What Is Compliance Mapping?
Compliance mapping is the process of linking architectural findings — dependency structures, access control patterns, data flow boundaries, and risk metrics — to specific controls within compliance frameworks such as SOC 2, HIPAA, PCI-DSS, NIST SSDF, GDPR, and CCPA. It produces evidence that architectural governance practices satisfy regulatory and industry requirements.
Why It Matters
Compliance audits require evidence. For process controls and infrastructure controls, evidence collection is well-established — access logs, change management records, and infrastructure configurations are readily available. For architectural controls, evidence is typically produced through self-assessment — an engineer states that the architecture meets a control requirement, and the auditor accepts or challenges that assertion.
Compliance mapping automates architectural evidence by extracting it directly from code analysis. Instead of an engineer asserting that "data flows are documented," the compliance mapping shows the actual data flow paths extracted from the dependency graph. Instead of asserting that "single points of failure are identified," the mapping shows the SPOF manifest with dependent counts.
This evidence is more reliable than self-assessment (it is extracted from code, not stated from memory), more current (it is generated from the latest scan, not the last time someone updated a spreadsheet), and more defensible under audit scrutiny.
How It Works
Compliance mapping operates by defining a mapping matrix between architectural analysis outputs and compliance framework controls.
For each compliance framework (SOC 2, HIPAA, etc.), the relevant architectural controls are identified — controls that relate to system architecture, data flow, access boundaries, change management, and risk assessment.
Each control is mapped to one or more architectural analysis outputs: dependency graphs satisfy documentation controls, SPOF analysis satisfies risk identification controls, blast radius data satisfies change impact controls, and supply chain audits satisfy vendor management controls.
The mapping engine evaluates the analysis results against each control and produces an evidence record: the control requirement, the architectural finding that addresses it, the data supporting the finding, and a compliance status (met, partially met, not met, not applicable).
The resulting compliance report is delivered in DOCX format for auditor consumption and JSON format for programmatic integration with GRC (Governance, Risk, and Compliance) systems.
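As an added illustration of the mapping matrix and evidence records described above (example code, not Axiom Refract's own engine): each rule links a control to one analysis output and a predicate that yields a status and the supporting data. The control IDs are placeholders and the scan results are constructed for the example.

```python
from typing import Any, Callable, NamedTuple

# Constructed scan results standing in for real analysis outputs (hypothetical).
ANALYSIS = {
    "dependency_graph": {"data_flow_paths": 12, "documented_paths": 10},
    "spof_manifest": [{"component": "auth-service", "dependents": 17},
                      {"component": "billing-db", "dependents": 9}],
    "supply_chain": {"third_party_packages": 0, "unreviewed_vendors": 0},
}

class Rule(NamedTuple):
    framework: str   # control ids below are placeholders, not real framework ids
    control: str
    requirement: str
    finding: str     # which analysis output answers the control
    evaluate: Callable[[Any], tuple[str, Any]]  # -> (status, supporting data)

def documented_flows(g):
    if g["data_flow_paths"] == 0:
        return "not applicable", g
    ratio = g["documented_paths"] / g["data_flow_paths"]
    status = "met" if ratio == 1 else "partially met" if ratio > 0 else "not met"
    return status, {**g, "coverage": round(ratio, 2)}

def spofs_identified(manifest):
    # The SPOF manifest with dependent counts is the evidence; an empty one is no finding.
    return ("met" if manifest else "not met"), manifest

def vendors_reviewed(sc):
    if sc["third_party_packages"] == 0:
        return "not applicable", sc
    return ("met" if sc["unreviewed_vendors"] == 0 else "partially met"), sc

RULES = [
    Rule("SOC 2", "PLACEHOLDER-DOC-1", "Data flows are documented", "dependency_graph", documented_flows),
    Rule("NIST SSDF", "PLACEHOLDER-RISK-1", "Single points of failure are identified", "spof_manifest", spofs_identified),
    Rule("PCI-DSS", "PLACEHOLDER-VENDOR-1", "Third-party components are reviewed", "supply_chain", vendors_reviewed),
]

def run_mapping(analysis, rules):
    """Produce one evidence record per control; a missing output is 'not met' with no data."""
    records = []
    for r in rules:
        output = analysis.get(r.finding)
        status, data = ("not met", None) if output is None else r.evaluate(output)
        records.append({"framework": r.framework, "control": r.control, "requirement": r.requirement,
                        "finding": r.finding, "data": data, "status": status})
    return records
```

The records are plain dicts, so `json.dumps(run_mapping(ANALYSIS, RULES), indent=2)` gives the JSON form a GRC system would ingest.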
How Axiom Refract Addresses This
- Axiom Refract maps architectural findings to nine compliance frameworks including SOC 2 Type II, HIPAA, PCI-DSS, NIST SSDF, GDPR, and CCPA
- Compliance evidence is extracted from code analysis, not self-assessed — providing independently verifiable architectural compliance artifacts
- The Assembler module produces compliance-mapped deliverables in DOCX and JSON formats as part of every scan