feat(ai-sdk): source_role control-pool — controls are not only technical_standard

Live gate test showed control-intent (#36/#37) was inert for the EU cyber corpus:
"Welche Controls passen zu Security Updates?" recalls ENISA good-practices
(relevant measures, but source_class=supervisory_guidance) + binding regs, never
NIST — so lifting technical_standard above binding did nothing.

Per the finalized control-corpus model (User 2026-06-24): add source_role
(functional role) ORTHOGONAL to source_class (legal authority). source_class still
decides rank; source_role decides CONTROL-POOL membership. classifyRole derives 7
roles from markers (no re-tagging): obligation / operational_requirement /
procedural_requirement / control_standard / implementation_guidance /
interpretation / definition.

Control-intent now boosts the control-pool (operational/procedural requirement,
control standard, implementation guidance) over the abstract obligation, soft-
ordered op_req > procedural > standard > guidance (controlPoolGain + role bonus) —
replacing "lift technical_standard above binding". So CRA Annex I
(operational_requirement) wins over NIST (control_standard) for "which measures",
and ENISA (implementation_guidance) enters the pool while staying guidance.

Recall of not-retrieved standards (NIST) for generic control queries = next step
(searchControls). Tested: classifyRole table, role-preference, op_req-Top-1.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

ai-compliance-sdk/internal/ucca/authority.go

@@ -9,8 +9,8 @@ import (
 // authorityInfo is the normative classification of a search result, used internally
 // for re-ranking only (Phase 1 changes ordering, not the response contract).
 type authorityInfo struct {
-	weight       int    // 100 binding_law, 70 guidance, 0 foreign_law, 50 unknown
-	sourceClass  string // binding_law | supervisory_guidance | foreign_law | unknown
+	weight       int    // 100 binding, 80 technical_standard, 70 guidance, 0 foreign, 50 unknown
+	sourceClass  string // binding_law | technical_standard | supervisory_guidance | foreign_law | unknown
 	jurisdiction string // DE | EU | CH
 }
 
@@ -18,7 +18,13 @@ var (
 	guidanceMarkers = []string{
 		"DSK", "EDPB", "BfDI", "BFDI", "BayLfD", "Baylfb", "ENISA", "BSI", "EUCC",
 		"Standards Mapping", "Kpnr", "Orientierungshilfe", "Handreichung", "Beschluss",
-		"Leitlinie", "Guidance", "Empfehlung", "NIST", "OECD", "CISA", "Blue Guide",
+		"Leitlinie", "Guidance", "Empfehlung", "OECD", "CISA", "Blue Guide",
+	}
+	// Technical standards / control frameworks (best-practice controls). Checked BEFORE
+	// guidanceMarkers so a "BSI Grundschutz" chunk classifies as a standard, not BSI guidance.
+	standardMarkers = []string{
+		"NIST", "OWASP", "Grundschutz", "ISO 27001", "ISO/IEC 27001",
+		"CSA CCM", "Cloud Controls Matrix", "CIS Benchmark", "CIS Control",
 	}
 	foreignMarkers = []string{"RevDSG", "fedlex", "(CH)"}
 	deMarkers      = []string{"BDSG", "DSK", "BfDI", "BFDI", "BayLfD", "Baylfb", "BSI"}
@@ -48,6 +54,8 @@ func classifyAuthority(r LegalSearchResult) authorityInfo {
 	switch {
 	case containsAny(hay, foreignMarkers):
 		return authorityInfo{weight: 0, sourceClass: "foreign_law", jurisdiction: "CH"}
+	case r.Category == "standard" || containsAny(hay, standardMarkers):
+		return authorityInfo{weight: 80, sourceClass: "technical_standard", jurisdiction: jur}
 	case r.Category == "guidance" || containsAny(hay, guidanceMarkers):
 		return authorityInfo{weight: 70, sourceClass: "supervisory_guidance", jurisdiction: jur}
 	case r.Category == "regulation" || r.Category == "eu_recht" || normPattern.MatchString(r.ArticleLabel):
@@ -61,6 +69,8 @@ func sourceClassFromWeight(w int) string {
 	switch {
 	case w >= 100:
 		return "binding_law"
+	case w >= 80:
+		return "technical_standard"
 	case w >= 70:
 		return "supervisory_guidance"
 	case w <= 0:

