ExampleCo Showcase

How a hypothetical company could say what is proved.

The safest public OpenCompliance demo is not a claim that “ExampleCo is compliant.” It is a synthetic package showing corridor by corridor what ExampleCo can prove today, what still depends on signed attestation, and what blocks issuance. That is what the public ExampleCo showcase pack now does.

What the showcase contains

  • 4 Scoped corridors
  • 3 Issued outcomes
  • 1 Blocked outcome
  • 11 Proved claims
  • 9 Attested claims
  • 6 Lean-backed proved claims
Narrative

The right public story

ExampleCo can show a buyer or auditor a replayable package with four different corridor outcomes. One corridor is a clean cyber baseline. One is a narrow issued mixed corridor. One is an honest AI-governance corridor where most of the value is still documentary. One is a blocked corridor that becomes a punch-list instead of a fake badge.

That is a much stronger demonstration than a single generic “we are compliant” statement.

Public Root

Direct public artifacts

The generated showcase report and summary live in the public examples repo, and the builder script lives in the public conformance repo. The site page is explanatory, but the GitHub artifacts are the main evidence surface.

The workflow

Step 1
Define narrow corridors

Split the company story into specific surfaces: cyber hygiene, mixed issued controls, AI governance, and blocked slices. Do not jump straight to whole-framework claims.

Step 2
Collect typed evidence

Machine exports become typed claims. Training, incident procedure, and oversight material stay as signed attestations. The split is explicit from the start.

Step 3
Run Verify per corridor

Each corridor emits a proof bundle, classification result, trust-surface report, verification result, and either a certificate or a punch-list.

Step 4
Publish public-safe artifacts

Trust-surface reports, replay bundles, witness receipts, transparency logs, and OSCAL-shaped projections can be published without leaking private operating detail.

Step 5
Aggregate for buyers

The showcase builder turns separate corridor artifacts into one company-level package while preserving scope boundaries and outcome differences.

Step 6
Stay honest in language

ExampleCo says what is proved, what is attested, and what is blocked. It does not say “ISO 27001 is proved” or “the AI Act is automated.”
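To make the aggregation in Step 5 and the language rule in Step 6 concrete, here is an added example (not the OpenCompliance showcase builder itself) that folds constructed per-corridor results into one company-level summary while keeping each corridor's scope, outcome and proved / attested split visible. The corridor names, scope labels, claim names and punch-list items are constructed for illustration.

```python
# Added example, not the OpenCompliance builder: aggregate constructed per-corridor
# results without collapsing them into a single whole-framework claim.
from collections import Counter

# Constructed inputs mirroring the corridor story: typed claims carry a basis
# ("proved" or "attested"); punch-list items are typed "machine" or "judgment".
CORRIDORS = [
    {"name": "cyber-baseline", "scope": "managed admin and endpoint baseline",
     "claims": [("mfa", "proved"), ("default-deny", "proved"), ("secure-config", "proved"),
                ("patching", "proved"), ("malware-protection", "proved")],
     "punch_list": []},
    {"name": "issued-mixed", "scope": "identity and monitoring corridor",
     "claims": [("password-policy", "proved"), ("logging", "proved"),
                ("training", "attested"), ("incident-runbook", "attested")],
     "punch_list": []},
    {"name": "blocked", "scope": "constructed failing slice",
     "claims": [("storage-encryption", "proved")],
     "punch_list": [("backup-restore", "machine"), ("automated-decision-review", "judgment")]},
]

def corridor_outcome(corridor):
    # Any punch-list item blocks issuance; the corridor then ships a remediation list.
    return "blocked" if corridor["punch_list"] else "issued"

def safe_statement(corridor):
    """Wording that names scope and evidence basis, never 'we are compliant'."""
    basis = Counter(b for _, b in corridor["claims"])
    if corridor_outcome(corridor) == "blocked":
        kinds = Counter(k for _, k in corridor["punch_list"])
        return (f"{corridor['name']}: not issuance-ready for the scoped {corridor['scope']}; "
                f"{kinds['machine']} machine failure(s), {kinds['judgment']} judgment-required blocker(s)")
    if basis["attested"] == 0:
        return (f"{corridor['name']}: issued; {basis['proved']} claims mechanically demonstrated "
                f"on the scoped {corridor['scope']}")
    return (f"{corridor['name']}: issued with no blocking gaps; {basis['proved']} proved, "
            f"{basis['attested']} attested on the scoped {corridor['scope']}")

def build_showcase(corridors):
    """Company-level package: totals plus one entry per corridor, boundaries intact."""
    totals = Counter()
    entries = []
    for c in corridors:
        totals[corridor_outcome(c)] += 1
        totals.update(b for _, b in c["claims"])  # count proved / attested claims
        entries.append({"name": c["name"], "scope": c["scope"], "outcome": corridor_outcome(c),
                        "statement": safe_statement(c), "punch_list": list(c["punch_list"])})
    return {"corridors": entries, "totals": dict(totals)}
```

Running `build_showcase(CORRIDORS)` yields two issued and one blocked corridor with eight proved and two attested claims, and each entry keeps its own scoped statement rather than a merged badge.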

Four-corridor story

Cyber Baseline

Clean machine-checkable slice

The cyber baseline corridor issues cleanly with five proved claims and no attestations. It is the strongest current demonstration of what a narrow provable slice looks like.

Safe statement: ExampleCo can say the scoped managed admin and endpoint baseline enforces MFA, default-deny network boundaries, secure configuration, patching, and malware protection.

Issued Mixed Corridor

Realistic near-term issuance

The issued corridor combines machine proofs with signed operational attestations. It shows the narrow path most companies are likely to use first.

Safe statement: ExampleCo can say the scoped identity, password-policy, managed-WAF, centralized-monitoring, logging, storage-encryption, access-review, training, restore, and incident-runbook corridor has no blocking gaps, while still disclosing which parts are proved and which parts are attested.

AI Governance

Documentary by design

The AI-governance corridor is intentionally mixed. Ten claims are attested, five are proved, and one automated-decision boundary remains explicit human judgment. That is a more honest current AI story than pretending governance is fully machine-checkable.

Safe statement: ExampleCo can say AI context, risk process, oversight, monitoring, evaluation, data-quality governance, and supplier-transfer governance are documented and signed, and that AI-generated content disclosure, provenance metadata, typed task-envelope state, rights-ready run-trace retention, and privacy-notice publication state are mechanically demonstrated on the scoped assistant surface. It still should not imply that lawful basis, rights handling in production, retention adequacy, or controller-processor legality are already fully automated.

Blocked Corridor

Failure is first-class

The failed corridor does not issue. It produces a typed punch-list with one machine failure and one judgment-required blocker. This is the corridor that makes the whole framework believable.

Safe statement: ExampleCo can say this corridor is not issuance-ready, and can hand over a typed remediation package instead of hiding the failure.

What the AI corridor still needs next

Live Inputs

Operator-fed task envelopes, not synthetic snapshots

The corridor now has typed task-envelope and privacy-notice artifacts, but a serious buyer-facing package should collect them from live control-plane exports and rights operations rather than only synthetic ExampleCo fixtures.

Rights And Intervention

How people can stop or correct the system

The package should now go beyond a retained rights-ready run trace and show real access, rectification, erasure, objection, and human-override operations on the scoped assistant surface.

Action Trace

Reconstruct significant actions

If the agent can take consequential actions, ExampleCo should now be able to reconstruct the relevant inputs, tool calls, approvals, and policy checks for that run from live traces rather than only the synthetic public-safe examples.

Retention And Vendors

Memory, subprocessors, and transfers

The corridor now discloses supplier-transfer governance and privacy-notice publication state, but it should next expose live recipient, processor, and transfer evidence plus memory-retention enforcement rather than only governance assertions.

Worked example for a buyer or DPO

Scenario

An assistant handles a rights-related support request

Suppose ExampleCo uses a scoped assistant to triage an access or deletion-related request. A serious assurance package should let a reviewer see the declared task purpose, the approved tools and stores, the blocked accesses, the human escalation points, and the retention window for the resulting trace.

Checklist

What the reviewer should ask for

  • Task-purpose and lawful-basis record, ideally tied to a typed task envelope.
  • Rights-ready action log and human override trace, not just policy statements.
  • Retention and deletion evidence for the run and any memory it created.
  • Supplier, recipient, and transfer map for any model or connector vendors involved.
  • Clear statement of what is proved, what is attested, and what still requires judgment.

What ExampleCo should say, and not say

Say This

“Here are our scoped corridor artifacts. This cyber baseline is mechanically demonstrated. This issued corridor mixes proofs and signed attestations. This AI governance corridor is mostly documentary. This failed corridor is not issuance-ready and comes with a typed remediation list.”

Do Not Say

“OpenCompliance proved our ISO 27001 compliance,” “we automated the AI Act,” or “one green badge means everything is done.” The framework is most credible when the boundaries stay visible.

Rebuild the showcase

Private Working Tree

cd projects/dev/opencompliance
python3 conformance/scripts/build_showcase_manifest.py \
  --showcase-root fixtures/public/exampleco-showcase \
  --check

Public Multi-Repo Checkout

cd conformance
python3 scripts/build_showcase_manifest.py \
  --examples-root ../examples \
  --showcase-root exampleco-showcase \
  --check

python3 scripts/validate_public_examples.py \
  --examples-root ../examples \
  --specs-root ../specs \
  --schema-root ../evidence-schema