firmis compliance — Compliance Reporting

Auditors want evidence. Generating it manually is slow, error-prone, and miserable. firmis compliance generates it automatically from your security scan results.

One scan. Five frameworks. The report maps every Firmis finding to the exact control, article, or requirement it satisfies — formatted for submission.

Traditional compliance tooling was built for traditional software. It doesn’t know what an MCP server is. It can’t tell an EU AI Act Article 13 transparency requirement from a GDPR data minimization obligation. It has no concept of prompt injection as a risk to document.

AI agents are a new category of software with a new regulatory surface. SOC 2 auditors are already asking about them. The EU AI Act has explicit requirements for high-risk AI systems. OWASP LLM Top 10 is being referenced in security assessments. Firmis maps your actual agent stack to these actual frameworks.

`firmis compliance` runs a full security scan across your agent stack using all 209 rules, then maps every finding to the compliance frameworks you’re working against:

  • SOC 2 — maps findings to security control categories (CC6, CC7, CC8, CC9). Shows which controls have gaps and which have evidence of enforcement.
  • EU AI Act — maps to Articles 9, 10, 13, 14, 15 (risk management, data governance, transparency, human oversight, accuracy). Flags requirements that AI agent usage triggers.
  • GDPR — maps to data protection obligations: data minimization, purpose limitation, security of processing (Article 32). Credential harvesting and data exfiltration findings map directly to Article 32 gaps.
  • NIST AI RMF — maps findings to the Govern, Map, Measure, Manage functions. Generates evidence artifacts for risk management documentation.
  • OWASP LLM Top 10 — maps every finding to the LLM vulnerability category it represents: LLM01 (Prompt Injection), LLM02 (Insecure Output Handling), LLM06 (Sensitive Information Disclosure), and more.

```text
SOC 2 — Security Control Evidence
Generated: 2026-03-05

CC6.1 — Logical and Physical Access Controls
Status: GAP IDENTIFIED
Finding: 2 tools with overpermissive filesystem access (permission-overgrant)
Files: mcp-server/src/tools/reader.ts:22, .claude/tools/fetch.ts:8
Recommendation: Restrict tool scope to minimum required paths

CC6.6 — Logical Access Security Measures
Status: PASS
Evidence: All tool handlers validated with input sanitization
Rules checked: 14 (access-control category)

CC7.2 — System Monitoring
Status: PASS (runtime monitoring enabled)
Evidence: firmis monitor daemon active, 30-day event log available
```

| Flag | Type | Default | Description |
| --- | --- | --- | --- |
| `--framework <name>` | string | all | Target a specific framework: soc2, ai-act, gdpr, nist, owasp |
| `--format <type>` | enum | html | Output format: html for human review and submission, json for programmatic processing |
| `--output <file>` | string | | Save the report to file. Required for submitting to auditors. |
| `--verbose` | boolean | false | Show detailed control-level mapping with rule IDs and evidence references |
| `--evidence` | boolean | true | Include evidence artifacts (timestamps, rule IDs, file locations) alongside each control mapping |

Generate a full compliance report across all five frameworks

```shell
npx firmis compliance --output compliance-report.html
```

```shell
npx firmis compliance --framework soc2 --format html --output soc2-evidence.html
```

JSON output for programmatic processing or ticketing systems

```shell
npx firmis compliance --format json --output compliance.json
```

```shell
npx firmis compliance --framework ai-act --verbose --output eu-ai-act-report.html
```

```shell
firmis compliance [path] [options]
```
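The JSON report is meant to feed ticketing and CI pipelines. The script below is an added example, not part of the firmis project or its docs: it turns every control that is not PASS into a ticket-ready record and decides whether a pipeline should fail. The JSON field names (`frameworks`, `controls`, `id`, `status`, `findings`, `rule`, `files`) are an assumption modelled on the SOC 2 excerpt above, and the embedded report is constructed sample data, not real scanner output.

```python
"""Triage a `firmis compliance --format json` report in CI."""
import json
import sys

# Constructed sample report. The layout is an ASSUMPTION based on the SOC 2
# excerpt in the docs; verify field names against real firmis output.
SAMPLE_REPORT = json.dumps({
    "generated": "2026-03-05",
    "frameworks": {
        "soc2": {"controls": [
            {"id": "CC6.1", "status": "GAP IDENTIFIED",
             "findings": [{"rule": "permission-overgrant",
                           "files": ["mcp-server/src/tools/reader.ts:22",
                                     ".claude/tools/fetch.ts:8"]}]},
            {"id": "CC6.6", "status": "PASS", "findings": []},
            {"id": "CC7.2", "status": "PASS (runtime monitoring enabled)",
             "findings": []},
        ]},
        "owasp": {"controls": [
            {"id": "LLM01", "status": "GAP IDENTIFIED",
             "findings": [{"rule": "prompt-injection",
                           "files": ["agents/support.md:3"]}]},
        ]},
    },
})


def gaps(report: dict, framework: str = "") -> list:
    """Return one ticket-ready record per control whose status is not PASS."""
    out = []
    for name, fw in report["frameworks"].items():
        if framework and name != framework:
            continue
        for ctl in fw["controls"]:
            if ctl["status"].startswith("PASS"):   # "PASS (...)" also counts as pass
                continue
            rules = sorted({f["rule"] for f in ctl["findings"]})
            out.append({
                "framework": name, "control": ctl["id"], "status": ctl["status"],
                "rules": rules,
                "files": sorted(p for f in ctl["findings"] for p in f["files"]),
                "title": f"[{name}] {ctl['id']} {ctl['status']}: {', '.join(rules)}",
            })
    return out


def ci_exit_code(report: dict, fail_on: tuple = ("soc2",)) -> int:
    """Exit 1 only when a gap exists in a framework the team gates on."""
    return 1 if any(g["framework"] in fail_on for g in gaps(report)) else 0


if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else None
    report = json.load(src) if src else json.loads(SAMPLE_REPORT)
    for g in gaps(report):
        print(g["title"], "->", ", ".join(g["files"]))
    sys.exit(ci_exit_code(report))
```

Run it as `python triage.py compliance.json` after the JSON command above; each printed line is the title and file list a ticket would carry.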