Look up which security/compliance controls apply for a given regulation, control category, enforcement surface, and/or sector.

Each result includes: the named control, the regulations that mandate it, the tooling options that implement it (categorised as managed/oss/commercial/standard), the evidence shape an auditor would expect, sector relevance, and a practitioner note.

Sourced from the curated dataset at hellouchit.com/dataset/ (CC BY 4.0). Covers EU AI Act, NIST AI RMF, ISO/IEC 42001, APRA CPS 234/230, AU AI Safety Standard, ASD Essential Eight, IRAP, SLSA, NIST SSDF, OWASP LLM Top 10, MITRE ATLAS, BCBS 239, PCI DSS 4.0, HIPAA, GDPR, EU DORA, EU NIS2, CISA SSA, FDA SaMD, IEC 62443, and more.

Use this tool whenever you need to answer 'which tool closes X regulator's requirement on Y surface' or 'what evidence does Z compliance regime expect'.

Look up anti-patterns from the catalogue at hellouchit.com/anti-patterns/ — named failure modes that recur across regulated-industry tech delivery.

Each match returns: where the pattern appears, why it's bad, what to do instead, and a diagnostic 'tell' that surfaces it. Examples: 'Inline Prompt Pattern', 'AI CoE Trap', 'Vault Theatre', 'SBOM Shelfware', 'PDF Principles', 'Eval Set That Never Runs'.

Use when reviewing an architecture description or codebase to flag known failure shapes; or when you need to name a problem precisely for a stakeholder conversation.

Map a regulatory requirement to its equivalents across other frameworks. Covers: EU AI Act ↔ NIST AI RMF ↔ ISO/IEC 42001 ↔ AU AI Safety Standard ↔ APRA CPS 230/234 ↔ OECD AI Principles ↔ Council of Europe Framework Convention on AI ↔ GDPR ↔ SLSA ↔ NIST SSDF ↔ OWASP LLM Top 10.

Each mapping has overlap classification (FULL · PARTIAL · NEW) plus practitioner notes on why.

Use whenever a user has work in one framework and needs to know what carries over to another. Highest-leverage when multinationals operating across jurisdictions need to demonstrate 'work done once counts everywhere'.

Source data maintained at hellouchit.com/dataset/. Set list_all_frameworks=true to see the framework catalogue first if you're unsure of the slugs.

Return a structured 90-day playbook (or specific week/gate from one). Playbooks are sequenced from week 1 to week 12, organised into 3 phases, with 12 named gates and anti-pattern callouts. Available playbooks:

• eu-ai-act-12-weeks: From 'Piloting' to EU AI Act Articles 9-15 ready by 2 Aug 2026

• cisa-attestation-90-days: From 'some SSDF practices' to defensible CISA Secure Software Attestation

• cloud-cost-aware-to-controlled: From 5-12% YoY savings to 20-35% (FinOps Aware → Controlled)

• vault-theatre-to-workload-identity: From static-creds-in-vault to OIDC workload identity Use to walk a user through implementation sequentially, or to extract a specific gate's requirements.

Classify an AI use-case under EU AI Act (Annex III + Article 5) and optionally AU AI Safety Standard.

Returns: risk tier, matching Annex III categories with sub-points, applicable Articles 9-15 obligations, enforcement date, and a recommended next-step sequence (which other tools to call).

Use for: initial classification of a new use-case, dual-jurisdiction analysis (EU + AU), or generating a structured input for the human-counsel-review handoff.

Not a substitute for legal counsel — borderline cases (especially employment, essential services, credit) need qualified review.

Return the regulations covered by the dataset. Useful as a discovery step — call this first to find available regulation slugs before calling lookup_control or crosswalk.

Each entry includes: slug (for use with other tools), full label, jurisdiction (AU/EU/US/INTL), and the count of control rows that reference it.