Guides

Compliance

Framework readiness scoring, gap analysis, evidence references, and the maturity matrix.

Overview

Compliance is the governance component of Monago that aggregates policies, assets, audit, and risk signals into framework readiness scoring. A tenant administrator subscribes to the frameworks that apply, after which Monago computes per-clause readiness and per-dimension maturity automatically.

Supported frameworks include international standards as well as Indonesian regulations:

  • UU PDP 2022 — Indonesia's Personal Data Protection law.
  • POJK 11/2022 — Otoritas Jasa Keuangan, IT risk management.
  • NIST AI RMF 1.0 — NIST AI Risk Management Framework.
  • ISO/IEC 42001:2023 — AI management system standard.
  • ISO/IEC 27001:2022 — Information security management.

Why the compliance subsystem matters:

  • Multi-framework requirements — organisations typically have to comply with several frameworks in parallel. Tracking manually per framework is inefficient and error-prone.
  • Evidence automation — every policy, asset, and audit log entry is linked automatically to a framework clause through the framework_mapping field; without this, manual mapping becomes an audit-prep bottleneck.
  • Posture visibility — the dashboard shows readiness percentage, gap clauses, and maturity level per framework.
  • Audit preparation — the forensic-query audit (4-eyes / dual approval) satisfies privileged access control requirements.

Audience for this page: compliance officers and tenant administrators managing framework subscriptions and monitoring readiness posture.

Concepts

Term                    Definition
----------------------  ------------------------------------------------------------
Framework subscription  A tenant's active subscription to one framework. Enables readiness scoring and posture tracking for every clause.
Framework version       A point-in-time snapshot of the framework. New versions (e.g. UU PDP amendments) are added as new versions without invalidating historical readiness.
Clause                  An atomic compliance requirement (e.g. UU PDP Pasal 39). Holds a priority_weight (critical, high, normal).
Evidence reference      A pointer from a clause to an artifact satisfying it (policy_version, asset, audit_row, risk_snapshot).
Readiness score         Percentage of clauses with active evidence.
Gap clauses             Clauses without active evidence. Sorted by priority descending.
Maturity matrix         A per-dimension level mapping. A 5-level scale.

Setup

Prerequisites

  • The admin role to subscribe or unsubscribe.
  • Policies and assets with the framework_mapping field set (the primary signal for clause coverage detection).
  • A clear picture of which frameworks apply to the organisation's context.

Subscribe to a framework

Open Compliance

Select Compliance from the sidebar.

Framework tab

Click Subscribe to framework.

Pick a framework

UU PDP 2022, POJK 11/2022, NIST AI RMF, ISO 42001, or ISO 27001.

Target certification (optional)

Fill target_certification_date for an internal audit roadmap.

Submit

Click Subscribe.

After subscription, Monago automatically links policies and assets that have been annotated with framework_mapping to the clauses of the framework as evidence references. The audit log records the subscription event.

Manage subscriptions

The Framework tab shows the subscriptions table: framework and version, status, target certification, subscribe date, and actions.

Unsubscribing is a soft suspend — evidence references are retained for audit. Re-subscribing restores posture tracking immediately.

Usage

Posture tab

Per-framework readiness cards:

  • Readiness percentage (0-100%).
  • Critical clauses coverage.
  • Maturity level (1-5) — aggregated from the dimension matrix.
  • Click a card to drill down to detail.

Cards are colour-coded:

  • Green (90-100%): production-ready.
  • Yellow (70-89%): mature with some gaps.
  • Orange (40-69%): in-progress.
  • Red (0-39%): early-stage.

Gap analysis tab

The per-clause table for the selected framework:

  • Code + title — identifier and clause name.
  • Category — clause grouping.
  • Priority — Critical, High, or Normal.
  • Evidence status — Covered or Gap.

Filter by priority, category, or status. Sort descending by priority.

Gap clauses are action items for the compliance officer — high-priority gaps require new policies or assets to close.
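The scoring behind the Concepts table, the Posture cards and the Gap analysis tab, written as an added illustration rather than Monago's own code: the clause and evidence records are constructed samples, and the one-decimal rounding and the tie-break on clause code are assumptions (the page fixes only the colour bands and the priority-descending order).

```python
from dataclasses import dataclass

PRIORITY_RANK = {"critical": 3, "high": 2, "normal": 1}
BANDS = ((90, "green"), (70, "yellow"), (40, "orange"), (0, "red"))  # card colour lower bounds

@dataclass(frozen=True)
class Clause:
    code: str
    priority_weight: str  # critical, high or normal

@dataclass(frozen=True)
class EvidenceRef:
    clause_code: str
    ref_type: str  # policy_version, asset, audit_row or risk_snapshot
    ref_id: str
    status: str = "active"  # revoked refs stay on file for audit but do not count

def colour_band(pct: float) -> str:
    """Map a readiness percentage to its Posture-tab card colour."""
    return next(colour for low, colour in BANDS if pct >= low)

def score_framework(clauses: list, evidence: list) -> dict:
    """Readiness = share of clauses with at least one active evidence reference."""
    covered = {e.clause_code for e in evidence if e.status == "active"}
    critical = [c for c in clauses if c.priority_weight == "critical"]
    gaps = [c for c in clauses if c.code not in covered]
    # Gap clauses are action items, listed by priority descending (clause code breaks ties).
    gaps.sort(key=lambda c: (-PRIORITY_RANK[c.priority_weight], c.code))

    def pct(hits: int, pool: list) -> float:
        return round(100 * hits / len(pool), 1) if pool else 0.0

    readiness = pct(len(clauses) - len(gaps), clauses)
    return {
        "readiness_pct": readiness,
        "critical_coverage_pct": pct(sum(c.code in covered for c in critical), critical),
        "band": colour_band(readiness),
        "gap_clauses": [c.code for c in gaps],
    }

# Constructed sample tenant: five UU PDP clauses and four evidence references.
SAMPLE_CLAUSES = [
    Clause("Pasal 16", "critical"), Clause("Pasal 20", "critical"), Clause("Pasal 39", "high"),
    Clause("Pasal 27", "normal"), Clause("Pasal 29", "normal"),
]
SAMPLE_EVIDENCE = [
    EvidenceRef("Pasal 16", "policy_version", "pv-1"), EvidenceRef("Pasal 39", "asset", "as-7"),
    EvidenceRef("Pasal 27", "audit_row", "ar-3"),
    EvidenceRef("Pasal 20", "policy_version", "pv-2", status="revoked"),  # archived policy
]
```

For the sample, three of five clauses are covered (the revoked reference on Pasal 20 does not count), so the card lands in the orange band with Pasal 20 at the top of the gap list.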

Evidence tab

A list of every active evidence reference:

  • Clause addressed.
  • Type — policy_version, asset, audit_row, or risk_snapshot.
  • Reference — link to the source artifact.
  • Created at.

Use case: drill into specific evidence when an auditor asks which policy or asset covers a particular clause.

Maturity matrix tab

Per-dimension level (1-5):

NIST AI RMF dimensions:

  • GOVERN — governance and policy framework.
  • MAP — context and risk identification.
  • MEASURE — assessment and monitoring.
  • MANAGE — risk treatment and incident response.

ISO/IEC 42001 phases:

  • PLAN — establish the AI management system.
  • DO — implement and operate.
  • CHECK — monitor and measure.
  • ACT — continual improvement.

Level interpretation:

Level  Label                   Meaning
-----  ----------------------  -----------------------------
1      Initial                 Ad-hoc, no documented process
2      Managed                 Documented but inconsistent
3      Defined                 Standardised process
4      Quantitatively managed  Metrics-driven
5      Optimising              Continual improvement

Forensic query audit (privileged access)

For sensitive data extraction (audit log export, personal data for regulator requests), Monago applies the 4-eyes / dual approval principle:

Submit a request

A tenant administrator submits a forensic query request through the API.

Audit recorded

The audit log records the privileged-access query event with reason and request detail.

Second administrator approves

Dual approval is enforced in the production configuration.

Result delivered

The query result is encrypted and delivered offline.

This supports privileged access control under UU PDP Pasal 16-22 and POJK § audit.
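The dual-approval gate just described, as an added example and not Monago's implementation: the administrator set, the event names and the audit-row shape are assumptions; only the 4-eyes rule (the approver must be a second administrator) and the audit trail for each step come from the page.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class ForensicRequest:
    request_id: str
    requester: str
    reason: str
    status: str = "pending"  # pending -> approved -> delivered
    approver: Optional[str] = None

class ForensicQueryGate:
    """4-eyes gate: a second tenant administrator must approve before the query runs."""

    def __init__(self, admins: set):
        self.admins = admins       # tenant administrators (constructed role set)
        self.audit_log: list = []  # every step, including rejections, is recorded

    def _audit(self, event: str, req: ForensicRequest, actor: str, **detail) -> None:
        self.audit_log.append({"event": event, "request_id": req.request_id,
                               "actor": actor, **detail})

    def submit(self, request_id: str, requester: str, reason: str) -> ForensicRequest:
        if requester not in self.admins:
            raise PermissionError("only a tenant administrator may request a forensic query")
        req = ForensicRequest(request_id, requester, reason)
        self._audit("forensic_query_requested", req, requester, reason=reason)
        return req

    def approve(self, req: ForensicRequest, approver: str) -> bool:
        """Accept only a different tenant administrator; rejected attempts are audited too."""
        if approver not in self.admins or approver == req.requester:
            self._audit("forensic_query_approval_rejected", req, approver)
            return False
        req.status, req.approver = "approved", approver
        self._audit("forensic_query_approved", req, approver)
        return True

    def deliver(self, req: ForensicRequest, run_query: Callable) -> object:
        """Run the query once approved; encryption and offline delivery sit downstream."""
        if req.status != "approved":
            raise PermissionError("query is not approved (or was already delivered)")
        result = run_query(req)
        req.status = "delivered"  # a second deliver() call on the same request is refused
        self._audit("forensic_query_delivered", req, req.approver)
        return result
```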

Compliance mapping

Per-framework coverage matrix:

Framework                       Coverage
------------------------------  --------------------------------------------------------------
UU PDP 2022 Pasal 16-22         Privileged access control: forensic 4-eyes + RBAC + audit log
UU PDP 2022 Pasal 39            Data accountability: layered PII detection + audit per request + evidence auto-mapping
POJK 11/2022 § governance       Policy engine + audit log + framework subscription
POJK 11/2022 § risk management  Risk subsystem + threshold-breach audit + evidence linked to clauses
ISO/IEC 42001:2023              AI management system pillars
NIST AI RMF 1.0                 Map / Measure / Manage cycle + signal evidence + maturity matrix
ISO/IEC 27001:2022              Encryption at rest + audit + access control + risk treatment

Per-clause mapping detail and the evidence package are delivered in a separate procurement document — contact support@monago.io.

Troubleshooting

Readiness percentage stuck low

Inspect the Gap analysis tab, which lists the gap clauses. Common causes:

  • A policy lacks the framework_mapping field — edit the policy and add a mapping.
  • The asset registry is empty — register AI assets in the Asset Registry.
  • The audit log is not yet mature (a new tenant, a sparse signal feed).

Resolution: prioritise critical gaps; add policies or assets that map to those clauses.

Evidence auto-mapping does not trigger

Auto-mapping runs on a fixed background cadence. Refresh the page after a policy change to see the latest update.

Check the framework_mapping shape:

"framework_mapping": [
  {"framework": "UU_PDP_2022", "clause": "Pasal 39"}
]

The framework enum and clause code must match the registered framework clauses in the backend catalogue.

Does unsubscribe + re-subscribe lose posture?

No. Evidence references are retained in a soft-suspend state. Re-subscribing restores posture immediately.

Maturity level shows blank / N/A

The maturity-matrix evaluator needs a minimum sample size (tenants with sufficient audit history). New tenants see "Pending — insufficient data" until enough data accumulates.

Forensic query returns no response

Forensic queries are async (audit log + email notification to the administrator). Check the inbox and the Audit tab in Observability for query status.

FAQ

Can I subscribe to multiple frameworks simultaneously?

Yes. A tenant can subscribe to every applicable framework. Evidence references are shared — one policy can map to multiple clauses across multiple frameworks.

How do I onboard a new framework (e.g. a UU PDP amendment)?

New framework versions are managed by the Monago team and added to the catalogue on a regular cadence. Tenants receive an email notification when a new version is available. Migration is seamless: the old version is retained for historical posture, and the new version begins tracking from the subscription point.

What's the difference between Compliance and the Risk subsystem?

  • Risk — quantitative (0-100), per-asset, signal-driven, near-real-time, for operational vigilance.
  • Compliance — qualitative (Ready, Gap), per-framework clause, evidence-driven, daily aggregate, for audit readiness.

The two are complementary.

Can workspace_admin manage subscriptions?

No. Framework subscription is a tenant-level configuration (admin only). workspace_admin can view the posture for the workspace they manage.

How is evidence revoked when a policy is removed?

Soft cascade. When a policy is archived, evidence references pointing to that policy_version are marked revoked (the status is flagged while the row is retained for audit). The readiness score is recalculated on the evaluator's next run.
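Evidence auto-mapping against the backend catalogue (the framework_mapping check under Troubleshooting) together with the soft cascade on policy archive just described, as an added example that is not Monago's code: the catalogue contents, the ISO_27001_2022 enum and the evidence-row shape are constructed assumptions; the framework_mapping shape is the one shown on this page.

```python
import json

# Constructed stand-in for the backend framework catalogue: framework enum -> clause codes.
CATALOGUE = {
    "UU_PDP_2022": {"Pasal 16", "Pasal 20", "Pasal 39"},
    "ISO_27001_2022": {"A.8.24"},
}

def auto_map(policies: list, catalogue: dict) -> tuple:
    """Turn each policy's framework_mapping into evidence references.
    Returns (evidence, unmatched); a mapping whose enum or clause code is not in the
    catalogue yields no evidence and is reported so the policy can be corrected."""
    evidence, unmatched = [], []
    for policy in policies:
        for m in policy.get("framework_mapping", []):
            fw, clause = m.get("framework"), m.get("clause")
            if clause in catalogue.get(fw, ()):
                evidence.append({"framework": fw, "clause": clause, "type": "policy_version",
                                 "ref": policy["policy_version"], "status": "active"})
            else:
                unmatched.append((policy["policy_version"], fw, clause))
    return evidence, unmatched

def archive_policy(evidence: list, policy_version: str) -> int:
    """Soft cascade: flag refs to the archived policy as revoked; rows are kept for audit."""
    revoked = 0
    for ref in evidence:
        if (ref["type"] == "policy_version" and ref["ref"] == policy_version
                and ref["status"] == "active"):
            ref["status"] = "revoked"
            revoked += 1
    return revoked

def active_count(evidence: list) -> int:
    """Number of references that still count towards readiness."""
    return sum(ref["status"] == "active" for ref in evidence)

# Constructed sample: pv-1 maps to clauses in two frameworks, pv-3 carries two mistakes.
SAMPLE_POLICIES = json.loads("""[
  {"policy_version": "pv-1", "framework_mapping": [
    {"framework": "UU_PDP_2022", "clause": "Pasal 39"},
    {"framework": "ISO_27001_2022", "clause": "A.8.24"}]},
  {"policy_version": "pv-2", "framework_mapping": [
    {"framework": "UU_PDP_2022", "clause": "Pasal 16"}]},
  {"policy_version": "pv-3", "framework_mapping": [
    {"framework": "UU_PDP", "clause": "Pasal 39"},
    {"framework": "UU_PDP_2022", "clause": "Pasal 399"}]}
]""")
```

Running auto_map on the sample produces three evidence rows and reports both of pv-3's mappings (wrong enum, unregistered clause code) as unmatched; archiving pv-1 then revokes two rows while all three remain on file.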

Is PCI-DSS supported?

Pilot scope: UU PDP, POJK, NIST AI RMF, ISO 42001, ISO 27001. PCI-DSS support is on the development roadmap — contact the team for a timeline if you process card data.

How do I prepare for an audit with regulator-approved documents?

Workflow:

Posture tab

Capture per-framework cards for the executive summary.

Gap analysis tab

Export the gap list per framework.

Evidence tab

Compile the list of active evidence references as the audit pack.

Maturity matrix

Capture the matrix to demonstrate the maturity trajectory.

A procurement-grade audit deliverable template is available on request — contact support@monago.io.

Related

  • Policies — framework_mapping feeds evidence auto-mapping.
  • Risk — the risk score informs the compliance posture.
  • Workspaces — workspace_id on evidence supports per-workspace posture.
  • BYOK — BYOK encryption is evidence for ISO 27001 clauses.