ai-compliance-sdk/internal/ucca/authority_rerank.go

@@ -7,17 +7,17 @@ import (
 
 // Re-ranking coefficients (validated in the offline golden harness; Phase A — conservative).
 const (
-	authorityCoef        = 0.40 // * weight/100
-	jurisdictionGain     = 0.05 // binding/guidance from DE or EU
-	foreignPenalty       = 0.60 // foreign law on a DE/EU question (demoted, not removed)
-	unknownPenalty       = 0.08
-	domainMatchGain      = 0.15
-	offDomainPenalty     = 0.10 // off-domain binding (demoted, not removed)
-	scopePenalty         = 0.25 // BDSG Teil 3 (law enforcement) on a general DP question
-	topicGain            = 0.18 // amplifier only
-	supersededPenalty    = 0.50 // superseded Alt-Quelle (pre-eu-v1): demoted, nicht versteckt
-	guidanceIntentGain   = 0.25 // controlled guidance override on explicit interpretation intent
-	guidanceIntentMargin = 0.05 // ...only if the guideline is semantically competitive with binding
+	authorityCoef     = 0.40 // * weight/100
+	jurisdictionGain  = 0.05 // binding/guidance from DE or EU
+	foreignPenalty    = 0.60 // foreign law on a DE/EU question (demoted, not removed)
+	unknownPenalty    = 0.08
+	domainMatchGain   = 0.15
+	offDomainPenalty  = 0.10 // off-domain binding (demoted, not removed)
+	scopePenalty      = 0.25 // BDSG Teil 3 (law enforcement) on a general DP question
+	topicGain         = 0.18 // amplifier only
+	supersededPenalty = 0.50 // superseded Alt-Quelle (pre-eu-v1): demoted, nicht versteckt
+	intentLiftGain    = 0.10 // epsilon a qualifying interpretative source is lifted ABOVE the best binding
+	intentLiftMargin  = 0.05 // ...only if that source is semantically competitive with binding
 )
 
 // guidanceIntentSignals mark a query that EXPLICITLY asks for an interpretation /
@@ -29,10 +29,19 @@ var guidanceIntentSignals = []string{
 	"auslegung", "empfiehlt", "empfehlung", "sagt", "laut",
 }
 
-// queryWantsGuidance reports whether the query explicitly asks for guidance/interpretation.
-func queryWantsGuidance(query string) bool {
+// controlIntentSignals mark a query that asks HOW to implement / which controls or
+// measures fit — rather than WHAT the binding obligation is. Only then may a
+// (semantically competitive) technical_standard outrank the binding norm.
+var controlIntentSignals = []string{
+	"control", "controls", "maßnahme", "massnahme", "schutzmaßnahme",
+	"best practice", "best-practice", "umsetzen", "implementier", "absicher",
+	"härt", "haert", "hardening", "nist", "owasp", "grundschutz",
+	"ccm", "iso 27001", "isms",
+}
+
+func queryMatchesAny(query string, signals []string) bool {
 	q := strings.ToLower(query)
-	for _, sig := range guidanceIntentSignals {
+	for _, sig := range signals {
 		if strings.Contains(q, sig) {
 			return true
 		}
@@ -40,16 +49,22 @@ func queryWantsGuidance(query string) bool {
 	return false
 }
 
+// queryWantsGuidance reports whether the query explicitly asks for guidance/interpretation.
+func queryWantsGuidance(query string) bool { return queryMatchesAny(query, guidanceIntentSignals) }
+
+// queryWantsControls reports whether the query asks for implementation controls/measures.
+func queryWantsControls(query string) bool { return queryMatchesAny(query, controlIntentSignals) }
+
 // bestBindingSemantic returns the highest RAW semantic score among binding-law
-// results (0 if none / intent not requested). Used as the guard threshold so an
-// off-topic guideline cannot ride the interpretation-intent boost.
-func bestBindingSemantic(results []LegalSearchResult, wantsGuidance bool) float64 {
-	if !wantsGuidance {
+// results (0 if none / no intent). Used as the guard threshold so an off-topic
+// interpretative source cannot ride the intent boost.
+func bestBindingSemantic(results []LegalSearchResult, wantsIntent bool) float64 {
+	if !wantsIntent {
 		return 0
 	}
 	best := 0.0
 	for _, r := range results {
-		if r.SourceClass == "binding_law" && r.Score > best {
+		if classifyAuthority(r).sourceClass == "binding_law" && r.Score > best {
 			best = r.Score
 		}
 	}
@@ -104,23 +119,53 @@ func rerankByAuthority(query string, results []LegalSearchResult) []LegalSearchR
 	qDomain := queryDomain(query)
 	qForeign := queryIsForeign(query)
 	wantsGuidance := queryWantsGuidance(query)
+	wantsControls := queryWantsControls(query)
 	bestBindingSem := bestBindingSemantic(results, wantsGuidance)
 
