Codex
flow-compliance-validation
Orchestrate compliance validation workflow with requirements mapping, audit evidence collection, gap analysis, remediation tracking, and attestation
104 stars
byjmagly
Best use case
flow-compliance-validation is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
It is a strong fit for teams already working in Codex.
Orchestrate compliance validation workflow with requirements mapping, audit evidence collection, gap analysis, remediation tracking, and attestation
Teams using flow-compliance-validation should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
$curl -o ~/.claude/skills/flow-compliance-validation/SKILL.md --create-dirs "https://raw.githubusercontent.com/jmagly/aiwg/main/.agents/skills/flow-compliance-validation/SKILL.md"
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/flow-compliance-validation/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How flow-compliance-validation Compares
| Feature / Agent | flow-compliance-validation | Standard Approach |
|---|---|---|
| Platform Support | Codex | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Orchestrate compliance validation workflow with requirements mapping, audit evidence collection, gap analysis, remediation tracking, and attestation
Which AI agents support this skill?
This skill is designed for Codex.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agent for Product Research
Browse AI agent skills for product research, competitive analysis, customer discovery, and structured product decision support.
Cursor vs Codex for AI Workflows
Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.
AI Agent for SaaS Idea Validation
Use AI agent skills for SaaS idea validation, market research, customer discovery, competitor analysis, and documenting startup hypotheses.
SKILL.md Source
# Compliance Validation Flow
**You are the Core Orchestrator** for comprehensive compliance validation and attestation.
## Your Role
**You orchestrate multi-agent workflows. You do NOT execute bash scripts.**
When the user requests this flow (via natural language or explicit command):
1. **Interpret the request** and confirm understanding
2. **Read this template** as your orchestration guide
3. **Extract agent assignments** and workflow steps
4. **Launch agents via Task tool** in correct sequence
5. **Synthesize results** and finalize artifacts
6. **Report completion** with summary
## Compliance Validation Overview
**Purpose**: Validate project compliance with regulatory frameworks (GDPR, HIPAA, SOC2, PCI-DSS, ISO 27001, etc.)
**Key Deliverables**:
- Compliance Requirements Matrix
- Control Mapping Documentation
- Gap Analysis Report
- Remediation Plans
- Audit Evidence Package
- Compliance Attestation
**Success Criteria**:
- All applicable requirements identified and mapped
- Audit evidence collected for all controls
- Critical and high gaps remediated or risk accepted
- Control effectiveness validated
- Compliance attestation signed by Executive Sponsor
**Expected Duration**: 2-4 weeks (typical), 20-30 minutes orchestration
## Natural Language Triggers
Users may say:
- "Check compliance"
- "Validate GDPR compliance"
- "Run compliance audit"
- "Verify regulatory compliance"
- "Check SOC2 readiness"
- "Assess HIPAA compliance"
- "Prepare for ISO 27001 audit"
You recognize these as requests for this orchestration flow.
## Parameter Handling
### Compliance Framework Parameter
**Required**: User must specify which framework to validate
**Supported Frameworks**:
- **sox**: Sarbanes-Oxley Act (financial controls)
- **hipaa**: Health Insurance Portability and Accountability Act (healthcare data)
- **gdpr**: General Data Protection Regulation (EU data privacy)
- **pci-dss**: Payment Card Industry Data Security Standard (payment data)
- **iso27001**: ISO 27001 (information security management)
- **soc2**: SOC 2 Type I/II (service organization controls)
- **fedramp**: Federal Risk and Authorization Management Program (US government cloud)
- **ccpa**: California Consumer Privacy Act (California data privacy)
- **nist**: NIST Cybersecurity Framework (US government security)
### --guidance Parameter
**Purpose**: User provides upfront direction to tailor compliance focus
**Examples**:
```
--guidance "Focus on data privacy controls, GDPR Article 25 critical"
--guidance "Tight audit deadline, prioritize critical gaps only"
--guidance "First-time audit, need comprehensive evidence collection"
--guidance "Already have partial evidence from last year's audit"
```
**How to Apply**:
- Parse guidance for keywords: privacy, security, audit, deadline, evidence
- Adjust agent assignments (add privacy-officer for GDPR, security-architect for SOC2)
- Modify validation depth (comprehensive vs. streamlined based on timeline)
- Influence priority ordering (critical gaps first vs. complete coverage)
### --interactive Parameter
**Purpose**: You ask 6 strategic questions to understand compliance context
**Questions to Ask** (if --interactive):
```
I'll ask 6 strategic questions to tailor the compliance validation to your needs:
Q1: What are your top priorities for this compliance activity?
(e.g., passing external audit, internal readiness, specific control areas)
Q2: What are your biggest compliance constraints?
