Compliance & audit — the honesty model

Compliance you can defend to a regulator.

A compliance claim is only worth what its honesty can survive. Assay's model is built on the one truth most compliance tools won't say out loud: a tool can disprove a control, but it can never prove conformance. So we measure what can be measured, gate what we caught failing, and leave the declaration where the law puts it — with a named person. We measure; you declare; we never certify.

Trust and transparency

The honest truth most compliance tools won't tell you.

Disprove, never prove

A fired check is a real failure — a live CVE, a leaked secret, a missing label. But no automated pass proves the absence of all failures. A clean result is necessary, not sufficient.

Most regimes are organizational

NIS2, DORA, GDPR and their peers regulate the organization — governance, incident handling, resilience. Tooling touches only a slice; the rest is judgement and process.

No tool is accepted as proof

Under none of these laws is a scanner's badge accepted as proof of conformance — none. Anyone selling a "compliant" stamp from a crawl is selling snake oil.

Integrity

The integrity keystone.

The failure-gate

We won't let you pass what we caught failing.

A caught failure pre-sets the control to Fail and locks it. Marking it Pass requires a written justification, reproduced in full in an Integrity section of the artifact. A thermometer you can hide readings from is rigged; this one can't be.

Provenance on every line

Who stands behind each claim is always visible.

Every verdict states how it was reached: tool-verified · evidence-assisted · AI-drafted-and-reviewed · human attestation — so a buyer, an auditor or a competent authority sees which claims a machine stands behind and which a person does.
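As an added example (not Assay's code), the failure-gate and the per-line provenance described above, reduced to a small data model: a fired check locks the control at Fail, a Pass on a locked control is refused unless it carries a written justification and a named person, that justification is reproduced verbatim in an Integrity section, and every verdict carries one of the four provenance labels. The control and check identifiers, the class and function names, and the sample finding are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


# The four provenance labels named on the page; the enum member names are an assumption.
class Provenance(Enum):
    TOOL_VERIFIED = "tool-verified"
    EVIDENCE_ASSISTED = "evidence-assisted"
    AI_DRAFTED_AND_REVIEWED = "AI-drafted-and-reviewed"
    HUMAN_ATTESTATION = "human attestation"


class Verdict(Enum):
    UNASSESSED = "Unassessed"
    FAIL = "Fail"
    PASS = "Pass"


class GateError(Exception):
    """Raised when a caught failure is marked Pass without a justification and a named person."""


@dataclass
class Finding:
    check_id: str   # hypothetical check identifier, e.g. "secret-in-repo"
    summary: str


@dataclass
class Control:
    control_id: str                     # placeholder id, not a framework's own numbering
    verdict: Verdict = Verdict.UNASSESSED
    provenance: Optional[Provenance] = None
    findings: list = field(default_factory=list)
    locked: bool = False                # set once a check fires; only a justified override lifts it
    override: Optional[dict] = None     # the written justification, kept verbatim


def record_finding(control: Control, finding: Finding) -> Control:
    """A fired check pre-sets the control to Fail and locks it."""
    control.findings.append(finding)
    control.verdict = Verdict.FAIL
    control.provenance = Provenance.TOOL_VERIFIED
    control.locked = True
    return control


def set_verdict(control: Control, verdict: Verdict, provenance: Provenance,
                justification: Optional[str] = None,
                attested_by: Optional[str] = None) -> Control:
    """Every verdict change carries its provenance; Pass on a locked control needs a named justification."""
    if control.locked and verdict is Verdict.PASS:
        if not justification or not attested_by:
            raise GateError(f"{control.control_id}: caught failing; Pass requires a written "
                            "justification and a named person")
        control.override = {
            "control_id": control.control_id,
            "findings": [f.check_id for f in control.findings],
            "attested_by": attested_by,
            "justification": justification,
        }
        # A person, not the tool, now stands behind this claim.
        provenance = Provenance.HUMAN_ATTESTATION
    control.verdict = verdict
    control.provenance = provenance
    return control


def integrity_section(controls: list) -> list:
    """Every override reproduced in full; an empty list means no caught failure was overridden."""
    return [c.override for c in controls if c.override is not None]


def clean(controls: list) -> bool:
    """Necessary, not sufficient: no control is at Fail. Says nothing about checks that never ran."""
    return all(c.verdict is not Verdict.FAIL for c in controls)


def artifact(controls: list) -> dict:
    """Per-line provenance plus the Integrity section, as a buyer or auditor would read it."""
    return {
        "controls": [
            {"control_id": c.control_id, "verdict": c.verdict.value,
             "provenance": c.provenance.value if c.provenance else None}
            for c in controls
        ],
        "integrity": integrity_section(controls),
        "clean": clean(controls),
    }


if __name__ == "__main__":
    # Constructed sample: one control with a fired secret-detection check.
    ctl = Control("CTRL-01")
    record_finding(ctl, Finding("secret-in-repo", "API token committed in config/settings.py"))
    try:
        set_verdict(ctl, Verdict.PASS, Provenance.EVIDENCE_ASSISTED)   # no justification: refused
    except GateError as exc:
        print("blocked:", exc)
    set_verdict(ctl, Verdict.PASS, Provenance.EVIDENCE_ASSISTED,
                justification="Token was a test fixture; rotated and removed in commit <placeholder>.",
                attested_by="J. Doe, Security Lead")
    print(artifact([ctl]))
```

The point the model makes is visible in `artifact()`: the override does not erase the finding, it moves the claim's provenance from the tool to a named person and prints the reason in full, so an auditor reads who stands behind the Pass and why.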

Why the candour is the product

A compliance claim is only worth what its honesty can survive — an auditor, a regulator, and a court. Everything in the model exists so the claim survives all three.

Where the pieces live

The measurement vocabulary — what can be tool-evidenced per framework — lives on Watchdog's catalog and the cai dimensions. The signed Conformance Pack is activated here → Compliance & signing pack.

Declare it honestly — and make it stick.

We measure; you declare; we never certify.