Compliance Intelligence
IRIS runs a continuous intelligence loop: understand what you're building, map what regulations apply and why, and surface what to do next — offline first, continuously in IRIS Cloud.
The intelligence loop
| Stage | What IRIS does |
|---|---|
| Profile | Detect AI providers, frameworks, models, data categories, and deployment signals from your codebase and agent registry. |
| Obligations | Map the profile to applicable frameworks with triggered_by reasoning — which controls apply and why. |
| Next actions | Prioritize blockers and required items into a queue your team can work through. |
In IRIS Cloud, the loop runs continuously: profiles refresh as your fleet changes, obligations diff over time, evidence auto-satisfies controls, and posture trends surface drift before audit season.
Quickstart: offline scan
Your first five minutes — no account, no network calls.
iris compliance scan
Scans your project directory for AI providers (OpenAI, Anthropic, Google, AWS Bedrock), agent frameworks (LangChain, CrewAI, LlamaIndex), model identifiers, and sensitive data patterns. Evaluates against bundled regulatory registry rules with zero network access.
iris compliance scan --format json
Connect to IRIS Cloud
Push your local profile to enable continuous monitoring, team workflows, and evidence-backed obligation tracking.
iris compliance scan --push
After push, open the Compliance Intelligence page in the IRIS Cloud console to review obligations, update status, and track posture trends.
Local (free/OSS) vs IRIS Cloud
| Capability | Local (OSS) | IRIS Cloud |
|---|---|---|
| Workload detection scan | Yes | Yes |
| Framework mapping + triggered_by reasoning | Yes | Yes |
| Top recommended actions | Yes (top 5) | Yes (full prioritized queue) |
| Continuous monitoring | — | Yes |
| Evidence auto-satisfaction | — | Yes |
| Posture trends | — | Yes |
| Drift alerts | — | Yes |
| Agent registry merge | — | Yes |
| Team obligation workflows | — | Yes |
Not tracing. Not routing.
Running LiteLLM or Langfuse? Keep them. IRIS doesn't do routing or tracing — it tells you which regulations apply to what you built and proves it with tamper-evident evidence. See Evidence Vault for the append-only ledger and Persona Reports for auditor-ready packages.
Complements runtime governance. Compliance intelligence answers which rules apply. Cedar enforcement answers whether each call complies. Use both: iris compliance scan for obligations, iris policy compile + guarded SDK clients for runtime.