regscale-cli 6.21.1.0__py3-none-any.whl → 6.21.2.0__py3-none-any.whl

regscale/integrations/commercial/wizv2/policy_compliance.py

@@ -9,8 +9,8 @@ import re
 from datetime import datetime
 from typing import Dict, List, Optional, Iterator, Any
 
-from regscale.core.app.utils.app_utils import error_and_exit, check_license
 from regscale.core.app.application import Application
+from regscale.core.app.utils.app_utils import error_and_exit, check_license, get_current_datetime
 from regscale.integrations.commercial.wizv2.async_client import run_async_queries
 from regscale.integrations.commercial.wizv2.constants import (
     WizVulnerabilityType,
@@ -20,23 +20,36 @@ from regscale.integrations.commercial.wizv2.constants import (
     FRAMEWORK_SHORTCUTS,
     FRAMEWORK_CATEGORIES,
 )
+from regscale.integrations.commercial.wizv2.data_fetcher import PolicyAssessmentFetcher
+from regscale.integrations.commercial.wizv2.finding_processor import (
+    FindingConsolidator,
+    FindingToIssueProcessor,
+)
+from regscale.integrations.commercial.wizv2.policy_compliance_helpers import (
+    ControlImplementationCache,
+    AssetConsolidator,
+    IssueFieldSetter,
+    ControlAssessmentProcessor,
+)
 from regscale.integrations.commercial.wizv2.wiz_auth import wiz_authenticate
 from regscale.integrations.compliance_integration import ComplianceIntegration, ComplianceItem
 from regscale.integrations.scanner_integration import (
     ScannerIntegrationType,
     IntegrationAsset,
     IntegrationFinding,
+    issue_due_date,
 )
 from regscale.models import regscale_models
 
 logger = logging.getLogger("regscale")
 
 
+# Constants for file operations
 JSON_FILE_EXT = ".json"
 JSONL_FILE_EXT = ".jsonl"
-
-## WIZ_POLICY_QUERY moved to constants
-
+MAX_DISPLAY_ASSETS = 10  # Maximum number of asset names to display in descriptions
+CACHE_CLEANUP_KEEP_COUNT = 5  # Number of recent cache files to keep during cleanup
+WIZ_URL = "https://api.wiz.io/graphql"
 
 # Safer, linear-time regex for control-id normalization.
 # Examples supported: 'AC-4', 'AC-4(2)', 'AC-4 (2)', 'AC-4-2', 'AC-4 2'
@@ -83,8 +96,8 @@ class WizComplianceItem(ComplianceItem):
         filtered = [
             sc for sc in subcategories if sc.get("category", {}).get("framework", {}).get("id") == target_framework_id
         ]
-        # Fallback to original list if filter removes everything (defensive)
-        return filtered if filtered else subcategories
+        # Return filtered results - if empty, the control_id will be empty (framework filtering working as intended)
+        return filtered
 
     @property
     def resource_id(self) -> str:
@@ -178,12 +191,15 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
 
     title = "Wiz Policy Compliance Integration"
     type = ScannerIntegrationType.CONTROL_TEST
-    # Enable component creation/mapping like scanner integrations
-    options_map_assets_to_components: bool = True
+    # Use wizId field for asset identification (matches other Wiz integrations)
+    asset_identifier_field = "wizId"
+    # Do not create assets - they come from separate inventory import
+    options_map_assets_to_components: bool = False
     # Do not create vulnerabilities from compliance policy results
     create_vulnerabilities: bool = False
-    # Enable scan history; we will record issue counts
-    enable_scan_history: bool = True
+    # Do not create scan history - this is compliance report ingest, not a vulnerability scan
+    enable_scan_history: bool = False
+
     # Control whether JSONL control-centric export is written alongside JSON
     write_jsonl_output: bool = False
 
@@ -199,6 +215,7 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
         create_issues: bool = True,
         update_control_status: bool = True,
         create_poams: bool = False,
+        regscale_module: Optional[str] = "securityplans",
         **kwargs,
     ):
         """
@@ -214,9 +231,11 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
         :param bool create_issues: Whether to create issues for failed compliance
         :param bool update_control_status: Whether to update control implementation status
         :param bool create_poams: Whether to mark issues as POAMs
+        :param Optional[str] regscale_module: RegScale module string (overrides default parent_module)
         """
         super().__init__(
             plan_id=plan_id,
+            parent_module=regscale_module,
             catalog_id=catalog_id,
             framework=self._map_framework_id_to_name(framework_id),
             create_issues=create_issues,
@@ -226,6 +245,10 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
             **kwargs,
         )
 
+        # Override parent_module if regscale_module is provided
+        if regscale_module:
+            self.parent_module = regscale_module
+
         self.wiz_project_id = wiz_project_id
         self.client_id = client_id
         self.client_secret = client_secret
@@ -245,21 +268,87 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
             self.policy_cache_dir, f"policy_assessments_{wiz_project_id}_{framework_id}.json"
         )
 
+        # Initialize helper classes for cleaner code organization
+        self._control_cache = ControlImplementationCache()
+        self._asset_consolidator = AssetConsolidator()
+        self._issue_field_setter = IssueFieldSetter(self._control_cache, plan_id, regscale_module or "securityplans")
+        self._finding_consolidator = FindingConsolidator(self)
+        self._finding_processor = FindingToIssueProcessor(self)
+        self._assessment_processor = ControlAssessmentProcessor(
+            plan_id,
+            regscale_module or "securityplans",
+            self.scan_date,
+            self.title,
+            self._map_framework_id_to_name(framework_id),
+        )
+
     def fetch_compliance_data(self) -> List[Any]:
         """
-        Fetch compliance data from Wiz GraphQL API.
+        Fetch compliance data from Wiz GraphQL API and filter to framework-specific
+        items for existing assets only.
 
-        :return: List of raw compliance data (will be converted by base class)
+        :return: List of filtered raw compliance data
         :rtype: List[Any]
         """
         # Authenticate if not already done
         if not self.access_token:
             self.authenticate_wiz()
 
-        # Fetch raw policy assessments and return them
-        # The base class will call create_compliance_item() on each
-        self.raw_policy_assessments = self._fetch_policy_assessments_from_wiz()
-        return self.raw_policy_assessments
+        # Load existing assets early for filtering
+        self._load_regscale_assets()
+
+        # Use the data fetcher for cleaner code
+        fetcher = PolicyAssessmentFetcher(
+            wiz_endpoint=self.wiz_endpoint or WIZ_URL,
+            access_token=self.access_token,
+            wiz_project_id=self.wiz_project_id,
+            framework_id=self.framework_id,
+            cache_duration_minutes=self.cache_duration_minutes,
+        )
+
+        all_policy_assessments = fetcher.fetch_policy_assessments()
+
+        if not all_policy_assessments:
+            logger.info("No policy assessments fetched from Wiz")
+            self.raw_policy_assessments = []
+            return []
+
+        # Filter to only items with existing assets in RegScale
+        filtered_assessments = self._filter_assessments_to_existing_assets(all_policy_assessments)
+
+        self.raw_policy_assessments = filtered_assessments
+        return filtered_assessments
+
+    def _filter_assessments_to_existing_assets(self, assessments: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
+        """
+        Filter assessments to only include items with existing assets and control IDs.
+
+        :param assessments: List of raw assessments from Wiz
+        :return: Filtered list of assessments
+        """
+        assets_exist = getattr(self, "_regscale_assets_by_wiz_id", {})
+        filtered_assessments = []
+        skipped_no_control = 0
+        skipped_no_asset = 0
+
+        for assessment in assessments:
+            # Convert to compliance item to check framework and asset existence
+            temp_item = WizComplianceItem(assessment, self)
+
+            # Skip if no control ID (not in selected framework)
+            if not temp_item.control_id:
+                skipped_no_control += 1
+                continue
+
+            # Skip if asset doesn't exist in RegScale (use cached lookup)
+            if temp_item.resource_id not in assets_exist:
+                skipped_no_asset += 1
+                continue
+
+            filtered_assessments.append(assessment)
+        logger.debug(f"Skipped {skipped_no_control} assessments with no control ID for framework.")
+        logger.debug(f"Skipped {skipped_no_asset} assessments with no existing asset in RegScale.")
+        return filtered_assessments
 
     def create_compliance_item(self, raw_data: Any) -> ComplianceItem:
         """
@@ -309,66 +398,268 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
 
     def fetch_assets(self, *args, **kwargs) -> Iterator[IntegrationAsset]:
         """
-        Fetch assets grouped to components by asset types like scanner integrations,
-        and upsert existing assets (no duplicates). Only assets for items already
-        filtered to the selected framework are considered.
+        No assets are created in policy compliance integration.
+        Assets come from separate Wiz inventory import.
+        """
+        return iter([])
+
+    def fetch_findings(self, *args, **kwargs) -> Iterator[IntegrationFinding]:
+        """
+        Create consolidated findings grouped by control, with all affected resources under each control.
 
-        - Deduplicate by resource_id
-        - Yield assets with component_names set to their inferred group
-        - Always yield unique assets for bulk upsert (create or update)
+        This approach groups by control first, then collects all resources that fail that control.
+        This results in one finding per control with multiple resources, making consolidation much easier.
         """
-        logger.info("Fetching assets from compliance items...")
+        if not self.failed_compliance_items:
+            return
 
-        # Ensure caches are loaded for downstream lookups
-        self._load_existing_records_cache()
+        # Use the finding consolidator for cleaner code
+        yield from self._finding_consolidator.create_consolidated_findings(self.failed_compliance_items)
 
-        processed_resources = set()
-        for compliance_item in self.all_compliance_items:
-            resource_id = getattr(compliance_item, "resource_id", None)
-            if not resource_id or resource_id in processed_resources:
-                continue
+    def _get_all_control_ids_for_compliance_item(self, compliance_item: WizComplianceItem) -> List[str]:
+        """
+        Get ALL control IDs that a compliance item maps to.
 
