Compliance framework assignment should trigger automatic policy enforcement
## Problem
Compliance frameworks in GitLab are primarily labels for reporting, grouping, and audit purposes. Assigning a compliance framework to a project does not automatically configure the project's push rules, branch protections, or other governance settings to match the framework's requirements.
An enterprise assigns "SOX Compliance" to a project. Nothing changes in the project's actual configuration. The framework is metadata, not enforcement.
## Agentic Context
In an agentic SDLC, compliance framework assignment becomes part of the agent workflow: an agent creates a project, assigns the appropriate compliance framework based on the project's purpose, and expects the framework to configure all governance settings automatically. This is how the DAP Software Factory (&21067) and spec-driven SDLC workflows should operate: the agent assigns intent ("this is a SOX project"), the platform enforces the posture.
This directly supports the AI Governance program's vision (&20421, &20418): agents operating within governed boundaries where the governance is declarative and automatic, not manual and reactive.
## Prior Art
Previously proposed in #366650 (Epic &11598, closed May 2024), #338249, #338248, #338247 (all closed). New field evidence from regulated enterprise deployments and agentic workflows warrants revisiting.
## Field Evidence
A Professional Services tool deployed at a regulated enterprise customer uses compliance framework assignment as part of an enforcement pipeline: when a framework is assigned, the corresponding governance profile is automatically applied.
## Proposal
1. Allow compliance frameworks to define associated governance settings
2. When a compliance framework is assigned to a project, automatically apply the associated settings
3. When removed, optionally revert to group defaults
4. Surface the relationship between frameworks and enforced settings in the UI
5. Support inheritance with group-level and instance-level policies
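
A sketch of steps 1 to 3 as a plan-then-apply reconciliation, added here as an illustration; it is not GitLab code or the Professional Services tool mentioned above. The profile shape, function names and sample values are hypothetical, with setting keys modeled on GitLab push-rule and protected-branch attributes.

```python
# Added illustration: profile shape, function names and sample data are hypothetical.
FRAMEWORK_PROFILES = {
    "SOX Compliance": {
        "reject_unsigned_commits": True,
        "commit_committer_check": True,
        "prevent_secrets": True,
        "allow_force_push": False,
    },
}

# Constructed sample state for one project and its parent group.
PROJECT = {"reject_unsigned_commits": False, "prevent_secrets": True,
           "allow_force_push": True}
GROUP_DEFAULTS = {"reject_unsigned_commits": False, "commit_committer_check": False,
                  "prevent_secrets": True, "allow_force_push": False}


def plan_assignment(framework, current):
    """Return {setting: (old, new)} for each setting the framework would change.

    An empty plan means the project already matches the profile (no drift).
    """
    profile = FRAMEWORK_PROFILES[framework]
    return {k: (current.get(k), v) for k, v in profile.items()
            if current.get(k) != v}


def plan_removal(framework, current, group_defaults):
    """Revert only the settings the framework controlled, back to group defaults."""
    plan = {}
    for key in FRAMEWORK_PROFILES[framework]:
        if key in group_defaults and current.get(key) != group_defaults[key]:
            plan[key] = (current.get(key), group_defaults[key])
    return plan


def apply_plan(current, plan):
    """Return a new settings dict with the planned values applied."""
    updated = dict(current)
    updated.update({k: new for k, (_, new) in plan.items()})
    return updated


if __name__ == "__main__":
    plan = plan_assignment("SOX Compliance", PROJECT)
    enforced = apply_plan(PROJECT, plan)
    print("assign:", plan)
    print("drift after apply:", plan_assignment("SOX Compliance", enforced))
    print("remove:", plan_removal("SOX Compliance", enforced, GROUP_DEFAULTS))
```

Returning the plan as old/new pairs gives the audit record of what assignment changed, and re-running `plan_assignment` on a schedule doubles as a drift check.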
## DAP & AI Governance Cross-References
- &14897 -- Custom compliance frameworks improvements (proposed parent epic)
- &21067 -- DAP Software Factory (agents assign frameworks during project creation)
- #588389 -- Use Compliance Frameworks to determine DAP availability (sibling)
- #588234 -- Custom Agent Lifecycle Management (framework as lifecycle gate)
- Epic &14897 -- active, due Mar 13, 2026
## Part of Governance-as-Code Series
This is one of 9 related issues: #591821, #591822, #591823, #591824, #591825, #591826, #591827, #591828, #591829.