(e.g., time to audit, resource availability, technical limitations)
Q3: What compliance risks concern you most?
(e.g., data breaches, audit failure, regulatory penalties)
Q4: What's your team's experience level with this framework?
(Helps me gauge guidance depth and evidence collection support)
Q5: What's your target timeline for attestation?
(Influences remediation prioritization and evidence collection pace)
Q6: Are there specific areas where you expect gaps?
(e.g., encryption, access control, audit logging)
Based on your answers, I'll adjust:
- Agent assignments (add specialized reviewers)
- Validation depth (comprehensive vs. targeted)
- Priority ordering (critical controls first)
- Remediation approach (quick fixes vs. systematic improvements)
```
**Synthesize Guidance**: Combine answers into structured guidance string for execution
## Artifacts to Generate
**Primary Deliverables**:
- **Compliance Requirements Matrix**: Framework requirements mapped to controls → `.aiwg/compliance/requirements-matrix-{framework}.md`
- **Control Mapping**: Controls mapped to evidence → `.aiwg/compliance/control-mapping-{framework}.md`
- **Gap Analysis Report**: Identified compliance gaps → `.aiwg/compliance/gap-analysis-{framework}.md`
- **Remediation Plans**: Plans to address gaps → `.aiwg/compliance/remediation-plans-{framework}.md`
- **Evidence Collection Checklist**: Evidence inventory → `.aiwg/compliance/evidence-checklist-{framework}.md`
- **Control Testing Results**: Effectiveness validation → `.aiwg/compliance/control-testing-{framework}.md`
- **Compliance Report**: Executive summary → `.aiwg/reports/compliance-report-{framework}.md`
- **Attestation Statement**: Formal compliance attestation → `.aiwg/compliance/attestation-{framework}.md`
**Supporting Artifacts**:
- Control owner assignments
- Evidence repository index
- Risk acceptance documentation
- Audit readiness checklist
## Multi-Agent Orchestration Workflow
### Step 1: Map Compliance Requirements
**Purpose**: Identify applicable requirements and map to project controls
**Your Actions**:
1. **Initialize Compliance Assessment**:
```
Create workspace:
- .aiwg/compliance/
- .aiwg/compliance/evidence/
- .aiwg/compliance/working/
```
2. **Launch Requirements Mapping Agents** (parallel based on framework):
**For GDPR**:
```
Task(
subagent_type="privacy-officer",
description="Map GDPR requirements to controls",
prompt="""
Framework: GDPR (General Data Protection Regulation)
Map GDPR requirements:
1. Lawful Basis (Articles 6-9)
- Consent management
- Legitimate interest assessment
- Contract necessity
2. Data Subject Rights (Articles 12-23)
- Right to access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to portability (Article 20)
3. Privacy by Design (Article 25)
- Data minimization
- Purpose limitation
- Storage limitation
4. Data Protection (Articles 32-34)
- Technical measures (encryption, pseudonymization)
- Organizational measures (policies, training)
- Breach notification (72-hour requirement)
5. International Transfers (Articles 44-49)
- Adequacy decisions
- Standard contractual clauses
- Binding corporate rules
For each requirement:
- Identify if applicable to project
- Map to technical/administrative controls
- Specify evidence requirements
- Assign control owner (role)
Output: .aiwg/compliance/requirements-matrix-gdpr.md
"""
)
```
**For HIPAA**:
```
Task(
subagent_type="security-architect",
description="Map HIPAA requirements to controls",
prompt="""
Framework: HIPAA (Health Insurance Portability and Accountability Act)
Map HIPAA requirements:
1. Administrative Safeguards (§164.308)
- Security Officer designation
- Workforce training
- Access management
- Incident response procedures
- Business Associate Agreements
2. Physical Safeguards (§164.310)
- Facility access controls
- Workstation use policies
- Device and media controls
3. Technical Safeguards (§164.312)
- Access control (unique user ID, encryption)
- Audit controls (logging, monitoring)
- Integrity controls (data validation)
- Transmission security (encryption in transit)
4. Breach Notification (§164.400-414)
- Risk assessment process
- Notification procedures