-            asset = self.create_asset_from_compliance_item(compliance_item)
-            if asset:
-                # Derive component grouping from the source asset type (not control)
-                component_name = self._get_component_name_from_source_type(compliance_item)
-                if isinstance(getattr(asset, "component_names", None), list) and component_name:
-                    if component_name not in asset.component_names:
-                        asset.component_names.append(component_name)
+        Wiz policies can map to multiple controls (e.g., one policy failure might affect
+        AC-4(2), AC-4(4), and SC-28(1) controls). This method returns all of them.
 
-                processed_resources.add(resource_id)
-                yield asset
+        :param WizComplianceItem compliance_item: Compliance item to extract control IDs from
+        :return: List of control IDs this policy maps to
+        :rtype: List[str]
+        """
+        if not compliance_item.policy:
+            return []
 
-    def fetch_findings(self, *args, **kwargs) -> Iterator[IntegrationFinding]:
+        subcategories = compliance_item._get_filtered_subcategories()
+        if not subcategories:
+            return []
+
+        # Extract control IDs and deduplicate in one pass
+        unique_control_ids = []
+        seen = set()
+
+        for subcat in subcategories:
+            external_id = subcat.get("externalId", "")
+            if external_id and external_id not in seen:
+                seen.add(external_id)
+                unique_control_ids.append(external_id)
+
+        return unique_control_ids
+
+    def _group_compliance_items_by_control(self) -> Dict[str, Dict[str, WizComplianceItem]]:
         """
-        Produce at most one finding per (asset, control) pair to avoid duplicates.
+        Group failed compliance items by control ID.
 
-        Dedupe key: (resource_id, control_id), case-insensitive.
+        :return: Dictionary mapping control IDs to resource dictionaries
+        :rtype: Dict[str, Dict[str, WizComplianceItem]]
         """
-        logger.info("Fetching findings from failed compliance items (dedup by asset-control)...")
+        control_to_resources = {}  # {control_id: {resource_id: compliance_item}}
 
-        seen_keys: set[tuple[str, str]] = set()
         for compliance_item in self.failed_compliance_items:
             if not isinstance(compliance_item, WizComplianceItem):
-                finding = super().create_finding_from_compliance_item(compliance_item)
-                if finding:
-                    yield finding
                 continue
 
             asset_id = (compliance_item.resource_id or "").lower()
-            control = (compliance_item.control_id or "").upper()
-            if not asset_id or not control:
+            if not asset_id:
                 continue
 
-            key = (asset_id, control)
-            if key in seen_keys:
+            # Get ALL control IDs that this policy assessment maps to
+            all_control_ids = self._get_all_control_ids_for_compliance_item(compliance_item)
+            if not all_control_ids:
                 continue
-            seen_keys.add(key)
 
-            finding = self.create_finding_from_compliance_item(compliance_item)
+            # Add this resource to each control it fails
+            for control_id in all_control_ids:
+                control = control_id.upper()
+
+                if control not in control_to_resources:
+                    control_to_resources[control] = {}
+
+                # Use the first compliance item we find for this resource-control pair
+                # (there might be duplicates from multiple policy assessments)
+                if asset_id not in control_to_resources[control]:
+                    control_to_resources[control][asset_id] = compliance_item
+
+        return control_to_resources
+
+    def _create_consolidated_findings(
+        self, control_to_resources: Dict[str, Dict[str, WizComplianceItem]]
+    ) -> Iterator[IntegrationFinding]:
+        """
+        Create consolidated findings from grouped control-resource mappings.
+
+        :param Dict[str, Dict[str, WizComplianceItem]] control_to_resources: Control groupings
+        :yield: Consolidated findings
+        :rtype: Iterator[IntegrationFinding]
+        """
+        for control_id, resources in control_to_resources.items():
+
+            # Use the first compliance item as the base for this control's finding
+            base_compliance_item = next(iter(resources.values()))
+
+            # Create a consolidated finding for this control
+            finding = self._create_consolidated_finding_for_control(
+                control_id=control_id, compliance_item=base_compliance_item, affected_resources=list(resources.keys())
+            )
+
             if finding:
                 yield finding
 
+    def _create_consolidated_finding_for_control(
+        self, control_id: str, compliance_item: WizComplianceItem, affected_resources: List[str]
+    ) -> Optional[IntegrationFinding]:
+        """
+        Create a consolidated finding for a control with all affected resources.
+
+        :param str control_id: The control ID (e.g., 'AC-4(2)')
+        :param WizComplianceItem compliance_item: Base compliance item for this control
+        :param List[str] affected_resources: List of Wiz resource IDs that fail this control
+        :return: Consolidated finding with all affected resources
+        :rtype: Optional[IntegrationFinding]
+        """
+        # Filter to only resources that exist as assets in RegScale
+        asset_mappings = self._build_asset_mappings(affected_resources)
+
+        if not asset_mappings:
+            return None
+
+        # Create the base finding using the control-specific approach
+        finding = self._create_finding_for_specific_control(compliance_item, control_id)
+        if not finding:
+            return None
+
+        # Update the asset identifier and description with consolidated info
+        self._update_finding_with_consolidated_assets(finding, asset_mappings)
+        return finding
+
+    def _build_asset_mappings(self, resource_ids: List[str]) -> Dict[str, Dict[str, str]]:
+        """
+        Build asset mappings for resources that exist in RegScale.
+
+        :param List[str] resource_ids: List of Wiz resource IDs
+        :return: Mapping of resource IDs to asset information
+        :rtype: Dict[str, Dict[str, str]]
+        """
+        asset_mappings = {}
+
+        for resource_id in resource_ids:
+            if self._asset_exists_in_regscale(resource_id):
+                asset = self.get_asset_by_identifier(resource_id)
+                if asset and asset.name:
+                    asset_mappings[resource_id] = {"name": asset.name, "wiz_id": resource_id}
+                else:
+                    # Fallback to resource ID if asset name not found
+                    asset_mappings[resource_id] = {"name": resource_id, "wiz_id": resource_id}
+
+        return asset_mappings
+
+    def _update_finding_with_consolidated_assets(
+        self, finding: IntegrationFinding, asset_mappings: Dict[str, Dict[str, str]]
+    ) -> None:
+        """
+        Update a finding with consolidated asset information.
+
+        :param IntegrationFinding finding: Finding to update
+        :param Dict[str, Dict[str, str]] asset_mappings: Asset mapping information
+        :return: None
+        :rtype: None
+        """
+        # Update the asset identifier to include all asset names (clean format for POAMs)
+        consolidated_asset_identifier = self._create_consolidated_asset_identifier(asset_mappings)
+        finding.asset_identifier = consolidated_asset_identifier
+
+        # Update finding description to indicate multiple resources
+        asset_names = [info["name"] for info in asset_mappings.values()]
+        if len(asset_names) > 1:
+            finding.description = f"{finding.description}\n\nThis control failure affects {len(asset_names)} assets: {', '.join(asset_names[:MAX_DISPLAY_ASSETS])}"
+            if len(asset_names) > MAX_DISPLAY_ASSETS:
+                finding.description += f" (and {len(asset_names) - MAX_DISPLAY_ASSETS} more)"
+
+    def _create_finding_for_specific_control(
+        self, compliance_item: WizComplianceItem, control_id: str
+    ) -> Optional[IntegrationFinding]:
+        """
+        Create a finding for a specific control ID from a compliance item.
+
+        This is similar to create_finding_from_compliance_item but ensures the finding
+        uses the specific control ID rather than just the first one.
+
+        :param WizComplianceItem compliance_item: Source compliance item
+        :param str control_id: Specific control ID to create finding for
+        :return: Integration finding for this specific control
+        :rtype: Optional[IntegrationFinding]
+        """
+        try:
+            control_labels = [control_id] if control_id else []
+            severity = self._map_severity(compliance_item.severity)
+            policy_name = self._get_policy_name(compliance_item)
+            title = f"{policy_name} ({control_id})" if control_id else policy_name
+            description = self._compose_description(policy_name, compliance_item)
+
+            finding = self._build_finding(
+                control_labels=control_labels,
+                title=title,
+                description=description,
+                severity=severity,
+                compliance_item=compliance_item,
+            )
+
+            # Set the specific control ID for this finding
+            finding.rule_id = control_id
+            finding.affected_controls = self._normalize_control_id_string(control_id)
+
+            # Ensure unique external_id for each control to prevent unwanted updates
+            finding.external_id = f"wiz-policy-control-{control_id.upper()}-{self.framework_id}"
+
+            self._set_assessment_id_if_available(finding, compliance_item)
+            return finding
+
+        except Exception as e:
+            logger.error(f"Error creating finding for control {control_id}: {e}")
+            return None
+
+    def _asset_exists_in_regscale(self, resource_id: str) -> bool:
+        """
+        Check if an asset with the given Wiz resource ID exists in RegScale.
+
+        :param str resource_id: Wiz resource ID to check (stored in RegScale asset wizId field)
+        :return: True if asset exists, False otherwise
+        :rtype: bool
+        """
+        if not resource_id:
+            return False
+
+        try:
+            # Check if we have a cached lookup of existing assets
+            if not hasattr(self, "_regscale_assets_by_wiz_id"):
+                self._load_regscale_assets()
+
+            return resource_id in self._regscale_assets_by_wiz_id
+        except Exception:
+            return False
+
+    def _load_regscale_assets(self) -> None:
+        """
+        Load all existing assets from RegScale into a Wiz ID-based lookup cache.
+        Wiz resource IDs are stored in the RegScale asset wizId field.
+        """
+        try:
+            logger.info("Loading existing assets from RegScale for asset existence checks...")
+            # Get all assets for the current plan
+            existing_assets = regscale_models.Asset.get_all_by_parent(
+                parent_id=self.plan_id,
+                parent_module=self.parent_module,
+            )
+
+            # Create Wiz ID-based lookup cache (Wiz resource ID -> RegScale asset)
+            self._regscale_assets_by_wiz_id = {asset.wizId: asset for asset in existing_assets if asset.wizId}
+            logger.info(f"Loaded {len(self._regscale_assets_by_wiz_id)} existing assets for lookup")
+
+        except Exception as e:
+            logger.error(f"Error loading RegScale assets: {e}")
+            # Initialize empty cache to avoid repeated failures
+            self._regscale_assets_by_wiz_id = {}
+
     def _map_framework_id_to_name(self, framework_id: str) -> str:
         """
         Map framework ID to framework name.
@@ -531,7 +822,7 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
             first_seen=self.scan_date,
             last_seen=self.scan_date,
             scan_date=self.scan_date,
-            asset_identifier=compliance_item.resource_id,
+            asset_identifier=self._get_regscale_asset_identifier(compliance_item),
             vulnerability_type="Policy Compliance Violation",
             rule_id=compliance_item.control_id,
             baseline=compliance_item.framework,
@@ -567,9 +858,8 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
                     assess = self._assessment_by_impl_today.get(impl_id)
                     if assess:
                         finding.assessment_id = assess.id
-                        logger.debug(f"Set finding.assessment_id = {assess.id} for control '{ctrl_norm}'")
-        except Exception as e:
-            logger.debug(f"Error setting finding assessment ID: {e}")
+        except Exception:
+            pass
 
