Organizations often expend substantial resources to manually determine a state of compliance of their assets (e.g., information, technology, processes, and people) in pursuit of their goals and mission. For instance, organizations often use human developers to manually perform operations, such as (1) interpreting authority documents (e.g., SoX, PCI, and other regulations) to determine controls that are applicable to an asset; (2) interpreting whether a control applies to an asset; (3) determining how to apply the control to targeted assets; (4) determining how to test integrity of an application of the control; and (5) generating test results to validate proper implementation of the control. Accordingly, substantial time, manual effort, and hard-learned expertise regarding compliant use of the organization's information technology (IT) environment are traditionally used to determine the state of compliance.
Developers traditionally expend substantial effort to extract knowledge from technology because they lack guidance and face a vast, unstructured body of data that they must find, interpret in a control context, and stay abreast of as technology, practices, and authority documents evolve. The manual aspect of conventional techniques for determining compliance often causes such techniques to be relatively inefficient. Moreover, conventional techniques typically determine compliance one authority document at a time, leading to further inefficiency. Furthermore, the inefficiencies of conventional techniques are often compounded by relatively high error rates, trial failures, expensive experts to assist in performing the compliance techniques, and/or multiple iterations to successfully implement such techniques.