Compliance roadmap

A public commitment procurement can hold us to.

Kanonik is engineered against federal-grade compliance standards from day one. We are pre-certification. This page documents where we are against each standard and the sequence to certification. Changes land in the change log, not in retroactive edits.

We sell to people who do not accept marketing claims at face value. They should not have to.

How to read this page

For each standard, three things.

Current state. What we have built and what is in motion today.

Target. The next milestone in the certification sequence.

What changes. What becomes available or differently true once the milestone is reached.

Dates are stated as quarters or years rather than specific months. This reflects our actual planning horizon at this stage; tightening to month-level commitments before we have signed customers would be theater.

ISO/IEC 27001:2022

ISMS scope defined. Certification in sequence.

Current state. Information security management system scope defined. Statement of Applicability drafted against Annex A controls. Risk register established. Internal policies for access control, change management, incident response, supplier security, and cryptography written and in operation.

Target. Finalize the Statement of Applicability, then a Stage 1 audit engagement, then Stage 2 audit and certification. We engage the auditor when the program is ready rather than against a fixed public clock.

What changes when achieved. Kanonik becomes formally certified against ISO/IEC 27001:2022. Customers regulated to use only ISO-certified vendors can procure without additional risk review. Certification status will be displayed only at this point.

SOC 2: Type I, then Type II

Auditor selection in progress. Type I, then Type II.

Current state. Auditor selection in progress. System description drafted against Security, Availability, and Confidentiality Trust Services Criteria. Controls documented.

Target. Engagement letter with the auditor, then the Type I report, then a Type II observation period (six to twelve months) beginning immediately after Type I, then the Type II report.

What changes when achieved. Type I demonstrates control design at a point in time. Type II demonstrates operating effectiveness over a six- to twelve-month period. The Type II report is what enterprise procurement typically asks for; Type I serves earlier deals.

NIST SP 800-53 Rev. 5

Engineered against the Moderate baseline. FedRAMP-tracked.

Current state. Architecture engineered against the Moderate baseline. Selected high-baseline controls implemented for the audit log specifically: AU-10 (non-repudiation), SC-12 (cryptographic key establishment and management). Control mapping documented internally.

Target. This standard is not a separate certification track. It is the control baseline that underlies FedRAMP Moderate; achievement of FedRAMP Moderate authorization implies and supersedes any standalone NIST 800-53 claim.

What changes. When customers ask "are you 800-53 aligned," the answer today is "engineered against the Moderate baseline; formal authorization tracks via FedRAMP." Once FedRAMP Moderate authorization is achieved, the answer becomes specific.

FedRAMP Moderate

Engineered from day one. Authorization sponsor-gated.

Current state. Architecture engineered against the FedRAMP Moderate control baseline from initial design. Cloud-portable infrastructure-as-code, FIPS 140-3 validated cryptography for the audit log, per-tenant key separation, immutable logging, and the other controls that FedRAMP Moderate authorization requires are built in. We have not pursued sponsorship or entered any FedRAMP authorization track.

Target. The In Process stage begins once Kanonik holds three federally regulated customers willing to sponsor or co-sponsor. We do not pursue FedRAMP authorization speculatively because the assessment costs run $500K to $2M, and the right path is agency sponsorship driven by real customer demand. Authorization follows once sponsorship and 3PAO assessment scheduling allow.

What changes when achieved. Kanonik is listed on the FedRAMP Marketplace and is eligible for procurement by federal agencies and their regulated supply chain at the Moderate baseline. The terms "FedRAMP Moderate" and "FedRAMP Authorized" become usable on Kanonik marketing materials. Until then, the only defensible language remains "engineered against FedRAMP Moderate baseline."

FedRAMP PMO marketing policy. The FedRAMP Program Management Office controls public use of "FedRAMP" as a status term. Kanonik does not display or imply FedRAMP status it has not earned. The phrase "FedRAMP Moderate" appears on this page only in the context of the control baseline against which Kanonik is engineered, not as a status claim.

ISO/IEC 42001 - AI Management Systems

Engineered for the AI-governance standard your auditor will eventually ask for.

Current state. Architecture engineered against the 42001 control set, anticipating customer demand. The Verifier, the audit log, and the human-in-the-loop approval gates are the core controls relevant to 42001. Internal AI governance policy drafted.

Target. Internal AI governance policy in operation; external certification engagement to follow, contingent on auditor availability. 42001 is new (ratified 2023) and the certifier ecosystem is still maturing.

What changes when achieved. Kanonik becomes one of the early organizations with a formally certified AI management system. This is differentiating because it is what every customer's auditor will eventually ask for.

HIPAA: Security Rule

Architecture supports the Security Rule. BAAs at first onboarding.

Current state. Architecture supports the Security Rule (technical, administrative, and physical safeguards). Business Associate Agreement (BAA) template prepared.

Target. BAAs available for execution with healthcare customers from first onboarding.

What changes. HIPAA does not have a formal certification; HIPAA compliance is a self-attestation. We document the implemented safeguards on the trust layer page and execute BAAs with customers in scope.

GDPR

Operational compliance is continuous.

Current state. Data minimization, purpose limitation, and right-to-erasure (via crypto-erase) implemented. Data Processing Addendum available at kanonik.ai/dpa. EU data residency available.

Target. No certification track exists for GDPR. Operational compliance is continuous.

What changes. Not applicable. Operational compliance is in effect today for any customer that signs the DPA.

Change log

Every material change recorded here.

This page states the certification sequence and posture, not fixed public dates. Material changes - a track abandoned, a sequence reordered, a milestone reached - are recorded here rather than retroactively edited above.

29 May 2026
Reformatted from fixed-date commitments to certification sequence and posture (Stage 1 then Stage 2; Type I then Type II; FedRAMP sponsor-gated; 42001 to follow). The pre-certification honesty and per-standard sequence are unchanged; specific target quarters and years were removed across the body, marginalia, meta, and JSON-LD. Milestones reached will be recorded here.
22 May 2026
SOC 2 Type II language softened from "Q2 2026 scheduled" to "target 2027" - aligning meta tags, JSON-LD, and FAQ schema with the body's existing target tense. No body change.
14 May 2026
Roadmap published.

Why this page exists

The third path between skip-the-vendor and demand-indemnification.

CISOs and procurement officers buying from a pre-certification vendor have a problem: they cannot rely on vendor-provided assurances at face value. The standard response is either to skip the vendor entirely or to demand expensive contractual indemnification.

This page exists to make a third path easier. A public commitment that procurement can hold us to. If a sequence changes, you see it in the change log. If we hit a milestone, you see the updated status. If we abandon a track, you see why.

This is exactly the level of transparency we are building Kanonik to make possible for AI-assisted compliance work generally.

If you are evaluating Kanonik and a specific milestone matters to your procurement timeline, contact [email protected]. We can usually share more detail under NDA than appears on this page, and we can prioritize tracks that have real customer demand behind them.

Sponsorship from a regulated customer can accelerate any track on this page. If you are evaluating Kanonik and a specific certification matters to your procurement timeline, we want to hear about it.

The proof is the product™.