Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.flowx.ai/llms.txt

Use this file to discover all available pages before exploring further.

Evidence is what turns “we have policies” into “we can prove it”. Observatory collects evidence automatically where it can (runs, evaluations, alerts) and lets reviewers attach manual artefacts where it can’t (sign-offs, screenshots, external reports).

Types of evidence

SourceWhat it capturesCollection
Automated — runsA successful or violating run that satisfies (or breaches) a control.Automatic.
Automated — policy evaluationsAn evaluation result tied to a policy and run.Automatic.
Automated — alert eventsAn alert and its resolution.Automatic.
Manual — documentUploaded PDFs, screenshots, sign-off forms.Manual.
Manual — text attestationA reviewer’s typed statement.Manual.

Workflow

Every piece of evidence goes through review unless the control is explicitly configured to auto-approve automated sources.

Reviewing evidence

1

Open Evidence

The default view shows everything in the Draft state ordered by oldest first.
2

Inspect the artefact

For automated evidence, the run, evaluation, or alert is linked. For manual evidence, the upload is rendered inline.
3

Pick a control

Map the evidence to one or more controls (e.g. an EU AI Act requirement). One artefact can support multiple controls.
4

Approve or reject

Approving moves the artefact into the audit-ready set. Rejecting requires a reason — useful for training the team on what’s acceptable.

Gap analysis

The Gaps card flags controls that have no approved evidence. Use it to prioritise:
  • Sort by framework (EU AI Act, NIST, ISO 42001)
  • Sort by severity of the underlying control
  • See last-approved-evidence age — anything older than a quarter shows as stale
GET /api/evidence/gaps?framework=eu-ai-act
Returns the controls that lack approved evidence and the time since the last approval.

API

EndpointUse
GET /api/evidenceList with filters (state, control, framework).
POST /api/evidenceSubmit manual evidence.
POST /api/evidence/{id}/approveApprove.
POST /api/evidence/{id}/rejectReject with reason.
POST /api/evidence/collectTrigger an automated collection run.
GET /api/evidence/gapsGap analysis.
Static routes (/collect, /gaps) are defined before /{org_id} in the router. Maintain that order on forks.

Policies

Many evidence sources are policy evaluations.

Compliance

Where mapped evidence shows up in the heatmap.
Last modified on June 2, 2026