EU AI Act
Annex III high-risk articles, Articles 9-15 risk management and transparency, Art. 27 fundamental rights impact assessment, Art. 50 user disclosure templates. Audit package structures the customer's pre-Aug-2 evidence position.
A readable view of recent KoraSafe™ ships, grouped by product milestone. Customer-facing changes only.
PHI minimum-necessary detection grounded in §164.502(b), evidence package framing, BAA preparation alongside SOC 2 Type I. Healthcare solutions surface and trust-security disclosures both reflect the live platform.
Dedicated extraction prompt covering definitions, governance, risk management, vendor oversight, consumer notices, documentation, and regulatory disclosure. Audit package, vendor attestation log (§2.3), and consumer disclosure surfaces all live.
DPIA workflow, records of processing activities, breach notification API, Art. 25 privacy-by-design checklist, sector pack mapping. Lawful-basis register in Preview.
Adverse-action records linked to fairness findings, per-state adoption catalog (CO, CT, IL, OH, PA, TN, UT pre-seeded), vendor attestation log. Carriers in NAIC-adopting states get the audit artifacts an examiner will ask for, in one place.
Org-level Data Protection Officer designation per Articles 37-39, Article 9 special-category PII tagging, and EU AI Act PDF compliance report export. Controllers running KoraSafe™ under GDPR get the designation surface and the tagging spine.
Bundled governance artifacts with cryptographic integrity signatures so an auditor can verify offline. Each packet includes policy versions, finding lifecycles, control evaluations, and the audit chain.
Time-boxed magic-link invitations, eight-hour session tokens, ninety-day access window. Phase 1 shipped single-customer scope; Phase 2A then added multi-customer engagement across orgs under one auditor-firm grant. Auditor-firm SSO follows in Phase 2B.
AI systems carry a SOC 2 scope flag. Audit findings annotate the Trust Services Criterion they support.
Tamper-evident hash chaining with periodic checkpoints. A signed verifier endpoint lets downstream auditors confirm the chain has not been edited since the prior verification.
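An added illustration (not KoraSafe's code) of the pattern this card describes: each entry commits to the previous entry's hash, a periodic checkpoint signs the chain head, and a verifier recomputes every link and re-checks each checkpoint. The HMAC key, record layout and checkpoint interval are assumptions.

```python
import hashlib
import hmac
import json

# Constructed illustration (not KoraSafe's code); the key, record layout and checkpoint interval are assumptions.
CHECKPOINT_KEY = b"constructed-demo-key"  # in practice a KMS/HSM-held key
def _digest(record: dict) -> str:
    # Canonical JSON so identical records always hash identically, regardless of key order.
    return hashlib.sha256(json.dumps(record, sort_keys=True, separators=(",", ":")).encode()).hexdigest()
def _checkpoint_sig(length: int, head: str) -> str:
    return hmac.new(CHECKPOINT_KEY, f"{length}:{head}".encode(), "sha256").hexdigest()

def append(chain: list, event: dict) -> dict:
    """Append an event, binding it to the previous entry's hash."""
    prev_hash = chain[-1]["hash"] if chain else "0" * 64
    entry = {"seq": len(chain), "event": event, "prev_hash": prev_hash}
    entry["hash"] = _digest(entry)
    chain.append(entry)
    return entry

def checkpoint(chain: list) -> dict:
    """Sign the chain head so later rewrites of earlier entries are detectable."""
    return {"length": len(chain), "sig": _checkpoint_sig(len(chain), chain[-1]["hash"])}

def verify(chain: list, checkpoints: list) -> tuple[bool, str]:
    """Recompute every link, then confirm each checkpoint still matches the chain."""
    prev_hash = "0" * 64
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev_hash"] != prev_hash:
            return False, f"link broken at seq {i}"
        body = {k: v for k, v in entry.items() if k != "hash"}
        if _digest(body) != entry["hash"]:
            return False, f"hash mismatch at seq {i}"
        prev_hash = entry["hash"]
    for cp in checkpoints:
        if cp["length"] > len(chain):
            return False, f"chain truncated below checkpoint at {cp['length']}"
        expected = _checkpoint_sig(cp["length"], chain[cp["length"] - 1]["hash"])
        if not hmac.compare_digest(expected, cp["sig"]):
            return False, f"checkpoint at length {cp['length']} no longer matches"
    return True, "ok"

def build_chain(n_events: int, every: int) -> tuple[list, list]:
    chain, cps = [], []  # constructed sample: n finding events, a checkpoint every `every`
    for i in range(n_events):
        append(chain, {"type": "finding.state_changed", "finding_id": f"F-{i}"})
        if len(chain) % every == 0:
            cps.append(checkpoint(chain))
    return chain, cps
```

A silent edit of one historical record breaks its own hash; a full consistent rewrite of the chain passes the link check but fails against the earlier signed checkpoint.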
In-platform BAA portfolio: vendor counterparties, scope of PHI, renewal dates, active status. Automated alerts fire ahead of renewal dates; every state transition writes an audit entry. Coverage maps to HIPAA §164.314(a)(1) organizational requirements.
Every finding now links directly to the regulatory article that triggered it. Following the chain leads from finding to obligation to source span. Auditors get a deterministic answer to "which regulation drove this?"
Guardian findings auto-bucket into HIPAA Safeguards: §164.308 administrative, §164.310 physical, §164.312 technical, §164.314(a) BAA. The HIPAA evidence packet pulls the buckets directly, so audit-ready findings show up under the safeguard an examiner expects. Mapper service live; the mapping reference table lands alongside the next packet refresh.
The governance event stream now reliably persists every event with per-tenant isolation and deduplication, so retries never produce duplicate records. Webhooks are cryptographically signed and retry automatically on failure. Register a webhook endpoint via the API or the admin console.
Generate regulator-readable audit packages keyed by sector pack. The hc-us variant carries HIPAA evidence; the fin-us variant carries NAIC Model Bulletin + SR 11-7 + ECOA evidence. JSON by default, regulator-readable PDF on request, 90-day rolling window by default. Same endpoint also serves framework-keyed variants (EU AI Act, GDPR, NIST AI RMF, ISO 42001, SOC 2, NAIC, HIPAA).
Independent security review returned zero critical findings. Database access controls, row-level isolation, and function scoping all passed in full.
Opt-in cohort signals comparing governance maturity, finding rates, and control coverage across sector, size band, and region. Privacy-preserving anonymization enforced before any signal release. Backend live; Preview distribution.
The remediation_close_rate benchmark now counts only findings that reach the verified closed state. Findings marked resolved but not yet verified closed remain visible in findings workflows, but no longer inflate the quarterly peer-benchmarking close-rate snapshot.
A Factor Analysis of Information Risk (FAIR) Monte Carlo layer now sits in front of the existing adaptive risk score. The factor breakdown UI surfaces loss event frequency and loss magnitude factors on the score breakdown page, with low / mode / high values plus confidence and source signal per factor. This gives quantitative loss-magnitude framing for systems where ordinal scales are insufficient.
Persisted vendor AI attestations for sub-processors, with retention metadata and audit-package inclusion. Available to insurers under NAIC Model Bulletin obligations.
Each organization sets retention windows for findings, audit logs, and evidence packets between 30 and 3,650 days. Defaults: three years for findings, seven years for evidence packets.
Discoveries land in a review inbox with the matched evidence span, file path, and commit reference. Analysts register, dismiss with reason, escalate, or mark experimental. Every state transition writes an audit entry.
Board-ready PDF export of the governance index with weighted components, snapshot hash, and methodology pinning. Download from the governance index Methodology screen. Quarterly scheduled recompute keeps boardroom cadence even when nothing else moves.
Platform-side read of every registered edge agent for an organization with last-seen timestamp, cert serial, and a connected / stale / offline state. Customer-cloud edge agent in Preview, with operator UI shipping alongside.
One auditor firm can review evidence across multiple customer organizations under a single grant, with per-engagement scopes preserved. Cross-tenant RLS keeps each customer isolated. Auditor firm SSO follows in Phase 2B once a Big 4 IdP onboards.
Every meaningful state change emits a governance event: a finding state transition, a risk score crossing a threshold, an attestation lapsing. The GET /api/governance-events endpoint serves the org's event stream with filtering by event_type, finding_id, and pagination. The polling endpoint is live.
Inside a magic-link auditor session, the firm sees every engagement packet they've been granted for the current customer, not just one. Powers the multi-packet picker in the auditor portal UI. Cross-tenant RLS enforces that an auditor browsing engagement A can never see engagement B without an explicit grant.
The JetBrains plugin is live for IntelliJ IDEA, PyCharm, WebStorm, GoLand, RubyMine, and AppCode. Local analysis by default; cloud checks opt-in. Install from Settings > Plugins > Marketplace by searching KoraSafe Governance, or visit the Marketplace listing. The VS Code and Chrome extensions are available via direct install on GitHub.
Detection-governance pages now list only Presidio, Portkey, and LangSmith (the connectors that actually ship). Bedrock, Lakera, and Azure Content Safety claims removed from product pages and the platform Live preview.
Security-primitives page now distinguishes platform-layer encryption at rest from application-layer per-tenant key wrapping (roadmap), and edge-agent client-cert mTLS from internal service-to-service mTLS.
Shadow AI discovery now names the live source (VS Code extension and repo scans) and enumerates roadmap sources (identity, spend, browser, procurement) explicitly. Native telemetry shipper is on the near-term roadmap.
Coverage map rewrites across guide, standards, podcasts, and agent.json so the post-enforcement language reflects what KoraSafe™ actually maps versus what is not yet covered.
Risk-assessment 'On run' tile updated to 'Quarterly snapshot' to reflect the scheduled recompute. Methodology pages now reference the quarterly snapshot alongside the event-driven recompute path.
Peer benchmarking page no longer claims differential privacy as the privacy model. The actual primitive is privacy-preserving anonymization (cohort size >=5), enforced at query time with cohort-suppression below the threshold. Peer benchmarking backend ships that model; the page now matches.
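An added example (not KoraSafe's code) of query-time cohort suppression at the stated minimum cohort size of 5. It goes one step beyond the card by also withholding a sector total when exactly one of its size bands is suppressed, since the hidden band could otherwise be recovered by subtraction. Row layout, metric name and sample values are constructed.

```python
from collections import defaultdict
from statistics import mean

# Constructed illustration (not KoraSafe's code) of query-time cohort suppression at the
# stated minimum cohort size; row layout, metric and sample values are assumptions.
MIN_COHORT = 5

# Constructed opt-in rows: (org id, sector, size band, remediation close rate).
ROWS = (
    [(f"hc-{i}", "healthcare", "mid", 0.60 + 0.02 * i) for i in range(6)]
    + [(f"hc-{i}", "healthcare", "large", 0.70 + 0.01 * i) for i in range(6, 9)]
    + [(f"ins-{i}", "insurance", "mid", 0.50 + 0.05 * i) for i in range(7)]
)

def _stats(values: list) -> dict:
    return {"n": len(values), "mean": round(mean(values), 4)}

def benchmarks(rows: list, min_cohort: int = MIN_COHORT) -> dict:
    """Cohort means keyed by (sector, size band) and (sector, "*") for the sector total.

    A cohort with fewer than min_cohort members is released as None. The sector total is
    also withheld when exactly one of its size bands is suppressed, because otherwise
    total minus the released bands would recover the suppressed band by subtraction.
    """
    by_band, by_sector = defaultdict(list), defaultdict(list)
    for _org, sector, size, rate in rows:
        by_band[(sector, size)].append(rate)
        by_sector[sector].append(rate)
    out = {}
    for sector, values in by_sector.items():
        bands = {s: v for (sec, s), v in by_band.items() if sec == sector}
        released = {s for s, v in bands.items() if len(v) >= min_cohort}
        suppressed = set(bands) - released
        for s, v in bands.items():
            out[(sector, s)] = _stats(v) if s in released else None
        differencing_risk = len(suppressed) == 1 and bool(released)
        total_ok = len(values) >= min_cohort and not differencing_risk
        out[(sector, "*")] = _stats(values) if total_ok else None
    return out
```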
This page covers customer-facing changes worth surfacing, grouped by milestone rather than calendar week. New cards appear when there's enough of substance; quiet weeks are quiet on purpose.
For a dated commit-level view, see the GitHub history. For platform announcements, watch the blog. For product feedback, email Contact-us@korasafe.ai.