
post-launch wave-4: compliance / SOX domain (regulated-industry beachhead) #8

@DubovskiyIM

Description

Why

Wave-1 (invest) and wave-2 (deploy-pipeline, see #3) target the dev/AI-engineer audience: HN, X-tech-Twitter, npm-installers. Wave-4 changes target. Compliance / SOX-aligned controls are the beachhead into regulated industries — fintech, healthcare, government — where ACVs jump from $0 (open-source quickstart) to $50-500K (enterprise SaaS).

Research findings (~/Desktop/IDF/2026-05-03-market-research-provenance-explainable.html):

  • EU AI Act high-risk obligations active 2 Aug 2026
  • Colorado AI Act effective 30 Jun 2026
  • Revised MRM guidance (Fed/FDIC/OCC) 17 Apr 2026
  • GDPR Article 22 enforcement post CJEU C-203/22 (Feb 2025)
  • FDA AI/CDS guidance 6 Jan 2026

Six independent regulators converge on the same primitive: per-decision logged, explainable, contestable. Existing GRC platforms (AuditBoard $300M ARR, Workiva $1B revenue, Vanta $300M ARR) sell process-automation + evidence-aggregation. Nobody offers «the application itself answers why was this decision made? at runtime», which is exactly what Φ + anchoring + witness-of-proof + irreversibility gives.

Domain shape

The compliance domain already exists in idf repo (15 invariants — 5 expression, 5 __irr intents, 6 roles). It's the most mature ontology in the project. Wave-4 doesn't require new domain authorship — it requires packaging the existing one.

Six roles in current compliance:

  • preparer — drafts journal entries
  • reviewer — reviews & flags
  • approver — approves journal entries (SoD: ≠ preparer)
  • controlOwner — owns specific controls
  • auditor — read-only across the firm
  • cfo — agent-role with cycle-level scope (sign_off_cycle_404)

Five __irr.high intents: approve_je, submit_attestation, amend_attestation, sign_off_cycle_404, file_amendment.

Three rejection types this domain showcases (versus wave-1/2/3):

  1. SoD triplet expression invariant: approve_je blocked when approver === preparer || approver === reviewer. Already implemented in the current ontology; first in-the-wild example of kind: expression in a production-grade fixture.
  2. Dynamic threshold expression: sign_off_cycle_404 requires Σ(approved attestations) / Σ(total attestations) ≥ 0.95 for the cycle. Real ICFR threshold from SOX 404 audits.
  3. Cycle-close hard gate: submit_attestation blocked once cycle.status = "closed_with_findings". Cardinality + transition combined.

Why this is wave-4 and not wave-3

This is content-strategy, not new code. The compliance ontology already exists. Wave-4 = repackaging + targeted GTM:

  1. Domain bundle: BOOTSTRAP_DOMAIN=compliance env-var override (same Docker pattern as wave-2/wave-3)
  2. Domain-specific demo scripts:
    • demo:rogue-self-approve-je — preparer tries to approve own journal entry → SoD blocked
    • demo:rogue-cycle-close-late — auditor tries to submit attestation after cycle closed → transition blocked
    • demo:rogue-cfo-signoff-incomplete — CFO tries to sign off SOX-404 cycle with 80% completion → threshold expression rejects
  3. Compliance-tuned landing variant at compliance.fold.software (or similar subdomain) with messaging:
    • Hero: «Your audit log doesn't explain decisions. Φ does.»
    • Proof: 5 __irr intents, 5 expression invariants, 6 roles, witness-of-proof on every effect
    • Demo: 3 rejection types above
  4. First case study — pick a friendly mid-market fintech / regulated SaaS as design partner. Real SOX-404 close-cycle compliance use-case.
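The three rejection types and the three rogue demo scripts above, as an added illustration that is not the idf/Fold runtime or its invariant DSL: a small TypeScript intent evaluator that returns, with every verdict, the invariant that fired and the concrete values it was evaluated against, which is the "why was this decision made?" property the issue argues for. Type names, field names, invariant identifiers, actor names and the fixture data are all assumptions made for this example; role checks are left out, and the zero-attestation case of the completion ratio (not specified in the issue) is treated here as a rejection rather than a division by zero.

```typescript
// Added example for this issue, not code from the idf/Fold runtime. Names,
// invariant ids and fixtures below are assumptions made for the illustration.

type CycleStatus = "open" | "closed_with_findings";

interface JournalEntry { id: string; preparer: string; reviewer: string }

interface Cycle {
  id: string;
  status: CycleStatus;
  attestationsTotal: number;     // Σ(total attestations) in the issue's notation
  attestationsApproved: number;  // Σ(approved attestations)
}

type Intent =
  | { kind: "approve_je"; actor: string; je: JournalEntry }
  | { kind: "sign_off_cycle_404"; actor: string; cycle: Cycle }
  | { kind: "submit_attestation"; actor: string; cycle: Cycle };

// Every decision names the invariant that decided it and the values it saw,
// so the application itself can explain a rejection instead of just logging it.
interface Decision { allowed: boolean; invariant: string | null; reason: string }

const SIGNOFF_THRESHOLD = 0.95; // ICFR threshold quoted in the issue

function allow(reason: string): Decision {
  return { allowed: true, invariant: null, reason };
}

function deny(invariant: string, reason: string): Decision {
  return { allowed: false, invariant, reason };
}

function evaluate(intent: Intent): Decision {
  switch (intent.kind) {
    case "approve_je": {
      // SoD triplet: approver === preparer || approver === reviewer is rejected.
      const { actor, je } = intent;
      if (actor === je.preparer) {
        return deny("sod_triplet", `${actor} prepared ${je.id} and cannot approve it`);
      }
      if (actor === je.reviewer) {
        return deny("sod_triplet", `${actor} reviewed ${je.id} and cannot approve it`);
      }
      return allow(`${actor} is neither preparer nor reviewer of ${je.id}`);
    }
    case "sign_off_cycle_404": {
      // Dynamic threshold: approved / total >= 0.95 for the cycle.
      const { actor, cycle } = intent;
      if (cycle.attestationsTotal === 0) {
        // Assumption: an empty cycle has no completion ratio and is not signable.
        return deny("signoff_threshold", `${cycle.id} has no attestations to sign off`);
      }
      const ratio = cycle.attestationsApproved / cycle.attestationsTotal;
      if (ratio < SIGNOFF_THRESHOLD) {
        return deny("signoff_threshold",
          `${cycle.attestationsApproved}/${cycle.attestationsTotal} = ${ratio.toFixed(2)} < ${SIGNOFF_THRESHOLD}`);
      }
      return allow(`${actor} may sign off ${cycle.id}: ${ratio.toFixed(2)} >= ${SIGNOFF_THRESHOLD}`);
    }
    case "submit_attestation": {
      // Cycle-close hard gate: no submissions once status is closed_with_findings.
      const { actor, cycle } = intent;
      if (cycle.status === "closed_with_findings") {
        return deny("cycle_close_gate", `${cycle.id} is ${cycle.status}; ${actor} cannot submit`);
      }
      return allow(`${cycle.id} is ${cycle.status}`);
    }
    default: {
      // Exhaustiveness guard: a new Intent variant fails to compile here.
      const unreachable: never = intent;
      throw new Error(`unknown intent ${JSON.stringify(unreachable)}`);
    }
  }
}

// Constructed fixtures mirroring the three rogue demo scripts (not real data).
const je1: JournalEntry = { id: "JE-1", preparer: "alice", reviewer: "bob" };
const openCycle: Cycle = { id: "FY26-Q2", status: "open", attestationsTotal: 10, attestationsApproved: 8 };
const closedCycle: Cycle = { ...openCycle, status: "closed_with_findings" };

function runRogueDemos(): Record<string, Decision> {
  return {
    "rogue-self-approve-je": evaluate({ kind: "approve_je", actor: "alice", je: je1 }),
    "rogue-cycle-close-late": evaluate({ kind: "submit_attestation", actor: "carol", cycle: closedCycle }),
    "rogue-cfo-signoff-incomplete": evaluate({ kind: "sign_off_cycle_404", actor: "cfo", cycle: openCycle }),
    "happy-approve-je": evaluate({ kind: "approve_je", actor: "dave", je: je1 }),
  };
}

const demos = runRogueDemos();
for (const name of Object.keys(demos)) {
  const d = demos[name];
  console.log(`${name}: ${d.allowed ? "ALLOW" : "DENY"} [${d.invariant === null ? "-" : d.invariant}] ${d.reason}`);
}
```

Each of the three rogue demos maps to exactly one invariant id in the output (sod_triplet, cycle_close_gate, signoff_threshold), and the reason string carries the inputs the check saw (e.g. 8/10 = 0.80 < 0.95 for the 80%-complete CFO sign-off), which is the minimum an auditor would want attached to every rejected effect.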

When to ship

Not soon. This is a 6-12-month wave, not a 2-week wave. Reasons:

  • Enterprise sales cycle 12-18 months
  • SOC 2 Type II is procurement gate ($15-100K, 3-6 months)
  • ISO 42001 is emerging procurement gate for AI vendors ($50-150K)
  • Compliance bundles need legal review before commercial offering
  • Big4 channel partners (Deloitte / EY / KPMG) effectively mandatory for top-200 banks/insurers — and they'll wrap or compete

Triggers for opening this issue:

  • Wave-1 launch metrics validate runtime-explainability framing (≥1K npm downloads first week, ≥3 enterprise inbound DMs «can this work for our compliance?»)
  • One credible mid-market design partner volunteers
  • Decision: «we have bandwidth for an enterprise sales motion in parallel with dev-tool growth»

Triggers for NOT opening this:

  • Launch flops (pivot to messaging fixes, not enterprise expansion)
  • Anthropic / OpenAI / ServiceNow ship native «AI Control Tower» that absorbs this category before we have a beachhead
  • We choose to stay developer-tool focused

Risks specific to this wave

  1. «Explainable Runtime» has zero category mindshare in 2026 (research finding). Sales requires riding existing AI Governance / Model Risk Management / GRC categories — not creating a new one. Wave-4 messaging must lead with «Compliance-as-code» or «Runtime explainability for regulated AI», not «Fold».
  2. Tier-1 banks build in-house (post April 2026 MRM revision). ICP must be mid-market. Top-200 sells through Big4.
  3. GRC tool fatigue is documented (60% of firms cite overwhelmed staff). Wave-4 must position as consolidation of existing tools, not addition.
  4. Sales-led GTM ≠ developer-led GTM. Wave-1-3 work via npm/HN. Wave-4 needs enterprise AE, certifications, customer references. Different motion entirely.

Implementation path

Phase 1 (post-launch, 2-3 weeks): Repackage existing compliance ontology into Docker quickstart. Three demo-scripts. Internal test only.

Phase 2 (4-8 weeks post-launch): One mid-market design partner. Free 90-day pilot. Goal: case study + reference.

Phase 3 (3-6 months post-launch): SOC 2 Type II + ISO 42001 audits. $50-150K spend. Hire compliance-aware enterprise AE.

Phase 4 (6-12 months post-launch): Compliance bundles (SOX-pack, MiFID-pack, GDPR-pack) priced at $50-500K ACV. Channel partnerships.

Open questions

  1. Subdomain or separate landing? compliance.fold.software vs fold.intent-design.tech/compliance. Lean: separate landing — different ICP, different sales motion, different brand voice.
  2. License model? BSL 1.1 currently on runtime — that's already enterprise-friendly (no-resell-as-SaaS). For compliance bundles: add commercial-use clause in each domain-pack. Or paid hosted-only via separate SaaS.
  3. Do we sell or license the ontologies themselves? I.e., the compliance ontology with 15 invariants + 6 roles is a work product of months of research. Sell as a product? Or open-source as community-good and sell hosting? Lean: open-source the ontology (BSL 1.1 keeps SaaS resale blocked), sell hosting + integrations + cert helpers.
  4. Big4 partnership now or later? Lean: not now. Direct mid-market pilot first, then approach Big4 with referenceable case-study — or skip Big4 entirely and target post-Big4-engaged customers.

Source narrative

Wave-4 is the enterprise-grade unlock. Wave-1/2/3 are about reach. Wave-4 is about ACV.

«Your audit log records what happened. Φ explains why.»

This issue stays closed until Phase 1 trigger (≥3 enterprise inbound DMs after launch) is met.
