Compliance · AI · Code Constitution

Three steps to know if ReguNav fits.

For CFOs, COOs, Heads of Risk, and General Counsel. Skip the architecture diagrams — see the deliverable, the problem solved, and the ROI you'll quote to the board.

  1. Pick your driver: audit, deadline, or regulator
  2. See deliverables: what you get, what it solves, ROI
  3. Book a POC: 30-min walkthrough on a real tenant
New · Compliance-to-Architecture Framework™ v0.1 → framework.regunav.com
Compliance-first · AI-first · Agent-first

ReguNav™ — ship AI faster. Survive every audit.

A compliance platform that maps a single control to 24 populated frameworks at once — EU AI Act, ISO/IEC 42001, ISO/IEC 27001, ISO/IEC 27701, GDPR, UK GDPR, HIPAA, SOC 2, SOC 1, PCI DSS, NIST AI RMF, NIST CSF, DORA, NIS2, EU CRA, CCPA, LGPD, DPDP, PIPL, APPI, Australia Privacy Act. Vault-pattern credentials — your tokens stay in YOUR GitHub Secrets, never in ours. Audit-defensible evidence packs without spreadsheets or GRC vendor lock-in.

Free Sandbox tier forever · No credit card · Apache-2.0 SDKs · EU data residency (Frankfurt)

Board · DPO · CISO · Auditor · Regulator — download a real PDF per stakeholder, generated by the live engine.

Compliance heatmap + risk heat-signature — see your posture at a glance, rendered from your D1 rows.

Regulatory glossary — 760 clauses + controls across 24 frameworks, searchable, with crosswalks.

Frameworks · Rails (live) · Agents · Rails (preview) · Engines · Policy rules · Compliance workflows

The status quo costs more than the audit.

Boards adopt policies. Auditors sample controls quarterly. Engineers ship daily. The artefacts the four groups exchange — screenshots, spreadsheets, emails — are produced after the fact, refreshed manually, and never reconciled.

Status quo
  • One control mapped manually to one framework. Re-mapped for every new auditor.
  • Evidence collected at audit time. Stale by the time the auditor opens the request.
  • FRIA / Annex IV / RoPA / DPIA each in its own spreadsheet. None reconciled.
  • GRC vendor lock-in: data export costs more than the renewal.
  • Engineers asked the same question quarterly. Different answers each time.
With ReguNav™
  • One control mapped once. The crosswalk graph propagates to every populated framework.
  • Evidence assembled at the moment of change — WORM hash-chained, auditor-pullable.
  • FRIA / Annex IV / RoPA / DPIA generated from the same canonical model. Always reconciled.
  • Apache-2.0 SDK + dictionaries + framework registry. Vault-pattern credentials. No lock-in.
  • Deterministic engines: same inputs → same outputs. Replay any prior state by fingerprint.
Compliance journey

Where are you on the journey?

Six stages, every regulated industry. Click any stage to see the pain today vs the artefact ReguNav delivers — and the proof you can hand your board.

  1. Discover: what rules apply to us?
  2. Scope: which controls? Which systems?
  3. Implement: wire the controls in
  4. Evidence: prove the control works
  5. Audit: survive the assessor
  6. Continuous: stay compliant between audits
Most teams today

Legal counsel sends a 40-page memo. Half of it is hedging. The team prints it, no one reads past page 5.

With ReguNav

Tell us your driver (audit, deadline, regulator). We narrow 24 frameworks to the 1–3 that actually bind you.

Artefact you can show

Scoped applicability report — frameworks, clauses, your supervisor named.

Five roles. Five artefacts. One platform.

Compliance is a four-stakeholder relay race today: board adopts, lead executes, auditor samples, engineer ships. Every handoff loses information. ReguNav™ gives each role the artefact it owns, rooted in the same canonical model.

Compliance Officer
Pain today

Reads four GRC dashboards to answer one auditor question.

Artefact you own

Single navigator: risks → controls → evidence → frameworks. One link, one source.

Engineering Lead
Pain today

Asked the same compliance question every quarter. Pulled from work twice a month.

Artefact you own

Code Constitution™ runs inline on every PR. Compliance check-runs ≈ unit tests.

AI/ML Governance Lead
Pain today

EU AI Act August 2026. FRIA template lives in someone's Google Drive.

Artefact you own

FRIA workflow + GPAI Annex XI/XII docs + HuggingFace model-card conformance checker.

Auditor (internal + external)
Pain today

Receives 80-tab spreadsheet 24h before the audit. No tamper-evidence.

Artefact you own

Read-only auditor portal: tenant-scoped URL handover, WORM hash-chain verification.

Board / Executive
Pain today

Quarterly compliance update is a slide deck. Last quarter's data, no drill-down.

Artefact you own

Composite risk index 0–100, live. Drill down to obligation → control → evidence.

Sovereign AI · jurisdiction-aware engine

One platform. Every regulator. Every authority. Every timer.

Generic GRC platforms assume GDPR. ReguNav resolves the right authority, the right SLA timer, and the right submission format for the visitor's jurisdiction — automatically. The same incident report shipped to ICO in the UK (72h), to a member-state DPA in the EU (variable), and to state AGs + SEC in the US (different again).

Live · generated from the open-source registry at build time

Where every framework actually stands.

No hand-curated marketing inventory. The table below is derived directly from the open-source @regunav/frameworks registry — 24 of 24 framework modules ship populated clause/control/question libraries, 20 participate in the cross-framework crosswalk graph (97 edges).

Framework | Version | Clauses | Controls | Status
Australia Privacy Act | 1988 (Cth); amended 2022 (Enforcement & Other Measures) | 16 | 12 | Populated · Crosswalked
Brazil LGPD | 13.709/2018 | 18 | 12 | Populated · Crosswalked
CCPA / CPRA | 2024 | 17 | 13 | Populated · Crosswalked
China PIPL | 2021 | 18 | 12 | Populated · Crosswalked
DORA | (EU) 2022/2554 | 22 | 14 | Populated · Crosswalked
EU AI Act | (EU) 2024/1689 | 30 | 16 | Populated · Crosswalked
FedRAMP | Rev. 5 — 2024-05 | 28 | 18 | Populated · Crosswalked
GDPR | (EU) 2016/679 | 28 | 15 | Populated · Crosswalked
HIPAA Security & Privacy | 2013 Omnibus | 20 | 15 | Populated · Crosswalked
India DPDP Act | 2023 | 16 | 11 | Populated · Crosswalked
ISO/IEC 27001:2022 | 2022 | 17 | 15 | Populated · Crosswalked
ISO/IEC 27701:2019 | 2019 | 15 | 12 | Populated · Crosswalked
ISO/IEC 42001:2023 | 2023 | 24 | 15 | Populated · Crosswalked
Japan APPI | 2003 (Act No. 57); amended 2020 (effective 2022) + 2021 | 17 | 12 | Populated · Crosswalked
NIS2 Directive | 2022/2555 | 17 | 14 | Populated · Crosswalked
NIST AI Risk Management Framework | 1.0 | 20 | 14 | Populated · Crosswalked
NIST CSF 2.0 | 2.0 | 22 | 15 | Populated · Crosswalked
PCI DSS 4.0.1 | 4.0.1 | 12 | 14 | Populated · Crosswalked
SOC 2 Type II | 2017 TSC | 13 | 15 | Populated · Crosswalked
UK GDPR + DPA 2018 | 2018 | 16 | 10 | Populated · Crosswalked
EU Cyber Resilience Act | 2024 | 18 | 13 | Populated
HAARF — Healthcare AI Agents Regulatory Framework | 1.0 | 12 | 21 | Populated
HuggingFace Model Card | 2024.04 | 9 | 0 | Populated
SOC 1 Type II | SSAE 18 AT-C 320 (2017) | 13 | 14 | Populated

Populated — clauses, controls and self-assessment questions ship in the framework module. Crosswalked — framework appears in the CROSSWALKS edge set.

One evidence upload. 24 audits passed.

Every framework ships with its full control library + clause-level crosswalk graph. Map a control once — we propagate it across EU AI Act, ISO 42001, ISO 27001, ISO 27701, GDPR, UK GDPR, SOC 2, HIPAA, PCI DSS, NIST AI RMF, NIST CSF, DORA, NIS2, EU CRA, CCPA, HAARF (healthcare AI), Hugging Face model cards — automatically.

Control library: 113 controls mapped
Crosswalks: ISO 42001 · NIST AI RMF · ISO 27001
Sample clauses
  • Art. 9 — Risk management
  • Art. 10 — Data & data governance
  • Art. 14 — Human oversight
  • Art. 15 — Accuracy, robustness, cybersecurity
  • Art. 27 — FRIA
  • Art. 72 — Post-market monitoring
Evidence pack (sample)
FRIA report · Conformity declaration · Annex IV technical doc
Activate EU
Sample · illustrative only

Board-ready posture. Zero spreadsheets.

Aggregate score. Per-framework drill-down. 30-day immutable audit trail. Your tenant starts empty and fills as your team maps controls and uploads evidence — no synthetic data, no demo masquerading as production.

Aggregate compliance score: 87 of 100, across all activated frameworks
Controls per framework: EU 113 · ISO 39 · ISO 93 · ISO 49 · GDPR 99 · HIPAA 78 · SOC 64 · PCI 271
Audit-trail events · last 30 days (chart, D1–D30)

Why your team writes the same SOP five times.

A single risk-management procedure already satisfies controls in five frameworks. Without ReguNav you re-author it five times. With ReguNav you upload it once — the crosswalk graph maintains the clause-level equivalences. That's ~80% of compliance busywork eliminated.

Your control: Risk-Management SOP v3
Document defining how your AI risk register is populated, scored, escalated, and reviewed quarterly.
Evidence on file · v3 approved 2 weeks ago
Satisfies
  • EU AI Act Art. 9: Risk-management system
  • ISO/IEC 42001 § 6.1: AI risk treatment
  • NIST AI RMF MAP-1.1: Context characterized
  • ISO/IEC 27001 A.5.4: Management responsibilities
  • SOC 2 CC3.1: Risk-identification process
Framework coverage: the five frameworks above · 1 evidence upload · 0 duplicate procedures · ~80% work eliminated
Worked example

One control. Many obligations.

A single reusable control satisfies multiple clauses across multiple frameworks, drives a concrete architecture capability, emits a single evidence stream, and lands inside every audit pack that needs it. Below is a real control object, mapped against real clause references from the populated framework modules.

Control object
CTRL-IAM-ACCESS-REVIEW-001
Periodic review of identity and access rights against business-need-to-know. Owner-approved, scheduled, evidenced.
Reusable across frameworks
Satisfies
  • ISO/IEC 27001 A.5.15: Access control
  • SOC 2 CC6.1: Logical access — registration + authorisation of users
  • PCI DSS Req. 7: Restrict access to system components on need-to-know
  • NIST CSF PR.AA: Identity management, authentication + access control
Requires (architecture)
  • ↳ RBAC / ABAC enforcement
  • ↳ Identity event logs
  • ↳ Scheduled review workflow
Emits (evidence)
  • ↳ Quarterly access-review attestation
  • ↳ Reviewer + approver identities
  • ↳ Revocation log + delta
Appears in (audit packs)
  • ↳ SOC 2 Type II
  • ↳ ISO 27001 SoA
  • ↳ PCI DSS ROC + AOC

Clause references above ship verbatim in @regunav/frameworks — ISO 27001 A.5.15, SOC 2 CC6.1, PCI DSS Req. 7 and NIST CSF PR.AA are real clause records in the registry.
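The control object above, worked in code as an added example (Python; this is not ReguNav's code or its registry format). The clause references are the ones quoted on the page; the `FRAMEWORK:REF` id scheme, the equivalence edges, the control-area grouping and the second control are constructed assumptions. It goes one step beyond the page's single control: the propagated mappings are also rolled up into framework × area percentages of the kind a coverage heatmap cell shows, and a control that is mapped but has no evidence on file satisfies nothing.

```python
# Added example (not ReguNav's own code): a minimal clause-level crosswalk
# graph. A control is mapped to one clause; equivalence edges between clauses
# propagate that mapping to every framework in the graph, and the result is
# rolled up into framework x area coverage percentages. Clause references are
# the ones quoted on the page; edges, areas and the second control are
# constructed for this example.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Clause:
    id: str          # "FRAMEWORK:REF" (assumed id scheme)
    framework: str
    area: str        # control area used for the roll-up (assumed grouping)
    title: str


@dataclass
class Control:
    id: str
    satisfies: list[str]      # clause ids mapped directly by a human
    evidence_on_file: bool    # a mapping without evidence satisfies nothing


CLAUSES = [
    Clause("ISO27001:A.5.15", "ISO 27001", "Access", "Access control"),
    Clause("SOC2:CC6.1", "SOC 2", "Access", "Logical access"),
    Clause("PCIDSS:Req.7", "PCI DSS", "Access", "Need-to-know access"),
    Clause("NISTCSF:PR.AA", "NIST CSF", "Access", "Identity and access control"),
    Clause("EUAIACT:Art.9", "EU AI Act", "Risk", "Risk-management system"),
    Clause("ISO42001:6.1", "ISO 42001", "Risk", "AI risk treatment"),
    Clause("NISTAIRMF:MAP-1.1", "NIST AI RMF", "Risk", "Context characterized"),
    Clause("SOC2:CC3.1", "SOC 2", "Risk", "Risk-identification process"),
]

# Constructed crosswalk edges: undirected clause-level equivalences.
CROSSWALKS = [
    ("ISO27001:A.5.15", "SOC2:CC6.1"),
    ("SOC2:CC6.1", "PCIDSS:Req.7"),
    ("SOC2:CC6.1", "NISTCSF:PR.AA"),
    ("EUAIACT:Art.9", "ISO42001:6.1"),
    ("ISO42001:6.1", "NISTAIRMF:MAP-1.1"),
    ("EUAIACT:Art.9", "SOC2:CC3.1"),
]

CONTROLS = [
    # The page's access-review control, mapped once, to a single ISO clause.
    Control("CTRL-IAM-ACCESS-REVIEW-001", ["ISO27001:A.5.15"], evidence_on_file=True),
    # A constructed risk SOP that is mapped but has no evidence uploaded yet.
    Control("CTRL-RISK-SOP-003", ["EUAIACT:Art.9"], evidence_on_file=False),
]


def adjacency(edges):
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def propagate(control: Control, edges=CROSSWALKS) -> set[str]:
    """Clauses covered by the control: its direct mappings plus everything
    reachable over crosswalk equivalences (breadth-first closure)."""
    adj = adjacency(edges)
    covered = set(control.satisfies)
    queue = deque(control.satisfies)
    while queue:
        cur = queue.popleft()
        for nxt in adj[cur]:
            if nxt not in covered:
                covered.add(nxt)
                queue.append(nxt)
    return covered


def coverage(clauses=CLAUSES, controls=CONTROLS, edges=CROSSWALKS) -> dict[str, dict[str, int]]:
    """Percent of clauses satisfied per framework x area. Only controls with
    evidence on file count: the roll-up measures proven obligations, not mappings."""
    satisfied = set()
    for c in controls:
        if c.evidence_on_file:
            satisfied |= propagate(c, edges)
    hit = defaultdict(lambda: defaultdict(int))
    total = defaultdict(lambda: defaultdict(int))
    for cl in clauses:
        total[cl.framework][cl.area] += 1
        if cl.id in satisfied:
            hit[cl.framework][cl.area] += 1
    return {fw: {area: round(100 * hit[fw][area] / n) for area, n in areas.items()}
            for fw, areas in total.items()}


def frameworks_reached(control: Control, clauses=CLAUSES, edges=CROSSWALKS) -> list[str]:
    """Distinct frameworks one control lands in after propagation."""
    by_id = {cl.id: cl for cl in clauses}
    return sorted({by_id[c].framework for c in propagate(control, edges) if c in by_id})


if __name__ == "__main__":
    print(frameworks_reached(CONTROLS[0]))   # one mapping, four frameworks
    for fw, areas in coverage().items():
        print(fw, areas)
```

Two design points worth noting: propagation is a plain graph closure, so the order in which edges are registered never changes the result (the deterministic "same inputs → same outputs" property), and the evidence flag is checked at roll-up time rather than baked into the mapping, so withdrawing an evidence item immediately drops every framework that depended on it.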

Before. After.

Compliance turns into architecture. Architecture turns into runtime policy. Runtime turns into evidence. Evidence turns into the audit pack — without anyone re-typing it five times.

Before

Compliance lives in side-systems

  • Regulation lives in PDFs
  • Controls live in spreadsheets
  • Evidence lives in folders
  • Architecture lives in engineers' heads
  • Audit packs assembled manually
After

Compliance is the graph itself

  • Source clause mapped to obligation
  • Obligation mapped to reusable control
  • Control mapped to system capability
  • Policy enforced at runtime
  • Evidence captured continuously
  • Audit pack generated from the graph

31 deterministic agents. Replayable byte-for-byte.

No black-box LLMs. Each agent does one narrow job with the same output for the same input. Every assertion cites its source clause. Every artifact survives a tier-1 audit. If an output is ever challenged, you replay the exact run.

Pick your industry. Skip the discovery call.

Click your sector. We pre-activate the right frameworks, controls, and starter evidence pack — calibrated against tier-1 customers in that vertical. You sign in. You ship. No 6-week implementation engagement.

For Banking & Finance, ReguNav activates
EU AI Act · DORA · ISO 27001 · SOC 2 · PCI DSS

Who is this for?

Compliance-to-architecture is not one job. The same control graph + evidence stream serves six different audiences — without forcing any of them to learn the others' tools.

Persona

Compliance teams

Translate obligations into controls and evidence.

Persona

Engineering teams

See what architecture capabilities each control requires.

Persona

Auditors

Trace each audit pack back to its source clause and underlying evidence.

Persona

AI governance teams

Map intended purpose, risk class, human oversight, and post-market monitoring.

Persona

CISOs

Connect controls to security architecture and policy-as-code.

Persona

Product teams

Know what must be built before launching in a given jurisdiction.

Stop hiring your way out of compliance.

Drag the sliders. We model your hours back + dollars saved using conservative tier-1 bank assumptions: $150/hr loaded compliance-officer rate, 6h saved per AI system per month, 18h per FRIA, 22h per framework activation. Mid-market customers report 2–3× higher.


Assumes $150/hr loaded compliance-officer rate · 6h saved per AI system per month · 18h saved per FRIA · 22h saved per framework activation. Conservative; mid-market customers report 2–3× higher.

Annual savings (your scenario)
$254,100
Hours saved / yr
1,694
FTE equivalent
0.9

That's 0.9 compliance FTEs you don't have to hire. Or your existing team gets 0.9× back to do strategic work.

Before · After

EU AI Act audit — drag the divider.

Same company, same regulation, two operating models.

With ReguNav

3 hours of prep

  • Posture dashboard — live, every PR
  • One signed URL to the auditor
  • FRIA + Annex IV auto-rendered
  • Evidence pack hash-verifiable
Hours of CISO time · sandbox free forever
Without ReguNav

3 weeks of prep

  • Spreadsheet rollup — 11 weeks stale
  • Email chains + screenshots per control
  • FRIA drafted by consultants (€€€)
  • Auditor: 47 PDFs → 200 follow-ups
3+ weeks CISO time · €40-120K consulting


Why teams switch from Vanta · Drata · OneTrust

SOC 2 alone won't pass an EU AI Act audit.

By August 2026, every high-risk AI system in the EU needs a FRIA, Annex IV technical documentation, and a CE-marked conformity assessment. ReguNav™ ships FRIA workflows + Annex IV templates + the conformity-assessment checklist out of the box — alongside SOC 2, ISO/IEC 27001, GDPR, HIPAA, DORA, NIS2 and 14 more frameworks from the same tenant.

Capability | ReguNav | OneTrust | Vanta | Drata | Secureframe | Sprinto
13-framework coverage (incl. EU AI Act + DORA + NIST AI RMF) | Yes | Partial | Partial | Partial | Partial | Partial
EU AI Act native (Annex III + GPAI + Art. 27 FRIA) | Yes | No | No | No | No | No
Event-driven by constitution (no batch / no post-facto) | Yes | No | No | No | No | No
Queryable event index — every action indexed in real time | Yes | No | No | No | No | No
Deterministic agents (replayable, byte-identical) | Yes | No | No | No | No | No
Cross-framework crosswalk graph (implicit coverage) | Yes | Partial | No | No | No | No
Edge-native runtime (design goal: sub-50ms p99 globally†) | Yes | No | No | No | No | No
BYOC compliance node (sovereign deployment) | Yes | Partial | No | No | No | No
EU data residency (Frankfurt eu-central-1) | Yes | Yes | Partial | Partial | Partial | Partial
Open-source SDKs + dictionaries (Apache-2.0) | Yes | No | No | No | No | No
Specialist marketplace (manage-many-tenants) | Yes | No | No | No | No | No
Sandbox tier free forever | Yes | No | No | No | No | Yes
Risk Navigator (composite + policy gaps) | Yes | Partial | No | No | No | No
Migration playbooks for 15 GRC platforms | Yes | No | No | No | No | No

Built for the seven people who own AI compliance.

Compliance never lives in one job title. From CISO to AI builder to external auditor, ReguNav's rails, agents, and dashboards adapt to who you are and what you ship — without forcing you to learn six different products.

Compliance Officer / DPO

  • Map a control once → cover every framework
  • FRIA + DPIA bundled in one pass
  • Audit-trail per action, immutable
  • Risk Navigator surfaces gaps before auditors do

AI Builder / Engineer

  • Annex III + GPAI classifier API
  • Replay any agent decision byte-for-byte
  • TypeScript SDK + CLI + MCP server
  • OpenAPI 3.1 across all 33 live rails

Auditor (internal + external)

  • Read-only access across the tenant
  • Audit-engine: plan → fieldwork → findings → sign-off
  • Hash-chained sign-off, tamper-evident
  • Per-finding remediation owners + due dates

CISO

  • Multi-framework posture in one view
  • Sub-processor list + DPA on Enterprise
  • BYOK + BYOC for sovereignty
  • DORA Art. 28 register + ICT incident workflow

Founder / GC

  • Sandbox-to-Growth in one upgrade click
  • Trust page in 60 seconds (white-label)
  • Vendor questionnaire pre-fill (SIG / CAIQ)
  • Open-source dictionaries — no vendor lock-in

Tier-1 Bank IT

  • DORA + EU AI Act + ISO 27001 + SOC 2 in one tenant
  • BYOC compliance node in your VPC
  • Annual TLPT + ICT incident reporting
  • Specialist console for your auditors

Pricing that doesn't punish you for compliance.

Sandbox is free forever — every framework, every agent, every audit-trail event. Growth and Enterprise scale with seats and BYOC sovereignty. Zero hidden meters. Apache-2.0 SDKs. Walk away anytime — your data is yours.

Starter
Sandbox · single tenant
  • 1 framework
  • Up to 5 AI systems
  • Community support
  • Public trust page
  • API access
Start free now
Most popular
Growth
Mid-market production
  • Up to 5 frameworks
  • Up to 50 AI systems
  • Email + Slack support
  • All 31 agents
  • Audit-engine
  • FRIA workflow
  • Custom branding
Scale your team — get pricing
Enterprise
Bank-grade · regulated
  • Unlimited frameworks
  • Unlimited AI systems
  • 24×7 incident SLA
  • BYOC deployment
  • Dedicated CSM
  • Notified-body liaison
  • Annex IV automation
  • On-prem ISMS export
Defend tier-1 audits — book intro

The EU AI Act enforcement window opens August 2026. Be ready.

Spin up a tenant. Activate the right frameworks for your industry. Run your first FRIA. Under 10 minutes — no procurement, no demo gate, no credit card.

Free Sandbox tier forever · No credit card · Apache-2.0 SDKs · GDPR-grade DPA on request

See what your stakeholders get

One platform. Seven stakeholder-ready report packs.

Every report below is rendered byte-for-byte by the live /v1/reporting/generate engine from your D1 records — board pack, regulator submission, auditor evidence, customer DPA, all without a slide deck or a consultant. Download the samples to see the structure your tenant output will follow.

Board / CEO
Compliance Executive Summary
Quarterly board pack — Q1 2026
  • Frameworks in scope: 7
  • Controls satisfied: 412
  • Controls in progress: 38
Multi-framework · 4.4 KB · Download PDF →

Data Protection Officer
GDPR Record of Processing & DPIA Roll-up
Article 30 + Article 35 register
  • Processing activities (Art. 30): 47
  • DPIAs completed: 12
  • DPIAs requiring review: 3
GDPR · 4.2 KB · Download PDF →

CISO
ISO/IEC 27001:2022 — Statement of Applicability
Annex A control posture + risk register summary
  • Annex A controls (applicable): 93
  • Implemented: 84
  • Partially implemented: 7
ISO 27001 · 4.2 KB · Download PDF →

External Auditor
SOC 2 Type II — Evidence Pack
Trust Services Criteria (Security, Availability, Confidentiality)
  • Controls in scope: 64
  • Evidence items: 1287
  • Sample-period months: 12
SOC 2 (AICPA TSC) · 4.1 KB · Download PDF →

Regulator (EU AI Office)
EU AI Act — Regulator Submission Pack
Articles 9, 11, 14, 17, 43 — high-risk AI system file
  • High-risk AI systems: 3
  • FRIAs on file (Art. 27): 3
  • Conformity assessments (Art. 43): 3
EU AI Act · 4.3 KB · Download PDF →

Head of Compliance
Multi-Framework Conformity Bundle
EU AI Act × ISO 42001 × ISO 27001 × GDPR — crosswalked
  • Frameworks in scope: 4
  • Unique controls (crosswalked): 187
  • Single evidence → many frameworks: 412
Multi-framework · 4.0 KB · Download PDF →

FedRAMP PMO / Agency AO
FedRAMP Authorisation Pack
SSP + SAR + POA&M — Moderate baseline
  • FIPS 199 categorisation: Moderate
  • NIST 800-53 controls (baseline): 325
  • Controls fully implemented: 312
FedRAMP · 6.6 KB · Download PDF →

Customer Trust / Procurement
Data-Processing Evidence Pack (DPA)
Sub-processor register, transfer mechanisms, security attestations
  • Sub-processors: 22
  • Risk-tier high: 3
  • SCCs in force (cross-border): 9
GDPR + ISO 27001 · 4.3 KB · Download PDF →

Healthcare AI Lead
HAARF Healthcare AI Verification Pack
C1-C8 categories · L1 Foundation (85 reqs) · MHRA AI Airlock anchored
  • AI agents in scope: 4
  • HAARF requirements (L1): 85
  • Satisfied (L1): 79
HAARF · 5.1 KB · Download PDF →

AI Builder / ML Lead
Model Card + Annex IV Technical Documentation
EU AI Act Art. 11 + HF Model Card spec — one document, two regimes
  • Models in scope: 6
  • GPAI threshold breached: 1
  • Training compute disclosed (FLOPs): 1.4e25
EU AI Act + HF Model Card · 5.9 KB · Download PDF →

Risk Officer
Enterprise Risk Register & Residual-Risk Treatment Plan
ISO 31000 framing × ISO 27005 × ISO 42001 Cl. 6.1
  • Risks registered: 87
  • Residual-high (top quartile): 8
  • Treatments in flight: 14
ISO 31000 + ISO 27005 + ISO 42001 · 6.2 KB · Download PDF →

Internal Auditor
Internal Audit Findings Report
Q1 2026 cycle — controls sampled across 7 frameworks
  • Controls sampled: 96
  • Pass: 88
  • Pass with observation: 5
Multi-framework · 4.0 KB · Download PDF →

Privacy Engineering
DPIA + FRIA Combined Dossier
GDPR Art. 35 × EU AI Act Art. 27 — shared section bridging the two regimes
  • AI systems requiring FRIA: 3
  • Processing requiring DPIA: 5
  • Combined DPIA+FRIA documents: 3
GDPR + EU AI Act · 4.7 KB · Download PDF →

Samples generated from synthetic demo-tenant data. Real reports run on your own D1 rows and are content-addressed (sha256) so they're replayable byte-for-byte for auditor walk-throughs. Source: services/api/src/routes/reporting.ts.
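How an auditor can check a hash-chained, content-addressed trail of the kind described for the auditor portal ("WORM hash-chain verification") and for these replayable reports, as an added example in Python. This is not ReguNav's code and not the contents of reporting.ts; it assumes a canonical-JSON sha256 scheme with each event carrying its predecessor's hash, and the event names, actors and artefact hash below are constructed.

```python
# Added example (not ReguNav's own code): an append-only, hash-chained audit
# trail. Every event is content-addressed (sha256 over a canonical JSON
# encoding) and carries its predecessor's hash, so anyone holding the exported
# records plus the head hash can detect edits, deletions and reordering
# without trusting the system that produced them. All events are constructed.
import copy
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # predecessor hash of the first event


def canonical(obj) -> bytes:
    # Sorted keys, no whitespace: identical content always yields the same
    # bytes, which is what makes a record replayable by its fingerprint.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def event_hash(prev_hash: str, payload: dict) -> str:
    return hashlib.sha256(canonical({"prev": prev_hash, "payload": payload})).hexdigest()


@dataclass(frozen=True)
class Event:
    seq: int
    prev_hash: str
    payload: dict
    hash: str


class AuditTrail:
    """Append-only by construction: there is no method to edit or drop an event."""

    def __init__(self) -> None:
        self._events: list[Event] = []

    def append(self, payload: dict) -> Event:
        prev = self.head()
        ev = Event(len(self._events), prev, copy.deepcopy(payload), event_hash(prev, payload))
        self._events.append(ev)
        return ev

    def head(self) -> str:
        return self._events[-1].hash if self._events else GENESIS

    def export(self) -> list[dict]:
        # What the auditor pulls: plain records, verifiable offline.
        return [{"seq": e.seq, "prev": e.prev_hash, "payload": copy.deepcopy(e.payload), "hash": e.hash}
                for e in self._events]


def verify_chain(records: list[dict], expected_head: str) -> tuple[bool, str]:
    """Recompute every link from GENESIS. The head hash is obtained out of band
    (e.g. quoted in the signed handover) so a wholesale replacement is caught too."""
    prev = GENESIS
    for i, r in enumerate(records):
        if r["seq"] != i:
            return False, f"sequence gap at {i}"
        if r["prev"] != prev:
            return False, f"broken link at seq {i}"
        if event_hash(prev, r["payload"]) != r["hash"]:
            return False, f"content mismatch at seq {i}"
        prev = r["hash"]
    if prev != expected_head:
        return False, "head mismatch: trail truncated or replaced"
    return True, "ok"


def build_sample_trail() -> AuditTrail:
    # Constructed events modelled on the page's access-review control.
    t = AuditTrail()
    t.append({"type": "control.mapped", "control": "CTRL-IAM-ACCESS-REVIEW-001",
              "clause": "ISO27001:A.5.15", "actor": "alice@example.com"})
    t.append({"type": "evidence.uploaded", "control": "CTRL-IAM-ACCESS-REVIEW-001",
              "artifact": "access-review-2026Q1.pdf", "sha256": "<constructed artifact hash>"})
    t.append({"type": "review.approved", "control": "CTRL-IAM-ACCESS-REVIEW-001",
              "approver": "bob@example.com"})
    return t


def edited_record_detected() -> tuple[bool, str]:
    # A record is changed after sealing (the approver name). Its stored hash no
    # longer matches its content, so verification fails at that sequence number.
    t = build_sample_trail()
    records = t.export()
    records[2]["payload"]["approver"] = "someone-else@example.com"
    return verify_chain(records, t.head())


def dropped_record_detected() -> tuple[bool, str]:
    # Deleting a middle event leaves a sequence gap (and a dangling prev link).
    t = build_sample_trail()
    records = t.export()
    del records[1]
    return verify_chain(records, t.head())


if __name__ == "__main__":
    t = build_sample_trail()
    print(verify_chain(t.export(), t.head()))   # (True, 'ok')
    print(edited_record_detected())             # (False, 'content mismatch at seq 2')
    print(dropped_record_detected())            # (False, 'sequence gap at 1')
```

The chain alone only proves internal consistency; the head hash must reach the auditor by a channel the producing system cannot rewrite (the signed handover, a regulator filing), otherwise a rebuilt trail with a fresh head would verify cleanly.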

See your posture at a glance

Compliance heatmap + Risk heat-signature.

Every board pack and every internal-audit walk-through opens with the same two visualisations. The platform renders them deterministically from your /v1/controls and /v1/risk-register rows — no spreadsheet, no manual colouring, no consultant.

Coverage heatmap — framework × control area

One control evidences obligations across multiple frameworks; cell shows the % of obligations satisfied for that intersection.

Framework | Governance | Risk | Access | Data | Logging | Vendor | Incident | Training
EU AI Act | 96 | 92 | 88 | 90 | 94 | 78 | 82 | 86
ISO 42001 | 94 | 90 | 86 | 88 | 92 | 74 | 78 | 82
ISO 27001 | 92 | 88 | 96 | 90 | 96 | 84 | 88 | 90
GDPR | 90 | 84 | 92 | 96 | 88 | 86 | 82 | 84
SOC 2 | 88 | 82 | 94 | 86 | 96 | 80 | 90 | 78
HIPAA | 82 | 78 | 90 | 92 | 86 | 72 | 84 | 88
PCI DSS | 78 | 74 | 88 | 84 | 90 | 68 | 80 | 76
(cell values are % of obligations satisfied)
≥ 95% 88-94% 80-87% 70-79% < 70%

Risk heat-signature — likelihood × impact

Residual risks from your risk register plotted on the canonical 5×5 grid. Each bubble is one risk, labelled by ID.

Axes: Likelihood (Rare · Unlikely · Possible · Likely · Almost certain) × Impact (Insignificant · Minor · Moderate · Major · Severe)
  • R-014 — Insider — privileged ops (likelihood 2, impact 4)
  • R-021 — Vendor concentration (IdP) (likelihood 2, impact 4)
  • R-028 — Endpoint coverage (BYOD) (likelihood 3, impact 3)
  • R-041 — Model-drift on AIS-001 (likelihood 3, impact 4)
  • R-052 — Sub-processor outage (likelihood 2, impact 3)
  • R-073 — DSAR backlog (likelihood 3, impact 2)
  • R-088 — Phishing — finance team (likelihood 4, impact 3)
  • R-095 — EU AI Act re-classification (likelihood 1, impact 5)
  • R-101 — Sandbox key leak (likelihood 1, impact 2)
Extreme (≥16) High (10-15) Medium (6-9) Low (3-5) Minimal (1-2)

Synthetic demo-tenant data shown — your dashboard renders these from your own D1 rows in real time.

Sector packs

Three packs out of the box. Each one a vertical-grade compliance bundle.

View full catalogue →

Sector packs bundle the regulator-authored frameworks + rule packs + evidence templates a specific vertical needs. Activate one pack, get the entire stack pre-mapped to your tenant.

Maritime
30 anchor frameworks · pre-mapped

Anchor frameworks across flag-state, class-society, port-state-control and cyber regimes — IMO SOLAS, MARPOL, STCW, EU MRV, BIMCO cyber, IACS UR E26/E27.

IMO SOLAS · MARPOL · STCW · EU MRV · BIMCO cyber · IACS UR E26/E27
Legal
26 anchor frameworks · pre-mapped

Anchor frameworks for law firms — SRA Code, ABA Model Rules, CCBE Code, AML, sanctions regimes — covering solicitors, barristers, in-house counsel and trustee practice.

SRA Code · ABA Model Rules · CCBE Code · AML · Sanctions
Oil & Gas
30 anchor frameworks · pre-mapped

30+ frameworks covering upstream / midstream / downstream HSE, integrity and trading.

OSHA PSM · Seveso III · NORSOK · API standards · EU ETS/CBAM

Roadmap: banking-grade · PCI QSA · HIPAA pharma · public-sector.

With vs without

With ReguNav™. Without ReguNav™.

Four common compliance tasks. Each one, two ways.

Task
Map a new control to every populated framework
Without ReguNav™

Three days of spreadsheet work, one analyst, two reviewers, six rounds of QA.

With ReguNav™

One PR to the crosswalk graph. Mapped to every populated framework on merge.

Task
Produce evidence for SOC 2 CC6.1
Without ReguNav™

Email engineering. Wait. Screenshot. Email auditor. Email back. PDF the screenshot.

With ReguNav™

Auditor opens the WORM-sealed evidence pack URL. Hash-chain verified inline.

Task
Run a FRIA on a new high-risk AI system
Without ReguNav™

Google Doc template. 11 stakeholders. 6 weeks. 4 review cycles.

With ReguNav™

FRIA workflow with pre-filled clauses from EU AI Act dictionary. Sign-off in days.

Task
Answer a vendor questionnaire (1 of 12 this quarter)
Without ReguNav™

Re-write the same answer from last quarter in a new format. Lose the previous version.

With ReguNav™

Trust portal: vendor reads the auditor-defensible posture page. Zero questionnaire.

Task
Know your compliance rails are actually working today
Without ReguNav™

Operator sees 200 OK on /health. Has no idea if the rail's irreversible action (HMAC sign, email render, GitHub App token) actually works until the next real customer call.

With ReguNav™

Every 15 minutes the liveness verifier exercises the real signing, render, token-mint and HTTP roundtrip paths against synthetic targets — no real customers touched. Results in the audit-trail, dashboard, and deploy-gate verdict.
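The distinction drawn above, between a /health ping and a behavioural probe of a rail's irreversible action, as an added example in Python (not ReguNav's liveness verifier). It takes HMAC signing as the rail, uses a synthetic key and canary payload that are constructed for the example, and shows a simulated regression that /health would never surface. The check names and verdict shape are assumptions.

```python
# Added example (not ReguNav's own code): a behavioural liveness probe for a
# signing rail. The probe exercises the rail's irreversible action (HMAC
# signing) end to end against synthetic material, checks that verification
# accepts the genuine signature and rejects a modified one, and returns a
# verdict a deploy gate or dashboard can act on. No customer data is touched.
import hashlib
import hmac
import time
from typing import Callable

# Synthetic probe material (constructed): never a customer key or payload.
PROBE_KEY = b"synthetic-probe-key-not-a-real-secret"
PROBE_PAYLOAD = b"liveness-canary:v1"


def sign(key: bytes, payload: bytes) -> str:
    """The rail's signing path: HMAC-SHA256, hex-encoded."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify(key: bytes, payload: bytes, signature: str) -> bool:
    """Constant-time comparison so the verifier itself is not a timing oracle."""
    return hmac.compare_digest(sign(key, payload), signature)


def health_ping() -> bool:
    # What /health typically proves: the process answers. Nothing about signing.
    return True


def probe_signing(sign_fn: Callable[[bytes, bytes], str] = sign) -> list[tuple[str, bool, str]]:
    """Run the behavioural checks against the rail's signer; each result is
    (check name, passed, detail). The verifier side is the known-good `verify`."""
    results = []
    sig = sign_fn(PROBE_KEY, PROBE_PAYLOAD)
    results.append(("sig.format",
                    len(sig) == 64 and all(c in "0123456789abcdef" for c in sig),
                    "HMAC-SHA256 hex digest expected"))
    results.append(("sig.roundtrip",
                    verify(PROBE_KEY, PROBE_PAYLOAD, sig),
                    "verify(sign(p)) must be true"))
    results.append(("sig.rejects_tamper",
                    not verify(PROBE_KEY, PROBE_PAYLOAD + b"x", sig),
                    "modified payload must fail verification"))
    results.append(("sig.key_bound",
                    sign_fn(b"other-synthetic-key", PROBE_PAYLOAD) != sig,
                    "different key must give a different MAC"))
    return results


def deploy_gate_verdict(results) -> dict:
    """Aggregate into the record that lands in the audit trail and dashboard."""
    failed = [name for name, ok, _ in results if not ok]
    return {"ts": int(time.time()), "rail": "signing", "pass": not failed, "failed_checks": failed}


def run_probe(sign_fn: Callable[[bytes, bytes], str] = sign) -> dict:
    return deploy_gate_verdict(probe_signing(sign_fn))


def broken_sign(key: bytes, payload: bytes) -> str:
    # Simulated regression: the rail ignores the supplied key (for instance a
    # misloaded secret falling back to an empty string). The process still
    # answers 200 OK on /health; only the behavioural probe notices.
    return hmac.new(b"", payload, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    print("health:", health_ping())
    print("probe (healthy rail):", run_probe())
    print("probe (broken rail): ", run_probe(broken_sign))
```

Run on a schedule, the verdict dict is what gets appended to the audit trail; the useful property is that a rail whose key loading silently regressed fails `sig.roundtrip` and `sig.key_bound` while every uptime check stays green.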

Task
Spot an EU regulator publishing something that affects you
Without ReguNav™

A consultant on retainer reads the Official Journal. You hear two weeks later. Or you don't.

With ReguNav™

EUR-Lex daily probe emits structured events tagged with affected sector packs and framework codes. Routed into your obligations engine within the day.

ReguNav™ vs the three categories you're comparing it to.

A GRC suite, a code scanner, or a spreadsheet — those are the alternatives. Here's how each one answers the nine capabilities that matter on August 2026 EU AI Act day.

Capability | ReguNav™ | GRC suite | Code scanner | Spreadsheet
Number of populated frameworks | 21 | 8–12 | 1–3 | n/a
EU AI Act + ISO 42001 + NIST AI RMF | shipped | roadmap | no | manual
Crosswalk graph (one control → N) | shipped | partial | no | manual
WORM hash-chained audit trail | by default | premium | no | no
Deterministic check engine | shipped | LLM | shipped | no
Vault-pattern credentials (BYOC) | default | no | no | no
Inline PR check-runs | Code Constitution™ | no | shipped | no
Apache-2.0 SDK + dictionaries | shipped | proprietary | proprietary | n/a
Data export without renewal cost | yes | no | yes | yes
Live behavioural probes (15-min cadence) | 5 high-risk surfaces, every rail | uptime ping | n/a | n/a
EU regulator change feed | EUR-Lex daily + 3 scaffold sources | operator reads | no | manual
Flow-contract gate (CI-enforced) | every user-initiated flow | n/a | n/a | n/a
Runtime errors → git branch (30-min) | errors/cf branch | dashboard-only | dashboard-only | n/a

Categories are generic — capability statements describe ReguNav's own implementation, not specific vendor gaps. Replace the column with a named competitor at procurement time.

Three customer journeys. One platform.

Each row below is an end-to-end customer journey from activation to auditor sign-off — using only the rails ReguNav™ ships today.

01
AI-first SaaS preparing for August 2026
AI/ML governance lead at a Series-B SaaS, EU customers
  1. Activate EU AI Act + ISO/IEC 42001 + NIST AI RMF + GDPR packs.
  2. Run the Classifier agent on each AI system → risk tier per Annex III.
  3. FRIA workflow for every high-risk system; signed by named accountable role.
  4. GPAI Annex XI/XII docs auto-generated from model cards on HuggingFace.
  5. Auditor URL handover — read-only portal scoped to the tenant.
02
Maritime operator → flag + class + port-state in one tenant
HSE & QA director at a 60-vessel shipping company
  1. Activate the Maritime sector pack (30 anchor frameworks).
  2. Per-vessel applicability: IMO SOLAS + MARPOL + class-society rules + flag-state regs.
  3. Cybersecurity controls (BIMCO + IACS UR E26/E27) layered on top.
  4. Evidence packs per port-state inspection — WORM-sealed, pre-emailed.
  5. Composite risk index per vessel, board-facing.
03
Engineering org preparing for SOC 2 + ISO 27001 + GDPR
Head of Platform at a 300-engineer scale-up
  1. Install Code Constitution™ on the GitHub org. 11 framework rule packs activate.
  2. constitution.yaml layers customer-specific rules on top.
  3. Every PR runs deterministic check-runs inline; evidence packs persist to tamper-evident object storage.
  4. Quarterly auditor review: read-only auditor portal, pre-mapped to controls.
  5. Stripe Connect billing → meters per check run; finance gets one invoice.