Getting Started
Quick Start Architecture
AI Agents
MSP Hunter Threat Researcher Tech Support Compliance Agent Account Manager Onboarding Agent
Compliance
HIPAA SOC 2 PCI-DSS NIST
Guides
First 30 Days Scaling
API
Overview Endpoints

Compliance Agent

Automated Framework Assessment, Gap Analysis & Audit Readiness

What It Does

The Compliance Agent automates the most time-consuming part of MSP work: keeping clients continuously compliant with the regulatory frameworks their industry requires. It maps each client's environment against the controls of their assigned frameworks, collects evidence automatically, scores every control, surfaces gaps before they become violations, and generates audit-ready reports on demand.

Compliance is not a once-a-year project with the Compliance Agent β€” it is a live, daily score. When something in a client's environment changes (a new system, a changed configuration, a failed patch), the affected controls are re-scored automatically and the compliance dashboard updates in real time. Your clients never have to wonder where they stand.

What This Agent Replaces

The Compliance Agent replaces manual compliance spreadsheets, quarterly assessments that are stale the moment they're complete, and the hours spent compiling evidence packages before audits. One MSP partner reported their SOC 2 Type II audit prep dropped from 11 weeks to 9 days after enabling this agent for their clients.

Supported Frameworks

Each framework is fully mapped to individual controls that the agent can assess, score, and collect evidence for. Frameworks can be mixed β€” a healthcare client can be assessed against both HIPAA and NIST CSF simultaneously, with overlapping controls mapped once rather than evaluated redundantly.

SOC 2 Type I / Type II HIPAA Security Rule NIST CSF 2.0 PCI-DSS v4.0 ISO 27001 (Coming Q3 2026)
Framework Controls Mapped Auto-Assessed Primary Vertical Evidence Auto-Collected
SOC 2 64 Trust Service Criteria 71% SaaS, Tech, Finance Yes β€” access logs, config exports, policy docs
HIPAA 54 Required + Addressable Safeguards 78% Healthcare, Medical Practices Yes β€” encryption status, access controls, audit logs
NIST CSF 2.0 106 Subcategories across 6 Functions 65% All verticals, Government Yes β€” asset inventory, detection logs, recovery plans
PCI-DSS v4.0 261 Requirements 58% Retail, Hospitality, Payment Processing Partial β€” network diagrams, scan reports, policy evidence
ISO 27001 93 Controls (Annex A) Coming Q3 2026 Enterprise, International Coming Q3 2026
SOC 2 Type I vs. Type II

SOC 2 Type I assesses whether controls are designed correctly at a point in time. Type II assesses whether those controls operated effectively over a defined period (typically 6 or 12 months). The Compliance Agent supports both: Type I assessments can be run on-demand, while Type II requires continuous evidence collection across the observation period. Enable the Type II evidence collection window in the framework settings β€” the agent captures and timestamps evidence automatically.

How Assessments Work

An assessment is not a questionnaire your client fills out. The Compliance Agent pulls data directly from the client's environment, maps it to control requirements, and scores each control automatically. The human team reviews the scoring output, fills in the gaps that require attestation or documentation, and exports the result.

πŸ—ΊοΈ Map

Assign framework to client

πŸ“‘ Collect

Pull environment evidence

πŸ“Š Score

Score each control 0–100

πŸ” Gap

Surface failing controls

πŸ“‹ Report

Generate audit package

Control Mapping

Each framework control is mapped to specific, testable data points that can be queried from the client's environment: firewall rule exports, user access logs, encryption configuration status, patch compliance reports, backup verification records, and security policy documents. When a control cannot be fully assessed from automated data (e.g., physical security controls, employee training records), the agent flags it as "requires attestation" and generates a structured questionnaire for the client contact to complete.

Evidence Collection

Evidence is collected continuously in the background, not just during assessment runs. Every piece of collected evidence is timestamped, tagged to the control it satisfies, and stored in the client's evidence vault. For SOC 2 Type II, this creates the continuous, dated record an auditor needs to verify that controls operated over time. Evidence types collected automatically include:

5-Level Maturity Scoring

Every control receives a score from 0 to 100. The score is not binary β€” it reflects how well the control is implemented, not just whether it exists. The 0–100 range maps to five maturity levels, each with a specific definition. Scores are weighted by the control's importance within the framework before being rolled up to a composite framework score.

Level Score Range Definition Audit Readiness
0 β€” None 0–19 Control is completely absent or non-functional. No evidence exists. Fails audit. Immediate remediation required.
1 β€” Initial 20–39 Control exists informally or partially. No consistent process or documentation. Likely fails audit. Significant gaps remain.
2 β€” Developing 40–59 Control is documented and partially implemented. Evidence is incomplete or inconsistent. Borderline. Acceptable for Type I with caveats; insufficient for Type II.
3 β€” Defined 60–79 Control is fully documented, consistently implemented, and evidenced. Passes most audits. Minor gaps may generate findings but not failures.
4 β€” Optimized 80–100 Control is automated, continuously monitored, and verified with high-frequency evidence. Passes all audits cleanly. Audit findings unlikely.

