Compliance Framework
How IronWorks tracks GDPR, CCPA, SOC 2, HIPAA, and PCI-DSS requirements across your AI workforce using the Compliance Director agent.
Overview
The IronWorks compliance framework is implemented through the Compliance Director — an AI agent role available exclusively on the Enterprise plan. The Compliance Director is not a checklist tool or a static policy document. It is an active agent that monitors your AI workforce's operations, flags regulatory gaps as they emerge, and produces structured compliance reports.
The key design principle is separation between detection and remediation. The Compliance Director can see everything, but it cannot change anything. When it identifies a gap, it creates a compliance-tagged issue and assigns it to the appropriate human or agent owner. Fixing the gap is a human decision. The Compliance Director's job is to make sure nothing goes unnoticed.
The Compliance Director reports directly to the CEO and operates independently from all other departments. This independence mirrors how human compliance functions work in regulated industries — the compliance officer should not report to the same person whose operations they are auditing.
Regulatory Frameworks Tracked
GDPR — General Data Protection Regulation
The Compliance Director monitors for GDPR obligations across the following areas:
- Lawful basis for processing — verifies that any data processing performed by AI agents has an identifiable lawful basis (consent, legitimate interest, contract performance, legal obligation)
- Data subject rights — flags if the system handles personal data in ways that would make subject access, erasure, or portability requests difficult to fulfill
- Data minimization — reviews agent configurations and playbooks for unnecessary collection or retention of personal data
- Breach notification timelines — monitors incident response playbooks to verify 72-hour notification obligations are captured in procedure
- International data transfers — flags any integrations or data flows that may involve transfers outside the EEA without appropriate safeguards
CCPA — California Consumer Privacy Act
For organizations with California residents as customers or employees, the Compliance Director tracks:
- Right to opt out of sale — reviews agent workflows for any data sharing that may constitute "sale" under CCPA definitions
- Consumer request handling — monitors whether processes exist to fulfill access, deletion, and correction requests within 45-day statutory timelines
- Privacy notice requirements — flags outdated or missing disclosures in agent-generated customer communications
- Sensitive personal information — identifies handling of CPRA-defined sensitive categories (health data, precise geolocation, financial data) and checks for appropriate consent mechanisms
SOC 2 — System and Organization Controls
The Compliance Director monitors all five SOC 2 Trust Service Criteria (TSC):
| Criteria | What the Compliance Director Monitors |
|---|---|
| Security | Access controls, encryption status, change management procedures, incident response procedures |
| Availability | Uptime monitoring configurations, disaster recovery procedures, capacity planning documentation |
| Confidentiality | Handling of confidential data categories, access restrictions, retention and disposal procedures |
| Processing Integrity | Completeness and accuracy of data processing, error detection and correction procedures |
| Privacy | Personal information collection, use, retention, disclosure, and disposal practices |
For organizations pursuing SOC 2 Type I or Type II certification, the Compliance Director can generate evidence summaries that align with the AICPA trust service criteria descriptions. These summaries are starting points for auditor review, not auditor output.
HIPAA — Health Insurance Portability and Accountability Act
For organizations handling protected health information (PHI), the Compliance Director monitors:
- PHI identification and handling — flags agent workflows or KB pages that contain or reference PHI categories (names, dates, geographic data, account numbers, biometric identifiers, and other HIPAA-defined identifiers)
- Minimum necessary standard — reviews whether agents access or transmit more PHI than is necessary for the stated purpose
- Business Associate Agreements (BAA) — flags integrations with third-party services that handle PHI and checks whether a BAA is documented
- Security Rule compliance — monitors administrative, physical, and technical safeguards relevant to the AI workforce (access controls, audit logs, encryption)
- Breach notification — verifies incident response procedures address HIPAA's 60-day notification obligation for breaches affecting 500+ individuals
PCI-DSS — Payment Card Industry Data Security Standard
For organizations that handle cardholder data, the Compliance Director monitors:
- Cardholder data environment (CDE) scope — flags agent workflows or integrations that may bring cardholder data into scope unexpectedly
- Access management — reviews whether access to cardholder data is restricted to agents and users with a documented need-to-know
- Logging and monitoring — verifies that audit trail coverage meets PCI-DSS Requirement 10 for systems that touch the CDE
- Network segmentation — flags configurations that might reduce segmentation between the CDE and other system components
- Vulnerability management — monitors whether security scanning and patching procedures for CDE systems are documented in playbooks
How the Compliance Director Creates Issues
When the Compliance Director identifies a compliance gap, it creates an issue with the following structure:
- Tag: `compliance` plus the relevant regulation (e.g., `gdpr`, `soc2`)
- Priority: Set based on severity — high for active violations or imminent deadlines, medium for gaps that need attention, low for documentation improvements
- Description: A plain-language explanation of the gap, the regulation it relates to, the potential consequence of inaction, and a suggested remediation path
- Assignee: The role best positioned to address the gap (e.g., security-related gaps go to the Security Engineer, data handling gaps go to the CEO or designated DPO)
The Compliance Director does not close issues. Closing a compliance issue requires human confirmation that the gap has been addressed. This is intentional — automated detection, human remediation.
Compliance Reports
The Compliance Director can generate structured compliance reports on demand or on a recurring schedule via a playbook. A standard compliance report includes:
- Open compliance issues by regulation and severity
- Issues closed since the last report (with resolution notes)
- Regulatory changes or upcoming deadlines relevant to tracked frameworks
- A summary assessment by framework: compliant, partially compliant, or requires attention
- Recommended next actions ranked by risk priority
Reports are created as Knowledge Base pages and filed as issues assigned to the CEO. They can be exported in JSON format via the standard KB export.
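The issue structure above and the per-framework summary in a compliance report can be checked mechanically. The following is an added example, not IronWorks code: it validates that a compliance-tagged issue carries the required tag, priority and assignee, enforces the detection/remediation split by rejecting any issue the detecting agent itself closed, and rolls open issues up into the compliant / partially compliant / requires attention status a report lists per framework. The field names (`tags`, `priority`, `assignee`, `status`, `closed_by`), the `compliance-director` identifier, the status thresholds and the sample issues are all assumptions made for the example.

```python
"""Added example (not IronWorks code): validate compliance-tagged issue records and
build the per-framework summary section of a compliance report.
Field names, the detector identifier and the status thresholds are assumptions."""

FRAMEWORKS = ("gdpr", "ccpa", "soc2", "hipaa", "pci-dss")
PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}
DETECTOR = "compliance-director"  # assumed identifier for the detecting agent


def validate_issue(issue):
    """Return the list of problems with one issue record; an empty list means it is well-formed."""
    problems = []
    tags = set(issue.get("tags", ()))
    if "compliance" not in tags:
        problems.append("missing 'compliance' tag")
    if not tags.intersection(FRAMEWORKS):
        problems.append("no regulation tag (gdpr, ccpa, soc2, hipaa, pci-dss)")
    if issue.get("priority") not in PRIORITY_RANK:
        problems.append("priority must be high, medium or low")
    if not issue.get("assignee"):
        problems.append("assignee is required")
    # Separation of detection and remediation: the detector may open issues but never close them.
    if issue.get("status") == "closed" and issue.get("closed_by") == DETECTOR:
        problems.append("detector may not close issues; closure requires a human")
    return problems


def framework_status(open_counts):
    """Map open-issue counts by priority to the report's three-level status (threshold rule assumed)."""
    if "high" in open_counts:
        return "requires attention"
    if open_counts:
        return "partially compliant"
    return "compliant"


def summarize(issues):
    """Build the per-framework summary plus a list of malformed records that were not counted."""
    report = {
        "frameworks": {fw: {"open": {}, "status": "compliant"} for fw in FRAMEWORKS},
        "malformed": [],
    }
    for issue in issues:
        problems = validate_issue(issue)
        if problems:
            # Surface malformed records instead of silently dropping them from the roll-up.
            report["malformed"].append((issue.get("title", "?"), problems))
            continue
        if issue.get("status") != "open":
            continue
        for fw in set(issue["tags"]).intersection(FRAMEWORKS):
            counts = report["frameworks"][fw]["open"]
            counts[issue["priority"]] = counts.get(issue["priority"], 0) + 1
    for entry in report["frameworks"].values():
        entry["status"] = framework_status(entry["open"])
    return report


def next_actions(issues):
    """Titles of open, well-formed issues ordered by risk priority (high first), as a report lists them."""
    open_issues = [i for i in issues if i.get("status") == "open" and not validate_issue(i)]
    open_issues.sort(key=lambda i: PRIORITY_RANK[i["priority"]])  # stable sort keeps filing order within a level
    return [i["title"] for i in open_issues]


# Constructed sample issues for the example; none of these come from a real IronWorks instance.
SAMPLE_ISSUES = [
    {"title": "Support playbook lacks a lawful basis for processing", "tags": ["compliance", "gdpr"],
     "priority": "high", "assignee": "ceo", "status": "open"},
    {"title": "No change-management procedure documented for agent config", "tags": ["compliance", "soc2"],
     "priority": "medium", "assignee": "security-engineer", "status": "open"},
    {"title": "CDE audit trail retention below Requirement 10", "tags": ["compliance", "pci-dss"],
     "priority": "low", "assignee": "security-engineer", "status": "closed", "closed_by": "security-engineer"},
    {"title": "Agent transmits more PHI than minimum necessary", "tags": ["compliance", "hipaa"],
     "priority": "high", "assignee": "security-engineer", "status": "closed", "closed_by": DETECTOR},
    {"title": "Privacy notice missing opt-out disclosure", "tags": ["compliance", "ccpa"],
     "priority": "urgent", "assignee": "ceo", "status": "open"},
]

if __name__ == "__main__":
    result = summarize(SAMPLE_ISSUES)
    for fw, entry in result["frameworks"].items():
        print(f"{fw:8} {entry['status']:22} open={entry['open']}")
    for title, problems in result["malformed"]:
        print("MALFORMED:", title, "->", "; ".join(problems))
    print("Next actions:", next_actions(SAMPLE_ISSUES))
```

The closed HIPAA record is reported as malformed rather than counted as resolved, which is the check a reviewer would want when the agent's own identifier appears in `closed_by`; a real report would feed the malformed list back to the CEO alongside the summary.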
Industry-Specific Regulations
Beyond the five core frameworks, the Compliance Director can be configured to track industry-specific requirements by updating its SOUL.md and AGENTS.md to include additional regulatory context. Examples include:
- FERPA — for education technology companies handling student records
- GLBA — for financial services firms subject to the Gramm-Leach-Bliley Act
- NIST CSF — for organizations using the NIST Cybersecurity Framework as a reference architecture
- ISO 27001 — for organizations pursuing information security management certification
- PIPEDA — for Canadian organizations handling personal information in commercial activities
Custom regulatory frameworks require manual configuration. Contact your account team for guidance on configuring the Compliance Director for industry-specific requirements beyond the five built-in frameworks.
Limitations
The Compliance Director is an AI monitoring layer, not a legal compliance service. Its output should be reviewed by qualified compliance professionals, not used as a substitute for legal advice. Specifically:
- The Compliance Director monitors what is visible within IronWorks — it cannot audit systems, contracts, or processes that exist outside the platform
- Regulatory interpretations can be jurisdiction-specific and fact-dependent. The Compliance Director applies general best practices, not legal opinions
- Regulatory frameworks evolve. The Compliance Director's monitoring rules are updated periodically, but there may be a lag between regulatory changes and updated monitoring logic
- The Compliance Director does not conduct penetration testing, vulnerability scanning, or code review — those functions belong to the Security Engineer
What to Read Next
To understand how the Compliance Director fits into the org chart and what permissions it holds, see Agents and Roles. To see the full Enterprise team pack configuration, see Team Packs. For the platform-level security controls the Compliance Director operates within, see Security and Privacy.
The Compliance Director is available exclusively on the Enterprise (Business) plan. View IronWorks pricing.