 	out := make([]LegalSearchResult, len(results))
 	copy(out, results)
 	for i := range out {
 		out[i].Score = authorityScore(query, out[i], qDomain, qForeign)
-		// Interpretations-Intent (eng begrenzt): NUR wenn die Query explizit nach
-		// Guidance/Auslegung fragt UND die Leitlinie semantisch konkurrenzfaehig ist
-		// (>= bester binding-Treffer - margin), darf supervisory_guidance die bindende
-		// Norm ueberholen. Sonst bleibt binding > guidance (Normfrage unveraendert).
-		if wantsGuidance && out[i].SourceClass == "supervisory_guidance" &&
-			results[i].Score >= bestBindingSem-guidanceIntentMargin {
-			out[i].Score += guidanceIntentGain
-		}
+	}
+	// Explicit interpretation intent → a competitive guideline may outrank binding (lift
+	// above the best binding FINAL). Explicit implementation intent → boost the CONTROL-POOL
+	// (operational/procedural requirement, control standard, implementation guidance) over
+	// the abstract obligation, soft-ordered by role. Norm questions (neither) stay untouched.
+	if wantsGuidance {
+		liftAboveBinding(out, results, bestBindingSem, "supervisory_guidance")
+	}
+	if wantsControls {
+		applyControlRoles(out)
 	}
 	sort.SliceStable(out, func(a, b int) bool {
 		return out[a].Score > out[b].Score
 	})
 	return out
 }
+
+// liftAboveBinding lifts a semantically-competitive interpretative source (the given
+// sourceClass — supervisory_guidance or technical_standard) just ABOVE the best binding
+// hit, ordered by semantic, so an EXPLICIT guidance/implementation question can return
+// that source Top-1. A pure norm question (no intent → not called) keeps binding on top.
+// Sources below the semantic margin are left untouched, so an off-topic source can never
+// ride the override — and the lift is from the binding FINAL score, so authority/topic/
+// domain bonuses cannot edge it out.
+func liftAboveBinding(out, raw []LegalSearchResult, bestBindingSem float64, sourceClass string) {
+	bestBindingFinal := 0.0
+	for i := range out {
+		if classifyAuthority(out[i]).sourceClass == "binding_law" && out[i].Score > bestBindingFinal {
+			bestBindingFinal = out[i].Score
+		}
+	}
+	for i := range out {
+		// Classify (not raw payload) so the untagged legacy corpus — e.g. NIST ingested
+		// before source_class tagging — is still recognized as its interpretative class.
+		if classifyAuthority(out[i]).sourceClass != sourceClass || raw[i].Score < bestBindingSem-intentLiftMargin {
+			continue
+		}
+		lifted := bestBindingFinal + intentLiftGain + (raw[i].Score - bestBindingSem)
+		if lifted > out[i].Score {
+			out[i].Score = lifted
+		}
+	}
+}

