Compliance Frameworks

GovernanceAI includes built-in support for major compliance frameworks, helping you demonstrate governance and meet regulatory requirements.

Supported Frameworks

Enterprise Frameworks

Framework	Scope	Focus	Industries
SOC2 Type II	Organization	Trust, Security, Availability	Enterprise SaaS
ISO 27001	Organization	Information Security	All
HIPAA	Data Handling	Healthcare Data	Healthcare
GDPR	Data Privacy	EU Resident Data	All (EU focus)
CCPA	Data Privacy	California Resident Data	All (CA focus)
PCI DSS	Payment Data	Credit Card Data	Fintech
FedRAMP	Government	Federal Requirements	Government

Framework Specific Features

SOC2 Type II

Coverage:

CC6: Logical and Physical Access Controls
CC7: System Monitoring and Monitoring
CC8: System Change Management
CC9: Risk Mitigation

Automated Checks:

✅ API access logging and monitoring
✅ User authentication and authorization
✅ Data encryption in transit
✅ Change management process
✅ Incident response procedures

Evidence:

$ curl -H "Authorization: Bearer $API_KEY" \
>   https://api.governanceai.com/v1/compliance/soc2/evidence \
>   -d '{"control": "CC6.1", "period": "2024-01"}' \
> 
$ # Returns: 15,000 access logs, 340 successful authentications,
$ # 0 unauthorized access attempts

HIPAA

Coverage:

Administrative Safeguards (workforce, information access)
Physical Safeguards (facility access, media controls)
Technical Safeguards (encryption, access controls, audit logs)

Automated Checks:

✅ ePHI encryption (TLS 1.2+)
✅ Access controls and authentication
✅ Audit logging and integrity controls
✅ User activity documentation
⚠️ Business Associate Agreement tracking

Risk Assessment:

$ curl -H "Authorization: Bearer $API_KEY" \
>   https://api.governanceai.com/v1/compliance/hipaa/risk-assessment
$ 
$ # Returns:
$ {
>   "framework": "HIPAA",
>   "compliance_percentage": 92,
>   "risk_level": "low",
>   "gaps": [
>     {
>       "safeguard": "Technical Safeguards",
>       "requirement": "Encryption of ePHI at rest",
>       "status": "needs_attention",
>       "remediation": "Enable database encryption"
>     }
>   ]
> }

Coverage:

Data Protection Principles (lawfulness, fairness, transparency)
Consent & Rights (access, deletion, portability)
Data Processors & DPAs
Breach Notification

Automated Checks:

✅ Data residency (EU data stays in EU)
✅ Encryption and anonymization
✅ Consent management
✅ Data retention policies
✅ DPA compliance tracking

Compliance Report:

$ curl -H "Authorization: Bearer $API_KEY" \
>   https://api.governanceai.com/v1/compliance/gdpr/report \
>   -d '{"format": "pdf", "include_evidence": true}'

Report includes:

Data processing inventory
Lawful basis documentation
Consent records
Data subject rights log
DPA effectiveness summary

Mapping to Frameworks

Automatic Control Mapping

GovernanceAI automatically maps your guardrails to compliance controls:

Your Guardrail: "block_pii"
  ├─ SOC2 Maps to: CC6.1 - Logical Access Control
  │  └─ Evidence: Blocks SSN, credit cards in prompts
  │
  ├─ HIPAA Maps to: 164.312(a)(2)(i) - Encryption
  │  └─ Evidence: Redacts ePHI before processing
  │
  ├─ GDPR Maps to: Article 32 - Security of Processing
  │  └─ Evidence: Applies PII redaction across all data flows
  │
  └─ CCPA Maps to: Section 1798.150 - Data Breach
     └─ Evidence: Prevents unauthorized PII access

Manual Control Documentation

Document controls not automatically detected:

$ curl -X POST https://api.governanceai.com/v1/compliance/controls \
>   -H "Authorization: Bearer $API_KEY" \
>   -d '{
>     "control_id": "SOC2-CC6.2",
>     "control_name": "Restriction of Logical Access",
>     "framework": "SOC2",
>     "implementation_status": "operating",
>     "evidence": [
>       "type": "procedure",
>       "title": "API Access Review Procedure",
>       "url": "https://wiki.internal/api-access-review"
>     ],
>     "testing_frequency": "quarterly",
>     "last_tested": "2024-01-15"
>   }'

