Intelligence & reporting

Persona Reports

Four consumption layers over the compliance intelligence loop — each report is built from live obligation findings, enforcement activity, and Evidence Vault records. Available in IRIS Cloud.

Four personas

| Report | Audience | What you get |
| --- | --- | --- |
| Executive summary | Board, CEO, GC | Posture score (0–100), 30-day trend, top risks, frameworks in scope, agents governed, policies enforced, evidence record count. Export as PDF. |
| CISO report | Security leadership | Per-framework coverage (controls satisfied, open blockers, nearest deadlines), open findings list, 30-day enforcement stats (blocks, HITL approvals, violations by agent), admin activity summary. |
| Platform report | Platform / ML engineering | Agent inventory (framework, risk level, policy coverage, open blockers), blockers grouped by owner, drift events, provisioning health, quota usage bars. |
| Auditor packages | External assessors | Assessor-grade evidence bundle per framework — see below. |

Auditor packages (assessor-grade)

Built for Schellman, Coalfire, and similar SOC 2, ISO 42001, and FedRAMP engagements. Each package is deterministic, hash-verifiable, and re-fetchable.

Control matrix

One row per control in the selected framework. Each row includes:

Evidence manifest

Sorted list of every evidence record referenced in the control matrix:

Assessors can independently verify any hash against Evidence Vault exports — no trust-the-vendor PDF required.

Deterministic package hash

Each package includes a package_hash: SHA-256 of the canonical JSON payload (sorted keys, no whitespace). The same inputs always produce the same hash. When you re-fetch a persisted artifact, IRIS recomputes the hash and confirms it matches — detecting any tampering between generation and handoff.
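An assessor-side recomputation of the package hash described above, as an added example that is not IRIS code. It assumes the hash covers every top-level field except package_hash, UTF-8 encoding, and a hex digest; the sample package and every field name other than package_hash are constructed for illustration.

```python
import hashlib
import hmac
import json

HASH_FIELD = "package_hash"  # field name taken from the page


def canonical_bytes(payload):
    """Canonical JSON as the page describes it: sorted keys, no whitespace."""
    return json.dumps(
        payload,
        sort_keys=True,
        separators=(",", ":"),
        ensure_ascii=False,  # assumption: raw UTF-8 rather than \u escapes
        allow_nan=False,     # NaN/Infinity are not valid JSON; refuse them
    ).encode("utf-8")


def compute_package_hash(package):
    # Assumption: the hash field itself is excluded from the hashed payload.
    payload = {k: v for k, v in package.items() if k != HASH_FIELD}
    return hashlib.sha256(canonical_bytes(payload)).hexdigest()


def verify_package(package):
    """Return True only if the claimed hash matches the recomputed one."""
    claimed = package.get(HASH_FIELD)
    if not isinstance(claimed, str):
        return False
    expected = compute_package_hash(package)
    # Constant-time comparison on bytes; tolerate upper-case hex in the claim.
    return hmac.compare_digest(claimed.lower().encode(), expected.encode())


# Constructed sample package (hypothetical field names and values).
SAMPLE = {
    "framework": "iso42001",
    "control_matrix": [{"control_id": "CTRL-1", "evidence_ids": ["ev-001", "ev-002"]}],
    "evidence_manifest": [
        {"id": "ev-001", "sha256": "11" * 32},
        {"id": "ev-002", "sha256": "22" * 32},
    ],
}
SAMPLE[HASH_FIELD] = compute_package_hash(SAMPLE)

if __name__ == "__main__":
    print("package verifies:", verify_package(SAMPLE))
```

Key order and whitespace in the downloaded JSON do not affect the result, but array order does, because sorting keys does not reorder lists.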

Persisted artifacts

Generated packages are stored as re-fetchable artifacts in your org. List prior packages, download JSON, or export PDF. Every generation writes an audit log entry with framework key and package hash.

Supported frameworks

Generate auditor packages for any framework in your obligation map — including SOC 2, ISO 42001, FedRAMP Moderate, HIPAA, EU AI Act, Colorado AI Act, AIUC-1, and others bundled in IRIS.

# IRIS Cloud console → Reports → Auditor Package
# Or via API (requires audit_export entitlement):
POST /reports/auditor-package?framework=iso42001
GET /reports/artifacts
GET /reports/artifacts/{id}

Plan availability

Persona reports are IRIS Cloud capabilities. Community (local OSS) does not include cloud reports. Paid cloud plans gate each layer:

| Capability | Reports included | Plans |
| --- | --- | --- |
| basic_reporting | Platform report (agent inventory, blockers, drift, provisioning health) | Business, Trial, Enterprise, Partner |
| advanced_reporting | Executive summary + CISO report (posture score, framework coverage, enforcement stats) | Business, Trial, Enterprise, Partner |
| audit_export | Auditor packages (control matrix, evidence manifest, package hash, persisted artifacts) | Business, Trial, Enterprise, Partner |

The iris:auditor role has read-only access to intelligence and report endpoints — scoped for external assessors without write permissions.

Local alternative. For OSS-only workflows, iris certify and iris evidence report produce framework certification scores and evidence exports from your local vault. Auditor packages in IRIS Cloud add persisted artifacts, deterministic hashing, and multi-framework control matrices across your entire fleet.