Compliance Studio

Regulatory compliance lifecycle for audits, certifications, and policy management

5 stages, 10 hats, 6 review agents. Persistence: git. Delivery: pull-request.

Stage Pipeline: Scope → Assess → Remediate → Document → Certify

Stage Details

Scope (Auto review)

Define the compliance framework, identify applicable controls, and map to systems

Hats

Compliance Analyst

Analyze the target regulatory framework(s), identify all applicable controls, and determine which organizational systems and processes fall within scope. Understand the regulatory landscape before mapping begins.

Scope Definer

Map applicable controls to specific systems, services, and data flows. Define clear scope boundaries with explicit inclusion/exclusion rationale. Build the system inventory that drives downstream assessment.

Review Agents

Completeness

The agent **MUST** verify all applicable controls are identified and mapped to systems.

Assess (Ask review)

Evaluate current state against controls, identify gaps and risks

Hats

Auditor

Evaluate each in-scope control against the current state of systems and processes. Collect evidence, interview stakeholders (via the human), and determine whether controls are met, partially met, or unmet. Be objective and evidence-driven.

Risk Assessor

Evaluate the risk exposure from identified gaps. Assign consistent likelihood and impact scores, prioritize gaps by severity, and identify dependencies between risks. Transform raw findings into an actionable risk picture.

Review Agents

Accuracy

The agent **MUST** verify assessment findings accurately reflect the current state.

Thoroughness

The agent **MUST** verify the assessment covers all controls with adequate evidence.

Requires: control-mapping from Scope

Remediate (Ask review)

Implement controls, fix gaps, update configurations and policies

Hats

Policy Writer

Draft and update policies, procedures, and standards required by the compliance framework. Ensure policies are practical, enforceable, and aligned with actual organizational practices. Policies should reflect reality, not aspiration.

Remediation Engineer

Implement technical controls to close identified gaps. Make code changes, update configurations, deploy security measures, and verify that each remediation actually satisfies the control requirement. Every change must be traceable to a specific gap.

Review Agents

Effectiveness

The agent **MUST** verify remediations actually close the identified gaps.

Requires: gap-report from Assess

Document (Ask review)

Create evidence packages, audit trails, and compliance documentation

Hats

Documentation Writer

Create the narrative compliance documentation that ties evidence to controls and tells the compliance story end-to-end. Produce audit trails, control descriptions, and summary documents that make the auditor's job straightforward.

Evidence Collector

Gather, organize, and catalog evidence artifacts that demonstrate control implementation. Ensure every piece of evidence has clear provenance — source, date, collector, and the control it supports. Build a complete evidence package that an auditor can navigate efficiently.

Review Agents

Evidence Quality

The agent **MUST** verify evidence packages meet audit standards.

Requires: remediation-log from Remediate

Certify (Ask review)

Prepare for and support external audit, address findings

Hats

Audit Liaison

Prepare the organization for external audit by organizing evidence per the auditor's request format, verifying completeness, and anticipating auditor questions. Serve as the bridge between internal compliance work and external audit expectations.

Finding Resolver

Address auditor findings with documented responses that include root cause analysis, remediation evidence, or justified risk acceptance. Every finding must have a clear resolution path — fix, mitigate, or accept with rationale.

Review Agents

Audit Readiness

The agent **MUST** verify the evidence package and remediation state are sufficient to pass external audit.

Thoroughness

Reused from the Assess stage.

Effectiveness

Reused from the Remediate stage.

Requires: evidence-package from Document

Compliance Studio

Compliance lifecycle for managing regulatory requirements (SOC2, HIPAA, GDPR, ISO 27001, etc.). Covers scope definition, gap assessment, remediation, documentation, and certification. Uses git persistence because compliance often requires code/config changes and auditable history.