Compliance Reports

MITRITY automatically generates compliance reports from your governance data. Every policy decision, audit event, credential access, and security incident is captured and can be packaged into evidence for SOC 2, GDPR, ISO 27001, and other compliance frameworks. Reports provide auditors and stakeholders with structured, verifiable evidence of your AI agent governance posture.

Overview

Compliance reports aggregate governance data across a defined time period and present it in a structured format aligned with specific compliance frameworks. Reports can be:

• Generated on demand from the dashboard or API
• Scheduled for automatic generation (weekly, monthly, quarterly)
• Downloaded as PDF documents
• Shared via a secure link with auditors or stakeholders

Each report type is tailored to the requirements of its target framework, pulling relevant data from policies, audit logs, security events, credential broker activity, and ML analytics.

Report Types

MITRITY supports five report types:

SOC 2

A report aligned with the AICPA SOC 2 Trust Services Criteria, covering security, availability, processing integrity, confidentiality, and privacy as they relate to AI agent governance.

Report sections:

Section	Content
Control Environment	Organizational commitment to governance, policy coverage, enforcement mode progression
Risk Assessment	Agent risk scores, drift analysis, anomaly detection results
Control Activities	Policy decisions (allow/deny/alert/hold), approval workflow outcomes, credential broker activity
Monitoring Activities	Injection detection events, DLP events, delegation chain audits, threat intelligence matches
Information & Communication	Notification configuration, alert response times, incident documentation

Key metrics included:

• Total governance decisions and breakdown by type
• Policy coverage (% of agent actions covered by explicit policies)
• Mean time to respond to hold/approval requests
• Injection detection accuracy (true positive rate, false positive rate)
• Credential lease compliance (% of leases within TTL limits)

GDPR

A report aligned with GDPR Articles 5, 25, 30, 32, 33, and 35, focusing on data protection and privacy controls for AI agents processing personal data.

Report sections:

Section	Content
Data Processing Activities (Art. 30)	Agents processing personal data, tools accessing PII, data flows
Data Protection by Design (Art. 25)	Default deny policies, permission boundaries, scope restrictions
Security Measures (Art. 32)	Encryption, access controls, credential management, injection detection
Data Breach Detection (Art. 33)	DLP events, sensitive exfiltration attempts, response actions
Impact Assessment (Art. 35)	Agent risk scores, data access patterns, cross-border data flows

Key metrics included:

• Agents with access to PII-tagged tools
• DLP events involving personal data
• Sensitive data exfiltration attempts (blocked and detected)
• Credential access to PII-containing systems
• Data retention compliance for audit logs

ISO 27001

A report aligned with ISO 27001:2022 Annex A controls, mapped to AI agent governance controls.

Report sections:

Section	Content
A.5 Information Security Policies	Policy definitions, enforcement modes, update history
A.6 Organization of Information Security	RBAC configuration, team roles, access scopes
A.8 Asset Management	Agent inventory, tool catalog, credential inventory
A.9 Access Control	Agent permissions, credential grants, delegation governance
A.12 Operations Security	Audit log completeness, monitoring configuration, incident response
A.16 Information Security Incident Mgmt	Security events, injection attempts, DLP incidents, response times

Executive Summary

A high-level report designed for non-technical stakeholders. Provides a clear overview of governance posture, risk trends, and key metrics.

Report sections:

Section	Content
Governance Overview	Total agents and policies; enforcement mode distribution
Risk Dashboard	Agent risk score distribution, trend over period
Key Metrics	Decision breakdown, approval queue performance, incident count
Trends	Week-over-week changes in key metrics
Recommendations	Automated recommendations based on data (e.g., "3 agents have elevated drift scores")

Asset Inventory

A comprehensive inventory of all governed assets — agents, tools, credentials, and environments.

