
Gap Analysis & Remediation Roadmap

After a scan, gaps are ranked by priority, effort, and impact. Use gap analysis to create a remediation roadmap — what to fix first, how long it takes, and how to fix it.

Gap Prioritization

Gaps are rated Critical > High > Medium > Low:

Priority   Means                                                Example
Critical   Audit blocker; must fix before the auditor visits    Missing risk assessment for a high-risk system
High       Significant compliance risk; fix within 1-2 months   Insufficient access controls
Medium     Compliance improvement; fix within 2-3 months        Training program incomplete
Low        Nice-to-have; fix when convenient                    Documentation formatting

Recommendation: Fix all Critical gaps within 2 weeks; High gaps within 2 months.

Gap Effort Estimation

Compliance AI estimates hours to fix based on:

  • Control complexity
  • Required team involvement
  • Integration with existing systems
  • Testing requirements

Effort                  Timeframe    Who Does It
Quick (< 4 hours)       1 day        Single person, straightforward task
Moderate (4-16 hours)   1 week       Small team, some integration work
Major (16-40 hours)     2-4 weeks    Multiple teams, system changes
Epic (40+ hours)        1-3 months   Major engineering effort, cross-functional

Example Gaps & Remediation

Gap 1: Missing Risk Assessment (Critical, Moderate Effort)

What’s missing: The EU AI Act requires a documented risk assessment and risk-management process for high-risk AI systems. Yours is not documented.

Why it matters: Auditors expect the risk-management documentation the Act requires for high-risk (Annex III) systems. Without it, the system cannot legally be placed on the EU market or put into service.

Auto-suggested fix: Generate a DPIA using Compliance AI’s DPIA tool (20 min), then customize it with your own data (2-4 hours). A DPIA is a GDPR instrument, so when customizing, make sure the risk section also covers the AI Act’s risk-management requirements (risks to health, safety and fundamental rights, not only personal data).

Steps:

  1. Go to DPIA & Assessments
  2. Click “New DPIA”
  3. Select your system
  4. Review auto-generated draft
  5. Customize risk assessment section
  6. Have DPO review
  7. Export and archive

Timeline: 1-2 days
Owner: Compliance Officer + DPO
Status: Assign task in Jira/ServiceNow

Gap 2: No Bias Testing (High, Moderate Effort)

What’s missing: The EU AI Act and ISO 42001 require a fairness/bias assessment. None is documented.

Why it matters: High-risk systems must be shown to have been tested for discriminatory outcomes across demographic groups, with any disparity found documented and mitigated.

Auto-suggested fix: Run fairness tests using Compliance AI’s testing framework

Steps:

  1. Ensure you have labelled test data that includes the protected attributes (5K+ samples recommended, with enough samples in each group for the rates to be meaningful)
  2. Go to Compliance > [System Name] > Fairness Testing
  3. Upload test data
  4. Run bias audit across protected groups (gender, age, race if available)
  5. Export report showing disparate impact analysis
  6. Document findings
  7. If gaps found, plan mitigation (rebalance training data, add group-specific monitoring, etc.)

Timeline: 2-4 days
Owner: Data Science team
Tools: Compliance AI, fairness libraries (AI Fairness 360, Fairlearn)
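The disparate impact analysis in step 5 is the core of the audit, so it helps to see what it actually computes. The following is an added example written for this page, not Compliance AI’s own code or output: it applies the four-fifths rule (each group’s selection rate divided by the most-favoured group’s rate) to an invented sample. The 0.8 threshold, the minimum group size, the group labels and the counts are all assumptions chosen so the result can be checked by hand.

```python
from collections import defaultdict

# Constructed sample for illustration: (protected-attribute value, model decision).
# 1 = favourable outcome (e.g. loan approved), 0 = unfavourable. The counts are
# invented; with 5K+ real samples the same functions apply unchanged.
SAMPLE = (
    [("female", 1)] * 30 + [("female", 0)] * 70 +
    [("male", 1)] * 50 + [("male", 0)] * 50 +
    [("nonbinary", 1)] * 4 + [("nonbinary", 0)] * 6
)

FOUR_FIFTHS = 0.8      # conventional disparate-impact threshold (assumed policy value)
MIN_GROUP_SIZE = 30    # assumed: below this a group's rate is too noisy to judge


def selection_counts(records):
    """Return {group: (favourable_count, total_count)}."""
    counts = defaultdict(lambda: [0, 0])
    for group, decision in records:
        counts[group][0] += 1 if decision == 1 else 0
        counts[group][1] += 1
    return {g: (fav, tot) for g, (fav, tot) in counts.items()}


def disparate_impact(records, threshold=FOUR_FIFTHS, min_group_size=MIN_GROUP_SIZE):
    """Four-fifths rule: each group's selection rate divided by the rate of the
    most-favoured group among those with enough samples. Ratios below
    `threshold` are flagged; undersized groups are reported but not judged,
    because a 10-sample group can look fine or terrible purely by chance."""
    counts = selection_counts(records)
    rates = {g: fav / tot for g, (fav, tot) in counts.items()}
    eligible = {g: r for g, r in rates.items() if counts[g][1] >= min_group_size}
    if not eligible:
        raise ValueError("no group meets the minimum sample size")
    reference = max(eligible.values())
    report = {}
    for g, rate in rates.items():
        n = counts[g][1]
        if n < min_group_size:
            report[g] = {"n": n, "rate": round(rate, 3), "ratio": None,
                         "status": "insufficient_data"}
            continue
        # If every eligible group has a zero rate there is no disparity to measure.
        ratio = rate / reference if reference > 0 else 1.0
        report[g] = {"n": n, "rate": round(rate, 3), "ratio": round(ratio, 3),
                     "status": "flagged" if ratio < threshold else "ok"}
    return report


def audit_passes(report):
    """True only if no adequately sized group is flagged."""
    return not any(r["status"] == "flagged" for r in report.values())


if __name__ == "__main__":
    result = disparate_impact(SAMPLE)
    for group, row in sorted(result.items()):
        print(f"{group:10s} n={row['n']:4d} rate={row['rate']:.3f} "
              f"ratio={row['ratio']} status={row['status']}")
    print("PASS" if audit_passes(result) else "FAIL: disparate impact detected")
```

On the constructed sample the female group is approved at 0.3 against a male reference of 0.5, a ratio of 0.6, which fails the threshold; the nonbinary group is too small to judge and is reported as such rather than silently passing. Fairlearn exposes the same population-level number as `fairlearn.metrics.demographic_parity_ratio`; the minimum-group-size guard and the per-group breakdown are what you add on top so the exported report (step 5) says which group is affected and whether the sample was large enough to support the conclusion.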

Gap 3: Audit Trail Incomplete (High, Major Effort)

What’s missing: No immutable audit log of model decisions or data access.

Why it matters: SOC 2, GDPR and ISO 42001 expect audit trails that show who accessed which data, what the model decided, and when. A log that the producing system (or an administrator) can silently edit or truncate proves nothing to an auditor or an incident responder, so immutability is part of the requirement, not an optimization.

Auto-suggested fix: Implement logging and storage

Steps:

  1. Assess current logging (do you log model API calls, the inputs and outputs of each decision, and reads of training and inference data?)
  2. If AWS: Enable CloudTrail, S3 server access logging, API Gateway logging
  3. If Azure: Enable Azure Monitor, Activity Logs
  4. If on-prem: Implement structured logging (ELK, Splunk, etc.)
  5. Ensure logs are tamper-proof: write them to WORM storage (e.g. S3 Object Lock in compliance mode, or Glacier Vault Lock) and, on AWS, enable CloudTrail log file validation so digests can be verified
  6. Set a retention period that satisfies every applicable framework and contract (many organizations standardize on 7 years) and enforce it in the storage policy rather than by convention
  7. Restrict access to logs: read access for security and audit roles only, and no delete or modify rights for anyone, including administrators of the systems that produce the logs
  8. Test log retrieval and integrity verification as part of an incident-response exercise, not only when an auditor asks

Timeline: 2-4 weeks (if not already implemented)
Owner: Infrastructure/Security team
Complexity: Major (requires system design changes)
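Steps 5-7 cover immutability in storage, but WORM storage only protects what reaches it; an entry can still be rewritten or dropped by the producing service before it is shipped. The following is an added example written for this page, not Compliance AI’s own code or any vendor API: a minimal hash-chained application log for model decisions and data access, whose head hash you would anchor in the WORM bucket from step 5. The field names, the constructed entries and the tampering scenarios are assumptions for illustration.

```python
import copy
import hashlib
import json
import time

GENESIS = "0" * 64   # previous-hash value for the first entry


def _digest(entry):
    """SHA-256 over a canonical JSON encoding of everything except the hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class AuditLog:
    """Append-only, hash-chained record of model decisions and data access.
    Each entry commits to the previous one, so editing, deleting or reordering
    any entry breaks every hash after it."""

    def __init__(self):
        self.entries = []

    def append(self, actor, action, subject, detail=None, ts=None):
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "ts": time.time() if ts is None else ts,
            "actor": actor,            # who: service identity or user
            "action": action,          # what: e.g. model.decision, data.read
            "subject": subject,        # on what: record, dataset, model version
            "detail": dict(detail or {}),
            "prev_hash": prev_hash,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def head(self):
        """Hash of the latest entry. Anchor this out-of-band (WORM bucket,
        separate account) so the chain itself cannot be quietly rewritten."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries, expected_head=None):
    """Return (ok, first_bad_seq). Checks sequence numbers, back-links and
    digests, and optionally that the final hash matches an anchored head."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev_hash"] != prev or _digest(e) != e["hash"]:
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


def demo():
    """Constructed log, then two tampering attempts the verifier must catch."""
    log = AuditLog()
    log.append("svc-scoring", "model.decision", "applicant:1001",
               {"model": "credit-v7", "score": 0.82, "outcome": "approve"}, ts=1700000000)
    log.append("alice@example.com", "data.read", "dataset:train-v3", ts=1700000060)
    log.append("svc-scoring", "model.decision", "applicant:1002",
               {"model": "credit-v7", "score": 0.41, "outcome": "deny"}, ts=1700000120)
    anchored = log.head()

    intact = verify_chain(log.entries, anchored)

    edited = copy.deepcopy(log.entries)
    edited[2]["detail"]["outcome"] = "approve"      # rewrite a decision after the fact
    edit_result = verify_chain(edited, anchored)

    truncated = log.entries[:1] + log.entries[2:]  # delete the data-access record
    delete_result = verify_chain(truncated, anchored)

    return intact, edit_result, delete_result


if __name__ == "__main__":
    print(demo())   # ((True, None), (False, 2), (False, 1))
```

A hash chain gives tamper evidence, not tamper resistance: anyone who can rewrite the whole file can recompute every hash, which is why `head()` must be anchored somewhere the log writer cannot modify (the WORM bucket, a separate account, or a signed digest in the same spirit as CloudTrail log file validation). The verification in step 8 then consists of fetching the anchored head and running `verify_chain` against it.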

Gap Closure Workflow

  1. Identify gap in scan results
  2. Estimate effort (Compliance AI provides this)
  3. Assign owner — Who is responsible
  4. Create task — Auto-create Jira/ServiceNow ticket
  5. Set deadline — Based on priority
  6. Track progress — Team updates ticket
  7. Mark complete — Link evidence (e.g., risk assessment PDF)
  8. Re-scan — Run compliance scan again to verify closure

Bulk Task Creation

Create Jira/ServiceNow tasks for all gaps at once:

  1. Go to Scans > [Results] > Create Tasks
  2. Configure defaults:
    • Project: Jira project or ServiceNow table
    • Assignee: Default owner per gap
    • Sprint: Which sprint/release
    • Priority: Map compliance priority to Jira/ServiceNow
  3. Click Create All

Compliance AI will create one task per gap with:

  • Title (gap description)
  • Description (why, what to do, effort estimate)
  • Assignee (team suggested by Compliance AI)
  • Due date (based on priority)
  • Link back to gap in Compliance AI

Remediation Timeline

Typical organization:

Weeks 1-2: Fix Critical gaps (5-10 Critical tasks)

  • Risk assessments, urgent access control fixes
  • Time: 5-10 days of focused effort

Weeks 3-8: Fix High gaps (15-25 High tasks)

  • Bias testing, training programs, monitoring setup
  • Time: 4-6 weeks distributed across teams

Weeks 9-16: Fix Medium gaps (10-20 Medium tasks)

  • Documentation refinements, policy updates
  • Time: 4-8 weeks at 10-15 hours/week

Ongoing: Maintain (Low gaps, monitoring, training)

Total: ~4 months to an “audit-ready” state for an average organization

Next Steps

  • Start remediation: Create Jira/ServiceNow tasks from gap list
  • Track progress: See remediation dashboard (% gaps closed)
  • Re-scan: After major fixes, re-scan to verify closure
  • Generate reports: Audit-Ready Reports