   "publisher": "Cybersecurity and Infrastructure Security Agency",
   "publisher_type": "government-agency",
   "version": "2.0",
   "canonical_url": "https://www.cisa.gov/resources-tools/resources/zero-trust-maturity-model",
   "published_date": "2023-04-11",
   "effective_date": "2023-04-11",
   "jurisdiction": [
    "us"
   ],
   "normative_force": "best-practice",
   "update_cadence": "versioned",
   "primary_domains": [
    "identity",
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "hashicorp_vault_aar_2026",
   "title": "HashiCorp Vault AI Agent Authorization Pattern",
   "full_title": "HashiCorp Vault: Advancing AI Agent Security with OAuth 2.0 Rich Authorization Requests",
   "publisher": "HashiCorp (IBM)",
   "publisher_type": "vendor",
   "version": "2026",
   "canonical_url": "https://www.hashicorp.com/en/blog/advancing-ai-agent-security-in-vault",
   "published_date": "2026-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "identity",
    "authority",
    "agentic",
    "security"
   ],
   "status": "current",
   "notes": "Enterprise implementation pattern for per-request agent authorization via OAuth 2.0 RAR (RFC 9396). Normative anchor: openid (RFC 9396). Use as implementation signal only.",
   "url_verified": false
  },
  {
   "source_id": "nis2",
   "title": "EU NIS2 Directive",
   "full_title": "Directive (EU) 2022/2555 \u2014 Network and Information Security 2",
   "publisher": "European Union",
   "publisher_type": "government",
   "version": "2022/2555",
   "canonical_url": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
   "published_date": "2022-12-27",
   "effective_date": "2023-01-16",
   "jurisdiction": [
    "eu"
   ],
   "normative_force": "directive-transposed-nationally",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "compliance",
    "resilience",
    "security"
   ],
   "status": "current",
   "notes": "Member states had until Oct 17 2024 to transpose"
  },
  {
   "source_id": "fedramp",
   "title": "FedRAMP",
   "full_title": "Federal Risk and Authorization Management Program",
   "publisher": "US General Services Administration",
   "publisher_type": "government-agency",
   "version": "Rev 5",
   "canonical_url": "https://www.fedramp.gov/",
   "published_date": "2023-01-01",
   "effective_date": "2023-01-01",
   "jurisdiction": [
    "us"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "versioned",
   "primary_domains": [
    "compliance",
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "hipaa",
   "title": "HIPAA",
   "full_title": "Health Insurance Portability and Accountability Act (1996) + HITECH",
   "publisher": "US Congress / US HHS",
   "publisher_type": "government",
   "version": "1996",
   "canonical_url": "https://www.hhs.gov/hipaa/",
   "published_date": "1996-08-21",
   "effective_date": "2003-04-14",
   "jurisdiction": [
    "us"
   ],
   "normative_force": "binding-law",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "compliance",
    "privacy"
   ],
   "status": "current"
  },
  {
   "source_id": "soc2",
   "title": "SOC 2 TSC",
   "full_title": "SOC 2 Trust Service Criteria (AICPA)",
   "publisher": "AICPA",
   "publisher_type": "standards-body",
   "version": "2022",
   "canonical_url": "https://www.aicpa-cima.com/resources/download/2017-trust-services-criteria",
   "published_date": "2022-04-01",
   "effective_date": "2022-04-01",
   "jurisdiction": [
    "us",
    "global"
   ],
   "normative_force": "certification-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "compliance",
    "security"
   ],
   "status": "current",
   "url_verified": false
  },
  {
   "source_id": "iso_37301",
   "title": "ISO 37301:2021",
   "full_title": "ISO 37301:2021 \u2014 Compliance Management Systems",
   "publisher": "ISO",
   "publisher_type": "standards-body",
   "version": "2021",
   "canonical_url": "https://www.iso.org/standard/75080.html",
   "published_date": "2021-04-13",
   "effective_date": "2021-04-13",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "certification-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "authority",
    "compliance"
   ],
   "status": "current"
  },
  {
   "source_id": "cobit_2019",
   "title": "COBIT 2019",
   "full_title": "ISACA COBIT 2019 \u2014 Governance and Management of Enterprise IT",
   "publisher": "ISACA",
   "publisher_type": "industry-body",
   "version": "2019",
   "canonical_url": "https://www.isaca.org/resources/cobit",
   "published_date": "2018-11-12",
   "effective_date": "2018-11-12",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "versioned",
   "primary_domains": [
    "compliance",
    "data"
   ],
   "status": "current"
  },
  {
   "source_id": "ecoa",
   "title": "ECOA + Regulation B",
   "full_title": "Equal Credit Opportunity Act + Federal Reserve Regulation B",
   "publisher": "US Congress / Federal Reserve",
   "publisher_type": "government",
   "version": "current",
   "canonical_url": "https://www.consumerfinance.gov/rules-policy/regulations/1002/",
   "published_date": "1974-10-28",
   "effective_date": "1974-10-28",
   "jurisdiction": [
    "us"
   ],
   "normative_force": "binding-law",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "finance",
    "ethics"
   ],
   "status": "current"
  },
  {
   "source_id": "fcra",
   "title": "FCRA",
   "full_title": "Fair Credit Reporting Act",
   "publisher": "US Congress",
   "publisher_type": "government",
   "version": "current",
   "canonical_url": "https://www.ftc.gov/legal-library/browse/statutes/fair-credit-reporting-act",
   "published_date": "1970-10-26",
   "effective_date": "1970-10-26",
   "jurisdiction": [
    "us"
   ],
   "normative_force": "binding-law",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "finance",
    "ethics"
   ],
   "status": "current"
  },
  {
   "source_id": "eba_gl_2020_06",
   "title": "EBA GL/2020/06",
   "full_title": "EBA Guidelines on ICT and Security Risk Management",
   "publisher": "European Banking Authority",
   "publisher_type": "government-agency",
   "version": "2020",
   "canonical_url": "https://www.eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-ict-and-security-risk-management",
   "published_date": "2019-11-28",
   "effective_date": "2020-06-30",
   "jurisdiction": [
    "eu"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "finance",
    "security"
   ],
   "status": "current",
   "url_verified": false
  },
  {
   "source_id": "cfpb_ai",
   "title": "CFPB AI Guidance",
   "full_title": "CFPB Guidance on AI and Automated Decision-Making in Consumer Finance",
   "publisher": "Consumer Financial Protection Bureau",
   "publisher_type": "government-agency",
   "version": "2024",
   "canonical_url": "https://www.consumerfinance.gov/compliance/supervisory-guidance/",
   "published_date": "2024-01-01",
   "effective_date": "2024-01-01",
   "jurisdiction": [
    "us"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "finance",
    "ethics"
   ],
   "status": "current",
   "url_verified": false
  },
  {
   "source_id": "bcbs_239",
   "title": "BCBS 239",
   "full_title": "BCBS 239 \u2014 Principles for Effective Risk Data Aggregation and Risk Reporting",
   "publisher": "Basel Committee on Banking Supervision",
   "publisher_type": "government-agency",
   "version": "2013",
   "canonical_url": "https://www.bis.org/publ/bcbs239.htm",
   "published_date": "2013-01-09",
   "effective_date": "2016-01-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "finance",
    "data"
   ],
   "status": "current"
  },
  {
   "source_id": "sox",
   "title": "Sarbanes-Oxley Act",
   "full_title": "Sarbanes-Oxley Act of 2002 \u2014 \u00a7\u00a7301 (audit committees), 302 (corporate responsibility for financial reports), 404 (management assessment of internal controls), 409 (real-time issuer disclosures), 802 (records retention)",
   "publisher": "US Congress",
   "publisher_type": "government",
   "version": "2002",
   "canonical_url": "https://www.govinfo.gov/content/pkg/PLAW-107publ204/pdf/PLAW-107publ204.pdf",
   "published_date": "2002-07-30",
   "effective_date": "2002-07-30",
   "jurisdiction": [
    "us"
   ],
   "normative_force": "binding-law",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "finance",
    "compliance",
    "authority"
   ],
   "status": "current"
  },
  {
   "source_id": "coso_icfr",
   "title": "COSO ICFR 2013",
   "full_title": "COSO Internal Control \u2014 Integrated Framework 2013",
   "publisher": "Committee of Sponsoring Organizations (COSO)",
   "publisher_type": "industry-body",
   "version": "2013",
   "canonical_url": "https://www.coso.org/Guidance/Pages/Internal-Control.aspx",
   "published_date": "2013-05-14",
   "effective_date": "2013-05-14",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "finance",
    "compliance"
   ],
   "status": "current",
   "url_verified": false
  },
  {
   "source_id": "omb_a_123",
   "title": "OMB Circular A-123",
   "full_title": "OMB Circular A-123 \u2014 Management's Responsibility for Enterprise Risk Management",
   "publisher": "US Office of Management and Budget",
   "publisher_type": "government-agency",
   "version": "2016",
   "canonical_url": "https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A123/a123_rev.pdf",
   "published_date": "2016-07-15",
   "effective_date": "2016-07-15",
   "jurisdiction": [
    "us"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "finance",
    "compliance"
   ],
   "status": "current",
   "url_verified": false
  },
  {
   "source_id": "pcaob_as_2201",
   "title": "PCAOB AS 2201",
   "full_title": "PCAOB AS 2201 \u2014 Auditing Internal Control Over Financial Reporting",
   "publisher": "Public Company Accounting Oversight Board",
   "publisher_type": "government-agency",
   "version": "2020",
   "canonical_url": "https://pcaobus.org/Standards/Auditing/Pages/AS2201.aspx",
   "published_date": "2020-01-01",
   "effective_date": "2020-01-01",
   "jurisdiction": [
    "us"
   ],
   "normative_force": "certification-standard",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "finance",
    "compliance"
   ],
   "status": "current",
   "url_verified": false
  },
  {
   "source_id": "iso_22301",
   "title": "ISO 22301:2019",
   "full_title": "ISO 22301:2019 \u2014 Business Continuity Management Systems",
   "publisher": "ISO",
   "publisher_type": "standards-body",
   "version": "2019",
   "canonical_url": "https://www.iso.org/standard/75106.html",
   "published_date": "2019-10-31",
   "effective_date": "2019-10-31",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "certification-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "resilience",
    "compliance"
   ],
   "status": "current"
  },
  {
   "source_id": "iso_27031",
   "title": "ISO/IEC 27031:2025",
   "full_title": "ISO/IEC 27031:2025 \u2014 ICT Readiness for Business Continuity",
   "publisher": "ISO/IEC",
   "publisher_type": "standards-body",
   "version": "2025",
   "canonical_url": "https://www.iso.org/obp/ui/en/#iso:std:iso-iec:27031:ed-2:v1:en",
   "published_date": "2025-05-01",
   "effective_date": "2025-05-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "resilience"
   ],
   "status": "current",
   "notes": "Second edition (May 2025); replaces ISO/IEC 27031:2011, which is withdrawn. Clause numbering follows the 2025 edition: Cl. 8 RTO/RPO, Cl. 9 IRBC strategies, Cl. 10 IRBC plans, Cl. 11 testing/exercising/audit, Cl. 13 management evaluation."
  },
  {
   "source_id": "nist_sp800_34",
   "title": "NIST SP 800-34 Rev 1",
   "full_title": "NIST SP 800-34 Rev 1 \u2014 Contingency Planning Guide for Federal Information Systems",
   "publisher": "National Institute of Standards and Technology",
   "publisher_type": "government-agency",
   "version": "Rev 1",
   "canonical_url": "https://doi.org/10.6028/NIST.SP.800-34r1",
   "published_date": "2010-05-01",
   "effective_date": "2010-05-01",
   "jurisdiction": [
    "us"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "resilience"
   ],
   "status": "current",
   "notes": "2010 \u2014 predates AI; informative only"
  },
  {
   "source_id": "iec_62443",
   "title": "IEC 62443",
   "full_title": "IEC 62443 \u2014 Industrial Automation and Control Systems Security",
   "publisher": "IEC",
   "publisher_type": "standards-body",
   "version": "2018",
   "canonical_url": "https://www.iec.ch/homepage",
   "published_date": "2018-01-01",
   "effective_date": "2018-01-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "certification-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "resilience",
    "security"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "OT/cyber-physical systems focus"
  },
  {
   "source_id": "cobit_dss04",
   "title": "COBIT DSS04",
   "full_title": "ISACA COBIT DSS04 \u2014 Managed Continuity",
   "publisher": "ISACA",
   "publisher_type": "industry-body",
   "version": "2024",
   "canonical_url": "https://www.isaca.org/resources/cobit",
   "published_date": "2024-01-01",
   "effective_date": "2024-01-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "versioned",
   "primary_domains": [
    "resilience",
    "compliance"
   ],
   "status": "current"
  },
  {
   "source_id": "cis_controls_v8",
   "title": "CIS Controls v8",
   "full_title": "CIS Critical Security Controls Version 8",
   "publisher": "Center for Internet Security",
   "publisher_type": "industry-body",
   "version": "8",
   "canonical_url": "https://www.cisecurity.org/controls/v8",
   "published_date": "2021-05-18",
   "effective_date": "2021-05-18",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "versioned",
   "primary_domains": [
    "resilience",
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "nist_800_160_v2",
   "title": "NIST SP 800-160 Vol 2",
   "full_title": "NIST SP 800-160 Vol 2 Rev 1 \u2014 Developing Cyber-Resilient Systems",
   "publisher": "National Institute of Standards and Technology",
   "publisher_type": "government-agency",
   "version": "Rev 1",
   "canonical_url": "https://doi.org/10.6028/NIST.SP.800-160v2r1",
   "published_date": "2021-12-01",
   "effective_date": "2021-12-01",
   "jurisdiction": [
    "us",
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "resilience",
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "ieee_7000",
   "title": "IEEE 7000:2021",
   "full_title": "IEEE 7000:2021 \u2014 Model Process for Addressing Ethical Concerns During System Design",
   "publisher": "IEEE",
   "publisher_type": "standards-body",
   "version": "2021",
   "canonical_url": "https://standards.ieee.org/ieee/7000/6781/",
   "published_date": "2021-06-29",
   "effective_date": "2021-06-29",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "ethics"
   ],
   "status": "current"
  },
  {
   "source_id": "iso_24027",
   "title": "ISO/IEC 24027:2021",
   "full_title": "ISO/IEC 24027:2021 \u2014 Artificial Intelligence: Bias in AI Systems and AI Aided Decision Making",
   "publisher": "ISO/IEC",
   "publisher_type": "standards-body",
   "version": "2021",
   "canonical_url": "https://www.iso.org/standard/77607.html",
   "published_date": "2021-10-12",
   "effective_date": "2021-10-12",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "ethics",
    "model"
   ],
   "status": "current"
  },
  {
   "source_id": "nyc_ll144",
   "title": "NYC Local Law 144",
   "full_title": "NYC Local Law 144 (2021) \u2014 Automated Employment Decision Tools",
   "publisher": "New York City",
   "publisher_type": "government",
   "version": "2021",
   "canonical_url": "https://www.nyc.gov/site/dca/about/automated-employment-decision-tools.page",
   "published_date": "2021-12-11",
   "effective_date": "2023-07-05",
   "jurisdiction": [
    "us-ny"
   ],
   "normative_force": "regulation",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "ethics",
    "compliance"
   ],
   "status": "current"
  },
  {
   "source_id": "co_ai_act",
   "title": "Colorado AI Act SB 26-189",
   "full_title": "Colorado AI Act \u2014 Senate Bill 26-189",
   "publisher": "State of Colorado",
   "publisher_type": "government",
   "version": "SB 26-189",
   "canonical_url": "https://leg.colorado.gov/",
   "published_date": "2026-01-01",
   "effective_date": "2027-01-01",
   "jurisdiction": [
    "us-co"
   ],
   "normative_force": "binding-law",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "ethics",
    "compliance"
   ],
   "status": "current",
   "notes": "Replaces SB 24-205 (repealed 2026-05-14). Verify at leg.colorado.gov.",
   "url_verified": false
  },
  {
   "source_id": "acm_ethics",
   "title": "ACM Code of Ethics 2018",
   "full_title": "ACM Code of Ethics and Professional Conduct 2018",
   "publisher": "Association for Computing Machinery",
   "publisher_type": "industry-body",
   "version": "2018",
   "canonical_url": "https://www.acm.org/code-of-ethics",
   "published_date": "2018-07-22",
   "effective_date": "2018-07-22",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "ethics"
   ],
   "status": "current"
  },
  {
   "source_id": "eu_charter",
   "title": "EU Charter of Fundamental Rights",
   "full_title": "Charter of Fundamental Rights of the European Union (2012/C 326/02)",
   "publisher": "European Union",
   "publisher_type": "government",
   "version": "2012",
   "canonical_url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT",
   "published_date": "2012-10-26",
   "effective_date": "2009-12-01",
