Core Standards Mapping

What “full mapping” would actually require.

OpenCompliance does not treat “full mapping” as a slogan. ISO 27001 and SOC 2 remain the hard proprietary-anchor wave. GDPR is the first public-law corridor where article-level review is already live and now includes lawful-basis, notice, impact-assessment, and automated-decision boundaries. The current ISO AI wave now has its own tracked inventory, candidate layer, and publication boundary model. The first U.S. sector-regime depth wave is now live too: HIPAA Privacy and Breach, GLBA and NYDFS, and CCPA/CPRA all now have narrow reviewed overlap instead of sitting as pure inventory. What remains is the hard part: widening exact-anchor review, claim-schema coverage, Lean coverage, family-by-family fixture rollout, and external review without pretending that inventory, candidates, or family proxies are the same thing as reviewed final mappings.

ISO 27001 Today

Broad bridge, blocked exact anchors

The current ISO 27001 bridge covers 85 seed controls touching the framework, 423 private pilot anchors, 85 mapped public controls, 85 implemented public controls, and 22 Lean-backed public controls. Exact-anchor publication remains blocker-aware for 71 promoted public controls pending licensed review, and those controls now have prepared private review packets rather than only a blocker count.

SOC 2 Today

Same honesty rule, different shape

The current SOC 2 bridge covers 76 seed controls touching the framework, 175 private pilot anchors, 58 mapped public controls, 58 implemented public controls, and 21 Lean-backed public controls. Exact-anchor publication is also blocker-aware for 50 promoted public controls pending licensed review, and those controls now have prepared private review packets rather than only a blocker count.

GDPR Today

Public exact anchors, wider law still pending

The current GDPR corridor already covers 25 mapped public controls, 25 implemented public controls, 11 Lean-backed public controls, and 30 reviewed exact-anchor entries. The remaining work is not licensing. It is widening the public-law corridor beyond the current security, transfer, rights, processor, retention, lawful-basis, notice, impact-assessment, and automated-decision slice while keeping the article-level boundary honest.

ISO AI Wave Today

Tracked broadly, normalized selectively

The current ISO AI wave now tracks 11 frameworks or draft-watch projects, with 5 of them already carrying current public-control mappings, 11 unique mapped public controls, and 17 candidate exact-anchor entries. The rest are explicit inventory and maturity state. That means OpenCompliance can now say which AI ISO standards are already touching the public control layer and which are still only tracked, not mapped.

Sector-Regime Waves

HIPAA Today

Privacy and breach first, no fake health badge

The current HIPAA wave deliberately starts narrow: 4 mapped public controls across HIPAA Privacy and HIPAA Breach Notification, all current documentary or workflow controls, all exact-anchor reviewed from public source text. That means business-associate safeguards, notices, privacy-governance signals, and breach handling are visible now, while the wider health-security and operational stack stays explicit future work.

Finance Today

GLBA and NYDFS now have a real corridor

The current financial-sector wave covers 7 unique mapped public controls and 13 reviewed exact-anchor entries across GLBA Safeguards and NYDFS Part 500. The overlap is still narrow, but it is real: MFA, logging, encryption, vendor terms, incident response, escalation, and retention or disposal governance are now machine-visible instead of sitting as vague future intent.

California Today

Rights and retention before overclaiming

The current CCPA/CPRA wave covers 6 mapped public controls and 6 reviewed exact-anchor entries across rights handling, retention or deletion governance, privacy notices, and service-provider or contractor terms. It does not pretend that California privacy law has become a fully mechanised theorem library; it makes the first useful slice inspectable.

The Five Real Gaps

1. Licensed exact-anchor review

The bridge already knows which public controls matter. The remaining step is reviewing exact clause, Annex A, criterion, and point-of-focus anchors against licensed source material and deciding what derivative metadata can be published safely.

2. Typed claim completion

The private bridge still references planned future claim types. That means some non-judgment atoms are mapped, but they are not yet ready to become public verifier obligations.

3. Wider Lean coverage

Only a subset of the full decidable private corpus is Lean-backed today. OpenCompliance should widen that only when the public-control boundary and claim-schema story are stable enough to stay honest.

4. Family rollout

A mapped control is not the same thing as a fixture-backed corridor. Family-by-family rollout needs source exports, typed evidence, verifier outputs, trust-surface artifacts, and conformance checks.

5. External review

The mapping wave becomes reference-quality only after ISO 27001 practitioners, SOC 2 assurance reviewers, OSCAL specialists, and formal-methods reviewers challenge it.

What exists now

Public

Status, blocker model, and review program

The public specs repo now includes the original ISO/SOC standards-mapping status file, a sibling GDPR and AI mapping status file, a U.S. sector-regime mapping status file for HIPAA Privacy and Breach, GLBA and NYDFS, and CCPA/CPRA, and a proprietary review-packet status file for the blocked ISO and SOC queue. Those files exist to say clearly what is already mapped, what is only planned, what is blocked, what is prepared privately for licensed review, and what is merely tracked for future normalization.

Private

Full-map plans

The private working repo now carries generated full-map plans for ISO 27001, SOC 2, GDPR, and the current ISO AI wave, plus exact-anchor review packet files for the blocked ISO and SOC public-control queues. Those plans keep the remaining exact-anchor, claim, Lean, rollout, and review work machine-readable without publishing proprietary source text or draft-only internals.

Why blocked exact anchors are a feature

Honesty

Blocked is better than fake precision

OpenCompliance would rather publish “blocked pending licensed review” than pretend a family proxy or a marketing summary is a defensible exact anchor. The blocker count is a trust feature, not a missing badge, and the current blocked ISO/SOC queue now has prepared private review packets for every blocked promoted public control.

Reuse

Public derived metadata can still help the industry

Even when exact anchors stay blocked, public control IDs, relation semantics, route metadata, family rollout matrices, and coverage counts still make the semantic layer more inspectable than closed rule engines.

What happens next

Step 1
Run licensed exact-anchor review

Work through the blocked promoted controls with the prepared private review packets, publication model, and external review program in hand.

Step 2
Close claim gaps

Promote more non-judgment atoms only after their typed evidence contracts exist.

Step 3
Widen Lean coverage

Move the next decidable atoms into Lean only when source, route, and evidence semantics are stable.

Step 4
Roll out fixtures family by family

Convert planned controls into fixture-backed, replayable public corridors rather than leaving them as silent backlog.

Step 5
Subject the result to outside challenge

Run the published review program with real framework practitioners and formal-review specialists.