Control & Governance · M.02

Auditor-ready. Always.

Every action by every operator and agent — captured, signed, and queryable. Your SOC 2, ISO 27001, HIPAA evidence is a query, not a 6-week scramble.

Control surface · live · SOC 2 · ISO 27001 · HIPAA · continuous

Active controls · cross-system · 312 controls measured continuously

  • SOC 2 CC6.1 · access control · 94 evidence items (auto) · PASS
  • ISO 27001 A.8.3 · media handling · 28 attestations · PASS
  • HIPAA §164.308(a)(5) · security awareness and training · 2 stale acknowledgements · REMEDIATE
  • Change management · 1,420 changes · 100% peer-reviewed · PASS

Policy grid (live demo) · 6 decisions × 4 rules · pass/fail in real time · evidence captured. Rules: SOC 2 CC8.1 margin, floor pricing, approval data, retention. Result: 18 / 20 passed · 2 routed for review · all evidence captured.
Vault deposit · what this guardrail produces

  • Evidence: compliance posture · audit-readiness · evidence-completeness score
  • 12 months in vault → first tier unlocked
  • Tier unlocked: Tier 4 · rated paper / Tier 3 · insurance-linked

Guardrail rule: every policy decision is hash-chained to its evidence record. See /the-vault for the full underwriting fabric.
What it looks like

Trail. Approve. Frame.

Hash-chained audit trail. Tiered approvals with SLA. Compliance frameworks pre-mapped.

§ 01 · Audit trail

QT-0892 lineage · hash-chained · 4 events · all signed

  • QT-0892 created · 0x4a72…
  • floor rule fired · 0x9b3c…
  • VP Ops approved · 0x18d4…
  • quote.send · 0xe2a8…
§ 02 · Approval chain

Tiered routing · SLA enforced

QT-0892 · margin override · routed REP → MGR → VP → CFO
§ 03 · Frameworks

SOC2 · SOX · ISO · NIST

Q3 audit window · coverage

  • SOC 2 Type II · 98%
  • SOX 404 · 100%
  • ISO 27001 · 94%
  • NIST CSF v2 · 91%
The problem

Your audit is a fire drill.

Six weeks before audit, the security team starts pulling screenshots, exporting logs, asking engineers to re-attest. Half the controls fail because the evidence wasn't captured continuously.

Without Control & Governance

Today's status quo

  • Pre-audit scramble — 6 weeks of screenshots, exports, attestations
  • Evidence captured at point-in-time — gaps for the rest of the year
  • Agent / automation actions invisible to the audit trail
  • New regulations (DORA, AI Act) bolted on as separate compliance projects
With Control & Governance

What changes

  • Evidence captured continuously — audits are queries, not projects
  • Every operator and agent action logged, signed, attributable
  • Cross-framework mapping (SOC 2 → ISO → HIPAA → DORA) — one control, many badges
  • New regulations onboard as policy edits, not net-new infrastructure
Capabilities

What's inside.

The six capabilities that make this module work end-to-end. Pick any one as your starting point — they compound.

01

Action-level capture

Every read, write, and decision, by humans and agents alike, is captured with actor, timestamp, justification, and approval chain, then hash-chained to the previous event and signed, so a later edit, deletion, or reordering is detectable.

Capture · Signed
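What a hash-chained, signed trail like the QT-0892 lineage looks like in code, as an added illustration rather than Allometry's own implementation. The event fields, the signing scheme (HMAC-SHA256 over the event hash), the demo key and the four sample events are all constructed for the example; the page only states that events are hash-chained and signed.

```python
"""Hash-chained, HMAC-signed audit trail: append, verify, and detect tampering.
Added example, not Allometry's code; fields and signing scheme are assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first event in the chain

# Constructed demo key. In production the key lives in a KMS/HSM the log writer
# cannot read back, otherwise a compromised writer can re-sign rewritten history.
SIGNING_KEY = b"demo-signing-key-not-for-production"


def canonical(obj) -> bytes:
    """Stable JSON encoding so an identical event always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class Event:
    seq: int
    actor: str            # human, agent or integration that acted
    action: str
    justification: str
    approvals: List[str]  # approval chain at the time of the action
    timestamp: str
    prev_hash: str        # hash of the previous event: the chain link
    hash: str = ""
    sig: str = ""


class AuditTrail:
    def __init__(self, key: bytes = SIGNING_KEY):
        self.key = key
        self.events: List[Event] = []

    @staticmethod
    def digest(ev: Event) -> str:
        body = {k: v for k, v in asdict(ev).items() if k not in ("hash", "sig")}
        return hashlib.sha256(canonical(body)).hexdigest()

    def sign(self, h: str) -> str:
        return hmac.new(self.key, h.encode(), hashlib.sha256).hexdigest()

    def append(self, actor, action, justification, approvals, timestamp) -> Event:
        prev = self.events[-1].hash if self.events else GENESIS
        ev = Event(len(self.events), actor, action, justification,
                   list(approvals), timestamp, prev)
        ev.hash = self.digest(ev)
        ev.sig = self.sign(ev.hash)
        self.events.append(ev)
        return ev

    def head(self) -> Tuple[int, str]:
        """(count, last hash). Publish this out-of-band so truncation is detectable."""
        return len(self.events), (self.events[-1].hash if self.events else GENESIS)

    def verify(self) -> Optional[int]:
        """None if the chain is intact, else the seq of the first failing event."""
        prev = GENESIS
        for ev in self.events:
            if ev.prev_hash != prev or self.digest(ev) != ev.hash:
                return ev.seq  # edited in place, reordered or spliced
            if not hmac.compare_digest(self.sign(ev.hash), ev.sig):
                return ev.seq  # re-hashed by someone without the key
            prev = ev.hash
        return None


def build_demo_trail() -> AuditTrail:
    """The four QT-0892 events named on the page, with constructed details."""
    t = AuditTrail()
    t.append("crm", "QT-0892 created", "new quote", [], "2025-03-03T09:00:00Z")
    t.append("policy-engine", "floor rule fired", "margin below floor", [], "2025-03-03T09:00:02Z")
    t.append("vp-ops", "VP Ops approved", "strategic account, one-time",
             ["rep", "mgr", "vp-ops"], "2025-03-03T10:15:00Z")
    t.append("rep", "quote.send", "customer requested by EOD", ["vp-ops"], "2025-03-03T10:20:00Z")
    return t


def tamper_in_place() -> Optional[int]:
    """Rewrite an approval justification without touching its hash."""
    t = build_demo_trail()
    t.events[2].justification = "routine"
    return t.verify()


def tamper_and_rehash() -> Optional[int]:
    """Rewrite and recompute the hash; the missing key shows in the signature."""
    t = build_demo_trail()
    t.events[1].justification = "no rule fired"
    t.events[1].hash = AuditTrail.digest(t.events[1])
    return t.verify()


def truncation_detected() -> bool:
    """Dropping the last event leaves a valid chain; only a published head catches it."""
    t = build_demo_trail()
    published = t.head()
    t.events.pop()
    return t.verify() is None and t.head() != published
```

Two points a practitioner should take from the verifier: an in-place edit fails the hash check, and an edit plus rehash fails the signature check, but silently dropping the newest events leaves a chain that still verifies. Tamper-evidence for truncation needs the chain head (count and last hash) written somewhere the log writer cannot alter, such as a signed checkpoint in a separate system, which is what `head()` stands in for here.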
02

Continuous control evidence

Controls run continuously. Evidence accrues passively. When the auditor asks, the answer's already on the shelf.

Continuous · Evidence
03

Cross-framework mapping

One control maps to many frameworks. Adding ISO 27001 to your SOC 2 program is a mapping exercise, not a new program.

SOC · ISO · HIPAA
04

Agent governance

AI agents act under named roles, named policies, and named guardrails. Every agent decision logged with its policy version and inputs.

Agents · Policy
05

Customer trust portal

External-facing trust portal with live control status. Prospects' security teams answer their own questions without a 14-day SIG (Standardized Information Gathering) questionnaire cycle.

Trust · Portal · SIG
06

Regulatory horizon

DORA, AI Act, GDPR updates, sectoral regs — tracked, mapped, and surfaced as policy edits before they bind you.

Horizon · Regulator
The autonomous loop

From action to evidence.

Every action — by a human, an agent, an integration — captured on the wire. Controls evaluate continuously. Evidence accrues. Audit becomes a read, not a write.

§ 01 · Capture

Every action

Humans, agents, integrations — captured with actor, justification, approval chain.

Realtime
§ 02 · Evaluate

Controls run

Each control runs continuously against the live action stream; a failure surfaces within the evaluation window, under five minutes.

< 5min
§ 03 · Map

Cross-framework

One control maps to SOC 2, ISO, HIPAA, DORA — evidence reused, not re-collected.

Auto
§ 04 · Surface

Audit + trust

Internal dashboards for owners. External trust portal for customers. Continuous.

Live
Policy you can read

Controls as policy artifacts.

Each control is a policy artifact: stated objective, evidence sources, evaluation cadence, owner, framework mappings. Auditable, version-controlled, queryable.

When a regulation changes, you edit the policy. The control re-evaluates. Evidence re-accrues. No 'compliance project.'

control · CC6.1-access.alm
# Control · access management
control "access-quarterly-review":

  objective = "Per-system access reviewed quarterly"

  # framework mappings — one control, many badges
  maps_to = [
    "SOC2.CC6.1",
    "ISO27001.A.9.2.5",
    "HIPAA.164.308.a.4",
    "DORA.Art28"
  ]

  # evidence sources
  evidence = [
    iam.access_review_completion(),
    iam.user_role_history(90d),
    audit_log.access_grants(90d)
  ]

  # evaluation
  cadence    = "continuous"
  pass_when  = evidence.complete and reviewer.signed
  owner      = "head-of-iam"

  # external visibility
  trust_portal.show = true
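How a control artifact like the one above is evaluated and rolled up across frameworks, as an added example that is not Allometry's engine or `.alm` interpreter. It models the `maps_to` / `evidence` / `pass_when` fields as plain Python, adds an evidence freshness check (the stale-acknowledgement case from the control surface), and computes per-framework coverage so that one failing control dents every badge it maps to. The three controls, their framework mappings, the `NOW` clock and every evidence item are constructed for the example.

```python
"""Controls as policy artifacts: evaluate each against its evidence, then roll
pass/fail up per framework. Added example; controls and evidence are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

NOW = datetime(2025, 3, 31, tzinfo=timezone.utc)  # constructed evaluation clock


def days(n: int) -> timedelta:
    return timedelta(days=n)


@dataclass
class Evidence:
    source: str
    collected_at: datetime
    signed: bool = True  # reviewer sign-off on this item


@dataclass
class Control:
    id: str
    objective: str
    maps_to: List[str]            # "FRAMEWORK.clause", one control -> many badges
    required_sources: List[str]   # every source must have a fresh item
    max_age: timedelta            # evidence older than this is stale
    evidence: List[Evidence] = field(default_factory=list)


@dataclass
class Result:
    status: str          # "PASS" or "REMEDIATE"
    missing: List[str]   # required sources with no fresh item
    stale: int
    unsigned: int


def evaluate(c: Control, now: datetime = NOW) -> Result:
    """pass_when = evidence complete and fresh and every item reviewer-signed."""
    fresh = [e for e in c.evidence if now - e.collected_at <= c.max_age]
    missing = [s for s in c.required_sources if not any(e.source == s for e in fresh)]
    stale = len(c.evidence) - len(fresh)
    unsigned = sum(1 for e in c.evidence if not e.signed)
    status = "PASS" if not (missing or stale or unsigned) else "REMEDIATE"
    return Result(status, missing, stale, unsigned)


def framework_of(mapping: str) -> str:
    return mapping.split(".", 1)[0]


def coverage(controls: List[Control], now: datetime = NOW) -> Dict[str, Tuple[int, int]]:
    """(passing, mapped) per framework. A control is evaluated once and its
    result reused for every framework it maps to: evidence reused, not re-collected."""
    tally: Dict[str, Tuple[int, int]] = {}
    for c in controls:
        ok = evaluate(c, now).status == "PASS"
        for fw in {framework_of(m) for m in c.maps_to}:
            p, n = tally.get(fw, (0, 0))
            tally[fw] = (p + int(ok), n + 1)
    return tally


def demo_controls() -> List[Control]:
    """Constructed controls; framework clauses are illustrative mappings."""
    return [
        Control("access-quarterly-review", "Per-system access reviewed quarterly",
                ["SOC2.CC6.1", "ISO27001.A.9.2.5", "HIPAA.164.308.a.4", "DORA.Art28"],
                ["iam.access_review_completion", "iam.user_role_history",
                 "audit_log.access_grants"], days(90),
                [Evidence("iam.access_review_completion", NOW - days(12)),
                 Evidence("iam.user_role_history", NOW - days(1)),
                 Evidence("audit_log.access_grants", NOW - days(1))]),
        Control("security-awareness-ack", "Workforce acknowledges security policy annually",
                ["HIPAA.164.308.a.5", "ISO27001.A.7.2.2", "SOC2.CC1.4"],
                ["hr.policy_ack"], days(365),
                [Evidence("hr.policy_ack", NOW - days(200)),    # fresh
                 Evidence("hr.policy_ack", NOW - days(400)),    # stale
                 Evidence("hr.policy_ack", NOW - days(380))]),  # stale
        Control("change-peer-review", "Every production change peer-reviewed",
                ["SOC2.CC8.1", "ISO27001.A.12.1.2"],
                ["vcs.pull_request_reviews"], days(1),
                [Evidence("vcs.pull_request_reviews", NOW - timedelta(hours=2))]),
    ]
```

Running `coverage(demo_controls())` gives SOC 2 and ISO 27001 at 2 of 3 controls passing, HIPAA at 1 of 2, and DORA at 1 of 1: the two stale acknowledgements on one control are reported once but pull down three badges at the same time, which is the flip side of one-control-many-badges and the reason the freshness window belongs in the artifact rather than in the auditor's head.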
Where it lives

Connects to every system auditors care about.

Identity

IAM + IDP

Okta, Azure AD, Google Workspace — access events captured live.

Cloud

Infrastructure

AWS, GCP, Azure — config changes, IAM grants, security findings.

Endpoint

MDM + EDR

Jamf, Intune, CrowdStrike — endpoint posture into the control surface.

GRC

Vendor mgmt

Vanta, Drata, OneTrust — coexists; Allometry adds the agent + cross-loop layer.

Real outcomes

"Our SOC 2 audit went from a six-week project to a three-day review. The auditor pulled their own evidence from the trust portal. We added ISO 27001 the same year with no extra headcount."

Sami Okonkwo CISO · Operator D
  • −93% audit prep time
  • 1 → 4 frameworks held
  • 100% action coverage

Operator D · security review · SOC 2 + ISO 27001 + HIPAA
See it on your data

Map your existing controls.

Send your current SOC 2 / ISO scope. We'll map it to Allometry's control surface and show you what shifts from project to query.