One engine.
Every vertical it honestly serves.

One engine. Load a framework catalogue and it assesses — the same spine powers every vertical, in every jurisdiction we ship packs for. The numbers below are read from the engine's own catalogue at build time, never typed in — and where a vertical isn't genuinely covered yet, its page says so.

Consultant-grade depth — full ISM/IRAP catalogue + SAR, Essential Eight ML1–ML3Tier-A breadth — control-level catalogues, evidence-led postureLicence-gated — control IDs + our labels; full text needs your licence
33frameworks live on the engine
18AI-governance instruments on the catalogue
5jurisdictions with AI-governance packs

Pick your vertical

Each page states the pain, which live frameworks serve it, how deep the engine goes today — honestly — and the jurisdictions genuinely covered.
Tier-A breadth

🏦 Banks & APRA-regulated

CPS 230 operational resilience and CPS 234 information security posture from live evidence — board and regulator packs, material-supplier registers, no false green. The engine is the evidence layer; it does not replace an APRA-appointed tripartite reviewer.

Consultant-grade depth

🏛 Government & Defence

ISM/IRAP assessment at the depth an IRAP assessor documents — the full ISM catalogue with SAR generation, Essential Eight across ML1–ML3, evidence mapped control by control. Australia's real moat.

Depth badged per lane

💼 GRC consultants & practices

Every framework live on the engine, one book of work: per-engagement scoping, evidence freshness measured — not asserted — and reports carrying an Evidence Freshness Statement. IRAP-grade on ISM/E8, Tier-A breadth elsewhere.

Tier-A breadth

🧠 AI vendors & providers — GAiaaS

Multi-jurisdiction AI governance from one evidence base — EU AI Act, ISO/IEC 42001, NIST AI RMF, plus every national instrument live on the catalogue, enumerated on the solutions page rather than promised. The one axis where our reach is already genuinely global.

Served via security lens

🏥 Healthcare

OAIC breach duties and buyer security clauses served through ISO 27001, SOC 2, Essential Eight and third-party risk. Honest position: no dedicated health-sector catalogue on the engine today — we say that plainly rather than badge it green.

Served via existing lanes

⚡ Critical infrastructure — SOCI

SOCI risk-management-program obligations served through Essential Eight maturity, ISM depth and third-party risk registers. Honest position: no dedicated SOCI catalogue yet — where an obligation is not covered, the posture says so.

Framework-driven

🌎 Everywhere else

Not a bank, not an agency, not a hospital? The engine is framework-driven, not industry-templated. If your obligations map to the frameworks live on the catalogue, the same machinery serves you — and if they don't, we say so and it goes on the roadmap, not on your report.

Jurisdictions we ship AI-governance packs for today

Enumerated from the live catalogue at build time — a pack that is not on the engine is not on this page.
Australia · 7 instrumentsEuropean Union · 1 instrumentUnited States · 4 instrumentsIndia · 1 instrumentUnited Arab Emirates · 1 instrument

Plus the international instruments:

International — ISOInternational — OECDInternational — UNESCOInternational — UN

Not on this list?

The engine is framework-driven, not industry-templated — if your obligations map to the frameworks live on the catalogue, the same machinery serves you. And if they don't, we say so and it goes on the roadmap, not on your report.

Talk to us →Try the demo →