The obligation graph for AI governance

Stop chasing compliance across spreadsheets.

Know what you owe, who owns it, and what proves it is handled. CastleGRC maps every obligation to its owner and its evidence in one place. Built for insurers: carriers, MGAs, and TPAs.

For insurers

One-click NAIC examiner packet: examiner-ready AI model-validation evidence for your next NAIC or NYDFS review, refreshed every exam cycle.

Obligation graph live mapping
For risk, compliance, and the board

Outcomes you can take to the examiner, the carrier, and the board.

Exam readiness

Exam-ready, not exam-panicked

Hand a NAIC or NYDFS examiner evidence that is already assembled, source-dated, and independently verifiable. Preparation becomes an export, not a fire drill under a deadline.

Ownership

Every obligation has an owner

Know what you owe, who owns it, and what proves it is handled, across contracts, regulations, vendors, and models, in one connected place instead of scattered spreadsheets.

Verifiable proof

Proof the other side can check

Signed evidence a carrier or auditor verifies on their own machine, offline, without installing Castle and without taking your word for it.

AI oversight

Cover the AI that acts

Control what your models and agents actually do at the action boundary, with every allow, deny, and block recorded on a tamper-evident chain.

The difference

Not another GRC module. An obligation graph.

GRC tools silo vendor risk, policy, and compliance. CastleGRC links them: models, vendors, contracts, regulations, and policies in one connected graph.

Every obligation has an owner and the evidence to prove it.
When the auditor asks, the trail is already there.

Governs the AI and cloud you already run
01 The cost

When the obligation is trapped between systems, you can't prove it's handled.

02 How it works

Map it once. Prove it forever.

The graph advantage

Follow one obligation across every connection.

Agentic AI

Govern the agents that act, beyond the models you approved.

Runtime enforcement

Turn a written rule into one that holds.

See it work

A live allow, deny, and block, in under ninety seconds.

This is the real product, not a mockup. Watch Castle authorize an in-policy action, deny regulated data to an unapproved vendor, block a tool outside the agent's declared reach, and catch a forged record on the audit chain.

Real terminal output and operator console. Built and tested, early access.
03 Why it is different

Most GRC tools track frameworks. CastleGRC connects what you signed to what must be governed.

04 Who it is for

Built for the teams on the hook when the auditor asks.

Built to connect to where AI already happens
05 Getting started

Pull scattered obligations into governance you can defend.

01

Connect your sources

Contracts, policies, regulations, and your AI and vendor inventory.

02

Confirm what matters

Review each candidate obligation and assign it an owner.

03

Report with proof

Audit-ready and board-ready, with verifiable evidence behind every claim.

CastleGRC is the testing engine. AuditBoard, Workiva, and ServiceNow are your filing cabinet. We pull the AI evidence, stamp it so anyone can verify it, and hand you a workpaper to file in the system of record you already run.

For the technical buyer

Under the hood.

The detail your security and architecture reviewers will ask for, tucked away so it does not slow down everyone else.

Technical specs and architecture
  • Obligation graph. Obligations, owners, controls, evidence, vendors, models, contracts, states, and regimes are nodes in one connected graph, with cross-entity traversal.
  • Tamper-evident evidence. Governance events are recorded on a hash-chained log, and every node and edge carries a write-once integrity stamp, so a changed record is detectable.
  • Independent verification. Evidence packets verify offline against a deterministic procedure, with optional public anchoring of hashes only. A one-click NAIC examiner packet bundles Exhibits A-D, a signed attestation, the standalone verifier, and a verify-first cover sheet into one portable deliverable the examiner checks offline.
  • Deployment. Runs in your environment, with an air-gapped mode that is fail-closed for sensitive data.
  • Frameworks. SOC 2, ISO 27001, ISO 42001, NIST AI RMF, and HIPAA, with EU AI Act and GDPR tracked as obligations.
  • Content-guardrail governance. Ingest NeMo Guardrails / Llama Guard / Presidio decisions as hash-chained, obligation-mapped evidence; reconcile declared-vs-actual rails.

Early access. Not SOC 2 certified, and no external penetration test yet. Regulatory content is candidate reference material, counsel reviewable, not legal advice.

Now onboarding design partners

We are building Castle with our first design partners.

Castle is in early access: built, tested, and honest about it. We do not show logos we have not earned. What we offer instead is a product you can verify yourself, a stage we state plainly, and a seat at the table for the teams shaping it now.

Insurance-first

We go deep on carriers, MGAs, and TPAs before we go wide, so the obligation libraries and exam workflows fit the way your industry is actually examined.

Verifiable, not asserted

Every material claim is checkable. Download a sample examiner packet and verify it offline before you ever talk to us.

Independent by design

Castle governs AI regardless of which platform runs it, and stays neutral toward the tools it sits above. Oversight only counts when it is independent.

Verify it yourself

Don't take our word for it.

CastleGRC is in early access with no production customers yet. Everything material is checkable first.

Get in touch

Bring us the obligation your tools can't connect.

We are working with a small number of design partners, advisors, and channel partners. If you own AI governance, vendor risk, compliance, legal, security, or advisory work for a regulated enterprise, we would like to see the contracts, obligations, approvals, evidence, workflows, and AI systems your current tools cannot connect.

Design partners GRC co-founder / advisor Channel & white-label