     def create_asset_from_compliance_item(self, compliance_item: ComplianceItem) -> Optional[IntegrationAsset]:
         """
@@ -616,7 +906,7 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
 
             asset = IntegrationAsset(
                 name=compliance_item.resource_name,
-                identifier=compliance_item.resource_id,
+                identifier=f"{compliance_item.resource_name} ({compliance_item.resource_id})",
                 external_id=compliance_item.resource_id,
                 other_tracking_number=compliance_item.resource_id,  # For deduplication
                 asset_type=asset_type,
@@ -640,8 +930,8 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
             return None
 
     def create_scan_history(self):  # type: ignore[override]
-        """Create or reuse scan history using base behavior."""
-        return super().create_scan_history()
+        """No scan history created for compliance report ingest."""
+        return None
 
     def _create_asset_notes(self, compliance_item: WizComplianceItem) -> str:
         """
@@ -741,12 +1031,11 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
         # Try cache first unless forced refresh
         cached_nodes = self._load_assessments_from_cache()
         if cached_nodes is not None:
-            logger.info(f"Using cached Wiz policy assessments ({len(cached_nodes)})")
+            logger.info("Using cached Wiz policy assessments")
             return cached_nodes
 
         # Only include variables supported by the query (avoid validation errors)
         page_size = 100
-        logger.info(f"Using Wiz policy assessments page size (first): {page_size}")
         base_variables = {"first": page_size}
 
         # Try multiple filter key variants to avoid schema differences across tenants
@@ -768,7 +1057,7 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
                     total=1,
                 )
                 results = run_async_queries(
-                    endpoint=self.wiz_endpoint or "https://api.wiz.io/graphql",
+                    endpoint=self.wiz_endpoint or WIZ_URL,
                     headers=headers,
                     query_configs=[
                         {
@@ -863,7 +1152,7 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
                     # If endpoint is not set (tests), short-circuit to async path mock
                     if not self.wiz_endpoint:
                         results = run_async_queries(
-                            endpoint="https://api.wiz.io/graphql",
+                            endpoint=WIZ_URL,
                             headers=headers,
                             query_configs=[
                                 {
@@ -892,7 +1181,6 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
                     )
                 except Exception as exc:  # noqa: BLE001 - propagate last error
                     last_error = exc
-                    logger.debug(f"Filter variant {fv} failed: {exc}")
 
         msg = f"Failed to fetch policy assessments after trying all filter variants: {last_error}"
         logger.error(msg)
@@ -929,9 +1217,7 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
         variant_name = self._variant_name(filter_variant)
         progress.update(
             task,
-            description=(
-                f"[#f68d1f]Fetching Wiz policy assessments (limit: {page_size}, " f"variant: {variant_name})..."
-            ),
+            description=(f"[#f68d1f]Fetching Wiz policy assessments (limit: {page_size}, variant: {variant_name})..."),
             advance=1,
         )
 
@@ -957,7 +1243,8 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
             completed=1,
             total=1,
         )
-        logger.info(f"Successfully fetched {len(filtered_nodes)} policy assessments")
+        logger.info("Successfully fetched Wiz policy assessments")
+
         return filtered_nodes
 
     def _execute_wiz_policy_query_paginated(
@@ -1158,12 +1445,10 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
                     for control_id, ctrl in control_agg.items():
                         jf.write(json.dumps(ctrl, ensure_ascii=False) + "\n")
                 logger.info(f"Policy compliance JSONL written to: {file_path_jsonl}")
-            # Best-effort cleanup to keep artifacts directory tidy
-            self._cleanup_artifacts(artifacts_dir, keep=5)
+            self._cleanup_artifacts(artifacts_dir, keep=CACHE_CLEANUP_KEEP_COUNT)
             return file_path
 
         except Exception as e:
-            logger.error(f"Failed to write policy data to JSON: {str(e)}")
             error_and_exit(f"Failed to write policy data to JSON: {str(e)}")
 
     def _build_control_aggregation(self) -> Dict[str, Dict[str, Any]]:
@@ -1300,7 +1585,7 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
             logger.error(f"Error parsing JSONL {jsonl_path}: {exc}")
         return aggregated
 
-    def _cleanup_artifacts(self, dir_path: str, keep: int = 5) -> None:
+    def _cleanup_artifacts(self, dir_path: str, keep: int = CACHE_CLEANUP_KEEP_COUNT) -> None:
         """
         Keep the most recent JSON and JSONL policy_compliance_report files, delete older ones.
 
@@ -1330,8 +1615,8 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
                     except Exception:
                         # Non-fatal; continue cleanup
                         pass
-        except Exception as e:
-            logger.debug(f"Artifact cleanup skipped: {e}")
+        except Exception:
+            pass
 
     def load_or_create_framework_mapping(self) -> Dict[str, str]:
         """
@@ -1439,7 +1724,6 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
             return nodes
 
         except Exception as e:
-            logger.error(f"Failed to fetch security frameworks: {str(e)}")
             error_and_exit(f"Failed to fetch security frameworks: {str(e)}")
 
     def _create_framework_mapping(self, frameworks: List[Dict[str, Any]]) -> Dict[str, str]:
@@ -1515,6 +1799,45 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
 
         return self.framework_mapping.get(framework_id, framework_id)
 
+    def sync_compliance(self) -> None:
+        """
+        Override base sync_compliance to ensure proper order for controlId/assessmentId assignment.
+
+        CRITICAL: Control assessments MUST be created BEFORE issues are processed
+        to ensure controlId and assessmentId can be properly set.
+        """
+        logger.info(f"Starting {self.title} compliance sync with proper assessment ordering...")
+
+        try:
+            scan_history = self.create_scan_history()
+            self.process_compliance_data()
+
+            # Step 1: Sync assets first
+            self._sync_assets()
+
+            # Step 2: CRITICAL - Pre-populate control implementation cache BEFORE creating assessments
+            logger.info("🔧 Pre-populating control implementation cache for issue processing...")
+            self._populate_control_implementation_cache()
+
+            # Step 3: Create control assessments BEFORE issues (ensures assessmentId is available)
+            logger.info("🔧 Creating control assessments BEFORE issue processing...")
+            self._sync_control_assessments()
+
+            # Step 3.5: CRITICAL - Refresh assessment cache after assessments are created
+            logger.info("🔧 Refreshing assessment cache with newly created assessments...")
+            self._refresh_assessment_cache_after_creation()
+
+            # Step 4: NOW process issues with controlId and assessmentId properly set
+            logger.info("🔧 Processing issues with control and assessment IDs available...")
+            self._sync_issues()
+
+            self._finalize_scan_history(scan_history)
+
+            logger.info(f"Completed {self.title} compliance sync with proper assessment ordering")
+
+        except Exception as e:
+            error_and_exit(f"Error during compliance sync: {e}")
+
     def sync_policy_compliance(self, create_issues: bool = None, update_control_status: bool = None) -> None:
         """
         Main method to sync policy compliance data from Wiz.
@@ -1543,8 +1866,11 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
             if update_control_status is not None:
                 self.update_control_status = update_control_status
 
-            # Step 3: Process and sync using the base class
-            self.process_compliance_data()
+            # Step 3: Sync using the overridden method (which ensures proper ordering)
+            logger.info(
+                f"🔧 Sync parameters: create_issues={self.create_issues}, update_control_status={self.update_control_status}"
+            )
+
             self.sync_compliance()
 
