Compliance Reports
Generate audit-ready evidence for regulatory compliance.
Inkog generates compliance reports that map directly to EU AI Act articles, OWASP LLM Top 10, and NIST AI RMF controls.
Overview
Compliance reports serve multiple purposes:
- Internal Audits - Verify governance controls before deployment
- Regulatory Submissions - Evidence for EU AI Act compliance
- Customer Due Diligence - Proof of security posture for enterprise customers
- Insurance Applications - Demonstrate AI risk management
Generating Reports
Basic Compliance Scan
```bash
# Generate JSON compliance report
inkog . --policy eu-ai-act -output json > compliance_report.json
```
SARIF for GitHub Security
```bash
# Generate SARIF for GitHub Security tab
inkog . -output sarif > results.sarif
```
Governance-Focused Report
```bash
# Focus on governance controls only
inkog . --policy governance -output json > governance_report.json
```
Report Structure
Governance Score
The governance score (0-100) summarizes overall compliance:
```json
{
  "governance_score": 92,
  "eu_ai_act_readiness": "READY"
}
```
| Score | Readiness | Description |
|---|---|---|
| 90-100 | READY | Meets all governance requirements |
| 70-89 | PARTIAL | Some controls missing or incomplete |
| 0-69 | NOT_READY | Significant governance gaps |
Article Mapping
Each EU AI Act article is assessed individually:
```json
{
  "article_mapping": {
    "Article 14": {
      "article": "Article 14",
      "status": "PASS",
      "description": "Human Oversight",
      "finding_count": 0
    },
    "Article 12": {
      "article": "Article 12",
      "status": "PASS",
      "description": "Record-Keeping",
      "finding_count": 0
    },
    "Article 15": {
      "article": "Article 15",
      "status": "PARTIAL",
      "description": "Accuracy, Robustness and Cybersecurity",
      "finding_count": 2
    }
  }
}
```
Framework Mapping
Industry frameworks are also assessed:
```json
{
  "framework_mapping": {
    "OWASP LLM06": {
      "framework": "OWASP LLM06",
      "status": "PASS",
      "finding_count": 0
    },
    "NIST GOVERN 1.2": {
      "framework": "NIST GOVERN 1.2",
      "status": "PASS",
      "finding_count": 0
    },
    "ISO 42001": {
      "framework": "ISO 42001",
      "status": "PARTIAL",
      "finding_count": 1
    }
  }
}
```
Finding Details
Each finding includes compliance mapping:
```json
{
  "findings": [
    {
      "id": "finding-001",
      "pattern_id": "universal_missing_oversight",
      "file": "agent.py",
      "line": 42,
      "severity": "HIGH",
      "message": "High-risk action 'execute_trade' has no human approval gate",
      "risk_tier": "risk_pattern",
      "governance_category": "oversight",
      "compliance_mapping": {
        "eu_ai_act_articles": ["Article 14.1", "Article 14.4"],
        "nist_categories": ["GOVERN 4.1"],
        "owasp_items": ["LLM06"],
        "cwe_ids": ["CWE-1113"]
      }
    }
  ]
}
```
Using Reports
For Internal Audits
- Run Inkog before each deployment
- Review findings with the security team
- Fix any governance gaps
- Archive the passing report
```bash
# Pre-deployment check
inkog . --policy eu-ai-act -output json | tee deployment_audit_$(date +%Y%m%d).json
```
For Regulatory Submission
The EU AI Act requires documentation of compliance measures. Use Inkog reports as evidence:
```bash
# Generate timestamped compliance evidence
inkog . --policy eu-ai-act -output json > \
  compliance_evidence_$(date +%Y%m%d_%H%M%S).json
```
The report shows:
- Which controls are implemented
- How they were verified
- When the scan was performed
For CI/CD Integration
Block deployments that fail governance checks:
```yaml
# GitHub Actions example
- name: Governance Check
  run: |
    # GitHub Actions runs `run` steps with bash -e, so a failing inkog would
    # abort the step before a later `$?` check; test the command directly
    if ! inkog . --policy governance; then
      echo "Governance checks failed"
      exit 1
    fi
```
For Customer Due Diligence
Enterprise customers often require security evidence:
```bash
# Generate report for customer
inkog . --policy comprehensive -output json > security_posture.json
# Include in customer-facing documentation
jq '{
  governance_score,
  eu_ai_act_readiness,
  finding_summary: {
    total: (.findings | length),
    by_severity: (.findings | group_by(.severity) | map({(.[0].severity): length}) | add)
  }
}' security_posture.json
```
Report Retention
Maintain compliance reports for audit purposes:
| Purpose | Recommended Retention |
|---|---|
| Regulatory (EU AI Act) | Entire AI system lifespan |
| Internal Audit | 3 years minimum |
| Customer Evidence | Duration of contract |
| CI/CD History | 1 year minimum |
Best Practices
1. Automate Report Generation
Generate reports automatically as part of CI/CD:
```yaml
- name: Generate Compliance Report
  run: inkog . --policy eu-ai-act -output json > reports/compliance.json
- name: Upload Report
  uses: actions/upload-artifact@v3
  with:
    name: compliance-report
    path: reports/compliance.json
```
2. Track Trends Over Time
Store historical reports to track improvement:
```bash
# Store with timestamp
inkog . -output json > reports/$(date +%Y-%m-%d).json
# Compare to previous
diff <(jq .governance_score reports/2025-12-01.json) \
     <(jq .governance_score reports/2025-12-21.json)
```
3. Set Passing Thresholds
Define minimum acceptable scores:
```bash
# Require 90+ governance score
SCORE=$(inkog . --policy governance -output json | jq .governance_score)
if [ "$SCORE" -lt 90 ]; then
  echo "Governance score $SCORE is below threshold (90)"
  exit 1
fi
```
4. Generate Multiple Formats
Different stakeholders need different formats:
```bash
# For security team (JSON)
inkog . -output json > report.json
# For GitHub Security (SARIF)
inkog . -output sarif > report.sarif
# For executives (summary)
inkog . -output text
```
Example: Complete Compliance Workflow
```bash
#!/bin/bash
# compliance_check.sh
set -e

echo "Running EU AI Act compliance check..."

# Generate report
inkog . --policy eu-ai-act -output json > /tmp/compliance.json

# Check readiness
READINESS=$(jq -r '.eu_ai_act_readiness' /tmp/compliance.json)
SCORE=$(jq '.governance_score' /tmp/compliance.json)

echo "Governance Score: $SCORE/100"
echo "EU AI Act Readiness: $READINESS"

if [ "$READINESS" != "READY" ]; then
  echo ""
  echo "FAILING ARTICLES:"
  jq -r '.article_mapping | to_entries[] | select(.value.status != "PASS") | " - \(.key): \(.value.status)"' /tmp/compliance.json
  echo ""
  echo "FINDINGS:"
  jq -r '.findings[] | " - [\(.severity)] \(.message) (\(.file):\(.line))"' /tmp/compliance.json
  exit 1
fi

echo "All governance checks passed!"

# Archive passing report (create the archive directory if it is missing,
# otherwise cp fails and set -e aborts the script)
mkdir -p reports
cp /tmp/compliance.json "reports/compliance_$(date +%Y%m%d_%H%M%S).json"
```
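The bash workflow above can be reproduced and extended in Python once the gate logic grows beyond what jq expresses cleanly. The following is an added example, not Inkog's own code: it reads reports in the shape documented under Report Structure, derives the readiness band from the score table, applies the threshold and failing-article checks from "Set Passing Thresholds" and the complete workflow, and compares two runs for the regression tracking described under "Track Trends Over Time". The two sample reports are constructed inline, and the PASS > PARTIAL > other status ordering used for regression detection is an assumption made here.

```python
"""Summarize, gate and compare Inkog compliance reports (added example)."""
import json
import sys
from collections import Counter

# Status ordering for regression detection: higher is better. Only PASS and
# PARTIAL appear in the documented output; any other status is treated as
# worse than both (assumption).
STATUS_RANK = {"PASS": 2, "PARTIAL": 1}


def readiness_from_score(score):
    """Readiness band for a governance score, per the documented score table."""
    if score >= 90:
        return "READY"
    if score >= 70:
        return "PARTIAL"
    return "NOT_READY"


def summarize(report):
    """Collapse a report into the figures an auditor asks for first."""
    findings = report.get("findings", [])
    by_article = Counter()
    for f in findings:
        for art in f.get("compliance_mapping", {}).get("eu_ai_act_articles", []):
            by_article[art] += 1
    failing = sorted(
        name for name, art in report.get("article_mapping", {}).items()
        if art.get("status") != "PASS"
    )
    score = report["governance_score"]
    readiness = report["eu_ai_act_readiness"]
    return {
        "score": score,
        "readiness": readiness,
        # Cross-check the reported label against the documented score bands
        "readiness_consistent": readiness_from_score(score) == readiness,
        "failing_articles": failing,
        "findings_by_severity": dict(Counter(f["severity"] for f in findings)),
        "findings_by_article": dict(by_article),
    }


def gate(report, min_score=90):
    """Return (passed, reasons): threshold, readiness and per-article checks."""
    s = summarize(report)
    reasons = []
    if s["score"] < min_score:
        reasons.append(f"governance score {s['score']} below threshold {min_score}")
    if s["readiness"] != "READY":
        reasons.append(f"readiness is {s['readiness']}")
    for art in s["failing_articles"]:
        reasons.append(f"{art}: {report['article_mapping'][art]['status']}")
    return (not reasons, reasons)


def compare(previous, current):
    """Regressions between two runs: score drop and articles whose status worsened."""
    delta = current["governance_score"] - previous["governance_score"]
    regressions = []
    if delta < 0:
        regressions.append(f"governance score dropped by {-delta}")
    prev_arts = previous.get("article_mapping", {})
    for name, art in current.get("article_mapping", {}).items():
        if name not in prev_arts:
            continue  # no baseline for this article, nothing to compare
        before = prev_arts[name]["status"]
        if STATUS_RANK.get(art["status"], 0) < STATUS_RANK.get(before, 0):
            regressions.append(f"{name}: {before} -> {art['status']}")
    return {"score_delta": delta, "regressions": regressions}


# Constructed sample reports in the documented shape (not real scan output).
PREVIOUS_REPORT = json.loads("""{
  "governance_score": 92, "eu_ai_act_readiness": "READY",
  "article_mapping": {
    "Article 14": {"article": "Article 14", "status": "PASS", "description": "Human Oversight", "finding_count": 0},
    "Article 15": {"article": "Article 15", "status": "PASS", "description": "Accuracy, Robustness and Cybersecurity", "finding_count": 0}
  },
  "findings": []
}""")

CURRENT_REPORT = json.loads("""{
  "governance_score": 78, "eu_ai_act_readiness": "PARTIAL",
  "article_mapping": {
    "Article 14": {"article": "Article 14", "status": "PARTIAL", "description": "Human Oversight", "finding_count": 1},
    "Article 15": {"article": "Article 15", "status": "PASS", "description": "Accuracy, Robustness and Cybersecurity", "finding_count": 0}
  },
  "findings": [{"id": "finding-001", "pattern_id": "universal_missing_oversight", "file": "agent.py", "line": 42,
                "severity": "HIGH", "message": "High-risk action 'execute_trade' has no human approval gate",
                "governance_category": "oversight",
                "compliance_mapping": {"eu_ai_act_articles": ["Article 14.1", "Article 14.4"], "owasp_items": ["LLM06"]}}]
}""")

if __name__ == "__main__":
    print(json.dumps(summarize(CURRENT_REPORT), indent=2))
    print(json.dumps(compare(PREVIOUS_REPORT, CURRENT_REPORT), indent=2))
    passed, reasons = gate(CURRENT_REPORT)
    for r in reasons:
        print(f" - {r}")
    sys.exit(0 if passed else 1)
```

In CI, replace the constructed reports with `json.load(open(path))` on the archived files and let the non-zero exit from `gate` block the deployment; `compare` gives the per-article detail that the plain `diff` of two scores in section 2 does not.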