Can you trust a mapping?
Every control we map to an external framework carries its own record. Before any abstraction, you should be able to answer five plain questions about a single mapping — and reproduce the answers yourself.
Independent review is additive to provenance. An unreviewed mapping is not an untrustworthy one — it is anchored to primary text but not yet panel-scored. That is why we report trust as dimensions, not one score.
The dimensions
Cadence: mappings that point at a binding obligation are re-reviewed every 6 months; standards and threat mappings every 12; softer guidance every 18. Each case carries its own next-review date.
Look up a mapping
Type a control id (e.g. EV-06), a framework (e.g. eu_ai_act), or a domain. The trust card answers the five questions for each match.
Loading the validation suite…
Every card is generated from the signed validation suite. Recompute the anchor hash and re-derive the sample to check any of it yourself — see Trust and Source References.