Compliance Export
| Field | Value |
|---|---|
| Document ID | ASCEND-GOV-004 |
| Version | 2026.04 |
| Last Updated | April 2026 |
| Author | Ascend Engineering Team |
| Publisher | OW-KAI Technologies Inc. |
| Classification | Enterprise Client Documentation |
| Compliance | SOC 2 CC6.1/CC6.2, PCI-DSS 7.1/8.3, HIPAA 164.312, NIST 800-53 AC-2/SI-4 |
Reading Time: 10 minutes | Skill Level: Advanced
Overview
ASCEND provides enterprise-grade compliance export capabilities supporting SOX, PCI-DSS, HIPAA, GDPR, SOC 2, NIST, and ISO frameworks. Generate audit-ready reports with cryptographic verification and scheduled delivery.
note
Compliance exports generate point-in-time snapshots of your governance data. Schedule exports before audit windows to ensure reports reflect the correct reporting period.
Supported Frameworks
| Framework | Description | Default Retention |
|---|---|---|
SOX | Sarbanes-Oxley Act | 7 years |
PCI_DSS | Payment Card Industry | 1 year |
HIPAA | Health Insurance Portability | 6 years |
GDPR | General Data Protection | 6 years |
SOC2 | Service Organization Control | 7 years |
NIST | NIST Cybersecurity Framework | 3 years |
ISO27001 | ISO Information Security | 3 years |
Export Formats
| Format | Content Type | Use Case |
|---|---|---|
JSON | application/json | API integration |
CSV | text/csv | Spreadsheet analysis |
XML | application/xml | Legacy systems |
PDF | application/pdf | Official reports |
XLSX | Excel spreadsheet | Business users |
Get Framework Information
List All Frameworks
curl "https://pilot.owkai.app/api/compliance-export/frameworks" \
-H "Authorization: Bearer owkai_..."
Response:
{
"frameworks": [
{
"value": "sox",
"name": "SOX",
"display_name": "Sarbanes-Oxley Act"
},
{
"value": "pci_dss",
"name": "PCI_DSS",
"display_name": "PCI Data Security Standard"
},
{
"value": "hipaa",
"name": "HIPAA",
"display_name": "Health Insurance Portability"
}
],
"export_formats": ["json", "csv", "xml", "pdf", "xlsx"],
"report_types": ["audit_trail", "access_log", "policy_changes", "risk_assessment", "incident_report"]
}
Get Framework Details
curl "https://pilot.owkai.app/api/compliance-export/frameworks/sox" \
-H "Authorization: Bearer owkai_..."
Response:
{
"framework": "sox",
"display_name": "Sarbanes Oxley",
"supported_reports": ["audit_trail", "policy_changes", "access_log"],
"default_retention_days": 2555,
"required_fields": ["actor_id", "timestamp", "action", "outcome"],
"data_classification": "confidential"
}
Creating Exports
Create Export Job
curl -X POST "https://pilot.owkai.app/api/compliance-export/exports" \
-H "Authorization: Bearer owkai_..." \
-H "Content-Type: application/json" \
-d '{
"framework": "sox",
"report_type": "audit_trail",
"export_format": "pdf",
"start_date": "2025-10-01T00:00:00Z",
"end_date": "2025-12-31T23:59:59Z",
"include_pii": false,
"filters": {
"risk_level": ["high", "critical"],
"event_type": ["USER_ACTION", "POLICY_VIOLATION"]
}
}'
Response:
{
"id": 123,
"framework": "sox",
"report_type": "audit_trail",
"export_format": "pdf",
"start_date": "2025-10-01T00:00:00Z",
"end_date": "2025-12-31T23:59:59Z",
"status": "pending",
"progress_percent": 0,
"created_at": "2025-12-15T10:30:00Z"
}
Quick Export
curl -X POST "https://pilot.owkai.app/api/compliance-export/quick-export/sox/audit_trail?\
days=30&export_format=json" \
-H "Authorization: Bearer owkai_..."
Response:
{
"job_id": 124,
"status": "pending",
"framework": "sox",
"report_type": "audit_trail",
"period_days": 30,
"status_url": "/api/compliance-export/exports/124"
}
Export Job Management
Check Export Status
curl "https://pilot.owkai.app/api/compliance-export/exports/123" \
-H "Authorization: Bearer owkai_..."
