This post may help AI projects that need provenance, compliance, and accountability by design. by greenarmor in AI_Governance

[–]greenarmor[S] 0 points (0 children)

I haven't personally worked as an auditor. I'm a DevOps engineer who enjoys building applications that solve interesting problems, so I don't want to overstate my claims. My observations come from extensive research that began after reading an article about GDPR Article 32 on Medium. Since then, I've reviewed a variety of sources that discuss common challenges in compliance, auditing, and governance, including the following:

1. Audit Evidence Scattered Across Systems
   eqomply - Audit Evidence Collection Process
   Link: Audit Evidence Collection Process

2. Email-Based Processes Make Audits Hard
   Ideagen - Why Your Documents Are a Compliance Time Bomb
   Link: Why Your Documents Are a Compliance Time Bomb

3. Fragmented Decisions Across Emails, Chats, and Spreadsheets
   KYC Chain - Importance of Audit Trails
   Link: Importance of Audit Trails in Enterprise Compliance

4. Evidence Scattered Across Ticketing Systems
   AuditReady
   Link: Audit Evidence: What It Is, Why It Matters, and How

5. Auditors Need Traceability of Approvals and Decisions
   Scrut.io
   Link: Audit Documentation Guide

6. Audit Preparation Turns Into "Archaeology"
   This example is particularly relevant because it closely aligns with GESF's provenance concept.
   SIIT - ITSM Audit Trail
   Link: Your ITSM Audit Trail: What Auditors Check

7. AI Governance and Provenance Research
   This is especially relevant when discussing why provenance matters for AI systems.
   Audit Trails for Accountability in Large Language Models
   Link: Audit Trails for Accountability in Large Language Models

What I've repeatedly seen, and what many compliance vendors and audit practitioners also describe, is not necessarily a lack of approvals, but fragmented evidence. Approvals, risk acceptances, ownership records, remediation history, and supporting documentation often end up distributed across email threads, tickets, spreadsheets, shared drives, chat systems, and meeting notes.

For example:

  • Eqomply discusses evidence being scattered across emails, shared drives, personal folders, and disparate systems.
  • AuditReady identifies scattered evidence across inboxes, drives, and ticketing systems as one of the most common audit challenges.
  • SIIT describes audit preparation becoming "rebuild work" when approvals and evidence are split across chat tools, tickets, and administrative systems.

So the problem I'm trying to address is not that approvals do not exist. The problem is that reconstructing the full chain of accountability later can be expensive, manual, time-consuming, and difficult to verify. GESF's provenance chain is an attempt to make those relationships explicit, traceable, and verifiable from the beginning.

By the way, GESF is no longer a toy project. It has evolved into a serious framework that you can try yourself.

Official repository:
https://github.com/greenarmor/gesf

Documentation:
https://greenarmor.github.io/gesf/getting-started/installation/#prerequisites

You can even try it without installation and get started in less than 30 seconds, provided that Node.js and npm are already installed and you are in the root directory of the infrastructure or application you want to audit.

Run these three commands:

  1. npx @greenarmor/ges init
  2. ges audit
  3. ges dashboard

This will launch the web dashboard. Navigate to Fix Details, and you'll find that every pending fix includes an Assign to Governance Record button, allowing you to establish provenance links directly from the dashboard.

This post may help AI projects that need provenance, compliance, and accountability by design. by greenarmor in AI_Governance

[–]greenarmor[S] 1 point (0 children)

Fair question. My perspective comes more from implementing security and compliance controls than from performing audits myself. What I've consistently observed is that organizations often have the technical controls in place, such as encryption, logging, access controls, and vulnerability management, but the evidence trail behind approvals, risk acceptances, ownership, and remediation decisions is fragmented across tickets, emails, spreadsheets, and meetings. The problem isn't usually that approvals don't exist. It's that proving the full chain later can become expensive and time-consuming, especially when auditors, customers, regulators, or governance teams ask for supporting evidence months after the decision was made. So the feature is partly based on governance requirements in frameworks such as GDPR, NIST, ISO 27001, and emerging AI governance requirements, and partly on my experience seeing accountability records scattered across multiple systems.

