Every framework. One honest coverage map.

The CSA AI Consensus Assessments Initiative Questionnaire is the self-assessment companion to the AICM and the basis for CSA STAR-for-AI listings. KYE™ generates each answer it can satisfy from runtime evidence (a KYE™ artefact + a §0.3 evidence event), and marks questions outside its execution scope as not applicable — never fabricated.

The AI Solutions Framework is an enterprise AI-adoption control framework (~90 safeguards across AI governance & accountability, risk management, AI safety, data privacy/lineage, compliance monitoring, and audit & evidence; IG1–IG3 maturity). KYE Protocol™ governs ONLY the runtime-authority-resolvable subset at the action boundary — the KYE AI Solutions Framework Authority Pack™ (§70 honesty bar). Frameworks define what should happen; KYE Protocol™ resolves who may make it happen, under what authority, and proves it later. The organisational safeguards (governance board, AI inventory, policy authorship, training, risk committee) and the deploy-time infrastructure-posture / CSPM safeguards (model-logging, encryption, IAM least-privilege, network egress) are honestly out of scope and ceded to their owning roles. KYE Protocol™ complements a deploy-time posture/CSPM layer — coverage is never inflated to 100%. Per-requirement bijection at framework-coverage-bijection.

The Cloud Security Alliance AI Controls Matrix defines 243 control objectives across 18 domains. AICM defines the controls. KYE™ operationalises them — proving how each control resolved at the moment a consequential AI action occurred. KYE™ binds the execution-resolvable domains and is honest about the infrastructure and model-training domains it does not touch.

Canada's proposed federal AI law (AIDA, Part 3 of Bill C-27). The bill lapsed on prorogation in January 2025 and is NOT in force — mapped as a forward-looking design anchor (all rows advisory): high-impact assessment, risk mitigation + monitoring, record-keeping, transparency, and serious-harm notification. Per-requirement bijection at /compliance/aida.html.

The 10 mandatory AI guardrails proposed by the Department of Industry, Science and Resources (Sept 2024) + the Voluntary AI Safety Standard. Per-requirement bijection at /compliance/au-ai-guardrails.html.

The German Federal Office for Information Security (BSI) AI Cloud Service Compliance Criteria Catalogue (AIC4) — one of the frameworks the CSA AICM crosswalks to. KYE™ binds the security-and-robustness criteria that resolve at action time and marks the cloud-platform operational criteria out of scope.

35 requirements across three pillars (Adopt / Defend / Govern), nine governance surfaces, twelve minimum controls (MC-1..MC-12), and three autonomy tiers (HITL / HOTL / HOOTL). Complementary to KYE Protocol™: ADG = operating model, KYE Protocol™ = runtime authority proof.

US federal guidelines defining the four-fifths adverse-impact rule and the validation duty for selection procedures.

EU regulation setting lifecycle obligations for high-risk AI systems.

Article 50 of Regulation (EU) 2024/1689 requires natural persons be informed they are interacting with an AI system, plus related transparency record-keeping. KYE Protocol™ governs the ENFORCEMENT AUTHORITY + EVIDENCE of the Article 50 chatbot disclosure at the action boundary — consumed by the KYE Chatbot Authority Pack™. The broader Regulation is covered by the eu-ai-act registry; this is the narrow chatbot-transparency execution slice. Per-requirement bijection at framework-coverage-bijection.

FDA + EMA AI / provenance expectations for AI-derived candidates entering regulated drug/device pipelines — documented provenance, reproducibility, and GxP data integrity (ALCOA+). KYE Protocol™ governs whether an AI-derived candidate may proceed to a regulated stage, binding replay-provable provenance — the KYE AI Bio-Chem Governance Pack™. Per-requirement bijection at framework-coverage-bijection.

IMDA / AI Verify Foundation testing framework — transparency, accountability, human agency & oversight, robustness. Per-requirement bijection at /compliance/imda-ai-verify.html.

Management-system standard for the responsible development and use of AI.

MAS Principles to promote Fairness, Ethics, Accountability and Transparency (FEAT) in the use of AI and data analytics in Singapore's financial sector. Per-requirement bijection at /compliance/mas-feat.html.

Voluntary framework for managing AI risk across the Govern, Map, Measure, and Manage functions.

NYC law requiring a bias audit before an automated employment decision tool screens a candidate, with candidate notice and published results.

Algorithm Charter for Aotearoa New Zealand (2020) — transparency, human oversight, and data/bias commitments for government use of algorithms. Per-requirement bijection at /compliance/nz-algorithm-charter.html.

