Cross-Framework Coverage
Reports surface framework coverage two ways: a deterministic Framework coverage readout (no AI) and an AI-assisted Cross-framework coverage rollup. They answer different questions.
Framework coverage (how far your answers reach)
The Framework coverage panel on Reports shows, for each of the 17 built-in frameworks, how many of its controls your answered questions already touch — "answered N / M controls (X%)" with a progress bar. A lighter track behind the bar shows what the question bank can assess for that framework, so you can tell "we haven't done it yet" from "the bank doesn't cover it." This is computed directly from your yes/partial answers and the question→control mappings — no AI, no approval step. Org admins get a View link to each framework's controls.
Cross-framework coverage (one answer, mapped everywhere)
Once you've answered a HIPAA question yes or partial and attached evidence, Sherpa can suggest which controls in other frameworks — SOC 2, ISO 27001, NIST CSF, and more — that same evidence also satisfies. One answer becomes coverage across your whole framework portfolio.
How it works
- On the assessment page, open a question you've answered with evidence and click Map to other frameworks.
- Sherpa compares the question's regulatory intent against the control catalog and proposes matches, each with a confidence score and a one-line rationale.
- An org admin reviews the proposals and approves the ones that genuinely apply. Approved mappings are recorded against your organization.
- The Cross-framework coverage panel on Reports rolls up, per framework, how many controls your answered HIPAA work now covers — and lists the source HIPAA question codes (e.g. "covered by SR-1.1, PR-2.3") so each mapping's provenance is visible.
Grounding & safety
- Only the question text, its regulatory text, and the control catalog are sent to the model — never your evidence file contents, never patient data.
- Sherpa only proposes mappings above a confidence threshold, and an empty result is normal — a wrong mapping is worse than none.
- Nothing is recorded until an admin approves it. Approvals are org-scoped: they never alter the shared question bank.
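The gating described under How it works and Grounding & safety, sketched as an added example (this is not Sherpa's code): proposals below a confidence threshold are never surfaced, nothing is stored until an org admin approves it, and the rollup keeps the source question codes for each covered control. The class and function names, the 0.80 threshold and the CTRL-* control ids are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

CONFIDENCE_THRESHOLD = 0.80  # assumed value; the page does not state the real one

@dataclass(frozen=True)
class Proposal:
    question_code: str  # source HIPAA question code, e.g. "SR-1.1"
    framework: str      # target framework, e.g. "SOC 2"
    control_id: str     # control in the target framework (placeholder ids below)
    confidence: float   # model-reported score in [0, 1]
    rationale: str      # one-line justification shown to the reviewing admin

def surfaced(proposals, threshold=CONFIDENCE_THRESHOLD):
    """Keep only proposals at or above the threshold; an empty list is valid."""
    return [p for p in proposals if p.confidence >= threshold]

class OrgMappings:
    """Approved mappings for one organization (hypothetical store)."""
    def __init__(self, org_id, admins):
        self.org_id = org_id
        self.admins = set(admins)
        self.approved = []  # org-scoped; the shared question bank is not modified

    def approve(self, proposal, user):
        """Record a mapping only when an org admin approves a surfaced proposal."""
        if user not in self.admins:
            raise PermissionError(f"{user} is not an admin of {self.org_id}")
        if proposal.confidence < CONFIDENCE_THRESHOLD:
            raise ValueError("proposal is below the confidence threshold")
        if proposal not in self.approved:
            self.approved.append(proposal)

    def rollup(self):
        """Per framework: covered control -> sorted source question codes."""
        out = defaultdict(lambda: defaultdict(set))
        for p in self.approved:
            out[p.framework][p.control_id].add(p.question_code)
        return {fw: {c: sorted(q) for c, q in ctrls.items()} for fw, ctrls in out.items()}

# Constructed sample proposals; control ids, scores and rationales are illustrative.
SAMPLE = [
    Proposal("SR-1.1", "SOC 2", "CTRL-A", 0.91, "same access-review intent"),
    Proposal("PR-2.3", "SOC 2", "CTRL-A", 0.88, "overlapping policy requirement"),
    Proposal("SR-1.1", "ISO 27001", "CTRL-B", 0.62, "loosely related wording"),
]
```

The number of controls covered for a framework is the length of that framework's entry in `rollup()`, and the code lists are the provenance shown next to each control.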