# Open invitation to FINOS and Karl Moll

**From:** the open Pathways project (Originator), channel `djat-poc-hypergraph-20260716`
**To:** [FINOS](https://finos.org) (`tm:finos`) and **Karl Moll**, Technical Project Advocate, FINOS
**Re:** Co-developing CALM as the shared modeling language for a cross-industry Proof-of-Control hypergraph

---

## Why you

Karl, your work convening the **AI Governance Framework (AIGF) &times; Common Cloud Controls (CCC) &times; CALM** convergence &mdash; getting architecture off whiteboards and into machine-readable, validatable code that carries measurable controls &mdash; is precisely the substrate this bundle needs. Your [Governance, Controls &amp; Architecture](https://docs.google.com/presentation/d/1K3GiIELCOOhrLmjxXmFgr8XP8xPkduQxlqF15iD5fow/edit?usp=sharing) presentation frames the exact problem we are attacking from the evidence side: reference architectures that make governance concrete and auditable.

We have built a **PoC Shared Domain Hypergraph**: one Shared Domain Graph per Proof-of-Control domain (Security, Privacy, Portability, Authorization, Identity, and Provenance), all connected to the same Proof-of-Control construct, with the cross-domain intersections, conflicts, and convergence / divergence / emergence patterns made first-class. It formalizes a landscape Gap Analysis of the standards community into a trackable registry of anchors &mdash; and every anchor is an open door for engagement.

## The premise: CALM as the collaboration language

We adopt **FINOS CALM** ([`tm:finos-calm`](../hypergraph-domain/registry/external-names.yaml)) as the **generic standardized modeling language** upon which cross-industry collaboration occurs, **deeply integrated with Pathway encodings**. Each is the other's missing half:

- CALM **controls** declare *what must hold*; Pathway runs + Proof-of-Control evidence prove *that it held at runtime*.
- CALM **flows** describe *how a change moves through an architecture*; Trust Key deep links make *each transition followable* across contexts and substrates.

We have already encoded how a **security vulnerability is identified and fixed** as a CALM flow &mdash; [`vulnerability-lifecycle.flow.calm.json`](../calm/flows/vulnerability-lifecycle.flow.calm.json) over the CALM architecture [`incident-response-fabric.calm.json`](../calm/architecture/incident-response-fabric.calm.json) &mdash; using CALM v1.1 nodes, relationships (`interacts`/`connects`/`deployed-in`/`composed-of`), controls (keyed to our `tm:` anchors with `requirement-url`s), and sequenced flow transitions.

## Proposed joint work program

Four pre-registered experiments (full designs in [`../calm/experiments/EXPERIMENTS.md`](../calm/experiments/EXPERIMENTS.md); hypotheses H-HG-1..4):

1. **EXP-CALM-1** &mdash; CALM controls &harr; PoC gap-matrix crosswalk. Trace every CALM control to a Gap Analysis row and a standard clause; controls with no matching evidence property are machine-detectable gaps.
2. **EXP-CALM-2** &mdash; a CALM flow and its cryptographic evidence as one artifact. Execute the vulnerability-lifecycle flow as PathwayRuns bound into Trust Keys and reconstruct the flow from provenance.
3. **EXP-CALM-3** &mdash; per-customer in-situ PoC instantiation emitted as a valid CALM **pattern**, specialized to a customer's threat vectors ("the process is the product").
4. **EXP-CALM-4** &mdash; **AIGF risks and CCC controls mapped onto the SDG hyperedges**, producing a validating CALM reference-architecture fragment per PoC domain &mdash; a direct contribution to your convergence.

## What collaboration looks like

- FINOS, CALM, AIGF, and CCC are registered anchors (`tm:finos`, `tm:finos-calm`, `tm:finos-aigf`, `tm:finos-ccc`) &mdash; each an authenticated entry point.
- Your engagement is recorded through the [Anchor Name Ledger](../hypergraph-domain/techniques/ANCHOR_NAME_LEDGER.v1.md), so every mention and association is trackable and deep-linkable.
- Everything is offline-verifiable: no platform lock-in, no live access required. The powerful party does least &mdash; verify a Trust Key on your own device, follow a deep link only if you want more.

## The bigger picture: insurance

Security and AI are now part of the underwriting of every industry, and insurers are bifurcating into those that **exclude AI** and those **embracing it**. A collaborative, cryptographically-attributed incident-response fabric &mdash; expressed in CALM, proven with Proof-of-Control evidence &mdash; is the acceleration path by which the embracing side can reinvent underwriting on real evidence. Financial-services AI, FINOS's home turf, is exactly where this lands first. See the [insurance brief](../executive-summaries/Insurance_Underwriting_Brief.md).

## Next step

Open the portal ([`../assets/hypergraph-map/index.html`](../assets/hypergraph-map/index.html)), read the four experiment designs, and tell us which one you'd like to run first. We'll seal a reciprocal bundle to your channel.

With respect and an open door,
*the open Pathways project*
