Skip to content

Proportionality-Gated Guidance Mapping

Problem

External security/compliance guidance is written for the whole ecosystem — the org that designs the agent, the one that builds it, the one that operates a service on it, and the one that merely uses it. Mapping such guidance onto a small team's real posture with a flat "covered / not-covered" checklist produces two failure modes:

  1. False gaps from audience mismatch. Controls scoped to a service operator (managed identity registries, runtime policy-decision-points, fleet trust-scoring) get marked "not covered" and generate work, when they were never the tool-user's responsibility at all.
  2. Enterprise-theatre backlog. Every genuine gap becomes a spec proposal, so a 4-dev team ends up with a cryptographic-attestation epic it will never proportionately need — cargo-culting big-org controls onto a small tool.

Pattern

Run the mapping as two passes plus a gate, and record the reasoning in the table itself so it stays traceable.

Pass 1 — audience triage. Before classifying coverage, tag each recommendation by whose control it is: - in-audience — meaningful for our actual role (here: tool-user/operator). - N/A (builder-scoped) — lives inside the upstream platform (model training, in-context composition, per-agent identity). - N/A (operator-scoped) — only applies to an org running the service for others. Defaults to N/A unless our role changes.

Only in-audience rows proceed. This kills the false gaps up front.

Pass 2 — coverage classification. For in-audience rows, classify against what is enforced by default, not what merely exists in the repo: - covered — enforced by default (a wired hook, a pre-commit check, git-versioning, or — for controls that cannot be hook-enforced — a maintained, present-and-current doc/runbook). - partial — the control exists but isn't enforced by default (authored-not- deployed, doc-only, or a manual --verify). - gap — no control exists.

The gate — proportionality. A gap becomes a spec proposal only if it passes a single question: "does this threat realistically exist for a team of our actual size and threat model?" Cap the proposals (SPEC-131 capped at two). Every gap that fails the gate is deferred: inline, with its rationale, not dropped — so the deferral is auditable and revisitable if scale changes.

Why it works

  • Audience-triage separates "not our job" from "our job, undone" — two things a flat checklist conflates.
  • The enforced-by-default bar stops "it's in the repo somewhere" from being scored as a real control.
  • The proportionality gate is the antidote to compliance cargo-culting: it forces each proposed spec to justify itself against this team's reality, and the deferred-with-rationale rows make the "no" as traceable as the "yes."
  • Recording all of it in the mapping table makes the artifact citable by a downstream policy doc (SPEC-131 feeds the KI-Richtlinie, SPEC-147): every row carries a stable source anchor and a spec/proposal/deferred reference.

Durability guard

The mapping is a claim about reality, so back it with an executable gate: a structural test that dereferences every covered/partial path (a claim that points at nothing on disk fails the build) and asserts every gap carries an actionable reference. Pair each positive assertion with a tripping fixture so the gate is proven to redden on drift — see test-enforced-redaction-claims.md and structural-test-assertions.md. Add a non-gating staleness WARN on the source-pin date so calendar decay surfaces without a false-RED (the guidance-source can be revised out from under the mapping).

When to reach for it

Any time you map an external, multi-audience standard onto an internal posture: govt guidance, OWASP/MITRE taxonomies, ISO/SOC control sets, vendor hardening guides. The shape generalizes beyond security to any "big framework → small team" adoption decision.

Anti-pattern

Reproducing the source document 1:1, or scoring coverage before triaging audience. Both inflate the gap list with controls you don't own and bury the few gaps that genuinely matter.

Source: SPEC-131 (Govt Adoption-Guidance Mapping + Gap-Audit).