Compliance & audit — the honesty model
Compliance you can defend to a regulator.
A compliance claim is only worth what its honesty can survive. Assay's model is built on the one truth most compliance tools won't say out loud: a tool can disprove a control, but it can never prove conformance. So we measure what can be measured, gate what we caught failing, and leave the declaration where the law puts it — with a named person. We measure; you declare; we never certify.
Trust and transparency
The honest truth most compliance tools won't tell you.
Disprove, never prove
A fired check is a real failure — a live CVE, a leaked secret, a missing label. But no automated pass proves the absence of all failures. A clean result is necessary, not sufficient.
Most regimes are organizational
NIS2, DORA, GDPR and their peers regulate the organization — governance, incident handling, resilience. Tooling touches only a slice; the rest is judgement and process.
No tool is accepted as proof
Under none of these laws is a scanner's badge accepted as proof of conformance — none. Anyone selling a "compliant" stamp from a crawl is selling snake oil.
Integrity
The integrity keystone.
The failure-gate
We won't let you pass what we caught failing.
A caught failure pre-sets the control to Fail and locks it. Marking it Pass requires a written justification, reproduced in full in an Integrity section of the artifact. A thermometer you can hide readings from is rigged; this one can't be.
Provenance on every line
Who stands behind each claim is always visible.
Every verdict states how it was reached: tool-verified · evidence-assisted · AI-drafted-and-reviewed · human attestation — so a buyer, an auditor or a competent authority sees which claims a machine stands behind and which a person does.
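The failure-gate and the provenance labels above, as an added example that is not Assay's code: a small Python model in which a fired check pre-sets the control to Fail and locks it, marking a locked control Pass requires a named person and a written justification that is reproduced in full in the artifact's Integrity section, and every verdict line carries one of the four provenance labels. All names (Artifact, Control, record_finding, set_verdict, the control IDs) are hypothetical, the findings are constructed, and the choice to relabel an overridden verdict as a human attestation is this example's assumption, not something the page states.

```python
"""Added example, not Assay's code: a minimal failure-gate with provenance labels."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Verdict(str, Enum):
    PASS = "Pass"
    FAIL = "Fail"
    NOT_ASSESSED = "Not assessed"


class Provenance(str, Enum):
    # The four labels named on the page; every verdict carries exactly one.
    TOOL_VERIFIED = "tool-verified"
    EVIDENCE_ASSISTED = "evidence-assisted"
    AI_DRAFTED_AND_REVIEWED = "AI-drafted-and-reviewed"
    HUMAN_ATTESTATION = "human attestation"


class LockedControlError(Exception):
    """A caught failure was marked Pass without a named person and a written justification."""


@dataclass
class Control:
    control_id: str
    verdict: Verdict = Verdict.NOT_ASSESSED
    provenance: Provenance | None = None
    locked: bool = False                       # set by a fired check, never cleared
    findings: list[str] = field(default_factory=list)


@dataclass
class Artifact:
    controls: dict[str, Control] = field(default_factory=dict)
    integrity: list[dict[str, object]] = field(default_factory=list)   # the Integrity section

    def _control(self, control_id: str) -> Control:
        return self.controls.setdefault(control_id, Control(control_id))

    def record_finding(self, control_id: str, finding: str) -> Control:
        """A fired check: pre-set Fail, label it tool-verified, lock the control."""
        c = self._control(control_id)
        c.findings.append(finding)
        c.verdict = Verdict.FAIL
        c.provenance = Provenance.TOOL_VERIFIED
        c.locked = True
        return c

    def set_verdict(self, control_id: str, verdict: Verdict, provenance: Provenance,
                    *, declared_by: str | None = None, justification: str | None = None) -> Control:
        """Set a verdict; passing a locked control is refused unless a person justifies it in writing."""
        c = self._control(control_id)
        if c.locked and verdict is Verdict.PASS:
            if not declared_by or not (justification or "").strip():
                raise LockedControlError(
                    f"{control_id}: caught failing ({len(c.findings)} finding(s)); "
                    "a named person and a written justification are required to mark it Pass")
            # The override is reproduced in full. Assumption of this example: once a person
            # overrides a tool-caught failure, the claim is theirs, so it becomes a human attestation.
            self.integrity.append({
                "control": control_id,
                "from": c.verdict.value, "to": verdict.value,
                "findings_overridden": list(c.findings),
                "declared_by": declared_by,
                "justification": justification.strip(),
            })
            provenance = Provenance.HUMAN_ATTESTATION
        c.verdict = verdict
        c.provenance = provenance
        return c

    def render(self) -> str:
        """One line per control stating the verdict and who stands behind it, then the Integrity section."""
        lines = [f"{c.control_id}: {c.verdict.value} "
                 f"[{c.provenance.value if c.provenance else 'no provenance'}]"
                 for c in self.controls.values()]
        lines.append("Integrity")
        if not self.integrity:
            lines.append("  (no overrides)")
        for e in self.integrity:
            lines.append(f"  {e['control']}: {e['from']} -> {e['to']} by {e['declared_by']}")
            lines.append(f"    overrides: {'; '.join(e['findings_overridden'])}")
            lines.append(f"    justification: {e['justification']}")
        return "\n".join(lines)


def demo() -> Artifact:
    """Constructed walk-through: a leaked secret is caught, silently passing it is refused, a named
    person overrides it with a justification that lands in the Integrity section."""
    art = Artifact()
    art.record_finding("SEC-01", "secret detected: AWS_SECRET_ACCESS_KEY in ci/deploy.env")  # constructed
    art.set_verdict("GOV-03", Verdict.PASS, Provenance.AI_DRAFTED_AND_REVIEWED)              # nothing fired, no lock
    try:
        art.set_verdict("SEC-01", Verdict.PASS, Provenance.EVIDENCE_ASSISTED)                # hiding the reading
    except LockedControlError:
        pass                                                                                 # refused, as intended
    art.set_verdict("SEC-01", Verdict.PASS, Provenance.EVIDENCE_ASSISTED,
                    declared_by="J. Doe, CISO",
                    justification="Key revoked and rotated; file purged from history (constructed).")
    return art


if __name__ == "__main__":
    print(demo().render())
```

The lock is never cleared: a control that once failed keeps its findings and, if later passed, carries the override and its author in the rendered Integrity section, which is what lets an auditor see the thermometer's full reading rather than only the final number.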
Why the candour is the product
A compliance claim is only worth what its honesty can survive — an auditor, a regulator, and a court. Everything in the model exists so the claim survives all three.
Where the pieces live
The measurement vocabulary — what can be tool-evidenced per framework — lives on Watchdog's catalog and the cai dimensions. The signed Conformance Pack is activated here → Compliance & signing pack.
Declare it honestly — and make it stick.