The Treasury Board Directive on Automated Decision-Making governing Canadian federal-government automated decision systems: the Algorithmic Impact Assessment, transparency notice, meaningful explanation, and quality-assurance + recourse. Per-requirement bijection at /compliance/tbs-directive-adm.html.

The UK government's AI assurance toolkit — the measure / evaluate / communicate loop and the six assurance mechanisms that operationalise the UK AI principles. KYE Protocol™ is itself an assurance mechanism: it measures every governed AI action, evaluates it against purpose admissibility, and communicates it as signed, replayable evidence.

The UK's pro-innovation AI principles and the DSIT AI assurance toolkit.

UK statute making an automated selection rule that disadvantages a protected group unlawful indirect discrimination unless objectively justified.

US Executive Order 14110 (2023) Safe/Secure/Trustworthy AI — biosecurity, nucleic-acid synthesis screening, and content provenance provisions (rescinded Jan 2025; the dual-use-bio + synthesis-screening + provenance obligation pattern it established remains the de-facto reference set). KYE Protocol™ governs whether an AI-generated sequence/molecule may proceed to a consequential action — the KYE AI Bio-Chem Governance Pack™. Per-requirement bijection at framework-coverage-bijection.

The wave of US state AI-chatbot statutes (13+ states; 7 with a private right of action at roughly $1,000/violation) — CA SB 243, Utah AI Mental Health Chatbot Act, NY, IL, et al. Four recurring themes: crisis protocols, minor protections, deception/disclosure, liability. KYE Protocol™ governs the AUTHORITY + EVIDENCE of the chatbot safeguard actions at the moment the interaction occurs — the KYE Chatbot Authority Pack™. It does not provide the chatbot/LLM, the clinical crisis content, or the GRC program. Per-requirement bijection at framework-coverage-bijection.

Canada's voluntary code for advanced generative AI systems (ISED, 2023). Voluntary signatory program — all rows advisory: accountability, transparency, and human oversight + monitoring outcomes anchored to the KYE Protocol™ action-governance layer. Per-requirement bijection at /compliance/voluntary-code-genai.html.

ISO 31000:2018 risk-management principles, framework and process. KYE Protocol™ governs the authority, evidence and finality of AI-agent actions as a risk-treatment and risk-recording control inside the ISO 31000 process — it does not run the enterprise risk-management system. Per-requirement bijection at framework-coverage-bijection.

The IIA's Three Lines Model (2020). KYE Protocol™ supplies the runtime authority + evidence + assurance primitives the model assumes across first line (operational), second line (risk/compliance) and third line (internal audit) — it does not replace any line's people or mandate. Per-requirement bijection at framework-coverage-bijection.

Alberta's private-sector privacy law (PIPA), substantially similar to PIPEDA and the first Canadian private-sector law with mandatory breach notification: consent, protection of personal information, and breach notification. Per-requirement bijection at /compliance/alberta-pipa.html.

DSG is Austria's national statute implementing/supplementing the GDPR. Substantive obligations reuse the deep GDPR per-article registry (edged via framework↔jurisdiction); this registry maps only the Austria-specific national deltas here. Per-requirement bijection at /compliance/at-dsg.html.

British Columbia's private-sector privacy law (PIPA), substantially similar to PIPEDA: consent, reasonable security, and access/correction. Per-requirement bijection at /compliance/bc-pipa.html.

Belgian Data Protection Act 2018 is Belgium's national statute implementing/supplementing the GDPR. Substantive obligations reuse the deep GDPR per-article registry (edged via framework↔jurisdiction); this registry maps only the Belgium-specific national deltas here. Per-requirement bijection at /compliance/be-dpa-2018.html.

Bulgarian Personal Data Protection Act is Bulgaria's national statute implementing/supplementing the GDPR. Substantive obligations reuse the deep GDPR per-article registry (edged via framework↔jurisdiction); this registry maps only the Bulgaria-specific national deltas here. Per-requirement bijection at /compliance/bg-pdpa.html.

Switzerland's revised Federal Act on Data Protection (nFADP/revDSG) — a sovereign, GDPR-aligned statute under an EU adequacy decision. this registry maps the Swiss national deltas; AI-system governance defers to the directly-applicable obligations Switzerland references. Per-requirement bijection at /compliance/ch-nfadp.html.