Report sections:

Section	Content
Agent Inventory	All agents with status, risk score, enforcement mode, last seen
Tool Catalog	All tools by category with usage statistics
Credential Inventory	All credentials (no values) with grant count, active leases, rotation status
Environment Summary	All environments with agent count, policy count, activity level

Generating Reports

Via the Dashboard

1. Navigate to Compliance > Reports.
2. Click Generate Report.
3. Select the report type.
4. Choose the time period:
   • Preset: Last 7 days, Last 30 days, Last 90 days, Last 12 months
   • Custom: Specify start and end dates
5. Optionally filter by environment.
6. Click Generate.

The report is generated asynchronously. A progress indicator shows the current status. Most reports complete within 1-5 minutes depending on data volume.

Via the API

curl -X POST https://api.mitrity.com/api/v1/reports \
  -H "Authorization: Bearer mk_live_your-api-key" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "soc2",
    "period": {
      "start_date": "2026-01-01T00:00:00Z",
      "end_date": "2026-03-01T00:00:00Z"
    },
    "environment_id": "env_production",
    "title": "SOC 2 Evidence Report — Q1 2026"
  }'

Response:

{
  "data": {
    "id": "rpt_8k2m4n",
    "type": "soc2",
    "title": "SOC 2 Evidence Report — Q1 2026",
    "status": "generating",
    "period": {
      "start_date": "2026-01-01T00:00:00Z",
      "end_date": "2026-03-01T00:00:00Z"
    },
    "environment_id": "env_production",
    "created_by": "user_jsmith",
    "created_at": "2026-03-01T10:00:00Z"
  },
  "meta": {
    "request_id": "req_rpt001",
    "timestamp": "2026-03-01T10:00:00Z"
  }
}

Report Parameters

Parameter	Type	Required	Description
type	enum	Yes	Report type: soc2, gdpr, iso27001, executive_summary, asset_inventory
period.start_date	datetime	Yes	Start of the reporting period (ISO 8601)
period.end_date	datetime	Yes	End of the reporting period (ISO 8601)
environment_id	string	No	Scope to a specific environment
title	string	No	Custom title for the report

Report Lifecycle

Statuses

Status	Description
generating	Report is being generated (data collection and formatting in progress)
completed	Report is ready for download
failed	Report generation encountered an error (see error field)
expired	Report has been deleted after the retention period

Polling for Completion

curl https://api.mitrity.com/api/v1/reports/rpt_8k2m4n \
  -H "Authorization: Bearer mk_live_your-api-key"

Response (completed):

{
  "data": {
    "id": "rpt_8k2m4n",
    "type": "soc2",
    "title": "SOC 2 Evidence Report — Q1 2026",
    "status": "completed",
    "period": {
      "start_date": "2026-01-01T00:00:00Z",
      "end_date": "2026-03-01T00:00:00Z"
    },
    "environment_id": "env_production",
    "page_count": 42,
    "data_points": 128450,
    "file_size_bytes": 2458600,
    "download_url": "/api/v1/reports/rpt_8k2m4n/download",
    "created_by": "user_jsmith",
    "created_at": "2026-03-01T10:00:00Z",
    "completed_at": "2026-03-01T10:03:45Z"
  },
  "meta": {
    "request_id": "req_rpt002",
    "timestamp": "2026-03-01T10:05:00Z"
  }
}

Downloading Reports

PDF Download

curl -o report.pdf https://api.mitrity.com/api/v1/reports/rpt_8k2m4n/download \
  -H "Authorization: Bearer mk_live_your-api-key"

Reports are generated as PDF documents stored in a GCS bucket with 90-day retention. After 90 days, the file is deleted but the report metadata is retained.

