Compliance Frameworks

GovernanceAI includes built-in support for major compliance frameworks, helping you demonstrate governance and meet regulatory requirements.

Supported Frameworks

Enterprise Frameworks

Framework     | Scope         | Focus                         | Industries
------------- | ------------- | ----------------------------- | ---------------
SOC2 Type II  | Organization  | Trust, Security, Availability | Enterprise SaaS
ISO 27001     | Organization  | Information Security          | All
HIPAA         | Data Handling | Healthcare Data               | Healthcare
GDPR          | Data Privacy  | EU Resident Data              | All (EU focus)
CCPA          | Data Privacy  | California Resident Data      | All (CA focus)
PCI DSS       | Payment Data  | Credit Card Data              | Fintech
FedRAMP       | Government    | Federal Requirements          | Government

Framework-Specific Features

SOC2 Type II

Coverage:

  • CC6: Logical and Physical Access Controls
  • CC7: System Monitoring
  • CC8: System Change Management
  • CC9: Risk Mitigation

Automated Checks:

  • ✅ API access logging and monitoring
  • ✅ User authentication and authorization
  • ✅ Data encryption in transit
  • ✅ Change management process
  • ✅ Incident response procedures

Evidence:

$ curl -H "Authorization: Bearer $API_KEY" \
    https://api.governanceai.com/v1/compliance/soc2/evidence \
    -d '{"control": "CC6.1", "period": "2024-01"}'

# Returns: 15,000 access logs, 340 successful authentications,
# 0 unauthorized access attempts

HIPAA

Coverage:

  • Administrative Safeguards (workforce, information access)
  • Physical Safeguards (facility access, media controls)
  • Technical Safeguards (encryption, access controls, audit logs)

Automated Checks:

  • ✅ ePHI encryption (TLS 1.2+)
  • ✅ Access controls and authentication
  • ✅ Audit logging and integrity controls
  • ✅ User activity documentation
  • ⚠️ Business Associate Agreement tracking

Risk Assessment:

$ curl -H "Authorization: Bearer $API_KEY" \
    https://api.governanceai.com/v1/compliance/hipaa/risk-assessment

# Returns:
{
  "framework": "HIPAA",
  "compliance_percentage": 92,
  "risk_level": "low",
  "gaps": [
    {
      "safeguard": "Technical Safeguards",
      "requirement": "Encryption of ePHI at rest",
      "status": "needs_attention",
      "remediation": "Enable database encryption"
    }
  ]
}

GDPR

Coverage:

  • Data Protection Principles (lawfulness, fairness, transparency)
  • Consent & Rights (access, deletion, portability)
  • Data Processors & DPAs
  • Breach Notification

Automated Checks:

  • ✅ Data residency (EU data stays in EU)
  • ✅ Encryption and anonymization
  • ✅ Consent management
  • ✅ Data retention policies
  • ✅ DPA compliance tracking

Compliance Report:

$ curl -H "Authorization: Bearer $API_KEY" \
    https://api.governanceai.com/v1/compliance/gdpr/report \
    -d '{"format": "pdf", "include_evidence": true}'

Report includes:

  • Data processing inventory
  • Lawful basis documentation
  • Consent records
  • Data subject rights log
  • DPA effectiveness summary

Mapping to Frameworks

Automatic Control Mapping

GovernanceAI automatically maps your guardrails to compliance controls:

Your Guardrail: "block_pii"
├─ SOC2 Maps to: CC6.1 - Logical Access Control
│   └─ Evidence: Blocks SSN, credit cards in prompts
│
├─ HIPAA Maps to: 164.312(a)(2)(i) - Encryption
│   └─ Evidence: Redacts ePHI before processing
│
├─ GDPR Maps to: Article 32 - Security of Processing
│   └─ Evidence: Applies PII redaction across all data flows
│
└─ CCPA Maps to: Section 1798.150 - Data Breach
    └─ Evidence: Prevents unauthorized PII access

Manual Control Documentation

Document controls not automatically detected:

$ curl -X POST https://api.governanceai.com/v1/compliance/controls \
    -H "Authorization: Bearer $API_KEY" \
    -d '{
      "control_id": "SOC2-CC6.2",
      "control_name": "Restriction of Logical Access",
      "framework": "SOC2",
      "implementation_status": "operating",
      "evidence": [
        {
          "type": "procedure",
          "title": "API Access Review Procedure",
          "url": "https://wiki.internal/api-access-review"
        }
      ],
      "testing_frequency": "quarterly",
      "last_tested": "2024-01-15"
    }'
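A pre-flight check for a manual control record before it is sent to the controls endpoint, as an added example (not GovernanceAI's own code): the field names follow the request above, while the checks themselves, the framework-prefix convention for control_id and the 92-day staleness window for quarterly controls, are assumptions of this example.

```python
# Added example: validate a manual control record locally before POSTing it.
from datetime import date

REQUIRED = ("control_id", "control_name", "framework", "implementation_status",
            "evidence", "testing_frequency", "last_tested")
FRAMEWORKS = {"SOC2", "HIPAA", "GDPR"}  # identifiers used in this page's requests


def validate_control(payload: dict, today: date) -> list[str]:
    """Return the problems found; an empty list means the record is ready to send."""
    errors = [f"missing field: {k}" for k in REQUIRED if k not in payload]
    if errors:
        return errors
    fw = payload["framework"]
    if fw not in FRAMEWORKS:
        errors.append(f"unknown framework: {fw}")
    # Assumed convention: control_id carries its framework as a prefix, e.g. SOC2-CC6.2
    elif not payload["control_id"].startswith(fw + "-"):
        errors.append("control_id does not match framework prefix")
    evidence = payload["evidence"]
    if not isinstance(evidence, list) or not evidence:
        errors.append("evidence must be a non-empty list of objects")
    else:
        for i, item in enumerate(evidence):
            if not isinstance(item, dict) or not {"type", "title", "url"}.issubset(item):
                errors.append(f"evidence[{i}] must be an object with type, title and url")
            elif not item["url"].startswith("https://"):
                errors.append(f"evidence[{i}].url must use https")
    try:
        tested = date.fromisoformat(payload["last_tested"])
    except ValueError:
        errors.append("last_tested must be an ISO date (YYYY-MM-DD)")
        return errors
    if tested > today:
        errors.append("last_tested is in the future")
    # Stale-evidence check (assumed window): a quarterly control should have been tested within 92 days
    elif payload["testing_frequency"] == "quarterly" and (today - tested).days > 92:
        errors.append("quarterly control has not been tested this quarter")
    return errors


# Constructed sample, mirroring the request above
SAMPLE = {
    "control_id": "SOC2-CC6.2", "control_name": "Restriction of Logical Access",
    "framework": "SOC2", "implementation_status": "operating",
    "evidence": [{"type": "procedure", "title": "API Access Review Procedure",
                  "url": "https://wiki.internal/api-access-review"}],
    "testing_frequency": "quarterly", "last_tested": "2024-01-15",
}
```

Run `validate_control(SAMPLE, date.today())` and submit only when it returns an empty list.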

Generating Compliance Reports

Dashboard Report Generation

  • Go to Compliance section
  • Select framework (SOC2, HIPAA, GDPR)
  • Choose period (quarterly, annual)
  • Click Generate Report
  • Download as PDF with evidence

API Report Generation

# Generate SOC2 Type II Report
$ curl -X POST https://api.governanceai.com/v1/compliance/reports \
    -H "Authorization: Bearer $API_KEY" \
    -d '{
      "framework": "SOC2",
      "reporting_period": {
        "start": "2024-01-01",
        "end": "2024-12-31"
      },
      "include_evidence": true,
      "format": "pdf"
    }' \
    --output soc2_report_2024.pdf

# Generate HIPAA Risk Assessment
$ curl -X POST https://api.governanceai.com/v1/compliance/reports \
    -H "Authorization: Bearer $API_KEY" \
    -d '{
      "framework": "HIPAA",
      "report_type": "risk_assessment",
      "format": "html"
    }' \
    --output hipaa_risk_assessment.html

Monitoring Compliance Status

Real-Time Dashboard

Dashboard shows:

  • Overall compliance percentage per framework
  • Control-by-control status
  • Gaps and remediation items
  • Evidence completeness
  • Trend over time

Alerting

Get notified when compliance status changes:

$ curl -X POST https://api.governanceai.com/v1/compliance/alerts \
    -H "Authorization: Bearer $API_KEY" \
    -d '{
      "framework": "HIPAA",
      "alert_conditions": [
        {
          "type": "compliance_drop",
          "threshold": 90,
          "send_to": ["security@company.com"]
        }
      ]
    }'

Audit Trail for Compliance

Every action is logged for audit:

# Query compliance-related audit logs
$ curl -H "Authorization: Bearer $API_KEY" \
    https://api.governanceai.com/v1/audit/logs \
    -d '{
      "filters": {
        "resource_type": "compliance",
        "start_date": "2024-01-01",
        "end_date": "2024-12-31"
      }
    }'

# Returns:
{
  "entries": [
    {
      "timestamp": "2024-01-15T10:30:00Z",
      "action": "compliance_report_generated",
      "user": "admin@company.com",
      "details": {
        "framework": "SOC2",
        "period": "Q1 2024",
        "controls_assessed": 45,
        "controls_passing": 43
      }
    }
  ]
}

Remediation Tracking

Track remediation of compliance gaps:

# Log remediation action
$ curl -X POST https://api.governanceai.com/v1/compliance/remediations \
    -H "Authorization: Bearer $API_KEY" \
    -d '{
      "gap_id": "gap_123",
      "framework": "HIPAA",
      "control": "164.312(a)(2)(i)",
      "remediation_action": "Enable database encryption",
      "remediation_date": "2024-01-20",
      "evidence": "Database Encryption Policy v2.1",
      "assigned_to": "DBA-Team",
      "due_date": "2024-01-31"
    }'

# Track remediation progress
$ curl -H "Authorization: Bearer $API_KEY" \
    https://api.governanceai.com/v1/compliance/remediations/status \
    -d '{"framework": "HIPAA"}'

# Returns:
{
  "open_remediations": 3,
  "in_progress": 2,
  "completed": 15,
  "overdue": 0,
  "completion_rate": "83%"
}
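How the status summary above and the compliance_drop alert condition from the Alerting section can be derived client-side, as an added example that is not GovernanceAI's own code. The records are constructed, the per-record "status" field is an assumption, and the alert semantics (fire when the percentage is below the threshold) and the completion_rate formula (completed over all tracked gaps) are inferred from the responses shown on this page.

```python
# Added example: remediation summary and compliance_drop alert evaluation.
from datetime import date

# Constructed records in the shape of the POST above, plus an assumed "status" field
RECORDS = [
    {"gap_id": "gap_123", "status": "in_progress", "due_date": "2024-02-28"},
    {"gap_id": "gap_124", "status": "in_progress", "due_date": "2024-03-15"},
    {"gap_id": "gap_125", "status": "open", "due_date": "2024-01-31"},
    {"gap_id": "gap_126", "status": "completed", "due_date": "2024-01-10"},
    {"gap_id": "gap_127", "status": "completed", "due_date": "2024-01-20"},
    {"gap_id": "gap_128", "status": "completed", "due_date": "2024-02-01"},
]


def summarize(records: list[dict], today: date) -> dict:
    """Build the /remediations/status shape: completion_rate is completed over all tracked gaps,
    and a gap is overdue when it is not completed and its due_date has passed."""
    open_ = [r for r in records if r["status"] != "completed"]
    completed = len(records) - len(open_)
    overdue = sum(date.fromisoformat(r["due_date"]) < today for r in open_)
    rate = round(100 * completed / len(records)) if records else 100
    return {
        "open_remediations": len(open_),
        "in_progress": sum(r["status"] == "in_progress" for r in open_),
        "completed": completed,
        "overdue": overdue,
        "completion_rate": f"{rate}%",
    }


def compliance_drop_alerts(assessment: dict, conditions: list[dict]) -> list[dict]:
    """Return the alert conditions that fire for a risk-assessment response
    (shape shown under HIPAA above). Assumed: compliance_drop fires below threshold."""
    return [c for c in conditions
            if c["type"] == "compliance_drop"
            and assessment["compliance_percentage"] < c["threshold"]]


if __name__ == "__main__":
    print(summarize(RECORDS, date(2024, 2, 5)))
    # Threshold 90 does not fire at the 92% shown earlier; a drop to 88% would
    alerts = [{"type": "compliance_drop", "threshold": 90, "send_to": ["security@company.com"]}]
    print(compliance_drop_alerts({"compliance_percentage": 88}, alerts))
```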

Best Practices

✅ Do:

  • Review compliance reports quarterly
  • Keep evidence up to date
  • Test controls regularly
  • Document all control implementations
  • Set up automated alerts
  • Schedule annual audits
  • Train staff on compliance requirements

❌ Don’t:

  • Ignore compliance gaps
  • Let evidence become stale
  • Deploy without compliance review
  • Document after the fact
  • Over-rely on automated checks alone
  • Delay remediation of critical gaps

Next Steps

  • Running Scans - Scan for compliance violations
  • Audit & Activity - Track all activity
  • API Reference - Compliance API endpoints