Framework Mappings

Framework mappings connect your rules to specific compliance controls. When a rule passes, the mapping is recorded in the Evidence Pack — providing documented evidence that the control was enforced on that commit.

Available frameworks

Framework ID	Full name	Governing body
`soc2`	SOC 2 Trust Services Criteria	AICPA
`eu-ai-act`	EU Artificial Intelligence Act	European Parliament
`hipaa`	HIPAA Security Rule	US HHS
`dora`	Digital Operational Resilience Act	European Commission

Adding mappings to a rule

- id: sec-001
  name: no-eval
  severity: block
  pattern: "\\beval\\("
  maps-to:
    - framework: soc2
      control: CC6.1
    - framework: eu-ai-act
      control: Art.9.5

SOC 2 controls

The most commonly mapped SOC 2 Trust Services Criteria:

Control ID	Description	Typical rule types
`CC1.1`	Control environment	Governance rules
`CC6.1`	Logical and physical access controls	Auth, secret management
`CC6.6`	Logical access security measures	Input validation
`CC6.7`	Transmission protection	HTTPS requirements
`CC7.1`	Detection/monitoring of malicious activity	Injection prevention
`CC7.2`	System monitoring	Logging, audit trails
`CC8.1`	Change management	Deployment rules
`CC9.2`	Risk assessment for vendors	Dependency rules
`A1.1`	Availability — capacity planning	Scaling rules

EU AI Act controls

Key articles applicable to AI-assisted software development:

Control ID	Description	Applicable rules
`Art.9.2`	Risk management system	AI audit logging
`Art.9.5`	Testing high-risk AI systems	Output validation, injection prevention
`Art.10`	Data and data governance	PII handling, data quality
`Art.12.1`	Record-keeping obligations	Audit trail rules
`Art.13.1`	Transparency obligations	AI disclosure markers
`Annex.III`	High-risk AI systems list	Sector-specific rules

Key date

EU AI Act enforcement begins August 2, 2026. The llm-* rule category and the EU AI Act mappings are designed specifically to satisfy Article 9 and Article 12 requirements for high-risk AI systems.

HIPAA controls

Control ID	Description	Applicable rules
`164.308(a)(1)`	Risk analysis	Security assessment rules
`164.308(a)(5)`	Security awareness training	N/A (administrative)
`164.312(a)(1)`	Access control	Authentication rules
`164.312(a)(2)(iv)`	Encryption and decryption	Encryption requirements
`164.312(b)`	Audit controls	PHI access logging
`164.312(c)(1)`	Integrity	Data validation rules
`164.312(d)`	Person authentication	Auth middleware rules
`164.312(e)(1)`	Transmission security	HTTPS requirements

DORA controls

Control ID	Description	Applicable rules
`Art.9.2`	ICT risk management framework	Security rules
`Art.9.4`	ICT systems protection	Vulnerability prevention
`Art.10`	ICT-related incident detection	Monitoring, logging
`Art.11`	ICT business continuity	Availability, scaling rules
`Art.25`	Testing of ICT tools	Evidence of test coverage
`Art.28`	Third-party risk	Dependency management rules

Using multiple frameworks

A single rule can map to controls across multiple frameworks. This is common for security rules that satisfy requirements from several regulations simultaneously:

- id: sec-002
  name: no-hardcoded-secrets
  severity: block
  pattern: "(password|api_key|secret)\\s*[:=]\\s*['\"][^'\"]{8,}"
  maps-to:
    - framework: soc2
      control: CC6.1
    - framework: hipaa
      control: "164.312(a)(2)(iv)"
    - framework: eu-ai-act
      control: Art.9.5
    - framework: dora
      control: Art.9.4

Each framework mapping creates a separate line in the Evidence Pack's compliance section, allowing the same check result to satisfy multiple auditors.

Framework coverage report

Run a report showing which frameworks are covered by your current spec:

vyb check --coverage-report

Output:

Framework Coverage Report
──────────────────────────────────────────
SOC 2:
  Covered:  CC6.1, CC6.7, CC7.1, CC7.2, CC8.1
  Gaps:     CC1.1, CC6.6, CC9.2, A1.1

EU AI Act:
  Covered:  Art.9.2, Art.9.5, Art.10, Art.12.1
  Gaps:     Art.13.1

HIPAA:
  Covered:  164.312(a)(2)(iv), 164.312(b), 164.312(e)(1)
  Gaps:     164.312(a)(1), 164.312(c)(1)

DORA:
  Covered:  Art.9.2, Art.9.4
  Gaps:     Art.10, Art.11, Art.25, Art.28
──────────────────────────────────────────

Use this to identify which controls are uncovered and either add rules or accept the gap with documented rationale.

Next: Web UI

Available frameworks​

Adding mappings to a rule​

SOC 2 controls​

EU AI Act controls​

HIPAA controls​

DORA controls​

Using multiple frameworks​

Framework coverage report​