Proov evidence bundle
Tamper-evident JSON of every agent, model, MCP tool, credential, and outbound call across your environment. Reproducible, signed with your org key.
SHA-256: 9f2c…e1
A 90-day engagement for regulated teams. We inventory the agents already running in your environment, produce signed evidence your auditor will accept, and leave you with a written governance posture mapped to NIST AI RMF, ISO 42001, EU AI Act, and SOC 2.
From first scan to signed governance posture, end to end.
For Proov to inventory a typical 30-host environment.
NIST AI RMF, ISO 42001, EU AI Act, SOC 2 — cross-walked from a single evidence base.
Talk to OpenAI by mistake when we're done. Egress mapped, by host.
Agents are already in your environment. Most weren't approved, most aren't catalogued, and the regulators arriving next quarter won't accept “we'll write the policy after the breach.”
More agents in production than the average GRC team can name — per scan, before remediation.
Agentic Highway · Q1 2026 cohort, n=18
Until EU AI Act high-risk obligations take effect — audit trails, transparency, post-market monitoring.
Reg. (EU) 2024/1689 · Art. 113 · 02 Aug 2026
Of enterprises have governance mature enough to defend their current AI deployment.
Deloitte State of Generative AI · 2025
We don't sell a platform you have to operate. We arrive, run Proov across your environment, sit alongside your GRC and security teams to build the artifacts, and leave a posture your auditor will recognize.
Everything we produce is reviewable, re-runnable, and yours. No proprietary file formats, no platform you have to keep paying to read your own evidence.
Tamper-evident JSON of every agent, model, MCP tool, credential, and outbound call across your environment. Reproducible, signed with your org key.
Each over-broad credential, unallowlisted egress path, and capability gap recorded with severity, owner, and remediation status — exportable to Jira, Linear, or ServiceNow.
Each finding mapped to the controls it touches across NIST AI RMF, ISO/IEC 42001, EU AI Act, and SOC 2. One evidence base, four auditor conversations.
Acceptable use, agent-approval workflow, model-supplier review, capability-boundary policy, and incident response — drafted for your GRC stack, not a new one.
Review workflows, escalation paths, on-call rotation, re-scan cadence — the operating manual the team running this after we leave will actually use.
A single bound document for your auditor, regulator, or board: scope, evidence, findings, mapping, controls, and the operating model going forward.
We deliberately scope around the people whose names go on the documents that come out of this. Each role gets the artifacts, the review surface, and the language they need.
“I want to know which agents have which credentials, where they call out, and what changes between scans.”
“I need controls mapped to the framework my auditor uses, with evidence I can hand to them tomorrow.”
“I want a process that doesn't slow product down — and a runtime backstop when review isn't enough.”
“I want one document I can put in front of customers, regulators, and the board — and a clear path forward.”
Most of what's on the market is either a checklist consultancy or a SaaS dashboard you have to learn before you can read your own evidence. We do neither.
| | Big-Four advisory | AI governance SaaS | Agentic Highway |
|---|---|---|---|
| Inventory of agents in production // what's actually running | No. Self-attestation interviews. | Partial. If you instrument it. | Yes. Proov scan, signed. |
| Signed, reproducible evidence // auditor-friendly | No. PDF report, point-in-time. | Partial. Locked to platform export. | Yes. SHA-256, your org key. |
| Mapped to four frameworks // NIST · ISO · EU · SOC 2 | Partial. One framework per project. | Partial. Their preferred framework. | Yes. All four, one evidence base. |
| Runtime enforcement option // when review is not enough | No | No | Yes. KelvinClaw, open-source. |
| Time to defensible posture // engagement length | 6–9 months | 3–6 months, self-onboard | 90 days, end-to-end |
| Vendor-neutral // no preferred LLM, no preferred cloud | Partial. Alliances and reseller deals. | No. Tied to specific stacks. | Yes. By design. |
| Recurring platform fee // after engagement ends | No | Yes. Per-seat, annual. | No. Optional Vettd subscription. |
Findings cross-walk into the regulatory and standards frameworks most likely to be in scope for a regulated team this year. Pick the ones that apply to you; the evidence travels.
Govern, Map, Measure, Manage. Findings indexed to the four functions and their subcategories.
Requirements for an AI management system. Mapped to clauses 4–10 and Annex A controls.
High-risk obligations: technical documentation, transparency, logging, post-market monitoring.
CC2 / CC6 / CC7 controls extended to cover agent identity, access, and change management.
Same methodology, different surface area. Smaller teams compress into 30 days; multi-entity groups extend with quarterly re-scans. Final price scoped after the briefing.
A signed inventory and findings register, end-to-end.
// best for: first scan, pre-budget, board demand
The full 90-day program. Most enterprise teams.
// best for: regulated teams, EU AI Act in scope, audit on the calendar
Group-wide rollout with ongoing review surface.
// best for: holding companies, regulated groups, multi-jurisdiction
If yours isn't here, drop it on the briefing call — we'd rather answer in plain English than in writing anyway.
No. Proov runs locally on your hosts and emits a signed JSON bundle to disk. Nothing leaves the host unless you upload it to Vettd. The scan is reproducible and you keep the org key.
No. The deliverables are written to plug into ServiceNow, Drata, Vanta, Archer, OneTrust, or whatever you already run. We export to your registers; we don't ask you to migrate.
The 30-day Proov assessment is built for that. You'll still walk away with a signed inventory and a findings register — the same artifacts, smaller surface area.
Fixed fee for the pilot. Scoped fixed fee for the 90-day engagement, set after the briefing. Retainer for multi-entity programmes. No per-agent or per-seat pricing.
A two-to-three person team: a governance lead (ex-Big-Four or ex-regulator), a platform engineer, and a writer who has shipped policy in your sector. We don't subcontract.
Yes — that's the point. The Proov bundle, cross-walk, and posture pack are designed to be read by external auditors directly. We've sat in on Big-Four, regional, and PCAOB walkthroughs.
No. The private organisational instance is yours. Public registry signals are opt-in, per agent, and useful when you want to vouch for — or warn about — a tool you've reviewed.
We assess them through the same lens: vendor questionnaire, capability surface, data flows. If they're in Vettd already, we use the public review; if not, we file one.
// 30 minutes · no slides · one of the leads on the call · NDA on file by request