| name | grc-system-boundary-diagram |
| description | Use when creating a draw.io diagram for compliance scope, authorization boundaries, trust boundaries, in-scope/out-of-scope systems, and system context diagrams in a GRC, security, audit, compliance, privacy, cloud, or risk context. |
| allowed-tools | Write, Bash, Read, WebFetch |
GRC system boundary diagram
Use this skill to structure the GRC content and visual pattern for compliance scope, authorization boundaries, trust boundaries, in-scope/out-of-scope systems, and system context diagrams. Then use the drawio skill to generate the native editable .drawio file and optional PNG/SVG/PDF export.
Common Requests
- FedRAMP authorization boundary
- SOC 2 system boundary
- PCI CDE boundary
- HIPAA ePHI boundary
Recommended Elements
Include these when relevant:
- systems
- actors
- identity providers
- data stores
- monitoring
- boundaries
- inherited services
- exclusions
- control overlays
Recommended Output Pattern
Produce a Architecture boundary diagram, trust-zone diagram, or system context diagram. Choose a layout that matches the audience:
- Executive: compact lifecycle/capability view with business impact labels.
- Auditor/assessor: explicit evidence, owner, control, cadence, and scope labels.
- Practitioner/engineering: operational systems, data paths, automation, failure/exception paths, and implementation detail.
draw.io Instructions
- Load and follow the
drawio skill.
- Generate native mxGraphModel XML directly. Do not generate Mermaid as the final artifact.
- Use descriptive lowercase hyphenated filenames.
- Include a legend when colors, edge styles, or containers have compliance meaning.
- Validate XML well-formedness before finalizing.
- If PNG/SVG/PDF is requested, export with embedded diagram XML when the draw.io CLI is available.
Visual Conventions
- Blue: systems, platforms, services, and automated collectors.
- Green: implemented controls, approvals, validated evidence, and compliant outcomes.
- Orange/red: risks, findings, exceptions, overdue items, gaps, and failed controls.
- Gray: manual tasks, external parties, optional steps, and out-of-scope areas.
- Dashed containers: audit scope, trust boundaries, authorization boundary, or responsibility boundary.
- Solid edges: primary process or system flow.
- Dashed edges: evidence or attestation flow.
- Dotted edges: optional, manual, exception, or escalation flow.
Quality Bar
- Make ownership explicit.
- Label regulated data, control IDs, frameworks, and evidence repositories when known.
- Show decision criteria where the process branches.
- Avoid generic boxes like "Compliance" without a role, system, artifact, or action.
- Prefer editable source of truth over screenshots.