AI Governance Compliance Templates
# Background

Compliance frameworks can be created from scratch and used as a label to identify that a project has certain compliance requirements or needs additional oversight. With [custom compliance frameworks,](https://gitlab.com/groups/gitlab-org/-/epics/13295) the steps a user takes to create a compliance framework are:

1. At the instance level, select a group.
2. At the group level, navigate to the **Secure** tab in the left-hand navigation menu and select **Compliance center**.
3. Select **New Framework** in the top right-hand corner of the screen.
4. On the **New Compliance Frameworks** page:
   1. Edit the _Basic Information_ section to set the Name, Description and Background color, and optionally mark the framework as the default framework.
   2. Edit the _Requirements_ section to add the Name and Description of a requirement under this framework.
   3. In the same _Requirements_ section, select all the controls that belong to that requirement.
   4. Click **Create requirement**.
5. Repeat steps 4.1 to 4.4 for every requirement the framework needs.
6. Click **Create Framework**.
7. Finally, go to the Policies section to create the pipeline execution policies that are relevant to the newly created compliance framework and enforce its controls.

# AI Governance Context

This epic is a critical component of the broader [AI Governance Compliance vision](https://gitlab.com/groups/gitlab-org/-/work_items/18948). Compliance framework templates let organizations implement AI governance frameworks aligned with specific AI regulations (EU AI Act, NIST RMF, etc.) consistently across their systems. These templates are the foundation for connecting regulatory requirements with agentic audit events: when AI agents perform actions, those events are evaluated against framework requirements to automatically flag violations and maintain compliance visibility throughout the DevSecOps lifecycle.
# Problem

A key problem with this workflow is that steps 4.1 to 4.4 may be repeated many times in a single creation workflow, because each framework has multiple requirements to enforce and each requirement has multiple controls to enforce. This takes time and is a likely point of friction in the creation workflow. Additionally, most of our users will be familiar with similar offerings in other tools that eliminate this kind of repetitive workflow by providing templates at the start of the compliance journey, so that pre-packaged, out-of-the-box (OOTB) templates can be applied to all associated items immediately.

Without readily available templates aligned to AI regulations, organizations struggle to implement AI governance frameworks consistently. This friction increases the time and complexity of establishing compliance monitoring for AI systems, delaying the ability to track and audit AI agent behavior against regulatory requirements.

# Current Assumptions or Pain Points

The following are the pain points of the current workflow and the benefits of addressing them:

| Pain Point | Benefit | Description |
|------------|---------|-------------|
| Increases friction | Decreases friction | in the adoption, creation and usage of compliance frameworks, particularly for AI governance |
| Increases time | Decreases time | to create and apply a compliance framework to all projects within the group |
| Decreases usability | Increases usability | of compliance frameworks, particularly when creating multiple compliance frameworks |
| Decreases user satisfaction | Increases user satisfaction | by allowing a compliance framework to be created easily via multiple methods (e.g. from a template library or at the individual framework level) |
| Misaligned with | Aligns with | the [direction of the Compliance group](https://about.gitlab.com/direction/govern/compliance/), to achieve compliance **visibility** of **checks**, **violations** and **audit events** throughout the entire DevSecOps lifecycle |
| Delays AI governance implementation | Enables rapid AI governance deployment | by providing pre-configured templates for AI regulations (EU AI Act, NIST RMF, etc.) |

# Solution

As part of the solutions mentioned in the [parent epic](https://gitlab.com/groups/gitlab-org/-/epics/16504), we want to explore creating a template library that hosts OOTB framework templates with preconfigured requirements, controls and (potentially) policies. A template can be selected and applied almost immediately, barring some configuration depending on the type of policy attached to it. These templates will be designed specifically to support AI governance compliance, with requirements mapped to AI regulations and controls. Each requirement will be structured to integrate with agentic audit events: when AI agents perform actions, those events are evaluated against the framework's requirements to automatically flag violations and maintain compliance visibility.

Together with https://gitlab.com/groups/gitlab-org/-/epics/16499, we want to achieve the ideal workflow described in the [solution in the parent epic](https://gitlab.com/groups/gitlab-org/-/epics/16504#solution). We want the compliance framework library to sit at the front of the compliance framework creation workflow, so that customers can skip or move through steps 4.1 to 4.4 as quickly and efficiently as possible.
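To make the evaluation step concrete, the following is an added illustration, not GitLab code and not this epic's design: a template expressed as requirements that own controls, and a function that evaluates constructed agent audit events against it and returns violations that link each agent action back to the control, requirement and framework it breached. The template layout, the control predicates, the requirement names, and the audit-event field names (`id`, `agent`, `action`, `approved_by_human`, `environment`, `log_retained`) are all assumptions chosen for the example; the sample events are constructed, not real audit events.

```python
"""Evaluate agent audit events against a compliance framework template.

Added illustration only: the template structure, control predicates and the
audit-event schema below are assumptions, not GitLab's data model or API.
"""
from dataclasses import dataclass
from typing import Callable

AuditEvent = dict  # assumed shape: {"id": str, "agent": str, "action": str, ...}


@dataclass(frozen=True)
class Control:
    id: str
    action: str                           # audit-event action this control watches
    passes: Callable[[AuditEvent], bool]  # True when the event satisfies the control


@dataclass(frozen=True)
class Requirement:
    name: str
    controls: tuple[Control, ...]


@dataclass(frozen=True)
class FrameworkTemplate:
    name: str
    requirements: tuple[Requirement, ...]


@dataclass(frozen=True)
class Violation:
    framework: str
    requirement: str
    control: str
    agent: str
    event_id: str


# Hypothetical template: two requirements loosely named after EU AI Act themes.
AI_ACT_TEMPLATE = FrameworkTemplate(
    name="EU AI Act (illustrative)",
    requirements=(
        Requirement(
            name="Human oversight",
            controls=(
                # An agent may only merge with a recorded human approval.
                Control("HO-1", "merge_request.merge",
                        lambda e: bool(e.get("approved_by_human"))),
                # Production deployments by an agent need a human approval too.
                Control("HO-2", "deployment.create",
                        lambda e: e.get("environment") != "production"
                        or bool(e.get("approved_by_human"))),
            ),
        ),
        Requirement(
            name="Record keeping",
            controls=(
                # Pipelines started by an agent must retain their logs.
                Control("RK-1", "pipeline.run",
                        lambda e: bool(e.get("log_retained"))),
            ),
        ),
    ),
)


def evaluate(template: FrameworkTemplate, events: list[AuditEvent]) -> list[Violation]:
    """Return one Violation per (event, control) pair where a control that
    watches the event's action is not satisfied. Events whose action is not
    watched by any control produce nothing."""
    violations: list[Violation] = []
    for ev in events:
        for req in template.requirements:
            for ctl in req.controls:
                if ctl.action == ev["action"] and not ctl.passes(ev):
                    violations.append(Violation(
                        template.name, req.name, ctl.id, ev["agent"], ev["id"]))
    return violations


def violations_by_requirement(violations: list[Violation]) -> dict[str, int]:
    """Compliance-visibility summary: number of violations per requirement."""
    counts: dict[str, int] = {}
    for v in violations:
        counts[v.requirement] = counts.get(v.requirement, 0) + 1
    return counts


# Constructed sample audit events (not real GitLab audit events).
SAMPLE_EVENTS = [
    {"id": "e1", "agent": "agent-a", "action": "merge_request.merge", "approved_by_human": True},
    {"id": "e2", "agent": "agent-a", "action": "merge_request.merge", "approved_by_human": False},
    {"id": "e3", "agent": "agent-b", "action": "deployment.create", "environment": "staging"},
    {"id": "e4", "agent": "agent-b", "action": "deployment.create", "environment": "production"},
    {"id": "e5", "agent": "agent-b", "action": "pipeline.run", "log_retained": False},
    {"id": "e6", "agent": "agent-c", "action": "issue.comment"},  # no control watches this action
]

if __name__ == "__main__":
    found = evaluate(AI_ACT_TEMPLATE, SAMPLE_EVENTS)
    for v in found:
        print(f"{v.framework}: {v.requirement} / {v.control} violated by {v.agent} (event {v.event_id})")
    print(violations_by_requirement(found))
```

Each `Violation` carries the framework, requirement and control names alongside the agent and event identifier, which is the minimum needed for the audit trail to connect a specific agent action to the regulatory requirement it breached. Against the sample events, `e2`, `e4` and `e5` are flagged and `e6` is ignored because no control watches its action.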
The template library could look something like the below (`only a mockup!`):

![Screenshot 2025-02-13 at 10.27.18 am.png](/uploads/f23c10024362946339423cf6f65143df/Screenshot_2025-02-13_at_10.27.18_am.png){width="1000" height="670"}

![Screenshot 2025-02-13 at 11.09.37 am.png](/uploads/90ed5caf846d0ace677af5103cb7c000/Screenshot_2025-02-13_at_11.09.37_am.png){width="1062" height="774"}

# Audit Event Integration

A key differentiator of this solution is the integration with agentic audit events. Framework requirements will be designed to accept audit event data from AI agents, enabling:

- Automatic evaluation of audit events against framework requirements
- Real-time violation detection when an audit event breaches a requirement's criteria
- Compliance visibility across AI agent actions throughout the DevSecOps lifecycle
- Audit trails that connect specific agent behaviors to regulatory requirements

# Persona

* [Cameron (Compliance Manager)](https://handbook.gitlab.com/handbook/product/personas/#cameron-compliance-manager)
* AI Governance Officers and Security Teams managing AI systems

# Next steps

* [ ] Create solution validation issue
* [ ] Have MoSCoW discussion or competitor analysis
* [ ] Create designs
* [ ] Start solution validation process
* [ ] Finalise design
* [ ] Close down research
* [ ] Start working on it

_This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc._

<!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->