Compliance Cockpit
Enterprise Feature - The Compliance Cockpit is available exclusively on the Enterprise tier.
The Compliance Cockpit is MeetLoyd's integrated compliance command center, built specifically for enterprises deploying AI agents in regulated industries. It transforms regulatory burden into competitive advantage with automated evidence collection, real-time compliance monitoring, and audit-ready reporting.
Overview
Access the Compliance Cockpit from the top navigation bar (Enterprise tier, admin/owner role only). The Cockpit provides:
- Real-time compliance scores across all enabled governance packs
- Unified regulation management for GDPR, HIPAA, EU AI Act, SOX, DORA, ISO 27001, ISO 42001, NIS2
- Automated evidence collection from governance events
- Risk registry for AI risk management
- Impact assessments (AIIA, DPIA, FRIA)
- Policy lifecycle management with version control
- External auditor portal with token-based access
- Scheduled reporting in PDF, CSV, and Excel formats
Navigation
The Cockpit has its own dedicated layout (like Openspace) with sidebar navigation:
| Section | Description |
|---|---|
| Overview | Compliance dashboard with scores, trends, and alerts |
| Regulations | Browse enabled governance packs and their controls |
| Assessments | AI Impact, Data Protection, and Fundamental Rights assessments |
| Risk Registry | Track, assess, and treat AI-related risks |
| Controls | Control matrix with effectiveness tracking |
| Evidence Vault | Cryptographically verified audit evidence |
| Violations | Track violations with SLA management |
| Reports | Generate and schedule compliance reports |
| Policies | Policy documents with acknowledgment workflow |
| Auditor Sessions | Manage external auditor access |
Regulations & Frameworks
The Compliance Cockpit integrates with MeetLoyd's governance packs system. When you enable a governance pack, its controls automatically appear in the Cockpit.
Supported Frameworks
| Framework | Governance Pack | Key Focus |
|---|---|---|
| GDPR | gdpr | Data protection, privacy rights |
| HIPAA | hipaa | Healthcare data protection |
| EU AI Act | eu_ai_act | AI system requirements, human oversight |
| SOX | sox | Financial controls, segregation of duties |
| DORA | dora | Digital operational resilience |
| ISO 27001 | iso_27001 | Information security management |
| ISO 42001 | iso_42001 | AI management system |
| NIS2 | nis2 | Network and information security |
| SOC 2 | soc2 | Trust service criteria |
| PCI-DSS | pci_dss | Payment card security |
Viewing Controls
GET /api/compliance/frameworks/{framework}/controls
Example response:
{
"framework": "eu_ai_act",
"score": 92,
"summary": {
"total": 15,
"passing": 13,
"failing": 0,
"warning": 2,
"notConfigured": 0
},
"controls": [
{
"id": "EUAIA-1",
"name": "Risk Management System",
"category": "risk_management",
"status": "passing",
"evidence": [...]
}
]
}
Evidence Vault
The Evidence Vault stores audit evidence with cryptographic verification to ensure integrity.
Evidence Types
| Type | Description |
|---|---|
| auto_collected | Automatically captured from governance events |
| manual_upload | Manually uploaded documents (PDF, images, etc.) |
| generated_report | System-generated compliance reports |
Auto-Collection
The Cockpit automatically collects evidence from governance events:
- Violations (high/critical severity) - Captured as violation evidence
- Remediations - Proof of issue resolution
- Configuration changes - Audit trail of governance settings
Configure auto-collection in Settings → Compliance → Evidence Collection.
File Upload
Upload evidence with security scanning and hash verification:
POST /api/compliance-cockpit/evidence/upload
Content-Type: multipart/form-data
file: <binary>
metadata: {
"title": "Q1 Security Audit Report",
"description": "External penetration test results",
"type": "manual_upload",
"packIds": ["iso_27001"],
"periodStart": "2026-01-01",
"periodEnd": "2026-03-31"
}
Supported file types: PDF, TXT, CSV, JSON, PNG, JPEG, DOCX, XLSX, PPTX
Maximum file size: 50MB
Hash Verification
All evidence files are hashed with SHA-256 on upload. Verify integrity at any time:
POST /api/compliance-cockpit/evidence/{id}/verify
Response:
{
"verified": true,
"storedHash": "a1b2c3d4...",
"computedHash": "a1b2c3d4...",
"hashMatch": true
}
Hash status values:
- pending - Not yet verified
- verified - Hash matches stored value
- tampered - Hash mismatch detected
- error - Verification failed (file unreadable)
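As an added example (not MeetLoyd's code), the following Python reproduces the four hash status values for a local copy of an evidence file and cross-checks a verify response against the SHA-256 computed before upload; the function names, the constructed sample file and the response shapes beyond the fields shown above are assumptions.

```python
import hashlib
import hmac
import tempfile
from typing import Optional

# The four hash status values the Evidence Vault reports.
PENDING, VERIFIED, TAMPERED, ERROR = "pending", "verified", "tampered", "error"

def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 in 64 KiB chunks; a 50MB upload never sits in memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_status(stored_hash: Optional[str], path: str) -> str:
    """Classify a local copy of an evidence file the way the verify endpoint would."""
    if not stored_hash:
        return PENDING                    # no stored hash yet: nothing to compare against
    try:
        computed = sha256_file(path)
    except OSError:
        return ERROR                      # file unreadable
    # constant-time comparison: the result is a yes/no, not a hint about matching prefixes
    return VERIFIED if hmac.compare_digest(computed, stored_hash.lower()) else TAMPERED

def verify_response_consistent(local_hash: str, response: dict) -> bool:
    """Cross-check a /evidence/{id}/verify response against the hash computed before upload,
    so a server that stored the wrong hash (or reports hashMatch without comparing) is caught."""
    stored = str(response.get("storedHash", ""))
    computed = str(response.get("computedHash", ""))
    return (response.get("hashMatch") is True
            and hmac.compare_digest(stored, computed)
            and hmac.compare_digest(stored, local_hash))

def demo() -> dict:
    """Constructed sample evidence file (hypothetical) exercising every status value."""
    with tempfile.TemporaryDirectory() as d:
        path = d + "/q1-security-audit.txt"
        with open(path, "wb") as fh:
            fh.write(b"Q1 Security Audit Report - constructed sample content")
        good = sha256_file(path)
        return {
            "pending": hash_status(None, path),
            "verified": hash_status(good, path),
            "tampered": hash_status("0" * 64, path),
            "error": hash_status(good, d + "/missing.pdf"),
        }
```

Keeping the pre-upload hash alongside the evidence id lets the uploader detect a vault-side mismatch independently of the server's own hashMatch flag.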
Risk Registry
Track and manage AI-related risks with the Risk Registry.
Risk Fields
| Field | Description |
|---|---|
| Title | Risk name |
| Description | Detailed risk description |
| Category | operational, technical, compliance, security, reputational, financial |
| Likelihood | rare, unlikely, possible, likely, almost_certain |
| Impact | minimal, minor, moderate, major, severe |
| Inherent Score | Calculated from likelihood × impact |
| Treatment Status | identified, analyzing, treating, monitoring, closed |
| Treatment Plan | Mitigation strategy |
| Owner | Assigned user |
| Review Date | Next review deadline |
Creating a Risk
POST /api/compliance-cockpit/risks
{
"title": "LLM Hallucination in Customer Support",
"description": "Risk of AI agent providing incorrect information to customers",
"category": "operational",
"likelihood": "possible",
"impact": "moderate",
"treatmentPlan": "Implement fact-checking layer and human review for critical responses",
"packIds": ["eu_ai_act"],
"reviewDate": "2026-04-01"
}
Impact Assessments
Conduct structured assessments for AI systems.
Assessment Types
| Type | Full Name | When Required |
|---|---|---|
| aiia | AI Impact Assessment | EU AI Act high-risk systems |
| dpia | Data Protection Impact Assessment | GDPR high-risk processing |
| fria | Fundamental Rights Impact Assessment | EU AI Act public sector |
Assessment Workflow
- Draft - Initial creation and section completion
- In Review - Submitted for approval
- Approved - Assessment approved by authorized reviewer
- Rejected - Returned for revisions
Creating an Assessment
POST /api/compliance-cockpit/assessments
{
"title": "Customer Service Agent AIIA",
"type": "aiia",
"description": "Impact assessment for customer-facing AI agent",
"agentIds": ["agent_abc123"],
"teamId": "team_xyz789"
}
Policies
Manage compliance policies with version control and acknowledgment tracking.
Policy Lifecycle
- Draft - Policy being written
- Published - Active policy requiring acknowledgment
- Archived - Superseded by newer version
Version Control
Each policy edit creates a new version. View version history:
GET /api/compliance-cockpit/policies/{id}/versions
Acknowledgments
Track who has acknowledged policies:
GET /api/compliance-cockpit/policies/{id}/acknowledgments
Require acknowledgment:
POST /api/compliance-cockpit/policies/{id}/acknowledge
Reports
Generate compliance reports on-demand or on a schedule.
Report Formats
| Format | Use Case |
|---|---|
| PDF | Board presentations, external sharing |
| CSV | Data analysis, spreadsheet import |
| XLSX | Excel with multiple sheets |
On-Demand Generation
POST /api/compliance-cockpit/reports/generate
{
"reportType": "combined",
"packIds": ["gdpr", "eu_ai_act"],
"formats": ["pdf", "xlsx"],
"includeEvidence": true
}
Scheduled Reports
Automate report generation:
POST /api/compliance-cockpit/schedules
{
"name": "Monthly Compliance Report",
"reportType": "combined",
"packIds": ["gdpr", "hipaa"],
"frequency": "monthly",
"dayOfMonth": 1,
"format": ["pdf"],
"recipients": ["compliance@company.com", "ciso@company.com"],
"enabled": true
}
Download Reports
GET /api/compliance-cockpit/reports/{id}/download?format=pdf
Auditor Portal
Provide external auditors with secure, read-only access.
Creating an Auditor Session
POST /api/compliance-cockpit/auditor-sessions
{
"auditorName": "Deloitte - John Smith",
"auditorEmail": "john.smith@deloitte.com",
"auditorOrganization": "Deloitte",
"auditType": "iso_27001",
"scope": "Annual ISO 27001 surveillance audit",
"expiresAt": "2026-02-28T23:59:59Z",
"evidenceIds": ["evid_abc123", "evid_def456"]
}
Response includes a one-time access token:
{
"session": { ... },
"accessToken": "aud_abc123xyz..."
}
Important: The access token is only shown once. Share it securely with the auditor.
Auditor API
Auditors use the public portal API with their token:
# Get session info
GET /api/auditor-portal/session
X-Auditor-Token: aud_abc123xyz...
# List available evidence
GET /api/auditor-portal/evidence
# Download evidence
GET /api/auditor-portal/evidence/{id}/download
# View compliance status
GET /api/auditor-portal/compliance-status
# Submit findings
POST /api/auditor-portal/findings
{
"title": "Access Control Gap",
"description": "MFA not enforced for admin accounts",
"severity": "major",
"controlReference": "A.9.4.2",
"recommendation": "Enable MFA enforcement for all admin roles"
}
Finding Workflow
- Open - Finding submitted by auditor
- Responded - Organization has addressed the finding
- Closed - Auditor confirms resolution
- Disputed - Organization disputes the finding
Session Management
# List sessions
GET /api/compliance-cockpit/auditor-sessions
# Revoke session
POST /api/compliance-cockpit/auditor-sessions/{id}/revoke
Violations
Track governance violations with SLA management.
Violation Sources
Violations flow from the Governance Packs system:
- DLP policy violations
- Kill switch triggers
- Four-eyes principle bypasses
- Prompt injection attempts
- Budget overruns
SLA Tracking
Each violation has an SLA based on severity:
| Severity | Default SLA |
|---|---|
| Critical | 4 hours |
| High | 24 hours |
| Medium | 72 hours |
| Low | 7 days |
Remediation Workflow
- Open - Violation detected
- Acknowledged - Under investigation
- Remediated - Issue resolved
- Closed - Verified and closed
API Reference
Base URL
https://api.meetloyd.com/api/compliance-cockpit
Authentication
Standard MeetLoyd API authentication (JWT or API key).
Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /overview | Dashboard summary |
| GET | /regulations | List enabled packs |
| GET | /regulations/{packId} | Pack details |
| GET | /assessments | List assessments |
| POST | /assessments | Create assessment |
| GET | /risks | List risks |
| POST | /risks | Create risk |
| GET | /controls | Control matrix |
| GET | /evidence | List evidence |
| POST | /evidence/upload | Upload evidence |
| POST | /evidence/{id}/verify | Verify hash |
| GET | /violations | List violations |
| GET | /reports | List reports |
| POST | /reports/generate | Generate report |
| GET | /reports/{id}/download | Download report |
| GET | /policies | List policies |
| POST | /policies | Create policy |
| GET | /auditor-sessions | List sessions |
| POST | /auditor-sessions | Create session |
Next: Learn about Governance Packs for the underlying control modules.