   "jurisdiction": [
    "eu"
   ],
   "normative_force": "binding-law",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "ethics",
    "compliance"
   ],
   "status": "current"
  },
  {
   "source_id": "oecd_ai_principles",
   "title": "OECD AI Principles",
   "full_title": "OECD Recommendation on Artificial Intelligence (2019, updated 2024)",
   "publisher": "OECD",
   "publisher_type": "industry-body",
   "version": "2024",
   "canonical_url": "https://oecd.ai/en/ai-principles",
   "published_date": "2024-05-03",
   "effective_date": "2024-05-03",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "ethics",
    "model",
    "governance"
   ],
   "status": "current"
  },
  {
   "source_id": "un_ethics_ai",
   "title": "UNESCO AI Ethics Recommendation",
   "full_title": "UNESCO Recommendation on the Ethics of Artificial Intelligence",
   "publisher": "UNESCO",
   "publisher_type": "industry-body",
   "version": "2021",
   "canonical_url": "https://unesdoc.unesco.org/ark:/48223/pf0000381137",
   "published_date": "2021-11-24",
   "effective_date": "2021-11-24",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "ethics"
   ],
   "status": "current"
  },
  {
   "source_id": "coso_erm",
   "title": "COSO ERM 2017",
   "full_title": "COSO Enterprise Risk Management \u2014 Integrating with Strategy and Performance 2017",
   "publisher": "Committee of Sponsoring Organizations (COSO)",
   "publisher_type": "industry-body",
   "version": "2017",
   "canonical_url": "https://www.coso.org/guidance-erm",
   "published_date": "2017-09-06",
   "effective_date": "2017-09-06",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "authority",
    "compliance",
    "finance"
   ],
   "status": "current",
   "url_verified": true
  },
  {
   "source_id": "oecd_cg",
   "title": "G20/OECD Principles of Corporate Governance 2023",
   "full_title": "G20/OECD Principles of Corporate Governance 2023",
   "publisher": "OECD",
   "publisher_type": "industry-body",
   "version": "2023",
   "canonical_url": "https://www.oecd.org/en/publications/2023/09/g20-oecd-principles-of-corporate-governance-2023_60836fcb.html",
   "published_date": "2023-09-11",
   "effective_date": "2023-09-11",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "authority",
    "compliance"
   ],
   "status": "current"
  },
  {
   "source_id": "owasp_aisvs",
   "title": "OWASP AISVS 1.0",
   "full_title": "OWASP AI Security Verification Standard 1.0",
   "publisher": "OWASP Foundation",
   "publisher_type": "industry-body",
   "version": "1.0",
   "canonical_url": "https://github.com/OWASP/AISVS/tree/main/1.0/en",
   "published_date": "2025-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "agentic",
    "security",
    "model"
   ],
   "status": "current",
   "notes": "12 chapters (C01-C12), 191 requirements. Pin commit hash alongside version.",
   "url_verified": false
  },
  {
   "source_id": "owasp_ai_testing_guide_v1",
   "title": "OWASP AI Testing Guide v1",
   "full_title": "OWASP AI Testing Guide v1.0",
   "publisher": "OWASP Foundation",
   "publisher_type": "industry-body",
   "version": "1.0",
   "canonical_url": "https://owasp.org/www-project-ai-testing-guide/",
   "published_date": "2025-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "model",
    "security",
    "agentic"
   ],
   "status": "current",
   "notes": "Structured testing methodology for AI systems. Companion document to OWASP AISVS 1.0. Covers model behavior testing, adversarial evaluation, data pipeline validation, and agentic system testing procedures.",
   "url_verified": false
  },
  {
   "source_id": "openapi",
   "title": "OpenAPI 3.1",
   "full_title": "OpenAPI Specification 3.1",
   "publisher": "OpenAPI Initiative",
   "publisher_type": "industry-body",
   "version": "3.1",
   "canonical_url": "https://spec.openapis.org/oas/v3.1.0",
   "published_date": "2021-02-15",
   "effective_date": "2021-02-15",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "agentic"
   ],
   "status": "current"
  },
  {
   "source_id": "iso_31000",
   "title": "ISO 31000:2018",
   "full_title": "ISO 31000:2018 \u2014 Risk Management Guidelines",
   "publisher": "ISO",
   "publisher_type": "standards-body",
   "version": "2018",
   "canonical_url": "https://www.iso.org/standard/65694.html",
   "published_date": "2018-02-15",
   "effective_date": "2018-02-15",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "agentic",
    "authority",
    "compliance"
   ],
   "status": "current"
  },
  {
   "source_id": "cisa_ai_guidance",
   "title": "CISA AI Roadmap 2023-2024",
   "full_title": "CISA Roadmap for Artificial Intelligence 2023-2024",
   "publisher": "Cybersecurity and Infrastructure Security Agency",
   "publisher_type": "government-agency",
   "version": "2023",
   "canonical_url": "https://www.cisa.gov/resources-tools/resources/cisa-roadmap-artificial-intelligence",
   "published_date": "2023-11-14",
   "effective_date": "2023-11-14",
   "jurisdiction": [
    "us"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "agentic",
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "fair_principles",
   "title": "FAIR Data Principles",
   "full_title": "FAIR Guiding Principles for Scientific Data Management and Stewardship",
   "publisher": "FORCE11 / Publishers",
   "publisher_type": "industry-body",
   "version": "2016",
   "canonical_url": "https://www.go-fair.org/fair-principles/",
   "published_date": "2016-03-15",
   "effective_date": "2016-03-15",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "knowledge",
    "data"
   ],
   "status": "current"
  },
  {
   "source_id": "iso_27002",
   "title": "ISO/IEC 27002:2022",
   "full_title": "ISO/IEC 27002:2022 \u2014 Information Security Controls",
   "publisher": "ISO/IEC",
   "publisher_type": "standards-body",
   "version": "2022",
   "canonical_url": "https://www.iso.org/standard/75652.html",
   "published_date": "2022-02-15",
   "effective_date": "2022-02-15",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "knowledge",
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "iso_30401",
   "title": "ISO 30401:2018",
   "full_title": "ISO 30401:2018 \u2014 Knowledge Management Systems Requirements",
   "publisher": "ISO",
   "publisher_type": "standards-body",
   "version": "2018",
   "canonical_url": "https://www.iso.org/standard/68683.html",
   "published_date": "2018-11-01",
   "effective_date": "2018-11-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "certification-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "knowledge"
   ],
   "status": "current"
  },
  {
   "source_id": "itil_4",
   "title": "ITIL 4",
   "full_title": "ITIL 4 Foundation \u2014 IT Service Management",
   "publisher": "PeopleCert / Axelos",
   "publisher_type": "industry-body",
   "version": "4",
   "canonical_url": "https://www.axelos.com/certifications/itil-service-management/itil-4-foundation",
   "published_date": "2019-02-28",
   "effective_date": "2019-02-28",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "versioned",
   "primary_domains": [
    "knowledge",
    "resilience"
   ],
   "status": "current"
  },
  {
   "source_id": "anthropic_transparency",
   "title": "Anthropic Model Card & Knowledge Transparency",
   "full_title": "Anthropic Model Cards and Knowledge Transparency Practices",
   "publisher": "Anthropic PBC",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://www.anthropic.com/transparency",
   "published_date": "2024",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "knowledge",
    "model"
   ],
   "status": "current",
   "url_verified": false
  },
  {
   "source_id": "dama_dmbok",
   "title": "DAMA-DMBOK 2nd Ed",
   "full_title": "DAMA Data Management Body of Knowledge 2nd Edition",
   "publisher": "DAMA International",
   "publisher_type": "industry-body",
   "version": "2 (2nd Edition, Revised 2024)",
   "canonical_url": "https://www.dama.org/cpages/body-of-knowledge",
   "published_date": "2017-07-05",
   "effective_date": "2017-07-05",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "versioned",
   "primary_domains": [
    "data",
    "knowledge"
   ],
   "status": "current"
  },
  {
   "source_id": "snowflake_horizon",
   "title": "Snowflake Horizon",
   "full_title": "Snowflake Horizon \u2014 Data Governance Platform",
   "publisher": "Snowflake Inc.",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://www.snowflake.com/en/data-cloud/horizon/",
   "published_date": "2024-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "continuous",
   "primary_domains": [
    "data"
   ],
   "status": "current",
   "url_verified": false
  },
  {
   "source_id": "dcam",
   "title": "DCAM v2.2",
   "full_title": "DCAM v2.2 \u2014 Data Management Capability Assessment Model (EDM Council)",
   "publisher": "EDM Council",
   "publisher_type": "industry-body",
   "version": "2.2 (DCAM v3 published July 2025; matrix pinned to v2.2)",
   "canonical_url": "https://edmcouncil.org/frameworks/dcam/",
   "published_date": "2022-01-01",
   "effective_date": "2022-01-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "versioned",
   "primary_domains": [
    "data",
    "finance"
   ],
   "status": "current"
  },
  {
   "source_id": "anthropic_rsp",
   "title": "Anthropic Responsible Scaling Policy v3.3",
   "full_title": "Anthropic Responsible Scaling Policy v3.3",
   "publisher": "Anthropic PBC",
   "publisher_type": "vendor",
   "version": "3.3",
   "canonical_url": "https://www.anthropic.com/responsible-scaling-policy",
   "published_date": "2026-05-26",
   "effective_date": "2026-05-26",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "versioned",
   "primary_domains": [
    "compliance",
    "ethics",
    "finance",
    "resilience",
    "agentic",
    "identity",
    "privacy",
    "authority"
   ],
   "status": "current"
  },
  {
   "source_id": "openai_preparedness",
   "title": "OpenAI Preparedness Framework v2",
   "full_title": "OpenAI Preparedness Framework Version 2",
   "publisher": "OpenAI LLC",
   "publisher_type": "vendor",
   "version": "2",
   "canonical_url": "https://cdn.openai.com/pdf/18a02b5d-6b67-4cec-ab64-68cdfbddebcd/preparedness-framework-v2.pdf",
   "published_date": "2025-04-15",
   "effective_date": "2025-04-15",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "versioned",
   "primary_domains": [
    "resilience",
    "agentic",
    "authority",
    "identity"
   ],
   "status": "current"
  },
  {
   "source_id": "iso_23894",
   "title": "ISO/IEC 23894:2023",
   "full_title": "ISO/IEC 23894:2023 \u2014 Artificial Intelligence: Guidance on Risk Management",
   "publisher": "ISO/IEC",
   "publisher_type": "standards-body",
   "version": "2023",
   "canonical_url": "https://www.iso.org/standard/77304.html",
   "published_date": "2023-02-07",
   "effective_date": "2023-02-07",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "model",
    "compliance",
    "authority",
    "agentic",
    "ethics"
   ],
   "status": "current",
   "notes": "AI-specific risk management process companion to ISO 31000"
  },
  {
   "source_id": "csa_aicm",
   "title": "CSA AI Controls Matrix",
   "full_title": "CSA AI Controls Matrix v1.1 \u2014 Comprehensive Framework for Trustworthy AI",
   "publisher": "Cloud Security Alliance",
   "publisher_type": "industry-body",
   "version": "1.1",
   "canonical_url": "https://cloudsecurityalliance.org/artifacts/ai-controls-matrix",
   "published_date": "2026-06-22",
   "effective_date": "2026-06-22",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "versioned",
   "primary_domains": [
    "security",
    "model",
    "agentic",
    "compliance"
   ],
   "status": "current",
   "url_verified": false
  },
  {
   "source_id": "imda_mgf",
   "title": "IMDA MGF for Agentic AI",
   "full_title": "IMDA Model AI Governance Framework for Agentic AI",
   "publisher": "Infocomm Media Development Authority (Singapore)",
   "publisher_type": "government-agency",
   "version": "1.5",
   "canonical_url": "https://www.imda.gov.sg/-/media/imda/files/about/emerging-tech-and-research/artificial-intelligence/mgf-for-agentic-ai.pdf",
   "published_date": "2026-05-20",
   "effective_date": "2026-05-20",
   "jurisdiction": [
    "sg"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security",
    "model",
    "agentic",
    "compliance"
   ],
   "status": "current",
   "url_verified": false
  },
  {
   "source_id": "csa_aismm",
   "title": "CSA AISMM",
   "full_title": "CSA AI Security Maturity Model (AISMM)",
   "publisher": "Cloud Security Alliance",
   "publisher_type": "industry-body",
   "version": "2026",
   "canonical_url": "https://cloudsecurityalliance.org/artifacts/ai-security-maturity-model",
   "published_date": "2026-05-19",
   "effective_date": "2026-05-19",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "versioned",
   "primary_domains": [
    "security",
    "agentic",
    "model"
   ],
   "status": "current",
   "url_verified": false
  },
  {
   "source_id": "a2a_spec",
   "title": "A2A Protocol",
   "full_title": "Agent2Agent (A2A) Protocol Specification",
   "publisher": "Linux Foundation",
   "publisher_type": "industry-body",
   "version": "1.0",
   "canonical_url": "https://github.com/a2aproject/A2A",
   "published_date": "2025-04-09",
   "effective_date": "2026-04-09",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "security",
    "agentic"
   ],
   "status": "current"
  },
  {
   "source_id": "agent_security_bench",
   "title": "Agent Security Bench (ASB)",
   "full_title": "Agent Security Bench (ASB): Formalizing and Benchmarking Attacks and Defenses in LLM-based Agents",
   "publisher": "Ohio State University NLP Group",
   "publisher_type": "academic",
   "version": "2024",
   "canonical_url": "https://arxiv.org/abs/2410.02644",
   "published_date": "2024-10-03",
   "effective_date": "2024-10-03",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "versioned",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "agentdojo",
   "title": "AgentDojo",
   "full_title": "AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents",
   "publisher": "ETH Zurich SPY Lab",
   "publisher_type": "academic",
   "version": "NeurIPS 2024",
   "canonical_url": "https://github.com/ethz-spylab/agentdojo",
   "published_date": "2024-06-19",
   "effective_date": "2024-06-19",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "versioned",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "anthropic_attack_navigator",
   "title": "Anthropic LLM ATT&CK Navigator",
   "full_title": "Mapping AI-Enabled Cyber Threats: LLM ATT&CK Navigator",
   "publisher": "Anthropic",
   "publisher_type": "vendor",
   "version": "2026",
   "canonical_url": "https://www.anthropic.com/research/attack-navigator",
   "published_date": "2026-06-03",
   "effective_date": "2026-06-03",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "anthropic_glasswing",
   "title": "Project Glasswing",
   "full_title": "Project Glasswing: Securing Critical Software for the AI Era",
   "publisher": "Anthropic",
   "publisher_type": "vendor",
   "version": "2026",
   "canonical_url": "https://www.anthropic.com/glasswing",
   "published_date": "2026-04-07",
   "effective_date": "2026-04-07",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "anthropic_gtg1002",
   "title": "Anthropic GTG-1002 Report",
   "full_title": "Disrupting the First Reported AI-Orchestrated Cyber Espionage Campaign (GTG-1002)",
   "publisher": "Anthropic",
   "publisher_type": "vendor",
   "version": "2025-11",
   "canonical_url": "https://www.anthropic.com/news/disrupting-AI-espionage",
   "published_date": "2025-11-14",
   "effective_date": "2025-11-14",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "anthropic_mcp",
   "title": "Model Context Protocol",
   "full_title": "Model Context Protocol (MCP) Specification",
   "publisher": "Linux Foundation (Agentic AI Infrastructure Foundation)",
   "publisher_type": "industry-body",
   "version": "2025-11-25",
   "canonical_url": "https://modelcontextprotocol.io/specification/2025-11-25",
   "published_date": "2024-11-25",
   "effective_date": "2025-11-25",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "security",
    "agentic"
   ],
   "status": "current"
  },
  {
   "source_id": "auth0_genai",
   "title": "Auth0 for AI Agents",
   "full_title": "Auth0 for AI Agents: Identity and Security Guidance for GenAI Applications",
   "publisher": "Okta (Auth0)",
   "publisher_type": "vendor",
   "version": "2025",
   "canonical_url": "https://auth0.com/ai/docs",
   "published_date": "2025-04-09",
   "effective_date": "2025-04-09",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "continuous",
   "primary_domains": [
    "security",
    "identity"
   ],
   "status": "current"
  },
  {
   "source_id": "aws_egress_domains",
   "title": "AWS Egress Domain Controls for AI Agents",
   "full_title": "Control Which Domains Your AI Agents Can Access",
   "publisher": "Amazon Web Services",
   "publisher_type": "vendor",
   "version": "2026",
   "canonical_url": "https://aws.amazon.com/blogs/machine-learning/control-which-domains-your-ai-agents-can-access/",
   "published_date": "2026-04-02",
   "effective_date": "2026-04-02",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "aws_scoping_matrix",
   "title": "AWS Generative AI Security Scoping Matrix",
