Stop chasing compliance across spreadsheets.
Know what you owe, who owns it, and what proves it is handled. CastleGRC maps every obligation to its owner and its evidence in one place. Built for insurers: carriers, MGAs, and TPAs.
One-click NAIC examiner packet: examiner-ready AI model-validation evidence for your next NAIC or NYDFS review, refreshed every exam cycle.
Outcomes you can take to the examiner, the carrier, and the board.
Exam-ready, not exam-panicked
Hand a NAIC or NYDFS examiner evidence that is already assembled, source-dated, and independently verifiable. Preparation becomes an export, not a fire drill under a deadline.
Every obligation has an owner
Know what you owe, who owns it, and what proves it is handled, across contracts, regulations, vendors, and models, in one connected place instead of scattered spreadsheets.
Proof the other side can check
Signed evidence a carrier or auditor verifies on their own machine, offline, without installing Castle and without taking your word for it.
Cover the AI that acts
Control what your models and agents actually do at the action boundary, with every allow, deny, and block recorded on a tamper-evident chain.
Not another GRC module. An obligation graph.
GRC tools silo vendor risk, policy, and compliance. CastleGRC links them: models, vendors, contracts, regulations, and policies in one connected graph.
Every obligation has an owner and the evidence to prove it.
When the auditor asks, the trail is already there.
When the obligation is trapped between systems, you can't prove it's handled.
- Unmapped. Obligations accepted in contracts and DPAs that compliance never sees.
- Unowned. Gaps with no owner, no control, and no test that closes them.
- Unproven. Evidence scattered across tools when the auditor asks for the source.
Map it once. Prove it forever.
- Map what you owe. Obligations from your contracts, DPAs, SLAs, policies, and regulations, in one place.
- Give each one an owner, a control, and a due date.
- Prove it on demand. Every obligation links to the evidence that satisfies it.
Follow one obligation across every connection.
- Pick a model, vendor, contract, or state and see every obligation it touches.
- Track deadlines and overdue items, owner attached.
- States and regulators are first-class, tracked as reference material, counsel reviewable.
Govern the agents that act, beyond the models you approved.
- Register every agent: what it can reach, what it may do, who signs off.
- Score each action by fixed rules, so high-impact actions are never ungoverned.
- Human in the loop, every decision on the audit trail.
Turn a written rule into one that holds.
- Your AI layer asks CastleGRC before acting, and stops the moment it says no.
- A disallowed tool, data class, vendor, or action never runs.
- Govern the content guardrails you run: every rail decision (jailbreak, toxicity, PII) becomes obligation-mapped, independently verifiable evidence.
A live allow, deny, and block, in under ninety seconds.
This is the real product, not a mockup. Watch Castle authorize an in-policy action, deny regulated data to an unapproved vendor, block a tool outside the agent's declared reach, and catch a forged record on the audit chain.
Most GRC tools track frameworks. CastleGRC connects what you signed to what must be governed.
- Contracts are first-class. The duties buried in your DPAs and SLAs get governed.
- One connected map for vendor risk, policy, and compliance, instead of separate tools.
- Evidence that holds up, traced to a verifiable source, independent of the platforms it governs.
Built for the teams on the hook when the auditor asks.
- AI governance, compliance, and risk leads.
- Vendor risk, legal, privacy, and security teams.
- Insurance carriers, MGAs, and TPAs first.
Pull scattered obligations into governance you can defend.
Connect your sources
Contracts, policies, regulations, and your AI and vendor inventory.
Confirm what matters
Review each candidate obligation and assign it an owner.
Report with proof
Audit-ready and board-ready, with verifiable evidence behind every claim.
CastleGRC is the testing engine. AuditBoard, Workiva, and ServiceNow are your filing cabinet. We pull the AI evidence, stamp it so anyone can verify it, and hand you a workpaper to file in the system of record you already run.
Under the hood.
The detail your security and architecture reviewers will ask for, tucked away so it does not slow down everyone else.
Technical specs and architecture
- Obligation graph. Obligations, owners, controls, evidence, vendors, models, contracts, states, and regimes are nodes in one connected graph, with cross-entity traversal.
- Tamper-evident evidence. Governance events are recorded on a hash-chained log, and every node and edge carries a write-once integrity stamp, so a changed record is detectable.
- Independent verification. Evidence packets verify offline against a deterministic procedure, with optional public anchoring of hashes only. A one-click NAIC examiner packet bundles Exhibits A-D, a signed attestation, the standalone verifier, and a verify-first cover sheet into one portable deliverable the examiner checks offline.
- Deployment. Runs in your environment, with an air-gapped mode that is fail-closed for sensitive data.
- Frameworks. SOC 2, ISO 27001, ISO 42001, NIST AI RMF, and HIPAA, with EU AI Act and GDPR tracked as obligations.
- Content-guardrail governance. Ingest NeMo Guardrails / Llama Guard / Presidio decisions as hash-chained, obligation-mapped evidence; reconcile declared-vs-actual rails.
Early access. Not SOC 2 certified, and no external penetration test yet. Regulatory content is candidate reference material, counsel reviewable, not legal advice.
We are building Castle with our first design partners.
Castle is in early access: built, tested, and honest about it. We do not show logos we have not earned. What we offer instead is a product you can verify yourself, a stage we state plainly, and a seat at the table for the teams shaping it now.
Insurance-first
We go deep on carriers, MGAs, and TPAs before we go wide, so the obligation libraries and exam workflows fit the way your industry is actually examined.
Verifiable, not asserted
Every material claim is checkable. Download a sample examiner packet and verify it offline before you ever talk to us.
Independent by design
Castle governs AI regardless of which platform runs it, and stays neutral toward the tools it sits above. Oversight only counts when it is independent.
Don't take our word for it.
CastleGRC is in early access with no production customers yet. Everything material is checkable first.
- Watch the 90 second demo: a live allow, deny, and block.
- Download a sample one-click NAIC examiner packet (demo data, signed with a demo key), then verify it yourself offline: unzip it, open
00-START-HERE.md, and runpython castle_verify.py packet.json. No Castle install, no trust required. - Verify a packet in your browser: the same castle_verify.py, unmodified, running on a Python runtime compiled to WebAssembly on this site, so checking a packet is one drag and drop with zero install. The packet format itself is an open specification (v0.2 draft), and the verifier is byte-identical to the copy in that public repository.
- Read the architecture and the honest limits.
Bring us the obligation your tools can't connect.
We are working with a small number of design partners, advisors, and channel partners. If you own AI governance, vendor risk, compliance, legal, security, or advisory work for a regulated enterprise, we would like to see the contracts, obligations, approvals, evidence, workflows, and AI systems your current tools cannot connect.