Compliance Reports
Supported modes: Hosted. Available in: Solo, Teams.
Control Zero generates heuristic compliance reports that evaluate your AI governance posture against established frameworks. Reports are generated on demand from your current policy configuration and audit log activity. They are a self-assessment of your configuration, not an auditor's attestation: a high score shows that the expected controls are present, not that they are effective.
Available report types
OWASP AI Top 10
Evaluates your project against the OWASP Top 10 for LLM Applications, covering prompt injection, insecure output handling, model denial of service, excessive agency, and more.
Each of the 10 OWASP categories maps to one check, and the check IDs follow the numbering of the 2023 edition of the list (LLM03 is training data poisoning, LLM04 is model denial of service). The check status is derived from your active policies:
| Check | OWASP category | What it evaluates |
|---|---|---|
| LLM01 | Prompt Injection | Deny policies exist to restrict LLM access |
| LLM02 | Insecure Output Handling | Output governance layer is active |
| LLM03 | Training Data Poisoning | Not applicable (inference-only platform) |
| LLM04 | Model Denial of Service | Rate limiting is enforced |
| LLM05 | Supply Chain Vulnerabilities | Model restriction policies are in place |
| LLM06 | Sensitive Information Disclosure | Secrets are runtime-injected, not logged |
| LLM07 | Insecure Plugin Design | At least one policy governs tool access |
| LLM08 | Excessive Agency | Deny policies restrict agent actions |
| LLM09 | Overreliance | Audit trail is maintained for all governed actions |
| LLM10 | Model Theft | API keys are stored encrypted |
SOC 2
Evaluates your project against a subset of the SOC 2 Trust Services Criteria (TSC) relevant to AI governance. Only the six Common Criteria series below are evaluated; the remaining CC series and the non-security trust categories are not covered by the report:
| Check | TSC series | What it evaluates |
|---|---|---|
| CC1 | Control Environment | Governance framework is established |
| CC2 | Communication and Information | Audit logging is active (checks the last 30 days) |
| CC3 | Risk Assessment | Policy-based risk controls are enforced |
| CC6 | Logical and Physical Access Controls | API key authentication and scoping |
| CC7 | System Operations | Monitoring and anomaly detection |
| CC8 | Change Management | Policy versioning and change audit trail |
How reports are generated
Reports are generated server-side by evaluating your current project state:
- Policy scan -- The system reads all active policies for the project and checks whether deny policies, model restrictions, and tool access controls exist.
- Audit log analysis (SOC 2 only) -- The system queries the last 30 days of audit log data to determine volume and policy enforcement activity.
- Scoring -- Each applicable check receives a status of `pass`, `fail`, or `warning`. The overall score is `(pass_count / applicable_count) * 100`. Checks marked `not_applicable` (for example, training data poisoning on an inference-only platform) are excluded from the score calculation. A `warning` is still counted in `applicable_count` but not in `pass_count`, so warnings lower the score just as failures do.
Export options
Reports can be exported in two formats. Both use the same endpoint: `framework` selects `owasp_ai_top10` or `soc2`, and `format` selects `json` or `csv`.
JSON export
Returns the full report structure as a JSON file, including all check details, scores, and remediation suggestions. Suitable for programmatic consumption and integration with GRC tools.
Endpoint: `GET /api/projects/{projectID}/compliance/export?framework=owasp_ai_top10&format=json`
CSV export
Returns a flat CSV file with one row per compliance check. Columns: `ID`, `Category`, `Title`, `Description`, `Status`, `Details`, `Remediation`. Suitable for spreadsheet review and manual audit documentation.
Endpoint: `GET /api/projects/{projectID}/compliance/export?framework=soc2&format=csv`
How to interpret the scores
| Score range | Interpretation |
|---|---|
| 90-100 | Strong governance posture. Minor warnings may remain. |
| 70-89 | Good foundation. Address warnings to strengthen. |
| 50-69 | Gaps exist. Review failing checks and add policies. |
| Below 50 | Large gaps. Prioritize deny policies and tool access controls. |
Status meanings
- `pass` -- The check is satisfied by your current configuration.
- `fail` -- A required control is missing. See the remediation field.
- `warning` -- The control exists but could be stronger.
- `not_applicable` -- The check does not apply to your deployment and is excluded from the score.
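The scoring rule, the status values and the CSV column layout above are enough to gate a CI pipeline on an exported report. The following is an added example written for this page, not code from Control Zero: it parses a CSV export, recomputes the score with the documented formula, applies the interpretation bands, and rejects the build if any check is `fail` or the score is below a threshold. The sample CSV is constructed, the `Category` strings and the 70-point threshold are assumptions, and the fetch helper leaves authentication headers to the caller because the page does not document the auth scheme.

```python
"""CI gate over a Control Zero compliance CSV export (added example, not product code)."""
import csv
import io
import urllib.parse
import urllib.request
from dataclasses import dataclass

STATUSES = ("pass", "fail", "warning", "not_applicable")          # documented status values
COLUMNS = ("ID", "Category", "Title", "Description", "Status", "Details", "Remediation")
FRAMEWORKS = ("owasp_ai_top10", "soc2")                              # documented framework values
FORMATS = ("json", "csv")                                            # documented format values
BANDS = ((90, "Strong governance posture"), (70, "Good foundation"),
         (50, "Gaps exist"), (0, "Large gaps"))                      # interpretation table

# Constructed sample export shaped like the documented CSV; Category strings are assumed.
SAMPLE_CSV = """ID,Category,Title,Description,Status,Details,Remediation
LLM01,Prompt Injection,Deny policies,"Deny policies exist to restrict LLM access",pass,2 deny policies active,
LLM02,Insecure Output Handling,Output governance,"Output governance layer is active",warning,Layer enabled with no rules,Add output rules
LLM03,Training Data Poisoning,Training data,"Not applicable, inference-only",not_applicable,,
LLM04,Model Denial of Service,Rate limiting,"Rate limiting is enforced",fail,No rate limit policy found,Add a rate limit policy
LLM10,Model Theft,API key storage,"API keys are stored encrypted",pass,Keys encrypted at rest,
"""


@dataclass(frozen=True)
class Check:
    id: str
    category: str
    title: str
    description: str
    status: str
    details: str
    remediation: str


def parse_report(csv_text: str) -> list[Check]:
    """Parse one CSV export (one row per check) and reject malformed rows."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if tuple(reader.fieldnames or ()) != COLUMNS:
        raise ValueError(f"unexpected columns: {reader.fieldnames}")
    checks = []
    for row in reader:
        status = row["Status"].strip().lower()
        if status not in STATUSES:
            # Fail closed: an unrecognised status must never be counted as a pass.
            raise ValueError(f"{row['ID']}: unknown status {row['Status']!r}")
        checks.append(Check(row["ID"], row["Category"], row["Title"], row["Description"],
                            status, row["Details"], row["Remediation"]))
    return checks


def score(checks: list[Check]) -> float:
    """Documented formula: (pass_count / applicable_count) * 100, not_applicable excluded."""
    applicable = [c for c in checks if c.status != "not_applicable"]
    if not applicable:
        raise ValueError("no applicable checks; the score is undefined")
    passed = sum(1 for c in applicable if c.status == "pass")  # warnings are applicable but not passed
    return passed / len(applicable) * 100


def interpret(value: float) -> str:
    """Map a score to its interpretation band; thresholds apply to the unrounded score."""
    return next(label for floor, label in BANDS if value >= floor)


def gate(checks: list[Check], min_score: float = 70.0) -> tuple[bool, list[str]]:
    """Example gate policy (not the product's): no failing check and score >= min_score."""
    reasons = []
    s = score(checks)
    if s < min_score:
        reasons.append(f"score {s:.0f} < {min_score:.0f} ({interpret(s)})")
    for c in checks:
        if c.status == "fail":
            reasons.append(f"{c.id} {c.title}: {c.details or 'no details'}; fix: {c.remediation or 'see report'}")
    return not reasons, reasons


def export_url(base_url: str, project_id: str, framework: str, fmt: str) -> str:
    """Build the documented export URL, accepting only the documented framework/format values."""
    if framework not in FRAMEWORKS or fmt not in FORMATS:
        raise ValueError(f"undocumented framework/format: {framework}/{fmt}")
    path = f"/api/projects/{urllib.parse.quote(project_id, safe='')}/compliance/export"
    return f"{base_url.rstrip('/')}{path}?framework={framework}&format={fmt}"


def fetch_export(url: str, headers: dict[str, str]) -> str:
    """GET the export; the auth scheme is undocumented here, so the caller supplies headers."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=30) as resp:  # network call, not exercised offline
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    report = parse_report(SAMPLE_CSV)  # for a live project: fetch_export(export_url(...), headers)
    ok, why = gate(report)
    print(f"score={score(report):.0f} ({interpret(score(report))}) ok={ok}")
    for line in why:
        print(" -", line)
    raise SystemExit(0 if ok else 1)
```

Run as-is, the gate rejects the constructed report (score 50, "Gaps exist", one failing check). To run it against a live project, replace the sample with `fetch_export(export_url(base, project_id, "owasp_ai_top10", "csv"), headers)` using whatever credentials your deployment expects. Since reports are not stored server-side, archiving the fetched CSV next to the gate result is the simplest way to keep point-in-time evidence.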
Using reports in the dashboard
- Navigate to Governance > Compliance in the dashboard.
- Select a framework (OWASP AI Top 10 or SOC 2).
- Click Generate to create a fresh report.
- Review the score summary and individual check results.
- Use the Export JSON or Export CSV buttons to download.
Reports are generated on demand and reflect the state of your project at generation time. They are not stored persistently, so generate a new report whenever you need an updated assessment, and export (JSON or CSV) and retain any report you need to keep as point-in-time evidence.