Response:
{
"id": 123,
"framework": "sox",
"report_type": "audit_trail",
"export_format": "pdf",
"status": "completed",
"progress_percent": 100,
"file_size_bytes": 2458624,
"record_count": 15420,
"data_classification": "confidential",
"created_at": "2025-12-15T10:30:00Z",
"completed_at": "2025-12-15T10:32:00Z",
"expires_at": "2025-12-22T10:32:00Z",
"download_url": "/api/compliance-export/exports/123/download"
}
List All Exports
curl "https://pilot.owkai.app/api/compliance-export/exports?\
framework=sox&status=completed&limit=50" \
-H "Authorization: Bearer owkai_..."
Response:
[
{
"id": 123,
"framework": "sox",
"report_type": "audit_trail",
"status": "completed",
"record_count": 15420,
"created_at": "2025-12-15T10:30:00Z",
"download_url": "/api/compliance-export/exports/123/download"
},
{
"id": 121,
"framework": "sox",
"report_type": "policy_changes",
"status": "completed",
"record_count": 342,
"created_at": "2025-12-14T10:30:00Z",
"download_url": "/api/compliance-export/exports/121/download"
}
]
Downloading Exports
Download File
curl "https://pilot.owkai.app/api/compliance-export/exports/123/download" \
-H "Authorization: Bearer owkai_..." \
-o sox_audit_trail_123.pdf
Response headers include:
Content-Disposition: attachment; filename="sox_audit_trail_123.pdf"
X-Export-Hash: a1b2c3d4e5f6g7h8i9j0...
X-Record-Count: 15420
Verify Export Integrity
curl -X POST "https://pilot.owkai.app/api/compliance-export/exports/123/verify?\
hash_value=a1b2c3d4e5f6g7h8i9j0..." \
-H "Authorization: Bearer owkai_..."
Response:
{
"job_id": 123,
"provided_hash": "a1b2c3d4e5f6g7h8i9j0...",
"is_valid": true,
"verified_at": "2025-12-15T10:40:00Z"
}
Download Audit Trail
curl "https://pilot.owkai.app/api/compliance-export/exports/123/downloads" \
-H "Authorization: Bearer owkai_..."
Response:
[
{
"id": 1,
"export_job_id": 123,
"downloaded_by": "auditor@company.com",
"downloaded_at": "2025-12-15T10:35:00Z",
"ip_address": "192.168.1.100",
"verified_hash": true
}
]
Scheduled Reports
Create Schedule
curl -X POST "https://pilot.owkai.app/api/compliance-export/schedules" \
-H "Authorization: Bearer owkai_..." \
-H "Content-Type: application/json" \
-d '{
"name": "Weekly SOX Audit Trail",
"description": "Automated weekly SOX compliance report",
"framework": "sox",
"report_type": "audit_trail",
"export_format": "pdf",
"cron_expression": "0 6 * * 1",
"timezone": "America/New_York",
"email_recipients": ["compliance@company.com", "auditor@company.com"],
"webhook_url": "https://hooks.company.com/compliance",
"retention_days": 90
}'
Response:
{
"id": 10,
"name": "Weekly SOX Audit Trail",
"framework": "sox",
"report_type": "audit_trail",
"cron_expression": "0 6 * * 1",
"timezone": "America/New_York",
"is_active": true,
"next_run_at": "2025-12-16T06:00:00-05:00",
"created_at": "2025-12-15T10:45:00Z"
}
Common Cron Expressions
| Schedule | Cron Expression | Description |
|---|---|---|
| Daily at 6 AM | 0 6 * * * | Every day |
| Weekly Monday | 0 6 * * 1 | Every Monday at 6 AM |
| Monthly 1st | 0 6 1 * * | First day of month |
| Quarterly | 0 6 1 1,4,7,10 * | First day of quarter |
List Schedules
curl "https://pilot.owkai.app/api/compliance-export/schedules?active_only=true" \
-H "Authorization: Bearer owkai_..."
