From Crosswalk Spreadsheets to Canonical Infrastructure


Crosswalks are the quiet backbone of multi-jurisdiction compliance, but most are still managed as documents rather than systems. Canonical infrastructure creates a governed foundation for stable cross-framework and cross-jurisdiction mapping.

Crosswalks are the quiet backbone of multi-jurisdiction compliance.

Every organisation does them.

  • GDPR ↔ SOC2

  • ISO ↔ internal controls

  • industry frameworks ↔ policies

  • sector regulations ↔ audit programs

The problem is that most crosswalks are built as documents rather than systems. They are fragile, difficult to govern, and nearly impossible to keep stable over time.

Why crosswalks break even in good organisations

Crosswalks fail through four predictable structural mechanisms.

Ambiguity at the unit level

If the source material is treated as paragraphs or sections, one row often mixes multiple requirements. Mapping becomes subjective.

Inconsistent meaning assignment

Two teams map similar obligations to different concepts. Over time, your control library diverges even if the underlying regulation does not.

Version collisions

A framework changes. The crosswalk is not re-run structurally. It is patched manually instead. Legacy mappings remain and nobody is sure what still applies.

Taxonomy drift

Control libraries and policy taxonomies evolve. The same control becomes three controls with slightly different names and evidence requirements.

This is why crosswalk maintenance becomes a permanent tax.

The infrastructure move (standardise the unit of measurement)

Mandatry’s approach is an infrastructure move, not a content move.

A helpful analogy from our internal doctrine is this.

Imagine if nearly every country measured temperature differently. Some in Celsius, some in Fahrenheit, some in poetry. That is regulation. Mandatry converts every law into Kelvin.

The point is not to change the law. It is to standardise the unit of obligation so comparisons are reliable.

The 3-layer model: Atomic → Canonical → Crosswalk

A durable cross-jurisdiction system needs three layers.

Atomic obligations

The smallest enforceable requirements. One row equals one testable requirement, right, or prohibition.

Canonical concepts

A jurisdiction-neutral meaning layer. These are the universal concepts that sit beneath frameworks, such as breach notification, access request handling, and vendor due diligence.

Crosswalk graph

Frameworks do not map to each other. They map to canonical meaning. That is what makes multi-framework comparison scale.

This is the shift from document mapping to structural mapping.

Why this is not AI summarisation

A lot of modern compliance tooling is effectively this:

• ingestion
• tagging
• summarisation
• workflow

That can be useful. But it is probabilistic, and it does not guarantee structural integrity.

Mandatry is designed as a governed data system.

• deterministic units
• controlled taxonomy
• enforceable integrity constraints
• governance hardening that prevents silent drift

Governance is the difference between an ontology and a spreadsheet

A canonical layer only becomes infrastructure when it is governed.

That governance includes the following.

• duplicate concept prevention
• synonym consolidation
• mapping integrity checks
• orphan prevention
• production gating rules

Without those controls, the canonical layer fractures and you are back to spreadsheet truth.

The economic outcome: Lower marginal compliance cost per framework

The strategic payoff is simple.

If your unit of obligation is stable and your meaning layer is governed:

• new frameworks add less net new work
• control reuse becomes provable rather than assumed
• overlap and gaps become computable
• cross-jurisdiction change becomes diff-based rather than narrative re-analysis

This is why we describe Mandatry as structural regulatory infrastructure, not another operational layer.
