AI, agent, and vendor inventory
A governed inventory of AI systems, agents, vendors, models, owners, data touched, tools accessed, and approval status.
The concrete outputs of an assessment, mapped to each other and provenance-stamped, followed by a complete worked example: one obligation traced from a signed contract to an enforced control to evidence an auditor can re-verify.
Every assessment produces concrete artifacts mapped to each other and provenance-stamped, so you can move from "what did we accept?" to "what do we owe?" to "who owns it?" to "what is allowed?" to "what proves it?" in one pass.
A governed inventory of AI systems, agents, vendors, models, owners, data touched, tools accessed, and approval status.
Every obligation from your contracts, DPAs, SLAs, regulations, standards, and control requirements, connected to the owners and controls that satisfy it.
DPA §7.2 → Encryption at rest → AES-256 controlThe specific controls each obligation demands, mapped across SOC 2, ISO 27001, ISO 42001, NIST AI RMF, and HIPAA, with EU AI Act and GDPR tracked as obligations, each tied to its risk level, owner, evidence, and remediation status.
Open gaps turned into assigned work, each with an owner, due date, workflow status, and test that confirms it is closed.
Gap · owner · due date · retest → closedEvery obligation, finding, and control carries a chain-of-custody your auditor can re-verify independently.
evidence · SHA-256 a3f4…c001 · verified ✓One export that shows leadership, auditors, and customers what you owe, who owns it, what is open, and what is proven met, with ready-made views for board AI risk, vendor AI exposure, high-risk systems, agent governance, and remediation status. Reports are generated from mapped obligations, controls, approvals, evidence, exceptions, workflows, and activity history.
by obligation · owner · status · proven metAn insurance example, end to end: an MGA books-and-records clause triaged to a NAIC or NYDFS obligation, then mapped to controls, evidence, a governed AI agent, and a board-ready report, all from a single assessment.
Illustrative sample output, not customer data"The MGA shall maintain complete books and records of all delegated underwriting and claims activity, including any AI systems used, and make them available to the carrier and its regulators on request."
Candidate obligationMaintain records of AI use in underwriting/claims and produce them on examiner request. Candidate mapping to NAIC AI Model Bulletin §4 (documentation) & NYDFS Circular Letter 7. Counsel-reviewable, not legal advice.
SourcesClaims Triage Agent that routes incoming claims to the right adjuster queue, drafts a recommended disposition, and flags suspected fraud for human review.
Tools it can callAutonomous adverse claim decisions are blocked. The agent may recommend; a person approves before any customer-facing action.
| Task | Owner | Due date | Status |
|---|---|---|---|
| Assign control owner | Compliance | This week | Ready for review |
| Collect vendor retention evidence | Vendor Risk | 30 days | Evidence needed |
| Confirm encryption coverage | Security | Q2 review | In progress |
| Schedule quarterly access review | Compliance | Next review cycle | Open |
| Generate audit-ready summary | Legal | Q2 review | Open |
| Evidence | Source | Control | Status |
|---|---|---|---|
| AI system inventory export | MGA agmt | AI inventory | Verified |
| Records retention schedule | Books & records | Retention | Needed |
| Exam-readiness packet | NAIC / NYDFS | Exam-readiness | In progress |
| Delegated-authority log | Oversight | Oversight | Verified |
| Policy acknowledgement | AI Policy | Governance | Verified |
Watch the ninety second demo, or bring us one contract and we will show you the full pass live.