   "full_title": "Securing Generative AI: The Generative AI Security Scoping Matrix",
   "publisher": "Amazon Web Services",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://aws.amazon.com/blogs/security/securing-generative-ai-an-introduction-to-the-generative-ai-security-scoping-matrix/",
   "published_date": "2024-11-01",
   "effective_date": "2024-11-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "versioned",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "beyondidentity_ceros",
   "title": "Ceros: Agentic AI Trust Layer",
   "full_title": "Ceros: The Agentic AI Trust Layer by Beyond Identity",
   "publisher": "Beyond Identity",
   "publisher_type": "vendor",
   "version": "2026",
   "canonical_url": "https://www.ceros.sh/",
   "published_date": "2026-06-16",
   "effective_date": "2026-06-16",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "continuous",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "biv_skills",
   "title": "BIV: Behavioral Integrity Verification for AI Agent Skills",
   "full_title": "Behavioral Integrity Verification for AI Agent Skills",
   "publisher": "Palo Alto Networks",
   "publisher_type": "vendor",
   "version": "2026",
   "canonical_url": "https://arxiv.org/abs/2605.11770",
   "published_date": "2026-05-12",
   "effective_date": "2026-05-12",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "cisa_agentic",
   "title": "CISA: Careful Adoption of Agentic AI Services",
   "full_title": "Careful Adoption of Agentic AI Services",
   "publisher": "CISA / NSA / Five Eyes Partners",
   "publisher_type": "government-agency",
   "version": "2026",
   "canonical_url": "https://www.cisa.gov/resources-tools/resources/careful-adoption-agentic-ai-services",
   "published_date": "2026-04-30",
   "effective_date": "2026-04-30",
   "jurisdiction": [
    "us"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "cisa_sbom_ai",
   "title": "CISA: Software Bill of Materials for AI",
   "full_title": "Software Bill of Materials for AI \u2013 Minimum Elements",
   "publisher": "CISA / G7 Partners",
   "publisher_type": "government-agency",
   "version": "2026",
   "canonical_url": "https://www.cisa.gov/resources-tools/resources/software-bill-materials-ai-minimum-elements",
   "published_date": "2026-05-12",
   "effective_date": "2026-05-12",
   "jurisdiction": [
    "us"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "claude_sandbox_bypass",
   "title": "Claude Code Sandbox Bypass Research",
   "full_title": "How Claude Code Escapes Its Own Denylist and Sandbox",
   "publisher": "Ona",
   "publisher_type": "vendor",
   "version": "2026",
   "canonical_url": "https://ona.com/stories/how-claude-code-escapes-its-own-denylist-and-sandbox",
   "published_date": "2026-03-01",
   "effective_date": "2026-03-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "containment_gap",
   "title": "Quantifying LLM Container Sandbox Escape",
   "full_title": "Quantifying Frontier LLM Capabilities for Container Sandbox Escape",
   "publisher": "UK AI Security Institute",
   "publisher_type": "academic",
   "version": "2026",
   "canonical_url": "https://arxiv.org/abs/2603.02277",
   "published_date": "2026-03-01",
   "effective_date": "2026-03-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "cosai_oasis",
   "title": "CoSAI: Coalition for Secure AI",
   "full_title": "Coalition for Secure AI (CoSAI) \u2014 OASIS Open Project",
   "publisher": "OASIS Open",
   "publisher_type": "standards-body",
   "version": "2024",
   "canonical_url": "https://www.coalitionforsecureai.org/",
   "published_date": "2024-07-18",
   "effective_date": "2024-07-18",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "continuous",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "crowdstrike_aidr",
   "title": "CrowdStrike Falcon AIDR",
   "full_title": "CrowdStrike Falcon AI Detection and Response (AIDR)",
   "publisher": "CrowdStrike",
   "publisher_type": "vendor",
   "version": "2025",
   "canonical_url": "https://www.crowdstrike.com/en-us/platform/falcon-aidr-ai-detection-and-response/",
   "published_date": "2025-12-01",
   "effective_date": "2025-12-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "continuous",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "csa_agent_survey",
   "title": "CSA: Securing Autonomous AI Agents",
   "full_title": "Securing Autonomous AI Agents: Survey Report",
   "publisher": "Cloud Security Alliance",
   "publisher_type": "industry-body",
   "version": "2026",
   "canonical_url": "https://cloudsecurityalliance.org/artifacts/securing-autonomous-ai-agents",
   "published_date": "2026-02-04",
   "effective_date": "2026-02-04",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "csa_maestro",
   "title": "CSA MAESTRO Framework",
   "full_title": "MAESTRO: Multi-Agent Environment, Security, Threat, Risk, and Outcome Agentic AI Threat Modeling Framework",
   "publisher": "Cloud Security Alliance",
   "publisher_type": "industry-body",
   "version": "2025",
   "canonical_url": "https://labs.cloudsecurityalliance.org/maestro/",
   "published_date": "2025-02-06",
   "effective_date": "2025-02-06",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "databricks_dasf3",
   "title": "Databricks DASF v3.0",
   "full_title": "Databricks AI Security Framework (DASF) v3.0: Agentic AI Security",
   "publisher": "Databricks",
   "publisher_type": "vendor",
   "version": "3.0",
   "canonical_url": "https://www.databricks.com/blog/agentic-ai-security-new-risks-and-controls-databricks-ai-security-framework-dasf-v30",
   "published_date": "2026-03-01",
   "effective_date": "2026-03-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "versioned",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "deepmind_agi_safety",
   "title": "DeepMind AGI Safety Technical Approach",
   "full_title": "An Approach to Technical AGI Safety and Security",
   "publisher": "Google DeepMind",
   "publisher_type": "vendor",
   "version": "2025-04",
   "canonical_url": "https://storage.googleapis.com/deepmind-media/DeepMind.com/Blog/evaluating-potential-cybersecurity-threats-of-advanced-ai/An_Approach_to_Technical_AGI_Safety_Apr_2025.pdf",
   "published_date": "2025-04-02",
   "effective_date": "2025-04-02",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "deepmind_ai_control",
   "title": "AI Control: Improving Safety Despite Intentional Subversion",
   "full_title": "AI Control: Improving Safety Despite Intentional Subversion (ICML 2024)",
   "publisher": "Redwood Research",
   "publisher_type": "academic",
   "version": "2024",
   "canonical_url": "https://arxiv.org/abs/2312.06942",
   "published_date": "2023-12-12",
   "effective_date": "2024-07-23",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "did_vc",
   "title": "W3C DID v1.0 & Verifiable Credentials",
   "full_title": "Decentralized Identifiers (DIDs) v1.0 and Verifiable Credentials Data Model",
   "publisher": "World Wide Web Consortium (W3C)",
   "publisher_type": "standards-body",
   "version": "1.0",
   "canonical_url": "https://www.w3.org/TR/did-1.0/",
   "published_date": "2022-07-19",
   "effective_date": "2022-07-19",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "firecracker",
   "title": "AWS Firecracker MicroVM",
   "full_title": "Firecracker: Lightweight Virtualization for Serverless Computing",
   "publisher": "Amazon Web Services",
   "publisher_type": "vendor",
   "version": "open-source",
   "canonical_url": "https://firecracker-microvm.github.io/",
   "published_date": "2018-11-26",
   "effective_date": "2018-11-26",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "continuous",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "garak",
   "title": "Garak LLM Vulnerability Scanner",
   "full_title": "Garak: Generative AI Red-teaming & Assessment Kit",
   "publisher": "NVIDIA",
   "publisher_type": "vendor",
   "version": "0.14.0",
   "canonical_url": "https://github.com/NVIDIA/garak",
   "published_date": "2023-06-13",
   "effective_date": "2023-06-13",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "continuous",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "gitguardian_mcp_secrets",
   "title": "GitGuardian: Secrets in MCP",
   "full_title": "A Look Into the Secrets of MCP: The New Secret Leak Source",
   "publisher": "GitGuardian",
   "publisher_type": "vendor",
   "version": "2025",
   "canonical_url": "https://blog.gitguardian.com/a-look-into-the-secrets-of-mcp/",
   "published_date": "2025-04-29",
   "effective_date": "2025-04-29",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "google_saif2",
   "title": "Google SAIF v2",
   "full_title": "Secure AI Framework (SAIF) v2.0",
   "publisher": "Google",
   "publisher_type": "vendor",
   "version": "2.0",
   "canonical_url": "https://saif.google/",
   "published_date": "2026-01-01",
   "effective_date": "2026-01-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "versioned",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "google_secure_agents",
   "title": "Google: An Introduction to Secure AI Agents",
   "full_title": "An Introduction to Secure AI Agents",
   "publisher": "Google",
   "publisher_type": "vendor",
   "version": "2025-05",
   "canonical_url": "https://storage.googleapis.com/gweb-research2023-media/pubtools/1018686.pdf",
   "published_date": "2025-05-01",
   "effective_date": "2025-05-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "gvisor",
   "title": "gVisor Container Sandbox",
   "full_title": "gVisor: Application Kernel for Containers",
   "publisher": "Google",
   "publisher_type": "vendor",
   "version": "open-source",
   "canonical_url": "https://github.com/google/gvisor",
   "published_date": "2018-05-02",
   "effective_date": "2018-05-02",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "continuous",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "iso_ai_series",
   "title": "ISO/IEC JTC 1/SC 42 AI Standards Series",
   "full_title": "ISO/IEC JTC 1/SC 42 Artificial Intelligence Standards Series (ISO/IEC 42001, 23894, 24028, 24368)",
   "publisher": "ISO/IEC JTC 1/SC 42",
   "publisher_type": "standards-body",
   "version": "2023",
   "canonical_url": "https://www.iso.org/committee/6794475.html",
   "published_date": "2023-12-15",
   "effective_date": "2023-12-15",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "certification-standard",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "mcp_authorization",
   "title": "MCP Authorization Specification",
   "full_title": "Model Context Protocol Authorization Specification",
   "publisher": "Anthropic",
   "publisher_type": "vendor",
   "version": "2025-11-25",
   "canonical_url": "https://modelcontextprotocol.io/specification/2025-11-25",
   "published_date": "2025-11-25",
   "effective_date": "2025-11-25",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "mitre_attack",
   "title": "MITRE ATT&CK",
   "full_title": "MITRE ATT&CK: Adversarial Tactics, Techniques & Common Knowledge",
   "publisher": "MITRE Corporation",
   "publisher_type": "industry-body",
   "version": "v19.1",
   "canonical_url": "https://attack.mitre.org/",
   "published_date": "2026-05-12",
   "effective_date": "2026-05-12",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "versioned",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "ms_agent_governance_toolkit",
   "title": "Microsoft Agent Governance Toolkit",
   "full_title": "AI Agent Governance Toolkit: Policy Enforcement, Zero-Trust Identity, Execution Sandboxing, and Reliability Engineering for Autonomous AI Agents",
   "publisher": "Microsoft",
   "publisher_type": "vendor",
   "version": "2025",
   "canonical_url": "https://github.com/microsoft/agent-governance-toolkit",
   "published_date": "2025-05-15",
   "effective_date": "2025-05-15",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "continuous",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "ms_copilot_studio_governance",
   "title": "Microsoft Copilot Studio Security and Governance",
   "full_title": "Microsoft Copilot Studio Security and Governance Guidance",
   "publisher": "Microsoft",
   "publisher_type": "vendor",
   "version": "2025",
   "canonical_url": "https://learn.microsoft.com/en-us/microsoft-copilot-studio/security-and-governance",
   "published_date": "2025-11-01",
   "effective_date": "2025-11-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "continuous",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "ms_entra_agent_id",
   "title": "Microsoft Entra Agent ID",
   "full_title": "Microsoft Entra Agent ID: Identity and Access Management for AI Agents",
   "publisher": "Microsoft",
   "publisher_type": "vendor",
   "version": "2025",
   "canonical_url": "https://learn.microsoft.com/en-us/entra/agent-id/",
   "published_date": "2025-11-01",
   "effective_date": "2025-11-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "continuous",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "ms_failure_taxonomy",
   "title": "Taxonomy of Failure Modes in Agentic AI Systems",
   "full_title": "Taxonomy of Failure Modes in Agentic AI Systems (v2.0)",
   "publisher": "Microsoft",
   "publisher_type": "vendor",
   "version": "2.0",
   "canonical_url": "https://www.microsoft.com/en-us/security/blog/2026/06/04/updating-taxonomy-failure-modes-agentic-ai-systems-year-red-teaming-taught-us/",
   "published_date": "2025-04-24",
   "effective_date": "2025-04-24",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "ms_mxc",
   "title": "Microsoft Execution Containers (MXC)",
   "full_title": "Microsoft Execution Containers (MXC): Policy-Driven Sandboxed Execution for Untrusted Code (early preview; policies not yet hardened security boundaries)",
   "publisher": "Microsoft",
   "publisher_type": "vendor",
   "version": "2026",
   "canonical_url": "https://github.com/microsoft/mxc",
   "published_date": "2026-06-02",
   "effective_date": "2026-06-02",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "continuous",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "ms_pyrit",
   "title": "Microsoft PyRIT",
   "full_title": "Python Risk Identification Tool for Generative AI (PyRIT)",
   "publisher": "Microsoft",
   "publisher_type": "vendor",
   "version": "0.14.0",
   "canonical_url": "https://github.com/microsoft/PyRIT",
   "published_date": "2024-02-22",
   "effective_date": "2024-02-22",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "continuous",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "ngac",
   "title": "INCITS 565: Next Generation Access Control (NGAC)",
   "full_title": "INCITS 565-2020: Information Technology \u2014 Next Generation Access Control (NGAC)",
   "publisher": "INCITS",
   "publisher_type": "standards-body",
   "version": "2020",
   "canonical_url": "https://www.nist.gov/identity-access-management/policy-machine-and-next-generation-access-control",
   "published_date": "2020-04-10",
   "effective_date": "2020-04-10",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "nist_caisi",
   "title": "NIST CAISI",
   "full_title": "Center for AI Standards and Innovation (CAISI) \u2014 Cybersecurity of AI and Securing the AI Supply Chain",
   "publisher": "National Institute of Standards and Technology (NIST)",
   "publisher_type": "government-agency",
   "version": "2025",
   "canonical_url": "https://www.nist.gov/caisi",
   "published_date": "2025-06-03",
   "effective_date": "2025-06-03",
   "jurisdiction": [
    "us"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "continuous",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "nist_cosais",
   "title": "NIST COSAiS",
   "full_title": "SP 800-53 Control Overlays for Securing AI Systems (COSAiS)",
   "publisher": "National Institute of Standards and Technology (NIST)",
   "publisher_type": "government-agency",
   "version": "2025",
   "canonical_url": "https://csrc.nist.gov/projects/cosais",
   "published_date": "2025-08-14",
   "effective_date": "2025-08-14",
   "jurisdiction": [
    "us"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "versioned",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "nist_ai_rmf_playbook",
   "title": "NIST AI RMF Playbook",
   "full_title": "NIST AI Risk Management Framework Playbook",
   "publisher": "National Institute of Standards and Technology (NIST)",
   "publisher_type": "government-agency",
   "version": "1.0",
   "canonical_url": "https://airc.nist.gov/airmf-resources/playbook/",
   "published_date": "2023-01-26",
   "effective_date": "2023-01-26",
   "jurisdiction": [
    "us"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "nist_nccoe_agent_id",
   "title": "NIST NCCoE AI Agent Identity",
   "full_title": "Accelerating the Adoption of Software and Artificial Intelligence Agent Identity and Authorization",
   "publisher": "NIST National Cybersecurity Center of Excellence (NCCoE)",
   "publisher_type": "government-agency",
   "version": "2026",
   "canonical_url": "https://csrc.nist.gov/pubs/other/2026/02/05/accelerating-the-adoption-of-software-and-ai-agent/ipd",
   "published_date": "2026-02-05",
   "effective_date": "2026-02-05",
   "jurisdiction": [
    "us"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "versioned",
   "primary_domains": [
    "identity",
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "spiffe_spire",
   "title": "SPIFFE/SPIRE",