Update Schedule
curl -X PUT "https://pilot.owkai.app/api/compliance-export/schedules/10" \
-H "Authorization: Bearer owkai_..." \
-H "Content-Type: application/json" \
-d '{
"is_active": false
}'
Delete Schedule
curl -X DELETE "https://pilot.owkai.app/api/compliance-export/schedules/10" \
-H "Authorization: Bearer owkai_..."
Export Metrics
curl "https://pilot.owkai.app/api/compliance-export/metrics" \
-H "Authorization: Bearer owkai_..."
Response:
{
"total_exports": 156,
"by_framework": {
"sox": 45,
"pci_dss": 38,
"hipaa": 32,
"gdpr": 25,
"soc2": 16
},
"by_status": {
"completed": 148,
"pending": 3,
"processing": 2,
"failed": 3
},
"total_records_exported": 2456000,
"total_export_size_bytes": 158462000,
"supported_frameworks": ["sox", "pci_dss", "hipaa", "gdpr", "soc2", "nist", "iso27001"],
"supported_formats": ["json", "csv", "xml", "pdf", "xlsx"]
}
Report Types
Audit Trail
Complete audit log for specified time period:
{
"report_type": "audit_trail",
"includes": [
"All logged events",
"User actions",
"System events",
"Policy violations"
]
}
Access Log
User access and authentication events:
{
"report_type": "access_log",
"includes": [
"Login attempts",
"Session management",
"Permission changes",
"API access"
]
}
Policy Changes
Configuration and policy modifications:
{
"report_type": "policy_changes",
"includes": [
"Policy updates",
"Rule changes",
"Threshold modifications",
"Agent configuration"
]
}
Risk Assessment
Risk scoring and analysis:
{
"report_type": "risk_assessment",
"includes": [
"Risk score distribution",
"High-risk actions",
"Trend analysis",
"Mitigation actions"
]
}
Incident Report
Security incidents and responses:
{
"report_type": "incident_report",
"includes": [
"Security incidents",
"Kill-switch activations",
"Policy violations",
"Response actions"
]
}
Role Requirements
| Role | Create Export | Download | View History | Schedule |
|---|---|---|---|---|
admin | Yes | Yes | Yes | Yes |
compliance_officer | Yes | Yes | Yes | Yes |
auditor | Yes | Yes | Yes | No |
viewer | No | No | Yes | No |
SDK Integration
Compliance export is driven via the REST API. A higher-level
client.compliance.* namespace accessor is tracked as
SDK-NAMESPACE-FEATURE
for SDK 2.5. In the meantime, reuse your SDK-configured API key.
Create an Export Job (REST API)
# Create SOX audit_trail export for Q4 2025
JOB=$(curl -sS -X POST "https://pilot.owkai.app/api/compliance/exports" \
-H "Authorization: Bearer $ASCEND_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"framework": "sox",
"report_type": "audit_trail",
"export_format": "pdf",
"start_date": "2025-10-01T00:00:00Z",
"end_date": "2025-12-31T23:59:59Z"
}')
JOB_ID=$(echo "$JOB" | jq -r '.id')
echo "Export job created: $JOB_ID"
Poll Until Completed (REST API)
while true; do
STATUS=$(curl -sS -X GET "https://pilot.owkai.app/api/compliance/exports/$JOB_ID" \
-H "Authorization: Bearer $ASCEND_API_KEY" | jq -r '.status')
[ "$STATUS" = "completed" ] && break
[ "$STATUS" = "failed" ] && { echo "export failed"; exit 1; }
sleep 10
done
Download the Export (REST API)
curl -sS -X GET "https://pilot.owkai.app/api/compliance/exports/$JOB_ID/download" \
-H "Authorization: Bearer $ASCEND_API_KEY" \
-o "./sox_audit_q4_2025.pdf"
Best Practices
1. Schedule Regular Reports
# Weekly audit trail
client.compliance.create_schedule(
name="Weekly Audit",
framework="sox",
cron="0 6 * * 1"
)
2. Verify Downloaded Files
# Always verify hash after download
is_valid = client.compliance.verify_export(
job_id=job.id,
hash_value=calculated_hash
)
3. Use Appropriate Retention
# Match retention to compliance requirements
{
"retention_days": 2555 # 7 years for SOX
}
4. Exclude PII When Possible
# Minimize sensitive data exposure
{
"include_pii": false
}
Next Steps
- Audit Logging — Immutable audit system
- Analytics — Compliance analytics
- Risk Assessment — Risk scoring
Document Version: 2026.04 | Last Updated: April 2026
AI Governance Compliance Scoring (F3)
Starting with F3, compliance scores are dynamically calculated from the AI governance audit trail — agent_actions, risk_path_detections, and registered_agents. No scores are hardcoded or estimated.
