Glossary
What an organization's documentation, controls, and most recent audit assert to be true.
The actual current configuration and behavior of systems.
The gap between attested state and live state.
Findings aging beyond their dispositioned timeframe without closure or re-acceptance.
Divergence between written policy, the template, and actual practice.
A verifiable record that a control operated as intended.
The risk-proportionate record that a release was reviewed, approved, deployed, monitored, and evidenced.
How recently evidence reflects the current state.
Operating controls and producing evidence as a daily state, not a periodic project.
AI tools, agents, or APIs in use without formal inventory or review.
What a control is meant to achieve, independent of any framework.
An owned record of applicable laws, frameworks, and contractual obligations, mapped to the controls that implement them.
The controlled line between production and non-production environments.
The recorded decision for a finding: remediate, mitigate, or formally risk-accept.
Sustaining readiness through the rhythm an organization already runs, not a compliance season.