# Compliance Alignment — Feature Status Rollup
Last Updated: 2026-05-31
Source Standards Research: ~/Projects/Work/research/docs/ai-compliance-stds/
Gap Analysis: analysis/scs-scp-gap-analysis.md
## What This Document Is
A consolidated status view of every SCP feature item — formal FRs and backlog — that exists specifically to close a gap identified in the AI governance standards research. Items are organized by compliance domain, not by effort tier.
This is not a project plan. Prioritization against customer discovery is tracked in ROADMAP.md.
## Standards Coverage Summary
The research covers 11 frameworks. These are the ones with direct implications for SCP feature work:
| Standard | Jurisdiction | Most Relevant Requirement | SCP Relevance |
|---|---|---|---|
| EU AI Act | EU | Art. 12 (audit logging), Art. 14 (human oversight), Art. 11 (technical documentation) | Strongest market driver; logging and governance gaps most visible here |
| ISO 42001 | International | Clause 7.5 (documented information), Annex A.6.11 (monitoring), Statement of Applicability | Documentation export and shared responsibility matrix |
| NIST AI RMF | US | MG.2.3 (human oversight), MS.2.7 (post-deployment monitoring), GV.6 (supply chain) | Bias test recording, anomaly alerting |
| HIPAA | US | §164.312(b) (audit controls), Breach Notification Rule, BAA chain | Healthcare sales prerequisites; SIEM export, BAA template |
| CHAI | Healthcare AI | Disaggregated metrics, human review for clinical decisions, drift monitoring | Bias test recording, human oversight routing |
| Singapore Agentic AI Framework | Singapore / APAC | Pre-defined authority scope, escalation triggers, tiered logging for chains | SCP's strongest regulatory alignment story; first-mover opportunity |
| Australia AI Safety Standard | Australia | 10 guardrails, Guardrail 8 (incident response), Guardrail 2 (risk assessment) | Pre-built compliance bundles |
| Colorado SB 24-205 / NY LL 144 | US States | Annual bias audit, disaggregated metrics, published results | Bias test result recording |
## Feature Items by Compliance Domain
### 1. Audit Trail Completeness
Standards drivers: EU AI Act Art. 12, HIPAA §164.312(b), ISO 42001 A.6.11, Singapore Agentic AI Framework, Australia Guardrail 8
SCP's audit trail is its strongest compliance asset. The gaps are in completeness (context-in only; no output-out until recently), configurable retention, and export to external SIEM tools.
#### Output Logging Endpoint
Status: COMPLETE — feat: output logging endpoint (commit f2a2aee)
Caller POSTs agent output linked to a context request ID. Closes the context-in / output-out gap in the audit trail. EU AI Act Art. 12 requires logging events relevant to risk, which includes outputs, not just context delivery.
Standards closed: EU AI Act Art. 12, incident response across all frameworks
Formal FR: Not required — implemented as a targeted endpoint
#### Multi-Agent Chain Correlation
Status: COMPLETE — feat: multi-agent chain correlation (issue #9) (commit ded8ce4)
Accepts and stores a caller-supplied chain ID on context requests. Multi-agent call chains are now traceable through the audit log.
Standards closed: Singapore Agentic AI Framework (tiered logging for consequential decisions), EU AI Act Art. 12 for complex AI pipelines
Formal FR: Not required — partial closure. FR-001 is the full solution when multi-tenant MCP is needed.
#### Audit Log SIEM Export
Status: PARTIAL — SSE audit stream and executive dashboard shipped (commit 9ea647f). Streaming endpoint exists; scheduled batch export to Splunk/Datadog/Elasticsearch not yet built.
Without configurable retention and external export, SCP's audit trail is not reliably compliant with EU AI Act Art. 12 or HIPAA for regulated customers. The data exists; the delivery mechanism is incomplete.
Standards closed: EU AI Act Art. 12 (6-month minimum retention), HIPAA (6-year retention), ISO 42001 A.6.11
Formal FR: Warrants a formal spec — covers both export and the retention configuration below.
Remaining work:
- Configurable retention periods (6 months / 6 years / 10 years) selectable at deploy time
- Scheduled batch export (not just streaming) for Splunk, Datadog, Elasticsearch
- Export format documentation
#### Log Retention Configuration
Status: OPEN
Current defaults are not documented against regulatory requirements. EU AI Act requires 6 months minimum for operational logs; HIPAA requires 6 years for security-related records; EU AI Act Art. 11 requires 10 years for technical documentation.
Standards closed: EU AI Act Art. 12, HIPAA §164.316(b), ISO 42001 Clause 7.5
Formal FR: Roll into the SIEM export FR — they are the same configuration surface.
### 2. Agentic AI Governance
Standards drivers: Singapore Agentic AI Framework (Jan 2026), EU AI Act implementation guidance, ISO 42001
This is SCP's most compelling regulatory alignment story. Singapore's IMDA framework describes exactly what SCP does: pre-defined authority scope, escalation triggers, context integrity validation, tiered logging. SCP is a de facto implementation.
#### FR-001: Tenant-Scoped MCP Control
Status: PROPOSED / SPECCED — Full spec at docs/feature-requests/FR-001-tenant-scoped-mcp.md
Target Version: v0.4
Extends SCP governance to MCP servers — the other side of agent tool calls. Two enforcement layers: tenant isolation (data scoping rules injected into every MCP call) and schema validation (parameter validation against registered tool schemas). Closes the multi-agent chain logging gap fully and is the right vehicle for output-side governance.
Standards closed:
- Singapore Agentic AI Framework: full multi-agent chain logging; context integrity validation
- EU AI Act Art. 12: full provenance chain for complex AI pipelines
- HIPAA: logical access controls, minimum necessary principle (column filtering), audit trail for MCP calls
- SOC 2: logical access separation, monitoring
- GDPR: data minimization (PII masking), access controls
Implementation phases:
- Phase 1 (v0.4.0): Foundation — tenant policies, MCP registry, gateway, schema validation, audit logging (~2.5 weeks)
- Phase 2 (v0.4.1): Enforcement — response validation, violation detection, column filtering, PII masking, circuit breaker (~2 weeks)
- Phase 3 (v0.4.2): Graph integration — policy materialization, graph-based context resolution (~1 week)
- Phase 4 (v0.5.0): Advanced — rate limiting, circuit breaker, HITL queue, monitoring dashboard (~3 weeks)
Trigger: Build when a customer requires it. NexTern or a future healthcare customer needing multi-tenant agent isolation is the likely trigger.
#### Singapore Agentic AI Framework Alignment Document
Status: OPEN — Positioning / No Engineering Required
IMDA's January 2026 framework makes Singapore the first jurisdiction to formally require what SCP provides. An explicit alignment document maps SCP capabilities point-for-point to the framework's requirements. First-mover advantage in APAC; it can be published before a single APAC customer exists.
Standards closed: Singapore IMDA Agentic AI Governance Framework (Jan 2026)
Formal FR: Not required — documentation deliverable.
### 3. Bias & Fairness Testing Integration
Standards drivers: CHAI, NY LL 144, Colorado SB 24-205, NIST AI RMF MS.2.5, EU AI Act Art. 10
The most significant gap in SCP's compliance story. Neither SCS nor SCP conducts bias testing — and this gap cannot be closed architecturally without becoming a different product. The strategic response is to make external bias test results a first-class governance artifact in SCP, not to build testing.
#### Bias Test Result Recording
Status: OPEN
New endpoint: link external bias test results (tool, date, metrics, pass/fail) to an agent + bundle version. A compliance officer running IBM OpenScale, Fiddler AI, or Holistic AI can record the results against the SCP artifact that governed that agent at that version. Turns external testing into a traceable governance record.
This does not close the bias testing gap — SCP never conducts the tests. It does close the documentation and traceability gap, which is what the frameworks require of deployers.
Standards closed: CHAI (audit trails for equity evaluations), NY LL 144 (published audit results), Colorado SB 24-205 (impact assessment records), NIST AI RMF MS.2.5
Formal FR: Warranted — small endpoint but requires a defined data model for test result records.
Scope:
- POST /api/audit/bias-tests — record a test result with: agent_id, bundle_version, test_tool, test_date, demographic_groups_tested, metrics, pass/fail threshold, result
- GET /api/audit/bias-tests?agent_id=X — retrieve test history for an agent
- Linked to context audit log so a specific context delivery can be traced to the bias test that validated it
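An added sketch (not SCP's code) of the data model this FR would need: the record checks that every group tested has a metric, derives pass/fail server-side instead of trusting a caller-supplied verdict, and can be queried by agent or traced back from a context request ID. The metric semantics (favourable-outcome rate per group), the impact-ratio threshold, and all sample values are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class BiasTestRecord:
    """One external bias test result tied to the SCP artifact that governed the agent."""
    agent_id: str
    bundle_version: str
    test_tool: str                          # name of the external tool, as reported by the caller
    test_date: str                          # ISO-8601 date string, as it would arrive in JSON
    demographic_groups_tested: list[str]
    metrics: dict[str, float]               # assumed: favourable-outcome rate per group
    threshold: float                        # assumed: minimum impact ratio to pass (0.8 = four-fifths rule)
    context_request_ids: list[str] = field(default_factory=list)  # audit-log entries this test covers
    impact_ratio: float = field(init=False)
    result: str = field(init=False)

    def __post_init__(self):
        missing = set(self.demographic_groups_tested) - set(self.metrics)
        if missing:
            raise ValueError(f"no metric reported for groups: {sorted(missing)}")
        rates = [self.metrics[g] for g in self.demographic_groups_tested]
        if not rates or max(rates) <= 0:
            raise ValueError("metrics must contain at least one positive rate")
        # Impact ratio = worst-off group's rate / best-off group's rate (hypothetical metric).
        self.impact_ratio = round(min(rates) / max(rates), 4)
        self.result = "pass" if self.impact_ratio >= self.threshold else "fail"


class BiasTestStore:
    """In-memory stand-in for the storage behind POST/GET /api/audit/bias-tests."""
    def __init__(self):
        self._records: list[BiasTestRecord] = []

    def record(self, rec: BiasTestRecord) -> BiasTestRecord:   # POST
        self._records.append(rec)
        return rec

    def history(self, agent_id: str) -> list[BiasTestRecord]:   # GET ?agent_id=X
        return [r for r in self._records if r.agent_id == agent_id]

    def validating_test(self, context_request_id: str):
        """Trace a specific context delivery to the most recent test covering it."""
        for r in reversed(self._records):
            if context_request_id in r.context_request_ids:
                return r
        return None


# Constructed sample: hypothetical agent, tool, groups and rates, not real test output.
SAMPLE = BiasTestRecord(
    agent_id="triage-bot", bundle_version="1.4.0", test_tool="external-fairness-tool",
    test_date="2026-05-20", demographic_groups_tested=["group_a", "group_b", "group_c"],
    metrics={"group_a": 0.62, "group_b": 0.58, "group_c": 0.44}, threshold=0.8,
    context_request_ids=["ctx-0001", "ctx-0002"],
)
```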
### 4. Compliance Documentation
Standards drivers: ISO 42001 Clause 7.5, EU AI Act Art. 11 (10-year retention of technical docs), EU AI Act Art. 13 (instructions for use), NIST AI RMF (model cards)
SCS is fundamentally a documentation system. SCP's registry holds bundle versions and context delivery history. The gap is that neither system generates compliance-formatted output — what's in SCP is documentation infrastructure, not documentation.
#### Compliance Documentation Export
Status: OPEN
Generate structured compliance documentation from SCS bundle configurations and SCP registry state. Specifically: ISO 42001 Statement of Applicability (which Annex A controls are implemented, by which SCDs, at what version) and EU AI Act Art. 13 instructions-for-use template.
This converts SCS from "documentation infrastructure" to "compliance documentation generator." All the data already exists in the control plane.
Standards closed: ISO 42001 Clause 7.5 and Statement of Applicability requirement, EU AI Act Art. 11 and Art. 13
Formal FR: Warranted — needs a defined output format and generation logic.
#### ISO 42001 Shared Responsibility Matrix
Status: OPEN — Positioning / No Engineering Required
For each ISO 42001 Annex A control: which ones SCP satisfies directly, which it supports, and which are the customer's obligation. Mirrors how AWS and Azure publish compliance matrices. Required for enterprise sales conversations with compliance-conscious buyers.
Standards closed: ISO 42001 Annex A (all 38 controls)
Formal FR: Not required — documentation deliverable.
#### EU AI Act Deployer Conformity Support Guide
Status: OPEN — Positioning / No Engineering Required
How deployers using SCP use its audit trail, policy enforcement, and documentation as evidence in their Art. 26 / Art. 9 conformity posture. Makes the shared responsibility model explicit for EU customers.
Standards closed: EU AI Act Art. 9, Art. 12, Art. 26
Formal FR: Not required — documentation deliverable.
### 5. Human Oversight (Output Side)
Standards drivers: EU AI Act Art. 14, CHAI (pre-action human review for clinical decisions), FDA SaMD, NIST AI RMF MG.2.3
SCP handles the input side of human oversight well: intent validation, policy filtering, and operational constraints, where SCDs define what agents can request and set hard limits. The gap is the output side: reviewing what agents produce, capturing reviewer decisions, and routing to human approval before action.
#### Output-Side Human Oversight / Review Routing
Status: OPEN — Requires Scoping (Significant Work)
Route agent outputs to a human reviewer based on rules (intent type, risk level, content flags); capture the reviewer's decision; log it as part of the governance record. Required for healthcare customers where CHAI and FDA require pre-action human review before clinical AI outputs are acted on.
Standards closed: EU AI Act Art. 14 (genuine human oversight), CHAI (human review before clinical action), FDA SaMD (human factors), NIST AI RMF MG.2.3
Formal FR: Required before starting — this is months of work and needs a customer driving it.
Trigger: A healthcare pilot where clinical AI outputs must be reviewed before action. Do not scope or build without a customer requirement.
### 6. Healthcare Compliance Prerequisites
Standards drivers: HIPAA BAA chain, HIPAA Security Rule §164.308(a)(1)
Table-stakes for any healthcare customer. Not optional.
#### Healthcare BAA Template + Security Documentation Package
Status: OPEN
Published BAA template naming SCP as a Business Associate; security architecture document customers can include in their HIPAA risk analysis. Without these, SCP cannot be sold to healthcare customers regardless of its technical capabilities.
Standards closed: HIPAA BAA chain requirement, HIPAA Security Rule risk analysis
Formal FR: Not required — legal/documentation deliverable. Requires legal review.
### 7. Incident Detection
Standards drivers: ISO 42001 A.6.12, NIST AI RMF MG.3, EU AI Act Art. 12, Australia Guardrail 8, CHAI (drift monitoring)
SCP logs every context request. It does not currently monitor for anomalous patterns. The difference: logging is passive (useful after an incident); alerting is active (catches incidents in progress).
#### Native Alerting on Anomalous Context Patterns
Status: OPEN
Alert on: unexpected intent types for a given agent, request rate spikes outside normal patterns, out-of-hours access from agents that normally operate within business hours. Currently achievable via external monitoring on the API; native implementation is more reliable and lower friction for customers.
Standards closed: ISO 42001 A.6.12 (incident management), NIST AI RMF MG.3 (incident detection), EU AI Act Art. 12, Australia Guardrail 8
Formal FR: Warranted when a customer needs it or when SSE audit stream adoption shows customers are building this externally.
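As an added illustration of the three alert conditions listed above (not SCP code), the following runs them over constructed audit records. The record shape, the per-agent baseline (allowed intents, UTC business-hours window, request limit per sliding window) and the sample values are all assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample audit records (hypothetical shape, not real SCP log output);
# timestamps are assumed to be ISO-8601 in UTC.
SAMPLE_LOG = [
    {"ts": "2026-05-04T09:00:00", "agent_id": "triage-bot", "intent": "read_patient_summary"},
    {"ts": "2026-05-04T09:00:05", "agent_id": "triage-bot", "intent": "read_patient_summary"},
    {"ts": "2026-05-04T09:00:07", "agent_id": "triage-bot", "intent": "export_records"},
    {"ts": "2026-05-04T09:00:08", "agent_id": "triage-bot", "intent": "read_patient_summary"},
    {"ts": "2026-05-04T09:00:09", "agent_id": "triage-bot", "intent": "read_patient_summary"},
    {"ts": "2026-05-04T23:30:00", "agent_id": "triage-bot", "intent": "read_patient_summary"},
]

# Assumed per-agent baseline; in practice it would come from the agent's SCD / policy.
BASELINE = {
    "triage-bot": {
        "intents": {"read_patient_summary", "read_lab_results"},
        "hours": (8, 18),          # allowed UTC hours: start inclusive, end exclusive
        "max_per_window": 3,       # more requests than this inside window_seconds is a spike
        "window_seconds": 60,
    }
}


def detect_anomalies(records, baseline):
    """Return (rule, agent_id, ts) alerts for the three conditions, in time order."""
    alerts, windows = [], {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        agent, ts = rec["agent_id"], datetime.fromisoformat(rec["ts"])
        profile = baseline.get(agent)
        if profile is None:                        # no baseline at all: surface it, don't skip it
            alerts.append(("unknown_agent", agent, rec["ts"]))
            continue
        if rec["intent"] not in profile["intents"]:
            alerts.append(("unexpected_intent", agent, rec["ts"]))
        start, end = profile["hours"]
        if not start <= ts.hour < end:
            alerts.append(("out_of_hours", agent, rec["ts"]))
        win = windows.setdefault(agent, deque())   # sliding window of recent request times
        win.append(ts)
        while ts - win[0] > timedelta(seconds=profile["window_seconds"]):
            win.popleft()
        if len(win) > profile["max_per_window"]:   # one alert per request over the limit
            alerts.append(("rate_spike", agent, rec["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG, BASELINE):
        print(*alert)
```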
### 8. Pre-Built Standards Content
Standards drivers: EU AI Act, ISO 42001 Annex A, Australia AI Safety Standard (10 guardrails), NIST AI RMF
Authoring a compliance bundle from scratch requires reading and interpreting the standards — significant friction. Pre-built bundles lower the barrier: a new customer with an EU AI Act obligation deploys the bundle and has a structured starting point rather than an empty SCS instance.
#### Pre-Built Compliance Bundles
Status: OPEN
Package EU AI Act high-risk AI obligations, ISO 42001 Annex A controls, and Australia's 10 guardrails as ready-to-deploy SCS standards bundles. Extend existing HIPAA, CHAI, and NIST bundles with current requirements from the research.
Standards closed: EU AI Act (high-risk AI obligations), ISO 42001 Annex A (all controls), Australia AI Safety Standard (all 10 guardrails)
Formal FR: Not required — content work, not engineering. One or two people with the research docs can produce these.
## Status Summary
| Feature Item | Domain | Status | Standards |
|---|---|---|---|
| Output Logging Endpoint | Audit Trail | DONE | EU AI Act Art. 12 |
| Multi-Agent Chain Correlation | Agentic Governance | DONE | Singapore, EU AI Act |
| SSE Audit Stream | Audit Trail | PARTIAL | EU AI Act, HIPAA, ISO 42001 |
| Log Retention Configuration | Audit Trail | OPEN | EU AI Act, HIPAA, ISO 42001 |
| Audit Log SIEM Export (batch) | Audit Trail | OPEN | EU AI Act, HIPAA, ISO 42001 |
| FR-001: Tenant-Scoped MCP Control | Agentic Governance | SPECCED | Singapore, EU AI Act, HIPAA |
| Singapore Alignment Doc | Positioning | OPEN | Singapore IMDA 2026 |
| Bias Test Result Recording | Bias & Fairness | OPEN | CHAI, NY LL 144, Colorado, NIST |
| Compliance Documentation Export | Documentation | OPEN | ISO 42001, EU AI Act Art. 11/13 |
| ISO 42001 Shared Responsibility Matrix | Positioning | OPEN | ISO 42001 Annex A |
| EU AI Act Conformity Support Guide | Positioning | OPEN | EU AI Act Art. 9/12/26 |
| Output-Side Human Oversight Routing | Human Oversight | OPEN — requires scoping | EU AI Act Art. 14, CHAI, FDA |
| Healthcare BAA Template | Healthcare | OPEN | HIPAA |
| Native Anomaly Alerting | Incident Detection | OPEN | ISO 42001, NIST, Australia |
| Pre-Built Compliance Bundles | Standards Content | OPEN | EU AI Act, ISO 42001, Australia |
## Items That Need Formal FR Specs Before Starting
These are open items with enough scope and design decisions that proceeding without a spec would be wasteful:
- SIEM Export + Log Retention — needs a combined spec covering export format, delivery mechanisms (push vs. pull), and retention policy configuration model
- Bias Test Result Recording — needs a data model for test result records, API design, and link to context audit entries
- Compliance Documentation Export — needs output format definitions (ISO 42001 SoA, EU AI Act Art. 13 template) and generator logic
- Output-Side Human Oversight Routing — do not start without a customer requirement and a dedicated spec; this is the most complex item on the list
Items that do not need formal FRs: documentation deliverables (Singapore alignment doc, ISO 42001 matrix, EU AI Act conformity guide, BAA template, pre-built bundles). These are content work.
Source: ~/Projects/Work/research/docs/ai-compliance-stds/analysis/scs-scp-gap-analysis.md and cross-standard-requirements.md. Review gap analysis before customer sales conversations — it includes positioning guidance and honest scope limits.