Metapowers

Compliance Domain Overview

A five-phase GRC Compliance Lifecycle with 48 skills across 30+ regulations covering scope, assessment, remediation, certification, and monitoring.

The Compliance plugin implements a full GRC (Governance, Risk, and Compliance) lifecycle, providing structured workflows for regulatory compliance management — from scoping applicable regulations through assessment, remediation, certification, and continuous monitoring.

The Five Phases

Phase      Skills   Command Prefix                              Purpose
Scope      4        /compliance:regulatory-landscape, etc.      Map the regulatory landscape, prioritize obligations, select control frameworks
Assess     30       /compliance:nis2, /compliance:gdpr, etc.    Run per-regulation compliance assessments across 30+ frameworks
Remediate  5        /compliance:gap-analysis, etc.              Analyze gaps, map controls, plan evidence collection and remediation
Certify    4        /compliance:audit-readiness, etc.           Prepare for audits, package evidence, track certifications
Monitor    4        /compliance:continuous-monitoring, etc.     Continuously monitor compliance posture, track renewals, report status

The Compliance Lifecycle

The methodology follows a structured compliance lifecycle:

Scope (Phase 0): Map the regulatory landscape for your organization, prioritize compliance obligations by risk and business impact, select control frameworks, and build a phased compliance roadmap.

Assess (Phase 1): Run detailed compliance assessments against 30+ regulations and frameworks. Each assessment evaluates your current posture, identifies gaps, and produces structured findings. This is the largest phase — assessments span security and trust frameworks (NIS2, SOC 2, ISO 27001), privacy regulations (GDPR, CCPA, LGPD), sector-specific requirements (HIPAA, PCI DSS, FedRAMP, DORA), BaaS obligations (KYC/AML, payment networks), AI governance (EU AI Act, ISO 42001), accessibility standards (EAA, ADA/WCAG), and operational frameworks (ISO 22301, vendor TPRM).

Remediate (Phase 2): Synthesize assessment findings into actionable remediation — gap analysis across all assessed regulations, control mapping to avoid duplicate work, evidence collection planning, policy gap identification, and implementation planning.

Certify (Phase 3): Prepare for formal audits and certifications — audit readiness assessments, evidence packaging, auditor selection guidance, and certification tracking.

Monitor (Phase 4): Maintain compliance posture post-certification — continuous monitoring strategies, regulatory change tracking, renewal calendar management, and compliance reporting.

Compliance as the Master Assessment Layer

Compliance is the master assessment layer in the GRC triad. While Legal drafts policies and Security implements technical controls, Compliance evaluates whether those controls actually satisfy regulatory requirements. The Compliance plugin reads artifacts from both the Legal and Security domains to produce its assessments.

Artifact Flow

Each phase reads from previous phases and writes to .metapowers/compliance/<topic>/:

.metapowers/compliance/<topic>/
  00-scope.md                  ← Scope phase output
  01-assess/                   ← Per-regulation assessment directory
    nis2.md
    soc2.md
    gdpr.md
    ...
  02-remediate.md              ← Remediate phase output
  03-certify.md                ← Certify phase output
  04-monitor.md                ← Monitor phase output

Utility Skills

Four utility skills work across all phases without prerequisites:

  • /compliance:compliance-questionnaire — Generate and answer compliance questionnaires
  • /compliance:cross-regulation-map — Map overlapping requirements across regulations
  • /compliance:compliance-score — Calculate compliance readiness scores
  • /compliance:regulation-research — Research specific regulations and requirements

Quality Gates

The plugin enforces phase ordering:

  • Soft gates check that Scope artifacts exist before running later phases
  • You can bypass with --skip-checks when needed (logged to skip-log.md)
  • Utility skills have no prerequisites
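The soft gate described above, written out as an added illustration rather than the plugin's own implementation: it checks for 00-scope.md under the topic directory before any later phase, and when the check is bypassed it appends an entry to skip-log.md. The topic name "acme-saas", the function names and the log line format are assumptions.

```python
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Phase outputs as laid out under .metapowers/compliance/<topic>/ on this page
PHASE_ARTIFACTS = {0: "00-scope.md", 1: "01-assess", 2: "02-remediate.md",
                   3: "03-certify.md", 4: "04-monitor.md"}

def check_phase_gate(root: Path, topic: str, phase: int, skip_checks: bool = False) -> dict:
    """Soft gate: every phase after Scope (0) requires 00-scope.md for the topic.
    Returns {"allowed", "skipped", "missing"}. With skip_checks=True the gate is
    bypassed, but the bypass is recorded in skip-log.md (hypothetical log format)."""
    topic_dir = root / ".metapowers" / "compliance" / topic
    missing = []
    if phase > 0 and not (topic_dir / PHASE_ARTIFACTS[0]).is_file():
        missing.append(PHASE_ARTIFACTS[0])
    if not missing:
        return {"allowed": True, "skipped": False, "missing": []}
    if not skip_checks:
        return {"allowed": False, "skipped": False, "missing": missing}
    topic_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    with (topic_dir / "skip-log.md").open("a", encoding="utf-8") as log:
        # One audit line per bypass so a reviewer can see which phase ran without Scope
        log.write(f"- {stamp} phase {phase} run with --skip-checks; missing: {', '.join(missing)}\n")
    return {"allowed": True, "skipped": True, "missing": missing}

def demo() -> dict:
    """Exercise the gate in a throwaway tree (constructed sample data, not real artifacts)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        topic_dir = root / ".metapowers" / "compliance" / "acme-saas"
        scope_ok = check_phase_gate(root, "acme-saas", 0)          # Scope itself has no gate
        blocked = check_phase_gate(root, "acme-saas", 1)           # Assess without Scope output
        skipped = check_phase_gate(root, "acme-saas", 1, skip_checks=True)
        log_entries = len((topic_dir / "skip-log.md").read_text().splitlines())
        (topic_dir / "00-scope.md").write_text("# Scope\n", encoding="utf-8")
        allowed = check_phase_gate(root, "acme-saas", 2)           # Remediate after Scope exists
        return {"scope_ok": scope_ok, "blocked": blocked, "skipped": skipped,
                "allowed": allowed, "log_entries": log_entries}

if __name__ == "__main__":
    print(demo())
```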

Important Disclaimer

All content generated by the Compliance plugin is AI-generated and intended for planning and documentation assistance purposes only. It does not replace professional legal advice, certified compliance audits, or regulatory counsel. Always have qualified compliance professionals and legal counsel review any compliance plans before relying on them for regulatory obligations.