   "full_title": "SPIFFE Workload Identity Specification and SPIRE Reference Implementation",
   "publisher": "Cloud Native Computing Foundation (CNCF)",
   "publisher_type": "industry-body",
   "version": "1.0",
   "canonical_url": "https://spiffe.io/docs/latest/spiffe-about/overview/",
   "published_date": "2024-01-01",
   "effective_date": "2024-01-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "continuous",
   "primary_domains": [
    "identity",
    "security",
    "agentic"
   ],
   "status": "current"
  },
  {
   "source_id": "oauth21",
   "title": "OAuth 2.1",
   "full_title": "The OAuth 2.1 Authorization Framework",
   "publisher": "Internet Engineering Task Force (IETF)",
   "publisher_type": "standards-body",
   "version": "draft-ietf-oauth-v2-1-15",
   "canonical_url": "https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/",
   "published_date": "2026-03-02",
   "effective_date": "2026-03-02",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "identity",
    "security"
   ],
   "status": "draft"
  },
  {
   "source_id": "oidc_ciba",
   "title": "OpenID Connect CIBA",
   "full_title": "OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0",
   "publisher": "OpenID Foundation (OIDF)",
   "publisher_type": "standards-body",
   "version": "1.0",
   "canonical_url": "https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html",
   "published_date": "2021-09-01",
   "effective_date": "2021-09-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "identity",
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "okta_cross_app_access",
   "title": "Okta Cross App Access (XAA)",
   "full_title": "Cross App Access: Securing AI Agent and App-to-App Connections via Identity Assertion Authorization Grant (ID-JAG)",
   "publisher": "Okta",
   "publisher_type": "vendor",
   "version": "2025",
   "canonical_url": "https://www.okta.com/solutions/cross-app-access/",
   "published_date": "2025-06-23",
   "effective_date": "2025-06-23",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "identity",
    "agentic"
   ],
   "status": "current"
  },
  {
   "source_id": "openai_agent_builder_safety",
   "title": "OpenAI Agent Builder Safety",
   "full_title": "Safety in Building Agents \u2014 OpenAI Developer Guidance",
   "publisher": "OpenAI",
   "publisher_type": "vendor",
   "version": "2025",
   "canonical_url": "https://platform.openai.com/docs/guides/agent-builder-safety",
   "published_date": "2025-03-01",
   "effective_date": "2025-03-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "continuous",
   "primary_domains": [
    "security",
    "agentic"
   ],
   "status": "current"
  },
  {
   "source_id": "openai_bug_bounty",
   "title": "OpenAI Bug Bounty Program",
   "full_title": "OpenAI Bug Bounty Program \u2014 Vulnerability Disclosure Scope and Policies",
   "publisher": "OpenAI",
   "publisher_type": "vendor",
   "version": "2023",
   "canonical_url": "https://openai.com/index/bug-bounty-program/",
   "published_date": "2023-04-12",
   "effective_date": "2023-04-12",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "openai_governing_agentic",
   "title": "OpenAI Practices for Governing Agentic AI",
   "full_title": "Practices for Governing Agentic AI Systems",
   "publisher": "OpenAI",
   "publisher_type": "vendor",
   "version": "2023",
   "canonical_url": "https://cdn.openai.com/papers/practices-for-governing-agentic-ai-systems.pdf",
   "published_date": "2023-12-01",
   "effective_date": "2023-12-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "agentic",
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "openai_preparedness_v2",
   "title": "OpenAI Preparedness Framework v2",
   "full_title": "OpenAI Preparedness Framework Version 2",
   "publisher": "OpenAI",
   "publisher_type": "vendor",
   "version": "v2",
   "canonical_url": "https://openai.com/index/updating-our-preparedness-framework/",
   "published_date": "2025-04-15",
   "effective_date": "2025-04-15",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "versioned",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "openssf_model_signing",
   "title": "OpenSSF Model Signing v1.0",
   "full_title": "OpenSSF Model Signing (OMS) Specification v1.0",
   "publisher": "Open Source Security Foundation",
   "publisher_type": "industry-body",
   "version": "v1.0",
   "canonical_url": "https://github.com/ossf/model-signing-spec",
   "published_date": "2025-04-04",
   "effective_date": "2025-04-04",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "versioned",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "owasp_agentic_threats",
   "title": "OWASP Agentic AI Threats and Mitigations",
   "full_title": "Agentic AI \u2014 Threats and Mitigations v1.0a",
   "publisher": "OWASP",
   "publisher_type": "industry-body",
   "version": "v1.0a",
   "canonical_url": "https://genai.owasp.org/resource/agentic-ai-threats-and-mitigations/",
   "published_date": "2025-02-01",
   "effective_date": "2025-02-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "versioned",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "owasp_asi_2026",
   "title": "OWASP Top 10 for Agentic Applications 2026",
   "full_title": "OWASP Top 10 for Agentic Applications for 2026 (Agentic Security Initiative)",
   "publisher": "OWASP",
   "publisher_type": "industry-body",
   "version": "2026",
   "canonical_url": "https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/",
   "published_date": "2025-12-09",
   "effective_date": "2025-12-09",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "annual",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "owasp_finbot_ctf",
   "title": "OWASP FinBot CTF",
   "full_title": "OWASP FinBot: Agentic AI Capture The Flag (CTF) Application",
   "publisher": "OWASP",
   "publisher_type": "industry-body",
   "version": "1.0",
   "canonical_url": "https://owasp-finbot-ctf.org/",
   "published_date": "2026-04-28",
   "effective_date": "2026-04-28",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "owasp_nhi_2025",
   "title": "OWASP Non-Human Identities Top 10",
   "full_title": "OWASP Non-Human Identities Top 10 \u2014 2025",
   "publisher": "OWASP",
   "publisher_type": "industry-body",
   "version": "2025",
   "canonical_url": "https://owasp.org/www-project-non-human-identities-top-10/2025/",
   "published_date": "2024-12-09",
   "effective_date": "2025-01-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "annual",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "ping_identity_ai",
   "title": "Ping Identity: Identity for AI Guide",
   "full_title": "Identity for AI: The Ultimate Guide to Agentic IAM",
   "publisher": "Ping Identity",
   "publisher_type": "vendor",
   "version": "2026",
   "canonical_url": "https://www.pingidentity.com/en-us/docs/assets/4260-ultimate-guide-ai-identity",
   "published_date": "2026-03-24",
   "effective_date": "2026-03-24",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "plaskett_coding_agent_security",
   "title": "NCC Group: AI Coding Agent Security",
   "full_title": "An Introduction to AI Coding Agent Security",
   "publisher": "NCC Group",
   "publisher_type": "academic",
   "version": "2026",
   "canonical_url": "https://www.nccgroup.com/media/jtepwx1t/nccgroup_codingagentswhitepaper.pdf",
   "published_date": "2026-01-01",
   "effective_date": "2026-01-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "promptfoo",
   "title": "Promptfoo",
   "full_title": "Promptfoo: Open-Source LLM Evaluation and Red-Teaming Framework",
   "publisher": "Promptfoo",
   "publisher_type": "vendor",
   "version": "continuous",
   "canonical_url": "https://github.com/promptfoo/promptfoo",
   "published_date": "2023-01-01",
   "effective_date": "2023-01-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "continuous",
   "primary_domains": [
    "security"
   ],
   "status": "current"
  },
  {
   "source_id": "pisanitizer",
   "title": "PISanitizer",
   "full_title": "PISanitizer: Preventing Prompt Injection to Long-Context LLMs via Prompt Sanitization",
   "publisher": "Independent Research",
   "publisher_type": "academic",
   "version": "2025",
   "canonical_url": "https://arxiv.org/abs/2511.10720",
   "published_date": "2025-11-13",
   "effective_date": "2025-11-13",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security"
   ],
   "status": "draft"
  },
  {
   "source_id": "acc_legal_ops_contract_mgmt",
   "title": "ACC Legal Operations Contract Management Best Practices",
   "full_title": "ACC Legal Operations Contract Management Best Practices",
   "publisher": "Association of Corporate Counsel",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://www.acc.com/legalops",
   "published_date": "2024-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "authority"
   ],
   "status": "current"
  },
  {
   "source_id": "aicpa-soc2",
   "title": "AICPA SOC 2 Trust Services Criteria",
   "full_title": "AICPA SOC 2 Trust Services Criteria",
   "publisher": "American Institute of Certified Public Accountants",
   "publisher_type": "standards-body",
   "version": "TSC 2017",
   "canonical_url": "https://www.aicpa-cima.com/resources/download/2017-trust-services-criteria-with-revised-points-of-focus-2022",
   "published_date": "2017-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "certification-standard",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "authority"
   ],
   "status": "current"
  },
  {
   "source_id": "anthropic_privacy_policy_2024",
   "title": "Anthropic Privacy Policy & Zero Data Retention Addendum",
   "full_title": "Anthropic Privacy Policy & Zero Data Retention Addendum",
   "publisher": "Anthropic, PBC",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://www.anthropic.com/legal/privacy",
   "published_date": "2024-09-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "data",
    "privacy"
   ],
   "status": "current"
  },
  {
   "source_id": "aws_artifact_compliance_2024",
   "title": "AWS Artifact (Compliance Reports)",
   "full_title": "AWS Artifact (Compliance Reports)",
   "publisher": "Amazon Web Services, Inc.",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://aws.amazon.com/artifact/",
   "published_date": "2024-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "compliance"
   ],
   "status": "current"
  },
  {
   "source_id": "aws_bedrock_guardrails_2024",
   "title": "Amazon Bedrock Guardrails",
   "full_title": "Amazon Bedrock Guardrails",
   "publisher": "Amazon Web Services, Inc.",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails.html",
   "published_date": "2024-04-23",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "agentic"
   ],
   "status": "current",
   "notes": "GA announced 2024-04-23. Title formerly \"AWS Bedrock Guardrails & Agent Safety\" \u2014 Guardrails is a content-safeguard feature; agent authorization/quota/cost capabilities belong to Bedrock Agents, IAM, Service Quotas, and Budgets."
  },
  {
   "source_id": "aws_bedrock_knowledge_bases_2024",
   "title": "Amazon Bedrock Knowledge Bases",
   "full_title": "Amazon Bedrock Knowledge Bases",
   "publisher": "Amazon Web Services, Inc.",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-base.html",
   "published_date": "2024",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "knowledge"
   ],
   "status": "current"
  },
  {
   "source_id": "aws_financial_services_compliance_2024",
   "title": "AWS User Guide to Financial Services Regulations & Guidelines in the United States",
   "full_title": "AWS User Guide to Financial Services Regulations & Guidelines in the United States (whitepaper); see also Financial Services Industry Lens \u2014 AWS Well-Architected",
   "publisher": "Amazon Web Services, Inc.",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://aws.amazon.com/financial-services/security-compliance/",
   "published_date": "2024-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "finance"
   ],
   "status": "current"
  },
  {
   "source_id": "aws_lake_formation_macie_2024",
   "title": "AWS data governance services (Lake Formation, Macie, Glue, S3)",
   "full_title": "AWS data governance services (Lake Formation, Macie, Glue, S3)",
   "publisher": "Amazon Web Services, Inc.",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://docs.aws.amazon.com/lake-formation/latest/dg/what-is-lake-formation.html",
   "published_date": "2024-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "data"
   ],
   "status": "current"
  },
  {
   "source_id": "aws_organizations_scp_2024",
   "title": "AWS Organizations: Service Control Policies & Control Tower",
   "full_title": "AWS Organizations: Service Control Policies & Control Tower",
   "publisher": "Amazon Web Services, Inc.",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
   "published_date": "2024-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "authority"
   ],
   "status": "current"
  },
  {
   "source_id": "aws_privacy_data_governance_2024",
   "title": "AWS Data Privacy (Data Privacy Center)",
   "full_title": "AWS Data Privacy (Data Privacy Center)",
   "publisher": "Amazon Web Services, Inc.",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://aws.amazon.com/compliance/data-privacy/",
   "published_date": "2024-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "privacy"
   ],
   "status": "current"
  },
  {
   "source_id": "aws_well_arch_reliability_2024",
   "title": "AWS Well-Architected Reliability Pillar",
   "full_title": "AWS Well-Architected Reliability Pillar",
   "publisher": "Amazon Web Services, Inc.",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/welcome.html",
   "published_date": "2024-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "resilience"
   ],
   "status": "current"
  },
  {
   "source_id": "aws_well_arch_security_iam_2024",
   "title": "AWS Well-Architected Security Pillar: Identity and Access Management",
   "full_title": "AWS Well-Architected Security Pillar: Identity and Access Management",
   "publisher": "Amazon Web Services, Inc.",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/identity-and-access-management.html",
   "published_date": "2024-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "identity"
   ],
   "status": "current"
  },
  {
   "source_id": "c2pa_spec_2_1",
   "title": "C2PA \u2014 Coalition for Content Provenance and Authenticity Technical Specification 2.1",
   "full_title": "C2PA \u2014 Coalition for Content Provenance and Authenticity Technical Specification 2.1",
   "publisher": "Coalition for Content Provenance and Authenticity (C2PA)",
   "publisher_type": "vendor",
   "version": "2.1",
   "canonical_url": "https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html",
   "published_date": "2024-09-20",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "knowledge"
   ],
   "status": "current",
   "note": "C2PA Technical Specification 2.1 was published 2024-09-20; C2PA 2.4 is the current release."
  },
  {
   "source_id": "c2pa_spec_v2",
   "title": "C2PA Technical Specification 2.2",
   "full_title": "Coalition for Content Provenance and Authenticity (C2PA) Technical Specification, Version 2.2",
   "publisher": "Coalition for Content Provenance and Authenticity (C2PA)",
   "publisher_type": "standards-body",
   "version": "2.2",
   "canonical_url": "https://spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html",
   "published_date": "2025-05-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "periodic-review",
   "primary_domains": [
    "model"
   ],
   "status": "current"
  },
  {
   "source_id": "ccpa_cpra_2023",
   "title": "California Consumer Privacy Act (CPRA) + CPPA ADMT Regulations",
   "full_title": "California Consumer Privacy Act (CPRA) + CPPA ADMT Regulations",
   "publisher": "California Privacy Protection Agency / California Legislature",
   "publisher_type": "government",
   "version": "CPRA eff. 2023-01-01; ADMT Regs adopted 2025-07-24",
   "canonical_url": "https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5.",
   "published_date": "2023-01-01",
   "effective_date": null,
   "jurisdiction": [
    "us"
   ],
   "normative_force": "binding-law",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "privacy"
   ],
   "status": "current"
  },
  {
   "source_id": "cfpb_adverse_action_2022",
   "title": "Consumer Financial Protection Circular 2022-03 \u2014 Adverse action notification requirements in connection with credit decisions based on complex algorithms",
   "full_title": "Consumer Financial Protection Circular 2022-03: Adverse action notification requirements in connection with credit decisions based on complex algorithms",
   "publisher": "Consumer Financial Protection Bureau (CFPB)",
   "publisher_type": "government",
   "version": "2022-03",
   "canonical_url": "https://www.consumerfinance.gov/compliance/circulars/circular-2022-03-adverse-action-notification-requirements-in-connection-with-credit-decisions-based-on-complex-algorithms/",
   "published_date": "2022-05-26",
   "effective_date": null,
   "jurisdiction": [
    "us"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "finance"
   ],
   "status": "current",
   "notes": "See also Consumer Financial Protection Circular 2023-03 (2023-09-19): adverse action reasons may not be limited to the Regulation B sample-form checklist when credit decisions are based on complex algorithms."