Sample Scored Control

SOC 2 / CC6.1 β€” Logical Access Controls
Multi-factor authentication enforced for all privileged accounts
3 β€” Defined   74/100
Policy documentation20/20
Technical enforcement (MFA on admin accounts)28/35
Evidence recency (last access review)14/25
Exception handling and logging12/20

Gap identified: 3 service accounts are excluded from MFA enforcement. Access review was last performed 94 days ago (target: every 60 days). Update the access review schedule and enforce MFA on service accounts to reach Level 4.

Weighted Framework Scoring

Not all controls carry equal weight. Within each framework, controls are weighted based on their criticality to the overall compliance posture. A single failed critical control (e.g., encryption at rest for PHI under HIPAA) can hold the overall score below passing even if 90% of other controls are green. The dashboard shows both the raw composite score and a "critical controls" indicator that flags any single-control blockers.

Quick Wins

After every assessment, the Compliance Agent identifies "quick wins" β€” controls that are currently failing or at a low maturity level but can be remediated with low effort, yielding a significant improvement to the overall compliance score. Quick wins are surfaced first in the remediation queue to give clients the fastest path to meaningful progress.

Control Current Score Effort Score Gain Time to Implement
Enable MFA on all admin accounts 1 β€” Initial Low +18 pts 2 hours
Configure automated backup verification alerts 2 β€” Developing Low +11 pts 1 hour
Enable audit logging on domain controllers 1 β€” Initial Low +9 pts 30 minutes
Implement encrypted email for PHI transmission 0 β€” None Medium +14 pts 1–2 days
Document and sign Acceptable Use Policy 0 β€” None Low +7 pts 2 hours (template provided)
Quick Win ROI

Across Gridlock clients, the top 5 quick wins on a new assessment account for an average of 47 percentage points of compliance score improvement. Most clients can get from "failing" to "passing" on their primary framework in under two weeks by completing quick wins before tackling the more complex controls.

Evidence Package Generation

When your client has an audit scheduled, the Compliance Agent generates a complete evidence package β€” a structured ZIP archive containing all evidence collected for every assessed control, organized by control ID and labeled for auditor navigation.

What the Evidence Package Includes

Document Type Source Included Automatically
Access control configuration exports Directory service, firewall, VPN Yes
MFA enrollment status report Identity provider or directory Yes
Patch compliance report (60-day history) Endpoint management or Gridlock connector Yes
Backup execution logs (90-day history) Backup platform or Gridlock connector Yes
Vulnerability scan reports Integrated scanner or Threat Researcher agent Yes
Security incident log Threat Researcher agent and alert history Yes
Encryption configuration attestation System scan + manual attestation Yes (scan portion); attestation prompted
Signed policy documents Policy template library Yes, if created using Gridlock policy templates
Employee security training records Connected LMS or manual upload If connected; otherwise prompted
Vendor and third-party risk assessments Manual attestation Prompted β€” agent provides template

Audit Readiness Level

The evidence package includes an Audit Readiness Score (0–100) based on how completely the evidence package covers the required controls. A score above 85 indicates the package is ready to be handed to an auditor. Scores below 85 include a "remaining gaps" list with specific actions to reach readiness.

Policy Template Library

A missing or unsigned policy document is one of the most common audit findings β€” and one of the easiest to fix. The Compliance Agent includes a library of policy templates ready to customize, sign, and attach to the evidence package.

Policy Template Frameworks Satisfied Estimated Customization Time
Information Security Policy SOC 2, HIPAA, NIST, PCI-DSS, ISO 27001 30 minutes
Acceptable Use Policy SOC 2, HIPAA, NIST 15 minutes
Access Control and Password Policy SOC 2, HIPAA, PCI-DSS, NIST 20 minutes
Incident Response Plan SOC 2, HIPAA, NIST, PCI-DSS 45 minutes
Business Continuity and Disaster Recovery Plan SOC 2, HIPAA, NIST, PCI-DSS 1–2 hours
Vendor Risk Management Policy SOC 2, HIPAA, PCI-DSS 30 minutes
Data Classification and Handling Policy SOC 2, HIPAA, PCI-DSS, NIST 20 minutes
Change Management Policy SOC 2, PCI-DSS, NIST 20 minutes
HIPAA Privacy Policy and Notice of Privacy Practices HIPAA 30 minutes
Penetration Testing and Vulnerability Management Policy SOC 2, PCI-DSS, NIST 20 minutes
Policy Acknowledgment Tracking

Policies signed via the Gridlock policy library are digitally signed with a timestamp and the signatory's identity. For employee policies (AUP, security awareness), the agent tracks who has signed and who has not, sends automated reminders to unsigned employees, and generates a signature completion report for the evidence package. No more chasing employees during audit week.

Remediation Workflow

Identifying a gap is only useful if it gets fixed. The Compliance Agent converts every gap finding into a structured remediation task and tracks it through to completion.