Law 125(I)/2018 is Cyprus's national statute implementing/supplementing the GDPR. Substantive obligations reuse the deep GDPR per-article registry (edged via framework↔jurisdiction); this registry maps only the Cyprus-specific national deltas here. Per-requirement bijection at /compliance/cy-law-125-2018.html.

Zákon 110/2019 is Czech Republic's national statute implementing/supplementing the GDPR. Substantive obligations reuse the deep GDPR per-article registry (edged via framework↔jurisdiction); this registry maps only the Czech Republic-specific national deltas here. Per-requirement bijection at /compliance/cz-zakon-110-2019.html.

BDSG is Germany's national statute implementing/supplementing the GDPR. Substantive obligations reuse the deep GDPR per-article registry (edged via framework↔jurisdiction); this registry maps only the Germany-specific national deltas here. Per-requirement bijection at /compliance/de-bdsg.html.

Databeskyttelsesloven is Denmark's national statute implementing/supplementing the GDPR. Substantive obligations reuse the deep GDPR per-article registry (edged via framework↔jurisdiction); this registry maps only the Denmark-specific national deltas here. Per-requirement bijection at /compliance/dk-databeskyttelsesloven.html.

LOPDGDD is Spain's national statute implementing/supplementing the GDPR. Substantive obligations reuse the deep GDPR per-article registry (edged via framework↔jurisdiction); this registry maps only the Spain-specific national deltas here. Per-requirement bijection at /compliance/es-lopdgdd.html.

Tietosuojalaki is Finland's national statute implementing/supplementing the GDPR. Substantive obligations reuse the deep GDPR per-article registry (edged via framework↔jurisdiction); this registry maps only the Finland-specific national deltas here. Per-requirement bijection at /compliance/fi-tietosuojalaki.html.

Loi Informatique et Libertés is France's national statute implementing/supplementing the GDPR. Substantive obligations reuse the deep GDPR per-article registry (edged via framework↔jurisdiction); this registry maps only the France-specific national deltas here. Per-requirement bijection at /compliance/fr-lil.html.

EU regulation governing the processing of personal data.

GDPR Article 22 gives data subjects the right not to be subject to solely-automated similarly-significant decisions without safeguards — human intervention, meaningful information about the logic, and the right to contest. KYE Protocol™ governs whether an AI-assisted insurance decision in scope may proceed — under a recorded named-authority (the human-involvement safeguard), with a recorded adverse-action reason-code (meaningful information about the logic), a signed replay-provable Evidence Pack™ per decision, and an appeal / contestability record (the right to contest and to human intervention). The lawful basis / substantive decision / risk pricing on the merits stays the controller's own work (honest scope, §0). Per-requirement bijection at /compliance/gdpr-automated-decision.html.

Law 4624/2019 is Greece's national statute implementing/supplementing the GDPR. Substantive obligations reuse the deep GDPR per-article registry (edged via framework↔jurisdiction); this registry maps only the Greece-specific national deltas here. Per-requirement bijection at /compliance/gr-law-4624-2019.html.

Info Act is Hungary's national statute implementing/supplementing the GDPR. Substantive obligations reuse the deep GDPR per-article registry (edged via framework↔jurisdiction); this registry maps only the Hungary-specific national deltas here. Per-requirement bijection at /compliance/hu-info-act.html.

Data Protection Act 2018 is Ireland's national statute implementing/supplementing the GDPR. Substantive obligations reuse the deep GDPR per-article registry (edged via framework↔jurisdiction); this registry maps only the Ireland-specific national deltas here. Per-requirement bijection at /compliance/ie-dpa-2018.html.

ISO 23081-1:2017 records-metadata spine and AUTHORITY ANCHOR for the InSight DXP connector contract. KYE Protocol™ CONSUMES records metadata (agent, classification, event-history) as the input signal at the action boundary (enforced: classification-driven-authority, custody→authority binding, agent→principal binding); records-metadata creation / management is out-of-scope (owned by Iron Mountain InSight DXP).

Codice Privacy is Italy's national statute implementing/supplementing the GDPR. Substantive obligations reuse the deep GDPR per-article registry (edged via framework↔jurisdiction); this registry maps only the Italy-specific national deltas here. Per-requirement bijection at /compliance/it-codice-privacy.html.

Luxembourg Data Protection Act 2018 is Luxembourg's national statute implementing/supplementing the GDPR. Substantive obligations reuse the deep GDPR per-article registry (edged via framework↔jurisdiction); this registry maps only the Luxembourg-specific national deltas here. Per-requirement bijection at /compliance/lu-cnpd.html.

