📚 412+ Controls · 17 Frameworks · Live Real-Time Scoring

Cloud + AI Compliance Encyclopedia

Attribute-level compliance scoring across AWS, GCP, Azure, and Kubernetes — including the industry-first productized AI Workload Compliance framework mapping NIST AI-RMF + EU AI Act + ISO/IEC 42001 + MITRE ATLAS to your live K8s AI/ML inventory. Live re-scoring within 30 seconds of every cloud change.

19 Frameworks · 412+ Controls · ≤30s Re-score SLA · AI-First: EU AI Act Ready
🤖 Industry-First Productized Framework

AI Workload Compliance — built for the EU AI Act

EU AI Act enforcement starts February 2026 with €35M / 7% global-turnover penalties for high-risk AI systems lacking risk-management evidence. EchelonGraph's Tier 3 K8s watcher catches shadow AI workloads (KServe · Kubeflow · Argo Rollouts · KubeRay · Seldon · Run:ai) the moment they hit your cluster, then auto-maps them to NIST AI-RMF, EU AI Act Articles 9/15/16/17, ISO/IEC 42001, and MITRE ATLAS. No CSV exports. No quarterly snapshots. No competitor ships this productized today.

NIST AI-RMF · EU AI Act Art 9 · EU AI Act Art 15 · EU AI Act Art 16 · EU AI Act Art 17 · ISO/IEC 42001:2023 · MITRE ATLAS
12 controls · live mapped to your K8s
⚡ Live Real-Time Compliance — ≤30s SLA

Every cloud or Kubernetes change fires a signed webhook that triggers an immediate re-score. Compare to traditional CSPM tools running 24-hour crons — EchelonGraph re-scores 4,800× more frequently. Compliance evidence stays accurate between audits, not just on audit day.
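The re-score trigger described above only stays trustworthy if the receiver checks the webhook signature before acting on the event; an unauthenticated endpoint would let anyone force re-scores or inject fake change events. The following is an added example, not EchelonGraph's code, showing one common design for that check: the sender puts a Unix timestamp in an `X-Webhook-Timestamp` header and an HMAC-SHA256 over `"<timestamp>.<body>"` in `X-Webhook-Signature`; the receiver recomputes it, compares in constant time, and rejects stale events. The header names, secret and payload are constructed assumptions, not the product's wire format.

```python
"""Verifying a signed change-notification webhook before triggering a re-score.

Added example (not EchelonGraph's code). Assumed wire format: the sender sends a
Unix timestamp in X-Webhook-Timestamp and "sha256=<hex HMAC-SHA256 over
'<timestamp>.<body>'>" in X-Webhook-Signature. Secret and payload are constructed.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

MAX_SKEW_SECONDS = 300  # events older (or newer) than 5 minutes are treated as replays


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: bind timestamp and body together under one MAC."""
    msg = str(timestamp).encode() + b"." + body
    return "sha256=" + hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: Dict[str, str], body: bytes,
           now: Optional[int] = None) -> bool:
    """Receiver side: freshness window plus constant-time signature comparison."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Webhook-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    expected = sign(secret, ts, body)
    provided = headers.get("X-Webhook-Signature", "")
    # compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(expected, provided)


def handle_change_event(secret: bytes, headers: Dict[str, str], body: bytes,
                        now: Optional[int] = None) -> str:
    """Decide whether an inbound change event may schedule a re-score."""
    if not verify(secret, headers, body, now):
        return "rejected"
    event = json.loads(body)
    # a real receiver would enqueue a re-score for this provider/account here
    return f"rescore:{event['provider']}:{event['account']}"


# Constructed sample event: an AWS security-group change notification.
SECRET = b"example-shared-secret"  # constructed; use a random 32-byte secret in practice
BODY = json.dumps({"provider": "aws", "account": "123456789012",
                   "change": "SecurityGroupIngress"}).encode()
TS = 1_700_000_000
GOOD_HEADERS = {"X-Webhook-Timestamp": str(TS),
                "X-Webhook-Signature": sign(SECRET, TS, BODY)}

if __name__ == "__main__":
    print(handle_change_event(SECRET, GOOD_HEADERS, BODY, now=TS + 5))
    tampered = BODY.replace(b"123456789012", b"999999999999")
    print(handle_change_event(SECRET, GOOD_HEADERS, tampered, now=TS + 5))
    print(handle_change_event(SECRET, GOOD_HEADERS, BODY, now=TS + 3600))
```

The timestamp is part of the signed message, so an attacker cannot take a captured event and refresh its timestamp; the skew window bounds how long a captured event remains replayable at all.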

≤30s Re-score SLA · 4800× vs daily cron

Categories: AI Governance · AI Threat Modelling · AI Application Security · Cloud Security · Audit Framework · International Standard · Industry Regulation · Privacy Regulation · Government Standard

What's Inside Each Control Page

Every control in this encyclopedia goes far beyond documentation. Each page is a complete security reference designed for security engineers, compliance managers, and auditors.

Real-World Attack Scenarios

Detailed narratives of how each control has been exploited in real breaches — Capital One, SolarWinds, Uber, Anthem, and more. Understand the exact attack chain so you can prioritize remediation.

Cost of Non-Compliance

Dollar-figure consequences with real case studies: GDPR fines (Amazon €746M, British Airways £20M), HIPAA settlements (Anthem $16M), PCI penalties ($5K–$500K/month), and average breach costs per control category.

Terraform & IaC Fixes

Copy-paste Terraform code blocks for every CIS Benchmark control. Includes resource configurations for GCP, AWS, and Azure with security best practices baked in — not just documentation, but deployable infrastructure.

MITRE ATT&CK Mapping

Every control maps to specific MITRE ATT&CK techniques (T1078, T1190, T1530, etc.) enabling threat-informed defense. Use these mappings to connect compliance requirements to your threat model.

Auditor Questions

The exact questions SOC 2 auditors, ISO 27001 certification bodies, PCI QSAs, and HIPAA OCR investigators will ask. Prepare evidence before the audit, not during it.

Effort Estimates

Side-by-side comparison of manual remediation effort vs. automated detection with EchelonGraph. Typical savings: 40+ hours of manual IAM review reduced to 60-second automated scan.

Control Severity Breakdown

77 critical · 218 high · 111 medium

Framework Coverage

Framework | Controls | Clouds | Key Areas
🔷 CIS GCP | 24 | GCP | IAM, networking, logging, storage, databases, compute, GKE, Cloud Run, KMS
🟠 CIS AWS | 35 | AWS | Root MFA, S3 public access, CloudTrail, Security Groups, RDS, IMDSv2
🔵 CIS Azure | 10 | Azure | Azure AD MFA, NSG rules, Blob Storage, SQL encryption, AKS RBAC
☸️ CIS Kubernetes | 26 | Kubernetes (any cloud) | 5.1.1 Cluster-admin, 5.1.5 Default SA tokens, 5.2.1 Privileged, 5.2.4 hostNetwork, 5.3.2 NetworkPolicy, 5.7.3 runAsNonRoot
🛡️ SOC 2 | 33 | AWS · GCP · Azure | CC6.1 Access, CC6.6 Network, CC7.2 Monitoring, CC7.5 Recovery
📋 ISO 27001 | 36 | AWS · GCP · Azure | A.5.1 Policies, A.8.2 Privileged Access, A.8.24 Cryptography, A.8.25 Secure SDLC
🏥 HIPAA | 21 | AWS · GCP · Azure | §164.312 Access, Encryption, Audit Controls, Authentication, Transmission Security
💳 PCI DSS | 27 | AWS · GCP · Azure | CDE segmentation, Default creds, PAN encryption, TLS, MFA, Audit trails
🇪🇺 GDPR | 23 | AWS · GCP · Azure | Art 5 Principles, Art 25 Privacy by Design, Art 32 Security, Art 33 Breach Notification
🏛️ NIST 800-53 | 41 | AWS · GCP · Azure | AC-2 Accounts, AC-6 Least Privilege, CM-6 Configuration, SC-7 Boundary, SI-4 Monitoring
🔒 Pod Security Standards | 10 | Kubernetes (any cloud) | Privileged · Baseline · Restricted profile compliance against live Pod posture flags
🤖 AI Workload Compliance | 9 | AWS · GCP · Azure · Kubernetes | NIST AI-RMF · EU AI Act Art 9/15/16/17 · ISO 42001 · MITRE ATLAS shadow AI detection
🇮🇳 DPDP Act | 20 | All | India's comprehensive data-protection regulation, enacted August 2023. Applies to processing of digital personal data within India + cross-border processing of data principals in India. Penalty up to ₹250 crore per violation. The dominant privacy regulation for the world's most populous market.
🇰🇷 ISMS-P | 22 | All | Korea's combined information security + privacy certification managed by KISA (Korea Internet & Security Agency). Mandatory for many Korean industries; voluntary for others. Penalty: up to 3% of annual revenue (proposed amendments to 10% to align with GDPR).
🤖 NIST AI-RMF | 18 | All | National Institute of Standards and Technology Artificial Intelligence Risk Management Framework (NIST AI-RMF 1.0). Four functions — Govern, Map, Measure, Manage — providing voluntary guidance for trustworthy AI development and deployment. The de-facto reference standard cited by US federal AI Executive Order 14110 and state-level AI laws.
🇪🇺 EU AI Act | 18 | All | The world's first comprehensive AI regulation. High-risk AI system obligations under Articles 9-17 begin enforcement on August 2, 2026. Penalties up to €35M or 7% of global annual revenue — more punitive than GDPR. Extraterritorial reach: applies to any provider, deployer, importer, or distributor whose AI output reaches the EU market.
📐 ISO/IEC 42001 | 15 | All | The first international management-system standard for artificial intelligence. Provides a certifiable framework for organisations developing, providing, or using AI systems. Modelled on ISO/IEC 27001's structure (Clauses 4-10) so organisations with a mature ISMS can extend to an AI management system with the familiar PDCA + continual improvement cadence.
🎯 MITRE ATLAS | 12 | All | MITRE ATLAS catalogues adversarial tactics, techniques, and case studies specific to AI/ML systems. The AI counterpart to MITRE ATT&CK, ATLAS provides the structured taxonomy security teams need to threat-model AI workloads. Used by NIST AI-RMF, EU AI Act guidance, and OWASP LLM Top 10 as the canonical adversarial-ML reference.
🧠 OWASP LLM Top 10 | 12 | All | OWASP's specialised Top 10 for Large Language Model applications. The de-facto checklist for any product team shipping LLM-backed features. Maps to EU AI Act Article 15 cybersecurity requirements + MITRE ATLAS adversarial techniques + NIST AI-RMF MEASURE controls. Updated quarterly by the OWASP GenAI Project working group.
⚙️ How We Score Compliance

Every compliance score in EchelonGraph is derived from real infrastructure signals — not questionnaires or self-assessments. Our scoring engine runs pure-function evaluators against your actual cloud state on every scan cycle. Below is the exact mapping of every control to its automated check.

🔧 Infrastructure Check
🔑 IAM & Access Check
📋 Procedural / Maturity
Custom Logic

Scoring Formula

Score % = (Pass + Partial × 0.5) ÷ Total Controls × 100

Each control produces one of four verdicts: Pass (1.0), Fail (0.0), Partial (0.5), or N/A (excluded from denominator). Scores are computed independently per cloud provider.

🛡️ SOC 2 Type II

17 controls · 7 infra checks · 9 maturity-based
Control | What It Checks | Infrastructure Signal | Verdict Logic
CC1.1 Ethics & Code of Conduct | 📋 Maturity | Organisational governance control | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
CC1.2 Board Independence | 📋 Maturity | Organisational governance control | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
CC2.1 Security Policy Library | 📋 Maturity | Organisational governance control | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
CC3.1 Risk Assessment | 🔧 Infrastructure | Checks total asset count > 0 | Assets under scan · No cloud accounts connected
CC4.1 Continuous Monitoring | 🔧 Infrastructure | Checks total asset count > 0 | Assets under scan · No cloud accounts connected
CC5.1 Network Segmentation | 🔧 Infrastructure | VPC count + firewall rule count | VPC + firewall both present · Missing VPC or firewall
CC5.2 Segregation of Duties | 📋 Maturity | IaC + PR review workflow | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
CC6.1 MFA & Authentication | 🔑 IAM & Access | IAM user + service account count | IAM users found — verify MFA · No IAM identities
CC6.2 Access Provisioning | 📋 Maturity | Onboarding workflow | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
CC6.3 Access Removal | 📋 Maturity | Offboarding workflow | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
CC6.6 Firewall Posture | 🔧 Infrastructure | Scans for 0.0.0.0/0 ingress rules | No broad rules · Over-permissive rules detected
CC6.7 TLS Enforcement | 🔧 Infrastructure | LB, DB, compute TLS posture | TLS enforced across services · TLS not verified
CC6.8 Threat Detection | 🔧 Infrastructure | GuardDuty / SCC / Defender presence | Threat detection active · Not detected
CC7.1 Audit Logging | 🔧 Infrastructure | CloudTrail / Audit Logs / Activity Log | Audit logging enabled · Audit logging not verified
CC7.2 Incident Response | 📋 Maturity | IR runbook existence | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
CC8.1 Change Management | 📋 Maturity | CI/CD + PR review pipeline | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
CC9.1 Vendor Risk | 📋 Maturity | Vendor risk register | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
🇪🇺 GDPR

12 controls · 2 infra checks · 9 maturity-based
Control | What It Checks | Infrastructure Signal | Verdict Logic
Art5 Lawful Basis | 📋 Maturity | Records of Processing Activities (RoPA) | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
Art6 Lawful Basis Mapping | 📋 Maturity | Article 6 legal basis per processing activity | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
Art7 Consent Management | 📋 Maturity | Consent UI + withdrawal records | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
Art12 Privacy Notice | 📋 Maturity | Public privacy notice + DSAR procedure | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
Art15 DSAR Procedure | 📋 Maturity | Subject access request portal, 30-day SLA | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
Art17 Right to Erasure | 📋 Maturity | Cascading delete + backup retention policy | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
Art25 Privacy by Design | 🔧 Infrastructure | Has object_storage or managed_database with encryption | Encryption at rest verified · No storage resources
Art30 Records of Processing | 📋 Maturity | RoPA register maintained | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
Art32 Security of Processing | 🔧 Infrastructure | Has object_storage or managed_database with encryption | Encryption at rest verified · No storage resources
Art33 Breach Notification | 📋 Maturity | 72-hour notification runbook | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
Art35 DPIA Template | 📋 Maturity | Data Protection Impact Assessment template | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
Art44 Cross-Border Transfers | Custom Logic | Cloud region metadata | Region known — verify adequacy · Region info unavailable
🏛️ ISO 27001:2022

14 controls · 3 infra checks · 7 maturity-based
Control | What It Checks | Infrastructure Signal | Verdict Logic
A5.1 Info Security Policy | 📋 Maturity | Organisational governance | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
A5.2 Roles & Responsibilities | 📋 Maturity | Documented security roles | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
A6.1 Background Checks | 📋 Maturity | HR security control | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
A6.2 Employment Terms | 📋 Maturity | HR security control | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
A7.1 Physical Security | 📋 Maturity | Inherited from cloud provider attestations | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
A7.2 Physical Entry Controls | 📋 Maturity | Inherited from cloud provider attestations | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
A8.1 Endpoint Management | Custom Logic | compute_instance + serverless_function count | Managed compute inventoried · No managed compute
A8.2 Privileged Access | 🔑 IAM & Access | IAM principal analysis for over-privilege | No broad IAM · Over-privileged accounts · No IAM
A8.3 Access Restriction | 🔑 IAM & Access | IAM principal analysis | No broad IAM · Over-privileged accounts · No IAM
A8.4 Source Code Access | 📋 Maturity | IdP-federated git host | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
A8.5 Secure Authentication | 🔑 IAM & Access | IAM user + service account count | IAM users found — verify MFA · No IAM identities
A8.9 Configuration Mgmt | 🔧 Infrastructure | Checks for default/unhardened firewall rules | No default rules remain · Default vendor configs detected · No firewall rules
A8.20 Network Security | 🔧 Infrastructure | VPC + firewall rule presence | Network segmented · Segmentation gap
A8.24 Cryptography | 🔧 Infrastructure | KMS keys, encryption + TLS posture | KMS or default encryption active · Manual review needed
🏥 HIPAA Security Rule

5 controls · 1 infra check · 1 maturity-based
Control | What It Checks | Infrastructure Signal | Verdict Logic
164.312(a) ePHI Access Control | Custom Logic | managed_database behind VPC + firewall | DB isolated in VPC · DB without network isolation · No databases
164.312(c) ePHI Integrity | Custom Logic | managed_database with point-in-time recovery | Integrity controls present · No databases
164.312(d) Person Authentication | 🔑 IAM & Access | IAM user + service account count | IAM users found — verify MFA · No IAM identities
164.312(e) Transmission Security | 🔧 Infrastructure | LB, DB, compute TLS enforcement | TLS enforced · TLS not verified
164.308(a)(1) Risk Analysis | 📋 Maturity | Annual ePHI risk analysis | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
💳 PCI DSS 4.0

12 controls · 6 infra checks · 4 maturity-based
Control | What It Checks | Infrastructure Signal | Verdict Logic
Req1 Network Segmentation | 🔧 Infrastructure | VPC + firewall rule presence | CDE segmented · Segmentation gap
Req2 Default Configs | 🔧 Infrastructure | Checks for unhardened default firewall rules | No defaults remain · Default vendor configs · No firewall rules
Req3 Stored Data Protection | 🔧 Infrastructure | Storage/DB encryption-at-rest posture | Encryption verified · No storage
Req4 Transit Encryption | 🔧 Infrastructure | LB, DB, compute TLS enforcement | TLS enforced · TLS not verified
Req5 Malware Protection | 🔧 Infrastructure | GuardDuty / SCC / Defender presence | Active · Not detected
Req6 Secure Development | 📋 Maturity | SAST + dependency scanning pipeline | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
Req7 Access Restriction | 🔑 IAM & Access | IAM privilege analysis | No broad IAM · Over-privileged · No IAM
Req8 Authentication | 🔑 IAM & Access | IAM user + service account count | Verify MFA · No IAM
Req9 Physical Access | 📋 Maturity | Inherited from cloud provider | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
Req10 Audit Trails | 🔧 Infrastructure | CloudTrail / Audit Logs / Activity Log | Logging enabled · Logging not verified
Req11 Vulnerability Testing | 📋 Maturity | Quarterly ASV + annual pen-test | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
Req12 Security Policy | 📋 Maturity | Information security policy document | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
🏛️ NIST CSF 2.0

21 controls · 5 infra checks · 11 maturity-based
Control | What It Checks | Infrastructure Signal | Verdict Logic
GV.OC-01 Organisational Context | 📋 Maturity | Governance framework | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
GV.RM-01 Risk Strategy | 📋 Maturity | Risk management programme | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
GV.SC-01 Supply Chain Risk | 📋 Maturity | Third-party risk programme | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
ID.AM-01 Hardware Inventory | Custom Logic | Total asset count across all types | Assets inventoried · No assets connected
ID.AM-02 Software Inventory | Custom Logic | compute + serverless + k8s count | Software platforms inventoried · No platforms detected
ID.RA-01 Vulnerability Scanning | Custom Logic | Total asset count under CVE matching | Under continuous scan · No assets to scan
ID.RA-02 Threat Intelligence | 📋 Maturity | NVD + MITRE ATT&CK feed subscription | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
PR.AA-01 Identity Management | 🔑 IAM & Access | IAM privilege analysis | No broad IAM · Over-privileged · No IAM
PR.AA-03 MFA | 🔑 IAM & Access | IAM user + service account count | Verify MFA · No IAM
PR.DS-01 Data-at-Rest | 🔧 Infrastructure | Storage/DB encryption posture | Encrypted · No storage
PR.DS-02 Data-in-Transit | 🔧 Infrastructure | TLS enforcement across services | TLS enforced · TLS not verified
PR.PS-01 Config Management | 🔧 Infrastructure | Default firewall rule detection | Hardened · Default configs · No rules
PR.IR-01 Incident Response Plan | 📋 Maturity | IR plan document | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
DE.CM-01 Network Monitoring | 🔧 Infrastructure | Audit logging posture | Logging on · Not verified
DE.CM-06 Activity Monitoring | 🔧 Infrastructure | Audit logging posture | Logging on · Not verified
DE.AE-02 Anomaly Analysis | 📋 Maturity | Anomaly playbooks | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
RS.MA-01 Incident Management | 📋 Maturity | Incident workflow | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
RS.CO-02 Regulatory Notification | 📋 Maturity | Notification templates | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
RS.MI-01 Containment | 📋 Maturity | Containment playbooks | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
RC.RP-01 Recovery Planning | 📋 Maturity | Backup + restore drill cadence | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
RC.CO-01 Recovery Comms | 📋 Maturity | Recovery communication templates | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
🇮🇳 DPDP Act (India)

10 controls · 0 infra checks · 8 maturity-based
Control | What It Checks | Infrastructure Signal | Verdict Logic
DPDP-1 Lawful Purpose | 📋 Maturity | Records of Processing Activities | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
DPDP-2 Privacy Notice | 📋 Maturity | Public privacy notice | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
DPDP-3 Consent Management | 📋 Maturity | Consent platform | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
DPDP-4 Data Accuracy | 📋 Maturity | Reconciliation jobs | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
DPDP-5 Data Retention | 📋 Maturity | Lifecycle + retention policy | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
DPDP-6 Security Safeguards | Custom Logic | Encryption-at-rest + TLS-in-transit posture | Both verified · Incomplete safeguards
DPDP-7 Breach Response | 📋 Maturity | DPB notification runbook | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
DPDP-8 Data Principal Rights | 📋 Maturity | Self-service rights portal | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
DPDP-9 Cross-Border Transfer | Custom Logic | Cloud region metadata | Region known · Region unavailable
DPDP-10 Children's Data | 📋 Maturity | Age-gating + parental consent | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
☸️ CIS Kubernetes Benchmark v1.9

7 controls · 5 infra checks · 0 maturity-based
Control | What It Checks | Infrastructure Signal | Verdict Logic
CIS-K8S-5.1.1 Cluster-admin minimised | 🔑 IAM & Access | ClusterRoleBinding subjects + non_system_subject_count attributes from live watcher | No non-system subject bound to cluster-admin · Broad CRBs detected · No K8s cluster
CIS-K8S-5.1.5 Default SA tokens not auto-mounted | 🔑 IAM & Access | ServiceAccount.AutomountServiceAccountToken posture attribute | default SA tokens disabled · Default SAs auto-mount tokens · No K8s cluster
CIS-K8S-5.2.1 Privileged containers minimised | 🔧 Infrastructure | Pod priv_count attribute (containers[].securityContext.privileged) | No privileged Pods · Privileged Pods detected · No K8s cluster
CIS-K8S-5.2.4 hostNetwork minimised | 🔧 Infrastructure | Pod host_network posture attribute | No hostNetwork Pods · hostNetwork Pods detected · No K8s cluster
CIS-K8S-5.2.5 hostPID minimised | 🔧 Infrastructure | Pod host_pid posture attribute | No hostPID Pods · hostPID Pods detected · No K8s cluster
CIS-K8S-5.3.2 NetworkPolicy on every namespace | 🔧 Infrastructure | Live correlation of K8S_NAMESPACE × K8S_NETWORKPOLICY assets | Every namespace covered · Namespaces without NetPol detected · No K8s cluster
CIS-K8S-5.7.3 runAsNonRoot enforced | 🔧 Infrastructure | Pod runasnonroot_count vs container_count posture | runAsNonRoot on every container · Containers running as root · No K8s cluster
🔒 Pod Security Standards

3 controls · 0 infra checks · 0 maturity-based
Control | What It Checks | Infrastructure Signal | Verdict Logic
PSS-Privileged Privileged tier | Custom Logic | Always informational — unrestricted policy in effect | Privileged tier acknowledged (low severity) · No K8s cluster
PSS-Baseline Baseline tier | Custom Logic | Aggregate priv_count + host_network + host_pid violations | Baseline policies satisfied · Baseline violations: priv/hostNet/hostPID · No K8s cluster
PSS-Restricted Restricted tier | Custom Logic | Aggregate Baseline checks + runasnonroot + default-SA automount | Restricted policies satisfied · Restricted violations detected · No K8s cluster
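The CIS Kubernetes rows and the Pod Security Standards tiers above all reduce to a few posture attributes per object (priv_count, host_network, host_pid, runasnonroot_count vs container_count, non_system_subject_count, default-SA automount, namespace × NetworkPolicy coverage), and the PSS tiers are aggregates of those same attributes. The following is an added example, not EchelonGraph's code, that flattens Kubernetes API objects (plain dicts in the API's JSON shape) into those attributes and derives Pass / Fail / N/A verdicts. Two details are assumptions of this example rather than statements from the page: a subject whose name does not start with `system:` is treated as non-system, and every namespace in the snapshot (including system namespaces) is expected to carry a NetworkPolicy. The sample cluster is constructed.

```python
"""Posture evaluators for the CIS Kubernetes and Pod Security Standards rows.

Added example (not EchelonGraph's code). Input objects are dicts shaped like
Kubernetes API JSON. Assumptions: subjects not prefixed "system:" are non-system;
every namespace in the snapshot must carry at least one NetworkPolicy.
"""
from typing import Dict, List

PASS, FAIL, NA = "Pass", "Fail", "N/A"
CONTROLS = ["CIS-K8S-5.1.1", "CIS-K8S-5.1.5", "CIS-K8S-5.2.1", "CIS-K8S-5.2.4",
            "CIS-K8S-5.2.5", "CIS-K8S-5.3.2", "CIS-K8S-5.7.3",
            "PSS-Baseline", "PSS-Restricted"]


def pod_posture(pod: dict) -> dict:
    """Flatten one Pod into the posture attributes the controls consume."""
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext") or {}
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    priv = nonroot = 0
    for c in containers:
        ctx = c.get("securityContext") or {}
        if ctx.get("privileged") is True:
            priv += 1
        # a container-level runAsNonRoot overrides the Pod-level setting
        effective = ctx.get("runAsNonRoot")
        if effective is None:
            effective = pod_ctx.get("runAsNonRoot")
        if effective is True:
            nonroot += 1
    return {
        "namespace": pod["metadata"].get("namespace", "default"),
        "priv_count": priv,
        "host_network": bool(spec.get("hostNetwork", False)),
        "host_pid": bool(spec.get("hostPID", False)),
        "runasnonroot_count": nonroot,
        "container_count": len(containers),
    }


def non_system_subject_count(crb: dict) -> int:
    """Subjects bound to cluster-admin that are not Kubernetes system identities."""
    if crb.get("roleRef", {}).get("name") != "cluster-admin":
        return 0
    return sum(1 for s in crb.get("subjects", [])
               if not s.get("name", "").startswith("system:"))


def evaluate(cluster: dict) -> Dict[str, str]:
    """One verdict per control for a snapshot of cluster objects (empty dict = no cluster)."""
    if not cluster:
        return {c: NA for c in CONTROLS}
    pods = [pod_posture(p) for p in cluster.get("pods", [])]
    broad_crbs = sum(non_system_subject_count(b) for b in cluster.get("clusterrolebindings", []))
    # automountServiceAccountToken is true when the field is absent
    default_sa_automount = [sa for sa in cluster.get("serviceaccounts", [])
                            if sa["metadata"]["name"] == "default"
                            and sa.get("automountServiceAccountToken", True)]
    namespaces = {ns["metadata"]["name"] for ns in cluster.get("namespaces", [])}
    covered = {np["metadata"]["namespace"] for np in cluster.get("networkpolicies", [])}
    baseline_violations = [p for p in pods if p["priv_count"] or p["host_network"] or p["host_pid"]]
    root_containers = [p for p in pods if p["runasnonroot_count"] < p["container_count"]]

    def verdict(ok: bool) -> str:
        return PASS if ok else FAIL

    return {
        "CIS-K8S-5.1.1": verdict(broad_crbs == 0),
        "CIS-K8S-5.1.5": verdict(not default_sa_automount),
        "CIS-K8S-5.2.1": verdict(not any(p["priv_count"] for p in pods)),
        "CIS-K8S-5.2.4": verdict(not any(p["host_network"] for p in pods)),
        "CIS-K8S-5.2.5": verdict(not any(p["host_pid"] for p in pods)),
        "CIS-K8S-5.3.2": verdict(namespaces <= covered),
        "CIS-K8S-5.7.3": verdict(not root_containers),
        "PSS-Baseline": verdict(not baseline_violations),
        "PSS-Restricted": verdict(not baseline_violations and not root_containers
                                  and not default_sa_automount),
    }


# Constructed sample snapshot: one hardened namespace, one with several gaps.
SAMPLE_CLUSTER = {
    "namespaces": [{"metadata": {"name": "payments"}}, {"metadata": {"name": "ml-serving"}}],
    "networkpolicies": [{"metadata": {"namespace": "payments", "name": "default-deny"}}],
    "serviceaccounts": [
        {"metadata": {"name": "default", "namespace": "payments"}, "automountServiceAccountToken": False},
        {"metadata": {"name": "default", "namespace": "ml-serving"}},
    ],
    "clusterrolebindings": [
        {"metadata": {"name": "cluster-admin"}, "roleRef": {"name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
        {"metadata": {"name": "dev-admins"}, "roleRef": {"name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "dev-team"}]},
    ],
    "pods": [
        {"metadata": {"name": "api", "namespace": "payments"},
         "spec": {"securityContext": {"runAsNonRoot": True},
                  "containers": [{"name": "api", "securityContext": {}}]}},
        {"metadata": {"name": "debug", "namespace": "ml-serving"},
         "spec": {"hostPID": True,
                  "containers": [{"name": "shell", "securityContext": {"privileged": True}}]}},
    ],
}

if __name__ == "__main__":
    for control, result in evaluate(SAMPLE_CLUSTER).items():
        print(f"{control}: {result}")
```

Because the verdicts are pure functions of the snapshot, the same code runs unchanged whether the snapshot comes from a one-off `kubectl get -o json` dump or from a watcher event stream, which is what makes re-scoring on every change cheap.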
🤖 AI Workload Compliance

12 controls · 1 infra check · 3 maturity-based
Control | What It Checks | Infrastructure Signal | Verdict Logic
AIRMF-MAP-1.1 AI System Inventory | Custom Logic | Live CRD watch on KServe / Kubeflow / Argo / Ray / Seldon / Run:ai | AI workloads inventoried · No AI/ML workloads detected
AIRMF-MEASURE-2.7 AI Continuous Monitoring | Custom Logic | Same inventory signal + ≤30s notify webhook re-scoring SLA | Continuous monitoring active · No AI/ML workloads detected
AIRMF-MANAGE-1.4 AI Cybersecurity Controls | Custom Logic | Strict-ZK Secret inventory + customer-managed encryption posture | Strict-ZK Secret scan + BYOK active · No K8s cluster
AIRMF-GOVERN-1.4 AI Acceptable Use Policy | 📋 Maturity | AI usage policy + guardrails (organisational) | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
EU-AIACT-ART9 AI Risk Management | Custom Logic | Live AI workload inventory + risk classification | AI risk-mgmt evidence captured · No AI/ML workloads detected
EU-AIACT-ART15 AI Cybersecurity Resilience | Custom Logic | Strict-ZK Secret inventory + secret rotation evidence | Cybersecurity controls verified · No K8s cluster
EU-AIACT-ART16 AI Access Control | 🔑 IAM & Access | K8s broad-CRB detection scoped to AI namespaces | Least-privilege RBAC verified · Broad CRBs on AI namespace · No K8s cluster
EU-AIACT-ART17 AI Audit Logging | 🔧 Infrastructure | Cloud audit-log presence on AI workload's host cloud | Audit logging enabled · Audit logging gaps · No AI workloads or no cloud audit_log asset
ISO42001-7.4 AI Management System Documentation | 📋 Maturity | Documented AI management system per ISO/IEC 42001:2023 | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
ISO42001-8.2 AI Workload RBAC | 🔑 IAM & Access | Same K8s broad-RBAC signal — adds ISO 42001 framework dimension | Least-privilege RBAC · Broad CRBs · No K8s cluster
ISO42001-8.4 AI Image Registry Policy | 📋 Maturity | AI workload container images sourced from approved registries | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
MITRE-ATLAS-AML.T0011 Shadow AI Detection | Custom Logic | Live CRD watch flags unauthorised KServe / Kubeflow / Ray / Seldon CRDs | AI workloads detected and audited · No AI/ML workloads detected
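The inventory and shadow-AI rows above share one signal: the custom resources the watcher sees, classified by the API group that owns them. The following is an added example, not EchelonGraph's code, showing how that classification and the resulting AIRMF-MAP-1.1 and MITRE-ATLAS-AML.T0011 verdicts can be derived. The API groups used are the real ones for KServe (`serving.kserve.io`), Kubeflow (`kubeflow.org`), KubeRay (`ray.io`), Seldon (`machinelearning.seldon.io`) and Argo Rollouts (`argoproj.io`, `Rollout` kind only); Run:ai is not mapped here. The approved-namespace allowlist, the sample resources, and the choice to return N/A when no AI workloads exist and Fail when a workload sits outside an approved namespace are this example's assumptions.

```python
"""AI/ML workload inventory and shadow-AI detection from custom resources.

Added example (not EchelonGraph's code). Resources are dicts in Kubernetes API
JSON shape. The allowlist, sample resources and the N/A / Fail verdict mapping
are assumptions of this example.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set

# API group -> framework. These are the groups the projects actually register.
AI_API_GROUPS = {
    "serving.kserve.io": "KServe",
    "kubeflow.org": "Kubeflow",
    "ray.io": "KubeRay",
    "machinelearning.seldon.io": "Seldon",
    "argoproj.io": "Argo Rollouts",
}


def classify(resource: dict) -> Optional[str]:
    """Return the AI framework owning a resource, or None for non-AI objects."""
    group = resource.get("apiVersion", "").split("/")[0]
    kind = resource.get("kind", "")
    # Argo Workflows and Argo CD share the argoproj.io group; only Rollouts are in scope
    if group == "argoproj.io" and kind != "Rollout":
        return None
    return AI_API_GROUPS.get(group)


def inventory(resources: List[dict], approved_namespaces: Set[str]) -> dict:
    """Group AI resources by namespace and flag those outside the approved set."""
    by_ns: Dict[str, List[dict]] = defaultdict(list)
    shadow: List[dict] = []
    for r in resources:
        framework = classify(r)
        if framework is None:
            continue
        ns = r["metadata"].get("namespace", "default")
        entry = {"framework": framework, "kind": r["kind"], "name": r["metadata"]["name"]}
        by_ns[ns].append(entry)
        if ns not in approved_namespaces:
            shadow.append({"namespace": ns, **entry})
    return {"workloads": dict(by_ns), "shadow": shadow}


def verdicts(inv: dict) -> Dict[str, str]:
    """Inventory control passes once anything is inventoried; shadow control fails on any unapproved workload."""
    total = sum(len(v) for v in inv["workloads"].values())
    if total == 0:
        return {"AIRMF-MAP-1.1": "N/A", "MITRE-ATLAS-AML.T0011": "N/A"}
    return {
        "AIRMF-MAP-1.1": "Pass",
        "MITRE-ATLAS-AML.T0011": "Fail" if inv["shadow"] else "Pass",
    }


# Constructed sample: what a watcher might see across a few namespaces.
SAMPLE_RESOURCES = [
    {"apiVersion": "serving.kserve.io/v1beta1", "kind": "InferenceService",
     "metadata": {"name": "fraud-model", "namespace": "ml-serving"}},
    {"apiVersion": "argoproj.io/v1alpha1", "kind": "Rollout",
     "metadata": {"name": "fraud-model-canary", "namespace": "ml-serving"}},
    {"apiVersion": "ray.io/v1", "kind": "RayCluster",
     "metadata": {"name": "scratch", "namespace": "data-science-sandbox"}},
    {"apiVersion": "kubeflow.org/v1", "kind": "PyTorchJob",
     "metadata": {"name": "finetune", "namespace": "research"}},
    {"apiVersion": "argoproj.io/v1alpha1", "kind": "Workflow",
     "metadata": {"name": "nightly-build", "namespace": "ci"}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "frontend", "namespace": "web"}},
]
APPROVED_AI_NAMESPACES = {"ml-serving"}

if __name__ == "__main__":
    inv = inventory(SAMPLE_RESOURCES, APPROVED_AI_NAMESPACES)
    for item in inv["shadow"]:
        print("shadow AI:", item)
    print(verdicts(inv))
```

Classifying by API group rather than by image name or label keeps the detection independent of how teams name their workloads, which is the property a shadow-AI check needs.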
🇰🇷 ISMS-P (Korea)

16 controls · 2 infra checks · 11 maturity-based
Control | What It Checks | Infrastructure Signal | Verdict Logic
ISMS-1.1 ISMS Scope & Policy | 📋 Maturity | ISMS scope definition | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
ISMS-1.2 Risk Assessment | 📋 Maturity | Annual risk assessment | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
ISMS-2.1 Security Policy | 📋 Maturity | Information security policy | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
ISMS-2.2 Security Org | 📋 Maturity | Security organisation chart | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
ISMS-2.3 HR Security | 📋 Maturity | Background checks + training | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
ISMS-2.4 Asset Management | Custom Logic | Total asset count + type diversity | Assets classified · No assets identified
ISMS-2.5 Access Control | 🔑 IAM & Access | IAM user + service account count | Verify MFA · No IAM
ISMS-2.6 Cryptography | 🔧 Infrastructure | KMS, encryption, TLS posture | Crypto controls active · Manual review needed
ISMS-2.7 Physical Security | 📋 Maturity | Inherited from cloud provider | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
ISMS-2.8 Operations | 📋 Maturity | Operations runbooks | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
ISMS-2.9 Network Security | 🔧 Infrastructure | VPC + firewall rule presence | Segmented · Gap detected
ISMS-2.10 Secure SDLC | 📋 Maturity | Secure development lifecycle | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
ISMS-P.1 PI Protection Policy | 📋 Maturity | Personal information protection | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
ISMS-P.2 Consent Mgmt | 📋 Maturity | Consent platform | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
ISMS-P.3 Data Lifecycle | 📋 Maturity | Retention + disposal | ≥50 assets + ≥6 types · <50 assets or <6 types · 0 assets
ISMS-P.4 Cross-Border Transfer | Custom Logic | Cloud region metadata | Region known · Region unavailable

📋 How Procedural / Maturity Scoring Works

Organisational controls (code of conduct, incident response, consent management) cannot be fully validated by infrastructure scans alone. Instead, we use your cloud infrastructure footprint as a maturity proxy:

Verdict | Threshold | Interpretation
N/A | 0 assets | No cloud infrastructure to evaluate
Partial | < 50 assets or < 6 types | Early-stage infrastructure, document processes manually
Pass | ≥ 50 assets + ≥ 6 types | Production-grade deployment implies mature processes
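The maturity proxy just described and the scoring formula from the top of this section (Score % = (Pass + Partial × 0.5) ÷ Total Controls × 100, N/A excluded, scored independently per provider) combine into a short pipeline. The following is an added example, not EchelonGraph's code, that implements both as pure functions over an asset inventory, alongside two small infrastructure evaluators in the same style (audit-log presence, encryption at rest on storage and databases). The asset record shape, the asset type names, the two infrastructure evaluators' exact rules, and the choice to report 0.0 when every control is N/A are this example's assumptions; the constructed inventory gives one provider that passes everything and one that is early-stage.

```python
"""Maturity proxy, infrastructure evaluators and per-provider scoring as pure functions.

Added example (not EchelonGraph's code). Verdict weights and the 50-asset / 6-type
thresholds follow the page; asset shape, type names, the two infra evaluators and
the 0.0 result for an all-N/A provider are assumptions. The inventory is constructed.
"""
from collections import defaultdict
from typing import Callable, Dict, List

PASS, PARTIAL, FAIL, NA = "Pass", "Partial", "Fail", "N/A"
WEIGHTS = {PASS: 1.0, PARTIAL: 0.5, FAIL: 0.0}

Evaluator = Callable[[List[dict]], str]


def maturity_verdict(assets: List[dict]) -> str:
    """Infrastructure footprint as a proxy for organisational maturity."""
    if not assets:
        return NA
    types = {a["type"] for a in assets}
    return PASS if len(assets) >= 50 and len(types) >= 6 else PARTIAL


def audit_logging(assets: List[dict]) -> str:
    """Audit-log presence per provider (assumed rule: any audit_log asset passes)."""
    if not assets:
        return NA
    return PASS if any(a["type"] == "audit_log" for a in assets) else FAIL


def encryption_at_rest(assets: List[dict]) -> str:
    """Every object_storage / managed_database asset must report encryption (assumed rule)."""
    storage = [a for a in assets if a["type"] in ("object_storage", "managed_database")]
    if not storage:
        return NA
    return PASS if all(a.get("encrypted") for a in storage) else FAIL


EVALUATORS: Dict[str, Evaluator] = {
    "CC1.1": maturity_verdict,     # procedural control scored by the maturity proxy
    "CC7.1": audit_logging,        # infrastructure check
    "Art32": encryption_at_rest,   # infrastructure check
}


def score(verdicts: Dict[str, str]) -> float:
    """Score % = (Pass + Partial x 0.5) / Total Controls x 100, with N/A excluded."""
    counted = [v for v in verdicts.values() if v != NA]
    if not counted:
        return 0.0  # nothing scorable; assumption: report 0 rather than divide by zero
    return round(sum(WEIGHTS[v] for v in counted) / len(counted) * 100, 1)


def score_per_provider(assets: List[dict],
                       evaluators: Dict[str, Evaluator] = EVALUATORS) -> Dict[str, float]:
    """Run every evaluator against each provider's assets independently."""
    by_provider: Dict[str, List[dict]] = defaultdict(list)
    for a in assets:
        by_provider[a["provider"]].append(a)
    return {provider: score({control: fn(items) for control, fn in evaluators.items()})
            for provider, items in by_provider.items()}


def make_assets(provider: str, types: List[str], count: int, encrypted: bool = True) -> List[dict]:
    """Construct a synthetic inventory cycling through the given asset types."""
    return [{"provider": provider, "type": types[i % len(types)], "encrypted": encrypted}
            for i in range(count)]


AWS_TYPES = ["compute_instance", "object_storage", "managed_database", "vpc",
             "firewall_rule", "iam_user", "audit_log"]
# Constructed: a production-grade AWS footprint and a small, unencrypted GCP sandbox.
SAMPLE_ASSETS = (make_assets("aws", AWS_TYPES, 60)
                 + make_assets("gcp", ["compute_instance", "object_storage", "vpc"], 10,
                               encrypted=False))

if __name__ == "__main__":
    print(score_per_provider(SAMPLE_ASSETS))
```

Separating the verdict functions from the aggregation is what makes the scoring auditable: an auditor can re-run a single evaluator against the inventory snapshot and reproduce one cell of the table without re-running the whole scan.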

Beyond Documentation — Automated Compliance

EchelonGraph automatically detects compliance violations across your entire cloud infrastructure. 440+ rules running continuously — not just documentation.
