
Compliance (Beta)

Manifest Platform provides a compliance management system that maps platform security controls to industry frameworks, tracks your organization's adherence, and generates the evidence artifacts needed for audits. Instead of maintaining compliance spreadsheets manually, you configure your target frameworks and the platform continuously evaluates your posture.


Supported Compliance Frameworks

| Framework | Focus | Controls Mapped |
|---|---|---|
| SOC 2 Type II | Security, availability, processing integrity, confidentiality, privacy | 85+ |
| ISO 27001:2022 | Information security management system (ISMS) | 90+ |
| HIPAA | Protected health information safeguards | 45+ |
| GDPR | EU data protection and individual rights | 50+ |
| NIST AI RMF 1.0 | AI risk governance, mapping, measurement, and management | 60+ |
| EU AI Act | Risk classification, transparency, and documentation for AI systems | 40+ |

Framework updates

When regulatory bodies release updated versions of these frameworks, Manifest Platform publishes updated control mappings. You receive a notification in the compliance dashboard when new mappings are available.


Compliance Dashboard

The compliance dashboard is the central hub for understanding your organization's compliance posture.

Overview Panel

The overview panel shows:

  • Compliance score per framework -- Percentage of controls satisfied, displayed as a gauge for each active framework
  • Control status breakdown -- Counts of controls in each state: Satisfied, Partially Satisfied, Not Satisfied, Not Applicable
  • Trend chart -- Compliance score over time, highlighting when scores improved or regressed
  • Action items -- Prioritized list of controls that need attention, sorted by risk severity

Control Detail View

Click any control to see:

  • Control description -- What the framework requires
  • Platform mapping -- Which Manifest Platform features satisfy this control
  • Evidence -- Automatically collected evidence (audit log excerpts, configuration snapshots, policy records)
  • Manual attestation -- Space for human reviewers to add notes, upload documents, and mark manual verification
  • Status history -- Timeline of when the control's status changed and why

Setting Up Compliance

Activating Frameworks

  1. Navigate to Security > Compliance
  2. Click Add Framework
  3. Select the target framework from the list
  4. Review the control inventory and mark any controls as Not Applicable for your organization
  5. Click Activate

Initial Assessment

After activating a framework, the platform runs an initial assessment that:

  1. Scans your current configuration (authentication settings, role assignments, audit log configuration, encryption settings)
  2. Evaluates each control against the detected configuration
  3. Assigns an initial status to each control
  4. Generates a gap report highlighting controls that require action

```mermaid
graph TD
    ACT["Activate Framework"] --> SCAN["Scan Configuration"]
    SCAN --> EVAL["Evaluate Controls"]
    EVAL --> SAT["Satisfied"]
    EVAL --> PART["Partially Satisfied"]
    EVAL --> NOT["Not Satisfied"]
    PART --> GAP["Gap Report"]
    NOT --> GAP
    GAP --> REMEDIATE["Remediation Actions"]
```

Policy Management

Policies are configurable rules that enforce compliance requirements across the platform. When a policy is active, the platform evaluates it continuously and flags violations.

Built-in Policies

Manifest Platform ships with policies mapped to common compliance requirements:

| Policy | Framework Mapping | What It Enforces |
|---|---|---|
| MFA Required | SOC 2 CC6.1, ISO 27001 A.8.5 | All users must have multi-factor authentication enabled |
| API Key Rotation | SOC 2 CC6.1, ISO 27001 A.8.5 | API keys must be rotated within a configured interval |
| Audit Log Retention | SOC 2 CC7.2, HIPAA 164.312(b) | Audit logs must be retained for the minimum period |
| Data Residency | GDPR Art. 44-49 | Data must remain within specified geographic regions |
| Model Allowlist | NIST AI RMF Map 1.1 | Only approved AI models may be used in production |
| PII Detection | GDPR Art. 5, HIPAA 164.502 | Agent inputs/outputs are scanned for personally identifiable information |
| Deployment Approval | SOC 2 CC8.1, ISO 27001 A.8.32 | Production deployments require approval from designated reviewers |

Creating Custom Policies

  1. Go to Security > Compliance > Policies
  2. Click Create Policy
  3. Define the policy rule using the policy builder
  4. Map the policy to one or more compliance controls
  5. Set the enforcement mode: Enforce (block violations) or Monitor (alert only)
  6. Click Save and Activate

Policy Violations

When a policy is violated, the platform:

  1. Records the violation in the audit log with event type policy.violation
  2. Updates the affected compliance control's status
  3. Sends a notification to the configured alert channel
  4. If the policy enforcement mode is Enforce, blocks the action that caused the violation

View violations in the Compliance > Violations tab.
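As an added illustration (not the platform's own code or API), the following Python model shows how the built-in policies above, their control mappings, the Enforce/Monitor modes, the control states and the `policy.violation` audit events described in this section fit together. The configuration snapshot, the 90-day rotation interval and the 365-day retention minimum are constructed values chosen for the example.

```python
# Constructed configuration snapshot standing in for what the initial assessment scans.
SNAPSHOT = {
    "users": [{"id": "alice", "mfa_enabled": True}, {"id": "bob", "mfa_enabled": False}],
    "api_keys": [{"id": "key-1", "age_days": 20}, {"id": "key-2", "age_days": 120}],
    "audit_log_retention_days": 400,
}
ROTATION_INTERVAL_DAYS = 90  # assumed value for the policy's "configured interval"
MIN_RETENTION_DAYS = 365     # assumed value for the retention policy's "minimum period"
RANK = {"Satisfied": 0, "Partially Satisfied": 1, "Not Satisfied": 2}

# Each check returns (subjects examined, subjects failing the policy).
def check_mfa(snap):
    ids = [u["id"] for u in snap["users"]]
    return ids, [u["id"] for u in snap["users"] if not u["mfa_enabled"]]
def check_key_rotation(snap):
    ids = [k["id"] for k in snap["api_keys"]]
    return ids, [k["id"] for k in snap["api_keys"] if k["age_days"] > ROTATION_INTERVAL_DAYS]
def check_retention(snap):
    ok = snap["audit_log_retention_days"] >= MIN_RETENTION_DAYS
    return ["audit-log"], [] if ok else ["audit-log"]

# Built-in policies from the table above: (name, mapped controls, enforcement mode, check).
POLICIES = [
    ("MFA Required", ["SOC 2 CC6.1", "ISO 27001 A.8.5"], "Enforce", check_mfa),
    ("API Key Rotation", ["SOC 2 CC6.1", "ISO 27001 A.8.5"], "Monitor", check_key_rotation),
    ("Audit Log Retention", ["SOC 2 CC7.2", "HIPAA 164.312(b)"], "Monitor", check_retention),
]

def evaluate(snap, policies=POLICIES):
    """Return (control -> status, list of policy.violation audit events)."""
    controls, events = {}, []
    for name, mapped, mode, check in policies:
        examined, failing = check(snap)
        status = ("Satisfied" if not failing else "Not Satisfied"
                  if len(failing) == len(examined) else "Partially Satisfied")
        for c in mapped:  # a control backed by several policies keeps its worst status
            if RANK[status] > RANK.get(controls.get(c), -1):
                controls[c] = status
        for subject in failing:  # Enforce blocks the action, Monitor only alerts
            events.append({"event": "policy.violation", "policy": name,
                           "subject": subject, "blocked": mode == "Enforce"})
    return controls, events

def framework_scores(controls):
    """Compliance score per framework: percentage of its mapped controls that are Satisfied."""
    per = {}
    for control, status in controls.items():
        per.setdefault(control.rsplit(" ", 1)[0], []).append(status == "Satisfied")
    return {fw: round(100 * sum(v) / len(v)) for fw, v in per.items()}
```

With this snapshot, `bob` produces a blocked violation under the Enforce-mode MFA policy while the stale `key-2` only alerts, and the shared SOC 2 CC6.1 control lands in Partially Satisfied because some, but not all, subjects pass.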


Compliance Reporting

Generate reports for internal reviews or external auditors.

Report Types

| Report | Contents |
|---|---|
| Posture Summary | High-level compliance scores, control status breakdown, and trend analysis |
| Gap Analysis | Controls that are not satisfied or partially satisfied, with remediation guidance |
| Evidence Package | Collected evidence for each control: audit log excerpts, configuration snapshots, policy records, and manual attestations |
| Control Matrix | Full mapping of platform controls to framework requirements, exportable as a spreadsheet |

Generating Reports

  1. Navigate to Security > Compliance > Reports
  2. Select the report type
  3. Choose the target framework(s) and date range
  4. Click Generate
  5. Download in PDF, CSV, or JSON format

Schedule recurring reports

Set up automated report generation on a weekly or monthly cadence. Reports are delivered to a configured email distribution list or saved to your organization's document store.


Continuous Compliance

Rather than treating compliance as a periodic exercise, Manifest Platform evaluates your posture continuously.

  • Real-time control evaluation -- When configuration changes, the platform re-evaluates affected controls immediately
  • Drift detection -- If a previously satisfied control falls out of compliance (e.g., a user disables MFA), the platform flags it within minutes
  • Automated evidence collection -- Audit logs, configuration snapshots, and policy evaluations are gathered automatically, reducing manual evidence preparation
  • Regression alerts -- Get notified when your compliance score drops below a threshold