How a hypothetical company could say what is proved.
The safest public OpenCompliance demo is not a claim that “ExampleCo is compliant.” It is a synthetic package showing corridor by corridor what ExampleCo can prove today, what still depends on signed attestation, and what blocks issuance. That is what the public ExampleCo showcase pack now does.
What the showcase contains
The right public story
ExampleCo can show a buyer or auditor a replayable package with four different corridor outcomes. One corridor is a clean cyber baseline. One is a narrow issued mixed corridor. One is an honest AI-governance corridor where most of the value is still documentary. One is a blocked corridor that becomes a punch-list instead of a fake badge.
That is a much stronger demonstration than a single generic “we are compliant” statement.
Direct public artifacts
The generated showcase report and summary live in the public examples repo, and the builder script lives in the public conformance repo. The site page is explanatory, but the GitHub artifacts are the main evidence surface.
- showcase-report.json: machine-readable aggregate of corridor outcomes, framework view, and artifact links.
- showcase-summary.md: human-readable version of the same story.
- build_showcase_manifest.py: the public builder that regenerates the showcase from the corridor artifacts.
The workflow
Split the company story into specific surfaces: cyber hygiene, mixed issued controls, AI governance, and blocked slices. Do not jump straight to whole-framework claims.
Machine exports become typed claims. Training, incident procedure, and oversight material stay as signed attestations. The split is explicit from the start.
Each corridor emits a proof bundle, classification result, trust-surface report, verification result, and either a certificate or a punch-list.
Trust-surface reports, replay bundles, witness receipts, transparency logs, and OSCAL-shaped projections can be published without leaking private operating detail.
The showcase builder turns separate corridor artifacts into one company-level package while preserving scope boundaries and outcome differences.
ExampleCo says what is proved, what is attested, and what is blocked. It does not say “ISO 27001 is proved” or “the AI Act is automated.”
Four-corridor story
Clean machine-checkable slice
The cyber baseline corridor issues cleanly with five proved claims and no attestations. It is the strongest current demonstration of what a narrow provable slice looks like.
Safe statement: ExampleCo can say the scoped managed admin and endpoint baseline enforces MFA, default-deny network boundaries, secure configuration, patching, and malware protection.
Realistic near-term issuance
The issued corridor combines machine proofs with signed operational attestations. It shows the narrow path most companies are likely to use first.
Safe statement: ExampleCo can say the scoped identity, logging, access-review, training, restore, and incident-runbook corridor has no blocking gaps, while still disclosing which parts are proved and which parts are attested.
Documentary by design
The AI-governance corridor is intentionally mixed: four claims are attested, and one disclosure control is proved. That is a more honest current AI story than pretending governance is fully machine-checkable.
Safe statement: ExampleCo can say AI context, risk process, oversight, and monitoring are documented and signed, and that AI-generated content disclosure is mechanically demonstrated on the scoped assistant surface.
Failure is first-class
The failed corridor does not issue. It produces a typed punch-list with one machine failure and one judgment-required blocker. This is the corridor that makes the whole framework believable.
Safe statement: ExampleCo can say this corridor is not issuance-ready, and can hand over a typed remediation package instead of hiding the failure.
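The workflow above and the four corridor outcomes just described, as an added illustration that is not the project's build_showcase_manifest.py: four constructed corridor fixtures (control names, scopes, framework tags and blocker details are placeholders, with the proved/attested counts matching the page) are classified one by one, aggregated into a showcase report with a per-framework view, projected to a publishable copy that strips private blocker detail, and rendered as one scoped safe statement per corridor. No company-level badge is ever derived, and a blocked corridor yields a typed punch-list instead of a certificate. The `check_reproducible` helper mirrors what a `--check` mode might do (an assumption, not the script's documented behaviour): regenerate and compare against a committed report.

```python
from __future__ import annotations

import json
from dataclasses import dataclass

# Claim statuses this example distinguishes (names are the example's own).
PROVED = "proved"               # machine-checked from a typed export
ATTESTED = "attested"           # signed human attestation
FAILED = "machine_failure"      # typed check ran and failed
JUDGMENT = "judgment_required"  # a human must decide; blocks issuance
BLOCKING = {FAILED, JUDGMENT}


@dataclass(frozen=True)
class Claim:
    control: str
    status: str
    detail: str = ""  # private operating detail; never published


@dataclass(frozen=True)
class Corridor:
    name: str
    scope: str
    frameworks: tuple[str, ...]
    claims: tuple[Claim, ...]


def corridor_outcome(c: Corridor) -> dict:
    """Classify one corridor: issued (certificate) or blocked (punch-list)."""
    proved = [x.control for x in c.claims if x.status == PROVED]
    attested = [x.control for x in c.claims if x.status == ATTESTED]
    blockers = [{"control": x.control, "kind": x.status, "detail": x.detail}
                for x in c.claims if x.status in BLOCKING]
    result = {"corridor": c.name, "scope": c.scope, "frameworks": list(c.frameworks),
              "outcome": "blocked" if blockers else "issued",
              "proved": proved, "attested": attested}
    if blockers:
        result["punch_list"] = blockers  # failure is first-class, not hidden
    else:
        result["certificate"] = {"scope": c.scope, "proved_count": len(proved),
                                 "attested_count": len(attested)}
    return result


def build_showcase(corridors) -> dict:
    """Company-level package that keeps scope boundaries and outcomes separate."""
    results = [corridor_outcome(c) for c in corridors]
    framework_view = {}
    for r in results:
        for f in r["frameworks"]:
            framework_view.setdefault(f, []).append(
                {"corridor": r["corridor"], "outcome": r["outcome"],
                 "proved": len(r["proved"]), "attested": len(r["attested"])})
    # Only scoped corridor results per framework; no whole-framework verdict.
    return {"company": "ExampleCo", "corridors": results, "framework_view": framework_view}


def public_projection(report: dict) -> dict:
    """Publishable copy: keeps control ids and blocker kinds, drops private detail."""
    out = json.loads(json.dumps(report))
    for r in out["corridors"]:
        for b in r.get("punch_list", []):
            b.pop("detail", None)
    return out


def safe_statements(report: dict) -> list:
    """One scoped sentence per corridor, in the shape the page calls a safe statement."""
    lines = []
    for r in report["corridors"]:
        if r["outcome"] == "issued":
            lines.append(f"{r['corridor']} ({r['scope']}): issued; "
                         f"{len(r['proved'])} proved, {len(r['attested'])} attested.")
        else:
            lines.append(f"{r['corridor']} ({r['scope']}): not issuance-ready; "
                         f"{len(r['punch_list'])} blocker(s) in the punch-list.")
    return lines


def check_reproducible(committed_json: str, corridors) -> bool:
    """Assumed --check semantics: regenerate and compare canonical JSON."""
    regenerated = json.dumps(build_showcase(corridors), sort_keys=True)
    return regenerated == json.dumps(json.loads(committed_json), sort_keys=True)


# Constructed sample corridors mirroring the counts on this page; all names are placeholders.
SAMPLE_CORRIDORS = (
    Corridor("cyber-baseline", "managed admin and endpoint baseline", ("CYBER-BASELINE",), (
        Claim("mfa", PROVED), Claim("default-deny-network", PROVED),
        Claim("secure-configuration", PROVED), Claim("patching", PROVED),
        Claim("malware-protection", PROVED))),
    Corridor("issued-mixed", "identity, logging, access review and operations",
             ("CYBER-BASELINE", "ISMS-SUBSET"), (
        Claim("identity", PROVED), Claim("logging", PROVED), Claim("access-review", PROVED),
        Claim("training", ATTESTED), Claim("restore", ATTESTED), Claim("incident-runbook", ATTESTED))),
    Corridor("ai-governance", "scoped assistant surface", ("AI-GOVERNANCE",), (
        Claim("ai-context", ATTESTED), Claim("risk-process", ATTESTED),
        Claim("oversight", ATTESTED), Claim("monitoring", ATTESTED),
        Claim("ai-content-disclosure", PROVED))),
    Corridor("blocked-slice", "constructed failing scope", ("ISMS-SUBSET",), (
        Claim("log-retention", FAILED, "retention 14d below required 90d"),
        Claim("vendor-risk-review", JUDGMENT, "reviewer sign-off pending"))),
)

if __name__ == "__main__":
    report = build_showcase(SAMPLE_CORRIDORS)
    print(json.dumps(public_projection(report), indent=2))
    print("\n".join(safe_statements(report)))
```

The split in the issued-mixed corridor (which of its six controls are proved versus attested) is not stated on the page, so the three-and-three division above is the example's own choice. The point to carry over is structural: the report carries proved and attested lists side by side for every corridor, and `framework_view` lists scoped corridor results under each framework tag without ever turning them into a framework-level claim.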
What ExampleCo should say, and not say
Say: “Here are our scoped corridor artifacts. This cyber baseline is mechanically demonstrated. This issued corridor mixes proofs and signed attestations. This AI governance corridor is mostly documentary. This failed corridor is not issuance-ready and comes with a typed remediation list.”
Do not say: “OpenCompliance proved our ISO 27001 compliance,” “we automated the AI Act,” or “one green badge means everything is done.” The framework is most credible when the boundaries stay visible.
Rebuild the showcase
```shell
cd projects/dev/opencompliance
python3 conformance/scripts/build_showcase_manifest.py \
  --showcase-root fixtures/public/exampleco-showcase \
  --check
```

```shell
cd conformance
python3 scripts/build_showcase_manifest.py \
  --examples-root ../examples \
  --showcase-root exampleco-showcase \
  --check
python3 scripts/validate_public_examples.py \
  --examples-root ../examples \
  --specs-root ../specs \
  --schema-root ../evidence-schema
```