Platform

The audit evidence operating system

ControlFrame turns framework obligations into executable evidence plans, private-runner jobs, validated artifacts, reviewer decisions, and auditor-ready package gates.

Compliance OS: auditor-ready foundation
Beta

Agentic evidence command

Agent roles remain governed evidence work

Framework-shaped agents plan collection, inspect sufficiency, map artifacts, flag redaction risk, and draft reviewer next actions without bypassing human approval.

24 role prompts
11 evidence review roles
  • Agents show control references, evidence references, confidence, and risk flags.
  • Skeptical auditor and security gatekeeper roles keep weak evidence visible.
  • Agent output is positioned as recommendation, not approval.
Operator value: Makes AI useful for audit work because every recommendation stays tied to source evidence and reviewer gates.
Beta

Private runner custody

Credential and raw-evidence boundary

Private runners and approved connectors collect browser, API, cloud, identity, code, ticket, document, and storage evidence while target access stays inside the customer or operator boundary.

Signed runner job packages
Hash artifact custody metadata
  • Runner jobs can be claimed, leased, heartbeated, completed, failed, or retried.
  • Signed upload/download and object storage scaffolds keep artifact access controlled.
  • Demo mode is clearly separated from production evidence collection.
Operator value: Gives regulated teams a defensible path from source system to artifact vault without turning credentials into a SaaS-side shared secret.
Beta

Audit package release gates

Package-grade release discipline

Evidence does not become package-ready because it exists. It moves through source mapping, validation, sensitive-data review, human decisions, manifest checks, and package readiness gates.

Review human acceptance state
Manifest export control surface
  • Package readiness calls out missing, stale, rejected, and sensitive artifacts.
  • Reviewer notes, client-visible notes, and internal notes stay separated.
  • Transfer ZIPs and sandbox data are labeled honestly before export.
Operator value: Turns evidence folders into a controlled release process auditors, clients, and internal reviewers can trust.
Evidence execution chain

Every artifact has a route from obligation to release.

01 Obligation

Source-native requirement

source-bound

CMS EDE source rows and broader framework controls stay visible before collection starts.

02 Plan

Framework-native evidence contract

configured

ControlFrame defines expected artifacts, file formats, owners, due dates, and review gates by control.

03 Collect

Private runner or approved connector

guarded

Collection executes through private runner custody, source-system integrations, or controlled client upload.

04 Vault

Artifact metadata and hash

tracked

Artifacts carry storage references, source, file type, version, hash, sensitivity flags, and chain-of-custody events.

05 Review

Agent scoring plus human decision

human-gated

Agents flag sufficiency and risk. Reviewers accept, reject, request revisions, or hold for redaction.

06 Release

Package readiness and auditor room

release-gated

Only accepted, current, package-eligible evidence moves into manifests, reports, and controlled exports.

Market signal
AI is now table stakes

Competitors market AI assistants, agents, mapping, validation, and remediation. ControlFrame differentiates on governed evidence execution.

300+ integration claims are common

Connector breadth matters, but the premium wedge is whether evidence is mapped, scored, reviewed, packaged, and defensible.

Audit needs source-grade proof

Auditors still need artifacts, provenance, scope, timestamps, reviewer decisions, and package traceability.

Evidence execution layer

Beyond generic GRC

ControlFrame can feed GRC systems while owning the hard work of collecting and defending audit proof.

Regulated-system boundary

Private runner custody

Customer-side collection is the right posture for CMS EDE, healthcare, financial services, federal, and sensitive SaaS audits.

Package-grade artifacts

Auditor defensibility

Evidence scoring, source mapping, redaction, hash checks, and human gates turn artifacts into a reviewable package.

Framework intelligence fabric

Third-party frameworks share one evidence spine without pretending every module is equally deep.

CMS EDE stays the active showcase. Other frameworks are presented as maturity-labeled intelligence, planning, and evidence reuse lanes.
Active showcase

CMS EDE active wedge

Deep source-native CMS EDE evidence collection, private-runner workflow, evidence package gates, and sandbox agent demo.

source rows, browser flows, API artifacts, redaction gates, package readiness
Next seed

Enterprise framework expansion

SOC 2, HIPAA, HITRUST, PCI, ISO, NIST, FedRAMP, CMMC, and AI governance move through the same evidence execution chain.

access reviews, change evidence, risk analysis, vulnerability evidence, control reuse
Planned intelligence

Integration and export fabric

Jira, GitHub, ServiceNow, S3-compatible storage, SharePoint, Google Drive, Slack, Teams, Confluence, and report exports are modeled as governed evidence channels.

ticketing, source control, object storage, collaboration, auditor exports