# Gap analysis & heatmap

> Cross-framework view that prioritises remediation by the impact of closing each gap.

The gap analysis and heatmap views answer two questions at once: where do we stand against every framework, and where will one piece of work move the most needles?

***

## The heatmap

Each cell in the heatmap is one requirement × one framework. The colour is the status:

| Colour | Status       |
| ------ | ------------ |
| Green  | Met          |
| Yellow | Partial      |
| Red    | Gap          |
| Grey   | Out of scope |

Reading the heatmap horizontally tells you about cross-framework overlap. A red row across all three frameworks means closing that single requirement closes three gaps at once.

***

## Gap analysis

The gap analysis is the heatmap pivoted: a list of all open gaps, sorted by remediation impact.

### Sort options

| Sort by                    | Use for                          |
| -------------------------- | -------------------------------- |
| **Cross-framework impact** | Maximise leverage. Default sort. |
| **Severity**               | Tackle the worst gaps first.     |
| **Estimated effort**       | Quick wins first.                |
| **Framework**              | Scope to one auditor's view.     |

### What "impact" measures

A single requirement's impact is `count of frameworks affected × max severity`. So an EU AI Act high-severity gap that also fails NIST and ISO 42001 outranks an isolated low-severity gap, even if the latter looks scarier individually.
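
A worked ranking using the formula above, as an added example rather than the product's own code. The requirement names, the numeric severity scale (low=1, medium=2, high=3) and the choice to count only red (Gap) cells as affected are assumptions, since the page does not define them.

```python
# Added example; data below is constructed, not taken from the product.
# Assumptions: severity scale low=1, medium=2, high=3; only "gap" (red)
# cells count as affected. Add "partial" to OPEN to include yellow cells.
SEVERITY = {"low": 1, "medium": 2, "high": 3}
OPEN = {"gap"}

# requirement -> framework -> (status, severity)
HEATMAP = {
    "Human oversight documented": {
        "EU AI Act": ("gap", "high"),
        "NIST": ("gap", "medium"),
        "ISO 42001": ("gap", "medium")},
    "Model inventory maintained": {
        "EU AI Act": ("met", "low"),
        "NIST": ("gap", "low"),
        "ISO 42001": ("met", "low")},
    "Incident reporting process": {
        "EU AI Act": ("gap", "high"),
        "NIST": ("out_of_scope", "high"),
        "ISO 42001": ("met", "high")},
    "Training data provenance": {
        "EU AI Act": ("partial", "medium"),
        "NIST": ("partial", "medium"),
        "ISO 42001": ("gap", "medium")},
    "Access logging enabled": {
        "EU AI Act": ("met", "medium"),
        "NIST": ("met", "medium"),
        "ISO 42001": ("met", "medium")},
}

def impact(cells):
    """Frameworks affected x max severity, over open cells only."""
    sev = [SEVERITY[s] for status, s in cells.values() if status in OPEN]
    return len(sev) * max(sev, default=0)

def gap_analysis(heatmap):
    """Pivot the heatmap into open gaps, highest impact first."""
    rows = []
    for req, cells in heatmap.items():
        hit = sorted(fw for fw, (status, _) in cells.items() if status in OPEN)
        if hit:
            rows.append((req, impact(cells), hit))
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for req, score, hit in gap_analysis(HEATMAP):
        print(f"{score:>2}  {req}  ({', '.join(hit)})")
```

With this data, the row that is red in all three frameworks scores 9, while an isolated high-severity gap scores 3 and an isolated low-severity gap scores 1.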

***

## Reading the heatmap

<Steps>
  <Step title="Start with the rows">
    Sort by severity descending. The top rows are the most painful gaps.
  </Step>

  <Step title="Look at the row's colour pattern">
    A row red across all three columns is high-leverage. A row red in one column only is framework-specific.
  </Step>

  <Step title="Click the cell">
    Each cell drills into the requirement detail — backing controls, current evidence, what's missing.
  </Step>

  <Step title="Take action">
    Either provide manual evidence, schedule an [assessment](../governance/assessments), or fix the underlying telemetry/policy that drives the control.
  </Step>
</Steps>

***

## Exporting

Both views support PDF and CSV export. The exported gap analysis is the format most GRC teams paste into their tracking tool.

```http
POST /api/compliance/heatmap/export
GET  /api/compliance/gaps?sort=impact
```

***

## Related resources

<CardGroup cols={2}>
  <Card title="Evidence" icon="folder-open" href="../governance/evidence">
    The mechanism for closing manual-evidence gaps.
  </Card>

  <Card title="Compliance overview" icon="circle-check" href="./overview">
    Per-framework views the heatmap aggregates.
  </Card>
</CardGroup>
