Compliance framework assignment should trigger automatic policy enforcement

Problem

Compliance frameworks in GitLab are primarily labels for reporting, grouping, and audit purposes. Assigning a compliance framework to a project does not automatically configure the project's push rules, branch protections, or other governance settings to match the framework's requirements.

An enterprise assigns "SOX Compliance" to a project. Nothing changes in the project's actual configuration: its push rules and branch protections stay exactly as they were before the assignment. The framework is metadata, not enforcement.

Agentic Context

In an agentic SDLC, compliance framework assignment becomes part of the agent workflow: an agent creates a project, assigns the appropriate compliance framework based on the project's purpose, and expects the framework to configure all governance settings automatically. This is how the DAP Software Factory (&21067) and spec-driven SDLC workflows should operate: the agent assigns intent ("this is a SOX project"), the platform enforces the posture.

This directly supports the AI Governance program's vision (&20421, &20418): agents operating within governed boundaries where the governance is declarative and automatic, not manual and reactive.

Prior Art

Previously proposed in #366650 (epic &11598, closed May 2024), #338249, #338248 and #338247, all now closed. New field evidence from regulated enterprise deployments and agentic workflows warrants revisiting.

Field Evidence

A Professional Services tool deployed at a regulated enterprise customer uses compliance framework assignment as part of an enforcement pipeline: when a framework is assigned, the corresponding governance profile is automatically applied.

Proposal

  1. Allow compliance frameworks to define associated governance settings
  2. When a compliance framework is assigned to a project, automatically apply the associated settings
  3. When removed, optionally revert to group defaults
  4. Surface the relationship between frameworks and enforced settings in the UI
  5. Support inheritance with group-level and instance-level policies

DAP & AI Governance Cross-References

  • &14897 -- Custom compliance frameworks improvements (proposed parent epic; active, due Mar 13, 2026)
  • &21067 -- DAP Software Factory (agents assign frameworks during project creation)
  • #588389 -- Use Compliance Frameworks to determine DAP availability (sibling)
  • #588234 -- Custom Agent Lifecycle Management (framework as lifecycle gate)

Part of Governance-as-Code Series

This is one of 9 related issues: #591821, #591822, #591823, #591824, #591825, #591826, #591827, #591828, #591829

Edited by Falko Sieverding