# Controls

> Org-level compliance controls that Policy Set Rules reference, mapped to specific regulatory frameworks.

A Control is an organization-level compliance requirement that [Policy Set](/governance/policy-sets) Rules reference and enforce. Controls let you define a requirement once — "redact SSNs in output," for example — and reuse it across every Policy Set and project that needs it, while keeping a single source of truth for audits.

## Fields

* **Name** (required)
* **Description** (optional)
* **Regulation** — the framework this control maps to: GDPR, HIPAA, SOC 2, ISO 27001, PCI DSS, CCPA, NIST AI RMF, EU AI Act, DORA, FedRAMP, PIPEDA, LGPD, MAS TRM, or APRA CPS 234
* **Severity** — `high`, `medium`, or `low`
* **Operator** — `ANY` or `ALL`, determining how the control's composed [Criteria](/compliance/criteria) combine to trigger the control
* **Composed Criteria** — the Criteria that make up this control

## Status

Controls move through `draft`, `pending_review`, `approved`, `rejected`, and `deprecated`. Only `approved` controls can be referenced by a Policy Set Rule.

## Where Controls are used

A Policy Set Rule references one or more Controls under its `controlNids`. When a request is evaluated, each referenced Control's Criteria are checked according to its operator (`ANY`/`ALL`), and the Rule's configured action (`block`, `flag`, `redact`, or `human_review`) is taken if the Control triggers.
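A minimal Python model of the evaluation described above, added here as an illustration; it is not Gegentic's implementation or API. Assumptions: Criteria are modelled as text predicates, a Control with no Criteria never triggers, a Rule fires when any referenced Control triggers, and a reference to a non-approved Control is rejected at evaluation time. The control identifiers and sample text are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Criterion = Callable[[str], bool]  # assumption: a Criterion is a predicate over text

@dataclass
class Control:
    name: str
    operator: str              # "ANY" or "ALL"
    status: str                # draft, pending_review, approved, rejected, deprecated
    criteria: List[Criterion]

    def triggers(self, text: str) -> bool:
        if not self.criteria:
            return False       # assumption: avoid all([]) == True firing on every request
        hits = (criterion(text) for criterion in self.criteria)
        if self.operator == "ANY":
            return any(hits)
        if self.operator == "ALL":
            return all(hits)
        raise ValueError(f"unknown operator {self.operator!r}")

@dataclass
class Rule:
    controlNids: List[str]     # field name from the page
    action: str                # block, flag, redact, or human_review

def evaluate(rule: Rule, controls: Dict[str, Control], text: str) -> Optional[str]:
    """Return the Rule's action if a referenced Control triggers, else None."""
    for nid in rule.controlNids:
        control = controls.get(nid)
        if control is None or control.status != "approved":
            raise ValueError(f"{nid!r} is not an approved control")
        if control.triggers(text):
            return rule.action
    return None

# Constructed sample criteria and controls (identifiers are hypothetical).
ssn_pattern = lambda t: bool(re.search(r"\b\d{3}-\d{2}-\d{4}\b", t))
ssn_keyword = lambda t: bool(re.search(r"\b(ssn|social security)\b", t, re.I))
CONTROLS = {
    "ctl-any": Control("Redact SSNs in output", "ANY", "approved", [ssn_pattern, ssn_keyword]),
    "ctl-all": Control("Redact SSNs in output", "ALL", "approved", [ssn_pattern, ssn_keyword]),
    "ctl-draft": Control("Unreviewed", "ANY", "draft", [ssn_pattern]),
}

if __name__ == "__main__":
    text = "Order ref 123-45-6789"   # constructed: pattern matches, keyword does not
    print(evaluate(Rule(["ctl-any"], "redact"), CONTROLS, text))
    print(evaluate(Rule(["ctl-all"], "redact"), CONTROLS, text))
```

With the same two Criteria, the `ANY` control fires on a bare number that looks like an SSN while the `ALL` control needs the keyword as well, which is the trade-off between over-redaction and missed matches to weigh when choosing the operator.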
