
# Compliance overview

{% hint style="info" %}
This feature is currently in Early Access. Contact us if you'd like to have this enabled for your tenant(s).
{% endhint %}

Compliance helps you measure how your environment aligns with supported frameworks such as SOC 2, ISO 27001, and HIPAA.

It evaluates connected integrations against framework criteria and surfaces violations, exceptions, and suppressions in one place.

This gives admins and risk managers a shared view of current posture, while keeping configuration controls separate from day-to-day monitoring.

Use [Compliance controls](/compliance-controls-and-posture/compliance-controls.md) to configure the model, and use [Compliance posture](/compliance-controls-and-posture/compliance-posture.md) to review live results.


***

### What you can do

* Monitor compliance posture across active frameworks.
* Suppress noise when a criterion does not apply.
* Accept risk with [scoped exceptions](/compliance-controls-and-posture/suppressions-and-exceptions.md#exceptions).
* Recompute violations after sync or configuration changes.

***

### Two work areas

#### Compliance Controls

Use [Compliance controls](/compliance-controls-and-posture/compliance-controls.md) in **Settings → Compliance** to manage how compliance is evaluated.

This area is available to admins. From here, you can:

* browse frameworks and criteria,
* add suppressions and create exception rules,
* review framework mappings and status,
* and queue a compliance recompute after configuration changes.

#### Compliance Posture

Use [Compliance posture](/compliance-controls-and-posture/compliance-posture.md) in **Dashboard → Compliance Posture** to monitor current results.

This area is available to admins and risk managers. From here, you can:

* review framework and criteria health,
* drill into framework summaries and severity trends,
* browse violations with filtering by entity, integration, and status,
* and add inline exceptions while reviewing live violations.

Separating controls from posture keeps configuration work with admins, while still letting risk managers manage accepted risk during review.

***

### How compliance violations work

Compliance violations are computed in the background.

The compute job evaluates entities (identities, resources, connections, and credentials) across your connected integrations.

Each framework criterion maps to one or more *controls*. When an entity fails a mapped control, BalkanID records a compliance violation with the relevant framework, criterion, severity, entity, integration, and source context.

You do not need to manage the underlying control types differently in everyday use (these are seeded by us). What matters in the UI is that a criterion is backed by one or more controls, and a failed control can produce one or more framework violations.

#### When computation runs

Compliance recomputes automatically when an integration sync introduces changes that can affect posture. For more on connected systems and their sync context, see [Viewing your application integrations](/getting-started/entitlement-data-discovery/viewing-your-application-integrations.md) and [Application Integrations](/getting-started/setting-up-your-tenant/application-integrations.md).

Admins can also queue a manual recompute from [Compliance controls](/compliance-controls-and-posture/compliance-controls.md#recompute-compliance-violations).

Manual recompute supports either:

* a single integration, or
* all integrations.

This is useful after changing suppressions, exceptions, or control configuration, or after enabling new framework coverage.

#### Out-of-date posture warning

If control configuration changed after the last scan, BalkanID shows a warning on the posture summary.

This warning means the displayed statistics may no longer reflect the latest configuration.

Run a recompute from [Compliance controls](/compliance-controls-and-posture/compliance-controls.md#recompute-compliance-violations) to refresh posture data.

***

### Severity levels

Criteria and violations use five severity levels:

1. Critical
2. High
3. Medium
4. Low
5. Informational

These levels appear throughout the experience as colored risk chips. They help teams prioritize review and remediation.

***

### Criteria health states

* **Passing** — No active violations exist for the criterion.
* **Failing** — Active violations still need attention.
* **Passing with Exceptions** — All violations are excepted.
* **Fully Suppressed** — A blanket suppression covers the criterion.

These health states appear in [framework summaries and criteria tables](/compliance-controls-and-posture/compliance-posture.md#framework-detail-view). They help distinguish real control gaps from accepted risk and intentionally hidden noise. For the behavioral difference between hidden and visible risk, see [Suppressions and exceptions](/compliance-controls-and-posture/suppressions-and-exceptions.md).
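
A minimal model of the evaluation and health states described above, added here as an illustration and not BalkanID's implementation or API: one failed control fans out to every criterion it backs, and each criterion's health state is derived from its violations. The control names, criterion ids, integration names, data shapes, and the choice to check suppression first are assumptions.

```python
from collections import defaultdict

# Constructed sample model; every name below is hypothetical.
# (framework, criterion) -> controls that back it.
CRITERIA = {
    ("SOC 2", "criterion-1"): ["mfa_enabled", "no_stale_credentials"],
    ("ISO 27001", "criterion-1"): ["mfa_enabled"],
    ("HIPAA", "criterion-1"): ["mfa_enabled"],
    ("SOC 2", "criterion-2"): ["no_orphaned_accounts"],
}

# Constructed control failures: (entity, integration, failed control).
FAILURES = [
    ("alice@example.com", "idp-1", "mfa_enabled"),
    ("svc-backup", "cloud-1", "no_stale_credentials"),
]

def compute_violations(failures):
    """Fan each failed control out to every criterion it backs."""
    violations = []
    for entity, integration, control in failures:
        for (framework, criterion), controls in CRITERIA.items():
            if control in controls:
                violations.append({"framework": framework, "criterion": criterion,
                                   "entity": entity, "integration": integration,
                                   "control": control})
    return violations

def criteria_health(violations, exceptions=frozenset(), suppressed=frozenset()):
    """Derive a health state per criterion.

    exceptions: set of (framework, criterion, entity) with accepted risk.
    suppressed: set of (framework, criterion) under blanket suppression.
    Assumption: suppression is checked before anything else.
    """
    by_criterion = defaultdict(list)
    for v in violations:
        by_criterion[(v["framework"], v["criterion"])].append(v)
    health = {}
    for key in CRITERIA:
        found = by_criterion[key]
        if key in suppressed:
            health[key] = "Fully Suppressed"
        elif not found:
            health[key] = "Passing"
        elif all((*key, v["entity"]) in exceptions for v in found):
            health[key] = "Passing with Exceptions"
        else:
            health[key] = "Failing"
    return health
```

In this model a single missing-MFA finding produces three violations across three frameworks, which is why an exception scoped to one criterion leaves the other two failing.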

***

### Learn more

* [Suppressions and exceptions](/compliance-controls-and-posture/suppressions-and-exceptions.md)
* [Compliance controls](/compliance-controls-and-posture/compliance-controls.md)
* [Compliance posture](/compliance-controls-and-posture/compliance-posture.md)