             # Step 4: Write data to JSON file for reference (post-processing)
@@ -1554,7 +1880,6 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
             logger.info("Policy compliance sync completed successfully")
 
         except Exception as e:
-            logger.error(f"Policy compliance sync failed: {str(e)}")
             error_and_exit(f"Policy compliance sync failed: {str(e)}")
 
     def sync_wiz_compliance(self) -> None:
@@ -1587,180 +1912,1054 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
         finding: IntegrationFinding,
     ) -> regscale_models.Issue:
         """
-        Create/update the issue, then set it as a child of the asset and attach affected controls and remediation.
+        Create/update the issue with ALL fields set BEFORE saving.
+
+        This method ensures proper data flow:
+        1. Check for existing issues to prevent duplicates
+        2. Pre-populate compliance fields on the finding
+        3. Use parent class logic which saves with all fields set
 
-        - Parent the issue to the asset (parentId=asset.id, parentModule='assets')
-        - Populate affectedControls with all failed control IDs for the asset
-        - Ensure remediationDescription contains Wiz remediationInstructions
+        This fixes the duplicate issue creation problem by using proper
+        duplicate detection and avoids double-saving.
         """
-        # Defer to base to handle dedupe and asset identifier consolidation (newline-delimited)
-        # The base class will now automatically handle finding.assessment_id -> issue.assessmentId
-        issue = super().create_or_update_issue_from_finding(title, finding)
+        # Load cache if not already loaded for duplicate detection
+        self._load_existing_records_cache()
 
-        # Post-processing for compliance-specific fields
-        try:
-            self._update_issue_affected_controls(issue, finding)
-            issue.assetIdentifier = self._compute_consolidated_asset_identifier(issue, finding)
-            self._set_control_and_assessment_ids(issue, finding)
-            if getattr(self, "create_poams", False):
-                issue.isPoam = True
-            self._reparent_issue_to_asset(issue, finding)
-            issue.save(bulk=True)
-        except Exception as e:
-            logger.error(f"Error in post-issue processing: {e}")
-            import traceback
+        # CRITICAL: Pre-populate compliance fields on the finding BEFORE parent call
+        # This ensures the parent class saves the issue with all fields already set
+        self._populate_compliance_fields_on_finding(finding)
 
-            logger.debug(traceback.format_exc())
+        # CRITICAL FIX: If assessment_id is set, prepare the finding for assessment parenting
+        if hasattr(finding, "assessment_id") and finding.assessment_id:
+            assessment_id = finding.assessment_id
+            logger.debug(f"🔄 PRE-SETTING ASSESSMENT PARENT: assessmentId={assessment_id}")
 
-        return issue
+            # Add parent override fields to the finding for the ScannerIntegration to use
+            finding._override_parent_id = assessment_id
+            finding._override_parent_module = "assessments"
 
-    # -------- Helpers to reduce complexity --------
-    def _update_issue_affected_controls(self, issue: regscale_models.Issue, finding: IntegrationFinding) -> None:
+            logger.debug(f"   ✅ Finding will use parent: assessments #{assessment_id}")
+
+        # Check for existing issue by external_id first
+        external_id = finding.external_id
+        existing_issue = self._find_existing_issue_cached(external_id)
+
+        if existing_issue:
+            return self._update_existing_issue_with_compliance_fields(existing_issue, title, finding)
+        else:
+            # Set finding context for our override method to access
+            self._current_finding_context = finding
+            try:
+                # Parent class will now create/save the issue with compliance fields already set
+                return super().create_or_update_issue_from_finding(title, finding)
+            finally:
+                # Clean up context
+                if hasattr(self, "_current_finding_context"):
+                    delattr(self, "_current_finding_context")
+
+    def _update_existing_issue_with_compliance_fields(
+        self, existing_issue: regscale_models.Issue, title: str, finding: IntegrationFinding
+    ) -> regscale_models.Issue:
         """
-        Update the affected controls field on an issue from a finding.
+        Update existing issue with basic fields and enhance with compliance-specific fields.
 
-        :param regscale_models.Issue issue: Issue to update
-        :param IntegrationFinding finding: Finding with control information
-        :return: None
-        :rtype: None
+        :param existing_issue: The existing issue to update
+        :param title: New issue title
+        :param finding: Finding with updated data
+        :return: Updated issue with all fields set
+        """
+
+        # Update basic fields (similar to parent class logic)
+        existing_issue.title = title
+        existing_issue.description = finding.description
+        existing_issue.severity = finding.severity
+        existing_issue.status = finding.status
+        existing_issue.dateLastUpdated = self.scan_date
+
+        # Set control-related field
+        if getattr(finding, "control_labels", None):
+            existing_issue.affectedControls = ",".join(finding.control_labels)
+        elif getattr(finding, "affected_controls", None):
+            existing_issue.affectedControls = finding.affected_controls
+
+        # Enhance with compliance-specific fields
+        self._enhance_issue_with_compliance_fields(existing_issue, finding)
+
+        # CRITICAL FIX: Handle assessment parenting for existing issues too
+        if hasattr(finding, "assessment_id") and finding.assessment_id:
+            assessment_id = finding.assessment_id
+
+            # Set assessment as the parent
+            existing_issue.parentId = assessment_id
+            existing_issue.parentModule = "assessments"
+            existing_issue.assessmentId = assessment_id
+
+        existing_issue.save()
+
+        return existing_issue
+
+    def _create_or_update_issue(
+        self,
+        finding: IntegrationFinding,
+        issue_status,
+        title: str,
+        existing_issue=None,
+    ):
+        """
+        Override parent method to handle assessment parenting correctly.
+
+        CRITICAL FIX: Check if the finding has assessment parent overrides and apply them.
         """
-        if getattr(finding, "affected_controls", None):
+        # Get consolidated asset identifier
+        asset_identifier = self.get_consolidated_asset_identifier(finding, existing_issue)
+
+        # Prepare issue data
+        issue_title = self.get_issue_title(finding) or title
+        description = finding.description or ""
+        remediation_description = finding.recommendation_for_mitigation or finding.remediation or ""
+        is_poam = self.is_poam(finding)
+
+        if existing_issue:
+            logger.debug(
+                "Updating existing issue %s with assetIdentifier %s", existing_issue.id, finding.asset_identifier
+            )
+
+        # If we have an existing issue, update its fields instead of creating a new one
+        issue = existing_issue or regscale_models.Issue()
+
+        # CRITICAL FIX: Check for parent overrides from the finding
+        if hasattr(finding, "_override_parent_id") and hasattr(finding, "_override_parent_module"):
+            parent_id = finding._override_parent_id
+            parent_module = finding._override_parent_module
+            logger.debug(f"🔄 USING OVERRIDE PARENT: {parent_module} #{parent_id}")
+        else:
+            parent_id = self.plan_id
+            parent_module = self.parent_module
+
+        # Update all fields (copying from ScannerIntegration but with override parent)
+        issue.parentId = parent_id
+        issue.parentModule = parent_module
+        issue.vulnerabilityId = finding.vulnerability_id
+        issue.title = issue_title
+        issue.dateCreated = finding.date_created
+        issue.status = issue_status
+        issue.dateCompleted = (
+            self.get_date_completed(finding, issue_status)
+            if issue_status == regscale_models.IssueStatus.Closed
+            else None
+        )
+        issue.severityLevel = finding.severity
+        issue.issueOwnerId = self.assessor_id
+        issue.securityPlanId = self.plan_id if not self.is_component else None
+        issue.identification = finding.identification
+        issue.dateFirstDetected = finding.first_seen
+
+        # Ensure a due date is always set using configured policy defaults (e.g., FedRAMP)
+        if not finding.due_date:
+            try:
+                base_created = finding.date_created or issue.dateCreated
+                finding.due_date = issue_due_date(
+                    severity=finding.severity,
+                    created_date=base_created,
+                    title=self.title,
+                )
+            except Exception:
+                # Final fallback to a Low severity default if anything goes wrong
+                base_created = finding.date_created or issue.dateCreated
+                finding.due_date = issue_due_date(
+                    severity=regscale_models.IssueSeverity.Low,
+                    created_date=base_created,
+                    title=self.title,
+                )
+        issue.dueDate = finding.due_date
+        issue.description = description
+        issue.sourceReport = finding.source_report or self.title
+        issue.recommendedActions = finding.recommendation_for_mitigation
+        issue.assetIdentifier = asset_identifier
+        issue.securityChecks = finding.security_check or finding.external_id
+        issue.remediationDescription = remediation_description
+        issue.integrationFindingId = self.get_finding_identifier(finding)
+        issue.poamComments = finding.poam_comments
+        issue.cve = finding.cve
+
+        # CRITICAL: Set assessmentId (this is the key fix)
+        issue.assessmentId = finding.assessment_id
+        logger.debug(f"✅ SETTING assessmentId = {finding.assessment_id} with parent = {parent_module} #{parent_id}")
+
+        control_id = self.get_control_implementation_id_for_cci(finding.cci_ref) if finding.cci_ref else None
+        issue.controlId = control_id
+
+        # Add the control implementation ids and the cci ref if it exists
+        cci_control_ids = [control_id] if control_id is not None else []
+        if finding.affected_controls:
             issue.affectedControls = finding.affected_controls
-        elif getattr(finding, "control_labels", None):
-            issue.affectedControls = ",".join(finding.control_labels)
+        elif finding.control_labels:
+            issue.affectedControls = ", ".join(sorted({cl for cl in finding.control_labels if cl}))
+
+        issue.controlImplementationIds = list(set(finding._control_implementation_ids + cci_control_ids))  # noqa
+        issue.isPoam = is_poam
+        issue.basisForAdjustment = (
+            finding.basis_for_adjustment if finding.basis_for_adjustment else f"{self.title} import"
+        )
+        issue.pluginId = finding.plugin_id
+        issue.originalRiskRating = regscale_models.Issue.assign_risk_rating(finding.severity)
+        issue.changes = "<p>Current: {}</p><p>Planned: {}</p>".format(
+            finding.milestone_changes, finding.planned_milestone_changes
+        )
+        issue.adjustedRiskRating = finding.adjusted_risk_rating
+        issue.riskAdjustment = finding.risk_adjustment
+        issue.operationalRequirement = finding.operational_requirements
+        issue.deviationRationale = finding.deviation_rationale
+        issue.dateLastUpdated = get_current_datetime()
+        issue.affectedControls = finding.affected_controls
+
+        if finding.cve:
+            issue = self.lookup_kev_and_update_issue(cve=finding.cve, issue=issue, cisa_kevs=self._kev_data)
+
+        if existing_issue:
+            logger.debug(f"💾 Saving existing issue {issue.id} with assessmentId={issue.assessmentId}")
+            issue.save(bulk=True)
+        else:
+            logger.info(f"💾 Creating new issue with assessmentId={issue.assessmentId}")
+            issue = issue.create_or_update(
+                bulk_update=True, defaults={"otherIdentifier": self._get_other_identifier(finding, is_poam)}
+            )
+            self.extra_data_to_properties(finding, issue.id)
+
+        self._handle_property_and_milestone_creation(issue, finding, existing_issue)
+        return issue
 
