Compliance
The compliance system provides solutions-based component grouping, compliance snapshots for audit evidence, digital attestations, compliance scoring with trend analysis, and comprehensive audit logging for regulatory requirements.
Solutions
Solutions group related platform components (applications, workflows, data sources, models) into logical units for unified governance and compliance tracking. A solution represents a business capability or product composed of multiple Strongly AI resources.
Creating a Solution
- Navigate to Governance > Solutions (or /governance/solutions)
- Click Create Solution
- The Solution Builder wizard guides you through configuration:
General Tab
| Field | Description |
|---|---|
| Name | Unique name for the solution (e.g., "Customer Analytics Platform") |
| Description | What this solution does and why it exists |
| Type | dynamic (auto-updates), snapshot (frozen at creation), or logical (conceptual grouping) |
Business Context Tab
| Field | Description |
|---|---|
| Purpose | Business purpose of the solution |
| Business Value | Value proposition and impact |
| Criticality | Critical, High, Medium, or Low |
| Data Classification | Sensitivity level: Public, Internal, Confidential, or Restricted |
| Regulatory Scope | Applicable regulations (HIPAA, GDPR, SOC 2, PCI DSS, etc.) |
| Compliance Frameworks | Associated compliance frameworks |
Composition Tab
Solutions can be composed using three methods, and you can combine them:
Explicit Selection — Manually select specific resources by ID:
- Applications
- Workflows
- Data Sources
- Models (ML Registry)
- AI Gateway Models
- Add-ons
- Workspaces
- Projects
Tag-Based Selection — Include or exclude components by tags:
- Include tags — Components with any of these tags are included
- Exclude tags — Components with any of these tags are excluded
- Dynamic — As tags change on resources, solution membership updates automatically
Query-Based Selection — Use MongoDB query selectors to filter components by any field combination. This provides the most flexible composition for advanced use cases.
Ownership Tab
| Field | Description |
|---|---|
| Business Owner | Person responsible for business outcomes |
| Technical Owner | Person responsible for technical implementation |
| Team | Team or department that owns this solution |
| Department | Organizational department |
| Cost Center | Financial allocation for cost tracking |
Lifecycle
| Type | Description |
|---|---|
| Permanent | Solution is always active |
| Temporal | Valid for a specific date range (start and end dates) |
| Event-Driven | Activated by a trigger condition |
Solution Types
| Type | Behavior |
|---|---|
| Dynamic | Components are resolved in real-time. As resources are added, tagged, or removed, the solution membership updates automatically. |
| Snapshot | Composition is captured at creation time and does not change. Useful for point-in-time audits. |
| Logical | Conceptual grouping for organizational purposes. Components are listed but not dynamically resolved. |
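The following is an added example, not Strongly AI's own code: it resolves solution membership from a combined composition (explicit IDs plus include/exclude tags, as described in the Composition Tab section) and contrasts the dynamic and snapshot solution types. The resource and composition shapes, and the rule that an exclude tag overrides an explicit selection, are assumptions made for the illustration.

```javascript
// Added example, not Strongly AI's own code: resolves solution membership from a
// combined composition (explicit IDs plus include/exclude tags) and contrasts the
// dynamic and snapshot solution types. Resource/composition shapes and the rule
// that an exclude tag overrides an explicit selection are assumptions.
const RESOURCES = [ // constructed sample inventory
  { id: 'app-1',   type: 'application', tags: ['customer-analytics', 'prod'] },
  { id: 'wf-7',    type: 'workflow',    tags: ['customer-analytics', 'experimental'] },
  { id: 'ds-3',    type: 'dataSource',  tags: ['pii', 'prod'] },
  { id: 'model-9', type: 'model',       tags: ['customer-analytics'] },
  { id: 'model-2', type: 'model',       tags: ['sandbox'] },
];

const COMPOSITION = {
  explicit: ['ds-3'],                  // Explicit Selection: chosen by ID
  includeTags: ['customer-analytics'], // Tag-Based: any of these tags includes
  excludeTags: ['experimental'],       // Tag-Based: any of these tags excludes
};

const hasAny = (resourceTags, tags) => tags.some((t) => resourceTags.includes(t));

// Union of explicit and include-tag matches, minus anything carrying an exclude tag
function resolveComponents(inventory, composition) {
  const explicit = new Set(composition.explicit || []);
  const include = composition.includeTags || [];
  const exclude = composition.excludeTags || [];
  return inventory
    .filter((r) => (explicit.has(r.id) || hasAny(r.tags, include)) && !hasAny(r.tags, exclude))
    .map((r) => r.id);
}

// A snapshot solution captures its composition once; a dynamic one resolves on every read
function createSolution(name, type, composition, inventory) {
  const solution = { name, type, composition };
  if (type === 'snapshot') solution.frozenComponents = resolveComponents(inventory, composition);
  return solution;
}

function solutionMembers(solution, inventory) {
  return solution.type === 'snapshot'
    ? solution.frozenComponents
    : resolveComponents(inventory, solution.composition);
}
```

Re-tagging a resource in the inventory changes what a dynamic solution returns on the next read, while the snapshot solution keeps the members captured at creation.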
Managing Solutions
| Operation | Description |
|---|---|
| View solution | See composition, ownership, associated snapshots |
| Edit solution | Modify name, description, composition, or ownership |
| Delete solution | Remove solution (blocked if frozen snapshots exist) |
| Export solution | Export solution with resolved components, snapshots, and policy instances |
| Create snapshot | Create a compliance snapshot for this solution |
Component Governance Metadata
Each component within a solution can have governance metadata attached:
| Field | Description |
|---|---|
| tags | Organizational tags for categorization |
| criticality | critical, high, medium, or low |
| dataClassification | public, internal, confidential, or restricted |
| regulatoryScope | Array of applicable regulations |
| sla | Service level agreement configuration |
| usedBySolutions | Solutions that include this component |
Components can be shared across multiple solutions. Each component's usage within a solution includes its role (primary, shared, dependency) and permission level.
Compliance Snapshots
Compliance snapshots capture a point-in-time view of a solution's compliance state. They serve as evidence for audits, release approvals, and regulatory reviews. Once frozen, snapshots become immutable audit evidence.
Snapshot Types
| Type | Description | Auto-Frozen |
|---|---|---|
| baseline | Initial compliance state for comparison | No |
| periodic | Regular compliance check (weekly, monthly) | No |
| release | Captured before a release for approval | No |
| audit | Formal audit evidence | Yes |
Creating a Snapshot
- Navigate to a solution's detail page and click Create Snapshot, or go to Governance > Snapshots > Create
- Select the snapshot type (baseline, periodic, release, or audit)
- Optionally provide:
- Custom name and description
- Target audience
- Compliance framework selection
- Audit information (auditor name, organization, date, certification ID)
- Click Create Snapshot
The system automatically:
- Resolves all current solution components and captures their state
- Evaluates all applicable policies and calculates compliance scores
- Assigns a version number (v1, v2, v3, etc.)
- Records the compliance score in the history collection for trend analysis
- Freezes audit-type snapshots immediately
Snapshot Contents
Each snapshot contains:
| Section | Description |
|---|---|
| Resolved Components | Array of component snapshots with ID, type, name, and captured state |
| Resolution Metadata | Total components, shared components, resolution method, timestamp |
| Policy Results | Per-policy evaluation results with status, score, and findings |
| Compliance State | Overall score, category scores, violations, and warnings |
| Approvals | Sign-off records from approvers |
| Attestations | Formal compliance statements |
| Frozen Status | Whether the snapshot is immutable |
Compliance State
The compliance state is calculated from all policy instances applied to the solution's components:
| Metric | Description |
|---|---|
| Score | Overall compliance score (0-100) |
| Overall Compliant | true if no critical violations and score is 80 or higher |
| Critical Violations | Count of denied or failed policy instances |
| Warnings | Count of in-progress or pending approval instances |
| Category Scores | Per-category averages: Security, Compliance, Quality, Operational, Cost |
Instance scoring:
| Instance Status | Score | Classification |
|---|---|---|
| completed or approved | 100 | Compliant |
| denied | 0 | Critical violation |
| pending_approval or in_progress | 50 | Warning |
| Other | 50 | Warning |
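The following is an added example, not Strongly AI's own code: it computes a snapshot's Compliance State from its policy instances using the scoring rules in the two tables above. The instance shape `{ policy, category, status }`, the overall score being the average of all instance scores, and a score of 0 for a solution with no instances are assumptions made for the illustration.

```javascript
// Added example, not Strongly AI's own code: derives the Compliance State
// (score, overall compliance, violation and warning counts, category scores)
// from policy instances. The instance shape and the overall score being the
// average of instance scores are assumptions for this illustration.
const INSTANCE_SCORES = {
  completed: 100, approved: 100,         // Compliant
  denied: 0, failed: 0,                  // Critical violation (denied or failed)
  pending_approval: 50, in_progress: 50, // Warning
};

function scoreInstance(status) {
  // Any other status is classified as a warning and scores 50
  return status in INSTANCE_SCORES ? INSTANCE_SCORES[status] : 50;
}

function computeComplianceState(instances) {
  let total = 0, criticalViolations = 0, warnings = 0;
  const perCategory = {};
  for (const inst of instances) {
    const s = scoreInstance(inst.status);
    total += s;
    if (s === 0) criticalViolations += 1;
    else if (s === 50) warnings += 1;
    (perCategory[inst.category] || (perCategory[inst.category] = [])).push(s);
  }
  const average = (xs) => Math.round(xs.reduce((a, b) => a + b, 0) / xs.length);
  const categoryScores = {}; // per-category averages (Security, Compliance, ...)
  for (const [cat, scores] of Object.entries(perCategory)) categoryScores[cat] = average(scores);
  const score = instances.length ? Math.round(total / instances.length) : 0; // 0 if empty: assumption
  return {
    score,
    overallCompliant: criticalViolations === 0 && score >= 80, // rule from the table above
    criticalViolations,
    warnings,
    categoryScores,
  };
}

// Constructed sample: five policy instances, one per category
const SAMPLE_INSTANCES = [
  { policy: 'encryption-at-rest', category: 'Security',    status: 'completed' },
  { policy: 'pii-retention',      category: 'Compliance',  status: 'approved' },
  { policy: 'model-evaluation',   category: 'Quality',     status: 'in_progress' },
  { policy: 'backup-schedule',    category: 'Operational', status: 'pending_approval' },
  { policy: 'budget-cap',         category: 'Cost',        status: 'completed' },
];
```

With the sample above the solution scores exactly 80 with two warnings and is compliant; adding a single denied instance drops it below the threshold and fails it on the critical-violation rule regardless of score.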
Snapshot Detail View
Navigate to any snapshot to see the full compliance picture across multiple tabs:
| Tab | Contents |
|---|---|
| Overview | Status, compliance score, resolved components, creation metadata |
| Policies | Per-policy evaluation results (passed/failed/warning/pending/exempted) |
| Components | Component-level compliance status and individual scores |
| Findings | Findings organized by severity (Critical, High, Medium, Low) |
| Actions | Required remediation actions with priority and assignment |
| Approvals | Sign-off records from validators |
| Comments | Discussion thread for the snapshot |
Compliance Dashboard
Each snapshot has a dedicated compliance dashboard (accessible from the snapshot detail page) showing:
| Section | Description |
|---|---|
| Score Gauge | Circular progress indicator (0-100) with color coding: green (80+), yellow (60-79), orange (40-59), red (0-39) |
| Category Scores | Breakdown by Security, Compliance, Quality, Operational, Cost with trend indicators |
| Policy Evaluations | Per-policy cards showing status and findings |
| Component Grid | Each component's compliance status |
| Findings Summary | Count by severity level |
| Required Actions | Remediation tasks with priority and assignment |
| Enforcement Status | Whether deployment is allowed, blocked, or requires override |
Freezing Snapshots
Frozen snapshots are immutable and cannot be modified or deleted. This ensures audit evidence integrity.
- Audit-type snapshots are frozen automatically upon creation
- Other snapshot types can be frozen manually by the creator or an admin
- Frozen snapshots record: freeze timestamp, who froze it
- Solutions with frozen snapshots cannot be deleted — this preserves audit chain integrity
Snapshot Approval
Administrators can approve or reject snapshots for release or compliance certification:
| Field | Description |
|---|---|
| Approver Name | Who made the decision |
| Role | Approver's role |
| Decision | approved or rejected |
| Comments | Detailed feedback |
| Conditions | Any conditions on the approval |
| Timestamp | When the decision was made |
Multiple approvals can be recorded on a single snapshot.
Score History and Trends
Compliance scores are stored in a history collection each time a snapshot is created, enabling trend analysis:
- Query history to see score changes over time
- Historical records include overall score, category scores, critical findings, and warnings
- Records have a 1-year TTL and are automatically expired after 365 days
- Use trend data to identify compliance degradation before it becomes critical
Attestations
Attestations are formal digital statements of compliance made by authorized users against compliance snapshots. They serve as evidence that a qualified person has reviewed and certified the compliance state.
Attestation Types
| Type | Purpose |
|---|---|
| compliance_certification | General compliance certification |
| data_accuracy | Certification that data is accurate and complete |
| security_review | Security review has been completed |
| privacy_review | Privacy review has been completed |
| risk_acceptance | Formal acceptance of identified risks |
| audit_acknowledgment | Acknowledgment of audit findings |
| annual_recertification | Annual compliance recertification |
Creating an Attestation
- Navigate to a compliance snapshot's detail page
- Click Add Attestation
- Select the attestation type
- Enter the compliance statement (what you are attesting to)
- Optionally add a custom statement and conditions
- Submit the attestation
The system records:
| Field | Description |
|---|---|
| Attester identity | User ID, name, email, and role |
| Statement | What is being attested |
| Custom statement | Additional context or qualifications |
| Conditions | Any conditions on the attestation |
| Signature method | Authentication method (e.g., password — authenticated session) |
| Timestamp | When the attestation was made |
| Expiration | Default: 1 year from creation |
Attestations are stored both in the dedicated governance_attestations collection and embedded in the snapshot's attestations array for quick access.
Managing Attestations
| Operation | Description |
|---|---|
| List for snapshot | View all active attestations for a specific snapshot |
| List for solution | View attestations across all snapshots for a solution |
| List mine | View your own attestations |
| Revoke | Revoke an attestation with a documented reason |
| Summary | View counts by type, expiring soon, and revoked |
Attestation Expiration
Attestations have a default expiration of 1 year. The system sends notification reminders at:
| Days Before Expiry | Priority |
|---|---|
| 30 days | Medium |
| 14 days | High |
| 7 days | High |
| 3 days | Critical |
| 1 day | Critical |
Revoking Attestations
Attestations can be revoked by the attester or an administrator:
- Provide the attestation ID and a written reason for revocation
- The attestation is marked as revoked with timestamp, user, and reason
- The corresponding entry in the snapshot is also updated
- Revoked attestations are excluded from active queries but preserved for audit purposes
Audit Logging
Every governance action generates an immutable audit log entry. The audit trail provides complete change reconstruction for compliance reporting and regulatory reviews.
Logged Events
| Entity Type | Actions |
|---|---|
| policy | created, updated, deleted, imported_from_yaml, created_from_template, shared, unshared, applied_to_snapshot |
| instance | created, metadata_updated, submitted_for_approval, approved, denied, deleted, shared, unshared |
| promotion | requested |
| override | promotion_overridden, override_created, override_revoked |
| template | created, updated, deleted |
| solution | created, updated, deleted |
| snapshot | created, frozen, approved, rejected, deleted |
| attestation | created, revoked |
| component-metadata | updated |
| notification | Various notification actions |
| exemption | created, revoked |
Audit Log Entry Structure
Each entry contains:
| Field | Description |
|---|---|
| entityType | Type of entity that was changed |
| entityId | ID of the entity |
| action | What action was performed |
| previousState | Complete state before the change (for updates) |
| newState | Complete state after the change |
| userId | ID of the user who performed the action |
| userName | Display name of the user |
| timestamp | When the action occurred |
Viewing Audit Logs
- Navigate to Governance > Audit Log (or /governance/audit)
- Filter by:
- Entity Type — Policy, Instance, Promotion, Override, Solution, Snapshot, Attestation, Template
- Action — Created, Updated, Approved, Denied, Overridden, Frozen, Revoked
- User — Who performed the action
- Date Range — When the action occurred
- Search — Free-text search on user, action, or entity ID
- Click any entry to see the full before/after state diff, enabling complete change reconstruction
Audit Indexes
Logs are indexed for efficient querying:
- entityType + entityId — Find all changes to a specific entity
- userId — Find all actions by a specific user
- timestamp (descending) — Recent activity queries
- action — Filter by action type
Regulatory Compliance
Mapping Policies to Frameworks
- Identify applicable regulations for your organization
- Create policies that enforce specific requirements from each framework
- Tag policies with the relevant complianceFrameworks values (SOC 2, HIPAA, GDPR, ISO 27001, PCI DSS, etc.)
- Use the Policy Catalog search to find templates by framework
- Generate compliance snapshots and attestations as evidence for auditors
Evidence Trail for Auditors
For regulatory audits, the following governance artifacts serve as evidence:
| Artifact | Evidence Value |
|---|---|
| Policy definitions | Document what controls are in place |
| Policy instances | Show that controls were applied to specific resources |
| Signoff records | Prove that qualified reviewers approved compliance |
| Compliance snapshots (frozen) | Immutable point-in-time compliance state |
| Attestations | Formal statements of compliance from authorized personnel |
| Audit logs | Complete change history with before/after states |
| Score history | Demonstrate compliance trends over time |
| Override records | Document exceptions with business justification |
Compliance Reports
Generate compliance reports from snapshots for stakeholders and auditors:
- Open a compliance snapshot detail page
- Click Generate Report
- Select report sections:
- Executive summary
- Detailed analysis
- Compliance matrix
- Risk assessment
- Recommendations
- Download as PDF, print, or share via email
Best Practices
Establish Governance Early
- Define policies before deploying resources to production
- Document the purpose and requirements for each policy
- Communicate governance processes to all team members
- Review and update policies quarterly
Use Solutions Effectively
- Group resources by business capability or product
- Assign clear ownership (both business and technical)
- Set appropriate criticality and data classification
- Use tag-based composition for dynamic environments where resources change frequently
- Use explicit composition for stable, well-defined product boundaries
Maintain Compliance Evidence
- Create baseline snapshots when solutions are first deployed
- Generate periodic snapshots on a regular schedule (weekly or monthly)
- Create release snapshots before every production deployment
- Freeze audit snapshots for permanent evidence
- Collect attestations from qualified reviewers at each milestone
Monitor Compliance Health
- Review the compliance dashboard regularly
- Track score trends over time to identify degradation early
- Address critical violations immediately
- Investigate warning trends before they become violations
- Use trend analysis to forecast compliance risks
Preserve Audit Trail
- Never delete frozen snapshots or completed policy instances
- Export audit logs regularly for long-term archival
- Retain records per your organization's regulatory requirements
- Review audit logs during internal and external audits
- Use the diff view to reconstruct specific changes when investigating issues
Frozen compliance snapshots and completed policy instances cannot be deleted. This is by design to preserve audit evidence integrity. Plan your governance data lifecycle accordingly.