Product

What Castle gives your team.

The concrete outputs of an assessment, mapped to each other and provenance-stamped, followed by a complete worked example: one obligation traced from a signed contract to an enforced control to evidence an auditor can re-verify.

01 What you get

The outputs Castle gives your team.

Every assessment produces concrete artifacts mapped to each other and provenance-stamped, so you can move from "what did we accept?" to "what do we owe?" to "who owns it?" to "what is allowed?" to "what proves it?" in one pass.

01

AI, agent, and vendor inventory

A governed inventory of AI systems, agents, vendors, models, owners, data touched, tools accessed, and approval status.

02

Contract, regulatory, and control obligation map

Every obligation from your contracts, DPAs, SLAs, regulations, standards, and control requirements, connected to the owners and controls that satisfy it.

DPA §7.2 Encryption at rest AES-256 control
03

Required controls

The specific controls each obligation demands, mapped across SOC 2, ISO 27001, ISO 42001, NIST AI RMF, and HIPAA, with EU AI Act and GDPR tracked as obligations, each tied to its risk level, owner, evidence, and remediation status.

04

Owner-assigned remediation workflow

Open gaps turned into assigned work, each with an owner, due date, workflow status, and test that confirms it is closed.

Gap · owner · due date · retest closed
05

Evidence & provenance trail

Every obligation, finding, and control carries a chain-of-custody your auditor can re-verify independently.

evidence · SHA-256 a3f4…c001 · verified ✓
06

Audit-ready and board-ready reporting

One export that shows leadership, auditors, and customers what you owe, who owns it, what is open, and what is proven met, with ready-made views for board AI risk, vendor AI exposure, high-risk systems, agent governance, and remediation status. Reports are generated from mapped obligations, controls, approvals, evidence, exceptions, workflows, and activity history.

by obligation · owner · status · proven met
02 Worked example

One obligation, fully governed.

An insurance example, end to end: an MGA books-and-records clause triaged to a NAIC or NYDFS obligation, then mapped to controls, evidence, a governed AI agent, and a board-ready report, all from a single assessment.

Illustrative sample output, not customer data
Obligation Map / assessment / obligation #1 High priority
Detected clause (MGA delegated-authority agreement)

"The MGA shall maintain complete books and records of all delegated underwriting and claims activity, including any AI systems used, and make them available to the carrier and its regulators on request."

Candidate obligation

Maintain records of AI use in underwriting/claims and produce them on examiner request. Candidate mapping to NAIC AI Model Bulletin §4 (documentation) & NYDFS Circular Letter 7. Counsel-reviewable, not legal advice.

Sources
MGA agreementNAIC AI BulletinNYDFS CL-7AI Policy
Mapped controls
AI system inventoryRecords retentionExam-readiness packetLoggingDelegated-authority oversight
Duty typeExpects (regulator guidance) OwnerCompliance / Market Conduct Sources4 documents Controls5 mapped StatusHigh priority
Insurance obligation graph · candidate clause → obligation → control → evidenceIllustrative sample data
Agent Governance / assessment / agent #1 Human approval required
Governed agent

Claims Triage Agent that routes incoming claims to the right adjuster queue, drafts a recommended disposition, and flags suspected fraud for human review.

Tools it can call
ClaimCenter APIEmailDocument store
Data it can access
Policyholder PIIClaims records
Actions allowed
CategorizeRouteFlag for review
Risk tierTier 1 · high AutonomyRecommends, does not decide Human approvalRequired before any claim action EscalationClaims Operations Lead LoggingOn OwnerClaims
Policy decision

Autonomous adverse claim decisions are blocked. The agent may recommend; a person approves before any customer-facing action.

Agent reach → allowed actions → human in the loop, on the obligation graphIllustrative sample data
Remediation Plan 5 tasks
TaskOwnerDue dateStatus
Assign control ownerComplianceThis weekReady for review
Collect vendor retention evidenceVendor Risk30 daysEvidence needed
Confirm encryption coverageSecurityQ2 reviewIn progress
Schedule quarterly access reviewComplianceNext review cycleOpen
Generate audit-ready summaryLegalQ2 reviewOpen
2 open · 1 in progress · 1 evidence · 1 readyIllustrative sample data
Evidence Trail provenance log
EvidenceSourceControlStatus
AI system inventory exportMGA agmtAI inventoryVerified
Records retention scheduleBooks & recordsRetentionNeeded
Exam-readiness packetNAIC / NYDFSExam-readinessIn progress
Delegated-authority logOversightOversightVerified
Policy acknowledgementAI PolicyGovernanceVerified
Provenance: AI system inventory export
Source documentMGA agreement, books-and-records clause Control mappedAI system inventory + records retention OwnerCompliance / Market Conduct Review periodQuarterly · current Evidence statusVerified HashSHA-256 a3f4…c001 ✓
3 verified · 1 in progress · 1 neededIllustrative sample data
Board-Ready Report / export / executive summary one-click export
7
High-priority AI / vendor obligations
4
Open remediation items
3
Control areas missing evidence
Audit-ready control coverage82%
Owner accountabilitySecurity 5 · Compliance 3 (assigned) Review cadenceQuarterly
Generated from the obligation graphSample figures for illustration only

See it on your own obligations.

Watch the ninety second demo, or bring us one contract and we will show you the full pass live.

Talk to Castle