Methodology · v1
How SAL maps agents to standards
Transparent by design. Every spec in the registry is derived from a named public government source through a documented process. This page explains that process so anyone — auditor, journalist, competitor, or customer — can verify the work independently.
Four principles
1 · Cite to source
Every registry entry carries the specific government document it was derived from. No spec is accepted into the registry without a verifiable public source anchor.
2 · Cross-reference, don't invent
SAL does not create new occupational or regulatory standards. SAL cross-references existing government classifications to produce structured agent specifications.
3 · Name the limits
SAL is not a government entity, not affiliated with any government agency, and not a verifier of compliance. Specs describe what a role does; deploying agents remains the operator's responsibility.
4 · Update on schedule
Source data changes. SAL re-ingests each source on a published cadence and timestamps every spec with its last verified date.
What SAL ingests, from where
| Classification system | Source | Specs |
|---|---|---|
| SOC / O*NET occupations | onetonline.org · U.S. Bureau of Labor Statistics | 1,017 |
| CFR regulations | ecfr.gov · all 49 active titles | 8,302 |
| ISCO-08 international | International Labour Organization (ILO) | 43 |
| NAICS industry sectors | census.gov/naics | 79 |
| NIST cybersecurity | NIST CSF 2.0 + 800-53 Rev 5 | 42 |
| Total in registry | — | 9,483 |
How each spec is built
- Ingest. Source data is fetched from the authoritative government endpoint via documented scripts (see
scripts/in the public repo). Each row retains its source URL and ingestion timestamp. - Normalize. Each spec is mapped into a common schema:
soc_code,title,description,primary_directive,step_by_step_json,toolbox_requirements,guardrails. - Cross-reference. Related specs across systems are linked. A SOC healthcare occupation links to the CFR regulation that applies to it (e.g., 29-2072 Medical Records Specialists ↔ 45 CFR Part 164 HIPAA Security Rule).
- Validate. Every spec must resolve to a real, currently-active source entry. Orphaned or superseded entries are flagged and either updated or removed.
- Publish. Specs enter the public registry and become queryable through the website and API. The source anchor travels with the spec through every response.
Certification
What “SAL Certified” means — and what it does not
A SAL Certifiedagent has been submitted to SAL and evaluated against SAL's own certification criteria, cross-referenced to federal SOC, CFR, and NIST classifications. Certification documents that the agent:
- Has a clearly defined role mapped to a registry spec
- Declares the regulations it operates under
- Declares its toolbox and action boundaries
- Carries an audit trail from spec to deployment
It does not mean the agent has been approved by the U.S. government, verified against HIPAA/GDPR/etc by a regulator, or is exempt from any compliance obligation its operator is otherwise subject to. SAL certification is an industry self-regulation framework, not a regulatory sign-off.
Refresh cadence
Daily
eCFR titles most commonly cited in AI deployments (HIPAA, GDPR-adjacent, financial, labor).
Weekly
Remainder of eCFR, NIST CSF advisories, NAICS industry updates.
Monthly
O*NET SOC code updates (U.S. Bureau of Labor Statistics release cycle).
On release
ISCO major-group changes, AI Act risk-tier updates, new NIST publications.
Known limitations
- Derivative classifications are mappings, not equivalences. A SOC occupation does not equal a CFR regulation. SAL links them so an operator can find applicable regulation quickly, but the final legal determination of what applies in a specific deployment remains the operator's responsibility.
- CFR entries are regulatory specs, not AI-agent roles. When the registry surfaces a CFR entry, it represents the governing framework a compliance agent should cite — not a day-to-day operational role. The registry also returns the SOC roles that execute the work so you see both layers.
- SAL is not a regulator. SAL has no authority to grant compliance, authorize practice, or adjudicate disputes. SAL is a public classification registry.
- Update latency. Government sources publish on their own schedule. The “last verified” timestamp on each spec reflects when SAL last synced the source, not when the source itself was last revised.
Spot a mapping error?
The registry is open and the methodology is public for a reason. If you find a spec that misreads its source, or a citation that no longer resolves, tell us.
Submit a correction