Compliance framework lenses
Seven selectable lenses map assessment findings to the data-governance expectations of the frameworks your organization tracks.
How lenses work
Compliance framing is opt-in. Your organization selects zero or more frameworks during onboarding (editable in Settings). With none selected, reports stay framework-neutral. With lenses selected, every assessment maps its findings to each framework's data-governance expectations: the evidence already in place and the gaps still open, each tied to a specific measured finding.
One boundary, stated everywhere it matters: this is readiness to produce evidence. MortarIQ does not certify, audit, or guarantee compliance with anything.
The seven lenses
EU AI Act, Article 10
Data governance for high-risk AI: relevant, representative, accurate, complete training data with documented practices. Enforcement begins August 2, 2026.
NIST AI RMF
The voluntary US risk framework. Findings map to the Map and Measure functions: provenance, data quality, bias and representativeness.
ISO/IEC 42001
The certifiable AI management system. Findings map to the Annex A data-for-AI controls.
ISO/IEC 5259
The international standard for ML data quality (2024 to 2025). Findings map at the characteristic level: accuracy, completeness, consistency, timeliness, plus ML-specific characteristics such as representativeness and balance.
GDPR
PII classification, masking, retention, purpose limitation, and Article 30 records, driven by the PII inventory the scan produces.
SOC 2
Confidentiality and processing-integrity criteria: classification, access controls, audit logging, retention.
HIPAA
De-identification, access control, and minimum-necessary use, when your data contains health information.
ISO/IEC 5259 mapping
Every one of the 50 assessment requirements is mapped to the ISO/IEC 5259-2 data-quality characteristics, with declared coverage gaps where a characteristic needs data sampling or workload context the scan does not yet capture. The mapping is at the characteristic level of the published standard; we do not claim clause-level conformity.
Evidence, not certification
The practical output for a compliance program: when an auditor or regulator asks how you govern data feeding AI systems, your reports show measured controls (classification coverage, masking state, lineage, retention) with dates, numbers, and history. What MortarIQ will never do is tell you that you are compliant; that judgment belongs to you and your advisors.
Questions?
Email support@intellibricks.app. See also our security practices and the exact SQL we run.