Agent governance

Every agent is trained by a named auditor.

This is specialist accountability, surfaced as a product feature. Each framework agent has a designated "Trained by" field — the credentialed SME whose review methodology, finding language, and evidence standards the agent absorbs through the redline loop. Prompt traces, source references, and approval gates stay visible so the auditor can see where AI helped and where a human signed off.

Agents in production: 12
SMEs assigned: 1 / 12
Avg calibration: 81% (redline loop)
Human override rate: 1.8% (the auditor still decides)
SOC 2 Auditor Agent
SOC 2 · auditor
SME TBD

Role-plays a senior AICPA SOC practitioner. Challenges weak evidence, cites 2017 TSC with 2022 Points of Focus, and raises the concerns a real practitioner raises in fieldwork.

Trained by
— awaiting workspace SME —
AICPA SOC Practitioner
Calibration: 78%
Artifacts: 1,242
Findings: 87
2026-04-22 · override rate · 1.13%
Specialty: CC6.1–CC8.1 · logical access + system operations
HITRUST r2 Assessor Agent
HITRUST r2 · auditor
SME assigned

Role-plays a HITRUST CCSFP performing a pre-assessment walkthrough. Preserves native references and flags assessor evidence gaps without copying proprietary requirement text.

Trained by
named
HITRUST Reviewer
HITRUST CSF Assessor (CCSFP)
Calibration: 91%
Artifacts: 2,014
Findings: 131
2026-04-23 · override rate · 0.45%
Specialty: 01.b–01.v · access control family + 11.a incident reporting
CMS EDE Auditor Agent
CMS EDE · auditor
SME TBD

Role-plays a CMS EDE third-party auditor performing a Year 9 Operational Readiness Review. Cites guidance by name and date.

Trained by
— awaiting workspace SME —
CMS EDE Third-party Auditor
Calibration: 73%
Artifacts: 518
Findings: 62
2026-04-22 · override rate · 4.05%
Specialty: Phase 1 / 2 / 3 ORR + MARS-E 2.2 + Privacy Act
HIPAA Security Rule Reviewer
HIPAA · auditor
SME TBD

Reviews ePHI safeguards against 45 CFR § 164 Subpart C. Flags risk-analysis gaps per 164.308(a)(1)(ii)(A) and HHS OCR enforcement patterns.

Trained by
— awaiting workspace SME —
CHSPP
Calibration: 84%
Artifacts: 1,680
Findings: 74
2026-04-21 · override rate · 0.65%
Specialty: 164.308 Administrative + 164.312 Technical Safeguards
PCI DSS 4.0.1 QSA Agent
PCI 4.0.1 · auditor
SME TBD

Writes findings to the v4.0.1 Report on Compliance template. Tracks future-dated requirements (effective 2025-03-31).

Trained by
— awaiting workspace SME —
PCI QSA
Calibration: 69%
Artifacts: 392
Findings: 41
2026-04-20 · override rate · 4.59%
Specialty: Req 3 PAN protection · Req 8 MFA · Req 10 logging · Req 11 scanning
ISO 42001 Lead Auditor Agent
ISO 42001 · auditor
SME TBD

Reviews AI Management System clauses against ISO/IEC 42001:2023. Integrates NIST AI RMF (AI 100-1) and Generative AI Profile (AI 600-1) references.

Trained by
— awaiting workspace SME —
ISO 42001 Lead Auditor / CAISS
Calibration: 76%
Artifacts: 264
Findings: 29
2026-04-22 · override rate · 3.03%
Specialty: A.6.1 AI impact assessment · A.7.2 data quality · A.9.2 responsible use
Cross-Framework Mapping Agent
Cross-FW · mapping
SME TBD

Reads one evidence artifact and produces structured cross-framework control mappings with calibrated confidence, evidence type, and auditor-grade rationale.

Trained by
— awaiting workspace SME —
Framework SME Panel
Calibration: 88%
Artifacts: 4,421
Findings: 0
2026-04-23 · override rate · 1.85%
Specialty: Calibrated confidence + evidence typing
Source Library Ingestion Agent
Intake · ingestion
SME TBD

Classifies, dedupes, and extracts requirements from a client's local source folder. Metadata-only (filenames, sizes, timestamps) — contents never leave the browser.

Trained by
— awaiting workspace SME —
CMS zONE-aware SME
Calibration: 82%
Artifacts: 1,029
Findings: 0
2026-04-23 · override rate · 3.3%
Specialty: CMS EDE Year 9 source taxonomy
RAG Artifact Generator
RAG · generator
SME TBD

Drafts policies, procedures, SSP sections, POA&M entries, and control narratives grounded in the client corpus. Inline citation chips. Refuses to generate without source anchor.

Trained by
— awaiting workspace SME —
House-style SME
Calibration: 85%
Artifacts: 631
Findings: 0
2026-04-23 · override rate · 7.45%
Specialty: Auditor-accept score loop (Karpathy)
Gap Analyzer
Gap · gap
SME TBD

Identifies missing, stale, or weak evidence per framework. Proposes a prioritized remediation plan that maximizes cross-framework reuse.

Trained by
— awaiting workspace SME —
Engagement lead SME
Calibration: 80%
Artifacts: 892
Findings: 146
2026-04-23 · override rate · 2.47%
Specialty: Stale/weak/missing evidence triage
Control Testing Agent
Test · testing
SME TBD

Executes auditor-style test procedures against the client's evidence — identifies exactly where the flow fails with cited artifacts and user-level specificity.

Trained by
— awaiting workspace SME —
Senior test-lead SME
Calibration: 74%
Artifacts: 156
Findings: 38
2026-04-23 · override rate · 12.18%
Specialty: Per-step pass/partial/fail with evidence citations
Evidence Reviewer Agent
Review · evidence review
SME TBD

Objective, dispassionate summary of the evidence state per framework. Feeds the Auditor agents for the pre-audit simulation.

Trained by
— awaiting workspace SME —
Framework SME (any)
Calibration: 87%
Artifacts: 3,114
Findings: 0
2026-04-23 · override rate · 0.48%
Specialty: Evidence typing + reuse signal
How the training works

Each ControlFrame agent runs the redline loop: Propose → Act → Evaluate → Reflect → Refine. The named SME reviews a draft, marks their changes, and the agent captures the pattern into a firm-tunable retrieval corpus. Over time, the agent's drafts approach the SME's auditor-accept threshold — without ever replacing the SME's signature. Judgment, sign-off, and accountability stay human.

Agent Registry | ControlFrame