  },
  {
   "source_id": "china_pipl_2021",
   "title": "China Personal Information Protection Law (PIPL)",
   "full_title": "China Personal Information Protection Law (PIPL)",
   "publisher": "Standing Committee of the National People's Congress of China",
   "publisher_type": "government",
   "version": "2021 (promulgated 2021-08-20; effective 2021-11-01)",
   "canonical_url": "http://www.npc.gov.cn/npc/c2/c30834/202108/t20210820_313088.html",
   "published_date": "2021-08-20",
   "effective_date": "2021-11-01",
   "jurisdiction": [
    "cn"
   ],
   "normative_force": "binding-law",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "privacy"
   ],
   "status": "current"
  },
  {
   "source_id": "cloudflare_resilience_2024",
   "title": "Cloudflare DDoS Protection",
   "full_title": "Cloudflare DDoS Protection",
   "publisher": "Cloudflare, Inc.",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://www.cloudflare.com/ddos/",
   "published_date": "2024-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "resilience"
   ],
   "status": "current"
  },
  {
   "source_id": "cnil_ai_guidance_2023",
   "title": "CNIL AI Recommendations \u2014 Use of Artificial Intelligence and Protection of Personal Data",
   "full_title": "CNIL AI Recommendations \u2014 Use of Artificial Intelligence and Protection of Personal Data",
   "publisher": "Commission Nationale de l'Informatique et des Libert\u00e9s (CNIL)",
   "publisher_type": "government",
   "version": "2024-2025 recommendations set (final recommendations summer 2025)",
   "canonical_url": "https://www.cnil.fr/en/topics/artificial-intelligence-ai",
   "published_date": "2023-06-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "privacy"
   ],
   "status": "current"
  },
  {
   "source_id": "colorado_sb26_189",
   "title": "Colorado SB 26-189 \u2014 Automated Decision-Making Technology",
   "full_title": "Colorado SB 26-189 \u2014 Automated Decision-Making Technology",
   "publisher": "Colorado General Assembly",
   "publisher_type": "government",
   "version": "SB 26-189",
   "canonical_url": "https://leg.colorado.gov/bills/sb26-189",
   "published_date": "2026-05-14",
   "effective_date": "2027-01-01",
   "jurisdiction": [
    "us"
   ],
   "normative_force": "binding-law",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "ethics"
   ],
   "status": "current",
   "notes": "Signed 2026-05-14; replaced the SB 24-205 Colorado AI Act developer/deployer duty-of-care, impact-assessment, and risk-management-program regime with a narrower ADMT consumer disclosure-and-appeal framework; effective 2027-01-01."
  },
  {
   "source_id": "csa_ai_caiq_v1",
   "title": "CSA AI Controls Matrix (AICM) and AI Consensus Assessments Initiative Questionnaire (AI CAIQ)",
   "full_title": "CSA AI Controls Matrix (AICM) and AI Consensus Assessments Initiative Questionnaire (AI CAIQ)",
   "publisher": "Cloud Security Alliance",
   "publisher_type": "vendor",
   "version": "1.1.0",
   "canonical_url": "https://cloudsecurityalliance.org/artifacts/ai-controls-matrix-v1-1",
   "published_date": "2025-07-10",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "compliance"
   ],
   "status": "current"
  },
  {
   "source_id": "data_contract_spec_1_0",
   "title": "Open Data Contract Standard (Bitol ODCS)",
   "full_title": "Bitol Open Data Contract Standard (ODCS) \u2014 formerly the Data Contract Specification",
   "publisher": "Bitol (LF AI & Data Foundation)",
   "publisher_type": "industry-body",
   "version": "3.1.0",
   "canonical_url": "https://github.com/bitol-io/open-data-contract-standard",
   "published_date": "2025-12-08",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "data"
   ],
   "status": "current",
   "url_verified": true
  },
  {
   "source_id": "databricks_unity_catalog_2024",
   "title": "Databricks Unity Catalog",
   "full_title": "Databricks Unity Catalog",
   "publisher": "Databricks, Inc.",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://docs.databricks.com/en/data-governance/unity-catalog/index.html",
   "published_date": "2024",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "data",
    "knowledge"
   ],
   "status": "current"
  },
  {
   "source_id": "doj_ai_guidance_2023",
   "title": "DOJ \u2014 Algorithms, Artificial Intelligence, and Disability Discrimination in Hiring",
   "full_title": "DOJ \u2014 Algorithms, Artificial Intelligence, and Disability Discrimination in Hiring",
   "publisher": "U.S. Department of Justice Civil Rights Division",
   "publisher_type": "government",
   "version": "2022",
   "canonical_url": "https://www.ada.gov/resources/ai-guidance/",
   "published_date": "2022-05-12",
   "effective_date": null,
   "jurisdiction": [
    "us"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "ethics"
   ],
   "status": "current"
  },
  {
   "source_id": "eeoc_ai_hiring_2023",
   "title": "EEOC \u2014 Select Issues: Assessing Adverse Impact in Software, Algorithms, and Artificial Intelligence Used in Employment Selection Procedures Under Title VII",
   "full_title": "Select Issues: Assessing Adverse Impact in Software, Algorithms, and Artificial Intelligence Used in Employment Selection Procedures Under Title VII of the Civil Rights Act of 1964 (May 18, 2023)",
   "publisher": "Equal Employment Opportunity Commission (EEOC)",
   "publisher_type": "government",
   "version": "2023",
   "canonical_url": "https://www.eeoc.gov/laws/guidance/questions-and-answers-clarifying-eeocs-role-addressing-employment-discrimination",
   "published_date": "2023-05-18",
   "effective_date": null,
   "jurisdiction": [
    "us"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "ethics"
   ],
   "status": "withdrawn",
   "notes": "Removed from eeoc.gov on 2025-01-27 following the January 2025 executive-order rollback; canonical_url retained for the historical location, archived copies remain available (e.g., ACLU archive)."
  },
  {
   "source_id": "eidas2_2024_1183",
   "title": "eIDAS 2.0 \u2014 Regulation (EU) 2024/1183",
   "full_title": "Regulation (EU) 2024/1183 amending Regulation (EU) No 910/2014 (eIDAS 2.0 \u2014 European Digital Identity Framework)",
   "publisher": "European Union",
   "publisher_type": "government",
   "version": "2024/1183",
   "canonical_url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1183",
   "published_date": "2024-04-30",
   "effective_date": null,
   "jurisdiction": [
    "eu"
   ],
   "normative_force": "binding-law",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "identity"
   ],
   "status": "current"
  },
  {
   "source_id": "enisa_ai_cybersec_2023",
   "title": "ENISA \u2014 Cybersecurity of AI and Standardisation",
   "full_title": "ENISA \u2014 Cybersecurity of AI and Standardisation",
   "publisher": "European Union Agency for Cybersecurity (ENISA)",
   "publisher_type": "government",
   "version": "2023",
   "canonical_url": "https://www.enisa.europa.eu/publications/cybersecurity-of-ai-and-standardisation",
   "published_date": "2023-03-14",
   "effective_date": null,
   "jurisdiction": [
    "eu"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "resilience"
   ],
   "status": "current"
  },
  {
   "source_id": "eu_data_act_2023_2854",
   "title": "EU Data Act \u2014 Regulation (EU) 2023/2854",
   "full_title": "EU Data Act \u2014 Regulation (EU) 2023/2854",
   "publisher": "European Parliament and Council of the European Union",
   "publisher_type": "government",
   "version": "2023/2854",
   "canonical_url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R2854",
   "published_date": "2023-12-13",
   "effective_date": null,
   "jurisdiction": [
    "eu"
   ],
   "normative_force": "binding-law",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "data",
    "privacy"
   ],
   "status": "current"
  },
  {
   "source_id": "eu_data_gov_act_2022_868",
   "title": "EU Data Governance Act \u2014 Regulation (EU) 2022/868",
   "full_title": "EU Data Governance Act \u2014 Regulation (EU) 2022/868",
   "publisher": "European Parliament and Council of the European Union",
   "publisher_type": "government",
   "version": "2022/868",
   "canonical_url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R0868",
   "published_date": "2022-06-03",
   "effective_date": null,
   "jurisdiction": [
    "eu"
   ],
   "normative_force": "binding-law",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "data",
    "privacy"
   ],
   "status": "current"
  },
  {
   "source_id": "fapi_2_0_security_profile",
   "title": "FAPI 2.0 Security Profile",
   "full_title": "FAPI 2.0 Security Profile",
   "publisher": "OpenID Foundation FAPI Working Group",
   "publisher_type": "vendor",
   "version": "2.0",
   "canonical_url": "https://openid.net/specs/fapi-2_0-security-profile.html",
   "published_date": "2025-02-22",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "identity"
   ],
   "status": "current"
  },
  {
   "source_id": "ffiec_it_handbook_da",
   "title": "FFIEC IT Examination Handbook \u2014 Development, Acquisition, and Maintenance",
   "full_title": "FFIEC IT Examination Handbook \u2014 Development, Acquisition, and Maintenance",
   "publisher": "Federal Financial Institutions Examination Council (FFIEC)",
   "publisher_type": "government",
   "version": "2024-08",
   "canonical_url": "https://ithandbook.ffiec.gov/it-booklets/development-acquisition-and-maintenance/",
   "published_date": "2024-08-29",
   "effective_date": null,
   "jurisdiction": [
    "us"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "finance"
   ],
   "status": "current"
  },
  {
   "source_id": "finra_rn_24_09",
   "title": "FINRA Regulatory Notice 24-09 \u2014 Generative AI and Large Language Models",
   "full_title": "FINRA Regulatory Notice 24-09 \u2014 Generative AI and Large Language Models",
   "publisher": "Financial Industry Regulatory Authority (FINRA)",
   "publisher_type": "government",
   "version": "2024",
   "canonical_url": "https://www.finra.org/rules-guidance/notices/24-09",
   "published_date": "2024-06-27",
   "effective_date": null,
   "jurisdiction": [
    "us"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "finance"
   ],
   "status": "current"
  },
  {
   "source_id": "ftc_ai_bias_2022",
   "title": "FTC \u2014 Aiming for Truth, Fairness, and Equity in Your Company's Use of AI",
   "full_title": "FTC \u2014 Aiming for Truth, Fairness, and Equity in Your Company's Use of AI",
   "publisher": "Federal Trade Commission (FTC)",
   "publisher_type": "government",
   "version": "2021",
   "canonical_url": "https://www.ftc.gov/business-guidance/blog/2021/04/aiming-truth-fairness-equity-your-companys-use-ai",
   "published_date": "2021-04-19",
   "effective_date": null,
   "jurisdiction": [
    "us"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "ethics"
   ],
   "status": "current"
  },
  {
   "source_id": "gdm_fsf_v3_1",
   "title": "Frontier Safety Framework v3.1",
   "full_title": "Google DeepMind Frontier Safety Framework, Version 3.1",
   "publisher": "Google DeepMind",
   "publisher_type": "vendor",
   "version": "3.1",
   "canonical_url": "https://storage.googleapis.com/deepmind-media/DeepMind.com/Blog/strengthening-our-frontier-safety-framework/frontier-safety-framework_3-1.pdf",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "model"
   ],
   "status": "current",
   "published_date": "2026-04-17"
  },
  {
   "source_id": "google_ai_principles_2023",
   "title": "Google AI Principles",
   "full_title": "Google AI Principles (2025 revision: Bold innovation; Responsible development and deployment; Collaborative progress)",
   "publisher": "Google LLC",
   "publisher_type": "vendor",
   "version": "2025",
   "canonical_url": "https://ai.google/responsibility/principles/",
   "published_date": "2025-02-04",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "ethics"
   ],
   "status": "current",
   "notes": "February 2025 revision replaced the 2018 seven principles (and the \"applications we will not pursue\" list) with three pillars."
  },
  {
   "source_id": "google_cloud_compliance_2024",
   "title": "Google Cloud Compliance & Assurance",
   "full_title": "Google Cloud Compliance & Assurance",
   "publisher": "Google LLC",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://cloud.google.com/security/compliance",
   "published_date": "2024-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "compliance"
   ],
   "status": "current"
  },
  {
   "source_id": "google_cloud_financial_services_ai_2024",
   "title": "Google Cloud Explainable AI",
   "full_title": "Google Cloud Explainable AI (with Vertex AI Model Registry, Model Monitoring, and Model Cards as companion product documentation)",
   "publisher": "Google LLC",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://cloud.google.com/explainable-ai",
   "published_date": "2024-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "finance"
   ],
   "status": "current",
   "notes": "Replaces a marketing landing page (cloud.google.com/solutions/financial-services) previously registered as if it were financial-AI governance guidance. Published date is year precision; the page carries no formal publication date."
  },
  {
   "source_id": "google_dataplex_bigquery_2024",
   "title": "Google Cloud Dataplex & BigQuery",
   "full_title": "Google Cloud Dataplex & BigQuery",
   "publisher": "Google LLC",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://cloud.google.com/dataplex/docs/introduction",
   "published_date": "2024-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "data"
   ],
   "status": "current"
  },
  {
   "source_id": "google_org_policy_service_2024",
   "title": "Google Cloud Organization Policy Service",
   "full_title": "Google Cloud Organization Policy Service",
   "publisher": "Google LLC",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
   "published_date": "2024-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "authority"
   ],
   "status": "current"
  },
  {
   "source_id": "google_saif_2023",
   "title": "Google Secure AI Framework (SAIF)",
   "full_title": "Google Secure AI Framework (SAIF)",
   "publisher": "Google LLC",
   "publisher_type": "vendor",
   "version": "1.0",
   "canonical_url": "https://saif.google/secure-ai-framework",
   "published_date": "2023-06-08",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "agentic",
    "identity",
    "privacy"
   ],
   "status": "current"
  },
  {
   "source_id": "google_sre_workbook_2018",
   "title": "Site Reliability Engineering (SRE Book, 2016)",
   "full_title": "Site Reliability Engineering: How Google Runs Production Systems (SRE Book, 2016)",
   "publisher": "Google LLC",
   "publisher_type": "vendor",
   "version": "2016",
   "canonical_url": "https://sre.google/sre-book/table-of-contents/",
   "published_date": "2016-04-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "resilience"
   ],
   "status": "current",
   "notes": "Chapter citations follow the 2016 SRE Book. The 2018 Site Reliability Workbook (sre.google/workbook) is cited separately where used, labeled \"SRE Workbook\" with its own chapter numbering."
  },
  {
   "source_id": "google_vertex_ai_rag_2024",
   "title": "Google Vertex AI RAG & Grounding",
   "full_title": "Google Vertex AI RAG & Grounding",
   "publisher": "Google LLC",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://cloud.google.com/vertex-ai/docs/generative-ai/grounding/overview",
   "published_date": "2024",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "knowledge"
   ],
   "status": "current"
  },
  {
   "source_id": "ibm_ai_fairness_360_2021",
   "title": "IBM AI Fairness 360 (AIF360)",
   "full_title": "AI Fairness 360 (AIF360) \u2014 open-source toolkit of fairness metrics and bias mitigation algorithms",
   "publisher": "IBM Corporation",
   "publisher_type": "vendor",
   "version": "2018",
   "canonical_url": "https://github.com/Trusted-AI/AIF360",
   "published_date": "2018-09-19",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "ethics"
   ],
   "status": "current",
   "notes": "Released by IBM Research in September 2018; hosted under the LF AI & Data Foundation (Trusted-AI) since 2020. Distinct from IBM Watson OpenScale."