- Documentation requirements
For each requirement:
- Identify PHI handling in project
- Map to specific controls
- Define evidence requirements
- Assign control owner
Output: .aiwg/compliance/requirements-matrix-hipaa.md
"""
)
```
**For SOC2**:
```
Task(
subagent_type="security-architect",
description="Map SOC2 Trust Services Criteria",
prompt="""
Framework: SOC2 (Service Organization Control 2)
Map SOC2 Trust Services Criteria:
1. Security (Common Criteria)
- CC1: Control Environment
- CC2: Communication and Information
- CC3: Risk Assessment
- CC4: Monitoring Activities
- CC5: Control Activities
- CC6: Logical and Physical Access
- CC7: System Operations
- CC8: Change Management
- CC9: Risk Mitigation
2. Availability (if applicable)
- A1: Availability commitments and SLAs
3. Processing Integrity (if applicable)
- PI1: Processing accuracy and completeness
4. Confidentiality (if applicable)
- C1: Protection of confidential information
5. Privacy (if applicable)
- P1-P8: Privacy criteria
For each criterion:
- Map to project controls
- Identify control activities
- Specify testing procedures
- Define evidence requirements
Output: .aiwg/compliance/requirements-matrix-soc2.md
"""
)
```
**For PCI-DSS**:
```
Task(
subagent_type="security-architect",
description="Map PCI-DSS requirements",
prompt="""
Framework: PCI-DSS (Payment Card Industry Data Security Standard)
Map PCI-DSS 4.0 Requirements:
1. Build and Maintain Secure Networks (Req 1-2)
- Network segmentation
- Firewall configurations
- Default passwords changed
2. Protect Cardholder Data (Req 3-4)
- Data retention and disposal
- Encryption at rest
- Encryption in transit
3. Vulnerability Management (Req 5-6)
- Anti-malware programs
- Secure development practices
- Security patches
4. Access Control (Req 7-9)
- Need-to-know access
- Unique user IDs
- Physical access controls
5. Monitor and Test (Req 10-11)
- Audit logging
- Security testing (scans, penetration tests)
- Network monitoring
6. Information Security Policy (Req 12)
- Security policies
- Risk assessments
- Incident response
For each requirement:
- Identify cardholder data in scope
- Map to compensating controls (if applicable)
- Define quarterly/annual validation
- Specify ASV scan requirements
Output: .aiwg/compliance/requirements-matrix-pci-dss.md
"""
)
```
**For ISO 27001**:
```
Task(
subagent_type="security-architect",
description="Map ISO 27001 controls",
prompt="""
Framework: ISO 27001:2022
Map ISO 27001 Annex A Controls (93 controls in 4 categories):
1. Organizational Controls (37 controls)
- Information security policies
- Roles and responsibilities
- Segregation of duties
- Management commitment
2. People Controls (8 controls)
- Screening and vetting
- Terms of employment
- Security awareness training
- Disciplinary process
3. Physical Controls (14 controls)
- Physical security perimeter
- Physical entry controls
- Protection against threats
- Secure disposal
4. Technological Controls (34 controls)
- Access control
- Cryptography
- Systems security
- Application security
- Secure configuration
For each applicable control:
- Document implementation status
- Map to existing controls
- Identify control effectiveness measures
- Define audit evidence
Create Statement of Applicability (SoA)
Output: .aiwg/compliance/requirements-matrix-iso27001.md
"""
)
```
3. **Synthesize Requirements Matrix**:
```
Task(
subagent_type="compliance-auditor",
description="Create unified compliance requirements matrix",
prompt="""
Read framework-specific requirements matrix
Create comprehensive matrix including:
- Requirement ID and description
- Applicable: Yes/No/Partial
- Control type (Preventive/Detective/Corrective)
- Implementation status (Implemented/Partial/Missing)
- Control owner assignment
- Evidence requirements
- Testing approach
Prioritize by:
- Regulatory importance (mandatory vs. recommended)
- Risk impact (critical/high/medium/low)
- Implementation complexity
Output: .aiwg/compliance/unified-requirements-matrix-{framework}.md
"""
)
```
**Communicate Progress**:
```
✓ Initialized compliance validation for {framework}
⏳ Mapping {framework} requirements to controls...
