Policy Coverage
The policy coverage workflow analyzes your uploaded policy documents against the controls of one or more compliance frameworks and produces a per-control coverage report — showing which controls are met, partially met, or missing.
It runs as a slash command inside expert chat: send a user message that begins with /policy-coverage to POST /v1/expert.
Command
/policy-coverage [--frameworks fw1,fw2] [--docs docid1,docid2]
| Flag | Required | Description |
|---|---|---|
--frameworks |
No | Comma-separated framework IDs to evaluate against. Defaults to the frameworks detected from your corpus. |
--docs |
No | Comma-separated document IDs to scope the analysis to specific uploads. Defaults to your full policy corpus. |
Discover this and every other command, with live usage strings, via
GET /v1/slash-commands.
How it works
For each control in the selected frameworks, the workflow:
- Retrieves the most relevant passages from your uploaded policy corpus.
- Runs gap analysis of those passages against the control requirement.
- Records a verdict and a short summary with source citations.
The result is a per-control report you can hand to your GRC team to prioritize remediation.
Example
Run a coverage report of your whole corpus against PCI DSS v4:
curl -N -X POST https://compliance.secberus.ai/v1/expert \
-H "authorization: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"messages": [
{ "role": "user", "content": "/policy-coverage --frameworks pci_dss_v4" }
]
}'
Scope to two frameworks and a specific document:
curl -N -X POST https://compliance.secberus.ai/v1/expert \
-H "authorization: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"messages": [
{ "role": "user", "content": "/policy-coverage --frameworks pci_dss_v4,iso_27001_2022 --docs doc_01h9z…" }
]
}'
The response streams back as Server-Sent Events, one control at a time, each with a verdict:
data: PCI DSS v4 · 8.3.6 (password length) → MEETS_OR_EXCEEDS
data: Source: access-control-policy.pdf — "minimum 14 characters…"
data: PCI DSS v4 · 10.2.1 (audit logging) → INSUFFICIENT
data: Gap: no policy passage addresses logging of administrative actions.
Prerequisites
- At least one document of type
policyuploaded to your corpus. See the Documents API. - Valid framework IDs (from
GET /v1/frameworks).
Related
- Audit Readiness — the evidence-side counterpart: assess whether your evidence satisfies controls.
- Policy Generation — close the gaps this report surfaces by drafting compliant policy text.