Every framework. Every system. One view.

Data Hierarchy

Every view in Citadel flows from a three-level hierarchy: organization, system, environment. The ScopeSwitcher in the header lets you drill from your organization into any system, then into any environment. The change is immediate. All subsequent data (posture scores, findings, controls, evidence) flows from your selected scope. This is not just navigation. It is the trust boundary for every API call. When you select an environment, the platform tags your requests with scope identifiers. The backend validates permissions before returning data. Role-based access control follows the same boundaries: you might be an analyst for one system but carry read-only access to another.

This architecture supports complex organizational structures. Multi-tenanted teams can filter by business unit, compliance function, or production tier. The visual metaphor of nested hexagons (organization, system, environment, resource) makes the relationships explicit. No hunting through trees. No guessing what context you are in. Select your scope; the entire dashboard recomputes. Every metric, every finding, every action queue item reflects exactly the boundary you chose.

Posture Scoring

The platform maintains a ControlPosture record for every control in every assessment. That record holds implementation status, evidence sufficiency (a percentage based on how much evidence links to the control), and inheritance source (where the control came from: organizational policy, infrastructure baseline, or manual assertion). When you deploy new infrastructure and Sentinel detects it, ControlPosture updates. When evidence expires, ControlPosture updates. When you mark a control implemented and link evidence, ControlPosture updates. The score you see is a derived projection from an immutable event stream, recomputed after every relevant change across every active framework simultaneously.

Posture score aggregates those records into a single 0-100 metric. The algorithm weights controls by framework criticality. Evidence sufficiency acts as a confidence multiplier: an implemented control with weak evidence counts less than one with a strong chain of custody. The platform computes per-control-family and per-system breakdowns. You see immediately: "Access Control is 91%. System and Communications Protection is 68%." Role-based dashboards surface this differently: executives see cross-framework readiness, engineers see technical control concentration, compliance analysts see evidence gaps by age.

Action Queue

Every control that is not fully implemented is a candidate for an action. But not all actions are equally valuable. Implementing SC-7 (boundary protection) in a cloud environment might lift your posture 6 points. Implementing AT-3 (security training records) might lift it 0.8 points. The queue sorts by impact descending. You work through the highest-impact actions first. Your team gets unambiguous direction: here is what to do next. The ranking updates as you work. Close a finding mapped to AC-2, and that control's impact score drops because its evidence sufficiency just improved. A new action bubbles to the top.

Each action card includes: control ID and title, current status, impact delta (how many points implementing it adds), estimated effort, assignee suggestion, and a deep link to the full control view. You can assign actions to team members directly from the queue. When assigned, it becomes a compliance task with deadline tracking. All transitions log to the audit trail. If Sentinel detects an S3 bucket without encryption, the platform auto-creates a finding, maps it to SC-28, and the action queue surfaces "Implement S3 encryption" with impact score. You do not wait for a manual assessment. The queue shows the remediation path immediately.

Three Lenses

The Compliance Lens organizes by framework. Framework tabs run horizontally. Within each tab: control families, inheritance breakdown, evidence freshness. This lens answers: "Are we ready for assessment?" The Risk Lens organizes by severity and finding status. Critical findings surface first, colored red. Medium findings below. Risk-accepted findings separated with their expiry dates. This lens answers: "What could hurt us?" The Operational Health Lens organizes by infrastructure change. New resources flagged. Resources with configuration drift highlighted. Evidence freshness in a timeline view. POA&M milestones on a calendar. This lens answers: "What do we need to maintain daily?"

Users do not navigate between separate pages. Same dashboard. Same data. The switch changes how cards group and sort. Executives might favor Risk and Compliance. Engineers favor Operational Health and Risk. Auditors lock to Compliance lens during assessment preparation. Your role preferences set the default lens, but you can override anytime. One click. The entire dashboard reorganizes around a different question.

Phase Adaptation

Two layers are always present. The persistent base layer shows continuous posture: score trend, drift alerts, evidence freshness, upcoming deadlines. This layer never changes. Over that base sits a conditional overlay. When an active assessment exists, assessment-specific cards appear alongside the base. During PLANNING, the overlay emphasizes system setup, framework selection, team assignments. During IN_PROGRESS, it shifts to assessment completion percentage, gap count, evidence sufficiency. As you approach READY_FOR_ASSESSMENT, the overlay highlights the readiness checklist: "All controls have a status? Yes. All HIGH findings resolved? No, 3 remain." Each checklist item is a link to the relevant control or finding.

During UNDER_ASSESSMENT, the overlay becomes read-focused. It shows the snapshot the assessor is reviewing (frozen at assessment start), the live posture now, and a diff. You cannot edit controls during assessment, but you see all changes your team made, all evidence links, and the complete audit trail. In REMEDIATION, the overlay shows assessor findings with remediation evidence, verification status, and re-test schedule. When the assessment reaches AUTHORIZED, the overlay disappears. The base layer remains. You are in continuous monitoring mode. Same dashboard. No mode switch. The assessment was a photograph. You keep living.

Alerts & Notifications

Sentinel monitors four categories behind the scenes. Evidence freshness: a daily job checks every expiration date. If approaching threshold (default 14 days), your action queue surfaces "Refresh evidence for AC-2 (expires in 12 days)." If the date passes, the control degrades to AT_RISK. Drift detection: when infrastructure changes, Sentinel evaluates control impact. Material changes fire alerts: "New S3 bucket created without encryption. SC-28 may be degraded." You respond: remediate, accept risk, or mark out-of-scope. POA&M aging: overdue milestones trigger notifications to the responsible party and the assessment lead. Risk acceptance expiry: 60 days before a risk acceptance expires, you are notified to remediate or renew.

All alerts route through notification preferences. Some users want email for HIGH severity only. Others want Slack for everything. The platform routes each alert to: in-app notification, email via SES, Slack webhook, or silent (per user preference). Every notification includes a deep link. "Sarah created findings in SC-7" links directly to the findings. "Your POA&M for AC-2 is overdue" links to the POA&M detail. No alert fatigue. No spam. Just signal.

Cross-Capability Navigation

Every control title in the Compliance Lens is a link. Click SC-28. You jump to Rampart's SC-28 detail view: narratives, evidence, implementation plan. A back button returns you to Citadel. When you encounter a finding (say, "Unencrypted S3 bucket detected"), that finding originated in Sentinel. The finding card includes "View in Sentinel." Click it. You see the bucket details, remediation guidance from Vanguard, the exact configuration object. Remediate from Sentinel. The finding updates. Back to Citadel, the control's status refreshes. The Garrison link appears when viewing a system: "View inventory for this system" opens Garrison pre-filtered to that system's resources.

Alliance appears when viewing org-level trust. "Your partners' posture" takes you to Alliance's trust network view. Armory is always accessible via the sidebar: browse framework packs, IaC modules, capability packs. Deploy directly from Citadel context. Outposts appear in the evidence section when linked to controls. "Scan results from Vanguard" shows the latest scan. Click to jump to Vanguard's workbench. Run a new scan. Results sync back when complete. The navigation model: Citadel aggregates. When you need to drill deeper or take action, a single click takes you to the domain capability, always pre-scoped to your current context. You never lose context. You never get lost.