# Compliance Governance Prover MCP

> Compliance Governance Prover forces AI analysis beyond vague best practices. It acts like an external auditor, demanding that every compliance claim names the specific law, maps controls to articles, documents evidence artifacts, quantifies risk exposure with money and severity scores, and assigns ownership to a named person.

## Overview
- **Category:** ai-ml
- **Price:** Free
- **Tags:** compliance, governance, gdpr, soc2, pci-dss, regulatory, audit, risk-management

## Description

Most large language models treat compliance like abstract advice. They'll tell you 'you should follow GDPR' or 'your security posture is low risk.' But that kind of talk doesn't pass an actual audit. This MCP forces the AI agent to prove its claims using five specific, audit-grade axes. Instead of accepting vague statements, it demands precise details: Which article in which law applies? What technical control satisfies that exact clause? When was the last test run on that control, and what does the report say? If there’s a gap, how bad is it, and what's the dollar cost to fix it? This tool turns generalized statements into structured compliance reports. It takes an LLM’s theoretical assessment and makes it production-ready. You can find this MCP running on Vinkius, connecting your preferred AI client to rigorous governance standards.

## Tools

### validate_compliance_governance
This tool forces an audit-grade check, requiring the AI to cite specific laws, map controls, document evidence artifacts, quantify risk gaps, and assign named accountability.

## Prompt Examples

**Prompt:** 
```
Our SaaS platform complies with industry standards and has security measures in place. We follow best practices for data protection. The team reviews compliance periodically.
```

**Response:** 
```
REGULATIONS_UNNAMED — 'Industry standards' is not a regulation. 'Best practices' is not a law. Name the specific regulation: GDPR Article 6(1)(a) — lawful basis for processing. SOC 2 CC6.1 — logical access controls. PCI DSS Requirement 3.4 — render PAN unreadable. For each: jurisdiction, applicability rationale, and the specific articles that apply to your data processing operations.
```

**Prompt:** 
```
GDPR Art. 6(1)(a) — consent-based processing, EU jurisdiction. Control: ConsentManager SDK with granular opt-in, audit log. Evidence: penetration test (2025-03-15), 94% coverage, report #PT-2025-Q1. Gap: Art. 17 erasure SLA — severity 3, €2M exposure, €45K remediation, 6-week timeline. Owner: Sarah Chen (DPO), quarterly review, escalation to CISO within 48h.
```

**Response:** 
```
COMPLIANCE_PROVEN — Audit-grade compliance analysis validated. Regulations: GDPR Art. 6(1)(a) with jurisdiction and basis. Controls: ConsentManager SDK with granular consent and audit logging. Evidence: penetration test dated 2025-03-15, 94% coverage, report referenced. Gaps: Art. 17 erasure scored severity 3, €2M exposure, €45K remediation, 6-week timeline. Accountability: Sarah Chen (DPO), quarterly review, 48h CISO escalation. Production-ready compliance posture.
```

**Prompt:** 
```
We comply with GDPR Article 32 — security of processing. Controls: encryption at rest (AES-256) and TLS 1.3 in transit. Last audit: Q2 2024. Risk level: low. Owner: Engineering team, reviews annually.
```

**Response:** 
```
GAPS_UNQUANTIFIED — Regulation and controls pass, but gap analysis fails. 'Low risk' is not a measurement — assign severity (1-5), calculate fine exposure (Art. 83: up to €20M or 4% global turnover), estimate remediation cost, and set a timeline. Also: 'engineering team' is not an owner — name a person. And Q2 2024 audit is over a year old — what is the next scheduled assessment?
```

## Capabilities

### Audit-Grade Validation
It verifies that compliance claims cite specific regulations by name, jurisdiction, and article number.

### Control Mapping
It ensures every claimed regulation is directly paired with a named technical or procedural control.

### Evidence Documentation
The tool requires naming specific audit artifacts, like reports and test dates, backing up all claims.

### Risk Quantification
It forces the calculation of compliance gaps using severity scores, estimated fine exposure in currency, and remediation costs.

### Accountability Assignment
Compliance ownership moves from 'the team' to a specific named person with defined review schedules.

## Use Cases

### Responding to an External Auditor
A compliance officer needs to prove GDPR Article 32 adherence. Instead of submitting a memo stating 'we use encryption,' the agent runs this MCP, and it forces the submission of specific penetration test reports (date: Q1-2024) and confirms the AES-256 implementation details.

### Launching a New Product Line
A product manager has vague internal security plans. They run this MCP to force gap quantification, which immediately identifies that they haven't assigned ownership or calculated the financial exposure for a critical PCI DSS requirement.

### Post-Incident Review
After a minor data leak, the risk team uses the tool. It forces them to go beyond 'we fixed it' and quantify the residual risk, naming the specific control failure, assigning accountability, and defining the remediation timeline.

### Board Reporting
The CISO needs a high-assurance compliance report for the board. This MCP provides the necessary structured output, confirming that every claim has been vetted against both technical controls and named executive accountability.

## Benefits

- Stop accepting general statements. This MCP forces the AI agent to cite specific laws, jurisdictions, and article numbers for every claim, making your compliance proof concrete.
- You quantify risk accurately. Instead of saying 'low risk,' it calculates severity (1-5) and estimates fine exposure in actual currency amounts for any identified gaps.
- Ownership is never vague again. The tool demands a named individual owner, a defined review cadence, and an escalation path for every control.
- Evidence becomes actionable. It requires naming specific audit artifacts, like reports or test results, alongside their coverage dates, eliminating undocumented claims.
- It forces proper mapping. Your agent must link each regulatory article to a corresponding technical or procedural control, leaving no gaps in the governance chain.

## How It Works

The bottom line: you get an audit-ready assessment that moves past general best practices into provable, structured governance documentation.

1. You provide the AI agent with existing compliance documentation or general statements about your system.
2. The MCP runs the data through its structured governance framework, forcing the AI to check five required axes (Regulations, Controls, Evidence, Gaps, and Accountability).
3. It returns a formal verdict: either 'COMPLIANCE_PROVEN' with all details validated, or a rejection detailing exactly which compliance axis failed.
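To make the five-axis verdict concrete, here is an added illustrative checker (not the MCP's own code) that applies the rules the page describes to a structured claim and returns the verdict codes named above. The `ACCOUNTABILITY_UNASSIGNED` code, the 365-day evidence threshold and the claim schema are assumptions, since the page does not specify them.

```python
from datetime import date
VAGUE = {"industry standards", "best practices", "security measures"}
GROUP_WORDS = {"team", "department", "engineering", "it", "ops"}
MAX_EVIDENCE_AGE_DAYS = 365  # assumed; the page only says an audit "over a year old" is stale
AS_OF = date(2025, 6, 1)  # constructed assessment date for the sample run

def _is_named_person(owner: str) -> bool:
    """A named owner has at least two name tokens and no group word ('Engineering team')."""
    words = owner.lower().replace("(", " ").replace(")", " ").split()
    return len(words) >= 2 and not (GROUP_WORDS & set(words))
def audit(claim: dict, as_of: date) -> list:
    """Return failing axis codes in axis order; an empty list means every axis passed."""
    findings = []
    regs = claim.get("regulations", [])
    # Axis 1: a regulation must be named with jurisdiction and article, not a vague phrase.
    if not regs or any(r.get("name", "").lower() in VAGUE
                       or not (r.get("jurisdiction") and r.get("article")) for r in regs):
        findings.append("REGULATIONS_UNNAMED")
    # Axis 2: every cited article is paired with a named technical or procedural control.
    if any(not r.get("control") for r in regs):
        findings.append("CONTROLS_UNMAPPED")
    # Axis 3: evidence names an artifact and carries a test date that is not stale.
    ev = claim.get("evidence", [])
    if not ev or any(not e.get("artifact") or not isinstance(e.get("date"), date)
                     or (as_of - e["date"]).days > MAX_EVIDENCE_AGE_DAYS for e in ev):
        findings.append("EVIDENCE_MISSING")
    # Axis 4: gaps must be a list ('low risk' is a string, not a measurement), each quantified.
    gaps = claim.get("gaps")
    if not isinstance(gaps, list) or any(
            not (isinstance(g.get("severity"), int) and 1 <= g["severity"] <= 5)
            or not all(isinstance(g.get(k), (int, float)) for k in ("exposure_eur", "remediation_eur"))
            or not g.get("timeline_weeks") for g in gaps):
        findings.append("GAPS_UNQUANTIFIED")
    acc = claim.get("accountability", {})  # Axis 5: named person, review cadence, escalation path
    if not (_is_named_person(acc.get("owner", "")) and acc.get("review_cadence") and acc.get("escalation")):
        findings.append("ACCOUNTABILITY_UNASSIGNED")  # assumed code name; the page does not list it
    return findings

def verdict(claim: dict, as_of: date) -> str:
    return (audit(claim, as_of) or ["COMPLIANCE_PROVEN"])[0]

# Constructed sample input mirroring the page's second prompt (not real audit data).
PROVEN_CLAIM = {
    "regulations": [{"name": "GDPR", "jurisdiction": "EU", "article": "Art. 6(1)(a)",
                     "control": "ConsentManager SDK (granular opt-in, audit log)"}],
    "evidence": [{"artifact": "PT-2025-Q1", "date": date(2025, 3, 15), "coverage_pct": 94}],
    "gaps": [{"article": "Art. 17", "severity": 3, "exposure_eur": 2_000_000, "remediation_eur": 45_000, "timeline_weeks": 6}],
    "accountability": {"owner": "Sarah Chen (DPO)", "review_cadence": "quarterly", "escalation": "CISO within 48h"},
}
```

Running `verdict(PROVEN_CLAIM, AS_OF)` yields `COMPLIANCE_PROVEN`, while replacing the gaps with the string `"low"` and the owner with `"Engineering team"` yields `GAPS_UNQUANTIFIED` first and `ACCOUNTABILITY_UNASSIGNED` second, matching the page's third exchange.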

## Frequently Asked Questions

**How does Compliance Governance Prover handle 'best practices'? What is its scope?**
The tool rejects best practices. It requires you to name a specific law, jurisdiction, and article number (like GDPR Art. 6(1)(a)). General guidelines are not enough for an audit-grade assessment.

**Can the Compliance Governance Prover just tell me if I'm compliant?**
No. It doesn't certify compliance; it provides analytical support by forcing structured thinking. If any of the five axes fail, it names the exact governance flaw.

**Does this MCP require me to have financial data to run a test?**
Yes, quantifying gaps requires specific financial inputs—like fine exposure (e.g., 2% annual turnover) and remediation costs—to provide accurate risk scores.

**Is the Compliance Governance Prover better than using an internal checklist?**
Yes. An internal checklist is a manual process; this MCP automates the rigorous, five-axis validation against external regulatory requirements and forces structured evidence documentation.

**What happens if I use the validate_compliance_governance tool with missing information?**
The tool will return an error detailing which compliance axis failed, such as CONTROLS_UNMAPPED or EVIDENCE_MISSING, telling you exactly what data point is lacking.