A Control is an organization-level compliance requirement that Policy Set Rules reference and enforce. Controls let you define a requirement once — “redact SSNs in output,” for example — and reuse it across every Policy Set and project that needs it, while keeping a single source of truth for audits.

Fields

  • Name (required)
  • Description (optional)
  • Regulation — the framework this control maps to: GDPR, HIPAA, SOC 2, ISO 27001, PCI DSS, CCPA, NIST AI RMF, EU AI Act, DORA, FedRAMP, PIPEDA, LGPD, MAS TRM, or APRA CPS 234
  • Severity — high, medium, or low
  • Operator — ANY or ALL, determining how the control’s composed Criteria combine to trigger the control
  • Composed Criteria — the Criteria that make up this control

Status

Controls move through draft, pending_review, approved, rejected, and deprecated. Only approved controls can be referenced by a Policy Set Rule.

Where Controls are used

A Policy Set Rule references one or more Controls under its controlNids. When a request is evaluated, each referenced Control’s Criteria are checked according to its operator (ANY/ALL), and the Rule’s configured action (block, flag, redact, or human_review) is taken if the Control triggers.
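The evaluation flow above, as an added example that is not part of the original page or the product’s own code: a constructed in-memory model in which a Rule references Controls by nid, each Control combines its Criteria with ANY or ALL, and only approved Controls may be referenced. The class names, the sample criteria (an SSN pattern and a “patient” keyword) and the nids are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical model of the Control / Policy Set Rule semantics described on this page;
# the real product's data model and API are not shown here.
Criterion = Callable[[str], bool]  # a Criterion inspects the text and reports whether it matched

@dataclass
class Control:
    nid: str
    name: str
    severity: str          # high | medium | low
    operator: str          # ANY | ALL: how the composed Criteria combine
    criteria: list         # the composed Criteria
    status: str = "draft"  # draft | pending_review | approved | rejected | deprecated

    def triggers(self, text: str) -> bool:
        results = [criterion(text) for criterion in self.criteria]
        return any(results) if self.operator == "ANY" else all(results)

@dataclass
class PolicySetRule:
    control_nids: list  # the controlNids this Rule references
    action: str         # block | flag | redact | human_review

def evaluate(rule: PolicySetRule, controls: dict, text: str) -> tuple:
    """Return (action, names of triggered Controls); action is None when nothing triggers."""
    triggered = []
    for nid in rule.control_nids:
        control = controls[nid]
        if control.status != "approved":  # only approved Controls can be referenced by a Rule
            raise ValueError(f"Control {nid} is {control.status}; only approved Controls may be referenced")
        if control.triggers(text):
            triggered.append(control.name)
    return (rule.action if triggered else None), triggered

# Constructed sample criteria and Controls (not real product data).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
contains_ssn = lambda t: bool(SSN_RE.search(t))
mentions_patient = lambda t: "patient" in t.lower()

CONTROLS = {
    "ctl-ssn": Control("ctl-ssn", "Redact SSNs in output", "high", "ANY", [contains_ssn], "approved"),
    "ctl-phi": Control("ctl-phi", "Patient data with SSN", "high", "ALL", [contains_ssn, mentions_patient], "approved"),
    "ctl-old": Control("ctl-old", "Retired check", "low", "ANY", [contains_ssn], "deprecated"),
}
REDACT_RULE = PolicySetRule(["ctl-ssn", "ctl-phi"], "redact")

if __name__ == "__main__":
    print(evaluate(REDACT_RULE, CONTROLS, "Patient record: SSN 123-45-6789"))
```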