This guide covers how SEA™ Forge’s spec-first architecture supports regulatory compliance: the specs are the system of record, so the artefacts an auditor asks for are produced by the same pipeline that builds and validates the system.

SEA™ Forge turns compliance from a periodic exercise into a continuous process:
| Traditional | SEA™ Forge Spec-First |
|---|---|
| Quarterly audits | Continuous validation |
| Manual evidence gathering | Automated audit trails |
| Documentation drift | Specs are source of truth |
| Reactive compliance | Proactive enforcement |

The NIST AI RMF core functions map to SEA™ Forge components as follows:

| Function | SEA™ Forge Implementation |
|---|---|
| Govern | SEA™ DSL policies, SDS-035 invariants |
| Map | SDS context analysis, stakeholder mapping |
| Measure | Evidence Service metrics, drift detection |
| Manage | Policy Gateway enforcement, kill switch |

ISO/IEC 42001 requirements map to SEA™ Forge as follows:

| Requirement | SEA™ Forge Implementation |
|---|---|
| Context analysis | ADR/SDS context sections |
| Leadership commitment | Governance roles in SDS |
| Risk assessment | SEA™ DSL risk policies |
| Controls | SDS-035 invariants |
| Monitoring | Evidence Service |
| Continuous improvement | Spec evolution |

EU AI Act requirements map to SEA™ Forge as follows:

| Requirement | SEA™ Forge Implementation |
|---|---|
| Risk classification | SEA™ DSL policy annotations |
| Transparency | Model cards in SDS |
| Human oversight | HITL policies |
| Documentation | Specs as audit evidence |
| Incident reporting | Evidence Service alerts |

Every spec serves as compliance evidence:

```yaml
# SDS document serves as:
# - System documentation (ISO 42001)
# - Technical documentation (EU AI Act)
# - Control documentation (SOX)
metadata:
  compliance:
    frameworks:
      - iso-42001: [4.1, 4.2, 6.1]
      - eu-ai-act: [Article 11, Article 13]
      - nist-ai-rmf: [GOVERN-1, MAP-1]
    last_review: 2026-01-15
    next_review: 2026-04-15
```
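As an added illustration (not SEA™ Forge's own `spec-guard`), the check below validates the compliance metadata block above the way a CI gate would: framework names must be known, clause references must match each framework's notation, and a spec whose `next_review` has passed fails instead of silently going stale. It takes the metadata as an already-parsed object; the YAML loader, the framework table and the clause regexes are this example's assumptions.

```javascript
// Added example: a CI-style validator for SDS compliance metadata.
// Not SEA Forge's spec-guard; the framework table and clause formats are
// assumptions that mirror the metadata example on this page.

// Known frameworks and the clause notation each one uses (assumed).
const KNOWN_FRAMEWORKS = {
  'iso-42001': /^\d+(\.\d+)*$/,                               // 4.1, 6.1
  'eu-ai-act': /^Article \d+[a-z]?$/,                         // Article 11
  'nist-ai-rmf': /^(GOVERN|MAP|MEASURE|MANAGE)-\d+(\.\d+)?$/, // GOVERN-1
};

const ISO_DATE = /^\d{4}-\d{2}-\d{2}$/;

// Parse a YYYY-MM-DD string as a UTC date; null if malformed.
function parseDate(s) {
  if (typeof s !== 'string' || !ISO_DATE.test(s)) return null;
  const d = new Date(`${s}T00:00:00Z`);
  return Number.isNaN(d.getTime()) ? null : d;
}

// Returns a list of findings; an empty list means the metadata is acceptable.
// `today` is injected so CI runs and tests are deterministic.
function validateComplianceMetadata(metadata, today) {
  const findings = [];
  const c = metadata && metadata.compliance;
  if (!c) return ['missing metadata.compliance section'];

  // frameworks: list of single-key maps, e.g. [{ 'iso-42001': [4.1, 4.2] }]
  if (!Array.isArray(c.frameworks) || c.frameworks.length === 0) {
    findings.push('frameworks must be a non-empty list');
  } else {
    for (const entry of c.frameworks) {
      const keys = Object.keys(entry || {});
      if (keys.length !== 1) {
        findings.push(`framework entry must have exactly one key: ${JSON.stringify(entry)}`);
        continue;
      }
      const name = keys[0];
      const clauseRe = KNOWN_FRAMEWORKS[name];
      if (!clauseRe) { findings.push(`unknown framework '${name}'`); continue; }
      const clauses = entry[name];
      if (!Array.isArray(clauses) || clauses.length === 0) {
        findings.push(`${name}: no clauses mapped`);
        continue;
      }
      for (const clause of clauses) {
        // YAML loaders turn an unquoted 4.1 into a number; String() normalises.
        if (!clauseRe.test(String(clause))) {
          findings.push(`${name}: clause '${clause}' does not match expected notation`);
        }
      }
    }
  }

  // Review dates: present, well-formed, ordered, and the next review not overdue.
  const last = parseDate(c.last_review);
  const next = parseDate(c.next_review);
  if (!last) findings.push('last_review missing or not YYYY-MM-DD');
  if (!next) findings.push('next_review missing or not YYYY-MM-DD');
  if (last && next) {
    if (next <= last) findings.push('next_review must be after last_review');
    if (next < today) findings.push(`review overdue: next_review ${c.next_review} has passed`);
  }
  return findings;
}

// Constructed sample matching the SDS metadata shown above.
const SAMPLE_METADATA = {
  compliance: {
    frameworks: [
      { 'iso-42001': [4.1, 4.2, 6.1] },
      { 'eu-ai-act': ['Article 11', 'Article 13'] },
      { 'nist-ai-rmf': ['GOVERN-1', 'MAP-1'] },
    ],
    last_review: '2026-01-15',
    next_review: '2026-04-15',
  },
};

console.log(validateComplianceMetadata(SAMPLE_METADATA, new Date('2026-02-01T00:00:00Z')));
```

One caveat worth carrying into a real gate: most YAML loaders parse an unquoted clause number such as `6.10` as the float `6.1`, so clause references with trailing zeros should be quoted in the spec metadata.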
```shell
# Generate a compliance evidence package from the Evidence Service.
# --fail keeps an HTTP error page from being written into the .zip;
# the Content-Type header tells the service the body is JSON.
curl -sS --fail \
  -H 'Content-Type: application/json' \
  -X POST http://localhost:8083/api/v1/evidence-package \
  -d '{
    "framework": "ISO-42001",
    "period": "2026-Q1",
    "include": [
      "policy_decisions",
      "access_logs",
      "incident_reports",
      "control_attestations"
    ]
  }' \
  -o iso42001_evidence_q1_2026.zip
```
```shell
# Verify spec-to-code traceability
node scripts/spec-cross-check.js --mode staging --dir docs/specs

# Output includes:
# - ADR → PRD → SDS links
# - SDS → Generated code mappings
# - Policy → Enforcement mappings
```
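To show what a cross-check of this kind is looking for, here is an added, self-contained sketch (not `scripts/spec-cross-check.js` itself) that builds the ADR → PRD → SDS link graph from an in-memory set of files, then reports references to specs that do not exist, specs with no upstream link, and SDS documents that no source file claims to implement. The identifier scheme (`ADR-NNN`, `PRD-NNN`, `SDS-NNN`), the `Implements:` header in source files and the `docs/specs/` layout are this example's assumptions.

```javascript
// Added example: a minimal spec-to-code traceability check over files held
// in memory. Not scripts/spec-cross-check.js; the ID scheme, the
// "Implements:" header and the docs/specs/ layout are assumptions.

const ID_RE = /\b(?:ADR|PRD|SDS)-\d{3}\b/g;
const UPSTREAM = { PRD: 'ADR', SDS: 'PRD' }; // ADR -> PRD -> SDS chain

// Constructed sample corpus: path -> content. PRD-002 is cited but does not
// exist, and nothing implements SDS-036.
const SAMPLE_FILES = {
  'docs/specs/ADR-001.md': '# ADR-001 Spec-first architecture\nContext: ...',
  'docs/specs/PRD-001.md': '# PRD-001 Policy Gateway\nDerived from ADR-001.',
  'docs/specs/SDS-035.md': '# SDS-035 Invariants\nImplements PRD-001. See ADR-001.',
  'docs/specs/SDS-036.md': '# SDS-036 Evidence export\nImplements PRD-002.',
  'src/gateway/policy.ts': '// Implements: SDS-035\nexport function enforce() {}',
};

// The spec's own ID is taken from its file name.
function specIdOf(path) {
  const m = /\b(?:ADR|PRD|SDS)-\d{3}\b/.exec(path);
  return m ? m[0] : null;
}

function crossCheck(files) {
  const specs = new Map();         // spec id -> Set of ids it references
  const implementedBy = new Map(); // SDS id -> [source paths]

  for (const [path, content] of Object.entries(files)) {
    if (path.startsWith('docs/specs/')) {
      const id = specIdOf(path);
      if (!id) continue;
      const refs = new Set((content.match(ID_RE) || []).filter((r) => r !== id));
      specs.set(id, refs);
    } else {
      const header = /Implements:\s*(SDS-\d{3})/.exec(content);
      if (header) {
        const list = implementedBy.get(header[1]) || [];
        list.push(path);
        implementedBy.set(header[1], list);
      }
    }
  }

  const findings = [];
  for (const [id, refs] of specs) {
    for (const ref of refs) {
      if (!specs.has(ref)) findings.push({ kind: 'dangling-ref', from: id, to: ref });
    }
    const kind = id.slice(0, 3);
    const upstream = UPSTREAM[kind];
    if (upstream && ![...refs].some((r) => r.startsWith(upstream))) {
      findings.push({ kind: 'missing-upstream', from: id, expects: upstream });
    }
    if (kind === 'SDS' && !implementedBy.has(id)) {
      findings.push({ kind: 'unimplemented-sds', from: id });
    }
  }
  for (const [sds, paths] of implementedBy) {
    if (!specs.has(sds)) findings.push({ kind: 'code-cites-unknown-spec', to: sds, paths });
  }
  return findings;
}

console.log(crossCheck(SAMPLE_FILES));
```

A non-empty findings list is what should fail the `drift-detection` gate: a dangling reference means documentation has drifted from the spec tree, and an unimplemented SDS means the generated code no longer carries the invariant the spec promises.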
```markdown
# Audit Readiness Checklist

## Documentation
- [ ] All specs pass `just spec-guard`
- [ ] SDS documents have compliance metadata
- [ ] Traceability matrix is current
- [ ] Model cards are complete

## Evidence
- [ ] Evidence Service logs complete
- [ ] Policy violation reports available
- [ ] Incident response documentation ready
- [ ] Access control logs retrievable

## Controls
- [ ] SDS-035 invariants documented
- [ ] Policy Gateway rules documented
- [ ] Kill switch tested and documented
- [ ] Key rotation records available

## Team
- [ ] Compliance roles assigned
- [ ] Training records available
- [ ] Interview preparation complete
```
```shell
# Generate comprehensive audit package
just generate-audit-package \
  --framework ISO-42001 \
  --period 2026-Q1 \
  --output audit_package_q1_2026/

# Package includes:
# - specs/         # All relevant specifications
# - evidence/      # Evidence Service exports
# - traceability/  # Spec-to-code mappings
# - controls/      # Invariant documentation
# - incidents/     # Incident reports
# - training/      # Team training records
```
```yaml
# CI/CD compliance gates
compliance_checks:
  - name: spec-guard
    run: just spec-guard
    gate: required
  - name: drift-detection
    run: just ci
    gate: required
  - name: policy-validation
    run: just sea-validate docs/specs/*/policies.sea
    gate: required
```
```shell
# Access compliance dashboard
open http://localhost:5080/dashboards/compliance

# Metrics displayed:
# - Spec validation status
# - Policy violations (trending)
# - Evidence Service health
# - Control effectiveness scores
```
```yaml
# Governance calendar
reviews:
  weekly:
    - Policy violation summary
    - Drift detection status
  monthly:
    - Comprehensive spec review
    - Control effectiveness assessment
  quarterly:
    - Regulatory alignment check
    - External audit preparation
  annually:
    - Framework update review
    - Retention policy review
```
```yaml
# SDS compliance section
compliance:
  hipaa:
    enabled: true
    controls:
      - phi_encryption
      - access_logging
      - minimum_necessary
      - breach_notification
    evidence:
      retention: 6_years
```
```yaml
compliance:
  sox:
    enabled: true
    controls:
      - financial_data_integrity
      - audit_trail_immutability
      - access_control_enforcement
  glba:
    enabled: true
    controls:
      - customer_data_protection
      - security_program_documentation
```
```yaml
compliance:
  fedramp:
    impact_level: moderate
    controls:
      ref: NIST-800-53
      families: [AC, AU, CM, IA, SC]
    documentation:
      ssp_reference: SSP-2026-001
```

```sea
policy ComplianceIncidentResponse:
  it is obligatory that each ComplianceViolation
    with severity = critical
    has incident_report = created
    has root_cause_analysis = initiated
    has remediation_plan = documented
    within 24_hours
```
```yaml
# Notification requirements
notifications:
  gdpr_breach:
    deadline: 72_hours
    to: [dpo, supervisory_authority]
    template: gdpr_breach_notification
  hipaa_breach:
    deadline: 60_days
    to: [hhs, affected_individuals]
    template: hipaa_breach_notification
```
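The policy and notification rules above state deadlines; what a responder needs during an incident is the clock. As an added example (not the Policy Gateway or the SEA™ DSL evaluator), the function below takes a violation record carrying the time each obligation was fulfilled, applies the `ComplianceIncidentResponse` window and the notification deadlines written in the page's `N_hours`/`N_days` notation, and reports each obligation as met, met late, pending or overdue. The record field names are this example's assumptions.

```javascript
// Added example: evaluate a ComplianceViolation record against the
// obligations and notification deadlines defined above. Not SEA Forge's
// Policy Gateway; the record field names are this example's assumptions.

const UNIT_MS = { minutes: 60e3, hours: 3600e3, days: 86400e3 };

// Parse the "24_hours" / "60_days" notation used in the page's configuration.
function parseDuration(s) {
  const m = /^(\d+)_(minutes|hours|days)$/.exec(s);
  if (!m) throw new Error(`unrecognised duration: ${s}`);
  return Number(m[1]) * UNIT_MS[m[2]];
}

// Obligations from policy ComplianceIncidentResponse (critical severity only).
const CRITICAL_WINDOW = '24_hours';
const CRITICAL_OBLIGATIONS = [
  { field: 'incident_report_created_at', name: 'incident_report = created' },
  { field: 'root_cause_analysis_initiated_at', name: 'root_cause_analysis = initiated' },
  { field: 'remediation_plan_documented_at', name: 'remediation_plan = documented' },
];

// Notification regimes, mirroring the notifications section above.
const NOTIFICATIONS = {
  gdpr_breach: { deadline: '72_hours', to: ['dpo', 'supervisory_authority'] },
  hipaa_breach: { deadline: '60_days', to: ['hhs', 'affected_individuals'] },
};

// met / met-late if a completion time exists, else pending / overdue against `now`.
function obligationStatus(doneAt, deadline, now) {
  if (doneAt) return new Date(doneAt) <= deadline ? 'met' : 'met-late';
  return now > deadline ? 'overdue' : 'pending';
}

function evaluateViolation(violation, now) {
  const detected = new Date(violation.detected_at);
  if (Number.isNaN(detected.getTime())) throw new Error('detected_at is required');
  const results = [];

  if (violation.severity === 'critical') {
    const deadline = new Date(detected.getTime() + parseDuration(CRITICAL_WINDOW));
    for (const o of CRITICAL_OBLIGATIONS) {
      results.push({
        obligation: o.name,
        deadline: deadline.toISOString(),
        status: obligationStatus(violation[o.field], deadline, now),
      });
    }
  }

  for (const regime of violation.notifications || []) {
    const rule = NOTIFICATIONS[regime];
    if (!rule) { results.push({ obligation: `notify:${regime}`, status: 'unknown-regime' }); continue; }
    const deadline = new Date(detected.getTime() + parseDuration(rule.deadline));
    const sentAt = (violation.notified || {})[regime];
    results.push({
      obligation: `notify:${regime}`,
      to: rule.to,
      deadline: deadline.toISOString(),
      status: obligationStatus(sentAt, deadline, now),
    });
  }
  return results;
}

// Constructed sample violation; all times are UTC.
const SAMPLE_VIOLATION = {
  id: 'CV-0001',
  severity: 'critical',
  detected_at: '2026-01-15T10:00:00Z',
  incident_report_created_at: '2026-01-15T12:00:00Z',
  remediation_plan_documented_at: '2026-01-16T15:00:00Z', // after the 24h window
  notifications: ['gdpr_breach', 'hipaa_breach'],
  notified: { gdpr_breach: '2026-01-17T09:00:00Z' },
};

console.log(evaluateViolation(SAMPLE_VIOLATION, new Date('2026-01-17T12:00:00Z')));
```

The clock starts at `detected_at`, which is the conservative reading of "became aware"; if the organisation's legal position is that awareness began later, record that timestamp separately rather than editing `detected_at`, so the evidence trail shows both.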
| Last Updated: January 2026 | Version: 1.0.0 |