Automated Framework Assessment, Gap Analysis & Audit Readiness
The Compliance Agent automates the most time-consuming part of MSP work: keeping clients continuously compliant with the regulatory frameworks their industry requires. It maps each client's environment against the controls of their assigned frameworks, collects evidence automatically, scores every control, surfaces gaps before they become violations, and generates audit-ready reports on demand.
Compliance is not a once-a-year project with the Compliance Agent β it is a live, daily score. When something in a client's environment changes (a new system, a changed configuration, a failed patch), the affected controls are re-scored automatically and the compliance dashboard updates in real time. Your clients never have to wonder where they stand.
The Compliance Agent replaces manual compliance spreadsheets, quarterly assessments that are stale the moment they're complete, and the hours spent compiling evidence packages before audits. One MSP partner reported their SOC 2 Type II audit prep dropped from 11 weeks to 9 days after enabling this agent for their clients.
Each framework is fully mapped to individual controls that the agent can assess, score, and collect evidence for. Frameworks can be mixed β a healthcare client can be assessed against both HIPAA and NIST CSF simultaneously, with overlapping controls mapped once rather than evaluated redundantly.
| Framework | Controls Mapped | Auto-Assessed | Primary Vertical | Evidence Auto-Collected |
|---|---|---|---|---|
| SOC 2 | 64 Trust Service Criteria | 71% | SaaS, Tech, Finance | Yes β access logs, config exports, policy docs |
| HIPAA | 54 Required + Addressable Safeguards | 78% | Healthcare, Medical Practices | Yes β encryption status, access controls, audit logs |
| NIST CSF 2.0 | 106 Subcategories across 6 Functions | 65% | All verticals, Government | Yes β asset inventory, detection logs, recovery plans |
| PCI-DSS v4.0 | 261 Requirements | 58% | Retail, Hospitality, Payment Processing | Partial β network diagrams, scan reports, policy evidence |
| ISO 27001 | 93 Controls (Annex A) | Coming Q3 2026 | Enterprise, International | Coming Q3 2026 |
SOC 2 Type I assesses whether controls are designed correctly at a point in time. Type II assesses whether those controls operated effectively over a defined period (typically 6 or 12 months). The Compliance Agent supports both: Type I assessments can be run on-demand, while Type II requires continuous evidence collection across the observation period. Enable the Type II evidence collection window in the framework settings β the agent captures and timestamps evidence automatically.
An assessment is not a questionnaire your client fills out. The Compliance Agent pulls data directly from the client's environment, maps it to control requirements, and scores each control automatically. The human team reviews the scoring output, fills in the gaps that require attestation or documentation, and exports the result.
Assign framework to client
Pull environment evidence
Score each control 0β100
Surface failing controls
Generate audit package
Each framework control is mapped to specific, testable data points that can be queried from the client's environment: firewall rule exports, user access logs, encryption configuration status, patch compliance reports, backup verification records, and security policy documents. When a control cannot be fully assessed from automated data (e.g., physical security controls, employee training records), the agent flags it as "requires attestation" and generates a structured questionnaire for the client contact to complete.
Evidence is collected continuously in the background, not just during assessment runs. Every piece of collected evidence is timestamped, tagged to the control it satisfies, and stored in the client's evidence vault. For SOC 2 Type II, this creates the continuous, dated record an auditor needs to verify that controls operated over time. Evidence types collected automatically include:
Every control receives a score from 0 to 100. The score is not binary β it reflects how well the control is implemented, not just whether it exists. The 0β100 range maps to five maturity levels, each with a specific definition. Scores are weighted by the control's importance within the framework before being rolled up to a composite framework score.