ai-compliance-sdk/internal/ucca/authority_test.go

@@ -14,6 +14,10 @@ func TestClassifyAuthority(t *testing.T) {
 		{"tagged guidance DE", LegalSearchResult{AuthorityWeight: 70, SourceClass: "supervisory_guidance", Jurisdiction: "DE"}, 70, "supervisory_guidance", "DE"},
 		{"tagged foreign CH", LegalSearchResult{AuthorityWeight: 0, SourceClass: "foreign_law", Jurisdiction: "CH"}, 0, "foreign_law", "CH"},
 		{"untagged ENISA guidance", LegalSearchResult{RegulationShort: "ENISA", ArticleLabel: "ENISA CRA Standards Mapping"}, 70, "supervisory_guidance", "EU"},
+		{"untagged NIST standard", LegalSearchResult{RegulationShort: "NIST SP 800-82r3", ArticleLabel: "AU-8"}, 80, "technical_standard", "EU"},
+		{"BSI Grundschutz standard beats BSI guidance", LegalSearchResult{RegulationShort: "BSI Grundschutz", ArticleLabel: "BSI Grundschutz Baustein"}, 80, "technical_standard", "DE"},
+		{"weight-only 85 TRGS standard", LegalSearchResult{AuthorityWeight: 85, RegulationShort: "TRGS 529"}, 85, "technical_standard", "EU"},
+		{"tagged technical_standard", LegalSearchResult{AuthorityWeight: 80, SourceClass: "technical_standard", Jurisdiction: "EU"}, 80, "technical_standard", "EU"},
 		{"untagged CRA binding", LegalSearchResult{RegulationShort: "CRA", ArticleLabel: "Art. 13 CRA", Category: "regulation"}, 100, "binding_law", "EU"},
 		{"untagged BDSG binding DE", LegalSearchResult{RegulationShort: "BDSG", ArticleLabel: "§ 38 BDSG"}, 100, "binding_law", "DE"},
 		{"untagged RevDSG foreign", LegalSearchResult{RegulationShort: "RevDSG", ArticleLabel: "RevDSG (CH)"}, 0, "foreign_law", "CH"},

ai-compliance-sdk/internal/ucca/control_role.go

@@ -0,0 +1,94 @@
+package ucca
+
+import "strings"
+
+// source_role is the FUNCTIONAL role of a chunk — WHAT must be done (obligation),
+// HOW to implement it (operational/procedural requirement, control standard,
+// implementation guidance), or how to READ the norm (interpretation/definition).
+// It is ORTHOGONAL to source_class (legal authority): source_class decides RANK,
+// source_role decides CONTROL-POOL membership for implementation questions.
+// Derived deterministically from markers, so the untagged corpus needs no re-tag.
+const (
+	roleObligation      = "obligation"              // the abstract duty (the WHAT)
+	roleOperationalReq  = "operational_requirement" // concrete binding requirement (CRA Annex I)
+	roleProceduralReq   = "procedural_requirement"  // a process: notification/registration/DPIA/incident report
+	roleControlStandard = "control_standard"        // best-practice control catalog (NIST/OWASP/ISO/CIS)
+	roleImplGuidance    = "implementation_guidance" // advisory how-to (ENISA good practices, BSI)
+	roleInterpretation  = "interpretation"          // interprets the norm's MEANING (EDPB guideline)
+	roleDefinition      = "definition"              // definitions / scope / recitals
+)
+
+var (
+	proceduralMarkers = []string{
+		"Meldung", "Meldepflicht", "Notification", "Notifizierung", "Registrierung",
+		"Registration", "Konformitätserklärung", "Declaration of Conformity", "Incident",
+		"Berichterstattung", "Reporting", "Folgenabschätzung", "DSFA", "DPIA", "Anzeigepflicht",
+	}
+	annexMarkers       = []string{"Anhang", "Annex", "Appendix", "Anlage"}
+	operationalMarkers = []string{"Anforderung", "Requirement", "essential", "wesentliche"}
+	implMarkers        = []string{
+		"Good Practice", "Best Practice", "Standards Mapping", "Umsetzung", "Implementation",
+		"Handreichung", "Maßnahmenkatalog", "ICS", "SCADA", "Technical Guideline", "TIG",
+	}
+	definitionMarkers = []string{"Begriffsbestimmung", "Definition"}
+)
+
+// classifyRole derives the functional source_role from chunk metadata + the authority
+// class. technical_standard is always a control_standard; guidance splits into
+// implementation_guidance (how-to) vs interpretation (meaning); binding splits into
+// procedural / operational requirement / definition / plain obligation.
+func classifyRole(r LegalSearchResult) string {
+	cls := classifyAuthority(r).sourceClass
+	hay := strings.ToLower(r.ArticleLabel + " " + r.RegulationShort + " " + r.RegulationName + " " + r.Article)
+	switch {
+	case r.IsRecital:
+		return roleDefinition
+	case cls == "technical_standard":
+		return roleControlStandard
+	case cls == "supervisory_guidance":
+		if containsAnyLower(hay, implMarkers) {
+			return roleImplGuidance
+		}
+		return roleInterpretation
+	case cls == "binding_law":
+		switch {
+		case containsAnyLower(hay, definitionMarkers):
+			return roleDefinition
+		case containsAnyLower(hay, proceduralMarkers):
+			return roleProceduralReq
+		case containsAnyLower(hay, annexMarkers) || containsAnyLower(hay, operationalMarkers):
+			return roleOperationalReq
+		default:
+			return roleObligation
+		}
+	default:
+		return roleObligation
+	}
+}
+
+// controlRoleBonus is the soft intra-pool preference (User 2026-06-24):
+// operational_requirement > procedural_requirement > control_standard > implementation_guidance.
+var controlRoleBonus = map[string]float64{
+	roleOperationalReq:  0.100,
+	roleProceduralReq:   0.075,
+	roleControlStandard: 0.050,
+	roleImplGuidance:    0.000,
+}
+
+// controlPoolGain lifts EVERY control-pool role over the non-control roles (obligation/
+// interpretation/definition) on an implementation question, so the binding abstract
+// obligation does not dominate by authority alone. The obligation is not removed — it
+// stays visible as "Rechtsgrundlage" context below the recommended measures.
+const controlPoolGain = 0.15
+
+// applyControlRoles boosts the control-pool (the four implementation roles) for an
+// EXPLICIT implementation question, soft-ordered op_req > procedural > standard > guidance.
+// Replaces the earlier "lift technical_standard above binding" — controls are not only
+// technical_standard, and the binding operational_requirement (e.g. CRA Annex I) should win.
+func applyControlRoles(out []LegalSearchResult) {
+	for i := range out {
+		if bonus, ok := controlRoleBonus[classifyRole(out[i])]; ok {
+			out[i].Score += controlPoolGain + bonus
+		}
+	}
+}

