Scope
Auto review
Define the compliance framework, identify applicable controls, and map them to systems.
Hat Sequence
Compliance Analyst
Focus: Analyze the target regulatory framework(s), identify all applicable controls, and determine which organizational systems and processes fall within scope. Understand the regulatory landscape before mapping begins.
Produces: Framework analysis with applicable controls identified, regulatory obligations cataloged, and initial scope recommendations.
Reads: Intent problem statement, target framework documentation, organizational context.
Anti-patterns (RFC 2119):
- The agent MUST NOT assume all controls apply without evaluating applicability
- The agent MUST NOT ignore overlapping requirements across multiple frameworks
- The agent MUST document the rationale for scope inclusion/exclusion decisions
- The agent MUST NOT treat compliance as a checkbox exercise rather than understanding the control's intent
- The agent MUST NOT skip the regulatory context that explains why a control exists
Scope Definer
Focus: Map applicable controls to specific systems, services, and data flows. Define clear scope boundaries with explicit inclusion/exclusion rationale. Build the system inventory that drives downstream assessment.
Produces: Control-to-system mapping, system inventory with data classifications, and scope boundary document.
Reads: Compliance analyst's framework analysis, organizational architecture documentation.
Anti-patterns (RFC 2119):
- The agent MUST NOT define scope too broadly, making assessment unmanageable
- The agent MUST NOT define scope too narrowly, leaving critical systems unaddressed
- The agent MUST classify data handled by each in-scope system
- The agent MUST NOT omit third-party services and integrations from the inventory
- The agent MUST NOT leave scope boundaries ambiguous or undocumented
Review Agents
Completeness
Mandate: The agent MUST verify all applicable controls are identified and mapped to systems.
Check:
- The agent MUST verify that the compliance framework is correctly identified and versioned
- The agent MUST verify that all in-scope systems, data stores, and processes are inventoried
- The agent MUST verify that no applicable controls are missing from the mapping
- The agent MUST verify that out-of-scope items have documented justification for exclusion
Criteria Guidance
Good criteria examples:
- "Control mapping identifies all applicable controls from the target framework with justification for any exclusions"
- "System inventory lists every in-scope service, data store, and integration with its data classification"
- "Scope boundary document clearly defines what is in-scope and out-of-scope with rationale for each decision"
Bad criteria examples:
- "Scope is defined"
- "Controls are mapped"
- "Systems are inventoried"
Completion Signal (RFC 2119)
Control mapping MUST exist linking framework requirements to specific systems and owners. System inventory MUST be complete with data classification for each asset. Scope boundaries MUST be documented with explicit inclusion/exclusion rationale. All applicable regulatory obligations MUST be identified and prioritized.
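An added example, not part of this workflow definition: a checker that mechanizes the Completeness review's checks and this completion signal over constructed scope artifacts. The artifact schema (a System record, a control-id-to-system-name mapping) and the sample control ids and system names are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class System:
    """One asset from the system inventory (constructed schema, not the page's)."""
    name: str
    in_scope: bool
    owner: str = ""
    data_classification: str = ""
    exclusion_rationale: str = ""


def check_scope_completeness(applicable_controls: set[str], control_mapping: dict[str, list[str]], inventory: list[System]) -> list[str]:
    """Return findings against the completion signal; an empty list means it is met."""
    findings = []
    by_name = {s.name: s for s in inventory}
    # Every applicable control must map to at least one inventoried, in-scope system.
    for control in sorted(applicable_controls):
        targets = control_mapping.get(control, [])
        if not targets:
            findings.append(f"{control}: applicable control not mapped to any system")
        for name in targets:
            system = by_name.get(name)
            if system is None:
                findings.append(f"{control}: mapped to uninventoried system '{name}'")
            elif not system.in_scope:
                findings.append(f"{control}: mapped to out-of-scope system '{name}'")
    # A mapping for a control never judged applicable is undocumented scope drift.
    for control in sorted(set(control_mapping) - set(applicable_controls)):
        findings.append(f"{control}: mapped but not in the applicable-control list")
    # In-scope assets need an owner and a data classification; exclusions need a rationale.
    for system in inventory:
        if system.in_scope:
            if not system.owner:
                findings.append(f"{system.name}: in-scope system has no owner")
            if not system.data_classification:
                findings.append(f"{system.name}: in-scope system has no data classification")
        elif not system.exclusion_rationale:
            findings.append(f"{system.name}: excluded without documented rationale")
    return findings


# Constructed sample artifacts; control ids and system names are illustrative placeholders.
SAMPLE_CONTROLS = {"AC-2", "AC-6", "SC-8"}
SAMPLE_MAPPING = {"AC-2": ["idp"], "SC-8": ["api-gateway", "billing-db"], "SC-28": ["billing-db"]}
SAMPLE_INVENTORY = [
    System("idp", True, owner="identity-team", data_classification="internal"),
    System("api-gateway", True, owner="platform-team", data_classification="confidential"),
    System("billing-db", True, owner="", data_classification="confidential"),  # no owner recorded
    System("marketing-site", False),  # excluded, but no rationale documented
]
```

Running `check_scope_completeness(SAMPLE_CONTROLS, SAMPLE_MAPPING, SAMPLE_INVENTORY)` returns four findings: an unmapped applicable control, a mapped control outside the applicable list, an in-scope system without an owner, and an exclusion without rationale.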