| Level | Score Range | Definition | Audit Readiness |
|---|---|---|---|
| 0 β None | 0β19 | Control is completely absent or non-functional. No evidence exists. | Fails audit. Immediate remediation required. |
| 1 β Initial | 20β39 | Control exists informally or partially. No consistent process or documentation. | Likely fails audit. Significant gaps remain. |
| 2 β Developing | 40β59 | Control is documented and partially implemented. Evidence is incomplete or inconsistent. | Borderline. Acceptable for Type I with caveats; insufficient for Type II. |
| 3 β Defined | 60β79 | Control is fully documented, consistently implemented, and evidenced. | Passes most audits. Minor gaps may generate findings but not failures. |
| 4 β Optimized | 80β100 | Control is automated, continuously monitored, and verified with high-frequency evidence. | Passes all audits cleanly. Audit findings unlikely. |
Gap identified: 3 service accounts are excluded from MFA enforcement. Access review was last performed 94 days ago (target: every 60 days). Update the access review schedule and enforce MFA on service accounts to reach Level 4.
Not all controls carry equal weight. Within each framework, controls are weighted based on their criticality to the overall compliance posture. A single failed critical control (e.g., encryption at rest for PHI under HIPAA) can hold the overall score below passing even if 90% of other controls are green. The dashboard shows both the raw composite score and a "critical controls" indicator that flags any single-control blockers.
After every assessment, the Compliance Agent identifies "quick wins" β controls that are currently failing or at a low maturity level but can be remediated with low effort, yielding a significant improvement to the overall compliance score. Quick wins are surfaced first in the remediation queue to give clients the fastest path to meaningful progress.
| Control | Current Score | Effort | Score Gain | Time to Implement |
|---|---|---|---|---|
| Enable MFA on all admin accounts | 1 β Initial | Low | +18 pts | 2 hours |
| Configure automated backup verification alerts | 2 β Developing | Low | +11 pts | 1 hour |
| Enable audit logging on domain controllers | 1 β Initial | Low | +9 pts | 30 minutes |
| Implement encrypted email for PHI transmission | 0 β None | Medium | +14 pts | 1β2 days |
| Document and sign Acceptable Use Policy | 0 β None | Low | +7 pts | 2 hours (template provided) |
Across Gridlock clients, the top 5 quick wins on a new assessment account for an average of 47 percentage points of compliance score improvement. Most clients can get from "failing" to "passing" on their primary framework in under two weeks by completing quick wins before tackling the more complex controls.
When your client has an audit scheduled, the Compliance Agent generates a complete evidence package β a structured ZIP archive containing all evidence collected for every assessed control, organized by control ID and labeled for auditor navigation.
| Document Type | Source | Included Automatically |
|---|---|---|
| Access control configuration exports | Directory service, firewall, VPN | Yes |
| MFA enrollment status report | Identity provider or directory | Yes |
| Patch compliance report (60-day history) | Endpoint management or Gridlock connector | Yes |
| Backup execution logs (90-day history) | Backup platform or Gridlock connector | Yes |
| Vulnerability scan reports | Integrated scanner or Threat Researcher agent | Yes |
| Security incident log | Threat Researcher agent and alert history | Yes |
| Encryption configuration attestation | System scan + manual attestation | Yes (scan portion); attestation prompted |
| Signed policy documents | Policy template library | Yes, if created using Gridlock policy templates |
| Employee security training records | Connected LMS or manual upload | If connected; otherwise prompted |
| Vendor and third-party risk assessments | Manual attestation | Prompted β agent provides template |
The evidence package includes an Audit Readiness Score (0β100) based on how completely the evidence package covers the required controls. A score above 85 indicates the package is ready to be handed to an auditor. Scores below 85 include a "remaining gaps" list with specific actions to reach readiness.
A missing or unsigned policy document is one of the most common audit findings β and one of the easiest to fix. The Compliance Agent includes a library of policy templates ready to customize, sign, and attach to the evidence package.