  },
  {
   "source_id": "ietf_rfc_6749_oauth2",
   "title": "OAuth 2.0 Authorization Framework (RFC 6749)",
   "full_title": "OAuth 2.0 Authorization Framework (RFC 6749)",
   "publisher": "IETF OAuth Working Group",
   "publisher_type": "standards-body",
   "version": "RFC 6749",
   "canonical_url": "https://www.rfc-editor.org/rfc/rfc6749",
   "published_date": "2012-10-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "identity"
   ],
   "status": "current"
  },
  {
   "source_id": "ietf_rfc_9449_dpop",
   "title": "RFC 9449 \u2014 OAuth 2.0 Demonstrating Proof of Possession (DPoP)",
   "full_title": "RFC 9449 \u2014 OAuth 2.0 Demonstrating Proof of Possession (DPoP)",
   "publisher": "IETF",
   "publisher_type": "standards-body",
   "version": "RFC 9449",
   "canonical_url": "https://www.rfc-editor.org/rfc/rfc9449",
   "published_date": "2023-09-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "identity"
   ],
   "status": "current"
  },
  {
   "source_id": "iso_42005_2025",
   "title": "ISO/IEC 42005:2025",
   "full_title": "ISO/IEC 42005:2025 \u2014 Information technology \u2014 Artificial intelligence \u2014 AI system impact assessment",
   "publisher": "ISO/IEC",
   "publisher_type": "standards-body",
   "version": "2025",
   "canonical_url": "https://www.iso.org/standard/42005",
   "published_date": "2025-05-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "periodic-review",
   "primary_domains": [
    "model"
   ],
   "status": "current"
  },
  {
   "source_id": "iso_5259_1_2024",
   "title": "ISO/IEC 5259-1:2024 \u2014 Data Quality for Analytics and ML \u2014 Part 1",
   "full_title": "ISO/IEC 5259-1:2024 \u2014 Artificial intelligence \u2014 Data quality for analytics and machine learning (ML) \u2014 Part 1: Overview, terminology, and examples",
   "publisher": "International Organization for Standardization / International Electrotechnical Commission",
   "publisher_type": "standards-body",
   "version": "2024",
   "canonical_url": "https://www.iso.org/standard/81088.html",
   "published_date": "2024-07-01",
   "effective_date": "2024-07-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "data"
   ],
   "status": "current"
  },
  {
   "source_id": "itil4_service_level_mgmt",
   "title": "ITIL 4 \u2014 Service Level Management",
   "full_title": "ITIL 4 \u2014 Service Level Management",
   "publisher": "PeopleCert (Axelos)",
   "publisher_type": "vendor",
   "version": "4",
   "canonical_url": "https://www.axelos.com/certifications/itil-service-management",
   "published_date": "2019-02-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "authority"
   ],
   "status": "current"
  },
  {
   "source_id": "meta_llama_responsible_use_2024",
   "title": "Meta Llama Responsible Use Guide",
   "full_title": "Responsible Use Guide (Meta Llama)",
   "publisher": "Meta Platforms, Inc.",
   "publisher_type": "vendor",
   "version": "2023",
   "canonical_url": "https://www.llama.com/responsible-use-guide/",
   "published_date": "2023-07-18",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "ethics"
   ],
   "status": "current",
   "notes": "Originally released July 2023 alongside Llama 2. The Llama Acceptable Use Policy (llama.com/use-policy) is a separate document."
  },
  {
   "source_id": "microsoft_azure_ai_search_2024",
   "title": "Microsoft Azure AI Search & Grounding",
   "full_title": "Microsoft Azure AI Search & Grounding",
   "publisher": "Microsoft Corporation",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://learn.microsoft.com/en-us/azure/search/",
   "published_date": "2024",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "knowledge"
   ],
   "status": "current"
  },
  {
   "source_id": "microsoft_azure_reliability_2024",
   "title": "Microsoft Azure Resiliency & BCDR",
   "full_title": "Microsoft Azure Resiliency & BCDR",
   "publisher": "Microsoft Corporation",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://learn.microsoft.com/en-us/azure/reliability/overview",
   "published_date": "2024-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "resilience"
   ],
   "status": "current"
  },
  {
   "source_id": "microsoft_purview_compliance_2024",
   "title": "Microsoft Purview Compliance Manager",
   "full_title": "Microsoft Purview Compliance Manager",
   "publisher": "Microsoft Corporation",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://learn.microsoft.com/en-us/purview/compliance-manager",
   "published_date": "2024-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "compliance"
   ],
   "status": "current"
  },
  {
   "source_id": "microsoft_purview_data_governance_2024",
   "title": "Microsoft Purview (Data Governance)",
   "full_title": "Microsoft Purview (Data Governance)",
   "publisher": "Microsoft Corporation",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://learn.microsoft.com/en-us/purview/purview",
   "published_date": "2024-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "data"
   ],
   "status": "current"
  },
  {
   "source_id": "microsoft_rai_standard_v2_2022",
   "title": "Microsoft Responsible AI Standard v2",
   "full_title": "Microsoft Responsible AI Standard v2",
   "publisher": "Microsoft Corporation",
   "publisher_type": "vendor",
   "version": "2",
   "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
   "published_date": "2022-06-21",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "agentic",
    "authority",
    "ethics",
    "finance",
    "privacy"
   ],
   "status": "current"
  },
  {
   "source_id": "mitchell_2019",
   "title": "Model Cards for Model Reporting",
   "full_title": "Model Cards for Model Reporting (Mitchell et al., 2019)",
   "publisher": "Google Research",
   "publisher_type": "academic",
   "version": "2019",
   "canonical_url": "https://arxiv.org/abs/1810.03993",
   "published_date": "2019-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "model"
   ],
   "status": "current"
  },
  {
   "source_id": "nist_ai_100_4",
   "title": "NIST AI 100-4",
   "full_title": "NIST AI 100-4 \u2014 Reducing Risks Posed by Synthetic Content: An Overview of Technical Approaches to Digital Content Transparency",
   "publisher": "National Institute of Standards and Technology (NIST)",
   "publisher_type": "government",
   "version": "1.0",
   "canonical_url": "https://www.nist.gov/publications/reducing-risks-posed-synthetic-content-overview-technical-approaches-digital-content",
   "published_date": "2024-11-20",
   "effective_date": null,
   "jurisdiction": [
    "us"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "model"
   ],
   "status": "current"
  },
  {
   "source_id": "nyc_ll144_2021",
   "title": "NYC Local Law 144 \u2014 Automated Employment Decision Tools",
   "full_title": "NYC Local Law 144 \u2014 Automated Employment Decision Tools",
   "publisher": "New York City Council",
   "publisher_type": "government",
   "version": "2021",
   "canonical_url": "https://legistar.council.nyc.gov/LegislationDetail.aspx?ID=4344524",
   "published_date": "2021-12-11",
   "effective_date": null,
   "jurisdiction": [
    "us-ny"
   ],
   "normative_force": "binding-law",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "ethics"
   ],
   "status": "current"
  },
  {
   "source_id": "occ_2024_7",
   "title": "OCC Comptroller's Handbook \u2014 Model Risk Management",
   "full_title": "Comptroller's Handbook, Safety and Soundness: Model Risk Management, Version 1.0",
   "publisher": "Office of the Comptroller of the Currency (OCC)",
   "publisher_type": "government",
   "version": "1.0",
   "canonical_url": "https://www.occ.gov/publications-and-resources/publications/comptrollers-handbook/files/model-risk-management/index-model-risk-management.html",
   "published_date": "2021-08-18",
   "effective_date": null,
   "jurisdiction": [
    "us"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "finance"
   ],
   "status": "current",
   "notes": "Examiner guidance for model risk management at national banks; the OCC co-issued the 2026 revised interagency model risk management guidance (SR 26-2 at the Federal Reserve). Replaces a fabricated 'OCC Bulletin 2024-7 AI Risk Management' citation \u2014 the real Bulletin 2024-7 is a FOIA NPRM (2024-02-26)."
  },
  {
   "source_id": "oidc_federation_1_0",
   "title": "OpenID Federation 1.0",
   "full_title": "OpenID Federation 1.0",
   "publisher": "OpenID Foundation",
   "publisher_type": "vendor",
   "version": "1.0 (Final)",
   "canonical_url": "https://openid.net/specs/openid-federation-1_0.html",
   "published_date": "2026-02-17",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "identity"
   ],
   "status": "current"
  },
  {
   "source_id": "okta_authz_server_2025",
   "title": "Okta Authorization Servers & Fine-Grained Authorization",
   "full_title": "Okta Authorization Servers & Fine-Grained Authorization",
   "publisher": "Okta, Inc.",
   "publisher_type": "vendor",
   "version": "2025",
   "canonical_url": "https://developer.okta.com/docs/concepts/auth-servers/",
   "published_date": "2025-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "authority"
   ],
   "status": "current"
  },
  {
   "source_id": "okta_financial_services_access_2025",
   "title": "Okta for Financial Services",
   "full_title": "Okta for Financial Services (solutions page; anchors cite Okta System Log, access management, Adaptive MFA, and Okta Privileged Access product documentation)",
   "publisher": "Okta, Inc.",
   "publisher_type": "vendor",
   "version": "2025",
   "canonical_url": "https://www.okta.com/solutions/financial-services/",
   "published_date": "2025-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "finance"
   ],
   "status": "current",
   "notes": "Published date is year precision; the solutions page carries no formal publication date."
  },
  {
   "source_id": "okta_identity_governance_2025",
   "title": "Okta Identity Governance",
   "full_title": "Okta Identity Governance",
   "publisher": "Okta, Inc.",
   "publisher_type": "vendor",
   "version": "2025",
   "canonical_url": "https://www.okta.com/products/identity-governance/",
   "published_date": "2025-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "compliance"
   ],
   "status": "current"
  },
  {
   "source_id": "okta_nhi_agent_identity_2025",
   "title": "Secure and Govern Non-Human Identities (NHIs) at Scale",
   "full_title": "Secure and Govern Non-Human Identities (NHIs) at Scale",
   "publisher": "Okta, Inc.",
   "publisher_type": "vendor",
   "version": "2025",
   "canonical_url": "https://www.okta.com/solutions/protect-non-human-identities/",
   "published_date": "2025-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "identity",
    "privacy"
   ],
   "status": "current"
  },
  {
   "source_id": "opa_rego_docs_2024",
   "title": "Open Policy Agent \u2014 Policy Language and Documentation",
   "full_title": "Open Policy Agent \u2014 Policy Language and Documentation",
   "publisher": "Cloud Native Computing Foundation (CNCF) / Styra Inc.",
   "publisher_type": "vendor",
   "version": "0.68",
   "canonical_url": "https://www.openpolicyagent.org/docs/",
   "published_date": "2024-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "authority"
   ],
   "status": "current"
  },
  {
   "source_id": "openai_enterprise_policies_2024",
   "title": "OpenAI Enterprise Privacy",
   "full_title": "OpenAI Enterprise Privacy",
   "publisher": "OpenAI, L.L.C.",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://openai.com/enterprise-privacy/",
   "published_date": "2024-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "compliance",
    "finance"
   ],
   "status": "current"
  },
  {
   "source_id": "openai_model_spec_2024",
   "title": "OpenAI Model Specification",
   "full_title": "OpenAI Model Specification",
   "publisher": "OpenAI, L.L.C.",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://cdn.openai.com/spec/model-spec-2024-05-08.html",
   "published_date": "2024-05-08",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "ethics"
   ],
   "status": "current"
  },
  {
   "source_id": "openai_privacy_dpa_2024",
   "title": "OpenAI Privacy Policy & Data Processing Addendum",
   "full_title": "OpenAI Privacy Policy & Data Processing Addendum",
   "publisher": "OpenAI, L.L.C.",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://openai.com/policies/privacy-policy",
   "published_date": "2024-03-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "privacy"
   ],
   "status": "current"
  },
  {
   "source_id": "openai_system_cards_2024",
   "title": "OpenAI System Cards & Transparency",
   "full_title": "OpenAI System Cards & Transparency",
   "publisher": "OpenAI, L.L.C.",
   "publisher_type": "vendor",
   "version": "2024",
   "canonical_url": "https://openai.com/index/gpt-4-system-card/",
   "published_date": "2023-03-14",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "knowledge"
   ],
   "status": "current"
  },
  {
   "source_id": "openid_connect_core_1_0",
   "title": "OpenID Connect Core 1.0",
   "full_title": "OpenID Connect Core 1.0",
   "publisher": "OpenID Foundation",
   "publisher_type": "standards-body",
   "version": "1.0 (errata set 2)",
   "canonical_url": "https://openid.net/specs/openid-connect-core-1_0.html",
   "published_date": "2023-12-15",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "identity"
   ],
   "status": "current"
  },
  {
   "source_id": "openlineage_spec_1_0",
   "title": "OpenLineage \u2014 Open Standard for Data Lineage",
   "full_title": "OpenLineage \u2014 Open Standard for Data Lineage (LF AI & Data graduated project, September 2023)",
   "publisher": "OpenLineage (LF AI & Data Foundation)",
   "publisher_type": "industry-body",
   "version": "1.0.0",
   "canonical_url": "https://openlineage.io/",
   "published_date": "2023-08-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "data",
    "knowledge"
   ],
   "status": "current",
   "url_verified": true
  },
  {
   "source_id": "owasp_aisvs_v1",
   "title": "OWASP AI Security Verification Standard v1.0",
   "full_title": "OWASP AI Security Verification Standard v1.0",
   "publisher": "Open Worldwide Application Security Project (OWASP)",
   "publisher_type": "standards-body",
   "version": "1.0",
   "canonical_url": "https://github.com/OWASP/AISVS",
   "published_date": "2026-06-24",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "agentic",
    "model"
   ],
   "status": "current"
  },
  {
   "source_id": "ping_machine_identity_2026",
   "title": "Ping Identity: Identity for AI",
   "full_title": "Identity for AI \u2014 Ping Identity agentic AI identity guidance",
   "publisher": "Ping Identity",
   "publisher_type": "vendor",
   "version": "2026",
   "canonical_url": "https://www.pingidentity.com/en/solution/agentic-ai-identity.html",
   "published_date": "2026",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "identity"
   ],
   "status": "current",
   "notes": "Undated vendor marketing/solution page; year-precision date. Formerly listed with a fabricated 2026-03-24 date and Thales as owner (Thales is a partner; Ping Identity is Thoma Bravo-owned)."
  },
  {
   "source_id": "quebec_law_25_2021",
   "title": "Quebec Act Respecting the Protection of Personal Information in the Private Sector (Law 25)",
   "full_title": "Quebec Act Respecting the Protection of Personal Information in the Private Sector (Law 25)",
   "publisher": "Assembl\u00e9e nationale du Qu\u00e9bec",
   "publisher_type": "government",
   "version": "2021",
   "canonical_url": "https://www.legisquebec.gouv.qc.ca/en/document/cs/P-39.1",
   "published_date": "2021-09-22",
   "effective_date": null,
   "jurisdiction": [
    "ca"
   ],
   "normative_force": "binding-law",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "privacy"
   ],
   "status": "current"
  },
  {
   "source_id": "rfc_9700_oauth_bcp",
   "title": "OAuth 2.0 Security Best Current Practice (RFC 9700)",
   "full_title": "OAuth 2.0 Security Best Current Practice (RFC 9700)",
   "publisher": "IETF OAuth Working Group",
   "publisher_type": "vendor",
   "version": "RFC 9700",
   "canonical_url": "https://www.rfc-editor.org/rfc/rfc9700",
   "published_date": "2025-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "identity"
   ],
   "status": "current"
  },
  {
   "source_id": "salesforce_einstein_trust_layer_2024",
   "title": "Salesforce Einstein Trust Layer",
   "full_title": "Salesforce Einstein Trust Layer",
   "publisher": "Salesforce, Inc.",
   "publisher_type": "vendor",
   "version": "2023",
   "canonical_url": "https://help.salesforce.com/s/articleView?id=ai.generative_ai_trust_arch.htm",
   "published_date": "2023-06-12",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "agentic"
   ],
   "status": "current",
   "notes": "Announced 2023-06-12; generally available fall 2023. Replaces prior dead salesforce.com/products URL and 2024-01-01 placeholder date."
  },
  {
   "source_id": "sec_predictive_analytics_2023",
   "title": "SEC \u2014 Conflicts of Interest Associated with the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers",
   "full_title": "SEC \u2014 Conflicts of Interest Associated with the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers",
   "publisher": "U.S. Securities and Exchange Commission (SEC)",
   "publisher_type": "government",
   "version": "34-97990 (2023 proposed; withdrawn 2025-06-12)",
   "canonical_url": "https://www.sec.gov/rules/proposed/2023/34-97990.pdf",
   "published_date": "2023-07-26",
   "effective_date": null,
   "jurisdiction": [
    "us"
   ],
   "normative_force": "informative-reference",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "finance"
   ],
   "status": "withdrawn",
   "notes": "Proposed rule only \u2014 never adopted; formally withdrawn by the Commission on 2025-06-12. Retained for historical context."
