Settings drift detection for governance policies (push rules, branch protections, compliance frameworks)
## Problem
GitLab has no native mechanism to detect when project settings deviate from a desired compliance posture. Audit events record what changed and who changed it, but they do not compare the resulting state against a desired policy definition.
An enterprise that defines "all projects must require signed commits and 2 approvals on the default branch" has no built-in way to discover which of its 500 projects are non-compliant, short of checking each project's push rules, protected branches and approval rules one at a time, manually or with a custom API script.
GitLab's Terraform/IaC integration surfaces drift between declared configuration and deployed state, but no equivalent exists for GitLab's own project settings. This breaks **continuous compliance**: organizations can see that individual changes were logged, but cannot verify that their compliance posture is maintained over time.
## Agentic Context
Agents with write access (via DAP flows, MCP tools, or API tokens) can modify project settings as part of their workflows. As agent volume scales, settings changes happen faster than human review cycles. Drift detection must cover agent-initiated changes alongside human changes. This connects directly to the agentic audit events being designed by the AI Governance team (sec-section-ai-experiments-team/product-management#43), which track agent actions but do not yet compare resulting state against desired governance policies.
## Field Evidence
A Professional Services tool deployed at a regulated enterprise customer compares every project's current state (push rules, branch protections, compliance frameworks) against a YAML-defined desired state and reports every mismatch. This is used for compliance audits (SOX, PCI-DSS) and pre-remediation planning. The capability does not exist natively.
## Proposal
1. Allow administrators to define desired governance state for project settings at group/instance level (push rules, branch protections, compliance frameworks)
2. Provide a drift detection scan that compares current project settings against desired state
3. Surface non-compliant projects in the Compliance Center (similar to how violations are surfaced today)
4. Generate audit events for detected drift
5. Support scheduled scans (e.g., daily compliance check) for continuous compliance
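The comparison behind steps 1, 2 and 4 above, and behind the Professional Services tool described under Field Evidence, sketched as an added example (this code is not part of this issue, of GitLab, or of that tool): a desired governance state is defined as a dict (in practice it would be loaded from YAML with `yaml.safe_load`), each project's current push rules, protected branches, approval rules and compliance frameworks are compared against it, and every mismatch becomes a `Drift` record and an audit-event-like dict. The per-project sample data is constructed; its field names follow the public REST API shapes, but nesting them under one dict per project, the `Drift` record and the `governance_drift_detected` event name are this example's own assumptions.

```python
"""Governance drift detection over project settings (added example, assumptions noted inline)."""
from dataclasses import dataclass, asdict
from typing import Any

# Desired governance state (constructed). "default" stands for each project's default branch.
DESIRED_STATE: dict[str, Any] = {
    "push_rules": {"reject_unsigned_commits": True, "prevent_secrets": True},
    "protected_branches": {
        "default": {"allow_force_push": False, "code_owner_approval_required": True},
    },
    "approvals_required": 2,
    "compliance_frameworks": ["SOX"],
}

# Constructed sample of what a scanner would gather per project from
# GET /projects/:id, /push_rule, /protected_branches and /approval_rules.
# Field names follow the REST API; the per-project nesting is this example's convention.
PROJECTS: list[dict[str, Any]] = [
    {
        "id": 101, "path_with_namespace": "acme/payments", "default_branch": "main",
        "compliance_frameworks": ["SOX"],
        "push_rule": {"reject_unsigned_commits": True, "prevent_secrets": True},
        "protected_branches": [
            {"name": "main", "allow_force_push": False, "code_owner_approval_required": True},
        ],
        "approval_rules": [{"name": "Security", "approvals_required": 2}],
    },
    {
        "id": 102, "path_with_namespace": "acme/legacy-api", "default_branch": "master",
        "compliance_frameworks": [],
        "push_rule": None,  # no push rule configured at all
        "protected_branches": [
            {"name": "master", "allow_force_push": True, "code_owner_approval_required": False},
        ],
        "approval_rules": [{"name": "Any", "approvals_required": 1}],
    },
]


@dataclass(frozen=True)
class Drift:
    """One setting whose current value differs from the desired state (example's own record)."""
    project_id: int
    project_path: str
    setting: str  # dotted path, e.g. "push_rules.reject_unsigned_commits"
    expected: Any
    actual: Any


def detect_drift(desired: dict[str, Any], project: dict[str, Any]) -> list[Drift]:
    """Compare one project's current settings against the desired state; empty list means compliant."""
    found: list[Drift] = []

    def mismatch(setting: str, expected: Any, actual: Any) -> None:
        if expected != actual:
            found.append(Drift(project["id"], project["path_with_namespace"], setting, expected, actual))

    # Push rules: a project with no push rule at all has every rule setting effectively off.
    rule = project.get("push_rule") or {}
    for key, want in desired.get("push_rules", {}).items():
        mismatch(f"push_rules.{key}", want, rule.get(key, False))

    # Protected branches: resolve "default" to the project's actual default branch name.
    branches = {b["name"]: b for b in project.get("protected_branches", [])}
    for name, want_settings in desired.get("protected_branches", {}).items():
        branch_name = project["default_branch"] if name == "default" else name
        branch = branches.get(branch_name)
        if branch is None:
            mismatch(f"protected_branches.{branch_name}", "protected", "unprotected")
            continue
        for key, want in want_settings.items():
            mismatch(f"protected_branches.{branch_name}.{key}", want, branch.get(key))

    # Approvals: simplification that takes the strongest rule; a real scan would honour branch scoping.
    if "approvals_required" in desired:
        have = max((r["approvals_required"] for r in project.get("approval_rules", [])), default=0)
        if have < desired["approvals_required"]:
            mismatch("approvals_required", desired["approvals_required"], have)

    # Compliance frameworks: each required framework must be applied to the project.
    applied = set(project.get("compliance_frameworks", []))
    for fw in sorted(set(desired.get("compliance_frameworks", [])) - applied):
        mismatch(f"compliance_frameworks.{fw}", "applied", "missing")
    return found


def scan(desired: dict[str, Any], projects: list[dict[str, Any]]) -> dict[str, list[Drift]]:
    """Run the check over every project, keyed by project path (the scheduled-scan entry point)."""
    return {p["path_with_namespace"]: detect_drift(desired, p) for p in projects}


def drift_audit_event(drift: Drift) -> dict[str, Any]:
    """Shape a drift as an audit-event-like record. The event name is this example's own, not a GitLab event type."""
    return {"event_name": "governance_drift_detected", "entity_type": "Project",
            "entity_id": drift.project_id, "details": asdict(drift)}


if __name__ == "__main__":
    for path, drifts in scan(DESIRED_STATE, PROJECTS).items():
        print(f"{path}: {'compliant' if not drifts else f'{len(drifts)} drifted setting(s)'}")
        for d in drifts:
            print("  ", drift_audit_event(d))
```

Running it reports `acme/payments` as compliant and lists six drifted settings for `acme/legacy-api`, including the absent push rule, force-push allowed on `master`, only one required approval and the missing SOX framework; each drift is emitted as a record that a Compliance Center view or audit log could consume.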
## Connection to Existing Work
- #546119 -- "Proactive Security Configuration Change Monitoring" (same problem from audit events angle)
- #421912 -- "Overview of compliance related status" (natural UI home for drift results)
- #421914 -- "Action for adherence checks and violations" (remediation actions after drift detected)
## DAP & AI Governance Cross-References
- &14897 -- Custom compliance frameworks improvements (proposed parent epic)
- &18954 -- Comprehensive AI Audit Event System (drift detection generates audit events)
- #584155 -- Design: Agentic Audit Events (detection mechanism)
- #585927 -- DAP Governance: Enforceable security policies (drift in agent-managed settings)
- #584692 -- DAP Flow Session Traceability (governance events feed session traces)
## Part of Governance-as-Code Series
This is one of 9 related issues: #591821, #591822, #591823, #591824, #591825, #591826, #591827, #591828, #591829