| EN-P-1 | Wallet instance integrity verification missing | 🟠 high | platform | | compliance#1 |
| EN-P-2 | WSCD/WSCA via FIDO sign extension | 🔴 critical | platform | SID-KEY-01, SID-KEY-03 | compliance#2 |
| EN-P-3 | Credential re-issuance functionality missing | 🟡 medium | platform | | compliance#3 |
| EN-P-4 | Anti-tampering and obfuscation controls missing | 🟢 low | platform | | compliance#4 |
| EN-S-1 | Partial audit logging and SIEM | 🟡 medium | platform | SID-AUDIT-01, SID-OPS-06 | compliance#5 |
| EN-S-2 | Partial asset classification and cryptographic documentation | 🟡 medium | platform | SID-CRYPTO-01, SID-CRYPTO-02, SID-CRYPTO-03, SID-CRYPTO-04, SID-CRYPTO-05 | compliance#6 |
| EN-S-3 | Partial SDLC, change management and vulnerability scanning | 🟡 medium | platform | SID-OPS-04, SID-OPS-05, SID-OPS-08 | compliance#7 |
| EN-S-4 | Partial wallet unit security and lifecycle | 🟡 medium | platform | SID-AUTH-01, SID-AUTH-02, SID-TRANS-02, SID-TRANS-03, SID-HARD-04 | compliance#8 |
| EN-S-5 | Partial transport and instance protection | 🟡 medium | platform | SID-TRANS-01, SID-AUTH-04, SID-CRYPTO-03 | compliance#9 |
| EN-P-5 | Partial user authentication and session controls | 🟠 high | platform | SID-AUTH-01, SID-AUTH-02, SID-AUTH-03, SID-KEY-01, SID-KEY-03, SID-CRYPTO-02 | compliance#10 |
| EN-P-6 | Partial key management and credential operations | 🟡 medium | platform | SID-CRYPTO-02, SID-CRYPTO-03, SID-KEY-01, SID-KEY-03 | compliance#11 |
| EN-P-7 | Partial hardening and error handling | 🟡 medium | platform | SID-HARD-01, SID-HARD-02, SID-HARD-05, SID-ACCESS-02, SID-TRANS-04 | compliance#12 |
| EN-P-8 | Partial trust list freshness and status checking | 🟡 medium | platform | SID-TRUST-02, SID-TRUST-04, SID-DATA-03 | compliance#13 |
| P-3 | Enterprise identity fields stored as plaintext | 🟡 medium | platform | SID-DATA-06 | compliance#14, go-wallet-backend#86 |
| P-4 | Incomplete right-to-erasure cascade | 🟡 medium | platform | SID-PRIV-03 | compliance#15, go-wallet-backend#87, go-wallet-backend#89 |
| ISO-O-8 | Partial segregation of duties | 🟢 low | platform | SID-ORG-02, SID-ACCESS-01 | compliance#16 |
| ISO-O-9 | Partial threat intelligence coverage | 🟡 medium | platform | SID-ORG-03, SID-TRUST-02 | compliance#17 |
| ISO-O-10 | Partial information classification | 🟢 low | platform | SID-DATA-01, SID-DATA-02 | compliance#18 |
| ISO-O-11 | Partial access rights management | 🟢 low | platform | SID-ACCESS-01, SID-ACCESS-04 | compliance#19 |
| ISO-O-12 | Partial supply chain security | 🟡 medium | platform | SID-ORG-04, SID-OPS-04 | compliance#20 |
| ISO-O-13 | Partial incident assessment and evidence handling | 🟡 medium | platform | SID-OPS-01, SID-AUDIT-01 | compliance#21 |
| ISO-O-14 | Partial PII protection | 🟠 high | platform | SID-PRIV-01, SID-DATA-01, SID-DATA-02 | compliance#22 |
| ISO-P-2 | Partial security event reporting | 🟢 low | platform | SID-PPL-04, SID-AUDIT-01 | compliance#23 |
| ISO-PH-2 | Partial storage media controls | 🟢 low | platform | SID-PHY-02, SID-CRYPTO-03 | compliance#24 |
| ISO-T-3 | Secure development lifecycle gaps | 🟡 medium | platform | SID-OPS-08 | compliance#25 |
| ISO-T-5 | Partial endpoint and privileged access controls | 🟡 medium | platform | SID-AUTH-02, SID-HARD-03, SID-HARD-05, SID-CRYPTO-02 | compliance#26 |
| ISO-T-6 | Partial vulnerability and malware protection | 🟡 medium | platform | SID-OPS-04, SID-HARD-05 | compliance#27 |
| ISO-T-7 | Partial logging and monitoring | 🟡 medium | platform | SID-AUDIT-01, SID-OPS-06 | compliance#28 |
| ISO-T-8 | Partial network security | 🟡 medium | platform | SID-TRANS-01, SID-TRANS-04, SID-HARD-03 | compliance#29 |
| ISO-T-9 | Partial data leakage prevention | 🟢 low | platform | SID-HARD-01, SID-HARD-05, SID-PRIV-01 | compliance#30 |