  },
  {
   "source_id": "sigstore_rekor",
   "title": "Sigstore Rekor \u2014 Immutable Transparency Log",
   "full_title": "Sigstore Rekor \u2014 Immutable Transparency Log",
   "publisher": "Sigstore Project (OpenSSF)",
   "publisher_type": "vendor",
   "version": "1.3.0",
   "canonical_url": "https://docs.sigstore.dev/logging/overview/",
   "published_date": "2024-01-15",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "model"
   ],
   "status": "current"
  },
  {
   "source_id": "uk_duaa_2025",
   "title": "Data (Use and Access) Act 2025 (UK DUAA)",
   "full_title": "Data (Use and Access) Act 2025",
   "publisher": "UK Parliament",
   "publisher_type": "government",
   "version": "2025 c. 18",
   "canonical_url": "https://www.legislation.gov.uk/ukpga/2025/18",
   "published_date": "2025-06-19",
   "effective_date": "2025-06-19",
   "jurisdiction": [
    "uk"
   ],
   "normative_force": "binding-law",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "privacy"
   ],
   "status": "current"
  },
  {
   "source_id": "anthropic_zt_agents",
   "title": "Zero Trust for AI Agents",
   "full_title": "Zero Trust for AI Agents \u2014 A security framework for deploying autonomous AI agents in the enterprise",
   "publisher": "Anthropic",
   "publisher_type": "vendor",
   "version": "2026-05-18",
   "canonical_url": "input/anthropic-zero-trust-ai-agents-2026.pdf (Anthropic eBook, 2026-05-18; public eBook URL not embedded in the artifact)",
   "published_date": "2026-05-18",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "versioned",
   "primary_domains": [
    "security",
    "agentic",
    "identity"
   ],
   "status": "current",
   "notes": "Anthropic's current thinking on agent security architecture; explicitly offered as a framework for your own evaluation, not as legal, compliance, or security assurance. Tiered (Foundation/Enterprise/Advanced) Zero Trust framework + 8-phase agent implementation workflow. Anchor file: anchors/anthropic_zt_agents.json (titles mode).",
   "url_verified": false
  },
  {
   "source_id": "ms_ifc_agents",
   "title": "Information-flow control: Moving toward secure, autonomous agents",
   "full_title": "Information-flow control: Moving toward secure, autonomous agents (Microsoft Command Line)",
   "publisher": "Microsoft",
   "publisher_type": "vendor",
   "version": "2026",
   "canonical_url": "https://commandline.microsoft.com/information-flow-control-moving-toward-secure-autonomous-agents/",
   "effective_date": null,
   "retrieved_on": "2026-07-03",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security",
    "agentic",
    "data"
   ],
   "status": "current",
   "notes": "Microsoft Command Line engineering/research thought-leadership by Santiago Zanella-B\u00e9guelin, Shruti Tople, Mark Russinovich, Aashish Kolluri, Boris K\u00f6pf, and Manuel Costa (undated; retrieved 2026-07-03). Describes information-flow control (IFC) for agents as a deterministic three-step control \u2014 label data (integrity: trusted/untrusted; confidentiality: public/confidential/read-access list), propagate labels, and check before each tool call via a policy engine (allow/block/human review). Covers IFC integration into MCP via the _meta field, OPA Rego policy advertisement, the Fides Gateway (open-source MCP gateway), SecureAgentConfig in Microsoft Agent Framework, and the Dual LLM / Quarantined LLM pattern for untrusted data. Best-practice: vendor thought-leadership describing a research/experimental direction (\"moving toward\"), not a standard or certification. Anchor file: anchors/ms_ifc_agents.json (titles mode).",
   "url_verified": true
  },
  {
   "source_id": "databricks_omnigent_2026",
   "title": "Databricks Omnigent \u2014 Contextual Policies",
   "full_title": "Contextual Policies in Omnigent: Using session state to better govern AI agents",
   "publisher": "Databricks",
   "publisher_type": "vendor",
   "version": "2026-07-07",
   "canonical_url": "https://www.databricks.com/blog/contextual-policies-omnigent-using-session-state-better-govern-ai-agents",
   "published_date": "2026-07-07",
   "effective_date": "2026-07-07",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "agentic",
    "identity",
    "authority"
   ],
   "status": "current"
  },
  {
   "source_id": "owasp_aivss",
   "title": "OWASP AIVSS v0.8",
   "full_title": "AIVSS Scoring System For OWASP Agentic AI Core Security Risks v0.8",
   "publisher": "OWASP",
   "publisher_type": "industry-body",
   "version": "0.8",
   "canonical_url": "https://aivss.owasp.org/",
   "published_date": "2026-01-01",
   "effective_date": "2026-01-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "versioned",
   "primary_domains": [
    "agentic",
    "security"
   ],
   "status": "draft",
   "retrieved_on": "2026-07-08",
   "notes": "v0.8 draft (pre-1.0). Publication date not stated in the PDF; approximated to 2026. AIVSS is a risk-SCORING methodology (Agentic AI Risk Score / AARS, amplification model, CVSS v4.0 baseline) over the OWASP Agentic AI Core Security Risks; its Appendix B crosswalks its 10 risks to the OWASP Agentic Security Initiative top-10 (owasp_asi_2026, already ingested)."
  },
  {
   "source_id": "nist_ai_100_2",
   "title": "NIST AI 100-2e2025",
   "full_title": "Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations (NIST AI 100-2e2025)",
   "publisher": "National Institute of Standards and Technology",
   "publisher_type": "standards-body",
   "version": "100-2e2025",
   "canonical_url": "https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-2e2025.pdf",
   "published_date": "2025-03-20",
   "effective_date": "2025-03-20",
   "jurisdiction": [
    "United States"
   ],
   "normative_force": "informative-reference",
   "update_cadence": "versioned",
   "primary_domains": [
    "security",
    "model",
    "agentic"
   ],
   "status": "current",
   "retrieved_on": "2026-07-08"
  },
  {
   "source_id": "owasp_ml_top10",
   "title": "OWASP ML Security Top 10",
   "full_title": "OWASP Machine Learning Security Top 10 (2023)",
   "publisher": "OWASP Foundation",
   "publisher_type": "community",
   "version": "2023",
   "canonical_url": "https://owasp.org/www-project-machine-learning-security-top-10/",
   "published_date": "2023-01-01",
   "effective_date": "2023-01-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "versioned",
   "primary_domains": [
    "model",
    "security"
   ],
   "status": "draft",
   "retrieved_on": "2026-07-08"
  },
  {
   "source_id": "etsi_gr_sai_005",
   "title": "ETSI GR SAI 005",
   "full_title": "ETSI GR SAI 005 V1.1.1 \u2014 Securing Artificial Intelligence (SAI); Mitigation Strategy Report",
   "publisher": "ETSI",
   "publisher_type": "standards-body",
   "version": "V1.1.1",
   "canonical_url": "https://www.etsi.org/deliver/etsi_gr/SAI/001_099/005/01.01.01_60/gr_SAI005v010101p.pdf",
   "published_date": "2021-03-01",
   "effective_date": "2021-03-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "versioned",
   "primary_domains": [
    "security",
    "model"
   ],
   "status": "current",
   "retrieved_on": "2026-07-08",
   "notes": "ETSI Group Report (informative survey), not a normative deliverable."
  },
  {
   "source_id": "ncsc_cisa_secure_ai_2023",
   "title": "NCSC/CISA Secure AI Dev Guidelines",
   "full_title": "Guidelines for Secure AI System Development (NCSC/CISA joint, 2023)",
   "publisher": "UK NCSC & US CISA (joint, international)",
   "publisher_type": "government-agency",
   "version": "2023",
   "canonical_url": "https://www.ncsc.gov.uk/files/Guidelines-for-secure-AI-system-development.pdf",
   "published_date": "2023-11-27",
   "effective_date": "2023-11-27",
   "jurisdiction": [
    "international"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security",
    "model",
    "agentic"
   ],
   "status": "current",
   "retrieved_on": "2026-07-08"
  },
  {
   "source_id": "plot4ai",
   "title": "PLOT4ai Threat Library",
   "full_title": "PLOT4ai \u2014 Practical Library Of Threats 4 Artificial Intelligence",
   "publisher": "PLOT4ai",
   "publisher_type": "community",
   "version": "1.0",
   "canonical_url": "https://plot4.ai/library",
   "published_date": "2022-01-01",
   "effective_date": "2022-01-01",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "privacy",
    "ethics",
    "agentic"
   ],
   "status": "current",
   "retrieved_on": "2026-07-08",
   "notes": "138 threats across 8 categories; version/date not stated on the page (approximated)."
  },
  {
   "source_id": "biml_llm_ara",
   "title": "BIML LLM Risk Analysis",
   "full_title": "BIML \u2014 An Architectural Risk Analysis of Large Language Models (2024)",
   "publisher": "Berryville Institute of Machine Learning (BIML)",
   "publisher_type": "research-institute",
   "version": "2024",
   "canonical_url": "https://berryvilleiml.com/docs/BIML-LLM24.pdf",
   "published_date": "2024-01-24",
   "effective_date": "2024-01-24",
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "model",
    "security"
   ],
   "status": "current",
   "retrieved_on": "2026-07-08"
  },
  {
   "source_id": "bsi_ai_fundamentals",
   "title": "BSI Security of AI-Systems: Fundamentals",
   "full_title": "BSI \u2014 Security of AI-Systems: Fundamentals (Adversarial Deep Learning)",
   "publisher": "Federal Office for Information Security (BSI), Germany",
   "publisher_type": "government-agency",
   "version": "0.9",
   "canonical_url": "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/KI/Security-of-AI-systems_fundamentals.pdf",
   "published_date": "2022-06-14",
   "effective_date": "2022-06-14",
   "jurisdiction": [
    "Germany",
    "EU"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "ad-hoc",
   "primary_domains": [
    "security",
    "model"
   ],
   "status": "current",
   "retrieved_on": "2026-07-08"
  },
  {
   "source_id": "owasp_ai_exchange",
   "title": "OWASP AI Exchange",
   "full_title": "OWASP AI Exchange \u2014 comprehensive framework of AI threats, controls, and best practices",
   "publisher": "OWASP Foundation",
   "publisher_type": "industry-body",
   "version": "continuously-updated",
   "canonical_url": "https://owaspai.org/",
   "published_date": "2024-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "continuous",
   "primary_domains": [
    "security",
    "model",
    "data",
    "privacy",
    "ethics"
   ],
   "status": "current",
   "notes": "OWASP Flagship project; feeds ISO/IEC 27090 & 27091 and the EU AI Act (liaison), linked via OpenCRE. Retrieved 2026-07-08."
  },
  {
   "source_id": "opencre",
   "title": "OpenCRE",
   "full_title": "OpenCRE \u2014 Open Common Requirement Enumeration (cross-standard requirement mapping)",
   "publisher": "OWASP Foundation",
   "publisher_type": "industry-body",
   "version": "continuously-updated",
   "canonical_url": "https://www.opencre.org/",
   "published_date": "2021-01-01",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "continuous",
   "primary_domains": [
    "security",
    "model",
    "data"
   ],
   "status": "current",
   "url_verified": true,
   "retrieved_on": "2026-07-08",
   "notes": "OWASP project we CONSUME as the cross-standard crosswalk source-of-truth (opencre_crosswalk.json): links OWASP AI Exchange controls to the equivalent MITRE ATLAS / NIST AI 100-2 / ETSI / OWASP requirements. We import it rather than hand-maintain a parallel crosswalk; re-imported on cadence via `npm run opencre:fetch` (AP-36/AP-37). Reference resource, not written as control citations."
  },
  {
   "source_id": "sans_ai_security_guidelines",
   "title": "SANS Critical AI Security Guidelines",
   "full_title": "SANS Critical AI Security Guidelines",
   "publisher": "SANS Institute",
   "publisher_type": "industry-body",
   "version": "1.0",
   "canonical_url": "https://www.sans.org/mlp/critical-ai-security-guidelines/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "security",
    "model"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "SANS Institute AI security guidelines (gated PDF; landing page only). Registered as a partner/reference resource; control mappings pending primary-text ingestion per Rule 11 (no citation without retrieval) \u2014 AP-35. Aligns with OWASP AI security guidance."
