A compliance program (e.g. PCI or HIPAA) has controls (e.g. “Ensure encryption is enabled”) which contain mappings to CSPM plugins (e.g. “EBS Volume Encryption Enabled”) which produce findings.