Use when mapping a set of regulatory or framework requirements against an organization's current controls to surface gaps, prioritize remediation, and produce an attorney-ready draft gap analysis.
When to use
A user says "map our controls to the regulation," "do a gap analysis," or "show me where we're exposed against this framework."
A compliance or legal team needs a structured first-pass matrix before a formal audit, regulatory examination, or board presentation.
An organization has received a new regulation or framework (see rule-change-summary) and now needs to assess readiness.
Counsel needs to organize factual information about current controls against a requirement set before advising on remediation priorities.
A user provides a specific regulation, framework standard, or internal policy and a description of existing controls, and asks for a comparison.
Required inputs
Requirement source: the actual regulation, framework, standard, or policy text — uploaded or pasted. If not provided, stop and request it. Do not construct requirements from model background knowledge; every requirement listed in the matrix must trace to this source.
Control description: a description of the organization's current controls, policies, procedures, systems, and practices relevant to the requirement source. This may be a control inventory, a narrative description, policy documents, or process descriptions. The more specific, the more useful the matrix.
Organization context: business type, size, and any relevant regulatory status (e.g., licensed entity, registered filer, covered entity) that affects applicability of specific requirements.
Scope boundaries (optional but recommended): which parts of the organization, business lines, or systems are in scope for this analysis. If not provided, flag as [SCOPE: CONFIRM with attorney].
Priority areas (optional): if the user identifies specific requirements or control areas to focus on, note them and address them first.
Optional: the practice group's practice-profiles/regulatory.md if it has been populated and is loaded alongside this skill. If present, the skill uses its Standard Positions, Source-of-Truth Documents, and Escalation Thresholds tables to benchmark the output against the group's standing control library and escalation criteria. If absent, the skill proceeds without practice-profile benchmarking and asks the user to supply standing positions inline if needed.
If the requirement source is not provided, stop and request it. If control descriptions are too vague to enable meaningful mapping, ask targeted follow-up questions.
Use when building an ongoing compliance-program tracker for a framework — mapping requirements to controls, owners, and evidence, building an audit calendar, and surfacing evidence gaps and remediation items for attorney review and audit readiness.
When to use
A user says "track our compliance with this framework," "help us prepare for our SOC 2 audit," or "build a compliance dashboard and evidence plan."
An organization needs an ongoing tracker — a control inventory, an audit calendar, and evidence management — rather than a one-time gap analysis.
A team is preparing for an audit or examination and needs an evidence-collection plan and a priority view.
Required inputs
Framework or requirement source: the actual standard, regulation, or framework text — uploaded or pasted. If not provided, stop and request it. Do not construct requirements from model background knowledge; every requirement in the tracker must trace to this source.
Control inventory: a description of the organization's current controls relevant to the framework — the controls, their owners, where evidence is stored, and when evidence was last collected. The more specific the inventory, the more useful the tracker.
Audit context: any known audit dates, the audit period or reporting window, and the assessor if known.
Organization context: business type and any regulatory status that affects which requirements apply.
Scope boundaries (optional but recommended): which entities, business lines, or systems are in scope. If not provided, flag as [SCOPE: CONFIRM with attorney].
Optional: the practice group's practice-profiles/regulatory.md if it has been populated and is loaded alongside this skill. If present, the skill uses its Standard Positions, Source-of-Truth Documents, and Escalation Thresholds tables to benchmark the tracker against the group's standing program design, cadence, and ownership conventions. If absent, the skill proceeds without practice-profile benchmarking and asks the user to supply standing positions inline if needed.
If the framework source is not provided, stop and request it.
Use when structuring a memo that assesses potential enforcement exposure for a described practice, conduct, or set of facts, to produce attorney-ready draft analysis for review.
When to use
A user asks to "assess our enforcement risk," "memo out the exposure here," or "what could a regulator do."
A client describes a business practice or past conduct and wants to understand how a regulator might view it.
Counsel needs a structured first-pass risk assessment to organize facts and frame the legal analysis before drafting advice.
An internal compliance or legal team needs to document a risk assessment for audit, governance, or privilege log purposes.
The user provides (or references) specific regulatory rules and asks for analysis of whether those rules are implicated.
Required inputs
Conduct or practice at issue: a concrete description of what happened or is happening. If vague, ask for specifics — dates, actors, decisions, volumes, systems affected.
Regulator(s): the agency or agencies the user believes have jurisdiction (e.g., SEC, CFPB, FTC, state AG, FDA). Do not invent or assume regulators.
Rule(s) or framework: the specific rule, statute, or guidance the user believes may be implicated. If the user cannot identify rules, note this as a gap and flag it as an attorney verification item; do not supply rules from model knowledge without clearly marking them [UNVERIFIED — attorney must confirm].
Relevant facts: who, what, when, where, why. Ask follow-up questions if the factual record is incomplete.
Client posture: are we counseling the entity under review, a potential whistleblower, an industry participant, or another role? This affects tone and analytical framing.
Jurisdiction and governing law: state/federal, domestic/cross-border. Flag as [CONFIRM] if unclear.
If any required input is missing, stop and request it. Do not fabricate facts, rules, or regulatory history.
Use when summarizing a regulatory rule change, proposed rule, or official guidance document and its practical impact on an organization, based on the actual document provided.
When to use
A user says "summarize this new rule," "what does this guidance require," or "what changed from the old rule."
Counsel or a compliance team receives a final or proposed rule and needs a structured first-pass summary to brief leadership or begin gap analysis.
An organization needs to understand effective dates, compliance deadlines, and who within the organization is affected.
A user provides a Federal Register notice, agency guidance, proposed rule text, or similar official document and asks for its significance.
Preliminary scoping is needed before commissioning a full compliance gap review (see compliance-gap-matrix).
Required inputs
The official document: the full text of the rule, proposed rule, guidance, or notice — uploaded or pasted. This is mandatory. If it is not provided, stop and request it before proceeding. Do not summarize rules from model background knowledge alone.
Organization description: a brief description of the organization's business, size, and the activities likely to be regulated, so the impact summary is relevant.
Prior rule or baseline (if available): the text or description of the prior rule, if the user wants a "what changed" comparison. If not provided, flag that the comparison is limited to what the document itself states about changes.
Jurisdiction and regulatory context: confirm which agency issued the document and in what jurisdiction (federal, state, foreign). Flag as [CONFIRM] if not evident from the document.
If the official document is not provided, stop and request it. Do not proceed on the basis of a description alone. Do not invent rule text, citations, or dates.