
Cert-Ready by Design

Not 'we have ISO.' Not 'we don't need ISO.' Rather: every agent is technically built to be certifiable and auditable at any time.

The Principle

In traditional compliance approaches, controls are described in documents, evidence is collected manually, and audits are conducted as periodic projects. An auditor asks for proof, an employee searches for a screenshot, someone creates a spreadsheet.

Cert-Ready by Design reverses this: controls are technical data objects in the system. Evidence is generated automatically. The auditor sees the live status -- not a snapshot from last week.

What Sets Cert-Ready by Design Apart

Controls Live in the System

Not in Confluence. Not in a Word document. Not in a GRC tool updated once a year. Controls are data objects in the database -- live, versioned, testable.

Evidence Is Generated Automatically

No human collects evidence. No human creates screenshots. No human copies logs. The evidence generator runs automatically -- periodically or on change. If a control cannot generate its evidence, that itself is a finding.

Complete Drill-Down

From the traffic light on the dashboard to the concrete RLS policy with its name and the test SQL that verifies its effectiveness. No 'ask the developer.' Everything in one path.

Controls as First-Class Data Objects

Every control in the Gosign architecture is a data object with four properties:

1. Technical Implementation

The control is not just documented -- it is implemented. Examples: an RLS policy that enforces tenant isolation at database level, an API check that validates the rule version before every agent decision, a trigger that automatically writes an audit entry on configuration changes. The implementation is the truth -- not a document claiming the implementation exists.

2. Automatic Evidence Generator

Every control has an assigned evidence generator. It runs periodically or event-based and produces evidence automatically: RLS policy active? Test query against the policy, result documented. Audit trail complete? Automatic integrity check, gaps detected. Encryption active? Certificate status checked, algorithm documented.

3. Evidence History

Every evidence record is stored with: timestamp of collection, status (passed, failed, warning), version number of the control, version number of the test logic, raw data for drill-down. The history is immutable. An auditor can verify for any point in time whether a control was active and effective.

4. Auditor View with Drill-Down

The auditor sees in the Auditor Portal: traffic-light status per control (green / yellow / red), last evidence timestamp, trend over time (control stability), drill-down from the status indicator to the concrete RLS policy, to the test SQL, to the test result. The drill-down is the decisive difference. A green dot on a dashboard is worthless if the auditor cannot verify what lies behind it.

Cert-Ready Control Object -- Structure

Every control is a structured data object with framework mapping, technical implementation, automatic evidence generator, and audit view.

Control Object {
  id:                 "ctrl-rbac-001"
  name:               "Tenant isolation at database level"
  category:           "Access Control"

  implementation: {
    type:             "RLS Policy"
    reference:        "policies/tenant_isolation.sql"
    deployed:         true
    last_verified:    "2026-02-20T09:14:00Z"
  }

  evidence_generator: {
    type:             "automated_test"
    schedule:         "every_6h"
    test_reference:   "tests/tenant_isolation_test.sql"
  }

  evidence_history: [
    {
      timestamp:      "2026-02-20T09:14:00Z"
      status:         "passed"
      control_version: "1.3"
      test_version:   "2.1"
      raw_data:       { ... }
    },
    ...
  ]

  framework_mapping: {
    iso_27001:        "A.9.4.1"
    soc2:             "CC6.1"
    eu_ai_act:        "Art. 12"
  }

  owner:              "security-team"
  last_change:        "2026-02-18T14:22:00Z"
  change_reason:      "Policy update for new entity"
}
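The control object above describes what is stored; the following is an added example (not Gosign's code) of how the evidence generator and the immutable evidence history can be implemented. An in-memory list of tenant rows stands in for the test SQL against the RLS policy, each evidence record carries the timestamp, status, control version, test version and raw data from the structure above and is linked to its predecessor by a SHA-256 chain, and an integrity check reports edited, removed or reordered records. A generator that cannot run is recorded as a failed finding, as the page requires. All names and sample values are assumptions.

```python
"""Control object with an automatic evidence generator and a hash-chained,
append-only evidence history (added example, not Gosign's code; the in-memory
stand-in for the RLS test and all names and values are assumptions)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable

GENESIS_HASH = "0" * 64


def _digest(body: dict) -> str:
    """Canonical JSON -> SHA-256; the record hash covers every field except `hash`."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


# Constructed stand-in for "test SQL against the RLS policy": rows of two tenants,
# queried as tenant "a". With the policy disabled, tenant "b"'s row leaks.
ROWS = [{"id": 1, "tenant_id": "a"}, {"id": 2, "tenant_id": "b"}]


def make_rls_test(policy_enabled: bool) -> Callable[[], tuple[str, dict]]:
    def test() -> tuple[str, dict]:
        visible = [r for r in ROWS if not policy_enabled or r["tenant_id"] == "a"]
        leaked = [r["id"] for r in visible if r["tenant_id"] != "a"]
        raw = {"policy": "tenant_isolation", "queried_as": "a", "leaked_rows": leaked}
        return ("passed" if not leaked else "failed"), raw
    return test


@dataclass
class Control:
    id: str
    name: str
    control_version: str
    test_version: str
    # The evidence test returns (status, raw_data). If it raises, the control
    # cannot generate its evidence; that is recorded as a failed finding.
    test: Callable[[], tuple[str, dict]]
    evidence_history: list[dict] = field(default_factory=list)

    def generate_evidence(self, now: str | None = None) -> dict:
        """Run the test once and append an immutable, chained evidence record."""
        ts = now or datetime.now(timezone.utc).isoformat()
        try:
            status, raw = self.test()
        except Exception as exc:
            status = "failed"
            raw = {"finding": "evidence generator could not run", "error": repr(exc)}
        prev = self.evidence_history[-1]["hash"] if self.evidence_history else GENESIS_HASH
        record = {"timestamp": ts, "status": status,
                  "control_version": self.control_version,
                  "test_version": self.test_version,
                  "raw_data": raw, "prev_hash": prev}
        record["hash"] = _digest(record)
        self.evidence_history.append(record)
        return record


def verify_history(history: list[dict]) -> list[str]:
    """Integrity check over the chain: finds edited, removed or reordered records."""
    findings: list[str] = []
    prev = GENESIS_HASH
    for i, rec in enumerate(history):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev_hash"] != prev:
            findings.append(f"record {i}: chain break (record missing or reordered)")
        if _digest(body) != rec["hash"]:
            findings.append(f"record {i}: content modified after collection")
        prev = rec["hash"]
    return findings


def status_at(history: list[dict], when: str) -> str | None:
    """Auditor question: which status was last recorded at ISO timestamp `when`?"""
    latest = None
    for rec in history:
        if rec["timestamp"] <= when:
            latest = rec
    return latest["status"] if latest else None


if __name__ == "__main__":
    ctrl = Control("ctrl-rbac-001", "Tenant isolation at database level",
                   "1.3", "2.1", make_rls_test(policy_enabled=True))
    ctrl.generate_evidence("2026-02-20T09:14:00+00:00")
    ctrl.test = make_rls_test(policy_enabled=False)   # policy dropped between runs
    ctrl.generate_evidence("2026-02-20T15:14:00+00:00")
    print(json.dumps(ctrl.evidence_history, indent=2))
    print("integrity findings:", verify_history(ctrl.evidence_history))
```

The chain makes the history tamper-evident rather than tamper-proof: it cannot stop a privileged writer, but every later verification run exposes the change, and the raw data kept with each record is what the auditor's drill-down shows. In production the chain head would additionally be anchored somewhere outside the writer's control.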

Auditor Portal

The Auditor Portal is the interface between the technical system and the auditor. It provides:

Dashboard

Overview of all controls with traffic-light status, grouped by framework category.

Control Detail

Description, technical implementation, evidence history, last change, assigned owner.

Drill-Down

From the overview to the concrete test result, including test logic and raw data.

Export

Evidence packages for external auditors, machine-readable (JSON) or as a PDF report.

Change History

When was a control changed, by whom, why. Every change documented.

Override History

When a human override overruled an agent decision -- documented with reason, person, timestamp.
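The change history and override history above, and the trigger mentioned under Technical Implementation that writes an audit entry on configuration changes, can be built so that the database itself produces the record. The following added example (not Gosign's code) uses SQLite as a runnable stand-in for the real database: an AFTER UPDATE trigger on the controls table writes who changed which control, from which version to which, and why; a change without actor and reason is rejected; and the history tables refuse updates and deletes. Table names, column names and sample values are assumptions.

```python
"""Controls table whose configuration changes and human overrides land in
append-only history tables via database triggers (added example, not
Gosign's code; SQLite stands in for the real database, and all table,
column and sample values are assumptions)."""
from __future__ import annotations

import sqlite3

SCHEMA = """
CREATE TABLE controls (
    id        TEXT PRIMARY KEY,
    name      TEXT NOT NULL,
    reference TEXT NOT NULL,   -- e.g. path of the policy file
    owner     TEXT NOT NULL,
    version   TEXT NOT NULL
);
-- Change history: when, by whom, why, and which version replaced which.
CREATE TABLE control_changes (
    seq         INTEGER PRIMARY KEY AUTOINCREMENT,
    control_id  TEXT NOT NULL,
    changed_at  TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now')),
    changed_by  TEXT NOT NULL,
    reason      TEXT NOT NULL,
    old_version TEXT NOT NULL,
    new_version TEXT NOT NULL
);
-- Override history: a human overruled an agent decision.
CREATE TABLE overrides (
    seq           INTEGER PRIMARY KEY AUTOINCREMENT,
    decision_id   TEXT NOT NULL,
    overridden_by TEXT NOT NULL,
    reason        TEXT NOT NULL,
    overridden_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'))
);
-- Actor and reason for the current transaction. The trigger reads them, so an
-- UPDATE without them violates the NOT NULL constraints and is rolled back.
CREATE TABLE change_ctx (k TEXT PRIMARY KEY, v TEXT NOT NULL);
CREATE TRIGGER controls_audit AFTER UPDATE ON controls
BEGIN
    INSERT INTO control_changes (control_id, changed_by, reason, old_version, new_version)
    VALUES (NEW.id,
            (SELECT v FROM change_ctx WHERE k = 'actor'),
            (SELECT v FROM change_ctx WHERE k = 'reason'),
            OLD.version, NEW.version);
END;
-- History rows are immutable: any UPDATE or DELETE on them is rejected.
CREATE TRIGGER changes_no_update BEFORE UPDATE ON control_changes
BEGIN SELECT RAISE(ABORT, 'change history is append-only'); END;
CREATE TRIGGER changes_no_delete BEFORE DELETE ON control_changes
BEGIN SELECT RAISE(ABORT, 'change history is append-only'); END;
"""


def open_db() -> sqlite3.Connection:
    """In-memory database with the schema and one seeded control (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO controls VALUES (?, ?, ?, ?, ?)",
                 ("ctrl-rbac-001", "Tenant isolation at database level",
                  "policies/tenant_isolation.sql", "security-team", "1.2"))
    conn.commit()
    return conn


def update_control(conn, control_id, new_version, actor, reason) -> None:
    """Attributed configuration change; the trigger writes the audit entry."""
    with conn:
        conn.execute("DELETE FROM change_ctx")
        conn.executemany("INSERT INTO change_ctx VALUES (?, ?)",
                         [("actor", actor), ("reason", reason)])
        conn.execute("UPDATE controls SET version = ? WHERE id = ?",
                     (new_version, control_id))
        conn.execute("DELETE FROM change_ctx")


def unattributed_change_rejected(conn, control_id, new_version) -> bool:
    """An UPDATE without actor/reason must fail and leave the control unchanged."""
    query = "SELECT version FROM controls WHERE id = ?"
    before = conn.execute(query, (control_id,)).fetchone()
    try:
        with conn:
            conn.execute("UPDATE controls SET version = ? WHERE id = ?",
                         (new_version, control_id))
    except sqlite3.DatabaseError:   # NOT NULL constraint from the trigger's INSERT
        return conn.execute(query, (control_id,)).fetchone() == before
    return False


def history_is_append_only(conn) -> bool:
    """A DELETE on the (non-empty) history table is blocked by the trigger."""
    try:
        with conn:
            conn.execute("DELETE FROM control_changes")
    except sqlite3.DatabaseError:   # RAISE(ABORT, ...) from the trigger
        return True
    return False


def record_override(conn, decision_id, person, reason) -> None:
    with conn:
        conn.execute("INSERT INTO overrides (decision_id, overridden_by, reason) "
                     "VALUES (?, ?, ?)", (decision_id, person, reason))


def change_history(conn, control_id) -> list[tuple]:
    return conn.execute(
        "SELECT changed_by, reason, old_version, new_version FROM control_changes "
        "WHERE control_id = ? ORDER BY seq", (control_id,)).fetchall()


def override_history(conn) -> list[tuple]:
    return conn.execute(
        "SELECT decision_id, overridden_by, reason FROM overrides ORDER BY seq").fetchall()
```

Because the audit entry is written by the trigger and not by application code, no code path can change a control without leaving a row in the history, and the NOT NULL constraints turn a missing actor or reason into a rejected change rather than an anonymous one. The triggers on the history table stop accidental edits; protection against an administrator with full database rights needs separate measures, such as the hash chain shown for the evidence history or shipping the history off-host.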

Framework Mapping

Structurally prepared for every framework.

ISO 27001: Controls are mapped to Annex A measures. Evidence is generated automatically.

SOC2: Trust Service Criteria (CC6, CC7, CC8) are represented as control categories.

PS 951 / ISAE 3402: Audit standards for IT service providers. Controls and evidence are prepared for auditors.

EU AI Act: Articles 9, 12, 13, 14 are implemented as controls in the system.

IDW PS 880: Software audit standards.

GoB / GoBD: German principles of proper bookkeeping.

The mapping changes. The control structure remains identical. When a new framework becomes relevant, it is mapped -- the controls already exist.

What Cert-Ready by Design Is Not

Not a certification promise. Cert-Ready by Design does not mean the system is certified. It means the architecture is structurally prepared to be audited and certified at any time.

Not a GRC tool. Cert-Ready by Design does not replace a GRC platform. It complements it -- through technical controls that live in the system, not only in a separate compliance database.

Not a one-time audit. Cert-Ready by Design is continuous. Evidence is generated continuously, controls are tested continuously. There is no "audit mode" -- the system is always in audit mode.

Frequently Asked Questions about Cert-Ready by Design

What does Cert-Ready by Design mean?

Every AI agent is technically built to be certifiable and auditable at any time. Controls are data objects in the system with technical implementation, automatic evidence generation, and complete history.

Is Gosign ISO 27001 certified?

Cert-Ready by Design means: when certification is required, our system is structurally prepared for it. Controls live in the system, evidence is generated automatically, auditors see the live status.

Which frameworks are supported?

The architecture is framework-agnostic. Controls can be mapped to ISO 27001, SOC2, PS 951, EU AI Act, and other frameworks. The structure is identical -- only the mapping changes.

What does an auditor see in the Auditor Portal?

Live dashboard with traffic-light status per control, drill-down from the status indicator to the concrete RLS policy or test SQL, change history, override history, evidence export.

Talk to us about your compliance requirements.

Cert-Ready by Design. Auditable. At any time.