UAVG is Netherlands's national statute implementing/supplementing the GDPR. Substantive obligations reuse the deep GDPR per-article registry (edged via framework↔jurisdiction); this registry maps only the Netherlands-specific national deltas here. Per-requirement bijection at /compliance/nl-uavg.html.

Personopplysningsloven is Norway's national statute implementing/supplementing the GDPR. Substantive obligations reuse the deep GDPR per-article registry (edged via framework↔jurisdiction); this registry maps only the Norway-specific national deltas here. Per-requirement bijection at /compliance/no-personopplysningsloven.html.

The NZ Information Privacy Principles + Part 6 notifiable privacy breaches. Per-requirement bijection at /compliance/nz-privacy-act-2020.html.

Canada's federal private-sector privacy law (PIPEDA, S.C. 2000, c. 5): the ten Schedule 1 fair-information principles plus mandatory breach-of-security-safeguards reporting (s.10.1). Per-requirement bijection at /compliance/pipeda.html.

UODO is Poland's national statute implementing/supplementing the GDPR. Substantive obligations reuse the deep GDPR per-article registry (edged via framework↔jurisdiction); this registry maps only the Poland-specific national deltas here. Per-requirement bijection at /compliance/pl-uodo.html.

The Australian Privacy Principles + the 2024 automated-decision-making transparency reform (ADM provisions commence Dec 2026). Per-requirement bijection at /compliance/privacy-act-1988.html.

Lei 58/2019 is Portugal's national statute implementing/supplementing the GDPR. Substantive obligations reuse the deep GDPR per-article registry (edged via framework↔jurisdiction); this registry maps only the Portugal-specific national deltas here. Per-requirement bijection at /compliance/pt-lei-58-2019.html.

Quebec's modernised private-sector privacy regime (Law 25, fully in force Sept 2024): privacy-impact assessment, automated-decision transparency, confidentiality-incident reporting to the CAI, data portability, and express consent for sensitive information. Per-requirement bijection at /compliance/quebec-law-25.html.

Law 190/2018 is Romania's national statute implementing/supplementing the GDPR. Substantive obligations reuse the deep GDPR per-article registry (edged via framework↔jurisdiction); this registry maps only the Romania-specific national deltas here. Per-requirement bijection at /compliance/ro-law-190-2018.html.

Swedish Data Protection Act is Sweden's national statute implementing/supplementing the GDPR. Substantive obligations reuse the deep GDPR per-article registry (edged via framework↔jurisdiction); this registry maps only the Sweden-specific national deltas here. Per-requirement bijection at /compliance/se-dpa.html.

Act 18/2018 is Slovakia's national statute implementing/supplementing the GDPR. Substantive obligations reuse the deep GDPR per-article registry (edged via framework↔jurisdiction); this registry maps only the Slovakia-specific national deltas here. Per-requirement bijection at /compliance/sk-act-18-2018.html.

AICPA Statements on Standards for Tax Services (2024) — the enforceable standards for tax-return positions (reasonable basis / disclosure), reasonable inquiry & reliance on data, and the form & content of advice. KYE Protocol™ governs whether an AI-generated tax position / advice may proceed under a named member's authority, with the SSTS standards recorded before the action — the KYE Tax Governance Pack™. Per-requirement bijection at framework-coverage-bijection.

AIFMD (Directive 2011/61/EU) and the UCITS Directive (Directive 2009/65/EC) govern EU collective-investment fund management — fund-manager authorisation & conduct, the risk-management function & limits, investment limits & diversification, and recordkeeping / depositary oversight. KYE Protocol™ governs whether an AI-assisted investment decision/action is within the fund's mandate and limits, authorised, evidenced, and final at the action boundary — the KYE Investment Decision Authority Pack™. KYE Protocol™ does not run the risk-management function, judge whether a decision is correct, produce investment intelligence, or act as a fund manager. Per-requirement bijection at framework-coverage-bijection.

APRA Prudential Standard CPS 230 — operational risk management, business continuity and service-provider management for APRA-regulated entities. Per-requirement bijection at /compliance/apra-cps-230.html.

Canada's consumer-driven banking (open banking) framework under the Consumer-Driven Banking Act, 2024 (stood up by the FCAC): accreditation of participants, consumer consent + data-sharing control, a common technical/security standard, and oversight + accountability. Per-requirement bijection at /compliance/canada-cdb.html.