Security Score Formula
The AI governance security score is derived entirely from agent governance signals. User-level metrics (e.g., MFA adoption) are reported separately under "User Access Controls."
security_score = approval_rate * 0.35
+ human_review_rate * 0.35
+ (100 - avg_risk_score) * 0.30
| Component | Weight | Source | Range |
|---|---|---|---|
approval_rate | 0.35 | % of actions that passed governance review | 0-100 |
human_review_rate | 0.35 | % of actions with human-in-the-loop review | 0-100 |
100 - avg_risk_score | 0.30 | Inverted average risk — lower risk = higher score | 0-100 |
Returns null if no governed actions exist (no evidence to produce a score).
Low SOX Scores
SOX scores heavily weight human review rates. A low SOX score (e.g., 17%) indicates that governed actions lack human-in-the-loop review — this reflects a real governance gap, not a platform error. To improve SOX scores, ensure high-risk actions have reviewed_by populated.
Compliance Frameworks
SOX (Sarbanes-Oxley) — IT General Controls
| Control ID | Control Name | Signal | Effectiveness Threshold |
|---|---|---|---|
| SOX-ITGC-01 | Access Controls | Approval + denial rate across governed actions | >= 70%: effective |
| SOX-ITGC-02 | Change Management | Human review rate | >= 80%: effective |
| SOX-ITGC-03 | Computer Operations | Inverted avg risk score + kill switch events | Risk < 60 and kill switches < 5: effective |
| SOX-Section-404 | Internal Controls | Composite security score formula | >= 60: effective |
HIPAA — Technical Safeguards (§164.312)
| Control ID | Control Name | Signal |
|---|---|---|
| HIPAA-164.312(a) | Access Control | All governed actions pass authorization |
| HIPAA-164.312(b) | Audit Controls | All agent actions logged to audit trail |
| HIPAA-164.312(c) | Integrity | No active destructive_write risk path detections |
| HIPAA-164.312(d) | Authentication | All actions linked to registered agent identities |
PCI-DSS v4.0
| Control ID | Control Name | Signal |
|---|---|---|
| PCI-DSS-Req7 | Restrict Access | Authorization controls deny unauthorized actions |
| PCI-DSS-Req10 | Log and Monitor | All agent actions logged with risk scores |
| PCI-DSS-Req11 | Test Security | Risk path detection pipeline active with detections |
NIST AI RMF
| Control ID | Function | Signal |
|---|---|---|
| GOVERN-1 | Accountability | Registered agents with active status |
| GOVERN-4 | Human Oversight | Human review rate >= 50% |
| MAP-1 | Context Mapping | AI agent inventory complete |
| MAP-3 | AI Categorization | Agents categorized (autonomous/supervised) |
| MEASURE-2 | Risk Measurement | Risk scoring + MITRE detections active |
| MANAGE-1 | Risk Treatment | Denial rate + kill switch events |
| MANAGE-4 | Documentation | Governance reports generated from auditable pipeline |
Insufficient Evidence
When no governed actions exist for a control in the selected time range:
{
"control_id": "SOX-ITGC-01",
"control_name": "Access Controls",
"status": "insufficient_evidence",
"score": null,
"evidence_count": 0,
"finding": "No governed actions found for this control in the selected time range."
}
API Access
Compliance scores are available via:
- Analytics endpoint:
GET /api/enterprise-users/analytics— includescompliance_metricswith all framework scores - Report generation:
POST /api/enterprise-users/generate-report— generates full compliance reports with control-level detail - Security Graph export:
GET /api/v1/graph/export— includes compliance mapping in the PDF report