ai-compliance-sdk/internal/ucca/control_role_test.go

@@ -0,0 +1,50 @@
+package ucca
+
+import "testing"
+
+func TestClassifyRole(t *testing.T) {
+	tests := []struct {
+		name string
+		r    LegalSearchResult
+		want string
+	}{
+		{"NIST -> control_standard", LegalSearchResult{RegulationShort: "NIST SP 800-82r3", ArticleLabel: "AU-8"}, roleControlStandard},
+		{"OWASP -> control_standard", LegalSearchResult{RegulationShort: "OWASP ASVS"}, roleControlStandard},
+		{"CRA Anhang -> operational_requirement", LegalSearchResult{RegulationShort: "CRA", ArticleLabel: "CRA Anhang I", Category: "regulation"}, roleOperationalReq},
+		{"CRA Meldepflicht -> procedural_requirement", LegalSearchResult{RegulationShort: "CRA", ArticleLabel: "Art. 14 CRA Meldepflicht", Category: "regulation"}, roleProceduralReq},
+		{"ENISA Good Practices -> implementation_guidance", LegalSearchResult{RegulationShort: "ENISA Supply Chain Good Practices"}, roleImplGuidance},
+		{"EDPB Leitlinie -> interpretation", LegalSearchResult{RegulationShort: "EDPB DPO", ArticleLabel: "WP243 Leitlinien Datenschutzbeauftragte"}, roleInterpretation},
+		{"DORA article -> obligation", LegalSearchResult{RegulationShort: "DORA", ArticleLabel: "Art. 5 DORA", Category: "regulation"}, roleObligation},
+		{"DSGVO Begriffsbestimmungen -> definition", LegalSearchResult{RegulationShort: "DSGVO", ArticleLabel: "Art. 4 DSGVO Begriffsbestimmungen", Category: "regulation"}, roleDefinition},
+		{"recital -> definition", LegalSearchResult{RegulationShort: "CRA", IsRecital: true}, roleDefinition},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := classifyRole(tt.r); got != tt.want {
+				t.Errorf("classifyRole() = %q, want %q", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestApplyControlRoles_PoolPreference(t *testing.T) {
+	// op_req > procedural > control_standard > impl_guidance; non-control roles get no boost.
+	roles := []struct {
+		r        LegalSearchResult
+		wantGain float64
+	}{
+		{LegalSearchResult{ArticleLabel: "CRA Anhang I", Category: "regulation"}, controlPoolGain + 0.100},
+		{LegalSearchResult{ArticleLabel: "Art. 14 CRA Meldepflicht", Category: "regulation"}, controlPoolGain + 0.075},
+		{LegalSearchResult{RegulationShort: "NIST SP 800-53"}, controlPoolGain + 0.050},
+		{LegalSearchResult{RegulationShort: "ENISA Good Practices"}, controlPoolGain + 0.000},
+		{LegalSearchResult{ArticleLabel: "Art. 5 DORA", Category: "regulation"}, 0.0}, // obligation: no boost
+	}
+	for _, rc := range roles {
+		out := []LegalSearchResult{rc.r}
+		out[0].Score = 1.0
+		applyControlRoles(out)
+		if got := out[0].Score - 1.0; got < rc.wantGain-1e-9 || got > rc.wantGain+1e-9 {
+			t.Errorf("role %q: gain %.3f, want %.3f", classifyRole(rc.r), got, rc.wantGain)
+		}
+	}
+}