✓ Requirements identified: {count}
✓ Controls mapped: {count}
✓ Control owners assigned
✓ Requirements matrix complete: .aiwg/compliance/requirements-matrix-{framework}.md
```
### Step 2: Collect Audit Evidence
**Purpose**: Gather evidence demonstrating control implementation
**Your Actions**:
1. **Generate Evidence Collection Checklist**:
```
Task(
subagent_type="compliance-auditor",
description="Create evidence collection checklist",
prompt="""
Read requirements matrix: .aiwg/compliance/requirements-matrix-{framework}.md
For each control, specify evidence needed:
1. Documentation Evidence
- Policies and procedures
- Architecture documentation
- Configuration standards
- Training materials
2. Configuration Evidence
- System configurations (screenshots/exports)
- Security settings
- Access control lists
- Firewall rules
3. Operational Evidence
- Audit logs (samples)
- Incident reports
- Change tickets
- Monitoring dashboards
4. Testing Evidence
- Vulnerability scan reports
- Penetration test results
- Code review reports
- Security assessments
Create checklist with:
- Control ID
- Evidence type needed
- Evidence location (if known)
- Collection method
- Owner responsible
- Collection deadline
- Status (Collected/Pending/N/A)
Output: .aiwg/compliance/evidence-checklist-{framework}.md
"""
)
```
2. **Launch Evidence Collection Agents** (parallel by control domain):
```
# Technical Controls Evidence
Task(
subagent_type="security-architect",
description="Collect technical control evidence",
prompt="""
Read evidence checklist (technical controls section)
Collect or document location of:
1. Encryption configurations
- TLS certificates and versions
- Database encryption settings
- Key management procedures
2. Access control configurations
- IAM policies
- RBAC configurations
- MFA settings
3. Security monitoring
- Log aggregation setup
- SIEM rules and alerts
- Incident response runbooks
4. Network security
- Firewall rules
- Network segmentation diagrams
- VPN configurations
For each piece of evidence:
- Verify it's current (not outdated)
- Redact sensitive information
- Document retrieval process
- Save to .aiwg/compliance/evidence/technical/
Update checklist with collection status
"""
)
# Administrative Controls Evidence
Task(
subagent_type="privacy-officer",
description="Collect administrative control evidence",
prompt="""
Read evidence checklist (administrative controls section)
Collect or document:
1. Policies and procedures
- Information security policy
- Data handling procedures
- Incident response plan
- Business continuity plan
2. Training and awareness
- Training materials
- Completion records
- Security awareness communications
3. Third-party management
- Vendor assessments
- Contract reviews
- SLAs and agreements
4. Risk management
- Risk assessments
- Risk register
- Risk treatment plans
Save to .aiwg/compliance/evidence/administrative/
Update checklist status
"""
)
# Operational Controls Evidence
Task(
subagent_type="devops-engineer",
description="Collect operational control evidence",
prompt="""
Read evidence checklist (operational controls section)
Collect evidence of:
1. Change management
- Change tickets (samples)
- Approval workflows
- Deployment logs
- Rollback procedures
2. Monitoring and logging
- Log samples (30-90 days)
- Alert configurations
- Monitoring dashboards
- Availability metrics
3. Backup and recovery
- Backup schedules
- Recovery test results
- RTO/RPO documentation
4. Vulnerability management
- Scan reports (recent)
- Patch management records
- Vulnerability remediation tickets
Save to .aiwg/compliance/evidence/operational/
Update checklist status
"""
)
```
3. **Validate Evidence Quality**:
```
Task(
subagent_type="compliance-auditor",
description="Validate evidence completeness and quality",
prompt="""
Review all collected evidence
For each piece of evidence, validate:
1. Completeness (no missing sections)
2. Currency (within required timeframe)
3. Authenticity (legitimate source)
4. Relevance (addresses control requirement)
5. Sufficiency (enough to prove control)
Create evidence quality report:
- Total evidence items: {count}
- Complete: {count} ({percentage}%)
- Incomplete: {count} (list items)
- Outdated: {count} (list items)
- Missing: {count} (list items)
Flag critical gaps for immediate collection
Output: .aiwg/compliance/evidence-quality-report-{framework}.md
"""
)
```
**Communicate Progress**:
```
⏳ Collecting audit evidence...