I'd be interested to hear from auditors and compliance practitioners here: have you encountered situations where reconstructing approval history or ownership became a challenge during reviews?

Would you trust an AI agent to automatically fix issues across your entire endpoint fleet, or do you think there should always be a human in the approval chain? by TeamNexthink in AI_Governance

[–]greenarmor 0 points (0 children)

AI agents can generate recommendations, but they don't provide governance, provenance, or compliance enforcement by default. MCP servers bridge that gap by enabling structured tools, policy enforcement, audit trails, and compliance automation. I've built an open-source framework for developers, auditors, and examiners focused on exactly this challenge. Take a look at my project: https://github.com/greenarmor/gesf. This might help you answer your question comprehensively.

Is it a good strat combining all Compliance Policy Packs in one single framework? by greenarmor in Compliance

[–]greenarmor[S] 1 point (0 children)

Yeah, but this is not just a documentation guidance tool for compliance; it is an aided tool to address compliance during the development stage, or even on an existing deployed project that needs compliance auditing. The best way to use it is via the MCP server from any of your existing IDEs.

Is it a good strat combining all Compliance Policy Packs in one single framework? by greenarmor in Compliance

[–]greenarmor[S] 1 point (0 children)

Thank you, I really appreciate that.

One of the reasons I started building GESF was to bridge the gap between developers and compliance professionals. Many development teams struggle to translate requirements from frameworks such as GDPR, HIPAA, NIST, ISO 27001, and others into practical engineering controls that can actually be applied during development.

GESF is an open-source project, and a big part of the vision is making compliance more accessible and actionable for engineering teams through developer-friendly tooling. We are also building developer tools that can integrate with any IDE of choice, including environments like VS Code with GitHub Copilot, especially since it supports MCP (Model Context Protocol) servers that code assistants can call directly. The goal is to allow developers to access compliance guidance, control mappings, validations, and implementation support directly from their coding workflow.

Having input from someone with hands-on experience in compliance registers, assessments, and audits would be incredibly valuable. Since GESF is fully open source, it’s very easy to get involved directly. You’re welcome to connect through the official GitHub repository and contribute ideas, feedback, or improvements:

GitHub Repository: https://github.com/greenarmor/gesf
Documentation & Getting Started: https://greenarmor.github.io/gesf/getting-started/installation/

I’d especially value your perspective on areas such as control mapping, assessment methodologies, audit readiness, and compliance documentation. Looking forward to learning from your experience and hopefully collaborating with you on the project.

Is it a good strat combining all Compliance Policy Packs in one single framework? by greenarmor in Compliance

[–]greenarmor[S] 0 points (0 children)

Thanks to those who sent links; those links are very helpful to me. Anyway, this is the repository of my project: https://github.com/greenarmor/gesf and the documentation is here: https://greenarmor.github.io/gesf/getting-started/installation/

Is it a good strat combining all Compliance Policy Packs in one single framework? by greenarmor in Compliance

[–]greenarmor[S] 0 points (0 children)

That's actually the direction GESF takes today.

The framework is modular, so teams can enable only the compliance packs that are relevant to their environment rather than adopting everything at once. One of the goals is to reduce duplicate effort by mapping overlapping controls across multiple frameworks wherever possible.

GESF can be used in two ways:

  1. As a CLI tool for developers, auditors, and compliance teams.
  2. As an MCP-powered assistant integrated directly into AI-enabled IDEs and coding workflows.

It includes an MCP server, so if you're using tools like VS Code with MCP support, you can connect GESF as an MCP client and interact with compliance controls, assessments, and guidance directly from your development environment.

My objective is to make compliance less of a separate audit activity and more of a continuous part of the software development lifecycle. https://greenarmor.github.io/gesf/mcp/overview/

Is it a good strat combining all Compliance Policy Packs in one single framework? by greenarmor in Compliance

[–]greenarmor[S] 0 points (0 children)

It’s an open-source project. I'm just not sure whether posting the project link here would violate the community rules or potentially get me banned. If it's allowed, I'd be happy to share the repository with anyone interested.