Graille Governance system

AI GOVERNANCE ISO 42001 AUDIT EXECUTION

AI governance that runs, not just reports

Runtime controls for AI systems in production. When auditors ask, you're already ready.

Runtime enforcement • Immutable audit logs • ISO 42001 aligned

Enforce approvals, log decisions, maintain policy boundaries — continuously, not just at assessment time.

Evidence-first governance

Governance begins with evidence

In audits, governance is not evaluated by intent, policies, or architecture diagrams. It is evaluated by evidence.

For AI systems — especially those using large language models — this evidence is often fragmented, implicit, or entirely missing. Teams know how their systems behave, but cannot demonstrate how decisions are controlled, reviewed, or logged in a way auditors can verify.

Graille is designed to make AI governance auditable before it is enforceable.

  • Assess

    Define audit expectations before enforcement exists.

  • Produce

    Generate explicit evidence and control gap categories.

  • Enforce

    Apply runtime controls only after posture is defined.

AUDIT EVIDENCE FLOW

From AI system design to audit-ready evidence

Graille defines how AI system behavior is assessed, documented, and reviewed — so governance is auditable before it is enforced.

Why AI systems change what auditors ask for

Traditional audit frameworks assume deterministic systems, static logic, and fixed control points.

AI systems introduce:

  • Prompt-driven decision logic
  • Agent-based workflows
  • Human-in-the-loop approvals
  • Dynamic model routing and tool invocation

Auditors now expect organizations to demonstrate how AI behavior is governed, reviewed, logged, and constrained over time — not just that policies exist.

Graille is purpose-built to meet these audit expectations.

Adopt governance at your pace

Graille supports governance maturity through three independent layers. Each layer delivers audit value on its own.

Assessment

Establish audit readiness through structured, evidence-focused analysis. Defines evidence expectations and control gaps without runtime access.

  • Evidence expectations and findings
  • Control gaps without deploying agents
  • SOC / ISO-aligned audit language

Assurance

Maintain readiness as systems evolve and changes introduce new risk. Keeps audit posture current between reviews.

  • Detect governance drift as systems change
  • Maintain readiness between reviews
  • Historical posture over time

Control

Enforce governance at runtime to prevent policy violations before they occur. Preserves immutable, auditable history.

  • Policy gating before execution
  • Human-in-the-loop approvals
  • Immutable audit logs

Start with assessment. Add assurance as systems change. Enforce controls when required.

Product

Graille Audit Readiness Scan

A structured, independent assessment of LLM-based applications. Organizations submit a source archive or connect a repository to receive a formal audit readiness report focused on AI-specific governance controls. No deployment required.

Pay-per-scan • Secure checkout required

What you get

  • Executive-level readiness summary
  • Identified control gaps and risk categories
  • Evidence expectations commonly requested by auditors
  • Clear remediation categories (non-prescriptive)

Evidence artifacts

Representative structure of a Graille audit readiness report.

Sample Graille audit readiness report

Designed for

  • Pre-audit preparation
  • Enterprise sales and due-diligence review
  • Internal governance and risk assessment

Assessment methodology

Graille assessments are performed using a structured and repeatable methodology designed to support audit defensibility.

  1. Control-oriented analysis (not vulnerability scanning)
  2. Evidence-based findings derived from static system behavior
  3. Consistency across assessments to support comparability over time
  4. Conservative interpretation aligned with audit practice

Audit expectation: Evidence must be reproducible and independently reviewable.

Constraints: Graille does not use opaque risk scores, speculative heuristics, or undisclosed weighting models.

Scope of assessment

  • LLM integration patterns and external dependencies
  • Prompt handling and data exposure risk
  • Presence or absence of:
    • Logging and traceability mechanisms
    • Approval and escalation pathways
    • Policy boundaries and guardrails
    • Change accountability indicators
  • Alignment with common enterprise audit expectations (SOC-style / ISO-style controls)

Output format

Outputs are structured for audit, procurement, and internal oversight review.

  • Readiness summary and evidence expectations
  • Control gaps across logging, approvals, policy boundaries
  • Non-prescriptive remediation categories

Commonly used for pre-audit preparation, enterprise procurement review, and internal audit planning.

Scope boundaries & limitations

To preserve audit integrity and minimize risk, Graille operates within strict boundaries:

  • No execution of customer code
  • No modification of repositories
  • No access to production environments
  • No runtime monitoring unless explicitly deployed
  • No retention of source artifacts beyond report generation

Limitations: Graille does not provide legal opinion, certification, or regulatory approval.

Reports are intended to support, not replace, formal audit processes.

Product

Graille Continuous Assurance

Audit readiness can degrade as systems change. Continuous assurance enables organizations to preserve an audit-grade control timeline: immutable control snapshots, explicit diffs between scans, and defensible evidence continuity as systems evolve.

Subscription • Per repository

What you get

  • Tamper-evident control snapshots via hash-chained history
  • Regression vs improvement detection between scans
  • Evidence continuity across releases and deployments
  • Change-management documentation for audit narratives

Assurance timeline

Control posture tracked across scans with regression detection.

Graille assurance timeline showing control snapshots and diffs across scans

Common use cases

  • Ongoing compliance posture monitoring
  • Change-management documentation for releases
  • Audit defensibility across development cycles
  • Demonstrating governance continuity to regulators

How it works

Each scan produces an immutable control snapshot. Snapshots are hash-chained to form a tamper-evident timeline, ensuring governance history cannot be altered retroactively.

  • Control snapshots per scan, mapped to specific controls
  • Diff-driven analysis: regressions vs improvements
  • Hash-chained history for audit integrity

Audit expectation: Governance posture should be demonstrable at any point in time, not just during reviews.

What it detects

  • Control drift: what changed, when, and in which commit
  • Regressions: controls that weakened between scans
  • Improvements: controls that strengthened over time
  • Evidence gaps: controls that lost supporting artifacts

Regression summaries are structured for inclusion in audit narratives and change-management documentation.

Evidence continuity

Continuous assurance maintains evidence continuity across your development lifecycle. When auditors ask "what was your control posture on date X?", you can answer with cryptographically verifiable snapshots.

  • Point-in-time posture retrieval
  • Cross-release comparison reports
  • Exportable evidence packages per snapshot
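
The hash-chained snapshot timeline described under "How it works" and "Evidence continuity" above, as an added illustration that is not Graille's own code: each snapshot's hash commits to the previous entry's hash, so a retroactive edit to any earlier scan breaks verification, and a diff between two snapshots classifies controls as regressions, improvements or evidence gaps. The control IDs (`LOG-01`, `APPR-01`), the status ordering and the evidence file names are constructed sample values, not Graille's schema.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64  # constructed sentinel: prev_hash of the first snapshot
RANK = {"fail": 0, "partial": 1, "pass": 2}  # constructed ordering of control states

def _digest(body):
    # Canonical JSON so identical snapshot content always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def append_snapshot(chain, scan_id, controls):
    """Append a control snapshot whose hash commits to the previous entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS_HASH
    body = {"scan_id": scan_id, "prev_hash": prev, "controls": controls}
    chain.append({**body, "hash": _digest(body)})

def verify_chain(chain):
    """Return (True, None) if every link holds, else (False, index of the first broken entry)."""
    prev = GENESIS_HASH
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev_hash"] != prev or _digest(body) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None

def diff_snapshots(old, new):
    """Classify controls as regressions, improvements or evidence gaps between two snapshots."""
    report = {"regressions": [], "improvements": [], "evidence_gaps": []}
    missing = {"status": "fail", "evidence": []}  # a control absent from a scan counts as failed
    for cid in sorted(set(old["controls"]) | set(new["controls"])):
        before, after = old["controls"].get(cid, missing), new["controls"].get(cid, missing)
        if RANK[after["status"]] < RANK[before["status"]]:
            report["regressions"].append(cid)
        elif RANK[after["status"]] > RANK[before["status"]]:
            report["improvements"].append(cid)
        if before["evidence"] and not after["evidence"]:
            report["evidence_gaps"].append(cid)
    return report

def demo():
    """Constructed two-scan timeline, then a retroactive edit that verification catches."""
    chain = []
    append_snapshot(chain, "scan-1", {"LOG-01": {"status": "pass", "evidence": ["audit.log"]},
                                      "APPR-01": {"status": "fail", "evidence": []}})
    append_snapshot(chain, "scan-2", {"LOG-01": {"status": "partial", "evidence": []},
                                      "APPR-01": {"status": "pass", "evidence": ["gate.json"]}})
    tampered = json.loads(json.dumps(chain))  # deep copy of the timeline
    tampered[0]["controls"]["APPR-01"]["status"] = "pass"  # rewriting history after the fact
    return verify_chain(chain), diff_snapshots(chain[0], chain[1]), verify_chain(tampered)
```

Because `verify_chain` recomputes every digest from the stored body, an edit to scan-1 is reported at index 0 even though scan-2 still references the original hash; in a real deployment the head hash would additionally be anchored somewhere the repository owner cannot silently rewrite.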

GitHub integration

Connect repositories directly for automated scanning. Assurance runs on push/merge to the default branch (main) and can be triggered manually from the dashboard.

  • One-click GitHub App installation
  • Automatic scans on merge to default branch
  • Regression alerts via Slack/Teams (incoming webhooks) or custom webhook endpoints
  • Dashboard visibility across all connected repos

Assessment identifies gaps. Governance closes them.

What is our current exposure?

Audit readiness assessments answer this question.

How do we ensure these controls cannot be bypassed?

Some organizations must also demonstrate this, and that requirement cannot be met through reporting alone.

Product

Graille Control Plane (Invite-Only)

For organizations operating LLM systems in regulated or high-risk environments. The Graille Control Plane provides runtime governance to enable assurance by design.

Invite-only • Runtime enforcement

Capabilities

  • Policy enforcement prior to model execution
  • Mandatory approvals for defined risk events
  • Immutable, tamper-evident audit logs
  • Separation of duties between engineering and oversight functions

Control plane

Graille control plane dashboard sample

Availability: Invite-only. Offered to organizations with established assessment maturity.

Runtime enforcement

  • Governance decisions happen before execution, not after review
  • Approvals and gating for defined risk events
  • Preserves immutable, auditable history

Audit evidence by design

  • Tamper-evident audit logs
  • Separation of duties between engineering and oversight
  • Clear policy boundaries and enforcement outcomes

Why it is invite-only

Governance systems introduce risk if deployed without the appropriate context, namely:

  • Clearly defined audit objectives
  • Appropriate policy design
  • Correct operational ownership

This approach protects audit defensibility for all parties.

Audit Execution

Graille AEP: Audit Execution Platform

While other tools help you track compliance, AEP executes audit procedures automatically — AI agents collect evidence, test controls, and generate reports under strict governance. Built for ISO 42001. Ready for ISO 27001, SOC 2, and beyond.

Multi-framework: ISO 42001 • ISO 27001 • SOC 2

What makes AEP different

Traditional compliance tools are management platforms — they help you track policies and collect evidence manually. AEP is an audit execution platform — AI agents execute audit procedures under strict governance, producing audit-ready evidence automatically.

  • Automated evidence collection mapped to framework controls
  • AI agents execute control tests under governance controls
  • Gap analysis and remediation tracking with agent proposals
  • Audit defense mode: replay any execution with full provenance
  • One-click readiness reports for auditors

Framework coverage

  • ISO 42001 — AI Management Systems (first-mover, full coverage)
  • ISO 27001 — Information Security Management
  • SOC 2 — Trust Services Criteria
  • EU AI Act — Regulatory readiness (roadmap)
  • Internal Audit — Enterprise audit automation (roadmap)

Why start with ISO 42001?

ISO 42001 is new, underserved, and urgently needed by companies deploying AI. Existing tools (Vanta, Scytale, etc.) were built for older frameworks. AEP is purpose-built for AI governance — and the same execution engine scales to ISO 27001, SOC 2, and beyond.

How audit execution works

  1. Create an engagement (ISO 42001, ISO 27001, SOC 2, etc.)
  2. AI agents collect evidence automatically where possible
  3. Control tests execute under AIC governance with human review
  4. Gap analysis identifies remediation priorities
  5. Generate audit-ready workpapers and reports

Audit expectation: Every agent action is logged, replayable, and tied to the methodology that authorized it.

Audit agents

  • Evidence Collector — Auto-collects system artifacts mapped to framework controls
  • Control Tester — Executes test procedures with pass/fail/exception results
  • Gap Analyzer — Identifies control gaps and proposes remediation
  • Workpaper Generator — Produces auditor-ready reports and evidence packages

All agents operate under AIC Control Plane governance. Nothing executes without authorization. Nothing completes without human review.

Audit defense mode

When external auditors challenge a control, activate audit defense mode to demonstrate:

  • The policy version that was in effect
  • The evidence that satisfies the control
  • The approval chain that reviewed it
  • The methodology that was documented

Regulators can audit the system without leaving their office. Full replay, full provenance, full transparency.

Additional context

For audit teams

Audience, fit guidance, and quick answers to common audit questions.

Audience

Audit stakeholders

Graille is designed for teams who must explain — and defend — how AI behavior is governed using evidence an auditor can verify.

Primary users

  • Compliance and risk teams
  • Security leadership
  • AI governance committees
  • Enterprise procurement reviewers

Oversight conversations

  • External auditors
  • Enterprise customers
  • Regulators and internal oversight bodies

What they need

  • Audit-aligned language and evidence expectations
  • Repeatable findings and gap categories
  • Clear governance posture that can be reviewed

Fit check

Best fit vs. not ideal

Graille is built for audit defensibility and governance evidence. If that is not the goal, you may not need this workflow.

Best fit when

  • You expect audit, procurement, or regulator review
  • You need evidence artifacts, not just policies
  • You want a repeatable methodology for AI governance

Not ideal when

  • Consumer experimentation or hobby projects
  • Applications without audit or compliance requirements
  • Teams seeking vulnerability scanning or penetration testing

FAQ

Audit FAQ

Is the audit readiness scan sufficient on its own?

Yes. Many organizations use Graille exclusively for assessment and documentation.

Does Graille provide certification or regulatory approval?

No. Graille provides evidence-ready analysis aligned with existing audit frameworks.

Is deployment required for the scan?

No. The assessment is static and non-intrusive.

Next step

Stop preparing for audits. Start being ready.

See where you stand with a readiness scan. Then stay audit-ready with runtime governance that enforces policy continuously.