Prove the controls actually work.
STACK Witness watches the controls your Compass roadmap says you have — MFA, key rotation, agent boundaries, encryption coverage, output policies — and verifies they are in effect, not just documented. Compass maturity stops being self-reported.
The job to be done
Continuous control validation. STACK Witness watches the controls your Compass roadmap says you have (MFA enforcement, key rotation, agent capability boundaries, backup restorability, encryption-at-rest coverage, output policy enforcement) and verifies they are actually in effect, not just documented. Drift, lapse, or silent failure surfaces in minutes, and your Compass maturity score moves from self-reported to observed. The same telemetry doubles as evidence for STACK Auditor.
Why it doesn’t exist yet
Posture management platforms tell you what is configured. GRC platforms record what people say is configured. Nobody continuously proves the gap between the two is zero. Wiz and Orca flag a misconfiguration on their next scan; Vanta marks the control "passing" because the policy document exists. STACK Witness is the missing layer that watches the controls themselves, across cloud, identity, code, models, and agents.
The naming logic
A witness is the one who can attest, under scrutiny, that something happened as claimed. STACK Witness attests — continuously and verifiably — that your security controls are doing what your policies and your Compass roadmap say they are.
What ships in the first release
A focused first cut. Everything below is in the GA scope; the roadmap goes deeper from there.
Identity Controls
MFA enforcement, key rotation cadence, JIT access expiry, dormant credential cleanup. Verified per principal, per system.
Data Controls
Encryption-at-rest coverage, backup restorability (not just existence), data-residency enforcement, retention policy execution.
AI Controls
Agent capability boundary enforcement, model endpoint allowlist, output policy enforcement, prompt-injection block-rate trending.
Drift Detection
Control state captured continuously; any lapse triggers a typed alert with blast-radius scoring before it shows up in an audit.
Compass Loop
Every witnessed control feeds the matching Compass capability score. Maturity becomes observed reality, not a survey response.
Audit Evidence
Validation records are timestamped, hashed, and exportable as evidence — the same artifact STACK Auditor presents to your assessor.
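The "timestamped, hashed, and exportable" property above is what makes an evidence bundle checkable by an assessor without trusting the exporter. The following is an added illustration of that property, not STACK Witness or STACK Auditor code: each validation record carries the hash of the previous one, so an edited or deleted record breaks the chain when the bundle is verified offline. The record fields, control identifiers and timestamps are constructed for this example.

```python
"""Added example (not STACK Witness code): tamper-evident validation records.

Each control check produces a record that is timestamped, hashed, and chained to the
previous record. An exported bundle can then be verified with nothing but the records
themselves; editing or removing any record breaks the chain. The record schema and
control identifiers below are assumptions made for this example.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first record in a chain


def canonical(record: dict) -> bytes:
    # Sorted keys and fixed separators so the same content always hashes the same way,
    # regardless of which tool serialised it.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain: list, control_id: str, subject: str, status: str,
                  observed_at: str) -> dict:
    """Append one validation record, linking it to the previous record's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {
        "control_id": control_id,
        "subject": subject,
        "status": status,
        "observed_at": observed_at,
        "prev_hash": prev_hash,
    }
    record = dict(body, hash=hashlib.sha256(canonical(body)).hexdigest())
    chain.append(record)
    return record


def verify_chain(chain: list) -> tuple:
    """Return (ok, index). index is the first bad record, or -1 when the chain is intact.

    Two things are checked per record: its own hash matches its content (no edits),
    and its prev_hash matches the preceding record (no insertions, deletions or reordering).
    """
    expected_prev = GENESIS
    for i, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k != "hash"}
        if record["prev_hash"] != expected_prev:
            return False, i
        if hashlib.sha256(canonical(body)).hexdigest() != record["hash"]:
            return False, i
        expected_prev = record["hash"]
    return True, -1


def build_sample_chain() -> list:
    """Constructed sample checks with fixed timestamps so the example is reproducible."""
    chain = []
    append_record(chain, "IDN-001-mfa-enforced", "idp:prod", "pass", "2024-05-01T00:00:00Z")
    append_record(chain, "DAT-003-backup-restorable", "db:orders", "fail", "2024-05-01T00:05:00Z")
    append_record(chain, "AI-002-endpoint-allowlist", "agent:support-bot", "pass", "2024-05-01T00:10:00Z")
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    # Quietly flip the failed backup check to "pass" and watch the chain break.
    chain[1]["status"] = "pass"
    print("after edit:", verify_chain(chain))
```

The verification is deliberately dumb: it needs no key material and no network, which is the point of an exportable artifact. Signing the final hash would additionally bind the bundle to the exporter, but the chain alone already makes silent after-the-fact edits detectable.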
Questions design partners are asking
Straight answers about scope, integrations, and how this fits the rest of the Stack platform.
How is Witness different from a CSPM?
CSPMs check configuration; Witness checks behavior. CSPM tells you MFA is enabled in the IdP; Witness tells you the last 47 logins from finance actually completed an MFA challenge.
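The distinction above (configuration says MFA is on versus logins actually completed a challenge) is what a behavioural check looks like in practice. The following is an added example written for this page, not STACK Witness code: it takes a configuration snapshot that says MFA is required for a group, then reads the sign-in events for that group and reports every successful login that did not complete MFA. The configuration shape, the event fields and the log lines are all constructed for the example and do not match any particular IdP's schema.

```python
"""Added example (not STACK Witness code): verifying MFA behaviour, not configuration.

The configuration snapshot and sign-in events below are constructed for this example and
use assumed field names. The comparison is the point: the policy says MFA is required for
the finance group, so every successful finance login in the window should show a completed
MFA challenge. Any that do not are a control lapse even though the policy is still enabled.
"""
import json
from collections import defaultdict

# Constructed: the configuration view a CSPM-style check would see.
IDP_CONFIG = {
    "mfa_policies": [
        {"name": "finance-mfa", "groups": ["finance"], "enabled": True},
        {"name": "eng-mfa", "groups": ["engineering"], "enabled": True},
    ]
}

# Constructed: the sign-in event stream, one JSON object per line.
SIGNIN_LOG = """\
{"ts":"2024-05-01T08:01:00Z","user":"alice@example.com","group":"finance","result":"success","mfa_completed":true}
{"ts":"2024-05-01T08:02:00Z","user":"bob@example.com","group":"finance","result":"success","mfa_completed":false}
{"ts":"2024-05-01T08:03:00Z","user":"carol@example.com","group":"engineering","result":"success","mfa_completed":true}
{"ts":"2024-05-01T08:04:00Z","user":"bob@example.com","group":"finance","result":"failure","mfa_completed":false}
{"ts":"2024-05-01T08:05:00Z","user":"dave@example.com","group":"finance","result":"success","mfa_completed":true}
{"ts":"2024-05-01T08:06:00Z","user":"bob@example.com","group":"finance","result":"success","mfa_completed":false}
"""


def mfa_required_groups(config: dict) -> set:
    """Configuration view: groups covered by an enabled MFA policy."""
    return {g for p in config["mfa_policies"] if p["enabled"] for g in p["groups"]}


def parse_signins(log_text: str) -> list:
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def witness_mfa(config: dict, events: list, group: str, window: int = 50) -> dict:
    """Behavioural view: of the last `window` successful logins for `group`,
    how many completed MFA, and which principals did not."""
    if group not in mfa_required_groups(config):
        return {"group": group, "policy_enabled": False, "checked": 0,
                "mfa_completed": 0, "lapsed_principals": {}}
    # Failed logins are excluded: a rejected attempt without MFA is the control working.
    successes = [e for e in events if e["group"] == group and e["result"] == "success"]
    recent = successes[-window:]
    lapsed = defaultdict(int)
    for e in recent:
        if not e["mfa_completed"]:
            lapsed[e["user"]] += 1
    return {
        "group": group,
        "policy_enabled": True,
        "checked": len(recent),
        "mfa_completed": sum(1 for e in recent if e["mfa_completed"]),
        "lapsed_principals": dict(lapsed),
    }


def control_status(report: dict) -> str:
    """The control passes only if the policy is on AND every checked login satisfied it."""
    if not report["policy_enabled"]:
        return "fail: policy disabled"
    if report["lapsed_principals"]:
        skipped = report["checked"] - report["mfa_completed"]
        return "fail: policy enabled but %d/%d logins skipped MFA" % (skipped, report["checked"])
    return "pass"


if __name__ == "__main__":
    events = parse_signins(SIGNIN_LOG)
    for group in ("finance", "engineering", "contractors"):
        report = witness_mfa(IDP_CONFIG, events, group)
        print(group, control_status(report), json.dumps(report["lapsed_principals"]))
```

A configuration-only check would report finance as compliant because the policy exists and is enabled. The behavioural check reports the same control as failing and names the principal whose logins bypassed it, which is the difference between "enabled in the IdP" and "in effect".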
Does it replace my GRC platform?
No — it makes GRC honest. Witness feeds verified control state into Vanta, Drata, AuditBoard, or STACK Auditor as live evidence instead of self-attested checkboxes.
What controls ship at GA?
200+ pre-built checks spanning identity, data, network, code, model, and agent layers. Mapped to NIST CSF 2.0 functions and the top 10 framework control families.
How does this connect to Compass?
Each Witness check links to a Compass capability. As checks pass or drift, the Compass maturity score for that capability updates automatically — no quarterly survey required.