Learn what compliance gaps are and how PartnerAlly helps you identify and resolve them.

Understanding Compliance Gaps

Compliance gaps are deficiencies where your organization's practices or documentation don't fully meet compliance framework requirements. PartnerAlly uses AI to automatically identify gaps and helps you systematically address them.

What Is a Compliance Gap?

A gap occurs when:

A required control isn't implemented
A policy doesn't cover required topics
Evidence is missing or insufficient
Procedures don't match framework requirements

Example Gaps

Framework	Gap Example	What's Missing
SOC 2	"No documented access review process"	Periodic access review procedure
ISO 27001	"Incident response plan lacks escalation"	Escalation procedures in IR plan
HIPAA	"No BAA template identified"	Business Associate Agreement template
GDPR	"Privacy policy missing retention periods"	Data retention disclosure

Gaps aren't failures—they're opportunities to improve. Every organization has gaps. What matters is how you identify and address them.

How Gaps Are Identified

AI Document Analysis

When you upload a policy or procedure document, PartnerAlly's AI:

Reads the document - Understands content and context
Maps to frameworks - Compares against control requirements
Identifies gaps - Finds missing or incomplete coverage
Scores confidence - Rates how certain the AI is about each gap
Creates gap entries - Adds gaps to your registry

Manual Gap Entry

You can also add gaps manually:

Gaps discovered during internal reviews
Auditor findings
Risk assessment results
Security incidents revealing weaknesses

Gap Properties

Each gap has these attributes:

Property	Description
Title	Brief description of the gap
Description	Detailed explanation of what's missing
Severity	Critical, High, Medium, or Low
Status	Open, In Progress, Resolved, Accepted
Framework	Which compliance framework it relates to
Control	Specific control requirement
Source	Document or assessment that identified it
AI Confidence	How certain the AI is (for AI-identified gaps)

Severity Levels

Gaps are categorized by severity:

Severity	Color	Typical Criteria
Critical	🔴 Red	Major compliance violation, audit failure risk
High	🟠 Amber	Significant deficiency, needs prompt action
Medium	🟢 Green	Moderate issue, reasonable timeline to fix
Low	🔵 Blue	Minor gap, address when convenient

Severity Assignment

AI assigns severity based on:

Framework requirements (mandatory vs. recommended)
Control criticality (security-critical vs. administrative)
Potential impact if not addressed
Auditor focus areas

Gap Lifecycle

Gaps move through these statuses:

Open → In Progress → Resolved
         ↓
      Accepted

Status Definitions

Status	Meaning
Open	Newly identified, not yet addressed
In Progress	Being worked on via workflow or task
Resolved	Fixed with evidence of remediation
Accepted	Risk accepted (documented and approved)

Gap Locations in PartnerAlly

Access gaps from multiple places:

Gaps Page

Full list with filtering, sorting, and bulk actions.

Dashboard

Summary counts by severity on the main dashboard.

Document Details

Gaps identified from a specific document.

Control Details

Gaps related to a specific control.

Why Gap Management Matters

For Audits

Auditors expect you to know your gaps
Demonstrating awareness and remediation plans is valuable
Resolved gaps show control maturity

For Security

Gaps often represent real security risks
Closing gaps improves your security posture
Reduces attack surface

For Compliance Programs

Tracking gaps shows program health
Gap trends reveal systemic issues
Resolution metrics demonstrate improvement

Gap vs. Risk vs. Finding

These terms are related but different:

Term	Definition	Source
Gap	Missing or incomplete compliance coverage	AI analysis, assessments
Risk	Potential negative outcome	Risk assessments, gap analysis
Finding	Auditor-identified deficiency	External audit reports

In PartnerAlly: