One control, every framework.
STACK Auditor maps your Compass posture, cloud config, identity provider, model endpoints, agents, and vector stores onto SOC 2, ISO 27001, HIPAA, PCI, FedRAMP, NIST AI RMF, ISO 42001, EU AI Act, DORA, and HITRUST. Evidence collects itself, auditors log in, audits stop being projects.
The job to be done
Continuous compliance evidence and audit operations for the AI-era stack. STACK Auditor maps your Compass posture, cloud config, code repos, identity provider, model endpoints, agents, and vector stores onto the control catalogs of SOC 2, ISO 27001:2022, ISO 27701, HIPAA, PCI DSS 4.0, GDPR/CCPA, FedRAMP, CMMC Level 2, NIST CSF 2.0, NIST AI RMF, ISO 42001, EU AI Act, DORA, and HITRUST. Evidence collects itself on a continuous cadence, lives in an auditor-ready portal external auditors can log straight into, and stays fresh. One control written once satisfies criteria across every framework it touches.
Why it doesn’t exist yet
Vanta, Drata, Secureframe, and Sprinto own SMB SOC 2 / ISO but were built before the AI stack existed — they cannot pull evidence from a model endpoint, an agent, or a vector store. AuditBoard, Hyperproof, OneTrust, and ServiceNow GRC own enterprise but are GRC software, not evidence platforms — the customer still pays a Big Four firm to fill them by hand. Nobody connects compliance evidence back to a security posture roadmap.
The naming logic
An auditor is not a checklist — it is the active role that gathers evidence, weighs it against a standard, and renders a judgment. STACK Auditor performs that role continuously across every framework you owe, with the AI-era reach that human auditors and incumbent platforms structurally lack.
What ships in the first release
A focused first cut. Everything below is in the GA scope; the roadmap goes deeper from there.
SOC 2 + ISO 27001
Type 1 and Type 2. AICPA TSC mapping. ISO 27001:2022 Annex A and ISO 27701 privacy controls — bundled when you need both.
HIPAA + HITRUST
Security Rule + AI-specific PHI handling. HITRUST CSF for healthcare enterprise. BAA-ready architecture from day one.
PCI + DORA + NYDFS
PCI DSS 4.0, EU DORA for financial services, NYDFS Part 500. Sector-specific evidence packs out of the box.
FedRAMP + CMMC
FedRAMP Moderate (then High), CMMC Level 2 for defense industrial base. State variants — StateRAMP, TX-RAMP — coming.
NIST AI RMF + ISO 42001
The AI moat. EU AI Act high-risk obligations, NIST AI RMF subcategories, ISO 42001 management system controls — fully mapped.
Compass-Linked
Every audit gap auto-creates a Compass roadmap initiative with the recommended STACK product remediation. Compliance drives posture, posture proves compliance.
Questions design partners are asking
Straight answers about scope, integrations, and how this fits the rest of the Stack platform.
Do you replace Vanta or Drata?
For SMB, yes. Auditor covers the same SOC 2 / ISO 27001 / HIPAA workflow and adds the AI-stack evidence (model endpoints, agents, vector stores) that they cannot collect. For enterprises already on Vanta, we extend it instead of replacing it, feeding AI-layer evidence directly into their existing tenant.
How is evidence collected?
Read-only API integrations with cloud providers, identity providers, code repos, model endpoints, agent platforms, vector stores, and the rest of the Stack product family. Each evidence item is timestamped and hashed at collection time, so later modification is detectable, and every item is exportable.
Can external auditors log in?
Yes. Auditors get a scoped portal containing only the evidence packs for their engagement, can request additional evidence, and sign off control by control. The portal is what wins repeat business: your auditor recommends you to their next client.
How does it work with Compass?
Every framework control links to a Compass capability. An audit gap becomes a Compass roadmap initiative; closing a Compass gap raises the framework readiness score. One artifact, two reports.
What about EU AI Act high-risk systems?
Full Annex IV technical documentation generation, conformity assessment workflow, post-market monitoring, and incident reporting — out of the box.