The UK Companies Act 2006 — adequate accounting records (s.386), true and fair view (s.393), director responsibility & board approval (s.414), and filing of the statutory accounts with the Registrar of Companies / Companies House (s.441/s.442). KYE Protocol™ governs whether an AI-generated financial entry / statement / filing may proceed to a consequential action under a named accountant's / director's authority, with §36 two-person sign-off on the irreversible Companies House submission — the KYE Accounting Governance Pack™. Per-requirement bijection at framework-coverage-bijection.

EU regulation for the digital operational resilience of the financial sector.

DORA ICT Incident Reporting (Regulation (EU) 2022/2554, Article 19) is the EU financial-sector ICT-incident reporting regime. KYE Protocol™ governs whether an AI-assisted containment action, incident classification, or staged-report timing decision under it may proceed to a consequential incident action — under a named accountable officer's authority, with incident-evidence chain-of-custody recorded, no AI-asserted classification relied on without a pinned signal source, a signed replay-provable Evidence Pack™ per decision, and a contestability record so any decision can be reconstructed and challenged. Threat detection / SIEM-EDR runtime / forensics / remediation stays the entity's own security operations (honest scope, §0/§70). Per-requirement bijection at /compliance/dora-ict-incident.html.

The EU Sixth Anti-Money Laundering Directive (Directive (EU) 2018/1673) harmonises money-laundering offences, the 22 predicate offences, aiding/abetting/inciting, and corporate liability across the EU. KYE Protocol™ governs whether an AI agent's AML action may proceed at the action boundary under a named compliance officer's authority, with due diligence before the action and replay-provable provenance. KYE Protocol™ does not run transaction-monitoring models, does not decide whether conduct is criminal money-laundering, and does not replace the institution's AML program or legal advice.

EU Directive on Administrative Cooperation — DAC6 mandatory disclosure of reportable cross-border arrangements (hallmarks A–E, main-benefit test, 30-day window) and DAC7 platform-operator reporting. KYE Protocol™ governs whether an AI-generated arrangement / advice that may be reportable proceeds only after the hallmark / disclosure screen is recorded — the KYE Tax Governance Pack™. Per-requirement bijection at framework-coverage-bijection.

The FATF 40 Recommendations are the global AML/CFT authority anchor — risk-based approach (R.1), customer due diligence & beneficial ownership (R.10), record-keeping (R.11), the Travel Rule (R.16), and suspicious-transaction reporting (R.20). KYE Protocol™ governs whether an AI agent's AML action may proceed at the action boundary (alert triage, sanctions screening, SAR/STR drafting, KYC/CDD) under a named compliance officer's authority, with §36 two-person sign-off on the consequential SAR/STR filing — the KYE AML & Financial-Crimes Governance Pack™. KYE Prot™ocol™ does not run transaction-monitoring models, does not decide whether a transaction is truly money-laundering, and does not replace the institution's AML program.

The FCA Conduct of Business Sourcebook (COBS) governs UK investment business with clients — the client's best interests rule (COBS 2.1.1R), suitability (COBS 9), best execution (COBS 11), and recordkeeping. KYE Protocol™ governs whether an AI-assisted investment decision/action is within mandate, authorised, evidenced, and final at the action boundary — the KYE Investment Decision Authority Pack™. KYE Protocol™ does not perform the suitability assessment, judge whether a recommendation is correct, produce investment intelligence, or act as an investment adviser. Per-requirement bijection at framework-coverage-bijection.

The Financial Reporting Council's Ethical Standard — integrity, objectivity & independence, professional competence & due care, and the threats-and-safeguards framework for auditors and accountants. KYE Protocol™ governs whether an AI-generated entry / statement / conclusion may proceed under a named professional's authority, with the objectivity / independence / competence basis recorded before the action — the KYE Accounting Governance Pack™. Per-requirement bijection at framework-coverage-bijection.

The Financial Stability Board's Sound Practices for the Responsible Adoption of AI in Finance (consultation, 10 June 2026) sets supervisory expectations for how financial institutions govern AI across model risk, accountability, third-party dependency, and operational resilience. This framework is REGISTERED in the §70 Framework Mapping Rail but NOT yet deep-mapped — no requirement has been bound to a KYE Protocol™ artefact, so coverage is honestly reported as out of scope pending deep mapping. The §70 honesty bar forbids claiming enforced/designed coverage before a requirement is bound to a cited artefact. Deep mapping will be scheduled through the §70 rail (by hand, the §59 deterministic pipeline, or the §70 framework-mapping-agent) once the final report text is pinned.

