
Remediation Tasks & POA&M

Remediation tasks track work to close compliance gaps. Compliance AI auto-creates tasks from gaps, links them to Jira/ServiceNow, tracks progress, and exports Plans of Action & Milestones (POA&M) for auditors.

Task Lifecycle

  1. Gap identified in scan
  2. Task created — Auto or manual
  3. Assigned to responsible team with due date
  4. In progress — Team updates status
  5. Completed — Evidence attached (e.g., risk assessment PDF, test results)
  6. Verified — Compliance AI confirms gap is closed
  7. Closed — Removed from open gap list

Creating Remediation Tasks

Option 1: Auto-Create from Scan

  1. Go to Scans > [Results] > Create Remediation Tasks
  2. Select gaps to create tasks for:
    • All gaps
    • Critical/High only
    • Specific system or framework
  3. Configure:
    • Integration: Jira, ServiceNow, or Asana
    • Assignee: Default owner (Compliance AI suggests one)
    • Sprint/Iteration: Which planning cycle
    • Due Date: Based on priority
  4. Click Create

Compliance AI creates one task per gap with full description and context.

Option 2: Manual Creation

  1. Go to Compliance > Remediation > New Task
  2. Fill in:
    • Title: What needs to be done
    • Description: Details and context
    • Effort: Hours estimate
    • Assignee: Responsible person
    • Due Date: Target date
    • Link Gap: Which gap this task closes
    • Link Jira/ServiceNow: If already created there
  3. Click Create

Task Status Tracking

Monitor progress with:

  • Dashboard: All open tasks, % complete, at-risk items
  • List: Sortable list of all tasks with status
  • Kanban: Tasks in To-Do, In-Progress, In-Review, Done columns
  • Timeline: Gantt chart of tasks and dependencies

Updating Task Progress

Team members update tasks:

  1. Go to task
  2. Update:
    • Status: To-Do → In-Progress → Review → Done
    • % Complete: 0-100%
    • Comment: Progress notes
    • Evidence: Attach completed work (PDFs, test results, logs)
  3. Click Save

Compliance AI tracks velocity (tasks completed per week) and alerts when a task is at risk (approaching its due date).

Evidence Attachment

When a task is complete, attach proof:

  • “Complete risk assessment”: RiskAssessment_ChatBot_Feb2024.pdf
  • “Implement access controls”: CloudTrail_access_log_export.csv
  • “Conduct fairness testing”: FairnessAudit_February_2024.pdf
  • “Complete staff training”: TrainingCompletion_Certificate.pdf

Evidence is stored in the compliance repository and linked to the gap it closes.

POA&M (Plan of Action & Milestones)

Generate a POA&M document for auditors:

  1. Go to Remediation > POA&M
  2. Configure:
    • Scope: Critical + High tasks, or all
    • Timeframe: Current quarter, half-year, or full year
    • Format: OSCAL, PDF, CSV
  3. Click Export

POA&M includes:

  • Control ID: Which requirement
  • Deficiency: What’s missing
  • Corrective Action: How we’ll fix it
  • Responsible Party: Who’s doing it
  • Milestone Due Date: When it will be done
  • Status: Not Started / In Progress / Complete
  • Evidence: Proof of completion

Example row:

Control: EU AI Act Article 6 (Risk Assessment)
Deficiency: Risk assessment for Vision System not documented
Action: Conduct DPIA per Annex III, engage DPO for review
Responsible: Sarah Chen (Compliance)
Due: March 31, 2024
Status: In Progress (60%)
Evidence: [Pending]

Integration with Jira/ServiceNow

If Jira/ServiceNow is configured:

  1. Remediation tasks sync bidirectionally
  2. Updates in Compliance AI sync to Jira/ServiceNow
  3. Updates in Jira/ServiceNow sync back to Compliance AI
  4. Evidence stored in Compliance AI links to Jira/ServiceNow ticket

Setup:

  1. Go to Settings > Integrations > Jira (or ServiceNow)
  2. Authenticate and grant permissions
  3. Select default project/table
  4. Click Enable

Task Dependencies

For complex remediation, link task dependencies:

Example:

  • Task A: “Conduct risk assessment” (prerequisite)
  • Task B: “Implement bias testing” (depends on Task A)
  • Task C: “Document audit trail” (independent)

To link them:

  1. Go to Task B
  2. Click Dependencies
  3. Add Task A as prerequisite
  4. If Task A is blocked, Task B is automatically blocked
  5. Mark Task A complete to unblock Task B
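The POA&M columns above and the Task A/B/C blocking rule, modelled together as an added example (not Compliance AI's own code): a task is blocked while any prerequisite is incomplete or itself blocked, a task is at risk when its due date falls inside a window, and every task renders as a POA&M row. The Task class, the 14-day window, and the sample tasks and dates are assumptions; the sample data reuses the page's example row.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

POAM_COLUMNS = ["Control ID", "Deficiency", "Corrective Action",
                "Responsible Party", "Milestone Due Date", "Status", "Evidence"]

@dataclass
class Task:
    task_id: str
    control_id: str
    deficiency: str
    action: str
    responsible: str
    due: date
    status: str = "Not Started"      # Not Started / In Progress / Complete
    percent: int = 0
    evidence: str = "[Pending]"
    depends_on: list = field(default_factory=list)  # prerequisite task_ids
    blocked: bool = False            # set by hand, e.g. waiting on a vendor

def is_blocked(task, tasks):
    """Blocked if flagged, or if any prerequisite is blocked or not yet Complete."""
    if task.blocked:
        return True
    return any(tasks[d].status != "Complete" or is_blocked(tasks[d], tasks)
               for d in task.depends_on)

def at_risk(task, today, window_days=14):
    """Open task whose due date is within window_days of today (or already past)."""
    return task.status != "Complete" and task.due <= today + timedelta(days=window_days)

def poam_rows(tasks):
    """One POA&M row per task, header first, in the page's column order."""
    rows = [POAM_COLUMNS]
    for t in tasks.values():
        status = f"{t.status} ({t.percent}%)" if t.status == "In Progress" else t.status
        rows.append([t.control_id, t.deficiency, t.action, t.responsible,
                     t.due.isoformat(), status, t.evidence])
    return rows

TODAY = date(2024, 3, 20)  # constructed sample below: the page's POA&M row plus Task A/B/C
TASKS = {t.task_id: t for t in [
    Task("A", "EU AI Act Article 6 (Risk Assessment)", "Risk assessment for Vision System not documented",
         "Conduct DPIA per Annex III, engage DPO for review", "Sarah Chen (Compliance)",
         date(2024, 3, 31), "In Progress", 60),
    Task("B", "EU AI Act Article 6 (Risk Assessment)", "Bias testing not implemented",
         "Implement bias testing", "Data Science", date(2024, 4, 30), depends_on=["A"]),
    Task("C", "EU AI Act Article 12", "Audit trail not documented", "Document audit trail",
         "Security", date(2024, 4, 15), "Complete", 100, "AuditTrail_Design.pdf"),
]}
```

Feeding `poam_rows(TASKS)` to a CSV writer gives the CSV export described above; `is_blocked` and `at_risk` are the checks a dashboard would run over the same task list.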

Monitoring & Reporting

Remediation Dashboard

Shows:

  • Open Tasks: Count and burn-down chart
  • At-Risk Tasks: Tasks approaching due date
  • Velocity: Tasks completed per week
  • Assignee Workload: Tasks per person/team

Weekly Status Report

Auto-generated report showing:

  • Tasks completed this week
  • Tasks starting this week
  • Blocked tasks (waiting for something)
  • High-risk items needing escalation

Monthly Executive Briefing

Shows compliance improvement:

  • % gaps closed this month
  • Estimated completion date
  • Risks to timeline
  • ROI of remediation investment

Common Scenarios

Scenario 1: Major Project (40+ hour gap)

Break into subtasks:

  • Task 1: Requirements gathering (8 hours)
  • Task 2: Design & approval (4 hours)
  • Task 3: Development (16 hours)
  • Task 4: Testing & validation (8 hours)
  • Task 5: Documentation & rollout (4 hours)

Set dependencies so sequential tasks unblock only after predecessor completes.

Scenario 2: Multi-Team Effort (Risk Assessment)

Tasks for each team:

  • Compliance: Lead DPIA (4 hours)
  • Data Science: Provide fairness testing results (8 hours)
  • Security: Confirm safeguards implementation (2 hours)
  • DPO: Review & sign-off (1 hour)

Set start dates so dependent teams can wait for upstream inputs.

Scenario 3: Vendor Dependency

Gap requires vendor action (e.g., “upgrade encryption”):

  • Create task “Request SOC 2 attestation from vendor”
  • Set assignee to Procurement/Vendor Management
  • Due date: Target compliance deadline minus 2 weeks (to allow time for the vendor response and a fallback)
  • Set task as blocked until vendor responds

Next Steps