✓ Evidence checklist created: {count} items
✓ Technical evidence: {percentage}% collected
✓ Administrative evidence: {percentage}% collected
✓ Operational evidence: {percentage}% collected
✓ Evidence collection complete: {percentage}% overall
⚠️ Missing evidence flagged: {count} items
```
### Step 3: Conduct Gap Analysis
**Purpose**: Compare current state to compliance requirements
**Your Actions**:
1. **Launch Gap Analysis Agents** (parallel by severity):
```
Task(
subagent_type="compliance-auditor",
description="Identify compliance gaps",
prompt="""
Read:
- Requirements matrix: .aiwg/compliance/requirements-matrix-{framework}.md
- Evidence quality report: .aiwg/compliance/evidence-quality-report-{framework}.md
For each requirement, assess:
1. Control Implementation
- Fully Implemented (control exists and operates)
- Partially Implemented (control exists but incomplete)
- Not Implemented (control missing)
2. Evidence Status
- Sufficient (proves control effectiveness)
- Insufficient (partial evidence)
- Missing (no evidence)
3. Gap Severity
- Critical: Blocks compliance, high risk
- High: Audit finding likely, medium risk
- Medium: Minor finding possible, low risk
- Low: Improvement opportunity
Categorize gaps:
- Missing controls (not implemented)
- Ineffective controls (implemented but not working)
- Insufficient evidence (control works but can't prove)
Output: .aiwg/compliance/gap-analysis-{framework}.md
"""
)
Task(
subagent_type="security-architect",
description="Assess technical gap impact",
prompt="""
Read gap analysis
For each technical gap:
1. Assess security impact
- Data exposure risk
- System compromise risk
- Compliance violation risk
2. Estimate remediation effort
- Quick fix (hours/days)
- Standard fix (weeks)
- Major project (months)
3. Recommend remediation approach
- Technical solution
- Compensating controls
- Risk acceptance criteria
Prioritize by risk × effort matrix
Output: .aiwg/compliance/technical-gap-assessment-{framework}.md
"""
)
```
2. **Create Gap Remediation Matrix**:
```
Task(
subagent_type="project-manager",
description="Create remediation priority matrix",
prompt="""
Read:
- Gap analysis
- Technical gap assessment
Create remediation matrix:
| Gap ID | Requirement | Severity | Risk | Effort | Priority | Owner | Timeline |
|--------|------------|----------|------|--------|----------|-------|----------|
Prioritization formula:
- Critical gaps: MUST fix before attestation
- High gaps: SHOULD fix or have risk acceptance
- Medium gaps: Target for next cycle
- Low gaps: Continuous improvement
For each gap, specify:
- Remediation approach
- Success criteria
- Validation method
- Dependencies
Output: .aiwg/compliance/remediation-matrix-{framework}.md
"""
)
```
**Communicate Progress**:
```
⏳ Analyzing compliance gaps...
✓ Gap analysis complete:
- Critical gaps: {count}
- High gaps: {count}
- Medium gaps: {count}
- Low gaps: {count}
✓ Remediation matrix created
⚠️ {count} critical gaps require immediate attention
```
### Step 4: Implement Remediation Plans
**Purpose**: Address critical and high-priority gaps
**Your Actions**:
1. **Create Detailed Remediation Plans** (parallel by gap severity):
```
# Critical Gaps
Task(
subagent_type="security-architect",
description="Create critical gap remediation plans",
prompt="""
Read remediation matrix (critical gaps)
For each critical gap, create detailed plan:
1. Gap Description
- Current state
- Required state
- Compliance impact
2. Remediation Steps
- Specific technical actions
- Configuration changes
- Process updates
- Documentation needs
3. Success Criteria
- How to verify remediation
- Evidence to collect
- Testing approach
4. Timeline
- Start date
- Milestones
- Completion date
- Validation date
5. Risk if Not Remediated
- Compliance impact
- Business impact
- Recommended risk acceptance (if applicable)
Output: .aiwg/compliance/remediation-plans/critical-{gap-id}.md
"""
)
# High Priority Gaps
Task(
subagent_type="compliance-specialist",
description="Create high-priority gap remediation plans",
prompt="""
Similar structure for high-priority gaps
Focus on quick wins and high-impact improvements
Output: .aiwg/compliance/remediation-plans/high-{gap-id}.md
"""
)
```
2. **Execute Quick Remediation** (where possible):
```
Task(
subagent_type="devops-engineer",
description="Implement quick-fix remediations",
prompt="""
Read remediation plans (quick fixes only)
For gaps that can be fixed immediately:
1. Update configurations
2. Enable logging/monitoring
3. Document procedures
4. Update access controls
For each fix:
- Document change made
- Collect evidence of fix
- Validate effectiveness
- Update gap status
Output: .aiwg/compliance/remediation-completed-{framework}.md
"""
)
```
3. **Document Risk Acceptance** (for gaps not remediated):
```
Task(
subagent_type="legal-liaison",
description="Document risk acceptance for unremediated gaps",
prompt="""
For gaps that cannot be remediated before attestation:
Create risk acceptance documentation:
1. Gap description and severity
2. Why it cannot be remediated now
3. Compensating controls (if any)
4. Residual risk assessment
5. Risk owner (must be executive level)
6. Acceptance period (temporary vs. permanent)
7. Re-evaluation date
Output: .aiwg/compliance/risk-acceptance-{framework}.md
"""
)
```
**Communicate Progress**:
```
⏳ Implementing remediation plans...