The Investment Policy Statement (IPS) / discretionary investment mandate — the authority anchor for AI-assisted investment decisions. Defines permitted investments, concentration / liquidity limits, prohibited investments, named authority / delegation, and reporting obligations. KYE Protocol™ governs whether an AI-assisted investment decision/action is within the recorded mandate, under whose authority it proceeds, evidenced, contestable, and final at the action boundary — the KYE Investment Decision Authority Pack™. KYE Protocol™ does not produce investment intelligence, judge whether a thesis is correct, or render any view on alpha / returns / suitability of outcome, and is not an investment adviser. Per-requirement bijection at framework-coverage-bijection.

Treasury Department Circular No. 230 (31 CFR Part 10) — the standards of practice (due diligence §10.22, competence §10.35, return positions §10.34, written advice §10.37) for practitioners before the IRS. KYE Protocol™ governs whether an AI-generated tax position/filing/advice may proceed to a consequential action under a named preparer's authority — the KYE Tax Governance Pack™. Per-requirement bijection at framework-coverage-bijection.

The International Standards on Auditing (UK) — professional scepticism & reasonable assurance (ISA 200), fraud responsibilities (ISA 240), risk identification & assessment (ISA 315), and forming the opinion & reporting (ISA 700). KYE Protocol™ governs whether an AI-generated audit working-paper / conclusion may proceed under a named auditor's authority, with the ISA (UK) responsibilities recorded before the action — the KYE Accounting Governance Pack™. Per-requirement bijection at framework-coverage-bijection.

Monetary Authority of Singapore Technology Risk Management Guidelines — access control, audit logging, IT incident management, third-party risk. Per-requirement bijection at /compliance/mas-trm.html.

MiFID II (Directive 2014/65/EU) governs the provision of investment services in the EU — acting in the client's best interest (Art. 24), suitability (Art. 25), best execution (Art. 27), and recordkeeping. KYE Protocol™ governs whether an AI-assisted investment decision/action is within mandate, authorised, evidenced, and final at the action boundary — the KYE Investment Decision Authority Pack™. KYE Protocol™ does not perform the suitability assessment, judge whether a recommendation is correct, produce investment intelligence, or act as an investment adviser. Per-requirement bijection at framework-coverage-bijection.

OECD/G20 Pillar Two GloBE rules — a 15% global minimum effective tax rate (IIR / UTPR) with a per-jurisdiction top-up tax reported in the GloBE Information Return (GIR). KYE Protocol™ governs whether an AI-generated Pillar Two computation may proceed to a filing or a booked liability — the KYE Tax Governance Pack™. Per-requirement bijection at framework-coverage-bijection.

OSFI Guideline B-10 — risk-based management of third-party arrangements for federally regulated financial institutions: the arrangement register, criticality-proportionate risk assessment, and ongoing monitoring + concentration risk. Per-requirement bijection at /compliance/osfi-b-10.html.

OSFI Guideline B-13 — technology and cyber risk management for federally regulated financial institutions: governance, technology operations + resilience, and cyber security. Per-requirement bijection at /compliance/osfi-b-13.html.

OSFI Guideline E-23 — enterprise-wide model risk management across the model lifecycle (model definition expanded to AI/ML): inventory + risk rating, independent validation, ongoing monitoring, and accountability. Per-requirement bijection at /compliance/osfi-e-23.html.

Security standard for entities that store, process, or transmit cardholder data.

Canada's anti-money-laundering and terrorist-financing regime (PCMLTFA + Regulations, administered by FINTRAC): client identification + KYC, ongoing monitoring, suspicious-transaction reporting, and record-keeping. Per-requirement bijection at /compliance/pcmltfa-fintrac.html.

EU payment-services regulation covering strong customer authentication and third-party access to accounts.

Reserve Bank of New Zealand outsourcing policy — control over outsourced functions, continuity of basic banking functions, continuing compliance evidence. Per-requirement bijection at /compliance/rbnz-bs11.html.

The US Investment Advisers Act of 1940 (s.206) and the SEC's 2019 fiduciary interpretation establish a federal fiduciary duty for registered investment advisers — a duty of care, a duty of loyalty, and the books-and-records rule (204-2). KYE Protocol™ governs whether an AI-assisted investment decision/action is within mandate, authorised, evidenced, and final at the action boundary — the KYE Investment Decision Authority Pack™. KYE Protocol™ does not form the reasonable belief, judge whether advice is correct, produce investment intelligence, or act as an investment adviser. Per-requirement bijection at framework-coverage-bijection.