| Policy Template | Frameworks Satisfied | Estimated Customization Time |
|---|---|---|
| Information Security Policy | SOC 2, HIPAA, NIST, PCI-DSS, ISO 27001 | 30 minutes |
| Acceptable Use Policy | SOC 2, HIPAA, NIST | 15 minutes |
| Access Control and Password Policy | SOC 2, HIPAA, PCI-DSS, NIST | 20 minutes |
| Incident Response Plan | SOC 2, HIPAA, NIST, PCI-DSS | 45 minutes |
| Business Continuity and Disaster Recovery Plan | SOC 2, HIPAA, NIST, PCI-DSS | 1β2 hours |
| Vendor Risk Management Policy | SOC 2, HIPAA, PCI-DSS | 30 minutes |
| Data Classification and Handling Policy | SOC 2, HIPAA, PCI-DSS, NIST | 20 minutes |
| Change Management Policy | SOC 2, PCI-DSS, NIST | 20 minutes |
| HIPAA Privacy Policy and Notice of Privacy Practices | HIPAA | 30 minutes |
| Penetration Testing and Vulnerability Management Policy | SOC 2, PCI-DSS, NIST | 20 minutes |
Policies signed via the Gridlock policy library are digitally signed with a timestamp and the signatory's identity. For employee policies (AUP, security awareness), the agent tracks who has signed and who has not, sends automated reminders to unsigned employees, and generates a signature completion report for the evidence package. No more chasing employees during audit week.
Identifying a gap is only useful if it gets fixed. The Compliance Agent converts every gap finding into a structured remediation task and tracks it through to completion.
auditpol /set /category:* /success:enable /failure:enable on all domain controllers").Critical-severity gaps (controls at Level 0 or controls flagged as critical by the framework) have a default 30-day remediation deadline. If the gap is not resolved within 30 days, the Account Manager agent receives a churn risk signal and the MSP is notified via dashboard alert. You can adjust default remediation deadlines per client in the compliance settings.
Every assessment result is stored as a timestamped snapshot. The compliance dashboard shows your clients' scores over time β not just where they are, but how they got there and whether the trajectory is positive.
| Signal | What It Indicates | Dashboard Display |
|---|---|---|
| Score improvement > 10 pts in 30 days | Active remediation in progress, strong momentum | Green trend arrow + "Improving" label |
| Score stable within +/- 3 pts over 60 days | Maintained compliance, no major changes | Flat trend arrow + "Stable" label |
| Score decline > 5 pts in 30 days | New gap introduced (config change, new system, lapsed policy) | Red trend arrow + alert notification to MSP |
| Critical control drops to Level 0 or 1 | High-severity gap that may block audit readiness | Critical badge + immediate alert to dashboard and email |
| Audit Readiness Score crosses 85 | Client is ready for an audit engagement | Green banner + suggested next step (schedule auditor) |
The compliance history chart is designed to be shown directly to clients during Quarterly Business Reviews. It demonstrates the tangible value of your MSP engagement: the client can see their score at the start of your engagement, the upward trajectory as remediation was completed, and where they stand today relative to their audit readiness target.
Three report types can be generated on demand from the compliance dashboard. All reports are available in PDF and as a structured JSON export for import into client GRC tools.
| Report | Audience | Contents | Typical Use Case |
|---|---|---|---|
| Executive Summary Report | Client leadership, board | Overall score, framework status, top 5 gaps, trend chart, remediation progress | QBR presentation, board reporting |
| Technical Gap Report | IT staff, compliance team | Full control-by-control scoring, gap descriptions, remediation steps, evidence status | Remediation planning, internal IT review |
| Audit Evidence Package | External auditor | All collected evidence, organized by control, with chain-of-custody timestamps | SOC 2, HIPAA, or PCI-DSS audit engagement |
All three report types are fully white-labeled. Your company logo, name, and brand colors replace Gridlock branding. Clients see a professional compliance report from your MSP β which strengthens your brand as the compliance expert, not ours. Configure white-labeling under Settings → Branding.
Vulnerability findings from the Threat Researcher feed directly into compliance scoring. An unpatched CVE on a system that handles cardholder data automatically lowers the PCI-DSS patch management control score.
Compliance question tickets submitted by clients are routed to the Compliance Agent's framework knowledge β delivering precise, control-referenced answers instead of generic guidance.
Clients with declining compliance scores or unresolved critical gaps are surfaced as churn risk signals in the Account Manager's health scoring, prompting proactive outreach before the client raises a concern.