Persona Reports
Four consumption layers over the compliance intelligence loop — each report is built from live obligation findings, enforcement activity, and Evidence Vault records. Available in IRIS Cloud.
Four personas
| Report | Audience | What you get |
|---|---|---|
| Executive summary | Board, CEO, GC | Posture score (0–100), 30-day trend, top risks, frameworks in scope, agents governed, policies enforced, evidence record count. Export as PDF. |
| CISO report | Security leadership | Per-framework coverage (controls satisfied, open blockers, nearest deadlines), open findings list, 30-day enforcement stats (blocks, HITL approvals, violations by agent), admin activity summary. |
| Platform report | Platform / ML engineering | Agent inventory (framework, risk level, policy coverage, open blockers), blockers grouped by owner, drift events, provisioning health, quota usage bars. |
| Auditor packages | External assessors | Assessor-grade evidence bundle per framework — see below. |
Auditor packages (assessor-grade)
Built for Schellman, Coalfire, and similar SOC 2, ISO 42001, and FedRAMP engagements. Each package is deterministic, hash-verifiable, and re-fetchable.
Control matrix
One row per control in the selected framework. Each row includes:
- Control ID — bundle rule identifier (e.g. CO-001, B006)
- Control text — obligation description from the regulatory bundle
- Status — satisfied, open, in progress, or not evaluated
- Evidence refs — linked Evidence Vault records with SHA-256 hashes
- Gaps — recommended remediation when status is open
Evidence manifest
Sorted list of every evidence record referenced in the control matrix:
- evidence_id — vault record identifier
- sha256 — tamper-evident hash of the event payload
- agent_name, event_type, timestamp
- retention_until — computed from your plan's evidence retention policy
Assessors can independently verify any hash against Evidence Vault exports — no trust-the-vendor PDF required.
Deterministic package hash
Each package includes a package_hash: SHA-256 of the canonical JSON payload (sorted keys, no whitespace). The same inputs always produce the same hash. When you re-fetch a persisted artifact, IRIS recomputes the hash and confirms it matches — detecting any tampering between generation and handoff.
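An assessor-side check of the two hash layers described above, as an added example (not IRIS code). Assumptions: package_hash covers every field except package_hash itself, event payloads use the same canonical JSON form encoded as UTF-8, and the field names evidence_manifest, control_matrix, evidence_refs and the sample records are constructed for illustration.

```python
import hashlib
import hmac
import json

def canonical_bytes(obj):
    # Sorted keys, no whitespace, as the page describes. UTF-8 output with
    # ensure_ascii=False is an assumption about the producer's encoder.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def sha256_hex(obj):
    return hashlib.sha256(canonical_bytes(obj)).hexdigest()

def verify_package(package, exported_events):
    """Return a list of problems; an empty list means every hash matched."""
    problems = []
    # Assumption: the hash is taken over the package minus its own hash field.
    body = {k: v for k, v in package.items() if k != "package_hash"}
    if not hmac.compare_digest(sha256_hex(body), str(package.get("package_hash", ""))):
        problems.append("package_hash mismatch")
    # Check each manifest entry against the independently exported event.
    for entry in package.get("evidence_manifest", []):
        event = exported_events.get(entry["evidence_id"])
        if event is None:
            problems.append(f"{entry['evidence_id']}: missing from export")
        elif not hmac.compare_digest(sha256_hex(event), entry["sha256"]):
            problems.append(f"{entry['evidence_id']}: sha256 mismatch")
    return problems

def build_sample():
    # Constructed sample data, not real IRIS output.
    events = {
        "ev-0001": {"agent_name": "billing-agent", "event_type": "block",
                    "timestamp": "2025-01-01T00:00:00Z"},
        "ev-0002": {"agent_name": "support-agent", "event_type": "hitl_approval",
                    "timestamp": "2025-01-02T00:00:00Z"},
    }
    manifest = [{"evidence_id": eid, "sha256": sha256_hex(ev)}
                for eid, ev in sorted(events.items())]
    package = {"framework": "iso42001", "evidence_manifest": manifest,
               "control_matrix": [{"control_id": "CO-001", "status": "satisfied",
                                   "evidence_refs": ["ev-0001"]}]}
    package["package_hash"] = sha256_hex(package)
    return package, events

if __name__ == "__main__":
    pkg, evs = build_sample()
    print(verify_package(pkg, evs))          # []
    evs["ev-0002"]["event_type"] = "allow"   # simulate a modified export
    print(verify_package(pkg, evs))          # ['ev-0002: sha256 mismatch']
```

A change to any package field fails the outer check, while a change to an exported event fails only that record's manifest entry, so the report localizes what was altered.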
Persisted artifacts
Generated packages are stored as re-fetchable artifacts in your org. List prior packages, download JSON, or export PDF. Every generation writes an audit log entry with framework key and package hash.
Supported frameworks
Generate auditor packages for any framework in your obligation map — including SOC 2, ISO 42001, FedRAMP Moderate, HIPAA, EU AI Act, Colorado AI Act, AIUC-1, and others bundled in IRIS.
# Or via API (requires audit_export entitlement):
POST /reports/auditor-package?framework=iso42001
GET /reports/artifacts
GET /reports/artifacts/{id}
Plan availability
Persona reports are IRIS Cloud capabilities. Community (local OSS) does not include cloud reports. Paid cloud plans gate each layer:
| Capability | Reports included | Plans |
|---|---|---|
| basic_reporting | Platform report (agent inventory, blockers, drift, provisioning health) | Business, Trial, Enterprise, Partner |
| advanced_reporting | Executive summary + CISO report (posture score, framework coverage, enforcement stats) | Business, Trial, Enterprise, Partner |
| audit_export | Auditor packages (control matrix, evidence manifest, package hash, persisted artifacts) | Business, Trial, Enterprise, Partner |
The iris:auditor role has read-only access to intelligence and report endpoints — scoped for external assessors without write permissions.
Local alternative. For OSS-only workflows, iris certify and iris evidence report produce framework certification scores and evidence exports from your local vault. Auditor packages in IRIS Cloud add persisted artifacts, deterministic hashing, and multi-framework control matrices across your entire fleet.