Industry-mandated control sets — PCI, HIPAA, FISMA, FedRAMP, CMMC, SOC2, ISO 27001, Section 508 — where the defect is *non-conformance to a named framework*.
The framework layer: a named external standard prescribes a control, and the product either meets it or does not.
In scope. Industry-mandated control sets where the defect is measured against a specific framework: PCI-DSS network segmentation, HIPAA audit-log retention, FedRAMP baseline controls, CMMC levels, SOC2 evidence, ISO 27001 clauses, FISMA requirements, Section 508 federal-accessibility obligations, SOX-driven financial controls, export-control marking.
Not in scope. Privacy frameworks centered on user rights (GDPR, CCPA, COPPA) — those belong to privacy-consent (HIPAA carries both, because it has patient-rights and covered-entity dimensions). The underlying security or accessibility mechanism belongs to the relevant mechanism taxon (access-control, accessibility, etc.). A pattern almost always carries both this taxon and the mechanism taxon.
Distinct because. The defect is "the framework says do X and the product doesn't" — authority comes from the framework's prescription, not the technical harm. A missing audit log may be a defect under observability (operationally) and under regulatory-conformance (because HIPAA requires it); the latter taxon captures the legal/industry obligation lens.
Conceptual sub-structure. Payment-card, healthcare, federal/government, financial, accessibility-legal, international (ISO).