Sarbanes-Oxley §404 — management (and auditor) assessment of internal control over financial reporting (ICFR), with the income-tax provision a recurring material-weakness source requiring review controls, documentation, and data integrity. KYE Protocol™ governs whether an AI-generated tax-provision figure may proceed to being booked under recorded management-review controls with replay-provable provenance — the KYE Tax Governance Pack™. Per-requirement bijection at framework-coverage-bijection.

FRS 102 / FRS 105 (UK GAAP) — recognition and measurement bases, accounting-policy selection and consistency, disclosure requirements, and the micro-entity regime. KYE Protocol™ governs whether an AI-generated entry / statement may proceed with the FRS 102 / FRS 105 recognition, measurement, and disclosure basis recorded before the action — the KYE Accounting Governance Pack™. Per-requirement bijection at framework-coverage-bijection.

HMRC Making Tax Digital — digital record-keeping, unbroken digital links from source data to submitted figures, and programmatic filing via the MTD API. KYE Protocol™ governs whether an AI-generated MTD figure may proceed to an API submission under a named preparer's authority, preserving the digital link in replay-provable provenance — the KYE Tax Governance Pack™. Per-requirement bijection at framework-coverage-bijection.

The US Bank Secrecy Act (31 U.S.C. 5311 et seq.) and FinCEN regulations (31 CFR Chapter X) require a risk-based AML program (5318(h)), customer due diligence & beneficial ownership (CDD Rule), Suspicious Activity Reports (SARs), and record-keeping. KYE Protocol™ governs whether an AI agent's AML action may proceed at the action boundary under a named BSA/AML officer's authority, with §36 two-person sign-off on the consequential SAR filing. KYE Protocol™ does not run transaction-monitoring models, does not decide whether a transaction is truly suspicious, and does not replace the institution's BSA/AML program.

The Wolfsberg Group publishes industry AML, sanctions-screening, and correspondent-banking due-diligence standards for global banks. KYE Protocol™ governs whether an AI agent's AML or sanctions-screening action may proceed at the action boundary under a named compliance officer's authority, with due diligence before the action and replay-provable provenance. KYE Protocol™ does not run the screening engine, does not decide whether a name is a true sanctions match, and does not replace the institution's AML / sanctions program.

ECB Banking Supervision's emerging expectations on AI-amplified cyber and operational risk for significant institutions (planned 'dear CEO letter', per Reuters 3 June 2026; part of the ECB 2026–2028 supervisory priorities). REGISTERED in the §70 Framework Mapping Rail but NOT yet deep-mapped: no formal requirement text has been published, so coverage is honestly reported as out of scope pending deep mapping. The §70 honesty bar forbids claiming enforced/designed coverage before requirements are pinned. The substance — AI-actor authority, privileged-action gating, incident-response authority, replay-derivable evidence — is already covered by KYE Protocol™'s deep-mapped DORA artefacts and the shipped Cyber Resilience & Incident Authority Pack; deep mapping will graft those once the ECB text is final.

UK SM&CR accountability regime. KYE Protocol™ governs whether an AI agent's action may proceed under a named Senior Manager's delegated authority, with the responsibility line recorded and replay-provable. Consumed via kye:rule-pack:sm-cr + kye:sector-pack:uk-financial-services-sm-cr (§0: never re-mapped). Per-requirement bijection at framework-coverage-bijection.

UK ECCTA 2023 corporate 'failure to prevent fraud' offence. KYE Protocol™ turns AI-actor authority into a demonstrable 'reasonable fraud-prevention procedure': AI actions that could facilitate fraud are gated by named authority, evidenced, and contestable. KYE Protocol™ proves the procedure operated; it does not adjudicate the offence. Per-requirement bijection at framework-coverage-bijection.

UK MLR 2017 AML/CTF obligations. KYE Protocol™ governs whether an AI agent's AML action may proceed under a named compliance officer's authority, with due diligence recorded and replay-provable provenance. Consumed via the aml-financial-crimes spine (§0: never re-mapped). KYE Protocol™ proves the basis; it does not decide whether conduct is money laundering. Per-requirement bijection at framework-coverage-bijection.

The Clinical Laboratory Improvement Amendments (42 CFR Part 493) set US federal quality standards for testing on human specimens. KYE Protocol™ enforces the test-report integrity and electronic-record audit-trail slices, and governs the authority of AI-supported result generation — testing, proficiency testing and competency stay the laboratory's quality system. Per-requirement bijection at /compliance/clia.html.

Comprehensive security and governance standard for autonomous AI agents in clinical environments — 279 requirements across 8 categories.

