Compliance Automation Vocabulary — Checks, Violations, and Audit Trails
Practice the vocabulary used in automated compliance tooling: how to describe what a check does, how to report a violation, how to request and grant exceptions, and how audit trail language works in compliance reports and tickets.
Vocabulary Reference
- "this check verifies"
  - Standard phrasing in a compliance check description: "This check verifies that all S3 buckets have server-side encryption enabled." Describes the control being evaluated, not the outcome.
- automated compliance report
  - A machine-generated document listing all evaluated controls, their pass/fail status, resource scope, and timestamps — produced by tools like AWS Security Hub, Chef InSpec, or Prowler.
- "policy violation found"
  - Standard output phrase when a compliance check fails: "Policy violation found: RDS instance db-prod-01 does not have deletion protection enabled."
- exception requested / exception granted
  - Formal vocabulary for documented, time-bounded approvals to allow a known violation: "Exception requested for control CIS-2.1.1 — approved until 2026-09-01 with compensating control in place."
- audit trail
  - The immutable log of who did what and when — essential for demonstrating compliance: "The audit trail shows the exception was approved by the CISO on 2026-06-01."
- compensating control
  - An alternative security measure accepted in place of the primary control when the primary cannot be implemented — must be documented in the exception.
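The following is an added example, not code from this page or from any of the tools it names: a minimal compliance-check engine that emits the phrasing defined above. It shows how the pieces fit together in practice: a check description names the control, a failing resource produces a "Policy violation found" line, an exception suppresses that line only while it is within its approval window and only if it documents a compensating control, and every decision lands in a hash-chained audit trail whose integrity can be verified. The resource inventory, the control id RDS-DELPROT-01, the approver names, dates and the exception text are all constructed for illustration (CIS-2.1.1 is taken from the reference above).

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable
import hashlib
import json

# Constructed inventory: the attributes each check inspects.
RESOURCES = [
    {"id": "bucket-logs", "type": "s3", "sse_enabled": True},
    {"id": "bucket-exports", "type": "s3", "sse_enabled": False},
    {"id": "db-prod-01", "type": "rds", "deletion_protection": False},
    {"id": "db-staging", "type": "rds", "deletion_protection": True},
]


@dataclass
class Check:
    control_id: str                 # RDS-DELPROT-01 is a constructed id; CIS-2.1.1 is from the page
    description: str                # "This check verifies ..." names the control, not the outcome
    resource_type: str
    passes: Callable[[dict], bool]  # True when the resource is compliant
    violation: str                  # template for the "Policy violation found" line


CHECKS = [
    Check("CIS-2.1.1", "This check verifies that all S3 buckets have server-side encryption enabled.",
          "s3", lambda r: r["sse_enabled"], "S3 bucket {id} does not have server-side encryption enabled"),
    Check("RDS-DELPROT-01", "This check verifies that all RDS instances have deletion protection enabled.",
          "rds", lambda r: r["deletion_protection"], "RDS instance {id} does not have deletion protection enabled"),
]


@dataclass
class ComplianceException:
    control_id: str
    resource_id: str
    approved_by: str
    approved_on: date
    approved_until: date
    compensating_control: str       # required: an exception without one is rejected

    def active_on(self, today: date) -> bool:
        # Exceptions are time-bounded; outside the window the violation is reported again.
        return self.approved_on <= today <= self.approved_until


class AuditTrail:
    """Append-only, hash-chained log: each entry commits to the previous hash,
    so editing or deleting any entry makes verify() return False."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor: str, action: str, detail: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"actor": actor, "action": action, "detail": detail, "prev": prev}
        self.entries.append(dict(body, hash=self._digest(body)))
        return self.entries[-1]

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def register_exception(exc: ComplianceException, trail: AuditTrail) -> bool:
    """Grant the exception only if it documents a compensating control; log either outcome."""
    if not exc.compensating_control.strip():
        trail.record("compliance-bot", "exception_rejected",
                     f"{exc.control_id}/{exc.resource_id}: no compensating control documented")
        return False
    trail.record(exc.approved_by, "exception_granted",
                 f"Exception granted for control {exc.control_id} on {exc.resource_id}, approved until "
                 f"{exc.approved_until.isoformat()} with compensating control in place")
    return True


def run_report(today: date, exceptions: list, trail: AuditTrail) -> list:
    """Evaluate every check against every in-scope resource and return the report rows."""
    rows = []
    for check in CHECKS:
        for res in (r for r in RESOURCES if r["type"] == check.resource_type):
            exc = next((e for e in exceptions
                        if e.control_id == check.control_id and e.resource_id == res["id"]), None)
            if check.passes(res):
                status, msg = "PASS", check.description
            elif exc and exc.active_on(today):
                status = "EXCEPTED"
                msg = f"Exception granted until {exc.approved_until.isoformat()} (approved by {exc.approved_by})"
            else:
                status = "FAIL"
                msg = "Policy violation found: " + check.violation.format(**res)
                if exc:  # an expired exception no longer covers the violation
                    msg += f" (exception expired {exc.approved_until.isoformat()})"
            rows.append({"control_id": check.control_id, "resource": res["id"], "status": status,
                         "message": msg, "evaluated_on": today.isoformat()})
            trail.record("compliance-bot", "check_evaluated", f"{check.control_id}/{res['id']}: {status}")
    return rows


def demo(today: date = date(2026, 6, 15)):
    """Constructed scenario: one valid exception, one rejected for lacking a compensating control."""
    trail, exceptions = AuditTrail(), []
    approved = ComplianceException("CIS-2.1.1", "bucket-exports", "CISO", date(2026, 6, 1), date(2026, 9, 1),
                                   "Bucket is private and objects are client-side encrypted before upload")
    if register_exception(approved, trail):
        exceptions.append(approved)
    register_exception(ComplianceException("RDS-DELPROT-01", "db-prod-01", "DBA lead",
                                           date(2026, 6, 1), date(2026, 7, 1), ""), trail)
    return run_report(today, exceptions, trail), trail
```

Running `demo()` on 2026-06-15 reports bucket-exports as EXCEPTED and db-prod-01 as a policy violation; running it with a date after 2026-09-01 reports bucket-exports as FAIL again with the expiry noted, which is what makes the exception time-bounded rather than permanent. The audit trail keeps the granted and rejected exceptions ahead of every check evaluation, and `verify()` detects any after-the-fact edit to an entry.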