{"api":{"name":"api.sb","description":"Business-as-Code surface for Startups.Studio","home":"https://api.sb","docs":"https://api.sb/docs","version":"1.0.0"},"$context":"https://api.sb/$context","$type":"FoundingHypothesis","$id":"https://api.sb/founding-hypotheses/fh%3Acompliance-officers-regulatory-gap-analysis%3At-ais-low-tech%3Av1","links":{"self":"https://api.sb/v1/founding-hypotheses/fh%3Acompliance-officers-regulatory-gap-analysis%3At-ais-low-tech%3Av1","canonical":"https://api.sb/founding-hypotheses/fh%3Acompliance-officers-regulatory-gap-analysis%3At-ais-low-tech%3Av1","pool":"https://api.sb/v1/founding-hypotheses"},"foundingHypothesis":{"id":"fh:compliance-officers-regulatory-gap-analysis:t-ais-low-tech:v1","lens":"ManagedWorkflow","type":"founding-hypothesis","click":{"rubricScores":{"C8_lensFit":0,"C7_magicLensFit":0,"C4_competitorHonesty":1,"C6_crossSlotCoherence":1,"C1_customerSpecificity":1,"C2_problemFrictionRealism":1,"C9_killCriteriaAttestability":1,"C3_approachEngineCoverability":1,"C5_differentiationLoservilleEscape":1},"upperRightLoserville":true},"cellRef":{"id":"work-contexts.org.ai/compliance-officers-regulatory-gap-analysis","stableHash":"wcc:compliance-officers:regulatory-gap-analysis:document:v1"},"problem":{"slotStatement":"Every time a regulator pushes an amendment (NIST rev bump, HIPAA subpart edit, PCI-DSS errata), the on-call compliance dev eats 4-6 hours per framework hand-diffing the new text against their control library, and roughly 1 in 5 amendments still slips through undetected for a quarter — at a $95/hr loaded rate that's $400-600 of rework-loop labor per missed-amendment event, times ~30 amendment drops per year across their frameworks."},"approach":{"oneSentence":"Pay-per-diff regulatory-drift API: POST the framework name + your current control library, get back a JSON delta naming every amended clause, the exact control IDs that drift, and a traceable link to the source register — $0.25 per amendment-diff call, 50 free 
calls on signup, no contract, curl-and-go in under five minutes."},"customer":{"icpShape":"Senior compliance engineers and GRC platform devs at solo-to-small regulated SaaS shops (10-250 employees, targetCompanyType: company-type-solo-dental-practice-adjacent small regulated-software vendors), where the buyer who signs the credit-card charge is the Head of Engineering or Founding CTO and the daily user is the senior compliance-tooling dev or SRE wiring rule-ingest pipelines into their internal control library.","beachheadShape":"EarlyAdopterJTBD: solo/small regulated-SaaS teams who ship their own in-house rule-diff scripts against HIPAA/SOC2/PCI corpora and are tired of missing amendment deltas between quarterly regulator releases."},"archetype":"startup-archetypes.org.ai/ManagedWorkflow-MoneyOnDelivery","beachhead":"EarlyAdopterJTBD: solo/small regulated-SaaS teams who ship their own in-house rule-diff scripts against HIPAA/SOC2/PCI corpora and are tired of missing amendment deltas between quarterly regulator releases.","competitors":{"substitutes":[{"name":"In-house Python diff script hitting the Federal Register / NIST OSCAL feeds","category":"informal","uncopyabilityReason":""},{"name":"Manual Outlook + SharePoint search for the latest regulator bulletin PDF","category":"manual-bridge","uncopyabilityReason":""},{"name":"AuditBoard","category":"incumbent","uncopyabilityReason":"AuditBoard's revenue model is seat-licensed enterprise GRC suites sold through 4-6 month procurement cycles with SOC2 security review; shipping a $0.25-per-call credit-card API would cannibalize its $40k+ ACV floor and — more structurally — its deployment-mode is a multi-module UI workbench, not a developer API, so exposing a metered diff endpoint requires rebuilding the billing, entitlement, and rate-limit plane it doesn't own (deployment-mode-mismatch)."},{"name":"OneTrust","category":"incumbent","uncopyabilityReason":"OneTrust's moat is its regulator-relations data corpus (privacy 
