diff --git a/obligations/controls_for_obligation_mapping.json b/obligations/controls_for_obligation_mapping.json
new file mode 100644
index 00000000..12848311
--- /dev/null
+++ b/obligations/controls_for_obligation_mapping.json
@@ -0,0 +1,71 @@
+{
+ "schema_version": "controls_for_obligation_mapping_v1",
+ "purpose": "Accepted CRA->OWASP controls (Compliance Execution Graph) for the Obligation Registry to propose the SEMANTIC control->obligation_id, replacing the coarse citation_unit interim join. Fill proposed_obligation_id per control, then we adopt it into control_mapping.obligation_id.",
+ "source": "ai-compliance-sdk control_mappings, mapping_status=accepted, reviewed_by=benjamin 2026-06-25",
+ "count": 7,
+ "controls": [
+  {
+   "framework": "OWASP ASVS",
+   "control": "V6.3.1",
+   "source_norm": "CRA Annex I Part I (2)(c) — Schutz vor unbefugtem Zugriff",
+   "citation_unit": "Annex I (2)(c)",
+   "family": "auth",
+   "mapping_type": "supports",
+   "proposed_obligation_id": ""
+  },
+  {
+   "framework": "OWASP ASVS",
+   "control": "V6.1.1",
+   "source_norm": "CRA Annex I Part I (2)(c) — Schutz vor unbefugtem Zugriff",
+   "citation_unit": "Annex I (2)(c)",
+   "family": "auth",
+   "mapping_type": "supports",
+   "proposed_obligation_id": ""
+  },
+  {
+   "framework": "OWASP ASVS",
+   "control": "V11.2.1",
+   "source_norm": "CRA Annex I Part I (2)(d) — Vertraulichkeit / Verschluesselung",
+   "citation_unit": "Annex I (2)(d)",
+   "family": "crypto",
+   "mapping_type": "supports",
+   "proposed_obligation_id": ""
+  },
+  {
+   "framework": "OWASP ASVS",
+   "control": "V11.7.1",
+   "source_norm": "CRA Annex I Part I (2)(d) — Vertraulichkeit / Verschluesselung",
+   "citation_unit": "Annex I (2)(d)",
+   "family": "crypto",
+   "mapping_type": "supports",
+   "proposed_obligation_id": ""
+  },
+  {
+   "framework": "OWASP ASVS",
+   "control": "V16.3.3",
+   "source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging",
+   "citation_unit": "Annex I (2)(k)",
+   "family": "logging",
+   "mapping_type": "supports",
+   "proposed_obligation_id": ""
+  },
+  {
+   "framework": "OWASP ASVS",
+   "control": "V16.3.4",
+   "source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging",
+   "citation_unit": "Annex I (2)(k)",
+   "family": "logging",
+   "mapping_type": "supports",
+   "proposed_obligation_id": ""
+  },
+  {
+   "framework": "OWASP ASVS",
+   "control": "V16.1.1",
+   "source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging",
+   "citation_unit": "Annex I (2)(k)",
+   "family": "logging",
+   "mapping_type": "supports",
+   "proposed_obligation_id": ""
+  }
+ ]
+}