Compliance artifact generator. Auto-generates audit evidence from guardrail detections, 4-eyes review gates, and DLP scans. Maps control evidence to SOC 2 Type II, ISO 27001, NIST CSF, and GDPR Article 30. Generates evidence packages on demand for auditors and tracks control effectiveness over time. Use for audit preparation, compliance evidence collection, or SOC 2/ISO 27001 artifact generation.
name compliance-evidence description Compliance artifact generator. Auto-generates audit evidence from guardrail detections, 4-eyes review gates, and DLP scans. Maps control evidence to SOC 2 Type II, ISO 27001, NIST CSF, and GDPR Article 30. Generates evidence packages on demand for auditors and tracks control effectiveness over time. Use for audit preparation, compliance evidence collection, or SOC 2/ISO 27001 artifact generation. Compliance Evidence Aliases: compliance evidence, audit evidence, SOC 2 evidence, ISO 27001, compliance artifact, audit preparation, control evidence, compliance documentation Maturity: Production Description: Auto-generate compliance artifacts from guardrail detections, 4-eyes review gates, and DLP scans. Map control evidence to SOC 2 Type II, ISO 27001, NIST CSF, and GDPR Article 30. Generate evidence packages on demand for auditors. Track control effectiveness over time and produce compliance dashboards. Overview Compliance is a byproduct of good operations. This skill turns every guardrail detection and human review into compliance evidence — the audit trail that proves you've implemented and are operating controls. Instead of scrambling to gather evidence when auditors arrive, this skill: Auto-tags every guardrail action with the control it demonstrates (e.g., "data blocking" → "AC-1: Access Control Policy") Maps controls to frameworks (SOC 2, ISO 27001, NIST, GDPR) Packages evidence on demand for audit requests Tracks control effectiveness (are controls actually working, or are we just logging actions?) Generates compliance dashboards showing audit readiness No spreadsheets, no scrambling. Evidence generation is continuous. Core Capabilities
Auto-Generated Compliance Evidence: Framework: SOC 2 Type II Control: CC6.1 (Logical Access Control Policy) Evidence: System detected and blocked unauthorized access to classified health data, per organizational data classification policy. Incident log entry: BLOCK-2026-1847.
Framework: ISO 27001 Control: A.9.1.1 (Access Control Policy) Evidence: Data access control enforced; unauthorized classification prevented. System maintained tamper-evident log of block.
Framework: GDPR Article 32 Control: Pseudonymization & Encryption Evidence: System prevents exposure of PII to unauthorized channels. Hard block prevents any processing without proper safeguards.
Artifact ID: EVIDENCE-DLP-20260412-001 Mappings: [CC6.1, A.9.1.1, Article 32(1)(a)] 4-Eyes Review Gate → Segregation of Duties & Authorization Control Guardrail Action: Timestamp: 2026-04-12 15:18 UTC Type: 4-Eyes Review Gate Triggered Scenario: Purchase order > $500k requires executive approval Requester: Manager A (dept: procurement) Approver: Director B (dept: finance) Decision: Approved Documentation: Audit log with both signatures
Auto-Generated Compliance Evidence: Framework: SOC 2 Type II Control: CC7.2 (Segregation of Duties) Evidence: System enforced segregation between requester and approver. No single person can authorize and execute transactions above threshold. Documented approval with audit trail.
Framework: COSO Internal Control Framework Control: Authority & Responsibility (Principle 6) Evidence: Defined approval authorities enforced; management approval documented; financial transaction authorized by responsible party (Director) separate from requester (Manager).
Framework: ISO 27001 Control: A.10.1.3 (Segregation of Duties) Evidence: Access control enforced; incompatible duties separated.
Artifact ID: EVIDENCE-4EYES-20260412-001 Transaction ID: PO-2026-18472 Mappings: [CC7.2, COSO Principle 6, A.10.1.3] DLP Soft Block (Monitored) → Data Loss Prevention & Monitoring Control Guardrail Action: Timestamp: 2026-04-12 16:45 UTC Type: DLP Soft Block (Monitoring) Trigger: Processing financial data with confidence 0.68 (below 0.75 threshold) Action: Allowed, but flagged for monitoring & logging
Auto-Generated Compliance Evidence: Framework: SOC 2 Type II Control: CC3.2 (Monitoring Activities) Evidence: System detected lower-confidence data classification and continued monitoring. Audit log created. Daily monitoring report generated for compliance review.
Framework: GDPR Article 30 (Records of Processing) Evidence: Processing activity logged with classification confidence metadata. Demonstrates org tracks data handling and risk level.