Generating Compliance Reports

Dashboard Report Generation

Go to Compliance section
Select framework (SOC2, HIPAA, GDPR)
Choose period (quarterly, annual)
Click Generate Report
Download as PDF with evidence

API Report Generation

$ # Generate SOC2 Type II Report
$ curl -X POST https://api.governanceai.com/v1/compliance/reports \
>   -H "Authorization: Bearer $API_KEY" \
>   -d '{
>     "framework": "SOC2",
>     "reporting_period": {
>       "start": "2024-01-01",
>       "end": "2024-12-31"
>     },
>     "include_evidence": true,
>     "format": "pdf"
>   }' \
>   --output soc2_report_2024.pdf
$ 
$ # Generate HIPAA Risk Assessment
$ curl -X POST https://api.governanceai.com/v1/compliance/reports \
>   -H "Authorization: Bearer $API_KEY" \
>   -d '{
>     "framework": "HIPAA",
>     "report_type": "risk_assessment",
>     "format": "html"
>   }' \
>   --output hipaa_risk_assessment.html

Monitoring Compliance Status

Real-Time Dashboard

Dashboard shows:

Overall compliance percentage per framework
Control-by-control status
Gaps and remediation items
Evidence completeness
Trend over time

Alerting

Get notified when compliance status changes:

$ curl -X POST https://api.governanceai.com/v1/compliance/alerts \
>   -H "Authorization: Bearer $API_KEY" \
>   -d '{
>     "framework": "HIPAA",
>     "alert_conditions": [
>       {
>         "type": "compliance_drop",
>         "threshold": 90,
>         "send_to": ["security@company.com"]
>       }
>     ]
>   }'

Audit Trail for Compliance

Every action is logged for audit:

$ # Query compliance-related audit logs
$ curl -H "Authorization: Bearer $API_KEY" \
>   https://api.governanceai.com/v1/audit/logs \
>   -d '{
>     "filters": {
>       "resource_type": "compliance",
>       "start_date": "2024-01-01",
>       "end_date": "2024-12-31"
>     }
>   }'
$ 
$ # Returns:
$ {
>   "entries": [
>     {
>       "timestamp": "2024-01-15T10:30:00Z",
>       "action": "compliance_report_generated",
>       "user": "admin@company.com",
>       "details": {
>         "framework": "SOC2",
>         "period": "Q1 2024",
>         "controls_assessed": 45,
>         "controls_passing": 43
>       }
>     }
>   ]
> }

Remediation Tracking

Track remediation of compliance gaps:

$ # Log remediation action
$ curl -X POST https://api.governanceai.com/v1/compliance/remediations \
>   -H "Authorization: Bearer $API_KEY" \
>   -d '{
>     "gap_id": "gap_123",
>     "framework": "HIPAA",
>     "control": "164.312(a)(2)(i)",
>     "remediation_action": "Enable database encryption",
>     "remediation_date": "2024-01-20",
>     "evidence": "Database Encryption Policy v2.1",
>     "assigned_to": "DBA-Team",
>     "due_date": "2024-01-31"
>   }'
$ 
$ # Track remediation progress
$ curl -H "Authorization: Bearer $API_KEY" \
>   https://api.governanceai.com/v1/compliance/remediations/status \
>   -d '{"framework": "HIPAA"}'
$ 
$ # Returns:
$ {
>   "open_remediations": 3,
>   "in_progress": 2,
>   "completed": 15,
>   "overdue": 0,
>   "completion_rate": "83%"
> }

Best Practices

✅ Do:

Review compliance reports quarterly
Keep evidence up to date
Test controls regularly
Document all control implementations
Set up automated alerts
Schedule annual audits
Train staff on compliance requirements

❌ Don’t:

Ignore compliance gaps
Let evidence become stale
Deploy without compliance review
Document after the fact
Over-rely on automated checks alone
Delay remediation of critical gaps

Next Steps

Running Scans - Scan for compliance violations
Audit & Activity - Track all activity
API Reference - Compliance API endpoints