authority mappings across 150+ jurisdictions) licensed under redistribution restrictions that prohibit exposing raw amendment deltas via a metered third-party API; its content-licensing contracts with regulator aggregators forbid the very usage pattern this approach sells (vertical-data-corpus lock-in)."},{"name":"Workiva","category":"incumbent","uncopyabilityReason":"Workiva is structurally a documents-and-workbooks collaboration platform integrated deep into SEC XBRL filing workflows — adding real-time amendment-diff requires integration depth into dozens of regulator feed parsers that its roadmap has deprioritized in favor of ESG and financial-reporting modules (integration-depth)."},{"name":"Hyperproof","category":"AI-native horizontal","uncopyabilityReason":"Hyperproof distributes via compliance-consultant channel partners who resell configured-framework bundles; a self-serve developer API undermines the partner margin structure its GTM depends on and it lacks the direct-to-developer marketing org to reach the SRE/compliance-dev persona (distribution-channel)."}]},"studioThesis":"T-AIS-LOW-TECH","killThreshold":{"K":8,"M":40,"N":7,"rubricItemSet":["C1_customerSpecificity","C2_problemFrictionRealism","C3_approachEngineCoverability","C4_competitorHonesty","C5_differentiationLoservilleEscape","C6_crossSlotCoherence","C7_magicLensFit","C8_lensFit","C9_killCriteriaAttestability"],"verdictPolicy":"all-load-bearing-pass-and-overall-ge-X","loadBearingItemSet":["C1_customerSpecificity","C2_problemFrictionRealism","C3_approachEngineCoverability","C4_competitorHonesty","C5_differentiationLoservilleEscape","C6_crossSlotCoherence","C9_killCriteriaAttestability"],"verdictPolicyVerbatim":"KILL unless every load-bearing rubric item passes per workbook AND overall pass-rate ≥ 7/9 (CASCADE.md §4 Stage 9 commit threshold)."},"lifecycleState":"Active","differentiation":{"twoByTwo":{"xAxis":"Cost shape (seat-licensed enterprise ACV ↔ metered per-amendment-diff at 
$0.25/call)","yAxis":"Amendment-detection cadence (quarterly human review of regulator PDFs ↔ on-demand API call against live regulator register)","winningQuadrant":"Metered per-diff pricing with on-demand live-register detection — a dev hits the endpoint the morning after a NIST rev bump and gets the delta in under a second, billed at $0.25 per call","loservilleEscape":true,"loservilleQuadrant":"Seat-licensed annual suite with quarterly human-reviewed bulletin PDFs — AuditBoard's documented failure mode where subscribers only learn about a HIPAA subpart edit when the Q3 regulatory-update deck lands in their GRC workspace, already two months stale"}},"unmetRequirements":[],"pricingArchitecture":"usage-meter"},"actions":{},"options":{},"relationships":{"runtimeUnit":"https://api.sb/v1/runtime-units?startupRef=startup%3Afh%3Acompliance-officers-regulatory-gap-analysis%3At-ais-low-tech%3Av1","brand":"https://api.sb/v1/brands?startupId=startup%3Afh%3Acompliance-officers-regulatory-gap-analysis%3At-ais-low-tech%3Av1","listing":"https://api.services/listings?foundingHypothesisRef=fh%3Acompliance-officers-regulatory-gap-analysis%3At-ais-low-tech%3Av1","cell":"https://api.sb/v1/cells/work-contexts.org.ai/compliance-officers-regulatory-gap-analysis","thesis":"https://api.sb/v1/theses/T-AIS-LOW-TECH"},"meta":{"level":"L0","scopes":[]},"user":{"requestId":"a0575b6afbfba8fe","edgeLocation":"a0575b6afbfba8fe","geo":{"country":"US"},"ua":{"browser":"Claude"}},"references":{"total":0,"limit":25,"page":1,"links":{"self":"https://api.sb/v1/founding-hypotheses/fh%3Acompliance-officers-regulatory-gap-analysis%3At-ais-low-tech%3Av1/references"},"items":[]}}