# Controls

Control checks are a special category of Policy Checks.

Unlike traditional checks that validate a single configuration object or state of your app, Controls evaluate whether a governance process is operating effectively over time.

Each Control represents a defined governance objective — for example:

* **GOV\_0001 – Change Management**

Controls are evaluated continuously based on audit events and lifecycle activity within your apps and environments.

Where standard policy checks answer:

> “Is this specific condition true?”

Controls answer:

> “Is this governance process functioning correctly and consistently?”

***

### How Controls Work

Each Control is evaluated based on two configurable dimensions:

1. **Coverage Profile**
2. **Environment Scope**

Together, these determine how rigorously the control is assessed and where it applies.

***

### Coverage Profile

A **Coverage Profile** defines how a specific control is evaluated within AppControl.

For each control (such as **GOV\_0001 – Change Management**), you select one Coverage Profile.\
The selected profile determines:

* Which **audit events** are required as evidence
* What governance conditions must be met
* How strictly the control is evaluated

Coverage Profiles allow you to align the control with your required level of assurance — from basic traceability to strict separation-of-duties enforcement.

In other words:

> The control defines *what must be governed.*\
> The coverage profile defines *how rigorously it must be evidenced.*

***

#### How Coverage Profiles Are Evaluated

When a Coverage Profile is selected, AppControl continuously evaluates compliance by analyzing audit events associated with the app and its environments.

Evaluation happens in three layers:

**1. Evidence Presence**

AppControl verifies that all required evidence event types defined in the profile are present.

Example:

* If `CHANGE_APPROVED` is required, deployments without approval evidence will cause the control to fail.

***

**2. Event Relationships**

Some profiles require specific relationships between events, not just their existence.

Examples:

* A revision change must be linked to a deployment.
* A deployment must be associated with an approval.
* A configuration change must be linked to a release.
* A change review must be associated with the release it governs.

If required relationships are missing, the control will not meet the selected Coverage Profile.

***

**3. Policy Validation**

For stricter profiles, AppControl evaluates governance conditions such as:

* Approval before deployment
* Rollback registration
* Separation of duties (review evidence independent of approval)

These checks are executed automatically through Compliance Policies that analyze the underlying audit events.

***

#### Compliance Outcome

Based on the evaluation, AppControl determines whether the control is:

* **Compliant** — All required evidence and relationships are present
* **Non-Compliant** — Required governance conditions are not met

The stricter the Coverage Profile, the more evidence and governance validation is required.

***

### Environment Scope

Each Control also includes an **Environment Scope** setting.

Environment Scope defines which types of environments are evaluated for compliance with the selected Coverage Profile.

For example, you may choose to apply a control to:

* Production only
* Production and Acceptance
* All environments

This allows you to:

* Enforce stricter governance in Production
* Apply lighter requirements in Development
* Align control enforcement with risk level

Compliance is evaluated only for environments included in the defined scope.
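
The three evaluation layers and the Environment Scope filter described above, as an added example that is not AppControl's implementation. Apart from `CHANGE_APPROVED`, the event types, field names, profile keys and sample events are hypothetical and constructed for illustration.

```python
from datetime import datetime

# Constructed audit events. Only CHANGE_APPROVED appears on this page; the other
# event types, the field names and the profile keys are hypothetical.
def ev(type_, release, actor, env, at):
    return {"type": type_, "release": release, "actor": actor, "env": env,
            "at": datetime.fromisoformat(at)}

EVENTS = [
    ev("CHANGE_REVIEWED", "r1", "bob",   "production",  "2024-05-01T09:00"),
    ev("CHANGE_APPROVED", "r1", "carol", "production",  "2024-05-01T10:00"),
    ev("DEPLOYMENT",      "r1", "alice", "production",  "2024-05-01T11:00"),
    ev("DEPLOYMENT",      "r2", "alice", "development", "2024-05-02T08:00"),  # no evidence
    ev("CHANGE_REVIEWED", "r3", "dave",  "acceptance",  "2024-05-03T09:00"),
    ev("DEPLOYMENT",      "r3", "alice", "acceptance",  "2024-05-03T10:00"),
    ev("CHANGE_APPROVED", "r3", "dave",  "acceptance",  "2024-05-03T12:00"),  # late, same actor
]

STRICT = {"required": ["CHANGE_APPROVED", "CHANGE_REVIEWED"],
          "approval_before_deployment": True, "separation_of_duties": True}

def evaluate(events, profile, scope):
    """Return (outcome, findings) for deployments in the scoped environments."""
    in_scope = [e for e in events if e["env"] in scope]
    findings = []
    # Layer 1, evidence presence: each required event type occurs in scope.
    seen = {e["type"] for e in in_scope}
    findings += [("*", f"no {t} evidence") for t in profile["required"] if t not in seen]
    for dep in (e for e in in_scope if e["type"] == "DEPLOYMENT"):
        # Layer 2, event relationships: evidence must share the deployment's release.
        linked = {e["type"]: e for e in in_scope
                  if e["release"] == dep["release"] and e is not dep}
        for t in profile["required"]:
            if t in seen and t not in linked:
                findings.append((dep["release"], f"{t} not linked"))
        approval, review = linked.get("CHANGE_APPROVED"), linked.get("CHANGE_REVIEWED")
        # Layer 3, policy validation over the linked events.
        if profile["approval_before_deployment"] and approval and approval["at"] >= dep["at"]:
            findings.append((dep["release"], "approved after deployment"))
        if profile["separation_of_duties"] and approval and review \
                and approval["actor"] == review["actor"]:
            findings.append((dep["release"], "reviewer is also approver"))
    return ("Compliant" if not findings else "Non-Compliant"), findings
```

With the scope set to `{"production"}` the same event stream is Compliant; widening the scope to include acceptance or development surfaces the late approval, the shared reviewer and approver, and the unlinked deployment.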

***

### Continuous Evaluation

Controls are not evaluated once — they are evaluated continuously.

As new audit events are generated (deployments, approvals, configuration changes, reviews, rollbacks, etc.), AppControl automatically re-evaluates the control against the selected Coverage Profile and Environment Scope.

This enables:

* Continuous compliance monitoring
* Immediate visibility into control failures
* Ongoing assurance rather than periodic assessment

***

### Summary

Controls introduce a structured, evidence-driven way to monitor governance processes across your Mendix landscape.

Each Control:

* Defines a governance objective
* Uses a Coverage Profile to define required evidence and rigor
* Uses Environment Scope to define where it applies
* Is continuously evaluated based on audit events

Together, this provides a configurable and transparent foundation for continuous security, quality, and compliance within AppControl.


