# Compliance Packs
Compliance Packs are pre-built sets of CHAM policies designed to align your AI governance with specific regulatory frameworks.
## Overview
Configuring governance policies from scratch for every regulatory requirement is time-consuming and error-prone. Compliance Packs give you a head start by providing curated policy sets mapped to the requirements of major compliance frameworks. Apply a pack with one click and get immediate governance coverage for a specific regulation.
## Available Packs

### HIPAA -- 8 Policies

For organizations handling protected health information (PHI):
| Policy | Purpose |
|---|---|
| PHI Access Control | Restricts which agents can access PHI-related services |
| Minimum Necessary | Enforces minimum necessary data access principle |
| Audit Logging | Ensures all PHI-related actions are fully logged |
| Encryption Requirement | Blocks actions that would transmit PHI without encryption |
| Access Revocation | Enforces immediate grant revocation on deauthorization |
| Breach Notification Trigger | Flags potential breach scenarios for immediate review |
| Business Associate Check | Validates third-party service authorization |
| Data Retention Limit | Enforces data retention windows on stored PHI |
### SOC 2 -- 10 Policies

For organizations pursuing or maintaining SOC 2 compliance:
| Policy | Purpose |
|---|---|
| Change Management | Requires approval for production changes |
| Access Review | Enforces periodic access grant reviews |
| Incident Response | Triggers alerts on anomalous governance events |
| Logical Access Control | Restricts actions based on agent role and scope |
| Data Classification | Enforces handling rules based on data sensitivity |
| Monitoring and Alerting | Ensures continuous governance monitoring |
| Vendor Management | Validates actions targeting third-party services |
| Encryption in Transit | Blocks unencrypted outbound data actions |
| Availability SLA | Rate-limits agent actions to prevent agent-caused outages |
| Audit Trail Integrity | Enforces hash chain verification schedules |
### GDPR -- 9 Policies

For organizations processing data of EU residents:
| Policy | Purpose |
|---|---|
| Lawful Basis Check | Requires documented lawful basis for data processing |
| Data Minimization | Restricts data collection to stated purposes |
| Right to Erasure | Supports data deletion action workflows |
| Consent Verification | Validates consent before processing personal data |
| Cross-Border Transfer | Blocks transfers to non-adequate jurisdictions without safeguards |
| Data Protection Impact | Flags high-risk processing for DPIA review |
| Breach Notification | Triggers 72-hour notification workflow on detection |
| Record of Processing | Maintains processing activity records |
| Purpose Limitation | Blocks actions that use data beyond stated purposes |
### FINRA + SOX -- 8 Policies

For financial services organizations:
| Policy | Purpose |
|---|---|
| Trade Surveillance | Monitors agent actions involving trade execution |
| Communication Archive | Ensures all outbound communications are archived |
| Segregation of Duties | Prevents single agents from executing conflicting actions |
| Material Change Control | Requires multi-level approval for material changes |
| Financial Data Integrity | Validates data accuracy for financial reporting actions |
| Insider Trading Prevention | Blocks actions during restricted trading windows |
| Regulatory Reporting | Ensures timely filing of required reports |
| Record Retention | Enforces retention schedules for governed financial actions |
### EU AI Act -- 9 Policies

For organizations deploying AI within EU jurisdiction:
| Policy | Purpose |
|---|---|
| Risk Classification | Classifies agent actions by EU AI Act risk categories |
| High-Risk Oversight | Enforces human oversight for high-risk AI operations |
| Transparency | Requires disclosure when AI is acting autonomously |
| Technical Documentation | Validates that actions reference documented AI systems |
| Conformity Assessment | Triggers assessment workflow for new agent registrations |
| Prohibited Practice Block | Blocks actions classified as prohibited under the Act |
| Bias Detection | Flags actions with potential discriminatory outcomes |
| Post-Market Monitoring | Ensures ongoing monitoring of deployed AI actions |
| Incident Reporting | Triggers reporting workflow for serious AI incidents |
### NIST AI RMF -- 7 Policies

Aligned with the NIST AI Risk Management Framework:
| Policy | Purpose |
|---|---|
| Risk Identification | Tags actions with identified AI risk categories |
| Impact Assessment | Requires impact analysis for high-consequence actions |
| Continuous Monitoring | Enforces ongoing governance telemetry |
| Accountability Assignment | Requires named responsible party for governed actions |
| Bias and Fairness | Flags actions for fairness review |
| Explainability | Requires governance reasoning for all decisions |
| Lifecycle Governance | Enforces governance across the full AI lifecycle |
## Applying a Compliance Pack

1. Navigate to Compliance Packs in the sidebar
2. Select the pack you want to apply
3. Review the policies that will be created
4. Click Apply Pack
5. The policies are created in an active state and immediately begin governing actions
**TIP:** You can apply multiple packs. If two packs contain overlapping policies, the more restrictive policy takes precedence. After applying multiple packs, review the resulting policies for conflicts.
**WARNING:** Compliance packs provide a strong starting point but are not a substitute for legal and compliance review. Each pack is designed to map to the regulatory framework's requirements, but your organization's specific implementation may require additional policies or configuration adjustments.
## Customizing Pack Policies

After applying a pack, all created policies are fully editable. You can:
- Adjust thresholds and configuration values
- Deactivate policies that do not apply to your use case
- Add supplemental policies for requirements unique to your organization
## Related Features
- Governance Policies -- View and manage all policies including pack-created ones
- Framework Builder -- Generate a complete governance framework for your organization
- Threat Simulation -- Test compliance pack policies against attack scenarios