ISO 15189:2022 sets quality and competence requirements for medical laboratories, including patient-safety risk management. KYE Protocol™ enforces the §7.4-7.6 report-integrity, §7.6/§8.4 data-integrity and audit-trail slices where a medical laboratory uses AI-supported decisioning — examination procedures and competence stay the laboratory's quality system. Per-requirement bijection at /compliance/iso-15189.html.

UK Statutory Instrument 2002/618 — risk classes, conformity assessment, essential requirements (Annex I regs 7-12), Annex IX classification rules, and post-market vigilance (regs 44-47). 53 requirements.

Explicit post-market surveillance obligations: PMS plan (Reg 7), post-market clinical follow-up (Reg 8), incident reporting timelines (2/10/15-day), Periodic Safety Update Reports (PSURs), trend reporting. 36 requirements.

41 requirements: 15 original work-packages + 7 PCCP (Predetermined Change Control Plan) obligations + 9 change-class triggers (capability / model_params / training-data / bias drift) + 6 transparency obligations + 4 oversight/bias-mitigation controls.

Ontario's health-privacy statute (PHIPA, 2004): consent + lawful purpose, circle-of-care implied consent, data minimisation, the electronic audit-log duty, access/correction, and IPC breach notification for personal health information. Per-requirement bijection at /compliance/phipa-ontario.html.

API RP 580 (RBI methodology) + API 581 (RBI quantitative technology) for fixed-equipment inspection planning. KYE Protocol™ governs the authority and evidence of an AI-recommended inspect/repair/replace action and records the inspection-interval + failure-mode reference vocabulary; KYE Protocol™ does not compute RBI risk. Per-requirement bijection at framework-coverage-bijection.

Australia Group dual-use export-control regime — harmonised control lists for dual-use biological agents, toxins, equipment, and chemical-weapon precursors. KYE Protocol™ governs whether an AI-generated design mapping to a controlled item may proceed to a consequential action — the KYE AI Bio-Chem Governance Pack™. Per-requirement bijection at framework-coverage-bijection.

BCBS 239 sets the Basel Committee's 14 principles for effective risk data aggregation and risk reporting. KYE Protocol™ governs whether a model-driven output or risk report under it may proceed to a consequential action — only a currently-validated model used within its approved scope, model changes as named-authority decisions with evidence, every consequential decision pinned to model_id + version + validation reference, and every risk report bound to its data-lineage evidence chain, sealed into a signed replay-provable Evidence Pack™. The quantitative model build / validation mathematics / capital computation / portfolio composition stays the bank's own work (honest scope, §0 — not investment advice). All 14 principles are mapped one row each (honest tri-state). Per-requirement bijection at /compliance/bcbs-239.html.

Colorado SB21-169 restricts insurers' use of external consumer data, algorithms, and predictive models to prevent unfair discrimination, and requires testing, documentation, and consumer adverse-action reasons. KYE Protocol™ governs whether an AI-assisted underwriting or claims decision relying on external data may proceed to a consequential adverse action — under a named authority, with a recorded adverse-action reason-code, with proxy-discrimination / fairness-evidence captured, a signed replay-provable Evidence Pack™ per decision, and an appeal / contestability record. The external-data selection / pricing / methodology design on the merits stays the insurer's own work (honest scope, §0). Per-requirement bijection at /compliance/colorado-sb21-169.html.

UK COSHH 2002 (SI 2002/2677), HSE-enforced. KYE Protocol™ governs the authority, evidence and finality of AI-authored or AI-approved COSHH assessments and control instructions — the KYE HSE Authority Pack™. Per-requirement bijection at framework-coverage-bijection.

Chemical Weapons Convention (CWC, Schedules 1/2/3) + Biological Weapons Convention (BWC, prohibited bio/toxin agents). KYE Protocol™ governs whether an AI-generated molecule or agent mapping to a scheduled/prohibited item may proceed to a consequential action — a hard stop routed to oversight, the KYE AI Bio-Chem Governance Pack™. Per-requirement bijection at framework-coverage-bijection.

DoD 5015.02-STD records-management-application spine for the KYE Chain of Authority™ for Iron Mountain InSight DXP. KYE Protocol™ overlays the action-boundary access-control + named-authority + governance-decision audit (enforced); the RMA record-declaration / file-plan / disposition criteria are out-of-scope (owned by the records-manager). §0: KYE Protocol™ retains PROOF-OF-GOVERNANCE, not the customer's records.