ai-compliance-sdk/internal/ucca/legal_rag_intent_test.go

@@ -70,3 +70,66 @@ func TestRerank_OffTopicGuidance_BlockedByGuard(t *testing.T) {
 		t.Errorf("off-topic guidance must not win even with intent, got %s", out[0].SourceClass)
 	}
 }
+
+func TestQueryWantsControls(t *testing.T) {
+	wants := []string{
+		"Welche Controls passen zu Security Updates?",
+		"Welche Maßnahmen sollten wir umsetzen?",
+		"Wie härten wir den Server ab?",
+		"Gibt es NIST-Controls dafür?",
+		"OWASP Best Practice für Logging?",
+		"BSI Grundschutz Bausteine",
+	}
+	plain := []string{
+		"Welche Anforderungen bestehen an Security Updates?",
+		"Ab wann braucht man einen Datenschutzbeauftragten?",
+	}
+	for _, q := range wants {
+		if !queryWantsControls(q) {
+			t.Errorf("should detect control/implementation intent: %q", q)
+		}
+	}
+	for _, q := range plain {
+		if queryWantsControls(q) {
+			t.Errorf("should NOT detect control intent (norm question): %q", q)
+		}
+	}
+}
+
+func TestRerank_ControlQuestion_OperationalReqTop(t *testing.T) {
+	// User priority for implementation questions: operational_requirement (binding concrete,
+	// CRA Anhang I) > control_standard (NIST). Both are in the control-pool; op_req wins.
+	results := []LegalSearchResult{
+		{RegulationShort: "NIST SP 800-82r3", ArticleLabel: "AU-8", SourceClass: "technical_standard", AuthorityWeight: 80, Jurisdiction: "EU", Score: 0.60},
+		{RegulationShort: "CRA", ArticleLabel: "CRA Anhang I", Category: "regulation", Score: 0.58},
+	}
+	out := rerankByAuthority("Welche Controls und Massnahmen passen zu Security Updates?", results)
+	if out[0].RegulationShort != "CRA" {
+		t.Errorf("operational_requirement (CRA Anhang I) should be Top-1 over control_standard, got %q", out[0].RegulationShort)
+	}
+}
+
+func TestRerank_NormQuestion_BindingOverStandard(t *testing.T) {
+	// "Anforderungen" → no control intent → binding obligation stays Top-1 over the standard.
+	results := []LegalSearchResult{
+		intentRes("NIST SP 800-82", "technical_standard", 0.62, 80),
+		intentRes("CRA", "binding_law", 0.58, 100),
+	}
+	out := rerankByAuthority("Welche Anforderungen bestehen an Security Updates?", results)
+	if out[0].SourceClass != "binding_law" {
+		t.Errorf("norm question: binding must stay Top-1 over standard, got %s", out[0].SourceClass)
+	}
+}
+
+func TestRerank_ControlQuestion_PoolBeatsBareObligation(t *testing.T) {
+	// A control-pool source (NIST control_standard) outranks an abstract obligation with no
+	// domain/topic advantage, because the implementation intent boosts the control-pool.
+	results := []LegalSearchResult{
+		{RegulationShort: "NIST SP 800-82r3", ArticleLabel: "AU-8", SourceClass: "technical_standard", AuthorityWeight: 80, Jurisdiction: "EU", Score: 0.55},
+		{RegulationShort: "XYZ", ArticleLabel: "Art. 5 XYZ", Category: "regulation", Score: 0.58},
+	}
+	out := rerankByAuthority("Welche Controls und Massnahmen passen zu Security Updates?", results)
+	if out[0].RegulationShort != "NIST SP 800-82r3" {
+		t.Errorf("control_standard should beat a bare abstract obligation on a control question, got %q", out[0].RegulationShort)
+	}
+}