Compliance Intelligence

IRIS runs a continuous intelligence loop: understand what you're building, map what regulations apply and why, and surface what to do next — offline first, continuously in IRIS Cloud.

The intelligence loop

| Stage | What IRIS does |
| --- | --- |
| Profile | Detect AI providers, frameworks, models, data categories, and deployment signals from your codebase and agent registry. |
| Obligations | Map the profile to applicable frameworks with triggered_by reasoning — which controls apply and why. |
| Next actions | Prioritize blockers and required items into a queue your team can work through. |

In IRIS Cloud, the loop runs continuously: profiles refresh as your fleet changes, obligations diff over time, evidence auto-satisfies controls, and posture trends surface drift before audit season.

Quickstart: offline scan

Your first five minutes — no account, no network calls.

pip install iris-security-cli
iris compliance scan

The scan inspects your project directory for AI providers (OpenAI, Anthropic, Google, AWS Bedrock), agent frameworks (LangChain, CrewAI, LlamaIndex), model identifiers, and sensitive data patterns, then evaluates what it finds against the bundled regulatory registry rules with zero network access.

iris compliance scan --dir /path/to/project
iris compliance scan --format json

Connect to IRIS Cloud

Push your local profile to enable continuous monitoring, team workflows, and evidence-backed obligation tracking.

export IRIS_API_KEY=your-token
iris compliance scan --push

After push, open the Compliance Intelligence page in the IRIS Cloud console to review obligations, update status, and track posture trends.

Local (free/OSS) vs IRIS Cloud

| Capability | Local (OSS) | IRIS Cloud |
| --- | --- | --- |
| Workload detection scan | Yes | Yes |
| Framework mapping + triggered_by reasoning | Yes | Yes |
| Top recommended actions | Yes (top 5) | Yes (full prioritized queue) |
| Continuous monitoring | | Yes |
| Evidence auto-satisfaction | | Yes |
| Posture trends | | Yes |
| Drift alerts | | Yes |
| Agent registry merge | | Yes |
| Team obligation workflows | | Yes |

Not tracing. Not routing.

Running LiteLLM or Langfuse? Keep them. IRIS doesn't do routing or tracing — it tells you which regulations apply to what you built and proves it with tamper-evident evidence. See Evidence Vault for the append-only ledger and Persona Reports for auditor-ready packages.

Complements runtime governance. Compliance intelligence answers which rules apply. Cedar enforcement answers whether each call complies. Use both: iris compliance scan for obligations, iris policy compile + guarded SDK clients for runtime.