The Jurisdiction Stack: Why Federal-Only Compliance Leaves You Exposed
When people say "compliance," they usually mean the famous federal frameworks — the acronyms with conferences and consultants attached. But talk to owners who've actually been fined, and a different picture emerges: the rules that catch small businesses are overwhelmingly not federal.
The stack, from top to bottom
Every business in America sits under at least four layers of rulemaking authority:
- Federal — agency regulations keyed to what your business does. Well-published, well-documented, and the layer every compliance tool covers.
- State — licensing boards, labor rules, state-specific mandates. This is where occupational licensing lives, with renewal windows that carry real consequences.
- County — health departments, environmental programs, permits. The inspector who walks through your door most often works at this level.
- City — municipal ordinances, local inspections, premises-specific requirements. The least published, least tracked, most surprising layer.
And cutting across all four: the universal layer — employment, utilities, water, and entity requirements that apply to every business regardless of industry.
Why the bottom of the stack bites hardest
Federal rules are prominent precisely because they're centralized: one register, one publication process, an entire industry of tools tracking them. The lower you go in the stack, the more fragmented publication becomes — and the less likely any tool, newsletter, or consultant is watching it for you.
Consider a requirement as mundane as an annual backflow-prevention assembly test — a city-level rule tied to your water connection. It appears in no federal database, and enterprise GRC platforms were never designed to track it. The first document most owners see about it is the violation notice. Multiply that pattern across permits, postings, logs, and inspections, and you get the real shape of small-business compliance risk: dozens of small, local, unglamorous obligations, each individually manageable and collectively invisible.
The tooling gap
Compliance software followed the money, and the money was in large enterprises certifying against single frameworks. That produced excellent tools for going deep on one slice of the stack — and almost nothing for the business whose actual risk is spread across all of it.
A restaurant doesn't get to choose between federal labor law and the county health code. It answers to both, plus the state licensing board, plus the fire marshal. A tool that models one layer models a minority of the risk.
What resolving the full stack looks like
The alternative is to treat the stack as one problem: take a specific business — its industry, its locations, its operations — and resolve every layer against it simultaneously, keeping the result current as each layer changes on its own schedule. That's the approach SOLOX takes, and it's why we describe the output as a digital twin rather than a checklist: the stack is alive, so the model of it has to be too.