AI Compliance Reports

Generate compliance reports against SOC 2, ISO 27001, HIPAA, PCI DSS, and NIST frameworks from your knowledge graph.

Overview

AI compliance reports automate the generation of compliance documentation by mapping your knowledge graph data to regulatory framework controls. The system uses LLMs to analyze resource configurations, relationships, and change history, then produces auditor-ready compliance evidence packages.

Supported frameworks

Framework       Version   Controls mapped
SOC 2           2024      All TSC categories (Security, Availability, etc.)
ISO 27001       2022      Annex A controls relevant to infrastructure
HIPAA           2024      Security Rule (administrative, physical, technical)
PCI DSS         4.0       Requirements 1-12, focusing on network security and access control
NIST CSF        2.0       Govern, Identify, Protect, Detect, Respond, Recover
CIS Benchmarks  Latest    Cloud provider benchmark controls
Custom framework support

Custom compliance frameworks can be defined via YAML control mappings. This enables support for industry-specific regulations (FedRAMP, GDPR, SOC 3, etc.).

Report generation

The report generation pipeline works in three stages:

  1. Evidence collection -- gather relevant resource data, configurations, and change history from the graph
  2. Control mapping -- map evidence to specific framework controls using predefined rules
  3. LLM analysis -- analyze each control for compliance status, generate findings, and suggest remediation

Reports include an executive summary, detailed control-by-control findings, and a compliance score. They can be exported as PDF, HTML, or integrated with GRC platforms via API.

Evidence mapping

# Custom control mapping example
compliance:
  frameworks:
    gdpr:
      article_32:
        description: "Security of processing"
        evidence:
          - resource_type: aws_kms_key
            checks:
              - key.enabled == true
          - resource_type: aws_s3_bucket
            checks:
              - bucket.encryption != null
              - bucket.block_public_access == true
          - resource_type: aws_cloudtrail_trail
            checks:
              - trail.is_logging == true
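The following is an added, self-contained illustration of the control-mapping stage (stage 2 of the pipeline above) applied to the custom mapping example: it parses checks written in the `<alias>.<attribute> == literal` form shown above, evaluates them against an inventory of graph resources, and turns the results into per-control findings and a compliance score. It is example code written for this page, not the product's own implementation; the check grammar, the inventory shape, the finding fields and the sample resources are all assumptions constructed here.

```python
"""Added example: evaluating YAML-style evidence checks against resources.

Illustrative code for this page, not the product's own implementation.
Assumes checks of the form `<alias>.<attribute.path> <op> <literal>`,
where <op> is == or != and the literal is true, false, null, an integer
or a quoted string (an assumption; the real grammar may differ).
"""
import operator
import re
from typing import Any

CHECK_RE = re.compile(r"^\s*\w+\.([\w.]+)\s*(==|!=)\s*(.+?)\s*$")
OPS = {"==": operator.eq, "!=": operator.ne}


def parse_literal(text: str) -> Any:
    """Convert the right-hand side of a check into a Python value."""
    keywords = {"true": True, "false": False, "null": None}
    if text.lower() in keywords:
        return keywords[text.lower()]
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "\"'":
        return text[1:-1]
    return int(text) if re.fullmatch(r"-?\d+", text) else text


def lookup(resource: dict, path: str) -> Any:
    """Walk a dotted attribute path; a missing attribute evaluates to null."""
    node: Any = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def evaluate_check(check: str, resource: dict) -> bool:
    """Evaluate one check string against one resource's attributes."""
    m = CHECK_RE.match(check)
    if m is None:
        raise ValueError(f"unparseable check: {check!r}")
    path, op, literal = m.groups()
    return OPS[op](lookup(resource, path), parse_literal(literal))


def evaluate_control(control: dict, inventory: dict) -> dict:
    """Map inventory evidence to one control and produce findings.

    inventory maps resource_type -> list of attribute dicts. The control
    passes only if every check holds on every matching resource. A resource
    type with no instances yields a 'no_evidence' finding, which also fails
    the control: absent evidence is a finding, not a pass.
    """
    findings = []
    for item in control["evidence"]:
        rtype = item["resource_type"]
        resources = inventory.get(rtype, [])
        if not resources:
            findings.append({"resource_type": rtype, "id": None,
                             "check": None, "result": "no_evidence"})
            continue
        for res in resources:
            for check in item["checks"]:
                result = "pass" if evaluate_check(check, res) else "fail"
                findings.append({"resource_type": rtype, "id": res.get("id"),
                                 "check": check, "result": result})
    status = "pass" if all(f["result"] == "pass" for f in findings) else "fail"
    return {"status": status, "findings": findings}


def compliance_score(results: list) -> float:
    """Percentage of evaluated checks that passed, rounded to one decimal."""
    all_findings = [f for r in results for f in r["findings"]]
    if not all_findings:
        return 0.0
    passed = sum(1 for f in all_findings if f["result"] == "pass")
    return round(100.0 * passed / len(all_findings), 1)


# Control definition mirroring the GDPR Article 32 mapping above.
ARTICLE_32 = {
    "description": "Security of processing",
    "evidence": [
        {"resource_type": "aws_kms_key", "checks": ["key.enabled == true"]},
        {"resource_type": "aws_s3_bucket",
         "checks": ["bucket.encryption != null",
                    "bucket.block_public_access == true"]},
        {"resource_type": "aws_cloudtrail_trail",
         "checks": ["trail.is_logging == true"]},
    ],
}

# Constructed sample inventory (not real account data): one bucket is
# encrypted but still allows public access, so the control should fail.
SAMPLE_INVENTORY = {
    "aws_kms_key": [{"id": "key-1", "enabled": True}],
    "aws_s3_bucket": [
        {"id": "logs-bucket", "encryption": {"algorithm": "aws:kms"},
         "block_public_access": True},
        {"id": "assets-bucket", "encryption": {"algorithm": "AES256"},
         "block_public_access": False},
    ],
    "aws_cloudtrail_trail": [{"id": "org-trail", "is_logging": True}],
}

if __name__ == "__main__":
    report = evaluate_control(ARTICLE_32, SAMPLE_INVENTORY)
    print("status:", report["status"])
    for f in report["findings"]:
        if f["result"] != "pass":
            print("finding:", f)
    print("score:", compliance_score([report]))
```

Two design points matter for auditor-ready output: a missing attribute is treated as null rather than raising, so `bucket.encryption != null` fails cleanly on a bucket with no encryption block, and a control with no matching resources produces an explicit `no_evidence` finding instead of silently passing. The score is a ratio of passed checks, so one public bucket among several compliant ones still shows up as a non-zero gap.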

Scheduling

Reports can be generated on demand or on a recurring schedule:

  • Monthly -- standard compliance reporting cadence
  • Quarterly -- comprehensive reports with trend analysis
  • On change -- triggered when critical resources are modified
  • On demand -- manual generation for auditor requests

# config.yaml
ai:
  compliance_reports:
    enabled: true
    frameworks:
      - soc2
      - iso_27001
      - hipaa
    schedule:
      - type: monthly
        day: 1
      - type: quarterly
        month: [3, 6, 9, 12]
    export:
      formats: [pdf, json]
      auto_email: compliance@acme.com