  },
  {
   "source_id": "pipl",
   "title": "Personal Information Protection Law (PIPL)",
   "full_title": "Personal Information Protection Law (PIPL)",
   "publisher": "National People\u2019s Congress (China)",
   "publisher_type": "government",
   "version": "current",
   "canonical_url": "https://www.gov.cn/xinwen/2021-08/20/content_5632486.htm",
   "effective_date": null,
   "jurisdiction": [
    "china"
   ],
   "normative_force": "binding-law",
   "update_cadence": "periodic",
   "primary_domains": [
    "privacy"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "quebec_law25",
   "title": "Quebec Law 25 (Act to modernize legislative provisions on the protection of personal information)",
   "full_title": "Quebec Law 25 (Act to modernize legislative provisions on the protection of personal information)",
   "publisher": "Government of Quebec",
   "publisher_type": "government",
   "version": "current",
   "canonical_url": "https://www.legisquebec.gouv.qc.ca/en/document/cs/P-39.1",
   "effective_date": null,
   "jurisdiction": [
    "canada"
   ],
   "normative_force": "binding-law",
   "update_cadence": "periodic",
   "primary_domains": [
    "privacy"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "eu_data_act",
   "title": "EU Data Act (Regulation (EU) 2023/2854)",
   "full_title": "EU Data Act (Regulation (EU) 2023/2854)",
   "publisher": "European Union",
   "publisher_type": "government",
   "version": "current",
   "canonical_url": "https://eur-lex.europa.eu/eli/reg/2023/2854/oj",
   "effective_date": null,
   "jurisdiction": [
    "eu"
   ],
   "normative_force": "binding-law",
   "update_cadence": "periodic",
   "primary_domains": [
    "data"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "eu_data_gov_act",
   "title": "EU Data Governance Act (Regulation (EU) 2022/868)",
   "full_title": "EU Data Governance Act (Regulation (EU) 2022/868)",
   "publisher": "European Union",
   "publisher_type": "government",
   "version": "current",
   "canonical_url": "https://eur-lex.europa.eu/eli/reg/2022/868/oj",
   "effective_date": null,
   "jurisdiction": [
    "eu"
   ],
   "normative_force": "binding-law",
   "update_cadence": "periodic",
   "primary_domains": [
    "data",
    "privacy"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "occ_ai",
   "title": "OCC Model Risk Management / AI supervisory guidance",
   "full_title": "OCC Model Risk Management / AI supervisory guidance",
   "publisher": "Office of the Comptroller of the Currency",
   "publisher_type": "government-agency",
   "version": "current",
   "canonical_url": "https://www.occ.gov/",
   "effective_date": null,
   "jurisdiction": [
    "usa"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "periodic",
   "primary_domains": [
    "finance"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "ffiec",
   "title": "FFIEC IT Examination / AI guidance",
   "full_title": "FFIEC IT Examination / AI guidance",
   "publisher": "Federal Financial Institutions Examination Council",
   "publisher_type": "government-agency",
   "version": "current",
   "canonical_url": "https://www.ffiec.gov/",
   "effective_date": null,
   "jurisdiction": [
    "usa"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "periodic",
   "primary_domains": [
    "finance"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "finra",
   "title": "FINRA guidance on AI in the securities industry",
   "full_title": "FINRA guidance on AI in the securities industry",
   "publisher": "Financial Industry Regulatory Authority",
   "publisher_type": "government-agency",
   "version": "current",
   "canonical_url": "https://www.finra.org/",
   "effective_date": null,
   "jurisdiction": [
    "usa"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "periodic",
   "primary_domains": [
    "finance"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "sec_ai",
   "title": "SEC rules and guidance on AI / predictive analytics",
   "full_title": "SEC rules and guidance on AI / predictive analytics",
   "publisher": "U.S. Securities and Exchange Commission",
   "publisher_type": "government-agency",
   "version": "current",
   "canonical_url": "https://www.sec.gov/",
   "effective_date": null,
   "jurisdiction": [
    "usa"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "periodic",
   "primary_domains": [
    "finance"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "eeoc_ai",
   "title": "EEOC guidance on AI and employment discrimination",
   "full_title": "EEOC guidance on AI and employment discrimination",
   "publisher": "U.S. Equal Employment Opportunity Commission",
   "publisher_type": "government-agency",
   "version": "current",
   "canonical_url": "https://www.eeoc.gov/",
   "effective_date": null,
   "jurisdiction": [
    "usa"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "periodic",
   "primary_domains": [
    "ethics"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "doj_ai",
   "title": "DOJ guidance on AI (civil rights / ADA)",
   "full_title": "DOJ guidance on AI (civil rights / ADA)",
   "publisher": "U.S. Department of Justice",
   "publisher_type": "government-agency",
   "version": "current",
   "canonical_url": "https://www.justice.gov/",
   "effective_date": null,
   "jurisdiction": [
    "usa"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "periodic",
   "primary_domains": [
    "ethics"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "ftc_ai",
   "title": "FTC guidance and enforcement on AI",
   "full_title": "FTC guidance and enforcement on AI",
   "publisher": "U.S. Federal Trade Commission",
   "publisher_type": "government-agency",
   "version": "current",
   "canonical_url": "https://www.ftc.gov/business-guidance/blog",
   "effective_date": null,
   "jurisdiction": [
    "usa"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "periodic",
   "primary_domains": [
    "ethics"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "cnil_ai",
   "title": "CNIL recommendations on AI and data protection",
   "full_title": "CNIL recommendations on AI and data protection",
   "publisher": "Commission Nationale de l\u2019Informatique et des Libert\u00e9s",
   "publisher_type": "government-agency",
   "version": "current",
   "canonical_url": "https://www.cnil.fr/en/ai",
   "effective_date": null,
   "jurisdiction": [
    "france",
    "eu"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "periodic",
   "primary_domains": [
    "privacy"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "enisa_ai",
   "title": "ENISA guidance on securing AI",
   "full_title": "ENISA guidance on securing AI",
   "publisher": "European Union Agency for Cybersecurity (ENISA)",
   "publisher_type": "government-agency",
   "version": "current",
   "canonical_url": "https://www.enisa.europa.eu/topics/iot-and-smart-infrastructures/artificial-intelligence",
   "effective_date": null,
   "jurisdiction": [
    "eu"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "periodic",
   "primary_domains": [
    "resilience"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "c2pa",
   "title": "C2PA Content Provenance and Authenticity specification",
   "full_title": "C2PA Content Provenance and Authenticity specification",
   "publisher": "Coalition for Content Provenance and Authenticity",
   "publisher_type": "standards-body",
   "version": "current",
   "canonical_url": "https://c2pa.org/specifications/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "periodic",
   "primary_domains": [
    "knowledge"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "fedramp_20x",
   "title": "FedRAMP 20x",
   "full_title": "FedRAMP 20x",
   "publisher": "U.S. General Services Administration (FedRAMP)",
   "publisher_type": "government-agency",
   "version": "current",
   "canonical_url": "https://www.fedramp.gov/",
   "effective_date": null,
   "jurisdiction": [
    "usa"
   ],
   "normative_force": "certification-standard",
   "update_cadence": "periodic",
   "primary_domains": [
    "compliance"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "oidc_federation",
   "title": "OpenID Connect Federation 1.0",
   "full_title": "OpenID Connect Federation 1.0",
   "publisher": "OpenID Foundation",
   "publisher_type": "standards-body",
   "version": "current",
   "canonical_url": "https://openid.net/specs/openid-federation-1_0.html",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "periodic",
   "primary_domains": [
    "identity"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "fapi_2_0",
   "title": "FAPI 2.0 Security Profile",
   "full_title": "FAPI 2.0 Security Profile",
   "publisher": "OpenID Foundation",
   "publisher_type": "standards-body",
   "version": "current",
   "canonical_url": "https://openid.net/specs/fapi-2_0-security-profile.html",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "periodic",
   "primary_domains": [
    "identity"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "oauth_bcp",
   "title": "OAuth 2.0 Security Best Current Practice",
   "full_title": "OAuth 2.0 Security Best Current Practice",
   "publisher": "IETF",
   "publisher_type": "standards-body",
   "version": "current",
   "canonical_url": "https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "voluntary-standard",
   "update_cadence": "periodic",
   "primary_domains": [
    "identity"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "openlineage",
   "title": "OpenLineage data-lineage specification",
   "full_title": "OpenLineage data-lineage specification",
   "publisher": "LF AI & Data Foundation",
   "publisher_type": "standards-body",
   "version": "current",
   "canonical_url": "https://openlineage.io/docs/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "periodic",
   "primary_domains": [
    "data",
    "knowledge"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "data_contract_spec",
   "title": "Data Contract Specification",
   "full_title": "Data Contract Specification",
   "publisher": "Data Contract Specification (open source)",
   "publisher_type": "industry-body",
   "version": "current",
   "canonical_url": "https://datacontract.com/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "periodic",
   "primary_domains": [
    "data"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "csa_ai_caiq",
   "title": "CSA AI Consensus Assessment Initiative Questionnaire (AI-CAIQ)",
   "full_title": "CSA AI Consensus Assessment Initiative Questionnaire (AI-CAIQ)",
   "publisher": "Cloud Security Alliance",
   "publisher_type": "industry-body",
   "version": "current",
   "canonical_url": "https://cloudsecurityalliance.org/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "periodic",
   "primary_domains": [
    "compliance"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "opa_rego",
   "title": "Open Policy Agent (OPA) / Rego policy language",
   "full_title": "Open Policy Agent (OPA) / Rego policy language",
   "publisher": "Cloud Native Computing Foundation (OPA)",
   "publisher_type": "industry-body",
   "version": "current",
   "canonical_url": "https://www.openpolicyagent.org/docs/latest/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "authority"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "microsoft_rai",
   "title": "Microsoft Responsible AI Standard",
   "full_title": "Microsoft Responsible AI Standard",
   "publisher": "Microsoft",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "periodic",
   "primary_domains": [
    "agentic",
    "authority",
    "ethics",
    "finance",
    "privacy"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "google_saif",
   "title": "Google Secure AI Framework (SAIF)",
   "full_title": "Google Secure AI Framework (SAIF)",
   "publisher": "Google",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://safety.google/cybersecurity-advancements/saif/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "periodic",
   "primary_domains": [
    "agentic",
    "identity",
    "privacy"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "google_ai_principles",
   "title": "Google AI Principles",
   "full_title": "Google AI Principles",
   "publisher": "Google",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://ai.google/responsibility/principles/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "ethics"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "openai_model_spec",
   "title": "OpenAI Model Spec",
   "full_title": "OpenAI Model Spec",
   "publisher": "OpenAI",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://cdn.openai.com/spec/model-spec-2024.html",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "ethics"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "openai_transparency",
   "title": "OpenAI transparency / usage reporting",
   "full_title": "OpenAI transparency / usage reporting",
   "publisher": "OpenAI",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://openai.com/policies/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "knowledge"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "meta_llama_rai",
   "title": "Meta Llama Responsible Use Guide",
   "full_title": "Meta Llama Responsible Use Guide",
   "publisher": "Meta",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://ai.meta.com/llama/responsible-use-guide/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "ethics"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "ibm_ai_fairness",
   "title": "IBM AI Fairness 360",
   "full_title": "IBM AI Fairness 360",
   "publisher": "IBM",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://aif360.res.ibm.com/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "industry-framework",
   "update_cadence": "periodic",
   "primary_domains": [
    "ethics"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "salesforce_trust",
   "title": "Salesforce Trusted AI / Einstein Trust Layer",
   "full_title": "Salesforce Trusted AI / Einstein Trust Layer",
   "publisher": "Salesforce",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://www.salesforce.com/artificial-intelligence/trusted-ai/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "agentic"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "microsoft_compliance",
   "title": "Microsoft Purview Compliance guidance",
   "full_title": "Microsoft Purview Compliance guidance",
   "publisher": "Microsoft",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://learn.microsoft.com/en-us/purview/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "compliance"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "microsoft_purview",
   "title": "Microsoft Purview data governance",
   "full_title": "Microsoft Purview data governance",
   "publisher": "Microsoft",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://learn.microsoft.com/en-us/purview/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "data"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "microsoft_azure_ai",
   "title": "Microsoft Azure AI / AI Foundry guidance",
   "full_title": "Microsoft Azure AI / AI Foundry guidance",
   "publisher": "Microsoft",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://learn.microsoft.com/en-us/azure/ai-services/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "knowledge"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "microsoft_azure_resil",
   "title": "Microsoft Azure resiliency / reliability guidance",
   "full_title": "Microsoft Azure resiliency / reliability guidance",
   "publisher": "Microsoft",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://learn.microsoft.com/en-us/azure/reliability/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "resilience"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "google_financial",
   "title": "Google Cloud financial-services controls guidance",
   "full_title": "Google Cloud financial-services controls guidance",
   "publisher": "Google",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://cloud.google.com/architecture/framework",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "finance"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "google_sre",
   "title": "Google Site Reliability Engineering practices",
   "full_title": "Google Site Reliability Engineering practices",
   "publisher": "Google",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://sre.google/books/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "resilience"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "google_org_policy",
   "title": "Google Cloud Organization Policy Service",
   "full_title": "Google Cloud Organization Policy Service",
   "publisher": "Google",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "authority"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "google_compliance",
   "title": "Google Cloud compliance resource center",
   "full_title": "Google Cloud compliance resource center",
   "publisher": "Google",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://cloud.google.com/security/compliance",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "compliance"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "google_dataplex",
   "title": "Google Cloud Dataplex governance",
   "full_title": "Google Cloud Dataplex governance",
   "publisher": "Google",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://cloud.google.com/dataplex/docs",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "data"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "google_vertex_rag",
   "title": "Google Vertex AI RAG / grounding guidance",
   "full_title": "Google Vertex AI RAG / grounding guidance",
   "publisher": "Google",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://cloud.google.com/vertex-ai/generative-ai/docs/grounding/overview",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "knowledge"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "okta_iam",
   "title": "Okta identity & access management guidance",
   "full_title": "Okta identity & access management guidance",
   "publisher": "Okta",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://developer.okta.com/docs/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "identity",
    "privacy"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "okta_governance",
   "title": "Okta Identity Governance",
   "full_title": "Okta Identity Governance",
   "publisher": "Okta",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://www.okta.com/products/identity-governance/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "compliance"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "okta_authz",
   "title": "Okta authorization (FGA / OAuth) guidance",
   "full_title": "Okta authorization (FGA / OAuth) guidance",
   "publisher": "Okta",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://developer.okta.com/docs/guides/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "authority"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "okta_financial",
   "title": "Okta guidance for financial-services identity",
   "full_title": "Okta guidance for financial-services identity",
   "publisher": "Okta",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://www.okta.com/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "finance"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "aws_iam",
   "title": "AWS Identity and Access Management guidance",
   "full_title": "AWS Identity and Access Management guidance",
   "publisher": "Amazon Web Services",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "identity"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "aws_reliability",
   "title": "AWS Well-Architected Reliability Pillar",
   "full_title": "AWS Well-Architected Reliability Pillar",
   "publisher": "Amazon Web Services",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "resilience"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "aws_financial",
   "title": "AWS financial-services controls guidance",
   "full_title": "AWS financial-services controls guidance",
   "publisher": "Amazon Web Services",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://aws.amazon.com/financial-services/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "finance"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "aws_organizations",
   "title": "AWS Organizations / SCP guidance",
   "full_title": "AWS Organizations / SCP guidance",
   "publisher": "Amazon Web Services",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "authority"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "aws_privacy",
   "title": "AWS data privacy guidance",
   "full_title": "AWS data privacy guidance",
   "publisher": "Amazon Web Services",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://aws.amazon.com/compliance/data-privacy/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "privacy"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "aws_artifact",
   "title": "AWS Artifact compliance reports",
   "full_title": "AWS Artifact compliance reports",
   "publisher": "Amazon Web Services",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://aws.amazon.com/artifact/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "compliance"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "aws_bedrock_guardrails",
   "title": "AWS Bedrock Guardrails",
   "full_title": "AWS Bedrock Guardrails",
   "publisher": "Amazon Web Services",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails.html",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "agentic"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "aws_bedrock_kb",
   "title": "AWS Bedrock Knowledge Bases",
   "full_title": "AWS Bedrock Knowledge Bases",
   "publisher": "Amazon Web Services",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-base.html",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "knowledge"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "aws_lake_formation",
   "title": "AWS Lake Formation data governance",
   "full_title": "AWS Lake Formation data governance",
   "publisher": "Amazon Web Services",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://docs.aws.amazon.com/lake-formation/latest/dg/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "data"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "openai_enterprise",
   "title": "OpenAI Enterprise privacy & security",
   "full_title": "OpenAI Enterprise privacy & security",
   "publisher": "OpenAI",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://openai.com/enterprise-privacy/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "finance"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "openai_policies",
   "title": "OpenAI usage policies",
   "full_title": "OpenAI usage policies",
   "publisher": "OpenAI",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://openai.com/policies/usage-policies/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "compliance"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "openai_privacy",
   "title": "OpenAI privacy policy / data controls",
   "full_title": "OpenAI privacy policy / data controls",
   "publisher": "OpenAI",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://openai.com/policies/privacy-policy/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "privacy"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "openai_sf",
   "title": "OpenAI safety / preparedness practices",
   "full_title": "OpenAI safety / preparedness practices",
   "publisher": "OpenAI",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://openai.com/safety/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "identity"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "anthropic_privacy",
   "title": "Anthropic privacy & data handling",
   "full_title": "Anthropic privacy & data handling",
   "publisher": "Anthropic",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://www.anthropic.com/legal/privacy",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "data",
    "privacy"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "databricks_unity",
   "title": "Databricks Unity Catalog governance",
   "full_title": "Databricks Unity Catalog governance",
   "publisher": "Databricks",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://docs.databricks.com/data-governance/unity-catalog/index.html",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "data",
    "knowledge"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "ping_identity",
   "title": "Ping Identity access-management guidance",
   "full_title": "Ping Identity access-management guidance",
   "publisher": "Ping Identity",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://docs.pingidentity.com/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "identity"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "cloudflare_resilience",
   "title": "Cloudflare resilience / availability guidance",
   "full_title": "Cloudflare resilience / availability guidance",
   "publisher": "Cloudflare",
   "publisher_type": "vendor",
   "version": "current",
   "canonical_url": "https://developers.cloudflare.com/",
   "effective_date": null,
   "jurisdiction": [
    "global"
   ],
   "normative_force": "best-practice",
   "update_cadence": "periodic",
   "primary_domains": [
    "resilience"
   ],
   "status": "current",
   "url_verified": false,
   "notes": "Registered for citation provenance (AP-40, 2026-07-08); existing frameworks[] mappings to this source are basis=asserted pending anchor ingestion."
  },
  {
   "source_id": "cisa_kev",
   "title": "CISA Known Exploited Vulnerabilities (KEV) Catalog",
   "full_title": "CISA Known Exploited Vulnerabilities Catalog (BOD 22-01)",
   "publisher": "Cybersecurity and Infrastructure Security Agency (CISA)",
   "publisher_type": "government-agency",
   "version": "continuously-updated",
   "canonical_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
   "effective_date": null,
   "jurisdiction": [
    "usa",
    "global"
   ],
   "normative_force": "supervisory-guidance",
   "update_cadence": "continuous",
   "primary_domains": [
    "security"
   ],
   "status": "current",
   "url_verified": true,
   "retrieved_on": "2026-07-08",
   "notes": "CISA catalog of vulnerabilities with reliable evidence of active exploitation; BOD 22-01 sets remediation due dates. Cited by Security EC-12 as the prioritization authority for AI serving-stack vulnerability remediation. A vulnerability-intelligence feed cited as supporting_guidance, not a control framework."
  }
 ],
 "meta": {
  "generated_at": "2026-07-02T00:00:00.000Z",
  "endpoint": "https://apeiris.ai/integration/source_registry.json",
  "normative_force_enum": [
   "binding-law",
   "regulation",
   "directive-transposed-nationally",
   "supervisory-guidance",
   "certification-standard",
   "voluntary-standard",
   "industry-framework",
   "best-practice",
   "draft",
   "pre-release",
   "enacted-not-yet-in-force",
   "withdrawn",
   "superseded"
  ],
  "publisher_type_enum": [
   "government",
   "government-agency",
   "standards-body",
   "industry-body",
   "vendor",
   "academic",
   "ngo"
  ],
  "note": "Entries marked url_verified=false have canonical URLs that should be confirmed before automated crawling.",
  "total_sources": 300
 }
}