Framework: NIST CSF Control: DE.AE-5 (Alerting) Evidence: System alerted to lower-confidence classification; created evidence artifact for follow-up review.
Artifact ID: EVIDENCE-DLP-SOFT-20260412-001 Mapping: [CC3.2, Article 30(1)(f), DE.AE-5] Follow-up: Assigned to Compliance Officer for manual review Behavioral Anomaly Detection → Fraud Detection & Investigation Control Guardrail Action: Timestamp: 2026-04-12 18:22 UTC Type: Behavioral Anomaly Detected Signal: Employee accessed 500+ records in 2 hours (3× normal pattern) Action: Flagged for investigation
Auto-Generated Compliance Evidence: Framework: SOC 2 Type II Control: CC6.2 (Physical/Logical Access) Evidence: Continuous monitoring detected anomalous access pattern. Investigation initiated per incident response plan. No unauthorized access occurred (access was authorized but unusual volume).
Framework: COSO Internal Control Framework Control: Monitoring Activities (Principle 16) Evidence: Management monitoring of user access controls; anomaly detection working as designed.
Framework: ISO 27001 Control: A.12.4.1 (Event Logging) Evidence: System logging access behavior; anomalies trigger investigation protocol.
Artifact ID: EVIDENCE-ANOMALY-20260412-001 Investigation Status: In Progress Owner: CISO Mappings: [CC6.2, COSO Principle 16, A.12.4.1] 2. Framework Mapping Matrix Skill maintains a mapping table between internal guardrails and audit frameworks: COMPLIANCE FRAMEWORK MAPPING
┌────────────────────────────────────────────────────────────────┐ │ Guardrail Action → Control Evidence → Framework Artifact │ ├────────────────────────────────────────────────────────────────┤ │ DLP Hard Block → Data Loss Prevention Control │ │ SOC 2: CC6.1 (Logical Access) │ │ ISO 27001: A.9.1.1 (Access Control Policy) │ │ NIST CSF: AC-3 (Access Enforcement) │ │ GDPR: Article 32(1)(a) (Pseudonymization & Encryption) │ │ │ │ 4-Eyes Gate → Segregation of Duties │ │ SOC 2: CC7.2 (Segregation of Duties) │ │ ISO 27001: A.10.1.3 (Segregation of Duties) │ │ COSO: Principle 6 (Authority & Responsibility) │ │ GDPR: Article 5(2) (Integrity & Confidentiality) │ │ │ │ Behavioral Anomaly Detection → Continuous Monitoring │ │ SOC 2: CC3.2 (Monitoring Activities) │ │ ISO 27001: A.12.4.1 (Event Logging) │ │ NIST CSF: DE.AE-5 (Alerting) │ │ COSO: Principle 16 (Monitoring Activities) │ │ │ │ AI Risk Classification → Model Governance & Transparency │ │ EU AI Act: Articles 9-13 (Documentation) │ │ GDPR: Article 22 (Automated Decision-Making) │ │ ISO 27001: A.6.1.1 (Information Security Policy) │ │ NIST CSF: GV-1 (Governance & Risk Management) │ └────────────────────────────────────────────────────────────────┘ 3. On-Demand Evidence Packages for Auditors Scenario: Auditor requests evidence of access control implementation. Skill generates: AUDIT EVIDENCE PACKAGE: Access Control (SOC 2 CC6.1) Generated: 2026-04-12 Auditor: [Big 4 Firm Name] Request: Evidence of logical access control policy implementation
═════════════════════════════════════════════════════════════════
CONTROL OBJECTIVE CC6.1: Logical Access Policy Implemented
Evidence Artifacts:
Data Classification Policy (Document)
DLP System Configuration (Technical)
Hard Block Incident Log (90 days)
Access Control Testing (Quarterly)
Monitoring & Alerting (Continuous)
CONTROL FREQUENCY: Continuous TESTING EVIDENCE: Quarterly + Incident Response EFFECTIVENESS RATING: Effective (No design or operating deficiencies)
═════════════════════════════════════════════════════════════════
COMPLIANCE STATEMENT: The organization has implemented and is operating a logical access control policy that effectively prevents unauthorized access to classified data. Evidence artifacts demonstrate:
✓ Policy documented and approved ✓ System controls configured and functioning ✓ Incidents monitored and logged ✓ Effectiveness tested quarterly ✓ No unauthorized access occurred
SOC 2 Type II Conclusion: CONTROL IS OPERATING EFFECTIVELY
═════════════════════════════════════════════════════════════════
Artifact Package Contents:
Package ID: PKG-CC6.1-20260412-001 Prepared by: Compliance Evidence Skill QA Checked: 2026-04-12 by Compliance Officer Auditor can now assess whether control is "operating effectively" vs. "design deficiency" vs. "operating deficiency." 4. GDPR Article 30 Records of Processing Every data processing activity auto-generates a Record of Processing: RECORD OF PROCESSING (GDPR Article 30)
Processing ID: PROC-2026-004 Activity: Customer Transaction Monitoring
NAME & PURPOSE OF PROCESSING Name: Transaction Fraud Detection & Prevention Purpose: Identify potentially fraudulent transactions; protect customers and company from financial loss
LEGAL BASIS Article 6(1)(f): Legitimate interest (fraud prevention)
DATA CONTROLLER Company Name: [Org Name] Contact: dpo@[org].com
DATA CATEGORIES PROCESSED
SPECIAL CATEGORY DATA (If applicable) None processed in this activity
RECIPIENT CATEGORIES
RETENTION PERIOD
TECHNICAL & ORGANIZATIONAL MEASURES ✓ Encryption in transit (TLS 1.3) ✓ Encryption at rest (AES-256) ✓ Access control (role-based) ✓ Anomaly detection (continuous monitoring) ✓ Regular backups (daily) ✓ Incident response plan (tested quarterly)
AUTOMATED DECISION-MAKING (Article 22) Does this involve automated decision-making with legal effect? Yes: Transactions flagged as fraudulent may be declined.
