Terminology Glossary
Compliance as Infrastructure
This glossary covers all defined technical terms in the Compliance as Infrastructure manuscript. Terms are organized by conceptual domain. Each entry includes the canonical term, its definition as used in the manuscript, and the location of its first significant appearance.
Conceptual Framework
| Term | Definition | First Appears |
|---|---|---|
| Compliance as Infrastructure | The embedding of regulatory and contractual constraints directly into the execution and orchestration layers of production systems, such that compliance is evaluated at defined execution boundaries, as a continuously evaluated property of the system, with pre-execution admissibility where required, rather than a periodically declared status. | |
| Trust Gap | The structural gap between what systems actually do at runtime and what external parties can independently confirm about that behavior. Arises from the mismatch between continuous system change and periodic verification cadence. | Trust Gap |
| Trust Substitution | The practice of replacing direct verification of system behavior with proxy trust signals (certifications, third-party attestation, audit reports) when continuous independent verification is not feasible. | Trust Gap - Trust Substitution |
| Point-in-Time Model | The traditional compliance approach in which systems are declared compliant at a specific moment through periodic audit, documentation review, and evidence sampling - without continuous state verification. | Category Foundation - The Failure of the Point-in-Time Model |
| Enforcement Drift | The divergence between defined compliance constraints and the behavior actually occurring in operational systems over time. Accumulates through continuous system change, delayed evidence generation, and interpretation delay. | Evidence Latency and Enforcement Drift |
| Execution Drift | Divergence between defined operational constraints and actual system behavior, where the policy is correctly defined but the system is not operating in conformance with it. A detection and remediation problem. | Evidence Latency and Enforcement Drift - Execution Drift |
| Policy Drift | Divergence between an organization's documented compliance policies and the regulatory obligations those policies are intended to satisfy. The systems may conform to internal policy, but the policy itself no longer reflects current regulatory requirements. | Evidence Latency and Enforcement Drift - Policy Drift |
| Audit Theater | The condition in which compliance artifacts satisfy the formal requirements of an audit process while failing to represent the actual compliance state of operational systems. The structural outcome of applying documentation-based compliance to dynamic environments. | Documentation Debt |
| Visibility Inversion | The structural distortion in which auditors observe documentation (which describes intended design) rather than operational system behavior, so that a system can satisfy audit review while experiencing significant control failures. | Documentation Debt |
| Overlay (Compliance Overlay) | A compliance implementation that observes or reports on system behavior after execution but does not sit in the execution path and does not shape that behavior. Distinguished from infrastructure-embedded compliance. | Category Foundation - From Overlay to Inline Enforcement |
| Circular Validation | An architectural risk in which the entity generating compliance evidence also controls the verification of that evidence, structurally predisposing evidence to confirm compliance rather than accurately measure it. | Evidence Latency and Enforcement Drift - Circular Validation |
| Governed Verification | A compliance model in which infrastructure continuously generates, preserves, and attests to compliance-relevant evidence, while institutional governance retains responsibility for interpretive and legal determination. Distinguishes between what systems can decide computationally and what must be adjudicated by human or institutional authority. | Future of Compliance Infrastructure |
| Law Latency | The delay between the emergence of new system behaviors and the point at which legal or regulatory frameworks recognize, interpret, and formally govern those behaviors. Creates a structural gap where infrastructure operates beyond the speed of institutional response, requiring systems to manage compliance uncertainty in advance of formal legal clarity. | Future of Compliance Infrastructure |
| Contested Compliance | The system status that applies when active, unresolved conflicts exist between mutually unsatisfiable obligations. Requires an Adjudication Record and prevents the system from reporting a clean compliance state. | Translation Layer - Conflict Resolution Engine |
Failure Mechanics
| Term | Definition | First Appears |
|---|---|---|
| Documentation Debt | The systematic divergence between descriptive compliance artifacts (documentation) and the actual behavior of operational systems. Accumulates through change velocity mismatch, maintenance cost scaling, representational compression, and audit substitution. | Documentation Debt |
| Evidence Latency | The time gap between system behavior and the moment when verifiable compliance evidence describing that behavior becomes available for evaluation. Comprises two independent dimensions: Signal Latency and Semantic Latency. | Evidence Latency and Enforcement Drift |
| Signal Latency | The delay between the execution of system behavior and the generation or collection of operational signals describing that behavior (logs, telemetry, configuration snapshots). The dimension most commonly addressed by technical investment. | Evidence Latency and Enforcement Drift - Signal Latency |
| Semantic Latency | The delay between the availability of evidence and the ability of institutions to determine whether that evidence represents compliant or non-compliant behavior. Emerges from the interpretive process, not from technical pipeline delays. | Evidence Latency and Enforcement Drift - Semantic Latency |
| Oracle Problem | The irreducible verification limit that arises when a compliance infrastructure system depends on facts, attestations, or observations that originate outside the verifying system's direct observation and cannot be independently derived. | Oracle Problem |
| Oracle Boundary | The specific location in a verification architecture where derivable truth ends and trusted assertion begins - where verification stops being mechanical and starts being trusted. | Oracle Problem |
| Oracle Substitution | The replacement of deterministic control enforcement with human review or narrative human attestation, trading deterministic verifiability for institutional reliability. | Oracle Problem |
| Oracle Fidelity | The proportion of oracle assertions subsequently validated against ground truth that prove accurate. A quantitative basis for assessing oracle reliability over time. | Oracle Problem - Measuring Oracle Exposure |
Four-Layer Compliance Architecture
| Term | Definition | First Appears |
|---|---|---|
| Control Execution Layer (Layer 1) | The layer where operational behavior occurs: infrastructure configuration, deployment pipelines, authentication systems, data access enforcement, and runtime policy enforcement. Source of system state transitions. | Documentation Debt |
| Evidence Generation Layer (Layer 2) | The layer that captures telemetry produced by control execution: logs, metrics, audit trails, event streams, and state snapshots. Records what actually happened at the Control Execution Layer. | Documentation Debt |
| Documentation Layer (Layer 3) | The layer of human-readable artifacts describing how systems are expected to behave: policies, procedures, architecture diagrams, control narratives, and runbooks. Describes design intent, not actual behavior. | Documentation Debt |
| Audit Observation Layer (Layer 4) | The layer at which external observers (auditors, regulators, insurers, certification bodies) evaluate compliance by examining artifacts. In traditional compliance, auditors predominantly examine Layer 3 artifacts. | Documentation Debt |
| Prospective Documentation | Policies, procedures, architecture descriptions, and control narratives that describe how a system is intended to operate. Establishes intent but does not confirm execution. | Trust Gap - The Verification Limits of Documentation |
| Retrospective Artifacts | Operational records such as logs, deployment histories, system state captures, and control outputs that reflect what a system actually did. Constitute evidence of runtime behavior. | Trust Gap - The Verification Limits of Documentation |