Compliance Mapping Guide

This guide covers how to map your TealTiger policies to regulatory and security compliance frameworks — how to track coverage, identify gaps, generate reports, and create custom frameworks for your organization’s needs.
Compliance features require authentication and a team workspace. See the Getting Started Guide for setup.

Supported Frameworks

The playground ships with five built-in compliance frameworks:
| Framework | ID | Version | Controls | Focus Area |
|---|---|---|---|---|
| OWASP Top 10 for Agentic Applications | owasp-asi-2024 | 1.0 | 10 | AI/LLM security risks |
| NIST AI Risk Management Framework | nist-ai-rmf-1.0 | 1.0 | 8 | AI risk governance |
| SOC2 Type II | soc2-type-ii | 2017 | 8 | Security and availability |
| ISO 27001:2022 | iso-27001-2022 | 2022 | 8 | Information security management |
| GDPR | gdpr-2018 | 2018 | 8 | Data protection and privacy |

OWASP Top 10 for Agentic Applications (ASI 2024)

| Code | Title | Category |
|---|---|---|
| ASI01 | Prompt Injection | Input Security |
| ASI02 | Sensitive Information Disclosure | Data Protection |
| ASI03 | Supply Chain Vulnerabilities | Supply Chain |
| ASI04 | Data and Model Poisoning | Model Security |
| ASI05 | Improper Output Handling | Output Security |
| ASI06 | Excessive Agency | Access Control |
| ASI07 | System Prompt Leakage | Configuration Security |
| ASI08 | Vector and Embedding Weaknesses | RAG Security |
| ASI09 | Misinformation | Content Quality |
| ASI10 | Unbounded Consumption | Resource Management |

Mapping Policies to Frameworks

How to Map a Policy

  1. Open a policy in your workspace
  2. Click the “Compliance” tab
  3. Select a framework from the Framework Selector dropdown
  4. Find the requirement and click “Map”
  5. Add a note explaining how the policy addresses the requirement
  6. Click Save

Mapping Rules

  • A single policy can be mapped to multiple requirements across different frameworks
  • Multiple policies can be mapped to the same requirement (shared coverage)
  • Duplicate mappings (same policy + same requirement) are rejected automatically
  • Mappings can be removed at any time; removal is logged in the audit trail

Coverage Tracking

Navigate to the Compliance Dashboard from the sidebar to see:
  • Coverage percentage per framework — (mapped requirements / total requirements) × 100
  • Mapped vs. unmapped requirement counts
  • Unmapped requirements highlighted for gap identification
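The mapping rules and the coverage figure above can be modelled in a few dozen lines. The following is an added example, not TealTiger's own code: the `ComplianceRegistry` class, its audit-event shape and the `output-scrubber` policy are assumptions made for the demo; the ASI control codes are the ones listed on this page. It shows why a requirement shared by several policies still counts only once toward coverage, why an exact duplicate mapping is rejected, and how the unmapped list is the gap report.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample data: the OWASP ASI 2024 controls listed on this page.
OWASP_ASI_2024 = [
    ("ASI01", "Prompt Injection"), ("ASI02", "Sensitive Information Disclosure"),
    ("ASI03", "Supply Chain Vulnerabilities"), ("ASI04", "Data and Model Poisoning"),
    ("ASI05", "Improper Output Handling"), ("ASI06", "Excessive Agency"),
    ("ASI07", "System Prompt Leakage"), ("ASI08", "Vector and Embedding Weaknesses"),
    ("ASI09", "Misinformation"), ("ASI10", "Unbounded Consumption"),
]


@dataclass
class ComplianceRegistry:
    """Requirements per framework plus policy-to-requirement mappings (hypothetical model)."""

    # framework id -> {requirement code: title}
    frameworks: dict[str, dict[str, str]]
    # (policy id, framework id, requirement code) -> mapping note
    mappings: dict[tuple[str, str, str], str] = field(default_factory=dict)
    audit_trail: list[dict[str, str]] = field(default_factory=list)

    def _check_requirement(self, framework_id: str, code: str) -> None:
        if framework_id not in self.frameworks:
            raise KeyError(f"unknown framework {framework_id!r}")
        if code not in self.frameworks[framework_id]:
            raise KeyError(f"unknown requirement {code!r} in {framework_id!r}")

    def map_policy(self, policy_id: str, framework_id: str, code: str, note: str) -> bool:
        """Map a policy to one requirement. Returns False when the same
        policy + requirement pair already exists (duplicates are rejected)."""
        self._check_requirement(framework_id, code)
        key = (policy_id, framework_id, code)
        if key in self.mappings:
            return False
        self.mappings[key] = note
        self.audit_trail.append({"event": "mapping.created", "policy": policy_id,
                                 "framework": framework_id, "code": code})
        return True

    def unmap_policy(self, policy_id: str, framework_id: str, code: str) -> bool:
        """Remove a mapping; the removal is recorded in the audit trail."""
        if self.mappings.pop((policy_id, framework_id, code), None) is None:
            return False
        self.audit_trail.append({"event": "mapping.removed", "policy": policy_id,
                                 "framework": framework_id, "code": code})
        return True

    def coverage(self, framework_id: str) -> dict:
        """Coverage = (mapped requirements / total requirements) x 100, plus the gap list.
        A requirement counts as mapped once, however many policies share it."""
        requirements = self.frameworks[framework_id]
        mapped = {code for (_, fw, code) in self.mappings if fw == framework_id}
        total = len(requirements)
        return {
            "total": total,
            "mapped": len(mapped),
            "unmapped": total - len(mapped),
            "coverage_pct": round(100 * len(mapped) / total, 1) if total else 0.0,
            "gaps": sorted(code for code in requirements if code not in mapped),
        }


def build_demo_registry() -> ComplianceRegistry:
    """Populate the registry with constructed policies based on this page's examples."""
    reg = ComplianceRegistry(frameworks={"owasp-asi-2024": dict(OWASP_ASI_2024)})
    reg.map_policy("pii-detection", "owasp-asi-2024", "ASI02",
                   "Detects and redacts PII patterns in LLM outputs")
    reg.map_policy("budget-enforcement", "owasp-asi-2024", "ASI10",
                   "Enforces per-request cost limits and daily budget caps")
    # Shared coverage: a second (constructed) policy also covers ASI02.
    reg.map_policy("output-scrubber", "owasp-asi-2024", "ASI02",
                   "Strips secrets from tool responses before they reach the model")
    return reg


if __name__ == "__main__":
    reg = build_demo_registry()
    # Mapping the same policy to the same requirement again is rejected.
    assert reg.map_policy("pii-detection", "owasp-asi-2024", "ASI02", "again") is False
    report = reg.coverage("owasp-asi-2024")
    print(f"coverage {report['coverage_pct']}% ({report['mapped']}/{report['total']})")
    print("gaps:", ", ".join(report["gaps"]))
```

Note that removing the `output-scrubber` mapping leaves ASI02 covered, because `pii-detection` still maps to it; coverage only drops when the last policy on a requirement is unmapped, which is why the dashboard reports requirement counts rather than mapping counts.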

Generating Compliance Reports

Generating a Report

  1. Open the Compliance Dashboard
  2. Click “Generate Report”
  3. Select a framework (or generate for all)
  4. Optionally filter by date range or policy state
  5. Click Generate

What’s in a Report

| Section | Contents |
|---|---|
| Executive Summary | Total policies, mapped policies, coverage percentage, average test coverage |
| Policy Details | Each policy with version, author, approval status, mapped requirements |
| Test Coverage | Test coverage metrics per policy |
| Audit Summary | Total changes, approvals, deployments; recent audit events |

Export Formats

  • PDF — formatted report with optional organization branding (name, logo, colors, footer)
  • CSV — tabular data for spreadsheet analysis

Creating Custom Frameworks

Define a custom framework using JSON:
```json
{
  "id": "my-org-framework-2026",
  "name": "My Organization Security Framework",
  "version": "1.0",
  "requirements": [
    {
      "id": "req-001",
      "frameworkId": "my-org-framework-2026",
      "code": "SEC-001",
      "title": "Input Validation",
      "description": "All AI inputs must be validated and sanitized",
      "category": "Input Security"
    }
  ]
}
```

Loading a Custom Framework

  1. Open the Compliance Dashboard
  2. Click “Add Custom Framework”
  3. Paste or upload your JSON definition
  4. Click Load Framework
The custom framework appears alongside built-in frameworks in the Framework Selector.
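Before pasting a definition into the dashboard it is worth checking it for the mistakes that make a framework unusable: a requirement whose `frameworkId` does not match the framework's `id`, duplicate requirement ids or codes (mappings point at these), and missing fields. The validator below is an added example, not TealTiger's loader; the field list is taken from the JSON shape shown above, while the specific checks and error messages are assumptions about what a sane loader should enforce. `GOOD_DEFINITION` is the page's example with a second requirement added; `BAD_DEFINITION` is constructed to trigger each check.

```python
import json

# Field names taken from the framework definition shown on this page.
FRAMEWORK_FIELDS = ("id", "name", "version", "requirements")
REQUIREMENT_FIELDS = ("id", "frameworkId", "code", "title", "description", "category")


def validate_framework(doc: dict) -> list[str]:
    """Return the problems found in a parsed definition; an empty list means loadable."""
    errors = [f"missing top-level field {f!r}" for f in FRAMEWORK_FIELDS if f not in doc]
    if errors:
        return errors
    reqs = doc["requirements"]
    if not isinstance(reqs, list) or not reqs:
        return ["'requirements' must be a non-empty list"]
    seen_ids: set[str] = set()
    seen_codes: set[str] = set()
    for i, req in enumerate(reqs):
        where = f"requirements[{i}]"
        if not isinstance(req, dict):
            errors.append(f"{where}: must be an object")
            continue
        missing = [f for f in REQUIREMENT_FIELDS if f not in req]
        if missing:
            errors.append(f"{where}: missing {', '.join(missing)}")
            continue
        # Every requirement must belong to the framework that declares it.
        if req["frameworkId"] != doc["id"]:
            errors.append(f"{where}: frameworkId {req['frameworkId']!r} "
                          f"does not match framework id {doc['id']!r}")
        # Ids and codes are what mappings and reports refer to, so both must be unique.
        if req["id"] in seen_ids:
            errors.append(f"{where}: duplicate requirement id {req['id']!r}")
        if req["code"] in seen_codes:
            errors.append(f"{where}: duplicate requirement code {req['code']!r}")
        seen_ids.add(req["id"])
        seen_codes.add(req["code"])
    return errors


def validate_framework_json(text: str) -> list[str]:
    """Parse the pasted or uploaded text, then validate the resulting object."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    if not isinstance(doc, dict):
        return ["top-level value must be a JSON object"]
    return validate_framework(doc)


# The page's example definition, extended with a second (constructed) requirement.
GOOD_DEFINITION = """{
  "id": "my-org-framework-2026",
  "name": "My Organization Security Framework",
  "version": "1.0",
  "requirements": [
    {"id": "req-001", "frameworkId": "my-org-framework-2026", "code": "SEC-001",
     "title": "Input Validation",
     "description": "All AI inputs must be validated and sanitized",
     "category": "Input Security"},
    {"id": "req-002", "frameworkId": "my-org-framework-2026", "code": "SEC-002",
     "title": "Output Encoding",
     "description": "Model output is encoded before it reaches downstream consumers",
     "category": "Output Security"}
  ]
}"""

# Constructed to fail: wrong frameworkId, duplicated code, and missing fields.
BAD_DEFINITION = """{
  "id": "my-org-framework-2026",
  "name": "My Organization Security Framework",
  "version": "1.0",
  "requirements": [
    {"id": "req-001", "frameworkId": "my-org-framework-2026", "code": "SEC-001",
     "title": "Input Validation", "description": "Validate inputs", "category": "Input Security"},
    {"id": "req-002", "frameworkId": "other-framework", "code": "SEC-001",
     "title": "Output Encoding", "description": "Encode outputs", "category": "Output Security"},
    {"id": "req-003", "frameworkId": "my-org-framework-2026", "code": "SEC-003",
     "title": "Logging"}
  ]
}"""

if __name__ == "__main__":
    print("good:", validate_framework_json(GOOD_DEFINITION) or "no problems")
    for problem in validate_framework_json(BAD_DEFINITION):
        print("bad: ", problem)
```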

Compliance Examples

Example: Mapping a PII Detection Policy to OWASP ASI02

  1. Open your pii-detection policy → Compliance tab
  2. Select OWASP ASI 2024
  3. Map to ASI02 — Sensitive Information Disclosure
  4. Note: “Detects and redacts PII patterns in LLM outputs including emails, phone numbers, and SSNs”

Example: Cross-Framework Mapping

A budget enforcement policy can map to controls across several frameworks:
| Framework | Control | Mapping Note |
|---|---|---|
| OWASP ASI 2024 | ASI10 — Unbounded Consumption | "Enforces per-request cost limits and daily budget caps" |
| NIST AI RMF | MANAGE-1.1 — Risk Response | "Implements automated cost risk response" |
| SOC2 Type II | A1.2 — Availability Monitoring | "Monitors API cost and usage in real-time" |

Best Practices

  • Start with OWASP ASI — most directly relevant for AI/LLM security policies
  • Map as you build — add compliance mappings when you create or update a policy
  • Write meaningful notes — explain specifically how the policy addresses the requirement
  • Aim for 100% on your primary framework — identify gaps early
  • Generate reports monthly — maintain a consistent compliance paper trail
  • Export as PDF for auditors — include your organization’s branding