Compliance roadmap

A public, dated commitment procurement can hold us to.

Last updated 22 May 2026. Slipped dates are recorded in the change log rather than retroactively edited.

Kanonik is engineered against federal-grade compliance standards from day one. We are pre-certification. This page documents where we are against each standard and when we expect to be authorized. It is updated as milestones change. Material changes are also announced via the waitlist.

This page exists because we sell to people who do not accept marketing claims at face value, and they shouldn't have to.


How to read this page

For each standard, three things are listed: its current state, a target date, and what changes once the milestone is achieved.

A target date that slips is documented in the change log at the bottom. We do not retroactively edit dates.

Dates are stated as quarters or years rather than specific months. This reflects our actual planning horizon at this stage; tightening to month-level commitments before we have signed customers would be theater.


ISO/IEC 27001:2022

Current state. Information security management system (ISMS) scope defined. Statement of Applicability drafted against Annex A controls. Risk register established. Internal policies for access control, change management, incident response, supplier security, and cryptography written and in operation.

Target. Final Statement of Applicability published in 2026. Stage 1 audit engagement scheduled in 2027. Stage 2 audit and certification target later in 2027.

What changes when achieved. Kanonik becomes formally certified against ISO/IEC 27001:2022. Customers regulated to use only ISO-certified vendors can procure without additional risk review. Certification status will be displayed only at this point.


SOC 2: Type I, then Type II

Current state. Auditor selection in progress. System description drafted against Security, Availability, and Confidentiality Trust Services Criteria. Controls documented.

Target. Engagement letter with auditor signed in 2026. Type I report received in 2027. Type II observation period begins immediately following Type I; Type II report target later in 2027.

What changes when achieved. Type I demonstrates control design at a point in time. Type II demonstrates operating effectiveness over a 6- to 12-month period. The Type II report is what enterprise procurement typically asks for; Type I serves earlier deals.


NIST SP 800-53 Rev. 5

Current state. Architecture engineered against the Moderate baseline. Selected high-baseline controls implemented for the audit log specifically: AU-10 (non-repudiation), SC-12 (cryptographic key establishment and management). Control mapping documented internally.

Target. This standard is not a separate certification track. It is the control baseline that underlies FedRAMP Moderate; achievement of FedRAMP Moderate authorization implies and supersedes any standalone NIST 800-53 claim.

What changes. When customers ask "are you 800-53 aligned," the answer today is "engineered against the Moderate baseline; formal authorization tracks via FedRAMP." Once FedRAMP Moderate authorization is achieved, the answer becomes specific.


FedRAMP Moderate

Current state. Architecture engineered against the FedRAMP Moderate control baseline from initial design. Cloud-portable infrastructure-as-code, FIPS 140-3 validated cryptography for the audit log, per-tenant key separation, immutable logging, and the other controls that FedRAMP Moderate authorization requires are built in. We have not pursued sponsorship or entered any FedRAMP authorization track.

Target.

What changes when achieved. Kanonik is listed on the FedRAMP Marketplace and is eligible for procurement by federal agencies and their regulated supply chain at the Moderate baseline. The terms "FedRAMP Moderate" and "FedRAMP Authorized" become usable on Kanonik marketing materials. Until then, the only defensible language remains "engineered against FedRAMP Moderate baseline."

Compliance with the FedRAMP PMO marketing policy. The FedRAMP Program Management Office controls the public use of "FedRAMP" as a status term. Kanonik does not display or imply FedRAMP status it has not earned. The phrase "FedRAMP Moderate" appears on this page only in the context of the control baseline against which Kanonik is engineered, not as a status claim.


ISO/IEC 42001: AI Management Systems

Current state. Architecture engineered against the 42001 control set, anticipating customer demand. The Verifier, the audit log, and the human-in-the-loop approval gates are the core controls relevant to 42001. Internal AI governance policy drafted.

Target. Internal AI governance policy finalized in 2026. External certification engagement target 2027, contingent on auditor availability. 42001 is new (ratified 2023) and the certifier ecosystem is still maturing.

What changes when achieved. Kanonik becomes one of the early formally certified AI management systems. This is differentiating because it is what every customer's auditor will eventually ask for.


HIPAA: Security Rule

Current state. Architecture supports the Security Rule (technical, administrative, and physical safeguards). Business Associate Agreement (BAA) template prepared.

Target. BAAs available for execution with healthcare customers from first onboarding.

What changes. HIPAA does not have a formal certification; "HIPAA compliance" is a self-attestation. We will document the implemented safeguards in the security page and execute BAAs with customers in scope.


GDPR

Current state. Data minimization, purpose limitation, and right-to-erasure (via crypto-erase) implemented. Data Processing Addendum (DPA) available at kanonik.ai/dpa. EU data residency available.

Target. No certification track exists for GDPR. Operational compliance is continuous.

What changes. N/A. Operational compliance is in effect today for any customer that signs the DPA.


Change log

This log records every material change to the roadmap. Slipped dates are recorded here rather than retroactively edited above.

Date: Change

22 May 2026: SOC 2 Type II language softened from "Q2 2026 scheduled" to "target 2027" (aligning meta tags, JSON-LD ItemList, and the security FAQ schema with the body's existing target tense). No body change.

14 May 2026: Roadmap published.

Why this page exists

CISOs and procurement officers buying from a pre-certification vendor have a problem: they cannot rely on vendor-provided assurances at face value. The standard response is either to skip the vendor entirely or to demand expensive contractual indemnification.

This page is meant to make a third path easier: a public, dated commitment that procurement can hold us to. If we slip a date, you'll see it in the change log. If we hit a milestone, you'll see the updated status. If we abandon a track, you'll see why.

This is exactly the level of transparency we are building Kanonik to make possible for AI-assisted compliance work generally.


Questions

If you are evaluating Kanonik and a specific milestone matters to your procurement timeline, contact [email protected]. We can usually share more detail under NDA than appears on this page, and we can prioritize tracks that have real customer demand behind them.

Need a milestone earlier than listed?
Talk to us.

Sponsorship from a regulated customer can accelerate any track on this page. If you are evaluating Kanonik and a specific certification matters to your procurement timeline, we want to hear about it.