✓ Critical gap remediation: {count}/{total} complete
✓ High gap remediation: {count}/{total} complete
✓ Quick fixes applied: {count}
⚠️ Risk acceptance needed: {count} gaps
✓ Remediation phase complete
```
### Step 5: Validate Control Effectiveness
**Purpose**: Test that controls are operating effectively
**Your Actions**:
1. **Design Control Tests**:
```
Task(
subagent_type="test-architect",
description="Design control effectiveness tests",
prompt="""
Read:
- Requirements matrix
- Remediation completed list
For each control, design test:
1. Test objective (what to validate)
2. Test approach (how to test)
3. Sample size (if sampling)
4. Success criteria (pass/fail)
5. Evidence to collect
Test types:
- Inquiry (interview control owners)
- Observation (watch control in action)
- Inspection (review evidence)
- Re-performance (repeat control action)
Output: .aiwg/compliance/control-test-plan-{framework}.md
"""
)
```
2. **Execute Control Tests** (parallel by control domain):
```
Task(
subagent_type="security-tester",
description="Test technical controls",
prompt="""
Execute technical control tests:
1. Access Control Testing
- Attempt unauthorized access
- Verify least privilege
- Test segregation of duties
2. Encryption Testing
- Verify encryption in transit (TLS scan)
- Verify encryption at rest
- Test key management
3. Logging and Monitoring
- Verify log generation
- Test alert triggers
- Validate log retention
4. Security Configuration
- Run configuration scans
- Test hardening standards
- Validate patch levels
Document results:
- Control ID
- Test performed
- Result (Pass/Fail)
- Evidence collected
- Deficiencies noted
Output: .aiwg/compliance/control-test-results-technical-{framework}.md
"""
)
Task(
subagent_type="compliance-auditor",
description="Test administrative controls",
prompt="""
Test administrative controls through:
1. Policy review (current and approved)
2. Training record inspection
3. Process observation
4. Staff interviews
5. Documentation review
Output: .aiwg/compliance/control-test-results-administrative-{framework}.md
"""
)
```
3. **Consolidate Test Results**:
```
Task(
subagent_type="compliance-auditor",
description="Consolidate control testing results",
prompt="""
Read all test results
Create summary:
- Total controls tested: {count}
- Controls effective: {count} ({percentage}%)
- Controls with deficiencies: {count}
- Controls failed: {count}
For deficiencies:
- Categorize by severity
- Determine if attestation blocker
- Recommend remediation or acceptance
Output: .aiwg/compliance/control-effectiveness-summary-{framework}.md
"""
)
```
**Communicate Progress**:
```
⏳ Testing control effectiveness...
✓ Test plan created: {count} controls to test
✓ Technical controls tested: {percentage}% effective
✓ Administrative controls tested: {percentage}% effective
✓ Control testing complete: {percentage}% overall effectiveness
⚠️ {count} controls with deficiencies identified
```
### Step 6: Generate Compliance Report and Attestation
**Purpose**: Create executive report and formal attestation
**Your Actions**:
1. **Generate Executive Compliance Report**:
```
Task(
subagent_type="compliance-auditor",
description="Generate comprehensive compliance report",
prompt="""
Read all compliance artifacts:
- Requirements matrix
- Gap analysis
- Remediation status
- Control test results
- Risk acceptances
Generate executive report with:
# Compliance Validation Report - {Framework}
## Executive Summary
- Overall compliance status
- Critical findings
- Attestation readiness
## Compliance Status
- Total requirements: {count}
- Requirements met: {percentage}%
- Critical gaps: {count}
- Risk acceptances: {count}
## Gap Analysis Summary
[Table of gaps by severity]
## Remediation Status
[Progress on gap closure]
## Control Effectiveness
[Testing results summary]
## Risk Acceptance Summary
[Accepted risks with owners]
## Recommendations
- Immediate actions needed
- Long-term improvements
- Process enhancements
## Attestation Readiness
- Ready to attest: YES/NO/CONDITIONAL
- Conditions (if any)
Output: .aiwg/reports/compliance-report-{framework}.md
"""
)
```
2. **Prepare Attestation Statement**:
```
Task(
subagent_type="legal-liaison",
description="Prepare formal attestation statement",
prompt="""
Based on compliance status, prepare attestation:
# {Framework} Compliance Attestation
**Organization**: [Project/Company Name]
**Framework**: {framework}
**Assessment Period**: [Start Date] to [End Date]
**Attestation Date**: {current date}
## Attestation Statement
I, [Executive Name], in my capacity as [Title], hereby attest that:
1. A comprehensive compliance assessment has been conducted
2. Controls have been implemented to address {framework} requirements
3. Control effectiveness has been validated through testing
4. Identified gaps have been remediated or formally risk accepted
5. The organization is [COMPLIANT/SUBSTANTIALLY COMPLIANT/NOT COMPLIANT]
with {framework} requirements
## Scope
[Define what is included/excluded]
## Exceptions and Limitations
[List any gaps with risk acceptance]
## Compensating Controls
[Describe compensating controls for gaps]
## Management Commitment
We commit to maintaining compliance through:
- Continuous monitoring
- Periodic assessments
- Timely remediation
**Signature**: _________________________
**Name**: [Executive Sponsor]
**Title**: [Title]
**Date**: [Date]
Output: .aiwg/compliance/attestation-{framework}.md
"""
)
```
3. **Package Audit Evidence**:
```
Task(
subagent_type="documentation-archivist",
description="Create audit evidence package",
prompt="""
Create organized evidence package for auditor:
Create index:
.aiwg/compliance/evidence/INDEX.md
Structure:
1. Executive Summary
- Compliance report
- Attestation statement
2. Requirements Mapping
- Requirements matrix
- Control mapping
3. Gap Analysis
- Gap analysis report
- Remediation plans
- Risk acceptances
4. Evidence by Control
- Organize by requirement ID
- Include test results
- Link to source documents
5. Appendices
- Policies and procedures
- Technical configurations
- Test reports
Create ZIP archive:
.aiwg/compliance/audit-package-{framework}-{date}.zip
Output: Evidence package ready for auditor review
"""
)
```
**Communicate Progress**:
```
✓ Generating compliance documentation...
