Diff vs SLA map
I was shuddering at the implied faff & error-risk of building a config/per-app spec for Legal Obligations, but it looks like it's just running a diff on Found Permissions. Purely intra-code and relying on human response thereafter. Which is vastly more robust.
And very useful, I'd've thought.