-    def _compute_consolidated_asset_identifier(self, issue: regscale_models.Issue, finding: IntegrationFinding) -> str:
+    def _populate_compliance_fields_on_finding(self, finding: IntegrationFinding) -> None:
         """
-        Compute a consolidated asset identifier list for an issue.
+        Pre-populate compliance-specific fields on the finding before issue creation.
 
-        Aggregates all affected asset identifiers for the same control into a newline-delimited string.
+        This ensures controlId and assessmentId are set on the finding object
+        so the parent class can save the issue with all fields in one operation.
 
-        :param regscale_models.Issue issue: Issue to consolidate identifiers for
-        :param IntegrationFinding finding: Finding with asset information
-        :return: Newline-delimited string of asset identifiers
-        :rtype: str
+        The parent class expects:
+        - finding.assessment_id -> issue.assessmentId
+        - finding.cci_ref -> calls get_control_implementation_id_for_cci() -> issue.controlId
+
+        :param finding: Finding to populate with compliance fields
         """
-        delimiter = "\n"
-        identifiers: set[str] = set()
-        # Collect identifiers from all failed items matching this control
         try:
-            normalized_rule = self._normalize_control_id_string(finding.rule_id)
-            for item in self.failed_compliance_items:
-                try:
-                    item_ctrl = self._normalize_control_id_string(getattr(item, "control_id", None))
-                    res_id = getattr(item, "resource_id", None)
-                    if normalized_rule and item_ctrl == normalized_rule and res_id:
-                        identifiers.add(res_id)
-                except Exception:
-                    continue
+            # Set compliance fields on the finding itself before issue creation
+            if hasattr(finding, "rule_id") and finding.rule_id:
+                control_id = self._normalize_control_id_string(finding.rule_id)
+                if control_id:
+
+                    # Get control implementation ID
+                    impl_id = self._issue_field_setter._get_or_find_implementation_id(control_id)
+                    if impl_id:
+                        # Store the control ID as cci_ref so parent class calls our override method
+                        finding.cci_ref = control_id
+                        # Cache the implementation ID for our override method
+                        finding._wiz_control_implementation_id = impl_id
+
+                        # Get assessment ID and set it on the finding (parent class uses this directly)
+                        assess_id = self._issue_field_setter._get_or_find_assessment_id(impl_id)
+                        if assess_id:
+                            finding.assessment_id = assess_id
         except Exception:
             pass
-        # Merge with existing identifiers and current finding
-        if issue.assetIdentifier:
-            identifiers |= {e for e in (issue.assetIdentifier or "").split(delimiter) if e}
-        if finding.asset_identifier:
-            identifiers.add(finding.asset_identifier)
-        return delimiter.join(sorted(identifiers))
 
-    def _set_control_and_assessment_ids(self, issue: regscale_models.Issue, finding: IntegrationFinding) -> None:
+    def _enhance_issue_with_compliance_fields(self, issue: regscale_models.Issue, finding: IntegrationFinding) -> None:
         """
-        Set control implementation and assessment IDs on an issue.
+        Enhance an issue with compliance-specific fields (controlId and assessmentId).
 
-        :param regscale_models.Issue issue: Issue to update
-        :param IntegrationFinding finding: Finding with control information
-        :return: None
-        :rtype: None
+        NOTE: This method is now primarily for the existing issue update path.
+        New issues should have fields set via _populate_compliance_fields_on_finding.
+
+        :param issue: Issue object to enhance
+        :param finding: Finding with control data
         """
         try:
-            ctrl_norm = self._normalize_control_id_string(finding.rule_id)
-            impl_id = None
-            if ctrl_norm and hasattr(self, "_impl_id_by_control"):
-                impl_id = self._impl_id_by_control.get(ctrl_norm)
-            if impl_id:
-                issue.controlId = impl_id
-            assess_id = getattr(finding, "assessment_id", None)
-            if not assess_id and impl_id and hasattr(self, "_assessment_by_impl_today"):
-                assess = self._assessment_by_impl_today.get(impl_id)
-                assess_id = assess.id if assess else None
-            if assess_id:
-                issue.assessmentId = assess_id
+            # Set control implementation and assessment IDs using our field setter
+            if hasattr(finding, "rule_id") and finding.rule_id:
+                control_id = self._normalize_control_id_string(finding.rule_id)
+                if control_id:
+                    result = self._issue_field_setter.set_control_and_assessment_ids(issue, control_id)
+                    if not result.success:
+                        logger.warning(f"Failed to set compliance fields for '{control_id}': {result.error_message}")
         except Exception:
             pass
 
-    def _reparent_issue_to_asset(self, issue: regscale_models.Issue, finding: IntegrationFinding) -> None:
+    def get_control_implementation_id_for_cci(self, cci: Optional[str]) -> Optional[int]:
+        """
+        Override parent method to return control implementation ID for Wiz control IDs.
+
+        The parent class calls this method when finding.cci_ref is set, and uses the
+        returned value to set issue.controlId. We store our control implementation
+        ID on the finding and return it here.
+
+        :param cci: Control identifier (e.g., 'AC-2(1)') stored in finding.cci_ref
+        :return: Control implementation ID if found, None otherwise
         """
-        Reparent an issue to be a child of its associated asset.
+        # Check if this is a call with our cached implementation ID on the current finding
+        if hasattr(self, "_current_finding_context"):
+            finding = self._current_finding_context
+            if (
+                hasattr(finding, "_wiz_control_implementation_id")
+                and hasattr(finding, "cci_ref")
+                and finding.cci_ref == cci
+            ):
+                impl_id = finding._wiz_control_implementation_id
+                return impl_id
+
+        # Fallback: try to look it up directly (for edge cases)
+        if cci:
+            control_id = self._normalize_control_id_string(cci)
+            if control_id:
+                impl_id = self._issue_field_setter._get_or_find_implementation_id(control_id)
+                if impl_id:
+                    return impl_id
+
+        # Final fallback to parent class behavior
+        return super().get_control_implementation_id_for_cci(cci)
+
+    def _populate_control_implementation_cache(self) -> None:
+        """
+        Pre-populate the control implementation and assessment caches.
+
+        CRITICAL: This ensures controlId and assessmentId can be reliably set on issues.
+        This method loads control implementations and their associated assessments into
+        cache to enable fast lookups during issue processing.
 
