AI & Model Risk Examination Readiness Platform for Depository Institutions

The AI risk exam
is coming.
AuditAlign makes sure you're ready.

AuditAlign maps your bank's internal controls to SR 26-2, NIST AI RMF, and the CRI FS AI RMF — surfacing the exact gaps examiners are finding, before they find them. Gap determinations are produced by a deterministic matching engine, not an LLM: every finding traces to a numeric similarity score your team can audit, reproduce, and defend in front of an examiner. Non-compliance costs institutions 2.71× the cost of a compliance program — and $19.3B in global fines were issued in 2024 alone. Prevention is the only rational calculation.


Comprehensive AI/model risk exam preparation — in minutes, not months

auditalign.io  ·  SR 26-2  ·  CRI FS AI RMF  ·  Examination implications begin now
Why it matters now
$19.3B in global bank fines in 2024 — a record high
417% surge in penalties H1 2025 vs. H1 2024
NIST AI RMF · CRI FS AI RMF · SR 26-2 — all mapped automatically
Built by a former federal bank examiner
Deterministic matching engine — no LLM makes compliance determinations
The examination finding waiting to happen

Most institutions fail AI governance reviews
not because they lack controls — but because they can't demonstrate them

Four structural gaps generating examination findings right now, consistently across every institution size.

01 —

Incomplete AI inventory

MRM-validated models are documented. Vendor-embedded AI — fraud scoring, document processing, decisioning tools — rarely is. SR 26-2 requires a comprehensive inventory regardless of source.

02 —

Policy–practice disconnect

Governance policies reference NIST or SR 26-2 by name but contain no mapping between specific internal controls and the framework requirements those controls are supposed to satisfy.

03 —

Validation methodology mismatch

Traditional SR 26-2 validation procedures are applied to GenAI and ML systems without adaptation. The OCC has explicitly noted that standard back-testing may not be appropriate for non-deterministic systems.

04 —

Board reporting without substance

Reporting acknowledges AI risk in general terms but cannot answer the examination question: what are your open AI governance gaps, who owns them, and what is the remediation timeline?

Why now — the window is closing

The governance gap is no longer theoretical.
It is generating examination findings.

Every quarter, more institutions receive AI-related examination findings they weren't prepared for. Regulators aren't waiting for a final rulebook — they're examining now, using existing authorities and emerging guidance. Institutions that act first define the standard. Those that wait inherit the findings.

Regulatory backdrop — why this is not optional

Five regulatory actions that moved AI governance
from best practice to examination expectation

2021
OCC · Fed · FDIC
NCUA · CFPB

All five federal financial regulators issue a joint RFI on AI in banking — the most unambiguous signal that AI governance is a shared, cross-agency supervisory priority, not a single-agency initiative.

2023
NIST

NIST AI Risk Management Framework 1.0 published. Becomes the de facto reference standard banking examiners cite when evaluating whether an institution has a defensible AI governance program.

2024
SEC

First AI enforcement actions filed against investment advisers for false claims about AI use — “AI washing.” The SEC's message is explicit: AI governance documentation must be accurate, specific, and defensible.

2024–25
All Agencies

157 AI-related regulatory updates issued to financial services in a single year — nearly double prior volumes. Supervisory expectations are escalating, not stabilizing. Every quarter adds new guidance.

Feb 2026
U.S. Treasury · CRI
108 Financial Institutions

CRI Financial Services AI RMF published — the first AI governance framework purpose-built for banks. Co-developed with the U.S. Treasury and 108 institutions. Explicitly extends SR 26-2. Examination implications begin now.

Three landmark regulatory events in 90 days. $19.3B in record global fines in 2024. A 417% surge in penalties in H1 2025. The mandate exists. The automated mapping tool doesn't — until now.

12%
of financial services firms using AI have adopted a formal AI risk management framework
[1] ACA / NSCP 2024 AI Benchmarking Survey
$3.09B
TD Bank penalty — largest AML fine in U.S. banking history. $1.3B to FinCEN alone. Root cause: governance frameworks that could not withstand examiner scrutiny.
[3] U.S. DOJ / FinCEN, October 2024
$19.3B
in global regulatory fines issued to financial institutions in 2024 — a record high
[4] FinTech Global / Fenergo, 2025
11%
of executives have fully implemented responsible AI capabilities — data governance, model testing, and third-party risk management
[2] PwC, 2024
32%
of financial services firms have established an AI committee or governance group
[1] ACA / NSCP 2024 AI Benchmarking Survey
18%
have a formal AI model testing program in place — leaving model outputs unvalidated
[1] ACA / NSCP 2024 AI Benchmarking Survey
417%
surge in regulatory penalties against financial institutions in H1 2025 vs. the same period in 2024
[5] Fenergo Global Financial Penalties Report, H1 2025
$206B
spent annually on financial crime compliance across major global markets — North America alone $61B. Costs rose for 99% of U.S. and Canadian institutions in 2023.
[6] LexisNexis Risk Solutions / Forrester, 2023
157
AI-related regulatory updates issued to financial services in a single year — nearly doubling prior volumes
[7] InnReg / RegTech industry analysis, 2024–2025
2.71×
the cost of non-compliance vs. running a compliance program. A bank under OCC enforcement typically spends $1–5M in consultant, legal, and auditor fees over 18–24 months — before a single dollar in fines, monitorship costs, or operational disruption — making AuditAlign's subscription a rounding error.
[8] Ascent RegTech / Ponemon Institute — The Not So Hidden Costs of Compliance; OCC Enforcement Actions Database, visbanking.com analysis (Feb 2026)
42%
of C-suite time at banks is devoted to regulatory and supervisory compliance — and the amount of employee hours spent on compliance grew 61% between 2013 and 2023.
[9] Bank Policy Institute Survey, 2023
$45.7B
in AML and sanctions-related major fines issued globally between 2000 and 2024 — a 25-year enforcement trajectory that shows no sign of plateauing.
[10] Fourthline / industry enforcement data, 2024
[1] ACA Group / NSCP 2024 AI Benchmarking Survey — 200+ compliance leaders, June–July 2024
How it works

From control library
to gap analysis in minutes

01

Upload your internal controls

Provide your existing control library in any format — CSV, Excel, or text. No reformatting required. AuditAlign accepts natural-language control descriptions as written by your team.

02

Select your framework

Choose NIST AI RMF (72 requirements), CRI FS AI RMF (230 control objectives), or run both simultaneously. Frameworks are built in — no configuration needed.

03

Semantic embedding and matching

The engine uses sentence-level embeddings and reciprocal matching logic to compare each internal control against every framework requirement — capturing substantive coverage regardless of terminology. The process is fully deterministic: the same control library run against the same framework produces identical results every time, with no randomness or model variability.

04

Gap classification with rationale

Every finding is classified as Confirmed Match, Partial Match, or Gap by the matching algorithm, based on numeric similarity scores against fixed thresholds — not by an LLM. After the determination is made, an LLM generates plain-language rationale explaining why, written in the language an auditor would use in a workpaper. The algorithm determines the outcome. The LLM explains it.

05

Structured Excel export

Output is a 10-tab workbook: Dashboard, Confirmed Matches, Partial Matches, Gaps, NIST match status, gap register, summary views, and run metadata. Designed for audit trail purposes from the first run.

AuditAlign output — sample run
Framework control   Best match                        Score   Status
GV 1.6              AI Model Inventory Registration   0.81    Confirmed
MS 3.1              Performance & Drift Monitoring    0.76    Confirmed
GV 1.2              AI Privacy & Data Governance      0.61    Partial
MG 4.1              — no internal control —                   Gap
GV 6.1              — no internal control —                   Gap
MS 2.5              Bias & Fairness Testing           0.58    Partial
Engine design — a critical distinction

No LLM decides whether your institution has a compliance gap.

The classification — Confirmed Match, Partial Match, or Gap — is the output of a deterministic algorithm: fixed thresholds, fixed logic, reproducible results. An LLM is used only to generate the plain-English rationale that explains a finding after the determination is made. This distinction matters to regulators, internal audit, and your board: every compliance determination in AuditAlign can be traced to a specific numeric similarity score, a documented threshold, and a recorded model version — all captured in run metadata. Your team can audit, challenge, and defend every finding without relying on the interpretation of a language model.

Supported frameworks

Built on the frameworks
examiners actually reference

Both frameworks are bundled into the platform. No configuration, no manual uploads.

NIST · 2023

NIST AI Risk Management Framework

The voluntary, sector-agnostic framework that has become the de facto reference standard for AI governance in financial services. Four functions — Govern, Map, Measure, Manage — with 72 control requirements.

72 control requirements · All 4 functions
CRI / Treasury · February 2026

CRI Financial Services AI RMF

Co-developed by 108 financial institutions and the U.S. Treasury. The first framework purpose-built for financial services AI governance. Explicitly extends SR 26-2. Four maturity stages from Initial (21 controls) to Embedded (230). Examination implications begin now.

230 control objectives · 4 maturity stages
Federal Reserve / OCC · 2011

SR 26-2 Alignment

Every gap analysis is framed in SR 26-2 language — the supervisory standard examiners will cite during an AI governance review. Output rationale is written to address effective challenge, validation sufficiency, and governance documentation requirements.

Examination-ready language throughout
The output

Built for
audit trails

Every output is structured for the people who will use it — second-line MRM teams, internal audit, and the examiners who review their work.

Examiner-ready rationale for every finding

Each finding is classified by the deterministic matching algorithm — Confirmed, Partial, or Gap — based on a numeric similarity score. An LLM then generates plain-English rationale explaining the classification in the language an auditor would use in a workpaper. The algorithm makes the call; the LLM makes it readable.

10-tab structured workbook

Dashboard, match tables, gap register, framework-level summaries, category breakdowns, and full run metadata. Every tab is audit-ready on export.

Gap register with workflow tracking

Each gap has an owner, risk classification, remediation status, and evidence notes field. The register is designed to look the same in a board package as it does in an examiner's workpapers.

Visual dashboard and run analytics

Coverage donut by NIST function, gap score histogram, stacked bar by framework category, and key findings summary — all from within the platform before export.

Workbook tabs
Dashboard: Coverage summary & key metrics
Confirmed Matches: Controls meeting framework requirements
Partial Matches: Controls with coverage gaps
Gaps: Requirements with no internal control
NIST Match Status: Per-requirement coverage view
NIST Gaps: Unaddressed framework requirements
Internal Summary: Control-level coverage view
Category Summary: Coverage by framework function
Run Metadata: Thresholds, model, timestamp
Programs

Two ways to start.
Choose the one that fits.

Design Partners co-build the product with us at no cost. Paid Pilots run a structured 8-week evaluation with full platform access and a path to subscription.

Co-creation · Free
Design Partner
$0 · one analysis + quarterly feedback

For institutions willing to help shape the product in exchange for early access. We run the analysis and give you the full deliverable; you give us honest feedback that steers the roadmap. Limited to 2–3 institutions per month.

Who extracts value: AuditAlign, through your feedback, reference introductions, and (with your permission) an anonymized case study.
One gap analysis run against NIST AI RMF or CRI FS AI RMF
FS AI RMF maturity stage assessment (if applicable)
Full 10-tab Excel deliverable
LLM rationale for every finding
60-minute debrief call with the founder
First look at new features before public release
No platform accounts · no gap-tracker workflow
Commitment: quarterly 30-min feedback call

Request to start

Tell us about your institution and which track fits. We follow up within one business day.

Design Partner slots are limited to 2–3 institutions per month. All control data is treated as confidential and used solely for the engagement you request.

Brian Kantanka
Founder, AuditAlign
Former Federal Bank Examiner
Second-Line Model Risk Management
Regional Bank & Fortune 100 FI
Data Scientist & Full-Stack Developer
AI Governance Practitioner
ProSight MRM Summit Speaker · April 2026
"Most institutions I've examined don't lack commitment to AI governance. They lack the operational infrastructure to demonstrate it."

I spent years on both sides of the examination table — first as a federal bank examiner, then in second-line model risk management roles at a regional bank and a Fortune 100 financial institution. The same problem appeared everywhere: institutions with genuine governance programs that couldn't produce the evidence an examiner needed to see it.

The manual process of mapping internal controls to regulatory frameworks — NIST AI RMF, SR 26-2, the new CRI FS AI RMF — takes weeks of practitioner time and still produces outputs that are inconsistent and hard to defend. I built AuditAlign to automate that specific workflow. Not to replace expert judgment, but to do the mapping work so practitioners can focus on the decisions rather than the documentation.

The platform uses semantic embeddings to compare control language against framework requirements, reciprocal matching logic to classify coverage accurately, and LLM-generated rationale to explain every finding in the language an auditor would recognize. The output looks like something an MRM team produced — because it was built by one.

Pricing

Priced to your institution.
No long-term contracts.

Evaluate with a Design Partner engagement or a Paid Pilot, then scale into an annual subscription priced by asset size.

Evaluation tracks
Co-creation · Free
Design Partner
$0 / one analysis

Limited to 2–3 institutions per month. We extract value from your feedback; you get the full deliverable at no cost.

One gap-analysis run (NIST or CRI FS AI RMF)
Full 10-tab Excel deliverable
LLM rationale for every finding
60-min debrief call with the founder
Early access to new features
No platform accounts or workflow tools
Quarterly 30-min feedback call expected
Annual subscription · by asset size
Community · $1B – $10B in assets
$45K–$60K / year

For community and regional institutions standing up AI governance for the first time. Everything you need to demonstrate coverage for an exam.

Unlimited gap-analysis runs
NIST AI RMF + CRI FS AI RMF + SR 26-2 crosswalk
FS AI RMF maturity stage banner
Gap tracker with evidence capture & audit trail
10-tab Excel export on every run
Up to 10 named users
One custom framework upload (e.g. internal policy)
Email support · 2-business-day SLA
Quarterly office hours with the founder
Annual peer-anonymized governance benchmark
Advanced · $50B – $100B in assets
$130K–$175K / year

For large regional institutions with multi-entity reporting, SSO requirements, and continuous monitoring expectations.

Everything in Professional
Up to 75 named users
SSO (SAML / OIDC) + SCIM user provisioning
Bi-directional GRC connector (ServiceNow IRM, Archer, MetricStream, OneTrust)
Multi-entity / subsidiary separation with consolidated reporting
Continuous monitoring: auto re-run on register change
Regulatory change tracking with impact analysis
Dedicated Customer Success Manager
Quarterly Business Reviews
2 custom training sessions per year
Enterprise · $100B+ in assets
$200K–$350K / year

For money-center and global institutions that need private deployment, BYO LLM, examiner workpaper formats, and SOC 2 Type II turnkey.

Everything in Advanced
Unlimited users
Private single-tenant VPC deployment option
Multi-region data residency (US / EU)
BYO LLM: Azure OpenAI, AWS Bedrock, or on-prem
Custom rationale tone / style tuning
Examiner workpaper export (Fed / OCC / FDIC / state DFS)
On-site kick-off + examiner-walkthrough prep
SOC 2 Type II report + security questionnaire turnkey
4-hour priority incident response
8 executive advisory hours per year with the founder

All annual tiers are billed yearly with no long-term contract. Features marked as roadmap items (e.g. SOC 2 Type II, GRC connectors, examiner-workpaper exports) are part of the committed roadmap and delivered on the timeline agreed in your order form.

Common questions

Before you get started
with AuditAlign

AuditAlign is an automated AI governance examination readiness platform built specifically for banks and financial institutions. It takes your existing internal controls — in whatever format they're already in — and maps them to the regulatory frameworks examiners are actively using: SR 26-2, NIST AI RMF, and the CRI Financial Services AI RMF. For every framework requirement, AuditAlign tells you whether your controls confirm coverage, partially address it, or leave a gap — and generates examiner-ready rationale explaining why. The result is a documented evidence posture that answers regulators' questions before they ask them. AI and model risk governance failures are now the single largest driver of bank penalties — $19.3B in fines in 2024 alone, before remediation costs. AuditAlign exists because the institutions that get hit hardest aren't the ones with bad controls — they're the ones that can't prove what they have. Built by a former federal bank examiner who has sat on both sides of that conversation.
Design Partners are free — we run one gap analysis, give you the full deliverable and a 60-minute debrief, and in exchange we ask for quarterly feedback and permission (optional) to cite you as a reference. AuditAlign is extracting value from your input on the roadmap. Limited to 2–3 institutions per month. Pilots are paid ($35K flat, 8 weeks) — you get full platform access for a team of up to 5, multiple runs as your controls evolve, a gap-tracker workflow, a kick-off workshop, weekly office hours, and an executive readout at week 8. Your institution is extracting value: measurable output for an upcoming exam, MRM committee meeting, or board readout. 25% of the pilot fee is credited toward your first-year subscription if you convert. Pick Design Partner if you’re comfortable co-building the product in exchange for feedback time; pick Pilot if you want a structured evaluation with SLAs, live users, and a clear deliverable.
Annual subscription pricing scales with institution size (total assets under management): Community ($1B–$10B) is $45K–$60K/yr, Professional ($10B–$50B) is $80K–$120K/yr, Advanced ($50B–$100B) is $130K–$175K/yr, and Enterprise ($100B+) ranges from $200K–$350K/yr depending on deployment mode (shared vs private VPC), data residency, and custom framework scope. Each tier unlocks a defined set of features — named users, role-based access, custom framework uploads, SSO, GRC connectors, BYO LLM, etc. Community through Enterprise are billed annually with no long-term contract required.
Any format — CSV, Excel, or plain text. We accept natural-language control descriptions as written by your team. No reformatting required. The most common input is an export from your existing GRC system or a controls register spreadsheet with a description column. We’ll clean it before running the analysis.
The engine uses sentence-level semantic embeddings and bidirectional (reciprocal) matching. A Confirmed Match means the internal control is the best-available match for a framework requirement AND the similarity score exceeds the high-confidence threshold (default 0.50). A Partial Match means there’s semantic overlap but coverage is incomplete — the internal control addresses related topics but doesn’t fully satisfy the requirement’s intent. A Gap means no internal control scored above the minimum threshold for a given framework requirement. The key insight: high similarity alone doesn’t produce a Confirmed Match. The reciprocal match logic ensures that topical overlap without directional coverage is surfaced as a Gap rather than a false confirmation — which is how an examiner would evaluate it.
Yes. Control data uploaded for analysis is used solely for the gap analysis you requested. We do not use client control data for model training, benchmarking, or any other purpose. Design-partner and pilot engagements both operate under a mutual NDA on request, and annual subscriptions include confidentiality terms in the master order form. We treat your control library with the same confidentiality expectations a bank examiner applies to examination materials.
No — and this is a deliberate architectural decision that matters for regulatory defensibility. The gap determination itself — whether a finding is classified as a Confirmed Match, Partial Match, or Gap — is produced by a deterministic matching algorithm. It uses sentence-level semantic embeddings and reciprocal matching logic, then applies fixed similarity thresholds to classify each finding. The same inputs produce the same outputs every time. No LLM is involved in the determination, and no LLM can influence a finding's classification. The LLM enters only after the determination is made — its sole role is to generate plain-English rationale that explains the finding in language an auditor would recognize. Every classification is traceable to a specific numeric similarity score, the threshold applied, and the model version — all recorded in run metadata and included in the output workbook. Your team — and an examiner — can audit exactly how any finding was reached.
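A worked illustration of the reciprocal matching and fixed-threshold classification described in the "Semantic embedding and matching" step, the "Engine design" section and the two answers above. This is an added example, not AuditAlign's engine: a set of non-stopword terms with cosine similarity stands in for sentence embeddings, the 0.50 high-confidence threshold is the page's stated default, and the 0.30 minimum threshold, the exact reciprocity rule, and the requirement and control texts and IDs are constructed assumptions.

```python
"""Reciprocal best-match gap classification with fixed thresholds.

Added example (not AuditAlign's engine). A set of non-stopword terms with
cosine similarity stands in for sentence embeddings; requirement and control
texts, IDs and the 0.30 minimum threshold are constructed for this example.
"""
import math
import re

HIGH_THRESHOLD = 0.50   # page's stated default high-confidence threshold
MIN_THRESHOLD = 0.30    # assumed minimum threshold below which nothing matches
EMBEDDING_MODEL = "term-set-cosine-v0"   # stand-in; a real run records the model version

STOPWORDS = {"a", "an", "and", "are", "as", "at", "be", "by", "for", "in", "is",
             "of", "on", "or", "the", "to", "that", "with"}

# Constructed sample data (IDs follow the NIST function prefixes used on the page).
REQUIREMENTS = {
    "GV 1.6": "Maintain an AI model inventory including vendor embedded AI",
    "GV 1.7": "Maintain AI model inventory entries for vendor embedded AI with owner assigned",
    "MS 3.1": "Monitor model performance and drift after deployment",
    "GV 1.2": "Establish data governance and privacy controls for AI training data",
    "MG 4.1": "Define incident response procedures for AI system failures",
}
CONTROLS = {
    "CTL-01": "Model inventory registration: every AI model including vendor embedded AI is registered",
    "CTL-02": "Monitor model performance and drift quarterly after deployment",
    "CTL-03": "Privacy review of data used to train AI models",
}


def embed(text):
    """Stand-in embedding: the set of lower-cased, non-stopword terms."""
    return {t for t in re.findall(r"[a-z]+", text.lower()) if t not in STOPWORDS}


def similarity(a, b):
    """Cosine similarity of two binary term vectors (0.0 when either is empty)."""
    if not a or not b:
        return 0.0
    return len(a & b) / math.sqrt(len(a) * len(b))


def classify(requirements, controls, high=HIGH_THRESHOLD, low=MIN_THRESHOLD):
    """Classify every requirement as Confirmed, Partial or Gap.

    Confirmed: the control is the requirement's best match, the requirement is
               that control's best match (reciprocal), and the score is >= high.
    Partial:   the best score is >= low but the pair is not a reciprocal
               high-confidence match (topical overlap without directional coverage).
    Gap:       no control reaches low.
    """
    req_vec = {r: embed(t) for r, t in requirements.items()}
    ctl_vec = {c: embed(t) for c, t in controls.items()}
    score = {(r, c): similarity(req_vec[r], ctl_vec[c]) for r in req_vec for c in ctl_vec}
    # Best partner in each direction; sorted ids break ties so results are reproducible.
    best_ctl = {r: max(sorted(ctl_vec), key=lambda c: score[(r, c)]) for r in req_vec}
    best_req = {c: max(sorted(req_vec), key=lambda r: score[(r, c)]) for c in ctl_vec}
    findings = []
    for r in sorted(req_vec):
        c = best_ctl[r]
        s = score[(r, c)]
        if s < low:
            status, c = "Gap", None
        elif s >= high and best_req[c] == r:
            status = "Confirmed"
        else:
            status = "Partial"
        findings.append({"requirement": r, "best_match": c,
                         "score": round(s, 2), "status": status})
    # Run metadata an auditor needs in order to reproduce the determination.
    metadata = {"high_threshold": high, "min_threshold": low,
                "embedding_model": EMBEDDING_MODEL, "rule": "reciprocal-best-match"}
    return findings, metadata


def run_gap_analysis():
    """Run the constructed sample library; returns (findings, metadata)."""
    return classify(REQUIREMENTS, CONTROLS)


if __name__ == "__main__":
    findings, metadata = run_gap_analysis()
    print(f"{'Requirement':<12}{'Best match':<12}{'Score':<8}Status")
    for f in findings:
        print(f"{f['requirement']:<12}{str(f['best_match'] or '-'):<12}"
              f"{f['score']:<8}{f['status']}")
    print(metadata)
```

GV 1.7 scores above the high threshold against CTL-01 yet lands as Partial, because CTL-01's own best match is GV 1.6; that is the reciprocity check at work.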
No — and it’s not designed to. AuditAlign replaces the manual mapping work that comes before expert judgment, so your practitioners can focus on decisions rather than documentation. The output is a starting point for your MRM team, not a finished product. Every finding includes a rationale that practitioners should review, override if needed, and use as a structured input to their governance process. The gap register and workflow tools are designed to be embedded in your existing processes, not replace them.
The CRI FS AI RMF classifies institutions into four maturity stages — Initial (21 control objectives), Minimal (126), Evolving (193), and Embedded (230) — based on the AI Adoption Stage Questionnaire. AuditAlign can scope its gap analysis to the control objectives applicable at your declared adoption stage, so institutions at an Initial or Minimal stage aren’t evaluated against 230 controls that don’t yet apply to them. The adoption stage you select is recorded in the run metadata and reflected in the output.
The output is designed to be examination-ready — structured the way examiner workpapers are structured, with rationale written in regulatory language. However, no automated tool produces a complete examination response on its own. AuditAlign gives you the mapping, the gap identification, and the evidence structure. Your team provides the institutional context, the remediation commitments, and the judgment calls that make a governance program defensible. Think of it as the first 80% of the documentation work — done accurately, consistently, and in a fraction of the time.
A 60-minute walkthrough of your results with the founder — a former federal bank examiner. We cover: the most significant gaps by examination risk, which partial matches are closest to confirmed and what documentation would close them, which gaps represent new capabilities you’d need to build versus controls you may already have that aren’t documented correctly, and how to prioritize remediation. You leave with a clear picture of where you stand and what to do next. Design Partners receive one debrief call; Pilots include a kick-off workshop, weekly office hours, a mid-pilot check-in, and a week-8 executive readout.
Data security & trust

Questions banks ask before
sharing their controls

We handle sensitive institutional compliance data. Here are the security questions we hear most from compliance officers, CISOs, and vendor risk teams — with technically specific answers.

v1.4 · May 2026 — httpOnly cookie auth · brute-force lockout · instant deprovisioning · envelope encryption at rest · read-level audit logging
Access to institution control data is restricted by design — and as of v1.4, restricted by cryptography, not just policy. Your control descriptions, gap rationale, evidence notes, and reviewer commentary are encrypted at rest using Fernet symmetric encryption (AES-128-CBC + HMAC-SHA256) with a key unique to your organization. That key is itself encrypted by a master Key Encryption Key stored exclusively in our deployment environment — never in the database. An AuditAlign engineer who queries the database directly sees only ciphertext throughout. Decrypting a single field requires simultaneous access to both the database and the deployment environment. In addition, every read of your data — not just writes — is logged with a timestamp and accessor identity. You can request that access log at any time.
No — and this is architecturally prevented, not just policy-restricted. Every single database query is filtered by tenant_id derived from the authenticated session token, not from any user-supplied parameter. A user authenticated to Bank A cannot retrieve any data belonging to Bank B, even if they know Bank B's internal identifiers. This isolation is enforced in code, not configuration.
Through envelope encryption — a two-key architecture that separates the encryption key from the data it protects. Each institution is assigned a unique Data Encryption Key (DEK). That DEK is itself encrypted by a master Key Encryption Key (KEK) stored exclusively in our deployment environment, never in the database. A database dump exposes only Fernet ciphertext (AES-128-CBC + HMAC-SHA256) throughout — for control names, control descriptions, gap rationale, evidence notes, and reviewer commentary. The encryption_key_encrypted column that stores your wrapped DEK is also ciphertext. An attacker with database access alone cannot decrypt a single field. Decryption requires simultaneous possession of both the database and the KEK from the deployment environment — two separate systems. New tenants receive a DEK automatically at account creation; existing tenants received one on their first authenticated request after the v1.4 deployment.
Three layers working together: Per-IP rate limiting — 10 login attempts per IP per 15-minute window. Account lockout — 5 consecutive failures triggers a 30-minute account lock, regardless of source IP, defeating distributed attacks that rotate IPs. Persistent lockout state — stored in the database, not memory, so it survives server restarts and is enforced across all instances.
Instantaneously. The platform checks the active status flag on every authenticated request — not just at login. The moment an admin deactivates an account, that user's session is invalidated platform-wide even if they're currently logged in. There is no grace period or session drain delay. Admin users within your institution can manage this directly without contacting AuditAlign support.
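The two answers above describe a three-layer login defence and a per-request active-status check. The following is an added example of how such a gate can be built, not AuditAlign's code; it assumes SQLite as the persistent store, PBKDF2 as a stdlib stand-in for the bcrypt hashing the page states, an injected clock (`now`) so the windows can be tested, and constructed status strings, user names and IP addresses.

```python
"""Login gate: per-IP rate limit, IP-independent account lockout persisted in the
database, and an active-status check on every authenticated request.
Added example, not AuditAlign's code. Assumptions: SQLite store, PBKDF2 in place
of bcrypt, caller-supplied `now` timestamps (seconds)."""
import hashlib
import os
import secrets
import sqlite3

RATE_LIMIT_ATTEMPTS = 10        # per source IP ...
RATE_LIMIT_WINDOW_S = 15 * 60   # ... per 15-minute window
LOCKOUT_FAILURES = 5            # consecutive failures, any IP ...
LOCKOUT_SECONDS = 30 * 60       # ... lock the account for 30 minutes

SCHEMA = """
CREATE TABLE IF NOT EXISTS users (
    username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL,
    is_active INTEGER NOT NULL DEFAULT 1,
    consecutive_failures INTEGER NOT NULL DEFAULT 0,
    locked_until REAL NOT NULL DEFAULT 0);
CREATE TABLE IF NOT EXISTS login_attempts (ip TEXT NOT NULL, ts REAL NOT NULL);
CREATE TABLE IF NOT EXISTS sessions (token TEXT PRIMARY KEY, username TEXT NOT NULL);
"""


def open_store(path=":memory:"):
    """A file path gives state that survives restarts and is shared by all instances."""
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db


def _hash_password(password, salt):
    # Stand-in for bcrypt (not in the stdlib); still salted and one-way.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(db, username, password):
    salt = os.urandom(16)
    db.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
               (username, salt, _hash_password(password, salt)))
    db.commit()


def deactivate_user(db, username):
    db.execute("UPDATE users SET is_active = 0 WHERE username = ?", (username,))
    db.commit()


def attempt_login(db, ip, username, password, now):
    """Returns (status, session_token); status is 'rate_limited', 'locked',
    'invalid', 'inactive' or 'ok'."""
    # Layer 1: per-IP sliding window, recorded in the database.
    db.execute("INSERT INTO login_attempts (ip, ts) VALUES (?, ?)", (ip, now))
    (count,) = db.execute("SELECT COUNT(*) FROM login_attempts WHERE ip = ? AND ts > ?",
                          (ip, now - RATE_LIMIT_WINDOW_S)).fetchone()
    db.commit()
    if count > RATE_LIMIT_ATTEMPTS:
        return "rate_limited", None
    row = db.execute("SELECT salt, pw_hash, is_active, consecutive_failures, locked_until "
                     "FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return "invalid", None
    salt, pw_hash, is_active, failures, locked_until = row
    # Layer 2: account-level lock, enforced before the password is even checked
    # and independent of which IP the attempt comes from.
    if now < locked_until:
        return "locked", None
    if not secrets.compare_digest(_hash_password(password, salt), pw_hash):
        failures += 1
        lock_until = now + LOCKOUT_SECONDS if failures >= LOCKOUT_FAILURES else 0
        # Layer 3: the counter and lock live in the database, not process memory.
        db.execute("UPDATE users SET consecutive_failures = ?, locked_until = ? "
                   "WHERE username = ?", (0 if lock_until else failures, lock_until, username))
        db.commit()
        return ("locked" if lock_until else "invalid"), None
    db.execute("UPDATE users SET consecutive_failures = 0, locked_until = 0 "
               "WHERE username = ?", (username,))
    if not is_active:
        db.commit()
        return "inactive", None
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO sessions (token, username) VALUES (?, ?)", (token, username))
    db.commit()
    return "ok", token


def authorize(db, token):
    """Resolve the session on every request; a deactivated user is refused at once,
    with no grace period, because is_active is re-read rather than cached."""
    row = db.execute("SELECT u.username FROM sessions s JOIN users u ON u.username = s.username "
                     "WHERE s.token = ? AND u.is_active = 1", (token,)).fetchone()
    return row[0] if row else None
```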
No. Your data is never used to train, fine-tune, or improve any AI model. The only point where your data reaches a third party is the Google Gemini API, which generates plain-language rationale explanations for gap assessments. Our API usage agreement with Google prohibits them from using API-submitted data for model training — we use the API tier, not consumer-facing products. We will confirm this in writing in your pilot agreement.
No. As of v1.3 (April 2026), session tokens are stored exclusively in httpOnly cookies — a browser-enforced standard that makes the cookie completely inaccessible to any JavaScript on the page, including malicious injected scripts. Previously tokens were stored in localStorage (readable by JS), and this was explicitly remediated. Cookies are additionally marked Secure (HTTPS-only) with cross-site protections applied.
Yes — this is a core design principle, and as of v1.4 it covers reads as well as writes. Every read of sensitive fields — not just changes — writes a timestamped row to the audit log with the accessor identity, the field accessed, and the action. Every data mutation additionally records the old value, the new value, and a UTC timestamp. AI rationale overrides preserve both the original machine-generated rationale and the human override with stated reason. Audit log entries are append-only and cannot be modified or deleted by any platform user. The full history is exportable to Excel. You can request a complete access log for your tenant at any time.
Your file is validated first (type-checked to .csv or .xlsx only, capped at 10 MB — invalid files are rejected before any parsing). It is then processed in an isolated temporary directory for the duration of the matching run only. It is not retained: the temp directory is deleted after the run completes. Only the derived mapping results are stored, not the original file. Only the filename is recorded in run metadata for your reference.
Notification within 72 hours of confirmed incident discovery. You receive a written incident summary covering scope, affected data, root cause, and remediation steps. Critically: if the breach is limited to the database, what an attacker obtains is Fernet ciphertext throughout — no readable control text, no rationale, no notes. Decrypting your data requires simultaneous possession of both the database and our Key Encryption Key, which is held in a separate deployment environment. We provide full cooperation with your regulatory notification obligations (OCC, FDIC, Federal Reserve, state regulators), and share a post-incident review with affected partners. Transparent, fast notification is in our direct interest — not just a legal obligation.
Minimum 12 characters, with at least one uppercase letter, one lowercase letter, and one numeric digit — enforced at registration, not just recommended. Passwords are stored exclusively as bcrypt hashes — a one-way function that cannot be reversed. We do not store plain text, reversible encryption, MD5, or SHA-1. Ever.
AuditAlign's application layer runs on Railway. Your data is stored in Supabase-hosted PostgreSQL — a managed database provider that holds SOC 2 Type II, ISO 27001, and HIPAA-eligible certifications. Supabase infrastructure is hosted on AWS in US-East (Northern Virginia). All database connections enforce TLS 1.2+ in transit. We can provide Supabase's compliance documentation on request. If your institution has specific data residency requirements, raise them during pilot onboarding and we will confirm our ability to accommodate them in writing.
Yes. We support CAIQ, SIG Lite, and institution-specific vendor risk questionnaires. Provide your questionnaire at the start of the pilot evaluation and we will return a completed response within 10 business days. We can also arrange a technical walkthrough with your CISO or vendor risk team.
Security questions? security@auditalign.io