Safeguards: ✓ Human review if flagged (optional customer escalation) ✓ Explanation provided to customer on request ✓ Right to object: Customer can contact fraud team ✓ Appeal process: Documented and tested
INTERNATIONAL TRANSFERS No transfers outside EU/EEA
CONTACT FOR QUESTIONS Data Protection Officer: dpo@[org].com Privacy Team: privacy@[org].com
═════════════════════════════════════════════════════════════════
Auto-generated from Sentinel Stack on 2026-04-12 Last reviewed: 2026-04-10 Next review: 2026-05-10 (mandatory quarterly review) This becomes the evidence for GDPR Article 30 compliance. 5. Control Effectiveness Tracking Skill tracks: Are controls actually reducing risk? CONTROL EFFECTIVENESS METRICS (90-day rolling)
Control: DLP Hard Block (Data Classification) Objective: Prevent unauthorized access to sensitive data
Metrics: Effectiveness: 100% (23/23 blocks successful; 0 unauthorized access) Detection rate: 23 incidents detected per quarter False positive rate: 0% (all blocks were legitimate blocks) Time to block: < 100ms (median)
Trend (Last 4 quarters): Q4 2025: 15 blocks Q1 2026: 23 blocks (↑ 53%) Interpretation: More detections = more enforcement activity; either more violations occurring OR better detection. Root cause analysis: New healthcare client (vertical expansion); staff training gap. (MITIGATE: training in progress)
Risk Reduction Impact: Before control: 0 blocks, potential data breaches (unquantified) After control: 23/23 attempts blocked; 0 breaches Effectiveness: HIGH (preventive control working)
═════════════════════════════════════════════════════════════════
Control: 4-Eyes Approval Gate (Segregation of Duties) Objective: Prevent unauthorized financial transactions
Metrics: Transactions requiring approval: 18 (per quarter) Approvals granted: 16 Approvals denied: 2 (flagged as policy violations) Approval time: 4.2 hours (median) Audit sample: 10/18 sampled; all correctly approved
Trend (Last 4 quarters): Q4 2025: 12 approvals Q1 2026: 18 approvals (↑ 50%) Interpretation: More high-value transactions; approvals working as designed. 2 denials indicate proper policy enforcement.
