Can you trust a mapping?

Every control we map to an external framework carries its own record. Before any abstraction, you should be able to answer five plain questions about a single mapping — and reproduce the answers yourself.

What backs it?The typed fit (direct / partial / supporting / adjacent) and whether the cited id was validated against captured primary text or only asserted.
Against what source?The exact framework requirement, bound to the SHA-256 of the primary-text anchor it was checked against. Re-capture the source and the case auto-stales.
Who checked it, and when?Whether an independent multi-model panel has scored it, which reviewers, and the date — or an honest "not yet reviewed."
Can you reproduce it?The review sample is seeded and the manifest is Ed25519-signed, so anyone can re-derive the sample and re-verify the anchors.

Independent review is additive to provenance. An unreviewed mapping is not an untrustworthy one — it is anchored to primary text but not yet panel-scored. That is why we report trust as dimensions, not one score.

The dimensions

loading…

Cadence: mappings that point at a binding obligation are re-reviewed every 6 months; standards and threat mappings every 12; softer guidance every 18. Each case carries its own next-review date.

Look up a mapping

Type a control id (e.g. EV-06), a framework (e.g. eu_ai_act), or a domain. The trust card answers the five questions for each match.

Loading the validation suite…

Every card is generated from the signed validation suite. Recompute the anchor hash and re-derive the sample to check any of it yourself — see Trust and Source References.