Compliance verifies that controls exist. Regulators increasingly ask whether the controls work — a different question with a different formal structure. The first is a Rung 1 inventory; the second is a Rung 2 causal attribution. A passing audit is not a defensible causal claim, and regulators in financial services, healthcare, environmental liability, and employment law are moving toward standards that distinguish the two.
Each case below opens with what the compliance framework was certifying and walks through the causal question a regulator or counterparty might ask instead. Model files ship with every case.
NIST CSF 2.0 — Investment in the wrong priority.
$4.2M to allocate across two NIST functions. The maturity assessment said both needed investment. The causal model said one reduced breach probability by 61%, the other by 11%.
GDPR — Compliance exceptions are handed out like chiclets. Most don’t survive a regulator’s causal question.
An exception that passes the legal test is not the same as an exception that survives a regulator asking, “Did this practice cause this harm?” The causal model is what supports the answer in a form a regulator accepts.
CCPA / CPRA — The compliance checklist passed. The opt-out mechanism was broken.
A checklist verifies that controls exist. A causal model asks whether they work — whether the opt-out causes the requested outcome, or whether something downstream undoes the opt-out silently. Two different questions.
Causal Evidence — The regulator asks what caused the harm. Association is not the answer.
Regulators in financial services, healthcare, environmental liability, and employment law increasingly distinguish between statistical association and causal attribution. A structural causal model is the artifact that supplies the answer in defensible form.
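The Rung 1 / Rung 2 gap that the NIST CSF, CCPA and Causal Evidence cases all turn on, as an added worked example: this is a constructed structural causal model, not one of the page’s model files, and the variables and probabilities are assumptions chosen for illustration. A confounder Z (organisational maturity) drives both adoption of a control X and the breach outcome Y, so the observed association between control and breach, which is all an audit dataset can show, overstates the control’s effect. The interventional quantity P(Y | do(X)) is computed by graph surgery: the mechanism that generates X from Z is replaced by the intervention. The last function shows the same quantity recovered from observational data by adjusting for Z, which is what a defensible attribution has to do when Z is measured.

```python
"""
Tiny structural causal model (SCM): observed association (Rung 1) versus
interventional effect (Rung 2) in the presence of a confounder.

Constructed example, not one of the page's model files. Variables and
probabilities are assumptions chosen for illustration:
  Z : organisational maturity (1 = high)   -- confounder
  X : control in place (1 = yes)           -- depends on Z
  Y : breach occurred (1 = yes)            -- depends on Z and X
"""
from itertools import product

P_Z1 = 0.5                                  # P(Z = 1)
P_X1_GIVEN_Z = {0: 0.2, 1: 0.8}             # mature orgs adopt the control more often
P_Y1_GIVEN_XZ = {                           # (x, z) -> P(Y = 1 | X = x, Z = z)
    (0, 0): 0.45, (1, 0): 0.40,             # control lowers breach by 0.05 in each stratum
    (0, 1): 0.15, (1, 1): 0.10,
}

def p_z(z):
    return P_Z1 if z == 1 else 1.0 - P_Z1

def p_x_given_z(x, z):
    p1 = P_X1_GIVEN_Z[z]
    return p1 if x == 1 else 1.0 - p1

def p_y_given_xz(y, x, z):
    p1 = P_Y1_GIVEN_XZ[(x, z)]
    return p1 if y == 1 else 1.0 - p1

def joint(z, x, y, do_x=None):
    """P(Z=z, X=x, Y=y) under the model.
    With do_x set, the mechanism for X is replaced by the intervention
    (graph surgery): X no longer listens to Z, so the Z -> X arrow is cut."""
    px = p_x_given_z(x, z) if do_x is None else (1.0 if x == do_x else 0.0)
    return p_z(z) * px * p_y_given_xz(y, x, z)

def p_breach_given_control(x):
    """Rung 1: P(Y=1 | X=x), the association an audit or observational dataset shows."""
    num = sum(joint(z, x, 1) for z in (0, 1))
    den = sum(joint(z, x, y) for z, y in product((0, 1), (0, 1)))
    return num / den

def p_breach_do_control(x):
    """Rung 2: P(Y=1 | do(X=x)), the effect of making the control happen."""
    return sum(joint(z, x, 1, do_x=x) for z in (0, 1))

def observed_effect():
    """Observed risk difference: P(Y=1|X=1) - P(Y=1|X=0)."""
    return p_breach_given_control(1) - p_breach_given_control(0)

def causal_effect():
    """Average causal effect: P(Y=1|do(X=1)) - P(Y=1|do(X=0))."""
    return p_breach_do_control(1) - p_breach_do_control(0)

def backdoor_adjusted(x):
    """Rung 2 recovered from observational quantities only:
    sum_z P(Y=1 | X=x, Z=z) * P(Z=z). Valid here because Z blocks the only
    back-door path between X and Y."""
    total = 0.0
    for z in (0, 1):
        p_xz = sum(joint(z, x, y) for y in (0, 1))          # P(X=x, Z=z)
        p_y1_xz = joint(z, x, 1) / p_xz                      # P(Y=1 | X=x, Z=z)
        p_z_marg = sum(joint(z, xx, y) for xx, y in product((0, 1), (0, 1)))
        total += p_y1_xz * p_z_marg
    return total

if __name__ == "__main__":
    print(f"association (Rung 1):  {observed_effect():+.3f}")
    print(f"intervention (Rung 2): {causal_effect():+.3f}")
    print(f"back-door adjusted:    {backdoor_adjusted(1) - backdoor_adjusted(0):+.3f}")
```

With the assumed numbers the observed risk difference is -0.23 while the interventional difference is -0.05: the control looks more than four times as effective as it is, because the organisations that adopted it were already the ones less likely to be breached. A checklist that records “control present” captures the Rung 1 number; the regulator’s question is the Rung 2 one.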
Criminal Causation — The expert’s statistics are accurate. Their logic is backward.
A frequency stated forward (the probability of the evidence given innocence) is not what the question asks (the probability of innocence given the evidence). The prosecutor’s fallacy is a Rung error: the conditioning is run in the wrong direction. The causal model is what makes the direction explicit.
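The direction error in the Criminal Causation case, as an added worked example that is not part of the original page: the random-match probability of 1 in 1,000,000, the certainty of a match under guilt, and the pool of 10,000,000 people who could plausibly have been the offender are all assumptions. The code runs Bayes’ rule both ways so the forward frequency P(evidence | innocent) and the question actually asked, P(innocent | evidence), sit side by side, and shows that the second cannot be computed without a prior.

```python
"""
Bayes' rule in both directions, to make the prosecutor's fallacy explicit.

Constructed example, not from the original page. Assumed numbers:
  P(match | innocent) = 1 / 1,000,000   (random match probability)
  P(match | guilty)   = 1               (a guilty person always matches)
  prior P(guilty)     = 1 / 10,000,000  (one offender in a plausible pool)
Exact fractions are used so the result is not clouded by rounding.
"""
from fractions import Fraction

def likelihood_ratio(p_evidence_given_guilty, p_evidence_given_innocent):
    """How much more probable the evidence is under guilt than under innocence."""
    return p_evidence_given_guilty / p_evidence_given_innocent

def posterior_guilty(p_evidence_given_guilty, p_evidence_given_innocent, prior_guilty):
    """P(guilty | evidence) by Bayes' rule. The prior is indispensable: the
    forward frequency P(evidence | innocent) alone never determines this."""
    prior_innocent = 1 - prior_guilty
    joint_guilty = prior_guilty * p_evidence_given_guilty
    joint_innocent = prior_innocent * p_evidence_given_innocent
    return joint_guilty / (joint_guilty + joint_innocent)

def posterior_innocent(p_evidence_given_guilty, p_evidence_given_innocent, prior_guilty):
    """P(innocent | evidence), the quantity the court is actually asking about."""
    return 1 - posterior_guilty(p_evidence_given_guilty, p_evidence_given_innocent, prior_guilty)

def prosecutor_fallacy_claim(p_evidence_given_innocent):
    """The fallacious move: present P(evidence | innocent) as if it were
    P(innocent | evidence). Returned unchanged to make the transposition visible."""
    return p_evidence_given_innocent

def worked_case():
    """The assumed numbers above. Returns (claimed P(innocent|match),
    actual P(innocent|match)) as exact fractions."""
    rmp = Fraction(1, 10**6)
    prior = Fraction(1, 10**7)
    return prosecutor_fallacy_claim(rmp), posterior_innocent(1, rmp, prior)

if __name__ == "__main__":
    claimed, actual = worked_case()
    print(f"likelihood ratio:           {likelihood_ratio(1, Fraction(1, 10**6))}")
    print(f"claimed P(innocent|match):  {float(claimed):.7f}")
    print(f"actual  P(innocent|match):  {float(actual):.7f}")
    # Same evidence, different priors: the posterior is driven by the prior,
    # which is exactly what the forward statement leaves out.
    for prior in (Fraction(1, 10**7), Fraction(1, 10**4), Fraction(1, 100)):
        print(f"prior {str(prior):>11}: P(guilty|match) = "
              f"{float(posterior_guilty(1, Fraction(1, 10**6), prior)):.6f}")
```

With the assumed pool, a one-in-a-million match still leaves the matched person innocent with probability of roughly 0.91, because about ten innocent people in the pool are expected to match too. The same evidence against a suspect already implicated on independent grounds (prior 1 in 100) gives guilt a posterior above 0.9999. The likelihood ratio is the only part of this the expert’s frequency supports; the conclusion needs the prior, and the causal model is where the prior and the direction of conditioning are stated rather than assumed.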
Next
For the methods behind these cases, see Confounding and the Querying cluster. For the wider portfolio across all five risk types, see About Risk.