Capabilities & Skills
What your AI can do, with the skills loaded.
Kanonik ships a private, signed skill library. Your AI loads the skills on first sign-in and uses them to draft policies, assess controls, write audit narratives, respond to vendor questionnaires, and assemble auditor bundles - in your own AI client.
New skills ship continuously. The skills you have are yours to keep. Versioned. Provenance-attested. Pinned to every output they produce.
What this page is
Six things Kanonik takes off your week.
You run the compliance program. You write the controls, mind the framework mappings, draft the evidence narratives, handle the auditor questions, keep the GRC tool clean, and now you are also expected to govern the AI the rest of the company is already using. Kanonik is the layer that lets your AI do the mechanical parts of that work without producing artefacts an auditor will refuse to accept.
Six capabilities below. Each one names the workflow it removes and the framework references it satisfies.
01 / AI-assisted control work
Draft, review, update controls without losing the trail.
Your AI proposes a control update, an evidence mapping, a framework cross-walk. The Verifier inspects the proposal server-side (deterministic rule layer + independent LLM cross-check), routes it to a human for a signed approval, and chains the whole journey into a tamper-evident audit log. Rejected proposals stay in the chain too. The auditor's question "what did your AI try that you stopped?" has a defensible answer.
The work feels the same as if you had drafted it by hand. The artefact at the end carries the proposal, the verdict, the approval, and the commit, each hashed into the next. Nothing about that chain depends on us. The verification key is yours.
02 / Multi-framework mapping
One control. Six frameworks at once.
Walk the AI through one framework's controls; it proposes mappings into the adjacent frameworks you also have to satisfy. Map a single access-control statement to ISO 27001:2022, SOC 2 Type II, NIST CSF 2.0, HIPAA Security Rule, EU AI Act Article 12, and ISO/IEC 42001 in one pass instead of maintaining six tabs of a spreadsheet by hand.
Every mapping is a structured proposal (source control_id, target control_id, confidence, reasoning) that passes the Verifier and gets signed. The result is a framework graph your auditor can navigate, not a multi-tab spreadsheet you re-reconcile every quarter.
03 / Evidence drafting and auditor handoff
Generate the narrative. Hand over the proof.
The AI drafts the audit response: control description, evidence narrative, summary of who did what when. Each draft enters the chain as a proposal; the approver's signed acceptance is the artefact a SOC 2 Type II or ISO 27001:2022 auditor will accept as evidence. The artefact carries its own provenance.
At audit time you finalise an audit session for a specific framework, scope, and time-box. Kanonik produces a signed bundle (PDF report, JSON event log, ChainRoot signature, public verification key, framework package, canonical-model schemas) that the external auditor verifies offline. They do not trust the vendor. They verify the hash chain themselves with the open-source binary.
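A minimal model of the chain described in the sections above (a structured mapping proposal, its verdict, the approval and the commit, each hashed into the previous event, rejected proposals retained, and an offline re-verification of the whole log), written here as an added example; it is not Kanonik's code or event format, and the control ids, approver name, payloads and the GENESIS constant are constructed for illustration. Signing the chain root with a key is left out; only the hash-chain check is shown.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev-hash of the first event (constructed convention)

def canonical(obj):
    """Deterministic JSON bytes so the same event always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def append_event(chain, kind, payload):
    """Append one event whose hash covers its body and the previous event's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "kind": kind, "payload": payload, "prev": prev}
    digest = hashlib.sha256(canonical(body)).hexdigest()
    chain.append({**body, "hash": digest})
    return digest

def chain_root(chain):
    """The last hash commits to every event before it; this is what a signature would cover."""
    return chain[-1]["hash"] if chain else GENESIS

def verify_chain(chain):
    """Offline check an auditor can run: recompute each hash and prev-link in order.
    Returns (True, None) when intact, else (False, seq of the first bad event)."""
    prev = GENESIS
    for i, ev in enumerate(chain):
        body = {k: v for k, v in ev.items() if k != "hash"}
        if ev.get("seq") != i or ev.get("prev") != prev:
            return False, i
        if hashlib.sha256(canonical(body)).hexdigest() != ev["hash"]:
            return False, i
        prev = ev["hash"]
    return True, None

def build_sample_chain():
    """Constructed sample: one accepted mapping proposal followed by one rejected one."""
    chain = []
    mapping = {"source_control_id": "CTRL-ACCESS-01", "target_control_id": "ISO-A.5.15",
               "confidence": 0.91, "reasoning": "Both require documented access rules."}
    append_event(chain, "proposal", mapping)
    append_event(chain, "verdict", {"rule_layer": "pass", "llm_cross_check": "pass"})
    append_event(chain, "approval", {"approver": "compliance-lead", "decision": "approved"})
    append_event(chain, "commit", {"target": "grc-draft", "ref": "draft-0001"})
    # A rejected proposal stays in the chain: it is the record of what the AI tried.
    rejected = dict(mapping, target_control_id="ISO-A.8.1", confidence=0.42)
    append_event(chain, "proposal", rejected)
    append_event(chain, "verdict", {"rule_layer": "fail", "llm_cross_check": "fail"})
    return chain
```

Editing an approval after the fact, or deleting the rejected proposal, both show up as a verification failure at the first affected event.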
04 / AI governance for the AI you already use
The AI Act sits on your desk. We help you answer it.
Marketing is running Claude. Engineering is running Copilot. Sales has a custom GPT for proposals. Compliance is now expected to write risk register entries for every model in production, capture a model card for each, curate the prompt library, and produce traceability records that satisfy EU AI Act Article 12 and ISO/IEC 42001.
Kanonik captures the model-card metadata, the prompt-library entries, and the per-model risk register lines as structured proposals the Verifier inspects. The same hash chain that covers ISO 27001:2022 work covers the AI governance work. You stop running a parallel spreadsheet to track the AI; the AI governance program lives in the same canonical model.
05 + 06 / Trust layer and model
Your LLM. Our trust layer.
The last two capabilities are architectural. Kanonik turns your own AI into a compliance worker with a non-bypassable Verifier, real human approval, and a tamper-evident audit trail. Write-back to an external GRC platform is a secondary integration point, not the foundation, and the model vendor you bring is yours to choose; we do not lock you to one.
Write back where it matters. Your chain stays intact.
Today. Eramba (Community and Enterprise). AI-proposed changes land as drafts, or as direct writes on the Business tier, with full provenance in the hash chain.
Source systems stay yours. Your AI reaches your evidence (code review, ticketing, identity provider) through its own MCP connections, under your credentials. Kanonik stores the compliance objects and references to evidence, never ingesting those systems.
Direction. Additional write targets are evaluated on demonstrated design-partner demand. The canonical model is the source of truth; a connector is a translation layer, not the product. There is no queued GRC-connector roadmap.
Portability by design. Because the canonical model is independent of any one platform, moving between tools, or running with no external platform at all, does not break the audit trail. Your evidence is yours. Your chain is portable.
Kanonik is model-agnostic. Your AI account stays yours.
Supported providers. Anthropic Claude, OpenAI, AWS Bedrock, Google Gemini, Azure OpenAI. Your account, your key, your billing.
Bring your own model key. The LLM provider stays yours, not ours. Kanonik never becomes a layer between you and your model vendor. If you already have Anthropic on your DPA, that line does not change. We do add ourselves as a sub-processor (one entry); the model vendor does not become a second.
Verifier cross-check is on us. The tier-2 independent LLM cross-check the Verifier runs is paid by Kanonik inside the tier price. No token meters.
Single-invoice procurement? The Kanonik-paid Primary AI add-on (+$25 Solo / +$75 Team / +$150 Business) routes your primary-session usage through our account. Opt-in. BYO key is the default.
Built on the trust layer
Three more the canonical model makes possible.
The same bitemporal canonical model and event stream that carry your controls and evidence also carry the history these three capabilities reason over. They are why the trust layer is worth building, not a bolt-on.
Six workflows removed from your week. One canonical model behind all of them. Your GRC tool, your AI, your auditor relationship - all kept. What changes is that every AI-assisted output now arrives signed, chained, and verifiable.
The proof is the product™.