The sequence matters. OpenCompliance is strongest if it goes from formal semantics to deterministic verification, then to tamper-evident artifact handling, and only after that to broader publication and continuous operation.
Publish the first open Lean 4 control-spec library, the three-tier control classification model, and a first exact-anchor review pilot for the SOC 2 Security plus ISO 27001 technical overlap corridor, then widen the public review layer to GDPR, IRAP, Cyber Essentials, NCSC CAF, NIST, and the first AI-governance frameworks without faking implementation that does not exist yet.
Define the typed evidence-claim schema, actor ontology, and OSCAL-native ingest path for catalogs, profiles, mappings, and assessment-style artifacts.
Ship the Lean proof runner, trust-surface report, and single Verify flow that returns a certificate or typed punch-list for the same evidence every time.
Add canonical artifact envelopes, signatures, transparency logging, reproducible replay bundles, and witness receipts for exact-match reruns.
Connect real evidence sources, track freshness, detect compliance drift, and handle certificate revocation or re-verification when state changes. The current synthetic lifecycle pack already demonstrates the fail-closed shape and the delta-recheck plan.
Split docs, open specs, and public example fixtures into separate public bundles so the semantic layer can be inspected and reused in the open.
The first milestone is intentionally narrow. Seed public corridors now exist for blocked, stale, certificate-eligible, cyber-baseline, and AI-governance ExampleCo runs, the public lifecycle pack now shows what happens after drift, and the specs now include an exact-anchor review pilot that still reaches beyond the implemented fixtures. That is the right shape: formalize a few defensible controls well before claiming broad framework coverage loosely.
Make the standards-to-formal-language mapping reviewable and extendable in the open.
Ensure the same evidence package yields the same verdict and trust-surface output every time.
Move from one-shot runs to delta-triggered rechecks and revocable certificate lifecycles. The public next step is a live event stream and scheduled rerun path, not just static drift examples.