Secure Sharing

Generate a time-limited sharing link for auditors:

curl -X POST https://api.mitrity.com/api/v1/reports/rpt_8k2m4n/share \
  -H "Authorization: Bearer mk_live_your-api-key" \
  -H "Content-Type: application/json" \
  -d '{
    "expires_in_hours": 72,
    "password_protected": true
  }'

Response:

{
  "data": {
    "share_url": "https://mitrity.com/shared/reports/rpt_8k2m4n?token=abc123xyz",
    "expires_at": "2026-03-04T10:00:00Z",
    "password_protected": true,
    "password": "MtR-4k2m-8n3p"
  },
  "meta": {
    "request_id": "req_share001",
    "timestamp": "2026-03-01T10:10:00Z"
  }
}

Listing Reports

curl "https://api.mitrity.com/api/v1/reports?type=soc2&status=completed&limit=10" \
  -H "Authorization: Bearer mk_live_your-api-key"

Response:

{
  "data": [
    {
      "id": "rpt_8k2m4n",
      "type": "soc2",
      "title": "SOC 2 Evidence Report — Q1 2026",
      "status": "completed",
      "period": {
        "start_date": "2026-01-01T00:00:00Z",
        "end_date": "2026-03-01T00:00:00Z"
      },
      "page_count": 42,
      "created_at": "2026-03-01T10:00:00Z",
      "completed_at": "2026-03-01T10:03:45Z"
    }
  ],
  "meta": {
    "request_id": "req_rpt003",
    "timestamp": "2026-03-01T11:00:00Z",
    "next_cursor": null,
    "total": 1
  }
}

List Filters

Parameter	Type	Description
type	enum	Filter by report type
status	enum	Filter by status
created_after	datetime	Reports created after this timestamp
created_before	datetime	Reports created before this timestamp
limit	integer	Results per page (default: 10, max: 50)
cursor	string	Pagination cursor

Scheduled Reports

Automate report generation on a recurring schedule:

Creating a Schedule

curl -X POST https://api.mitrity.com/api/v1/reports/schedules \
  -H "Authorization: Bearer mk_live_your-api-key" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "executive_summary",
    "frequency": "monthly",
    "day_of_month": 1,
    "period_days": 30,
    "environment_id": "env_production",
    "title_template": "Executive Summary — {month} {year}",
    "notify_emails": ["ciso@company.com", "compliance@company.com"]
  }'

Schedule Frequencies

Frequency	Description	Period
weekly	Every week on the specified day	Last 7 days
monthly	Every month on the specified day	Last 30 days
quarterly	Every quarter (Jan 1, Apr 1, Jul 1, Oct 1)	Last 90 days

Listing Schedules

curl https://api.mitrity.com/api/v1/reports/schedules \
  -H "Authorization: Bearer mk_live_your-api-key"

Report Content Details

Data Integrity

Every report includes a data integrity section with:

• Event count: Total audit events analyzed
• Time coverage: Percentage of the period covered by active governance monitoring
• Data completeness: Any gaps in data collection (e.g., gateway disconnections)
• Report hash: SHA-256 hash of the report content for tamper detection

Evidence Linking

Reports include direct links to the underlying evidence in the MITRITY dashboard. Auditors can click through from a report finding to the specific audit events, policy configurations, or security incidents that generated the finding.

Report Versions

When you regenerate a report for the same period, the new report is linked to the previous version. This provides a version history showing how your governance posture evolved over time.

Best Practices

Generate Reports Before Audits

Generate reports at least one week before an audit to allow time for review and to address any gaps the report identifies.

Use Environment Scoping

For multi-environment setups, generate separate reports for each environment. Production compliance evidence should not be diluted by development activity.

Schedule Executive Summaries Monthly

Monthly executive summaries keep leadership informed and build a continuous record of governance improvement.

Archive Reports

Download and archive reports in your organization's document management system. While MITRITY retains reports for 90 days, long-term archival is your responsibility.

Review Data Completeness

Before sharing a report with an auditor, check the data completeness section. If gateway disconnections caused data gaps during the period, note this for the auditor and consider extending the reporting period to capture complete data.

Combine Report Types

For a comprehensive audit, generate both the framework-specific report (SOC 2, GDPR, or ISO 27001) and the Asset Inventory. The inventory provides the baseline context that auditors need to understand the framework report.

Related Documentation

• ML Insights — ML-driven analytics and drift scoring
• RBAC — Role-based access control
• Environments — Multi-environment management
• Tool Catalog — Tool definitions and compliance tags
• API Overview — Full API reference