Compliance Control
A required security measure — framework, control ID, implementation status, and evidence.
Why This Object Matters for AI
AI compliance automation maps controls to frameworks; audit readiness depends on control documentation.
Security & Compliance Capacity Profile
Typical CMC levels for security & compliance in SaaS/Technology organizations.
CMC Dimension Scenarios
What each CMC level looks like specifically for Compliance Control. Baseline level is highlighted.
Compliance controls exist only in the heads of the security team. When an auditor asks 'show me your access review control,' someone scrambles to explain the process verbally. There is no written control catalog, no control IDs, no documented implementation status, and no evidence repository. 'We do that, we just haven't written it down' is the standard response.
None — AI has no compliance control documentation to reason about because nothing is formalized.
Create a compliance control register documenting each control's ID, description, owning framework, implementation status, and responsible party in a shared location.
A spreadsheet lists compliance controls with IDs and descriptions, but it drifts from reality. Some controls reference SOC 2 criteria, others use ad-hoc numbering. Implementation status is vague — 'in progress' could mean 10% or 90% complete. Evidence is scattered across Google Drive folders, Slack messages, and email attachments with no consistent linking.
Can list documented compliance controls but cannot verify implementation status or locate supporting evidence because the spreadsheet is disconnected from actual control operations.
Implement a GRC platform with structured compliance control records containing framework mapping, implementation milestones, evidence requirements, and assigned owners.
A GRC platform manages compliance controls with framework mappings, ownership assignments, and implementation status tracking. Controls link to their parent frameworks (SOC 2, ISO 27001, HIPAA). But evidence collection is still manual — someone screenshots a configuration, writes a narrative, and uploads it before each audit. Control effectiveness is self-assessed, not measured.
Can query the GRC platform for control status and framework coverage gaps but cannot assess whether controls are actually effective because evidence is manually curated point-in-time snapshots.
Enforce structured evidence requirements for each compliance control — define what constitutes valid evidence, link evidence artifacts to their source systems, and maintain an audit trail of evidence collection timestamps.
Every compliance control record contains structured framework mappings, implementation milestones, defined evidence requirements, linked evidence artifacts with provenance, and effectiveness metrics. An auditor can query 'show me the access review control, its SOC 2 mapping, the last three evidence collection cycles, and the pass/fail rate' and get a documented, verifiable answer.
Can perform automated compliance assessments, identify controls with stale evidence, and flag framework coverage gaps. Cannot yet verify control effectiveness in real time because evidence is collected periodically.
Implement a validated compliance control schema with enforced attribute types, cross-framework control harmonization mappings, and machine-readable effectiveness criteria that AI agents can evaluate programmatically.
A validated compliance control schema enforces attribute types, harmonizes controls across frameworks (a single 'encryption at rest' control maps to SOC 2 CC6.1, ISO 27001 A.10.1, and HIPAA §164.312), and defines machine-readable effectiveness criteria. AI agents evaluate control compliance programmatically, flagging controls that fail their defined effectiveness thresholds.
Can autonomously assess compliance posture across all mapped frameworks, identify cross-framework gaps, and generate audit-ready compliance reports. Human judgment is needed for interpreting regulatory ambiguity and emerging framework requirements.
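As an added illustration (not code from the page or any GRC product) of the validated schema, cross-framework mapping, evidence provenance and machine-readable effectiveness criteria described above: a minimal control record whose framework ID formats, criteria ranges, evidence freshness window and pass-rate threshold are all assumptions chosen for the example, evaluated programmatically the way the scenario says an agent would.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Assumed per-framework ID formats; a mapping that does not match is rejected.
ID_PATTERNS = {"SOC2": r"CC\d+\.\d+", "ISO27001": r"A\.\d+\.\d+", "HIPAA": r"§164\.\d{3}"}

@dataclass
class Evidence:
    source_system: str      # provenance: the system the artifact was pulled from
    collected_at: datetime  # collection timestamp (UTC)
    passed: bool            # outcome of the check the artifact documents

@dataclass
class Control:
    control_id: str
    description: str
    mappings: dict               # framework -> that framework's control ID
    owner: str                   # responsible party
    max_evidence_age_days: int   # machine-readable effectiveness criteria
    min_pass_rate: float
    evidence: list = field(default_factory=list)
    def validate(self):
        """Enforce attribute types, ID formats and criteria ranges; raise on violation."""
        if not isinstance(self.control_id, str) or not re.fullmatch(r"[A-Z]+-\d{3}", self.control_id):
            raise ValueError(f"bad control_id {self.control_id!r}")
        for fw, fw_id in self.mappings.items():
            if fw not in ID_PATTERNS or not re.fullmatch(ID_PATTERNS[fw], str(fw_id)):
                raise ValueError(f"bad mapping {fw}={fw_id!r}")
        if not (0.0 <= self.min_pass_rate <= 1.0) or self.max_evidence_age_days <= 0:
            raise ValueError("effectiveness criteria out of range")
        return True

    def assess(self, now):
        """'stale' if no evidence inside the window, else pass rate vs. threshold."""
        cutoff = now - timedelta(days=self.max_evidence_age_days)
        fresh = [e for e in self.evidence if e.collected_at >= cutoff]
        if not fresh:
            return "stale"
        rate = sum(e.passed for e in fresh) / len(fresh)
        return "effective" if rate >= self.min_pass_rate else "ineffective"

def coverage_gaps(controls, required):
    """Frameworks in `required` that no control in the catalog maps to."""
    return sorted(set(required) - {fw for c in controls for fw in c.mappings})

# Constructed sample: the page's 'encryption at rest' mapping, one fresh passing artifact.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ENC_AT_REST = Control("ENC-001", "Encryption at rest", {"SOC2": "CC6.1", "ISO27001": "A.10.1",
                      "HIPAA": "§164.312"}, "security-eng", 30, 0.95,
                      [Evidence("kms-config-scan", NOW - timedelta(days=3), True)])
```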
Deploy continuous compliance documentation that auto-updates control records from operational telemetry — configuration changes, policy enforcement logs, and access patterns feed directly into control evidence without manual collection.
Compliance control records are self-documenting — operational telemetry from configuration management, policy enforcement engines, and security monitoring automatically populates control evidence, updates implementation status, and recalculates effectiveness scores. The compliance control catalog maintains itself in real time as the security posture evolves.
Can autonomously maintain the complete compliance control catalog with real-time evidence, cross-framework mapping, and continuous effectiveness assessment — producing audit-ready documentation at any moment.
Ceiling of the CMC framework for this dimension.
Capabilities That Depend on Compliance Control
Other Objects in Security & Compliance
Related business objects in the same function area.
Security Vulnerability (Entity)
A discovered security weakness — CVE, severity, affected systems, and remediation status.
Security Event (Entity)
A logged security occurrence — type, source, target, and risk level that enables threat detection.
Access Policy (Rule)
A permission configuration — roles, resources, conditions, and enforcement that controls access.
User Identity (Entity)
An authenticated user record — credentials, roles, last access, and risk indicators.