Compliance Ops
Automated compliance auditing against SOC 2, GDPR, HIPAA, ISO 27001, and PCI-DSS v4.0 across AWS and Azure.
Supported frameworks
| Framework | Coverage | Output |
|---|---|---|
| SOC 2 | Trust Service Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy) | Compliance gap report, per-control finding |
| GDPR | Data protection controls — encryption, access logging, data residency, retention | Compliance gap report, per-control finding |
| HIPAA | Security Rule — technical safeguards (access, audit controls, integrity, transmission security) | Compliance gap report, per-control finding |
| ISO 27001 | Annex A controls — information security, access control, cryptography, operations security | Compliance gap report, per-control finding |
| PCI-DSS v4.0 | Requirements 1–12 scoped to AWS infrastructure | Compliance gap report, per-control finding |
Example prompts
Run a SOC 2 audit on my AWS production account
What are my GDPR gaps in the Azure Corp subscription?
Check my HIPAA compliance posture for the payments environment
Which ISO 27001 Annex A controls am I failing?
Give me a PCI-DSS readiness report for account 123456789012
How compliance audits work
Each framework is a registered agent in the ADK, with skill IDs per control set. For example, the compliance audit agents register the following skills:
- compliance.soc2_audit → runs all SOC 2 TSC controls
- compliance.gdpr_audit → runs GDPR data protection controls
- compliance.hipaa_audit → runs HIPAA Security Rule technical safeguards
- compliance.iso27001_audit → runs ISO 27001 Annex A controls
- compliance.pci_dss_audit → runs PCI-DSS v4.0 requirements
Each skill:
- Reads the relevant estate data (IAM policies, encryption config, logging status, network config)
- Maps findings to specific control identifiers (e.g. SOC2-CC6.1, HIPAA-164.312(a)(1))
- Produces a compliance_report with pass/fail per control and evidence references
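The three steps above, worked through as an added illustration (hypothetical code written for this page, not Escher's own implementation). It reads a constructed IAM credential report and constructed CloudTrail and SCP data, evaluates four of the SOC 2 controls named in the output sample below (CC6.1, CC6.2, CC7.2, CC8.1), and assembles a compliance_report with pass/fail per control and an evidence reference naming the API call the observation came from. The 90-day inactivity threshold, the report field names, and the organizations:ListPolicies evidence call (not in the page's permission list) are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of an IAM credential report
# (iam:GetCredentialReport); only a subset of the real columns is included.
CREDENTIAL_REPORT_CSV = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date
alice,arn:aws:iam::123456789012:user/alice,true,2024-05-01T10:00:00+00:00,true,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2024-04-28T09:30:00+00:00,false,true,2024-04-29T12:00:00+00:00
carol,arn:aws:iam::123456789012:user/carol,true,2023-11-01T08:00:00+00:00,false,false,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,false,no_information,false,true,2023-10-15T00:00:00+00:00
"""

# Constructed per-region view of cloudtrail:DescribeTrails + cloudtrail:GetTrailStatus.
TRAIL_STATUS = {
    "us-east-1": {"Name": "org-trail", "IsLogging": True},
    "eu-west-1": {"Name": "org-trail", "IsLogging": False},
}

# Constructed service control policy (simplified shape, hypothetical).
SCPS = [{
    "Name": "deny-unapproved-regions",
    "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}},
    }],
}]

NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)   # fixed clock so results are reproducible
INACTIVE_AFTER = timedelta(days=90)               # assumed inactivity threshold
NO_DATE = {"N/A", "no_information", "not_supported", ""}


def parse_credential_report(text):
    """Step 1: read estate data. The credential report is CSV with a header row."""
    return list(csv.DictReader(io.StringIO(text)))


def finding(control_id, title, failing, evidence_api):
    """Step 2: map a result to a control identifier, with an evidence reference."""
    return {
        "control_id": control_id,
        "title": title,
        "status": "FAIL" if failing else "PASS",
        "resources": failing,
        "evidence": {"api_call": evidence_api, "observed_at": NOW.isoformat()},
    }


def _last_activity(row):
    """Most recent console or access-key use, or None if the user never used either."""
    stamps = [datetime.fromisoformat(row[c])
              for c in ("password_last_used", "access_key_1_last_used_date")
              if row.get(c, "") not in NO_DATE]
    return max(stamps) if stamps else None


def check_cc6_1(users):
    """CC6.1 logical access: every console (password) user must have MFA."""
    failing = [u["arn"] for u in users
               if u["password_enabled"] == "true" and u["mfa_active"] != "true"]
    return finding("SOC2-CC6.1", "MFA not enforced for console users", failing, "iam:GetCredentialReport")


def check_cc6_2(users, now=NOW):
    """CC6.2 access revocation: users idle for longer than INACTIVE_AFTER should be disabled."""
    failing = []
    for u in users:
        last = _last_activity(u)
        if last is None or now - last > INACTIVE_AFTER:
            failing.append(u["arn"])
    return finding("SOC2-CC6.2", "Inactive IAM users not disabled", failing, "iam:GetCredentialReport")


def check_cc7_2(trail_status):
    """CC7.2 system monitoring: CloudTrail must be logging in every region."""
    failing = sorted(r for r, s in trail_status.items() if not s.get("IsLogging"))
    return finding("SOC2-CC7.2", "CloudTrail not enabled", failing, "cloudtrail:GetTrailStatus")


def check_cc8_1(scps):
    """CC8.1 change management: some SCP must deny actions outside approved regions."""
    restricted = any(
        st.get("Effect") == "Deny"
        and any("aws:RequestedRegion" in keys for keys in st.get("Condition", {}).values())
        for p in scps for st in p.get("Statement", [])
    )
    failing = [] if restricted else ["organizations:root"]
    return finding("SOC2-CC8.1", "No SCPs restricting unapproved regions", failing, "organizations:ListPolicies")


def build_compliance_report(credential_csv, trail_status, scps, account_id):
    """Step 3: assemble the compliance_report with pass/fail counts and per-control findings."""
    users = parse_credential_report(credential_csv)
    findings = [check_cc6_1(users), check_cc6_2(users), check_cc7_2(trail_status), check_cc8_1(scps)]
    return {
        "framework": "SOC 2 Type II TSC",
        "account": account_id,
        "controls_evaluated": len(findings),
        "passed": sum(f["status"] == "PASS" for f in findings),
        "failed": sum(f["status"] == "FAIL" for f in findings),
        "findings": findings,
    }


if __name__ == "__main__":
    report = build_compliance_report(CREDENTIAL_REPORT_CSV, TRAIL_STATUS, SCPS, "123456789012")
    print(f"Controls evaluated: {report['controls_evaluated']}  "
          f"Passed: {report['passed']}  Failed: {report['failed']}")
    for f in report["findings"]:
        if f["status"] == "FAIL":
            print(f"{f['control_id']} - {f['title']} ({len(f['resources'])} resources)")
```

Each finding carries the API call that produced it and a timestamp, which is the minimum an external auditor needs to trace a pass/fail back to an observation; the sample data yields three failures (bob and carol without MFA, carol and svc-deploy inactive, eu-west-1 not logging) and one pass (a region-restricting SCP exists).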
Output structure
```text
Compliance Report: SOC 2 — prod-admin (123456789012)
Framework: SOC 2 Type II TSC
Controls evaluated: 64
Passed: 51
Failed: 9
Not applicable: 4

FAILED CONTROLS:
─────────────────────────────────────────────────
CC6.1 — Logical access — MFA not enforced for 3 IAM users
CC6.2 — Access revocation — 12 inactive IAM users not disabled
CC7.2 — System monitoring — CloudTrail not enabled in eu-west-1
CC8.1 — Change management — No SCPs restricting unapproved regions
...
```
Required permissions
AWS
```json
[
  "iam:GenerateCredentialReport",
  "iam:GetCredentialReport",
  "iam:ListUsers",
  "iam:GetAccountPasswordPolicy",
  "cloudtrail:DescribeTrails",
  "cloudtrail:GetTrailStatus",
  "config:DescribeConfigRules",
  "config:GetComplianceDetailsByConfigRule",
  "kms:ListKeys",
  "kms:DescribeKey",
  "s3:GetEncryptionConfiguration",
  "rds:DescribeDBInstances",
  "logs:DescribeLogGroups"
]
```
Evidence for audit purposes
Each compliance report generates Evidence records suitable for external auditor review:
- Per-control pass/fail status with resource-level detail
- API call logs showing what Escher read
- Timestamps for all observations
- Links to the relevant EstateView snapshot version
Next steps
- IAM — Deep-dive IAM access analysis (feeds CC6 controls)
- Evidence & Reports — How to export compliance evidence
- SecOps — Security findings that contribute to compliance posture