Changelog

What's new in ComplianceScout

Every release, feature, and improvement — most recent first. We ship continuously; this log captures the milestones worth calling out.

v1.0

General Availability

  • ComplianceScout is now publicly available. Tenants can sign up, connect identity providers, and receive compliance scores immediately.
  • All 62 connectors are live — Okta, Azure AD, AWS IAM, Google Workspace, GitHub, Slack, 15 finance tools, 15 productivity tools, and more.
  • SOC 2 Type II audit in progress. Pre-launch security review completed.
  • Free trial available — connect your first identity provider and see results in under 10 minutes.

Phase A–D

Multi-session connector expansion, JML automation, no-code builder, and tier-aware UI

  • Phase A: 62 total connectors including Workday and BambooHR for joiner/mover/leaver event sourcing. JML rules engine automatically triggers deprovisioning and role-change workflows on HR events.
  • Phase B: No-code workflow builder for custom compliance automation rules. Tier-aware UI gates advanced features behind Pro/Enterprise entitlements with in-app upgrade prompts.
  • Phase C: Log ingestion with natural-language query interface — describe what you want to search in plain English and AI translates it to a structured, parameterised query.
  • Phase D: Supply chain risk scoring, AI-powered support chatbot, and real-time compliance score computation across all active frameworks.

v0.50

RMF pre-adjudication assistant

  • Risk Management Framework (NIST SP 800-37) pre-adjudication assistant surfaces likely control finding dispositions before the formal assessment meeting.
  • OSCAL-format control catalog integrated — all ~1,200 NIST SP 800-53 rev5 controls indexed with automated evidence mapping.
  • Adversarial simulation red team results feed directly into RMF control gap analysis.
  • System receives and processes real assessment data from a federal evaluator sandbox.

v0.49

SaaS misconfiguration detection + secret manager connectors

  • SaaS misconfiguration posture layer scores Google Workspace, Microsoft 365, and Okta against CIS Benchmarks and internal hardening baselines.
  • Three secret manager connectors: HashiCorp Vault (token/AppRole), AWS Secrets Manager (access key/cross-account role), Azure Key Vault (service principal).
  • Secrets inventory populated from all three secret manager sources — rotation status, ARNs, and expiry dates surfaced in the UI.
  • CS posture self-assessment opt-in toggle: tenants can include or exclude cloud-platform posture evidence from their compliance score.

v0.48

Secrets inventory, non-human identities (NHIDs), GitHub and Slack connectors

  • Secrets inventory tracks all machine credentials discovered across connected systems: API keys, service account tokens, OAuth client secrets, and certificate expiry.
  • Non-human identity (NHID) catalog surfaces bot accounts, service principals, and machine tokens separately from human identities.
  • GitHub connector (GitHub App auth): org members, teams, Action secrets, and bot users.
  • Slack connector (bot token auth): workspace members, public channels, OAuth apps, and bot users.

v0.47

ML behavioral baseline engine (Phase 1)

  • Machine-learning behavioral baseline engine profiles identity access patterns from ingested sign-in events and flags statistically anomalous activity.
  • Blended compliance score combines connector evidence, ML risk signals, and posture findings into a single tenant-wide posture score.
  • Identity risk scores now include behavioral deviation factors alongside static entitlement signals.
  • Risk model training pipeline runs nightly; baseline updates propagate to the dashboard automatically.

v0.46

Adversarial simulation / AI red team

  • Adversarial simulation module models attacker lateral-movement paths through the identity graph using the access graph data.
  • AI red team surfaces the highest-risk attack paths and maps each path to the MITRE ATT&CK technique most likely to exploit it.
  • Simulation results feed into the compliance score as evidence items for identity and access management controls.
  • Tenant admins can trigger on-demand simulations or schedule them weekly alongside the nightly sync.

v0.45

JIT access write-back and connector batch 3 (15 finance + security tools)

  • Just-in-time (JIT) access write-back: compliance rules can now provision and deprovision access in connected identity providers, not just flag violations.
  • Connector batch 3 (15 new): Stripe, QuickBooks Online, Xero, Brex, Ramp, Adobe Admin Console, Auth0, OneLogin, Duo Security, CyberArk Privilege Cloud, BeyondTrust Password Safe, Tenable.io, Qualys, Rapid7 InsightVM, SAP SuccessFactors.
  • Write-back actions are tenant-controlled and individually audited with immutable audit trail entries.
  • Access certification campaigns can now auto-revoke access when a certifier marks a relationship as "remove".

v0.44

Correlation engine v1 + identities directory + connector batch 2 (15 productivity tools)

  • Correlation engine v1 matches identities across connected systems by email, display name, and external ID — a single person with accounts in Okta, GitHub, and Slack is now one merged identity record.
  • Identities directory page: view all human and machine identities, their correlated accounts, risk scores, and compliance status in one place.
  • Connector batch 2 (15 new): Microsoft Teams, Zoom, Box, Dropbox Business, Asana, Monday.com, ClickUp, Trello, Airtable, Figma, Miro, Lucidchart, Webex, Calendly, DocuSign.
  • Connector count reaches 47; identity correlation runs automatically after every sync.

v0.43

Access graph + access certification campaigns + connector batch 1 (15 enterprise tools)

  • Access graph visualises identity-to-resource relationships and highlights violation paths, over-provisioned accounts, and dormant access.
  • Access certification campaigns let admins send periodic reviews to managers — reviewers certify or flag each access relationship.
  • Connector batch 1 (15 new): ServiceNow, Salesforce, HubSpot, NetSuite, Snowflake, Databricks, Datadog, Splunk, 1Password, Notion, Linear, Confluence Cloud, GitLab, Bitbucket Cloud, PagerDuty.
  • Campaign reminders auto-sent at configurable intervals; overdue reviews escalate to the tenant admin.

v0.42

AI daily reports + HR connectors + JML automation

  • AI daily reports: tenant admins schedule compliance and security summaries generated by AI. Four templates: compliance summary, violations digest, OAuth consent review, identity risk digest.
  • HR connectors: Workday and BambooHR feed joiner/mover/leaver lifecycle events into the JML rules engine. New hire provisioning and departure deprovisioning trigger automatically.
  • Audit trail for every AI-generated report — users can inspect the evidence data the AI used and the model version that produced it.
  • Pro+ tenants can add a custom prompt addendum to shape the report focus; Enterprise tenants unlock arbitrary cron schedules.

v0.41

Cross-factor MFA reset + admin portal

  • Cross-factor MFA reset: any enrolled factor (TOTP, passkey, backup code, OTP email) can now be used to verify and reset any other enrolled factor.
  • Staff admin portal at /admin: tenant management, SSO connections review, MFA audit, user unlock and MFA reset actions — all step-up authenticated.
  • Log ingestion API: external systems can push raw events to ComplianceScout via a bearer-token-authenticated endpoint with natural-language query support.
  • Retention aging pipeline automatically moves logs from hot to warm to cold storage on a configurable schedule.

v0.40

Auth hardening: TOTP, WebAuthn passkeys, OTP email, and enterprise SSO (OIDC + SAML)

  • Multi-factor authentication: TOTP authenticator apps, WebAuthn hardware passkeys, backup codes, and OTP email — all enrollable and cross-verifiable.
  • Enterprise SSO: OIDC Authorization Code Flow with PKCE and SAML 2.0 SP-initiated flow. JIT user provisioning, trust-IdP-MFA, and per-connection role mapping.
  • Passwordless login via passkey or OTP email. Password-based login retained as escape hatch.
  • All auth state changes (enroll, disable, reset, SSO login, step-up) written to the immutable audit log.