✓ Executive report complete
✓ Attestation statement prepared
✓ Audit evidence package created
✓ Compliance validation complete for {framework}
```
## Framework-Specific Considerations
### GDPR Specific
- Focus on privacy rights implementation
- Document lawful basis for processing
- Validate DSAR (data subject access request) process
- Ensure DPO (Data Protection Officer) involvement
- Verify cross-border transfer mechanisms
### HIPAA Specific
- Emphasize PHI safeguards
- Validate Business Associate Agreements
- Test breach notification procedures
- Verify workforce training completion
- Document risk assessments
### SOC2 Specific
- Align with Trust Services Criteria
- Focus on continuous monitoring
- Document control activities
- Validate change management
- Emphasize availability metrics
### PCI-DSS Specific
- Define cardholder data environment (CDE)
- Validate network segmentation
- Quarterly vulnerability scans by ASV
- Annual penetration testing
- Compensating controls documentation
### ISO 27001 Specific
- Create Statement of Applicability
- Document ISMS scope
- Validate risk assessment methodology
- Internal audit before certification
- Management review evidence
## Quality Gates
Before marking workflow complete, verify:
- [ ] All applicable requirements identified
- [ ] Evidence collected for all controls
- [ ] Gap analysis complete with severity assessment
- [ ] Critical gaps remediated or risk accepted
- [ ] Control effectiveness validated
- [ ] Executive report generated
- [ ] Attestation statement prepared
- [ ] Audit package assembled
## User Communication
**At start**: Confirm framework and scope
```
Understood. I'll orchestrate compliance validation for {framework}.
This will include:
- Requirements mapping to controls
- Evidence collection and validation
- Gap analysis and remediation
- Control effectiveness testing
- Compliance report and attestation
Expected duration: 20-30 minutes.
Starting compliance validation...
```
**During**: Update progress with clear indicators
```
✓ = Complete
⏳ = In progress
❌ = Failed/blocked
⚠️ = Attention needed
```
**At end**: Compliance summary report
```
═══════════════════════════════════════════════
{Framework} Compliance Validation Complete
═══════════════════════════════════════════════
**Compliance Status**: {COMPLIANT | SUBSTANTIALLY COMPLIANT | NON-COMPLIANT}
**Attestation Ready**: {YES | NO | CONDITIONAL}
**Requirements Coverage**:
✓ Total Requirements: {count}
✓ Requirements Met: {count} ({percentage}%)
⚠️ Requirements with Gaps: {count}
**Gap Summary**:
- Critical: {count} [{resolved}/{total}]
- High: {count} [{resolved}/{total}]
- Medium: {count}
- Low: {count}
**Control Effectiveness**: {percentage}% effective
**Evidence Collection**: {percentage}% complete
**Key Artifacts**:
- Compliance Report: .aiwg/reports/compliance-report-{framework}.md
- Gap Analysis: .aiwg/compliance/gap-analysis-{framework}.md
- Attestation: .aiwg/compliance/attestation-{framework}.md
- Audit Package: .aiwg/compliance/audit-package-{framework}.zip
**Next Steps**:
1. Review executive report with leadership
2. Obtain attestation signature
3. Address remaining gaps (if any)
4. Schedule audit (internal or external)
5. Implement continuous monitoring
**Recommendations**:
{List top 3-5 recommendations}
═══════════════════════════════════════════════
```
## Error Handling
**Framework Not Recognized**:
```
❌ Compliance framework '{input}' not recognized
Supported frameworks:
- sox: Sarbanes-Oxley Act
- hipaa: Health Insurance Portability and Accountability Act
- gdpr: General Data Protection Regulation
- pci-dss: Payment Card Industry Data Security Standard
- iso27001: ISO 27001 Information Security
- soc2: Service Organization Control 2
- fedramp: Federal Risk and Authorization Management Program
- ccpa: California Consumer Privacy Act
- nist: NIST Cybersecurity Framework
Please specify a valid framework.