How a Gap Becomes an Action

  1. Gap Identified: A control scores below 60 or drops two maturity levels from its previous assessment.
  2. Task Created: The agent creates a remediation task with: the control ID, the specific gap description, suggested remediation steps, estimated effort, expected score gain, and a suggested assignee based on the control's technical domain.
  3. Assignment: The task is routed to the dashboard's remediation queue. Your team can assign it to a technician, set a due date, and link it to a PSA ticket.
  4. Execution: The assigned technician works the remediation steps. Many steps include exact commands or configuration changes (e.g., "Run auditpol /set /category:* /success:enable /failure:enable on all domain controllers").
  5. Verification: After the due date, the agent re-assesses the control automatically. If the score improves above threshold, the task is closed and the compliance score updates. If not, the task is flagged for review.
  6. Evidence Captured: The re-assessment result and timestamp are added to the evidence vault as proof of remediation.
Remediation Deadlines and SLA

Critical-severity gaps (controls at Level 0 or controls flagged as critical by the framework) have a default 30-day remediation deadline. If the gap is not resolved within 30 days, the Account Manager agent receives a churn risk signal and the MSP is notified via dashboard alert. You can adjust default remediation deadlines per client in the compliance settings.

Compliance History & Trend Tracking

Every assessment result is stored as a timestamped snapshot. The compliance dashboard shows your clients' scores over time β€” not just where they are, but how they got there and whether the trajectory is positive.

Trend Signals Tracked

Signal What It Indicates Dashboard Display
Score improvement > 10 pts in 30 days Active remediation in progress, strong momentum Green trend arrow + "Improving" label
Score stable within +/- 3 pts over 60 days Maintained compliance, no major changes Flat trend arrow + "Stable" label
Score decline > 5 pts in 30 days New gap introduced (config change, new system, lapsed policy) Red trend arrow + alert notification to MSP
Critical control drops to Level 0 or 1 High-severity gap that may block audit readiness Critical badge + immediate alert to dashboard and email
Audit Readiness Score crosses 85 Client is ready for an audit engagement Green banner + suggested next step (schedule auditor)

Using History for QBRs

The compliance history chart is designed to be shown directly to clients during Quarterly Business Reviews. It demonstrates the tangible value of your MSP engagement: the client can see their score at the start of your engagement, the upward trajectory as remediation was completed, and where they stand today relative to their audit readiness target.

Report Generation

Three report types can be generated on demand from the compliance dashboard. All reports are available in PDF and as a structured JSON export for import into client GRC tools.

Report Types

Report Audience Contents Typical Use Case
Executive Summary Report Client leadership, board Overall score, framework status, top 5 gaps, trend chart, remediation progress QBR presentation, board reporting
Technical Gap Report IT staff, compliance team Full control-by-control scoring, gap descriptions, remediation steps, evidence status Remediation planning, internal IT review
Audit Evidence Package External auditor All collected evidence, organized by control, with chain-of-custody timestamps SOC 2, HIPAA, or PCI-DSS audit engagement
White-Label Reports

All three report types are fully white-labeled. Your company logo, name, and brand colors replace Gridlock branding. Clients see a professional compliance report from your MSP β€” which strengthens your brand as the compliance expert, not ours. Configure white-labeling under Settings → Branding.

FAQ

Does the Compliance Agent replace a formal auditor?

No. SOC 2, PCI-DSS, and ISO 27001 require attestation or certification from an accredited third-party auditor. The Compliance Agent cannot issue a SOC 2 report or PCI-DSS attestation of compliance. What it does is prepare your client so thoroughly that the formal audit becomes faster and cheaper. Clients who use the Compliance Agent typically find that auditor-billable time drops by 40–60% because the evidence is already organized and the critical gaps are already remediated before the auditor starts work.

How does the agent assess controls it cannot pull data for automatically?

Controls that require human attestation (e.g., physical security, employee training completion, vendor agreements) are flagged as "requires attestation." The agent generates a structured questionnaire for the designated client contact. Responses are collected through the client portal, timestamped, and stored in the evidence vault alongside the automated evidence. The control score is held at the prior level (or Level 0 for new controls) until attestation is completed.

How often does the agent re-assess controls?

By default, controls are re-assessed daily for high-frequency evidence types (access logs, patch status) and weekly for lower-frequency items (policy signatures, backup logs). A full framework re-score runs every 7 days and updates the dashboard. You can trigger a manual re-assessment at any time from the compliance dashboard β€” useful immediately after completing a remediation task to see the score update before a client meeting.

What plan is required for the Compliance Agent?

The Compliance Agent is available on Pro ($299/mo) and Ultimate ($499/mo) plans. The Ultimate plan unlocks multi-framework simultaneous assessments (e.g., HIPAA + NIST + SOC 2 for a single client at the same time) and the full policy template library. Pro includes single-framework assessment and the top 5 policy templates. Starter does not include the Compliance Agent.