Skip to main content
The gap analysis and heatmap views answer two questions at once: where do we stand against every framework, and where will one piece of work move the most needles?

The heatmap

Each cell in the heatmap is one requirement × one framework. The colour is the status: Reading the heatmap horizontally tells you about cross-framework overlap. A red row across all three frameworks means closing that single requirement closes three gaps at once.

Gap analysis

The gap analysis is the heatmap pivoted: list of all open gaps, sorted by remediation impact.

Sort options

What “impact” measures

A single requirement’s impact is count of frameworks affected × max severity. So an EU AI Act high-severity gap that also fails NIST and ISO 42001 outranks an isolated low-severity gap, even if the latter looks scarier individually.

Reading the heatmap

1

Start with the rows

Sort by severity descending. The top rows are the most painful gaps.
2

Look at the row's colour pattern

A row red across all three columns is high-leverage. A row red in one column only is framework-specific.
3

Click the cell

Each cell drills into the requirement detail — backing controls, current evidence, what’s missing.
4

Take action

Either provide manual evidence, schedule an assessment, or fix the underlying telemetry/policy that drives the control.

Exporting

Both views support PDF and CSV export. The exported gap analysis is the format most GRC teams paste into their tracking tool.

Evidence

The mechanism for closing manual-evidence gaps.

Compliance overview

Per-framework views the heatmap aggregates.
Last modified on June 1, 2026