```
**Critical Gaps Not Remediated**:
```
⚠️ Critical compliance gaps remain
{count} critical gaps must be addressed before attestation:
1. {gap description}
2. {gap description}
Options:
- Remediate gaps (recommended)
- Document compensating controls
- Obtain executive risk acceptance
- Defer attestation
Cannot proceed with attestation while critical gaps remain unremediated.
```
**Insufficient Evidence**:
```
❌ Insufficient evidence for compliance validation
Evidence gaps:
- {count} controls missing evidence
- {count} controls with outdated evidence
Actions needed:
1. Collect missing evidence
2. Update outdated documentation
3. Re-run validation
Compliance cannot be attested without sufficient evidence.
```
## Success Criteria
This orchestration succeeds when:
- [ ] Framework requirements mapped to controls
- [ ] Control owners identified and assigned
- [ ] Evidence collected (≥90% complete)
- [ ] Gap analysis completed
- [ ] Critical/high gaps remediated or risk accepted
- [ ] Control effectiveness validated
- [ ] Compliance report generated
- [ ] Attestation statement prepared
- [ ] Audit package ready for review
## Metrics to Track
**During orchestration, track**:
- Requirements coverage: % of requirements with implemented controls
- Evidence completeness: % of controls with sufficient evidence
- Gap closure rate: % of gaps remediated
- Control effectiveness: % of controls testing as effective
- Time to remediation: Average days to close gaps
- Risk acceptance rate: % of gaps requiring risk acceptance
## References
**Templates** (via $AIWG_ROOT):
- Requirements Matrix: `templates/compliance/compliance-requirements-matrix-template.md`
- Control Mapping: `templates/compliance/control-mapping-template.md`
- Gap Analysis: `templates/compliance/gap-analysis-template.md`
- Evidence Checklist: `templates/compliance/evidence-collection-checklist-template.md`
- Attestation: `templates/compliance/compliance-attestation-template.md`
- Control Testing: `templates/compliance/control-testing-template.md`
**Framework Guidance**:
- GDPR: `add-ons/gdpr-compliance/`
- HIPAA: External reference (HHS.gov)
- SOC2: AICPA Trust Services Criteria
- PCI-DSS: PCI Security Standards Council
- ISO 27001: ISO/IEC 27001:2022 standard
**Related Flows**:
- Security Review: `flow-security-review-cycle.md`
- Risk Management: `flow-risk-management-cycle.md`
- Gate Checks: `flow-gate-check.md`Related Skills
research-workflow
104
from jmagly/aiwg
Execute multi-stage research workflows
Codex
legal-compliance
104
from jmagly/aiwg
Project directory path (default current directory)
Codex
flow-test-strategy-execution
104
from jmagly/aiwg
Orchestrate comprehensive test strategy with test suite execution, coverage validation, defect triage, and regression analysis
Codex
flow-security-review-cycle
104
from jmagly/aiwg
Orchestrate continuous security validation, threat modeling, vulnerability management, and security gate enforcement across SDLC phases
Codex
flow-risk-management-cycle
104
from jmagly/aiwg
Orchestrate continuous risk identification, assessment, tracking, and retirement across SDLC phases
Codex
flow-retrospective-cycle
104
from jmagly/aiwg
Orchestrate systematic retrospective cycle with structured feedback collection, improvement tracking, and action item management
Codex
flow-requirements-evolution
104
from jmagly/aiwg
Orchestrate living requirements refinement, change control, impact analysis, and traceability maintenance throughout SDLC
Codex
flow-performance-optimization
104
from jmagly/aiwg
Orchestrate continuous performance optimization with baseline establishment, bottleneck identification, optimization implementation, load testing, and SLO validation
Codex
flow-knowledge-transfer
104
from jmagly/aiwg
Orchestrate Knowledge Transfer flow with assessment, documentation, shadowing, validation, and handover
Codex
flow-iteration-dual-track
104
from jmagly/aiwg
Orchestrate dual-track iteration with synchronized Discovery (next) and Delivery (current) workflows
Codex
flow-incident-response
104
from jmagly/aiwg
Orchestrate production incident triage, escalation, resolution, and post-incident review using ITIL best practices
Codex
flow-inception-to-elaboration
104
from jmagly/aiwg
Orchestrate Inception→Elaboration phase transition with architecture baselining and risk retirement
Codex