For Auditors

Verify the chain. Not us.

You are reviewing a client whose compliance program has AI in the loop. Their control mappings were drafted by AI; their evidence was assembled by AI; their narratives were written by AI. Your standard request list assumed humans made the changes. Kanonik is built so every AI-assisted change is yours to verify yourself, offline, with cryptographic proof.

You sign off on the autonomy. Not us.

The defense most AI-in-GRC tools cannot mount

What you are asked to take on faith.

Most AI-in-GRC offerings retain the AI-generated artifact and discard the trail behind it. The audit defense becomes: the vendor logged it; the AI proposed it; the human approved it; trust the vendor's reconstruction. For NIST 800-53 AU-10 (non-repudiation), AU-11/AU-12 (record retention and generation), and EU AI Act Article 12 (traceability over the lifetime of the system), that is not a defense. It is the absence of evidence.

The Kanonik trust layer

Every reasoning step, recorded and signed.

Every step of every AI-assisted change is captured as a structured event, hashed, chained, and signed with the customer's tenant key. The event store is append-only at the database layer; tampering with any past event breaks the chain detectably. The chain head is the customer's primary integrity anchor. The bundle you receive at session close lets you verify it on your own laptop, without contacting us. The full layer-by-layer architecture is on the How it works page; the control mappings and cryptographic detail are on the Security page.

The auditor journey

Four stages. All four signed.

For every framework, scope, and time-box you accept as auditor of record, Kanonik produces four stages, each gated by the Verifier and recorded in the chain. You issue the same opinions you always have. The trust layer is what makes them defensible.

01 Engagement
The customer's compliance lead opens an AuditSession for a framework, a control scope, a time-box, and a named auditor principal. The Verifier checks the scope coheres with the framework, runs a cross-check on whether the scope is implausibly narrow or broad, and refuses if it cannot reconcile. Approval signs the session into existence.

02 Fieldwork
For each control in scope you retrieve evidence, reason about sufficiency, and record an AuditFinding with an opinion from a fixed enum, at least one evidence reference, and your notes. The Verifier checks the control is in scope, the opinion is valid, and the evidence references resolve. Then it runs a cross-check on whether the evidence supports the opinion. The approval is gated; the chain captures the verdict and your reasoning together.

03 Close
You call finalize_audit_session. The server runs the completeness check: every control in scope has exactly one finding, or finalization is refused and the gaps are returned. If complete, the chain head is force-signed at the finalize event, the bundle is produced, and the session transitions to sealed. After sealing, the session is immutable.

04 Post-audit
You keep the bundle. The customer keeps the bundle. The events stay immutable in the canonical store. Next year's audit opens with last year's findings queryable as priors. The same hash chain anchors both years.
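The fieldwork gate (stage 02) and the completeness check at close (stage 03), as an added example that is not Kanonik's own code. The page does not publish the AuditFinding or AuditSession schemas, the opinion enum values, or how evidence references are resolved, so the Finding and Session types, the three opinion names, the control ids and the evidence ids below are assumptions. Only the structural checks the page lists are modelled; the semantic cross-check (whether the evidence supports the opinion) is not.

```go
package main

import (
	"fmt"
	"strings"
)

// validOpinions stands in for the fixed opinion enum; the real values are not on the page.
var validOpinions = map[string]bool{"effective": true, "deficient": true, "not_applicable": true}

// Finding is an assumed shape for an AuditFinding: control id, opinion, evidence refs, notes.
type Finding struct {
	Control  string
	Opinion  string
	Evidence []string
	Notes    string
}

// Session is an assumed shape for an AuditSession: scope, resolvable evidence ids, findings, seal.
type Session struct {
	Scope    []string
	Evidence map[string]bool
	Findings []Finding
	Sealed   bool
}

// CheckFinding is the structural gate of stage 02: session not sealed, control in scope, opinion
// from the enum, at least one evidence reference, every reference resolves. The semantic
// cross-check (does the evidence support the opinion?) is not modelled here.
func (s *Session) CheckFinding(f Finding) error {
	inScope := false
	for _, c := range s.Scope {
		inScope = inScope || c == f.Control
	}
	switch {
	case s.Sealed:
		return fmt.Errorf("session is sealed; it no longer accepts findings")
	case !inScope:
		return fmt.Errorf("control %s is not in scope", f.Control)
	case !validOpinions[f.Opinion]:
		return fmt.Errorf("opinion %q is not a valid enum value", f.Opinion)
	case len(f.Evidence) == 0:
		return fmt.Errorf("finding for %s cites no evidence", f.Control)
	}
	for _, ref := range f.Evidence {
		if !s.Evidence[ref] {
			return fmt.Errorf("evidence reference %s does not resolve", ref)
		}
	}
	return nil
}

// RecordFinding runs the gate and appends the finding only when it passes.
func (s *Session) RecordFinding(f Finding) error {
	if err := s.CheckFinding(f); err != nil {
		return err
	}
	s.Findings = append(s.Findings, f)
	return nil
}

// CompletenessGaps is the stage 03 check: every control in scope has exactly one finding.
// It returns the in-scope controls with no finding and those with more than one, in scope order.
func (s *Session) CompletenessGaps() (missing, duplicated []string) {
	counts := map[string]int{}
	for _, f := range s.Findings {
		counts[f.Control]++
	}
	for _, c := range s.Scope {
		if counts[c] == 0 {
			missing = append(missing, c)
		} else if counts[c] > 1 {
			duplicated = append(duplicated, c)
		}
	}
	return missing, duplicated
}

// Finalize refuses while gaps remain and returns them; otherwise it seals the session.
func (s *Session) Finalize() error {
	missing, duplicated := s.CompletenessGaps()
	if len(missing)+len(duplicated) > 0 {
		return fmt.Errorf("finalize refused: missing=[%s] duplicated=[%s]", strings.Join(missing, " "), strings.Join(duplicated, " "))
	}
	s.Sealed = true
	return nil
}

func main() {
	// Constructed session: three controls in scope, two evidence ids that resolve.
	s := &Session{Scope: []string{"A.5.1", "A.5.2", "A.8.1"}, Evidence: map[string]bool{"ev-001": true, "ev-002": true}}
	fmt.Println(s.RecordFinding(Finding{Control: "A.5.1", Opinion: "effective", Evidence: []string{"ev-001"}}))
	fmt.Println(s.RecordFinding(Finding{Control: "A.9.9", Opinion: "effective", Evidence: []string{"ev-001"}}))
	fmt.Println(s.Finalize()) // refused: A.5.2 and A.8.1 still have no finding
	fmt.Println(s.RecordFinding(Finding{Control: "A.5.2", Opinion: "deficient", Evidence: []string{"ev-002"}}))
	fmt.Println(s.RecordFinding(Finding{Control: "A.8.1", Opinion: "not_applicable", Evidence: []string{"ev-001"}}))
	fmt.Println(s.Finalize(), s.Sealed)
}
```

Run with go run: the out-of-scope control is rejected at the gate, the first Finalize is refused and names the two controls without a finding, the second Finalize succeeds and seals the session, after which RecordFinding refuses further input, which is the immutability the page describes for a sealed session.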

The bundle

Eight artifacts. Verifiable offline.

Produced by finalize_audit_session and downloadable as a single archive. You verify on your own machine. No connection to Kanonik is required for the verification step.

MANIFEST.json
Tenant, session, framework, signing key id, schema versions, generation timestamp, file checksums.
events.jsonl
Every session-scoped event in sequence, with embedded Verifier verdicts and approval-token consumption records.
chain_root.json
The signed ChainRoot covering every event up to and including the finalize event.
public_key.pem
The verification key for chain_root.json. Algorithm specifics available under NDA.
schemas/
Canonical-model JSON schemas at the exact versions referenced by the events in this session.
framework/
The framework package as loaded at finalize time (e.g. iso27001-2022.json).
report.pdf
The human-readable audit report. Cover page, per-control sections (opinion, evidence references, Verifier verdict summary, your notes), and chain-of-proof appendix.
VERIFY.md
Step-by-step instructions for verifying the chain offline with the open-source binary.
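An offline verifier for the bundle, as an added example serving both the trust-layer description above and this artifact list; it is not Kanonik's open-source binary and does not use its real formats. The page does not publish the event schema, the hash construction, the genesis anchor, the signed message layout, or the signature algorithm (those are under NDA), so the Event and ChainRoot layouts, SHA-256 chaining over canonical JSON, the all-zero genesis anchor, the head:count message, and the Ed25519 signature are all assumptions. What it does follow is the procedure VERIFY.md is described as covering: recompute the chain from events.jsonl, compare head and count with chain_root.json, and check the root signature under the key from public_key.pem, with no network access. The sample bundle is constructed inside the code with a throwaway key standing in for the tenant key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Event is an assumed layout for one events.jsonl line; Kanonik's real schema is not on the page.
type Event struct {
	PrevHash string            `json:"prev_hash"`
	Type     string            `json:"type"`
	Data     map[string]string `json:"data"`
	Hash     string            `json:"hash,omitempty"`
}

// ChainRoot is an assumed layout for chain_root.json: head hash, event count, Ed25519 signature.
type ChainRoot struct {
	HeadHash   string `json:"head_hash"`
	EventCount int    `json:"event_count"`
	Signature  string `json:"signature"`
}

// eventDigest hashes the event with its own hash cleared (omitempty drops it); struct fields
// marshal in fixed order and map keys sorted, so the bytes are canonical for this schema.
func eventDigest(e Event) string {
	e.Hash = ""
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// rootMessage is the byte string the tenant key signs: chain head plus event count (assumed).
func rootMessage(head string, count int) []byte { return []byte(fmt.Sprintf("%s:%d", head, count)) }

// RecomputeChain replays events.jsonl: each prev_hash must equal the previous event's hash and
// each stored hash must equal the recomputed digest. Returns the chain head and event count.
func RecomputeChain(eventsJSONL string) (string, int, error) {
	prev, count := strings.Repeat("0", 64), 0 // all-zero genesis anchor is an assumption
	for _, line := range strings.Split(strings.TrimSpace(eventsJSONL), "\n") {
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil || e.PrevHash != prev {
			return "", 0, fmt.Errorf("event %d: does not parse or does not link to the previous event", count)
		}
		if eventDigest(e) != e.Hash {
			return "", 0, fmt.Errorf("event %d: stored hash does not match its content", count)
		}
		prev, count = e.Hash, count+1
	}
	return prev, count, nil
}

// VerifyBundle is the offline check: recompute the chain, compare it with chain_root.json, and
// verify the root signature under the key from public_key.pem. No network access is involved.
func VerifyBundle(eventsJSONL, chainRootJSON string, pub ed25519.PublicKey) error {
	var root ChainRoot
	if err := json.Unmarshal([]byte(chainRootJSON), &root); err != nil {
		return fmt.Errorf("chain_root.json: %w", err)
	}
	head, count, err := RecomputeChain(eventsJSONL)
	if err != nil {
		return err
	}
	if head != root.HeadHash || count != root.EventCount {
		return fmt.Errorf("recomputed chain (%d events) does not match the signed root", count)
	}
	sig, err := hex.DecodeString(root.Signature)
	if err != nil || !ed25519.Verify(pub, rootMessage(root.HeadHash, root.EventCount), sig) {
		return fmt.Errorf("chain_root.json signature does not verify under the supplied key")
	}
	return nil
}

// BuildSampleBundle constructs a three-event session and signs its root with a freshly generated
// key standing in for the tenant key. Every value here is made up for the example.
func BuildSampleBundle() (eventsJSONL, chainRootJSON string, pub ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	steps := []Event{
		{Type: "audit_session_opened", Data: map[string]string{"framework": "iso27001-2022", "scope": "A.5.1,A.5.2"}},
		{Type: "audit_finding_recorded", Data: map[string]string{"control": "A.5.1", "opinion": "effective"}},
		{Type: "audit_session_finalized", Data: map[string]string{"status": "sealed"}},
	}
	prev, lines := strings.Repeat("0", 64), []string{}
	for _, e := range steps {
		e.PrevHash = prev
		e.Hash = eventDigest(e)
		b, _ := json.Marshal(e)
		lines, prev = append(lines, string(b)), e.Hash
	}
	root := ChainRoot{HeadHash: prev, EventCount: len(steps)}
	root.Signature = hex.EncodeToString(ed25519.Sign(priv, rootMessage(prev, len(steps))))
	rb, _ := json.Marshal(root)
	return strings.Join(lines, "\n") + "\n", string(rb), pub
}

func main() {
	events, root, pub := BuildSampleBundle()
	fmt.Println("intact bundle:", VerifyBundle(events, root, pub))
	tampered := strings.Replace(events, `"opinion":"effective"`, `"opinion":"deficient"`, 1)
	fmt.Println("tampered bundle:", VerifyBundle(tampered, root, pub))
}
```

Run with go run: the intact bundle verifies, and editing one event's payload after signing makes its stored hash stale, so the chain check fails before the signature is even examined. Dropping the last event or swapping in a different public key fails at the root comparison or the signature step respectively. Against a real bundle the key would be read from public_key.pem with encoding/pem and crypto/x509's ParsePKIXPublicKey rather than generated in memory, and the MANIFEST.json checksums would be recomputed over each file first.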

Channel architecture

$0 for the auditor of record. On every paid tier.

The auditor reviewing a Kanonik customer's program gets read-only access to the live system and the Auditor Export generator at no charge. Solo, Team, Business, Enterprise: same deal. You see what the client sees. You verify what they verify. You do not pay.

This is intentional. Auditors are our channel, not our adversary. We do not charge the people whose recommendation determines whether the customer's compliance investment was sound.

Request access

Set up in one business day.

If you are auditing a Kanonik customer, email [email protected] with your name, firm, and the client's name. We provision your read-only access within one business day. If your client has not onboarded yet, we coordinate.

If you are evaluating Kanonik for your own intake but are not yet engaged on a customer's program, contact us at the same address. We walk through the architecture and the verification toolchain, including the open-source verifier you run yourself to recompute the chain offline.

An audit defense built on architecture, not policy. A bundle you verify offline. A signing key you trust because the math holds, not because we claim it.

The proof is the product™.