-        :param regscale_models.Issue issue: Issue to reparent
-        :param IntegrationFinding finding: Finding with asset identifier
         :return: None
         :rtype: None
         """
         try:
-            asset = self.get_asset_by_identifier(finding.asset_identifier)
-            if not asset:
-                asset = self._ensure_asset_for_finding(finding)
-            if asset and getattr(asset, "id", None):
-                issue.parentId = asset.id
-                issue.parentModule = "assets"
-        except Exception:
-            # If asset lookup fails, keep existing parent
-            pass
+            from regscale.models import regscale_models
 
-    def _update_scan_history(self, scan_history: regscale_models.ScanHistory) -> None:
+            logger.info("🔍 Pre-populating control implementation cache for issue processing...")
+
+            # Get all control implementations for this plan
+            implementations = regscale_models.ControlImplementation.get_all_by_parent(
+                parent_id=self.plan_id, parent_module=self.parent_module
+            )
+
+            if not implementations:
+                logger.warning("No control implementations found for this plan")
+                return
+
+            logger.info(f"Found {len(implementations)} control implementations to cache")
+
+            # Cache SecurityControl lookups to avoid repeated API calls
+            security_control_cache = {}
+            controls_mapped = 0
+            assessments_mapped = 0
+
+            for impl in implementations:
+                try:
+                    # Skip if no controlID reference
+                    if not hasattr(impl, "controlID") or not impl.controlID:
+                        continue
+
+                    # Get or cache the security control
+                    if impl.controlID not in security_control_cache:
+                        security_control = regscale_models.SecurityControl.get_object(object_id=impl.controlID)
+                        security_control_cache[impl.controlID] = security_control
+                    else:
+                        security_control = security_control_cache[impl.controlID]
+
+                    if security_control and hasattr(security_control, "controlId"):
+                        # Normalize and cache the control ID mapping
+                        normalized_id = self._normalize_control_id_string(security_control.controlId)
+                        if normalized_id:
+                            self._impl_id_by_control[normalized_id] = impl.id
+                            controls_mapped += 1
+
+                            # Also try to cache the most recent assessment
+                            try:
+                                assessments = regscale_models.Assessment.get_all_by_parent(
+                                    parent_id=impl.id, parent_module="controls"
+                                )
+                                if assessments:
+                                    # Get the most recent assessment
+                                    assessments.sort(key=lambda a: a.id if hasattr(a, "id") else 0, reverse=True)
+                                    self._assessment_by_impl_today[impl.id] = assessments[0]
+                                    assessments_mapped += 1
+                            except Exception:
+                                pass
+
+                except Exception:
+                    continue
+
+            logger.info("✓ Control implementation cache populated:")
+            logger.info(f"  - {controls_mapped} control ID mappings")
+            logger.info(f"  - {assessments_mapped} assessment mappings")
+
+        except Exception as e:
+            logger.error(f"Error populating control implementation cache: {e}")
+
+    def _refresh_assessment_cache_after_creation(self) -> None:
         """
-        Update scan history with severity breakdown of deduped compliance issues.
+        Refresh the assessment cache after control assessments have been created.
+
+        CRITICAL: This ensures that newly created assessments from the sync_control_assessments
+        step are available when processing issues. Without this, assessmentId will not be set
+        on issues because the cache only contains old assessments.
 
-        :param regscale_models.ScanHistory scan_history: Scan history record
+        :return: None
+        :rtype: None
         """
         try:
-            from regscale.core.app.utils.app_utils import get_current_datetime
+            from regscale.models import regscale_models
+            from datetime import datetime
+
+            logger.info("🔄 Refreshing assessment cache with newly created assessments...")
 
-            # Deduped pairs of (resource, canonical control)
-            seen_pairs: set[tuple[str, str]] = set()
-            severity_counts = {"Critical": 0, "High": 0, "Moderate": 0, "Low": 0}
+            refreshed_count = 0
+            today = datetime.now().date()
 
-            for it in self.failed_compliance_items:
+            # Only refresh assessments for implementations we know about
+            for control_id, impl_id in self._impl_id_by_control.items():
                 try:
-                    rid = (getattr(it, "resource_id", "") or "").lower()
-                    ctrl_norm = self._normalize_control_id_string(getattr(it, "control_id", "")) or ""
-                    if not rid or not ctrl_norm:
+                    # Get all assessments for this implementation
+                    assessments = regscale_models.Assessment.get_all_by_parent(
+                        parent_id=impl_id, parent_module="controls"
+                    )
+
+                    if not assessments:
                         continue
-                    key = (rid, ctrl_norm)
-                    if key in seen_pairs:
+
+                    # Find today's assessment (most recent created today)
+                    today_assessments = []
+                    for assessment in assessments:
+                        assessment_date = None
+                        try:
+                            # Try to get assessment date from various fields
+                            date_fields = ["actualFinish", "plannedFinish", "dateCreated"]
+                            for field in date_fields:
+                                if hasattr(assessment, field) and getattr(assessment, field):
+                                    date_value = getattr(assessment, field)
+                                    if isinstance(date_value, str):
+                                        from regscale.core.app.utils.app_utils import regscale_string_to_datetime
+
+                                        assessment_date = regscale_string_to_datetime(date_value).date()
+                                    elif hasattr(date_value, "date"):
+                                        assessment_date = date_value.date()
+                                    else:
+                                        assessment_date = date_value
+                                    break
+
+                            if assessment_date == today:
+                                today_assessments.append(assessment)
+                        except Exception:
+                            continue
+
+                    # Use most recent today's assessment, or fallback to most recent overall
+                    if today_assessments:
+                        best_assessment = max(today_assessments, key=lambda a: getattr(a, "id", 0))
+                    else:
+                        best_assessment = max(assessments, key=lambda a: getattr(a, "id", 0))
+
+                    # Update the cache
+                    self._assessment_by_impl_today[impl_id] = best_assessment
+                    refreshed_count += 1
+
+                except Exception:
+                    continue
+
+            logger.info(f"✓ Assessment cache refreshed: {refreshed_count} assessments updated")
+
+        except Exception as e:
+            logger.error(f"Error refreshing assessment cache: {e}")
+
+    def _find_control_implementation_id(self, control_id: str) -> Optional[int]:
+        """
+        Find control implementation ID by querying the database directly.
+        OPTIMIZED: Uses controlID field directly and caches SecurityControl lookups.
+
+        :param str control_id: Normalized control ID (e.g., 'AC-2(1)')
+        :return: Control implementation ID if found
+        :rtype: Optional[int]
+        """
+        try:
+            from regscale.models import regscale_models
+
+            # First check cache
+            if hasattr(self, "_impl_id_by_control") and control_id in self._impl_id_by_control:
+                cached_id = self._impl_id_by_control[control_id]
+                return cached_id
+
+            # Get all control implementations for this plan
+            implementations = regscale_models.ControlImplementation.get_all_by_parent(
+                parent_id=self.plan_id, parent_module=self.parent_module
+            )
+
+            # Create a cache for SecurityControl lookups to avoid repeated API calls
+            security_control_cache = {}
+
+            for impl in implementations:
+                try:
+                    # Use controlID field which references the SecurityControl
+                    if not hasattr(impl, "controlID") or not impl.controlID:
                         continue
-                    seen_pairs.add(key)
-
-                    sev = self._map_severity(getattr(it, "severity", None))
-                    if sev == regscale_models.IssueSeverity.Critical:
-                        severity_counts["Critical"] += 1
-                    elif sev == regscale_models.IssueSeverity.High:
-                        severity_counts["High"] += 1
-                    elif sev == regscale_models.IssueSeverity.Moderate:
-                        severity_counts["Moderate"] += 1
+
+                    # Check if we've already looked up this security control
+                    if impl.controlID not in security_control_cache:
+                        security_control = regscale_models.SecurityControl.get_object(object_id=impl.controlID)
+                        security_control_cache[impl.controlID] = security_control
                     else:
-                        severity_counts["Low"] += 1
+                        security_control = security_control_cache[impl.controlID]
+
+                    if security_control and hasattr(security_control, "controlId"):
+                        impl_control_id = self._normalize_control_id_string(security_control.controlId)
+
+                        if impl_control_id == control_id:
+                            logger.info(f"✓ Found control implementation {impl.id} for control {control_id}")
+                            # Cache it for future lookups
+                            if not hasattr(self, "_impl_id_by_control"):
+                                self._impl_id_by_control = {}
+                            self._impl_id_by_control[control_id] = impl.id
+                            return impl.id
                 except Exception:
                     continue
 
