Immutable audit trail for AI governance.

Every finding traces back through the rule that fired, the control it satisfies, and the regulation article it cites. Every AI system in your registry carries a provenance record, a signed software bill of materials, and a known-vulnerability scan. Every auditor session is time-boxed, scoped, and revocable. One platform, one chain, three audiences (your governance team, your auditor, your regulator).

Trace: finding to citation

Every finding carries the rule, the control, and the regulation clause it touches.

Logs explain what happened. An audit trace explains accountability, which is what auditors and regulators actually ask for. Each finding chains through at least four hops: the rule or guardian that fired, the control it supports, the framework clause it cites, and the model version that produced it. The chain is hash-linked and tamper-evident on the record itself, so any external auditor can verify it independently, without a platform account.

Finding to rule

Each finding names the exact policy rule or guardian condition that fired, with the input context that triggered it.

Rule to control

The rule maps to the control it satisfies, by control ID. Your control owners see what evidence each control is accruing in real time.

Control to framework

Each control carries article-level citations and cross-framework mappings (EU AI Act, GDPR, ISO 42001, SR 11-7, NIST AI RMF), so one control can satisfy obligations under several frameworks at once.

Break-glass trace

Dual-approval emergency exceptions keep their own trace, separate from the main chain. When something gets bypassed in production, the audit record shows what was bypassed, which two approvers signed off, when, and why.
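To make the four-hop trace and the separate break-glass chain concrete, here is an added example of a hash-linked, tamper-evident audit chain. It is illustrative code written for this page, not KoraSafe's schema or implementation: the record layout, the field names (rule_id, control_id, framework_clause, model_version), the sample rule names and citations, and the verification function are all assumptions. Each record commits to the previous record's hash, so changing or deleting any earlier record breaks every later link, and anyone holding the exported records can re-run the check with no secret.

```python
"""Hash-chained four-hop finding trace (illustrative; not KoraSafe's schema)."""
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64
REQUIRED_HOPS = ("rule_id", "control_id", "framework_clause", "model_version")


def canonical(obj) -> bytes:
    # Deterministic encoding (sorted keys, no whitespace) so hashes are stable.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_hash(body: dict, prev_hash: str) -> str:
    # Each hash covers the body AND the previous hash: that is the chain link.
    return hashlib.sha256(canonical({"prev": prev_hash, "body": body})).hexdigest()


@dataclass
class Chain:
    name: str
    records: list = field(default_factory=list)

    def append(self, body: dict) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        rec = {"seq": len(self.records), "prev": prev, "body": body,
               "hash": record_hash(body, prev)}
        self.records.append(rec)
        return rec

    def verify(self):
        """Return (ok, index of first bad record or -1). Needs no secret, so an
        external auditor can run it over an exported chain independently."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or rec["hash"] != record_hash(rec["body"], rec["prev"]):
                return False, i
            prev = rec["hash"]
        return True, -1


def finding(rule_id, control_id, framework_clause, model_version, input_context):
    # Hypothetical finding body: the four hops plus the context that fired the rule.
    return {"kind": "finding", "rule_id": rule_id, "control_id": control_id,
            "framework_clause": framework_clause, "model_version": model_version,
            "input_context": input_context}


def trace(rec: dict) -> dict:
    """Walk the four hops of one finding; refuse a finding with a hop missing."""
    body = rec["body"]
    missing = [h for h in REQUIRED_HOPS if not body.get(h)]
    if missing:
        raise ValueError(f"finding {rec['seq']} is missing hops: {missing}")
    return {h: body[h] for h in REQUIRED_HOPS}


def demo():
    main = Chain("main")
    glass = Chain("break-glass")   # emergency exceptions live on their own chain
    # Constructed sample data; rule names, control IDs and citations are placeholders.
    f1 = main.append(finding("pii-in-prompt", "CTL-012", "GDPR Art. 32",
                             "support-bot@2.3.1", {"field": "prompt", "detector": "email"}))
    main.append(finding("toxicity-threshold", "CTL-007", "EU AI Act Art. 9",
                        "support-bot@2.3.1", {"score": 0.91}))
    glass.append({"kind": "break_glass", "bypassed_rule": "toxicity-threshold",
                  "approvers": ["alice", "bob"], "reason": "incident INC-42 hotfix"})
    # Tamper with the first finding's control mapping on a copy; verify() pinpoints it.
    tampered = Chain("main", [json.loads(json.dumps(r)) for r in main.records])
    tampered.records[0]["body"]["control_id"] = "CTL-999"
    return trace(f1), main.verify(), glass.verify(), tampered.verify()


if __name__ == "__main__":
    print(demo())
```

The verification needs only the exported records and the hash function, which is the property that lets an auditor check the chain without trusting the platform that produced it. A signature over the latest hash (not shown) is what would additionally prove who sealed the chain and when.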

Supply-chain provenance + SBOMs

Which model, from where, with what known issues.

Procurement teams, regulators, and security reviewers all want the same answer: what's in the AI supply chain, where it came from, what's known about it. KoraSafe captures provenance per AI system, generates signed CycloneDX 1.5 SBOMs, matches against NVD and OSV vulnerability feeds, and scores vendor risk on a versioned rubric.

CycloneDX 1.5 SBOMs, signed

Signed SBOMs per provenance record in the CycloneDX 1.5 format. SHA-256 component hashes and SPDX license identifiers where the upstream source supplies them.

NVD and OSV vulnerability matching

CVEs from NVD and package advisories from OSV are matched against the captured provenance, and each match carries a confidence level: exact, inferred, or false-positive. Each match then moves through triage states: new, reviewed, mitigated, and won't-fix.
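As an added example for the two points above (a CycloneDX 1.5 SBOM with SHA-256 hashes and SPDX license ids only where known, and advisory matching with confidence levels and triage states), here is illustrative Python that is not KoraSafe's code. The SBOM layout follows the public CycloneDX 1.5 JSON schema; the matching rules for exact, inferred and false-positive, the triage state machine, the naive version ordering, and the component and advisory records are this example's own assumptions, and the advisory IDs are constructed, not real CVEs.

```python
"""CycloneDX 1.5 SBOM plus OSV-style matching (illustrative; not KoraSafe's code)."""
import hashlib
import json
import uuid
from datetime import datetime, timezone

TRIAGE_STATES = ("new", "reviewed", "mitigated", "wont_fix")


def component(name, version, ecosystem, content: bytes, license_id=None):
    """One CycloneDX component. The SHA-256 is over the artifact bytes fetched;
    the SPDX license id is emitted only when the upstream source supplied one."""
    comp = {"type": "library", "name": name, "version": version,
            "purl": f"pkg:{ecosystem}/{name}@{version}",
            "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(content).hexdigest()}]}
    if license_id:
        comp["licenses"] = [{"license": {"id": license_id}}]
    return comp


def sbom(system, version, components):
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "serialNumber": f"urn:uuid:{uuid.uuid4()}",
            "metadata": {"timestamp": datetime.now(timezone.utc).isoformat(),
                         "component": {"type": "machine-learning-model",
                                       "name": system, "version": version}},
            "components": components}


def sbom_digest(doc) -> str:
    """Digest over the canonical encoding: the value a detached signature would
    cover. The signing step itself is not shown here."""
    return hashlib.sha256(json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def vtuple(v: str):
    # Naive numeric ordering; real matching needs ecosystem-aware version rules.
    return tuple(int(p) for p in v.split("."))


def match(components, advisories):
    """Return (advisory_id, purl, confidence) triples.
    exact: same ecosystem and name, version inside a stated [introduced, fixed) range
    inferred: same ecosystem and name, but the advisory gives no evaluable range
    false_positive: name collision in another ecosystem (flagged, not silently dropped)"""
    hits = []
    for c in components:
        eco = c["purl"][len("pkg:"):].split("/", 1)[0].lower()
        v = vtuple(c["version"])
        for adv in advisories:
            for a in adv["affected"]:
                if a["package"]["name"].lower() != c["name"].lower():
                    continue
                if a["package"]["ecosystem"].lower() != eco:
                    hits.append((adv["id"], c["purl"], "false_positive"))
                    continue
                ranges = a.get("ranges", [])
                if not ranges:
                    hits.append((adv["id"], c["purl"], "inferred"))
                    continue
                for r in ranges:
                    intro = fixed = None
                    for e in r["events"]:
                        intro = vtuple(e["introduced"]) if "introduced" in e else intro
                        fixed = vtuple(e["fixed"]) if "fixed" in e else fixed
                    if intro is not None and v >= intro and (fixed is None or v < fixed):
                        hits.append((adv["id"], c["purl"], "exact"))
                        break
    return hits


def triage(hits):
    """Every fresh hit starts in 'new'; set_state validates each transition."""
    return {(adv, purl): "new" for adv, purl, _ in hits}


def set_state(board, key, state):
    if state not in TRIAGE_STATES:
        raise ValueError(f"unknown triage state {state!r}")
    if key not in board:
        raise KeyError(key)
    board[key] = state
    return board


# Constructed sample inputs: fake artifact bytes and fake advisories.
COMPONENTS = [
    component("transformers", "4.30.0", "pypi", b"wheel-bytes-1", "Apache-2.0"),
    component("tokenizers", "0.13.3", "pypi", b"wheel-bytes-2"),   # license unknown
]
ADVISORIES = [
    {"id": "EX-2024-0001", "affected": [{"package": {"ecosystem": "PyPI", "name": "transformers"},
     "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "4.31.0"}]}]}]},
    {"id": "EX-2024-0002", "affected": [{"package": {"ecosystem": "PyPI", "name": "tokenizers"}}]},
    {"id": "EX-2024-0003", "affected": [{"package": {"ecosystem": "npm", "name": "transformers"},
     "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}]}]},
]

if __name__ == "__main__":
    print(sbom_digest(sbom("support-bot", "2.3.1", COMPONENTS)))
    print(match(COMPONENTS, ADVISORIES))
```

The false-positive bucket is deliberately kept as a visible match rather than filtered out: a reviewer can move it to won't-fix with a reason, and the decision then sits in the trace instead of vanishing in a matcher heuristic.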

Vendor risk scoring on a versioned rubric

Each model scores against named drivers: lineage gaps, missing system cards, lifecycle warnings, license unknowns, active vulnerability exposure, metadata freshness. Bands run low through critical so risk committees can compare across models.

Provider provenance ingest

Hugging Face, OpenAI, and Anthropic provenance records normalize into one record shape. Vulnerability matching is wired for Hugging Face today; OpenAI and Anthropic match-paths follow as their advisory streams stabilize.

Auditor portal: time-boxed external access

Your auditor reads the evidence; never needs a platform account.

When you invite an external auditor, they get magic-link access to the evidence packets you scoped, no platform account required. Sessions expire after eight hours of inactivity; access windows close after ninety days; you can revoke either at any moment. Single-customer and multi-customer engagements run today.

01 Magic-link invitations

Customer admins invite auditors by email. The auditor clicks once, gets a time-limited view of the evidence they were invited to review, and never needs to create a KoraSafe account.

02 Time-boxed access

Sessions expire after eight hours of inactivity. Access windows close after ninety days. Customers can revoke either at any moment from the audit settings page.

03 Multi-customer engagement

One auditor firm reviews evidence across multiple customer organizations under a single grant. Per-engagement scopes stay isolated with cross-tenant row-level security.

04 Evidence-packet picker

Inside the session, the auditor sees every engagement packet the firm has been granted for the current customer. The picker enforces grant scope; an auditor cannot see engagements they were not given.

05 Action audit trail

Every auditor action (open packet, download evidence, comment) writes to the platform audit log with the auditor session ID, customer org ID, and timestamp.

06 Customer-side controls

Customers see active sessions, revoke individual auditors, extend access windows, and pull the audit log for the engagement from the audit settings dashboard.
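The six items above describe one access model: a grant issued by a customer admin, sessions that die after eight hours of inactivity, an access window that closes after ninety days, revocation and extension from the customer side, scope enforcement in the picker, and a log line per auditor action. As an added example (not KoraSafe's implementation), here is that model in Python. The timeouts are the figures the page states; everything else is an assumption: the grant is modelled per auditor and customer org (a firm covering several customers holds several grants), the link token is stored only as a SHA-256 digest, and the clock is passed in explicitly so the behaviour is deterministic.

```python
"""Magic-link auditor access: time-boxed, scoped, revocable, logged (illustrative)."""
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

INACTIVITY = timedelta(hours=8)   # session idle timeout, as stated on the page
WINDOW = timedelta(days=90)       # access window, as stated on the page


class AccessError(Exception):
    pass


def token_hash(token: str) -> str:
    # Only a digest of the link token is stored; a DB leak must not yield live links.
    return hashlib.sha256(token.encode()).hexdigest()


class AuditorPortal:
    def __init__(self):
        self.grants = {}     # token digest -> grant record
        self.sessions = {}   # session id -> {"grant": digest, "last_seen": ts}
        self.audit_log = []  # append-only action trail

    def invite(self, auditor, org, engagements, now):
        """Customer admin issues a magic link; the raw token goes in the e-mail."""
        token = secrets.token_urlsafe(32)
        self.grants[token_hash(token)] = {
            "auditor": auditor, "org": org, "engagements": frozenset(engagements),
            "expires_at": now + WINDOW, "revoked": False}
        return token

    def _live_grant(self, digest, now):
        g = self.grants.get(digest)
        if g is None or g["revoked"]:
            raise AccessError("unknown or revoked grant")
        if now >= g["expires_at"]:
            raise AccessError("access window closed")
        return g

    def open_session(self, token, now):
        """The auditor clicks the link: no account, just a session bound to the grant."""
        digest = token_hash(token)
        g = self._live_grant(digest, now)
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"grant": digest, "last_seen": now}
        self._log(sid, g, "open_session", None, now)
        return sid

    def _session(self, sid, now):
        s = self.sessions.get(sid)
        if s is None:
            raise AccessError("no such session")
        g = self._live_grant(s["grant"], now)   # revocation/expiry bite mid-session too
        if now - s["last_seen"] > INACTIVITY:
            del self.sessions[sid]
            raise AccessError("session expired after inactivity")
        s["last_seen"] = now
        return g

    def visible_engagements(self, sid, now):
        """Evidence-packet picker: only what this grant covers for this customer."""
        return sorted(self._session(sid, now)["engagements"])

    def act(self, sid, action, engagement, now):
        """open_packet / download / comment: scope-checked, then written to the log."""
        g = self._session(sid, now)
        if engagement not in g["engagements"]:
            raise AccessError(f"{engagement} is outside this grant's scope")
        self._log(sid, g, action, engagement, now)
        return True

    def revoke(self, auditor, org):
        """Customer-side control: every grant (and thus session) for this pair dies."""
        n = 0
        for g in self.grants.values():
            if g["auditor"] == auditor and g["org"] == org and not g["revoked"]:
                g["revoked"] = True
                n += 1
        return n

    def extend(self, auditor, org, extra: timedelta):
        for g in self.grants.values():
            if g["auditor"] == auditor and g["org"] == org and not g["revoked"]:
                g["expires_at"] += extra

    def _log(self, sid, g, action, engagement, now):
        self.audit_log.append({"ts": now.isoformat(), "session_id": sid,
                               "customer_org": g["org"], "auditor": g["auditor"],
                               "action": action, "engagement": engagement})
```

Two design points worth noticing: every session check re-validates the underlying grant, so a revocation takes effect on the auditor's next click rather than at their next login, and the scope check happens on each action, not just in the picker, so a guessed engagement id gets the same refusal as one the picker never showed.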

Honest state

What ships now, what your team owns, what's still coming

Trace, provenance, SBOMs, and the auditor portal (single-customer and multi-customer engagements) all ship today. Vendor risk scoring covers license, provenance, and known-vulnerability dimensions. Vulnerability matching is wired end-to-end for Hugging Face models. Your governance team still owns the decision on which findings warrant remediation versus acceptance; KoraSafe captures the trace and the evidence behind each call.

Ships today

Four-hop trace + tamper-evident chain + auditor PDF export

CycloneDX 1.5 SBOMs + NVD + OSV matching + vendor risk

Coming next

Auditor-firm SSO + broader vendor vulnerability paths

In the product

See the audit chain in the product

Decision trace, hash-chained, tamper-evident, ready for any external auditor.

Talk to your audit team

If your next exam, SOC 2 audit, or regulator inquiry is on the calendar, the chain is ready.

Start your free trial to begin onboarding. Trace, provenance, supply-chain SBOMs, and auditor portal access in one platform.