Cross mapping
One event. Every framework that applies to it. At the same time.
Most AI decisions are governed by more than one regulation simultaneously. A single action can fall under the EU AI Act, GDPR, sector-specific rules, and internal policy at once. OBEXGATE evaluates against all of them, in parallel, before the action commits.
Regulatory articles are not referenced. They are enforced through the execution layer.
This is not a coverage map. It is executable logic tied to decisions.
Assess, Enforce, and Witness are mapped directly to regulatory obligations, not documented separately.
If an action violates a regulatory requirement, it does not execute.
Observer Mode shows how regulatory obligations apply. Enforce Mode determines whether actions are allowed to execute.
Not documentation. Evidence produced at execution.
The problem
Sequential evaluation produces wrong answers.
Most governance tools handle multi-framework compliance by checking one regulation at a time, then choosing the most restrictive verdict. This works only if the frameworks are aligned, which they usually are not. Frameworks have different scopes, different definitions, and different remedies.
A decision that satisfies the EU AI Act may still violate GDPR. A control that satisfies SOC 2 may not satisfy HIPAA. Sequential evaluation hides these conflicts. Cross mapping surfaces them.
Use cases
What cross mapping actually does, in production.
→ Multi-framework decisions
An EU-resident customer interacts with a US-headquartered firm using an AI-powered credit decision. EU AI Act, GDPR, US fair lending rules, and internal policy all apply simultaneously. Cross mapping evaluates all four in parallel and produces one verdict.
→ Cross-jurisdiction operations
A multinational deploying the same AI system across the EU, UK, US, and Australia. The action is identical. The regulatory surface is not. Cross mapping ensures the system is evaluated against each applicable regime, with verdicts traceable to the article that governed the decision.
→ Sector-specific overlay
A healthcare AI in the US is governed by HIPAA, FDA guidance where applicable, state law, and internal clinical policy. A financial AI in the UK is governed by UK GDPR, FCA, PRA, DORA, and internal risk policy. Cross mapping applies the sector overlay automatically.
→ Conflicting requirements
When two frameworks impose contradictory requirements (rare but real), cross mapping surfaces the conflict at evaluation rather than at audit. The action is blocked, the conflict is recorded, and resolution routes to legal review.
→ Audit evidence consolidation
A single decision produces evidence mapped to every framework that governed it. One incident, one trace, multiple article references. The evidence pack assembled for an EU AI Act audit also satisfies GDPR, SOC 2, and ISO/IEC 42001 requirements where applicable.
No system component can verify its own output. Regulatory evidence is produced independently of the actor generating the action.
Both executed and refused actions are recorded and mapped to applicable regulatory obligations.
→ Regulatory change management
When a regulation updates, cross mapping reapplies the new article to all relevant past decisions in the audit trail. The team sees which past decisions would now require review, before a regulator does.
Frameworks in scope
Eighty-eight enforcement engines across eight jurisdictions.
Cross mapping operates across the full regulatory surface OBEXGATE covers, including the EU AI Act, GDPR, UK GDPR, UK DUAA, DORA, FCA, PRA, NIS2, eIDAS, HIPAA, FDA, CCPA, NIST AI RMF, FedRAMP, CMMC, SOC 2, ISO 27001, ISO/IEC 42001, LGPD, Australia Privacy Act, NZ Privacy Act, PIPEDA, AIDA, Ontario Bill 194, PDPA, and the Singapore Model AI Governance Framework.
Coverage does not exist independently. It is applied at the moment of execution.
See cross mapping run on your jurisdictional surface.
Six questions. Personalised regulatory map across the frameworks you are exposed to, statutory exposure, three-year operational governance cost basis. To your inbox.