Policy Coverage

The policy coverage workflow analyzes your uploaded policy documents against the controls of one or more compliance frameworks and produces a per-control coverage report — showing which controls are met, partially met, or missing.

It runs as a slash command inside expert chat: send a user message that begins with /policy-coverage to POST /v1/expert.


Command

/policy-coverage [--frameworks fw1,fw2] [--docs docid1,docid2]
Flag Required Description
--frameworks No Comma-separated framework IDs to evaluate against. Defaults to the frameworks detected from your corpus.
--docs No Comma-separated document IDs to scope the analysis to specific uploads. Defaults to your full policy corpus.

Discover this and every other command, with live usage strings, via GET /v1/slash-commands.


How it works

For each control in the selected frameworks, the workflow:

  1. Retrieves the most relevant passages from your uploaded policy corpus.
  2. Runs gap analysis of those passages against the control requirement.
  3. Records a verdict and a short summary with source citations.

The result is a per-control report you can hand to your GRC team to prioritize remediation.


Example

Run a coverage report of your whole corpus against PCI DSS v4:

curl -N -X POST https://compliance.secberus.ai/v1/expert \
  -H "authorization: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "messages": [
      { "role": "user", "content": "/policy-coverage --frameworks pci_dss_v4" }
    ]
  }'

Scope to two frameworks and a specific document:

curl -N -X POST https://compliance.secberus.ai/v1/expert \
  -H "authorization: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "messages": [
      { "role": "user", "content": "/policy-coverage --frameworks pci_dss_v4,iso_27001_2022 --docs doc_01h9z…" }
    ]
  }'

The response streams back as Server-Sent Events, one control at a time, each with a verdict:

data: PCI DSS v4 · 8.3.6 (password length) → MEETS_OR_EXCEEDS
data:   Source: access-control-policy.pdf — "minimum 14 characters…"
data: PCI DSS v4 · 10.2.1 (audit logging) → INSUFFICIENT
data:   Gap: no policy passage addresses logging of administrative actions.

Prerequisites

  • At least one document of type policy uploaded to your corpus. See the Documents API.
  • Valid framework IDs (from GET /v1/frameworks).
  • Audit Readiness — the evidence-side counterpart: assess whether your evidence satisfies controls.
  • Policy Generation — close the gaps this report surfaces by drafting compliant policy text.