{
  "$schema": "https://privateflow.ai/schemas/compliance-framework-mapping-v1.json",
  "disclaimer": "Illustrative mock-only output. Does not represent a real audit, a real tenant, or a certified control mapping. It is a planning example, not a submission package, and uses simplified mock fields; every value has been synthesized.",
  "report": {
    "id": "rpt_illustrative_0001",
    "generatedAt": "2026-04-21T09:00:00Z",
    "scope": {
      "frameworks": ["ISO 27001:2022", "SOC 2 TSC 2017", "EU AI Act Annex III"],
      "asOf": "2026-04-20",
      "window": "Q1 2026"
    },
    "owner": {
      "tenantId": "your-tenant-id",
      "reviewer": "compliance-lead@your-org.example"
    }
  },
  "summary": {
    "controlsEvaluated": 148,
    "controlsOnTrack": 122,
    "gapsOpen": 17,
    "gapsClosedThisWindow": 9,
    "evidenceAttached": 284,
    "evidenceStale": 11,
    "overallReadiness": "On track with targeted remediation"
  },
  "controlRows": [
    {
      "frameworkId": "ISO 27001:2022 - A.5.23",
      "control": "Information security for use of cloud services",
      "evidenceKind": "vendor-review",
      "verdict": "allow",
      "lastEvidenceAt": "2026-04-17T14:22:11Z",
      "owner": "vendor-ops"
    },
    {
      "frameworkId": "ISO 27001:2022 - A.8.24",
      "control": "Use of cryptography",
      "evidenceKind": "key-rotation-log",
      "verdict": "review",
      "lastEvidenceAt": "2026-02-28T08:10:00Z",
      "owner": "security",
      "note": "Rotation log older than 60-day policy. Remediation scheduled."
    },
    {
      "frameworkId": "SOC 2 CC6.1",
      "control": "Logical and physical access controls",
      "evidenceKind": "access-review",
      "verdict": "allow",
      "lastEvidenceAt": "2026-04-12T16:44:08Z",
      "owner": "it-ops"
    },
    {
      "frameworkId": "SOC 2 CC7.2",
      "control": "Monitors system components and operation",
      "evidenceKind": "alert-coverage-scan",
      "verdict": "review",
      "lastEvidenceAt": "2026-04-03T11:02:55Z",
      "owner": "sre",
      "note": "Two new services missing standard alert routing."
    },
    {
      "frameworkId": "EU AI Act Art. 9",
      "control": "Risk management system",
      "evidenceKind": "risk-register-snapshot",
      "verdict": "allow",
      "lastEvidenceAt": "2026-04-18T09:30:00Z",
      "owner": "ai-governance"
    },
    {
      "frameworkId": "EU AI Act Art. 14",
      "control": "Human oversight",
      "evidenceKind": "hitl-trace-sample",
      "verdict": "allow",
      "lastEvidenceAt": "2026-04-18T09:31:41Z",
      "owner": "ai-governance"
    },
    {
      "frameworkId": "EU AI Act Art. 15",
      "control": "Accuracy, robustness, and cybersecurity",
      "evidenceKind": "eval-run-summary",
      "verdict": "block",
      "lastEvidenceAt": "2026-04-20T07:55:02Z",
      "owner": "ml-quality",
      "note": "Open gap: evaluation coverage below target for one deployed agent. Remediation window: 14 days."
    }
  ],
  "nextSteps": [
    {
      "gapId": "gap-0471",
      "target": "ISO 27001:2022 - A.8.24 - Use of cryptography",
      "remediationDue": "2026-05-12",
      "owner": "security"
    },
    {
      "gapId": "gap-0472",
      "target": "SOC 2 CC7.2 - Monitors system components",
      "remediationDue": "2026-05-05",
      "owner": "sre"
    },
    {
      "gapId": "gap-0473",
      "target": "EU AI Act Art. 15 - Accuracy, robustness, cybersecurity",
      "remediationDue": "2026-05-04",
      "owner": "ml-quality"
    }
  ]
}