-            scan_history.vCritical = severity_counts["Critical"]
-            scan_history.vHigh = severity_counts["High"]
-            scan_history.vMedium = severity_counts["Moderate"]
-            scan_history.vLow = severity_counts["Low"]
-            scan_history.vInfo = 0
+            logger.warning(
+                f"⚠️ No control implementation found for control {control_id} among {len(implementations)} implementations"
+            )
+            return None
+        except Exception as e:
+            logger.error(f"Error finding control implementation for {control_id}: {e}")
+            return None
+
+    def _find_assessment_id_for_implementation(self, implementation_id: int) -> Optional[int]:
+        """
+        Find the most recent assessment ID for a control implementation.
+        IMPROVED: Better date handling and caching.
+
+        :param int implementation_id: Control implementation ID
+        :return: Assessment ID if found
+        :rtype: Optional[int]
+        """
+        try:
+            from regscale.models import regscale_models
+            from datetime import datetime
+            from regscale.core.app.utils.app_utils import regscale_string_to_datetime
+
+            # Check cache first
+            if hasattr(self, "_assessment_by_impl_today") and implementation_id in self._assessment_by_impl_today:
+                cached_assessment = self._assessment_by_impl_today[implementation_id]
+                if cached_assessment and hasattr(cached_assessment, "id"):
+                    logger.debug(
+                        f"Found cached assessment {cached_assessment.id} for implementation {implementation_id}"
+                    )
+                    return cached_assessment.id
+
+            # Get assessments for this control implementation
+            assessments = regscale_models.Assessment.get_all_by_parent(
+                parent_id=implementation_id, parent_module="controls"
+            )
+
+            if not assessments:
+                logger.warning(f"No assessments found for control implementation {implementation_id}")
+                return None
+
+            # Find the most recent assessment (preferably from today)
+            today = datetime.now().date()
+            today_assessments = []
+            recent_assessments = []
+
+            for assessment in assessments:
+                try:
+                    assessment_date = None
+
+                    # Try multiple date fields in order of preference
+                    date_fields = ["plannedStart", "actualFinish", "plannedFinish", "dateCreated"]
+                    for field in date_fields:
+                        if hasattr(assessment, field) and getattr(assessment, field):
+                            date_value = getattr(assessment, field)
+                            if isinstance(date_value, str):
+                                assessment_date = regscale_string_to_datetime(date_value).date()
+                            elif hasattr(date_value, "date"):
+                                assessment_date = date_value.date()
+                            else:
+                                assessment_date = date_value
+                            break
+
+                    if assessment_date:
+                        if assessment_date == today:
+                            today_assessments.append(assessment)
+                        else:
+                            recent_assessments.append((assessment, assessment_date))
+                    else:
+                        # Assessment with no parseable date
+                        recent_assessments.append((assessment, None))
+                except Exception:
+                    recent_assessments.append((assessment, None))
+
+            # Prefer today's assessments
+            if today_assessments:
+                # Sort by ID (highest/newest first) if multiple today
+                today_assessments.sort(key=lambda a: a.id if hasattr(a, "id") else 0, reverse=True)
+                assessment = today_assessments[0]
+                logger.info(
+                    f"✓ Found today's assessment {assessment.id} for control implementation {implementation_id}"
+                )
+                # Cache it for future lookups
+                if not hasattr(self, "_assessment_by_impl_today"):
+                    self._assessment_by_impl_today = {}
+                self._assessment_by_impl_today[implementation_id] = assessment
+                return assessment.id
+
+            # Fall back to most recent assessment
+            if recent_assessments:
+                # Sort by date (newest first), handling None dates
+                recent_assessments.sort(
+                    key=lambda x: (x[1] if x[1] else datetime.min.date(), x[0].id if hasattr(x[0], "id") else 0),
+                    reverse=True,
+                )
+                assessment = recent_assessments[0][0]
+                logger.info(f"✓ Found recent assessment {assessment.id} for control implementation {implementation_id}")
+                # Cache it even if not today's
+                if not hasattr(self, "_assessment_by_impl_today"):
+                    self._assessment_by_impl_today = {}
+                self._assessment_by_impl_today[implementation_id] = assessment
+                return assessment.id
+
+            logger.warning(f"⚠️ No usable assessments found for control implementation {implementation_id}")
+            return None
+        except Exception as e:
+            logger.error(f"Error finding assessment for control implementation {implementation_id}: {e}")
+            return None
+
+    def _reparent_issue_to_asset(self, issue: regscale_models.Issue) -> None:
+        """
+        Reparent issue to the control implementation instead of the security plan.
+        This ensures issues are properly associated with their control implementations.
+
+        :param regscale_models.Issue issue: Issue to reparent to control implementation
+        :param IntegrationFinding finding: Finding with control information
+        :return: None
+        :rtype: None
+        """
+        # If we have a control implementation ID, parent the issue to it
+        if issue.controlId:
+            issue.parentId = issue.controlId
+            issue.parentModule = "controls"
+        else:
+            # Fall back to security plan if no control implementation found
+            pass
+
+    def _update_scan_history(self, scan_history: regscale_models.ScanHistory) -> None:
+        """
+        No scan history updates for compliance report ingest.
+
+        :param regscale_models.ScanHistory scan_history: Scan history record (unused)
+        """
+        # No scan history for compliance report ingest
+        pass
+
+    def _process_control_assessments(self) -> None:
+        """
+        Process control assessments only for controls that have validated compliance items
+        with existing assets in RegScale. This ensures we don't create assessments for
+        controls that have no assets in our boundary.
+        """
+        logger.info("🎯 Starting control assessment processing for Wiz compliance integration")
+
+        # Ensure existing records cache is loaded
+        self._load_existing_records_cache()
+
+        implementations = self._get_control_implementations()
+        if not implementations:
+            logger.warning("No control implementations found for assessment processing")
+            return
+
+        # Get all potential control IDs from compliance data
+        all_potential_controls = set(self.passing_controls.keys()) | set(self.failing_controls.keys())
+        logger.debug(
+            f"Found {len(all_potential_controls)} potential controls from compliance data: {sorted(all_potential_controls)}"
+        )
+
+        # Validate each control has actual assets in our boundary before processing
+        validated_controls_with_assets = {}
+        validated_passing_controls = {}
+        validated_failing_controls = {}
 