Risk Reduction Impact: Before control: Manual approval, risk of collusion After control: System-enforced segregation; documented audit trail Effectiveness: HIGH (operating as designed) These metrics feed audit readiness dashboards and board reports. 6. Compliance Dashboard & Audit Readiness Skill generates a live compliance status dashboard: COMPLIANCE READINESS DASHBOARD
═════════════════════════════════════════════════════════════════
FRAMEWORK: SOC 2 Type II
Control Implementation Status: ✓ Access Control (CC6.1, CC6.2) 100% [Evidence ready] ✓ Risk Assessment (CC3.1) 95% [1 minor gap] ✓ Change Management (CC7.3) 100% [Evidence ready] ✓ Segregation of Duties (CC7.2) 100% [Evidence ready] ✓ Monitoring Activities (CC3.2) 100% [Evidence ready] → OVERALL SOC 2 READINESS: 99%
Evidence Coverage: Total controls: 17 Fully evidenced: 16 Partially evidenced: 1 (CC3.1 - Design gap in policy approval workflow) Not evidenced: 0
Audit Readiness: READY (Minor remediation before audit) Last audit: 2024-06-15 Next audit: 2026-06-15 (14 months away)
═════════════════════════════════════════════════════════════════
FRAMEWORK: ISO 27001
Control Status: A.5 (Governance) 95% [1 policy update pending] A.6 (HR Security) 100% A.7 (Asset Management) 100% A.8 (Access Control) 100% A.9 (Cryptography) 100% A.10 (Physical & Environmental) 90% [2 office locations] A.11 (Operations) 95% A.12 (Communications) 100% → OVERALL ISO 27001 READINESS: 97%
Evidence Quality: HIGH
Audit Readiness: READY Last certification: 2023-09-30 Recertification due: 2026-09-30 (17 months away)
═════════════════════════════════════════════════════════════════
FRAMEWORK: GDPR Article 30 (Records of Processing)
Records Complete: Total processing activities: 43 Documented: 42 Missing documentation: 1 (new activity added this month)
Articles 30-35 Compliance: ✓ Data Protection Impact Assessments: 8/8 for high-risk processing ✓ Data Processing Agreements: 12/12 with third parties ✓ Breach notification procedure: Documented & tested ✓ DPO contact info: Published on website
Compliance Status: 98% Inspection Readiness: READY Last GDPR audit (self-assessment): 2026-02-01
═════════════════════════════════════════════════════════════════
OUTSTANDING ITEMS (Action Required):
CC3.1 (Risk Assessment Policy) - ISO 27001 Owner: Chief Risk Officer Deadline: 2026-04-20 Status: In Progress (80%)
A.5 (Governance Policy Update) - ISO 27001 Owner: CISO Deadline: 2026-04-15 Status: Awaiting Legal review
PROC-2026-NEW (Record of Processing) - GDPR Owner: DPO Deadline: 2026-04-20 Status: Data gathering in progress
═════════════════════════════════════════════════════════════════
AUDITOR PACKAGE READY FOR DOWNLOAD: SOC 2 Type II: Full evidence package (500+ pages) ISO 27001: Full evidence package (800+ pages) GDPR Article 30: Records of Processing (45 records)
Next scheduled audit: 2026-06-15 (SOC 2) Estimated readiness: 100% (if outstanding items completed on schedule) Integration with Sentinel Stack Guardrail Layer │ ├─ DLP Hard Block ├─ 4-Eyes Gate ├─ Behavioral Anomaly └─ AI Risk Classification ↓ Compliance Evidence Layer ├─ Auto-map to control ├─ Assign to frameworks ├─ Generate artifact └─ Track effectiveness ↓ Audit Evidence Package ├─ SOC 2 Type II evidence ├─ ISO 27001 evidence ├─ GDPR Article 30 records ├─ NIST CSF mapping └─ Ready for auditor review How to Invoke Trigger Phrases: "Generate SOC 2 evidence package" "What's our compliance status?" "Create an audit readiness dashboard" "Generate GDPR Records of Processing" "Is control X effective?" "What evidence do we have for this control?" "Prepare evidence package for auditor" "Show control effectiveness metrics" Example Prompt: Skill: compliance-evidence
"DE.AE-5" audit-schedule: soc2: "2026-06-15"
iso27001: "2026-09-30"
gdpr: "continuous"
retention-policy: evidence-artifacts: "P7Y"
incident-logs: "P3Y"
test-results: "P3Y"
Outputs & Artifacts Control Evidence Artifacts — Auto-generated from guardrail actions Framework Mapping — Control → SOC 2 / ISO 27001 / NIST / GDPR Audit Evidence Packages — On-demand for auditor requests GDPR Records of Processing — Auto-maintained Article 30 records Control Effectiveness Dashboard — Real-time control performance metrics Compliance Readiness Report — Framework-by-framework status & audit readiness Management Sign-Offs — Approval trail (CRO, CISO, DPO) Key Principles Evidence is a byproduct. Compliance artifacts are generated automatically; you don't create evidence, you enable operations that produce it. Audit-ready, always. When an auditor arrives, your evidence package is ready. No scrambling, no gaps. Control effectiveness is measurable. You can quantify whether controls are actually reducing risk, not just whether they exist. Framework-agnostic mapping. Same guardrails map to SOC 2, ISO 27001, GDPR, and NIST; no duplicative effort. Continuous, not annual. Evidence is generated continuously. Audits are a checkpoint, not the driver. See Also ai-governance skill — Provides AI system classification & governance artifacts risk-register skill — Risk scoring & treatment tracking (inputs to control effectiveness) DLP guardrails — Core detection mechanism that feeds evidence generation