Six workflows Kanonik removes from your week, grouped by what they replace rather than by feature checklist. Tier availability and what becomes available as you grow are noted on each. The whole page is one mental model: the AI proposes, the Verifier checks, you approve, the chain records. Across every framework you cover.
Your AI proposes a control update, an evidence mapping, a framework cross-walk. The Verifier inspects the proposal server-side (deterministic rule layer + independent LLM cross-check), routes it to a human for a signed approval, and chains the whole journey into a tamper-evident audit log. Rejected proposals are kept too. The auditor's question "what did your AI try that you stopped?" has a defensible answer.
Walk the AI through one framework's controls; it proposes mappings into the adjacent frameworks you also have to satisfy. Every mapping is a structured proposal (control_id source, control_id target, confidence, reasoning) that passes the Verifier and gets signed. The result is a framework graph your auditor can navigate, not a multi-tab spreadsheet maintained by hand.
Drafting evidence narratives, audit response packages, control descriptions: the same generative AI work that compliance teams already do informally, but with the trail intact. Every draft enters the chain as a proposal; the approver's signed acceptance is the artefact a SOC 2 or ISO 27001 auditor will accept as evidence. The artefact carries its own provenance.
At audit time, the customer's compliance officer finalises an audit session for a specific framework, scope, and time box. Kanonik produces a signed bundle (PDF report, JSON event log, ChainRoot signature, public verification key, framework package, canonical-model schemas) that the external auditor verifies offline. The auditor doesn't trust the vendor; they verify the hash chain themselves.
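The offline check described above, sketched as an added example; this is not Kanonik's code or its bundle format. The event fields, the SHA-256 linking rule and the genesis value are assumptions, and the trusted root is assumed to have already been authenticated against the bundle's signature and public verification key.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the first event's prev link

def event_hash(prev_hash, body):
    # Hash the previous link together with a canonical JSON encoding of the body.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()

def build_chain(bodies):
    # Producer side: link each event to the hash of the one before it.
    chain, prev = [], GENESIS
    for body in bodies:
        digest = event_hash(prev, body)
        chain.append({"prev": prev, "body": body, "hash": digest})
        prev = digest
    return chain

def verify_chain(events, trusted_root):
    """Return (True, None), or (False, i) where i is the first bad position.
    i == len(events) means the log does not end at the trusted root."""
    prev = GENESIS
    for i, ev in enumerate(events):
        if ev["prev"] != prev or event_hash(prev, ev["body"]) != ev["hash"]:
            return False, i
        prev = ev["hash"]
    return (True, None) if prev == trusted_root else (False, len(events))

# Constructed sample log (hypothetical field names): one approved and one
# rejected cross-walk proposal, each followed by the human decision.
SAMPLE = [
    {"type": "proposal", "id": "p1", "source": "SRC-1", "target": "TGT-1",
     "confidence": 0.9, "reasoning": "same access-review requirement"},
    {"type": "verifier", "id": "p1", "result": "pass"},
    {"type": "decision", "id": "p1", "outcome": "approved", "approver": "alice"},
    {"type": "proposal", "id": "p2", "source": "SRC-2", "target": "TGT-9",
     "confidence": 0.4, "reasoning": "loosely related wording"},
    {"type": "decision", "id": "p2", "outcome": "rejected", "approver": "alice"},
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE)
    root = chain[-1]["hash"]
    print(verify_chain(chain, root))      # intact log
    print(verify_chain(chain[:3], root))  # rejected proposal dropped from the end
```

Dropping the rejected proposal, editing its outcome, or rewriting the tail and recomputing the hashes all fail verification against the authenticated root, which is what makes the record of rejected proposals defensible.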
Kanonik sits between your AI and the GRC tool you already pay for. Eramba is the live connector today; Vanta, Drata, Hyperproof, ServiceNow GRC ship as the cohort signal commits. The connector model is the same in every case: read everything, draft-write where the underlying platform supports it, direct-write only with explicit per-entity-type authorization. Round-trip fidelity tested; canonical model versioned independently.
The same architecture serves the buyer whose tool works and the buyer whose tool is a trap. Today Kanonik sits on top of your current platform with no migration in. When source and destination connectors both exist, the canonical model lets you read evidence out of one tool, walk it through Kanonik, and commit into the next; the audit chain spans the transition. Your evidence is yours. Your chain is portable. Switching tools no longer means losing the proof that defended you last cycle.
Anthropic Claude, OpenAI, AWS Bedrock, Google Gemini, Azure OpenAI: your existing account, your existing key, your existing billing. Kanonik never sees your conversation or your token usage. The Verifier's internal tier-2 LLM cross-check is paid by Kanonik in the tier price (no token meters, ever). Procurement requires one SaaS invoice? The Kanonik-paid Primary AI add-on (+$25 Solo / +$75 Team / +$150 Business) flows your primary-session usage through our account.
Three capabilities the architecture was designed for from day one, building when the cohort signal justifies the work. We mention them here because the schema fields, the event-store contracts, and the canonical model already carry them; shipping is implementation, not a rewrite.
These are architectural commitments, not Phase 0 features. We name them so the schema decisions you'd want for them are visible: building these later costs an order of magnitude more than designing for them on day one. We designed for them on day one.
Six architectural primitives, the canonical mapping to NIST AU-10/11/12 and EU AI Act Article 12, the engineering posture and threat model.