-            scan_history.dateLastUpdated = get_current_datetime()
-            scan_history.save()
+        for control_id in all_potential_controls:
+            # Get all compliance items for this control
+            control_items = self._get_validated_control_compliance_items(control_id)
+
+            if not control_items:
+                continue
+
+            # Check if we have any assets for the compliance items
+            asset_identifiers = set()
+            assets_found = 0
+
+            for item in control_items:
+                if hasattr(item, "resource_name") and item.resource_name:
+                    resource_id = getattr(item, "resource_id", "")
+                    # Verify the asset actually exists in RegScale
+                    if self._asset_exists_in_regscale(resource_id):
+                        asset_identifiers.add(item.resource_name)
+                        assets_found += 1
+                    else:
+                        logger.debug(
+                            f"Control {control_id}: Asset {resource_id} ({item.resource_name}) not found in RegScale"
+                        )
+            logger.debug(f"Found {assets_found} valid assets for control {control_id}")
+            if not asset_identifiers:
+                continue
+
+            # This control has valid assets, include it in processing
+            validated_controls_with_assets[control_id] = list(asset_identifiers)
+
+            # Preserve the pass/fail status for validated controls
+            if control_id in self.failing_controls:
+                validated_failing_controls[control_id] = self.failing_controls[control_id]
+            elif control_id in self.passing_controls:
+                validated_passing_controls[control_id] = self.passing_controls[control_id]
+
+        if not validated_controls_with_assets:
+            logger.warning("❌ No controls have assets in RegScale boundary - no control assessments will be created")
+            logger.info("📊 SUMMARY: 0 control assessments created (no assets exist in RegScale)")
+            return
+
+        assessments_created = 0
+        processed_impl_today: set[int] = set()
+
+        # Only process validated controls that have assets in our boundary
+        for control_id in validated_controls_with_assets.keys():
+            created = self._process_single_control_assessment(
+                control_id=control_id,
+                implementations=implementations,
+                processed_impl_today=processed_impl_today,
+            )
+            assessments_created += created
+
+        # Calculate stats only for validated controls
+        validated_control_ids = set(validated_controls_with_assets.keys())
+        passing_assessments = len([cid for cid in validated_control_ids if cid not in validated_failing_controls])
+        failing_assessments = len([cid for cid in validated_control_ids if cid in validated_failing_controls])
+
+        if assessments_created > 0:
             logger.info(
-                "Updated scan history %s (Critical: %s, High: %s, Medium: %s, Low: %s)",
-                getattr(scan_history, "id", 0),
-                severity_counts["Critical"],
-                severity_counts["High"],
-                severity_counts["Moderate"],
-                severity_counts["Low"],
+                f"✅ Created {assessments_created} control assessments: {passing_assessments} passing, {failing_assessments} failing"
             )
+        else:
+            logger.warning(
+                f"⚠️  No control assessments were actually created (0 assessments) despite finding {len(validated_controls_with_assets)} controls with assets"
+            )
+
+        logger.info(
+            f"📊 CONTROL ASSESSMENT SUMMARY: {assessments_created} assessments created for {len(validated_controls_with_assets)} validated controls"
+        )
+
+    def _sync_assessment_cache_from_base_class(self) -> None:
+        """
+        Sync assessments from base class cache to our control cache.
+
+        This ensures that assessments created by the base class ComplianceIntegration
+        are available to our IssueFieldSetter for linking issues to assessments.
+        """
+        try:
+            # Copy assessments from base class cache to our cache
+            base_cache = getattr(self, "_assessment_by_impl_today", {})
+            synced_count = 0
+
+            for impl_id, assessment in base_cache.items():
+                self._control_cache.set_assessment(impl_id, assessment)
+                synced_count += 1
+
+            logger.info(f"✅ Synced {synced_count} assessments from base class cache to control cache")
+
+        except Exception as e:
+            logger.warning(f"⚠️ Failed to sync assessment cache: {e}")
+
+    def _get_validated_control_compliance_items(self, control_id: str) -> List[ComplianceItem]:
+        """
+        Get validated compliance items for a specific control.
+        Only returns items that have existing assets in RegScale boundary.
+
+        :param str control_id: Control identifier to filter by
+        :return: List of validated compliance items for the control
+        :rtype: List[ComplianceItem]
+        """
+        validated_items: List[ComplianceItem] = []
+
+        for item in self.all_compliance_items:
+            # Check if this item matches the control
+            matches_control = False
+            if hasattr(item, "control_ids"):
+                item_control_ids = getattr(item, "control_ids", [])
+                if any(cid.lower() == control_id.lower() for cid in item_control_ids):
+                    matches_control = True
+            elif hasattr(item, "control_id") and item.control_id.lower() == control_id.lower():
+                matches_control = True
+
+            if not matches_control:
+                continue
+
+            # Additional validation: ensure the asset exists in RegScale
+            resource_id = getattr(item, "resource_id", "")
+            if resource_id and self._asset_exists_in_regscale(resource_id):
+                validated_items.append(item)
+            else:
+                logger.debug(
+                    f"Filtered out compliance item for control {control_id} - asset {resource_id} not in RegScale"
+                )
+
+        return validated_items
+
+    def _get_control_compliance_items(self, control_id: str) -> List[ComplianceItem]:
+        """
+        Get all compliance items for a specific control.
+        All items have already been filtered to framework-specific items with existing assets.
+
+        :param str control_id: Control identifier to filter by
+        :return: List of compliance items for the control
+        :rtype: List[ComplianceItem]
+        """
+        items: List[ComplianceItem] = []
+
+        for item in self.all_compliance_items:
+            # Check if this item matches the control
+            matches_control = False
+            if hasattr(item, "control_ids"):
+                item_control_ids = getattr(item, "control_ids", [])
+                if any(cid.lower() == control_id.lower() for cid in item_control_ids):
+                    matches_control = True
+            elif hasattr(item, "control_id") and item.control_id.lower() == control_id.lower():
+                matches_control = True
+
+            if matches_control:
+                items.append(item)
+
+        return items
+
+    # flake8: noqa: C901
+    def get_asset_by_identifier(self, identifier: str) -> Optional["regscale_models.Asset"]:
+        """
+        Override asset lookup for Wiz policy compliance integration.
+
+        For policy compliance, the identifier should be the Wiz resource ID.
+        We'll try multiple lookup strategies to find the corresponding RegScale asset.
+
+        :param str identifier: Asset identifier (should be Wiz resource ID)
+        :return: Asset if found, None otherwise
+        :rtype: Optional[regscale_models.Asset]
+        """
+
+        # First try the standard lookup by identifier (uses asset_map_by_identifier)
+        asset = super().get_asset_by_identifier(identifier)
+        if asset:
+            return asset
+
+        # If not found, try to find using our cached RegScale assets by Wiz ID
+        try:
+            if hasattr(self, "_regscale_assets_by_wiz_id") and self._regscale_assets_by_wiz_id:
+                # Direct lookup by Wiz ID (most common case)
+                if identifier in self._regscale_assets_by_wiz_id:
+                    regscale_asset = self._regscale_assets_by_wiz_id[identifier]
+                    return regscale_asset
+
+                # Fallback: check all assets for name/identifier matches
+                for wiz_id, regscale_asset in self._regscale_assets_by_wiz_id.items():
+                    # Check if asset name matches the identifier
+                    if regscale_asset.name == identifier:
+                        return regscale_asset
+
+                    # Also check identifier field
+                    if hasattr(regscale_asset, "identifier") and regscale_asset.identifier == identifier:
+                        return regscale_asset
+
+                    # Check other tracking number
+                    if (
+                        hasattr(regscale_asset, "otherTrackingNumber")
+                        and regscale_asset.otherTrackingNumber == identifier
+                    ):
+                        logger.debug(
+                            f"Found asset via otherTrackingNumber match: {regscale_asset.name} (Wiz ID: {wiz_id})"
+                        )
+                        return regscale_asset
+
+        except Exception:
+            pass
+
+        # Asset not found
+        return None
+
+    def _ensure_asset_for_finding(self, finding: IntegrationFinding) -> Optional["regscale_models.Asset"]:
+        """
+        Override asset creation for Wiz policy compliance integration.
+
+        We don't create assets in policy compliance integration - they come from
+        separate Wiz inventory import. If an asset isn't found, we skip the finding.
+
+        :param IntegrationFinding finding: Finding that needs an asset
+        :return: None (we don't create assets)
+        :rtype: Optional[regscale_models.Asset]
+        """
+        return None
+
+    def _process_consolidated_issues(self, findings: List[IntegrationFinding]) -> None:
+        """
+        Process pre-consolidated findings to create issues.
+
+        Since fetch_findings() now creates consolidated findings (one per control with all resources),
+        this method simply creates issues directly from each finding.
+
+        :param List[IntegrationFinding] findings: List of pre-consolidated findings to process
+        """
+        if not findings:
+            return
+
+        issues_processed = 0
+
+        for finding in findings:
+            try:
+                control_id = self._normalize_control_id_string(finding.rule_id) or finding.rule_id
+
+                # Create issue title
+                issue_title = self.get_issue_title(finding)
+
+                # Create issue directly from the consolidated finding
+                issue = self.create_or_update_issue_from_finding(title=issue_title, finding=finding)
+                if issue:
+                    issues_processed += 1
+
+                else:
+                    logger.debug(
+                        f"Failed to create issue for control {control_id} - create_or_update_issue_from_finding returned None"
+                    )
+
+            except Exception as e:
+                logger.error(f"Error processing consolidated issue for control {control_id}: {e}")
+
+        # Store the count for summary reporting
+        self._issues_processed_count = issues_processed
+
+    def _find_existing_issue_for_control(self) -> Optional["regscale_models.Issue"]:
+        """
+        Find existing issue for a specific control.
+
+        :param str control_id: Control ID to search for
+        :return: Existing issue if found
+        :rtype: Optional[regscale_models.Issue]
+        """
+        # This is a simplified check - in practice you might want to search by external_id or other fields
+        # that uniquely identify control-specific issues
+        return None  # For now, always create new issues
+
+    def sync_compliance(self, *args, **kwargs) -> None:
+        """Override sync to use consolidated issue processing and add summary reporting."""
+        # Initialize issue counter
+        self._issues_created_count = 0
+
+        try:
+            # Initialize cache dictionaries if not already initialized
+            if not hasattr(self, "_impl_id_by_control"):
+                self._impl_id_by_control = {}
+            if not hasattr(self, "_assessment_by_impl_today"):
+                self._assessment_by_impl_today = {}
+
+            # Ensure existing records cache is loaded before processing
+            self._load_existing_records_cache()
+
+            # CRITICAL: Pre-populate control implementation cache before any processing
+            logger.info("🎯 Pre-populating control implementation cache for reliable issue linking...")
+            self._populate_control_implementation_cache()
+
+            # Call parent's compliance data processing (assessments, etc.) but skip issue creation
+            original_create_issues = self.create_issues
+            self.create_issues = False  # Disable base class issue creation
+            super().sync_compliance()  # Call the base ComplianceIntegration.sync_compliance method
+            self.create_issues = original_create_issues  # Restore setting
+
+            # CRITICAL: Copy assessments from base class cache to our cache so IssueFieldSetter can find them
+            self._sync_assessment_cache_from_base_class()
+
+            # Now handle issue creation with consolidated logic
+            if self.create_issues:
+                findings = list(self.fetch_findings())
+                if findings:
+                    self._process_consolidated_issues(findings)
+
+            # Provide concise summary
+            issues_processed = getattr(self, "_issues_processed_count", 0)
+
+            if issues_processed > 0:
+                # Count actual unique issues in the database for this security plan
+                from regscale.models import regscale_models
+
+                actual_issues = len(
+                    regscale_models.Issue.get_all_by_parent(parent_id=self.plan_id, parent_module=self.parent_module)
+                )
+
+                logger.info(
+                    f"📊 SUMMARY: Processed {issues_processed} policy violations resulting in {actual_issues} consolidated issues for failed controls for assets in RegScale"
+                )
+            else:
+                logger.info("📊 SUMMARY: No issues processed - no failed controls with existing assets")
+
         except Exception as e:
-            logger.error(f"Error updating scan history: {e}")
+            error_and_exit(f"Error during Wiz compliance sync: {e}")
+
+    def _get_regscale_asset_identifier(self, compliance_item: "WizComplianceItem") -> str:
+        """
+        Get the appropriate RegScale asset identifier for a compliance item.
+
+        For Wiz integrations, the asset_identifier_field is "wizId", so we need to return
+        the Wiz resource ID that will match what's stored in the RegScale Asset's wizId field.
+
+        :param WizComplianceItem compliance_item: Compliance item with resource information
+        :return: Wiz resource ID that matches the RegScale Asset's wizId field
+        :rtype: str
+        """
+        resource_id = getattr(compliance_item, "resource_id", "")
+        resource_name = getattr(compliance_item, "resource_name", "")
+
+        # For Wiz policy compliance, the asset identifier should be the Wiz resource ID
+        # because that's what gets stored in RegScale Asset's wizId field (asset_identifier_field = "wizId")
+        if resource_id:
+            return resource_id
+
+        # Fallback (should not normally happen since resource_id is required)
+        return resource_name or "Unknown Resource"
+
+    def _create_consolidated_asset_identifier(self, asset_mappings: Dict[str, Dict[str, str]]) -> str:
+        """
+        Create a consolidated asset identifier with only asset names (one per line).
+
+        Format: "Asset Name 1\nAsset Name 2\nAsset Name 3"
+        This format provides clean, human-readable asset names for POAMs and issues
+        without cluttering them with Wiz resource IDs.
+
+        :param Dict[str, Dict[str, str]] asset_mappings: Map of Wiz resource IDs to asset info
+        :return: Consolidated identifier string with asset names only
+        :rtype: str
+        """
+        if not asset_mappings:
+            return ""
+
+        # Create entries that show only asset names (one per line)
+        identifier_parts = []
+        # Sort by asset name for consistent ordering
+        sorted_mappings = sorted(asset_mappings.items(), key=lambda x: x[1]["name"])
+        for wiz_id, asset_info in sorted_mappings:
+            asset_name = asset_info["name"]
+            wiz_resource_id = asset_info["wiz_id"]
+
+            # Format: Just the asset name (no Wiz resource ID for cleaner POAMs)
+            if asset_name != wiz_resource_id:
+                # Asset was successfully mapped, show only the name
+                identifier_part = asset_name
+            else:
+                # Asset lookup failed, use the Wiz resource ID as fallback
+                identifier_part = wiz_resource_id
+
+            identifier_parts.append(identifier_part)
+
+        # Join with newlines for multi-asset issues
+        consolidated_identifier = "\n".join(identifier_parts)
+        logger.debug(
+            f"Created consolidated asset identifier with {len(identifier_parts)} assets: {consolidated_identifier}"
+        )
+        return consolidated_identifier
 
 
 def resolve_framework_id(framework_input: str) -> str: