For the Head of GRC

You'll want: Northbeams Evidence

Walk into your AI audit with the file, not the shrug.

You inherited "AI governance" between the SOC 2 cycle and the EU AI Act deadline. Northbeams is the evidence layer that produces, signs, and delivers AI control evidence to your auditor and your GRC platform. So when the auditor asks, you click Download.

If you're the one person who has to evidence AI across the company, this is the page for you.

You don't need another policy template. You need the artifact. The auditor reads pages, not promises.

01 / The asks landing on your desk in 2026

Four questions. One pack answers all four.

The same telemetry produces evidence for every framework your buyers, regulators, and insurers will ask about. One pack per framework. One control mapping. One signature.

Q2 2026 · From: ISO 42001 consultant

"Send me your Annex A control mapping for the cert audit."

38 controls. Status per control. Evidence sources. Owners. Exceptions with deadlines.

Answer: Evidence Pack · ISO 42001 variant · 9 pages · signed.

Aug 2026 · From: Counsel / EU subsidiary

"What logs do we have for EU AI Act Article 26?"

Deployer obligations enforceable December 2026. Logging, human oversight, monitoring. 6-month minimum retention.

Answer: Evidence Pack · EU AI Act variant · matched to 26(1) through 26(7).

Q3 2026 · From: Vendor security review (Fortune 500 buyer)

"Describe your AI governance with evidence."

Question 41 on every modern vendor security questionnaire. Notion doc + shrug loses the deal.

Answer: Attach Northbeams Evidence Pack. Done in under a minute.

Q4 2026 · From: SOC 2 auditor

"Add AI to your Type II controls this year."

CC6.1, CC7.2, and the CSA AI Controls Matrix. Auditor wants an evidence appendix annexed to the existing Type II.

Answer: Evidence Pack · SOC 2 + AI variant · staples onto your existing report.

02 / How it lands

Three steps. No procurement cycle for the evidence.

01 · Install

One platform across four surfaces.

Browser extension via Chrome Web Store. Desktop app via MDM (Intune, Jamf, Kandji). No proxy, no MITM cert, no network change. The IT lead deploys this; you don't need to fight for it.

02 · Map

Pick your frameworks. Set your scope.

ISO 42001, EU AI Act, NIST AI RMF, SOC 2 + AI. Northbeams maps each control to AUTO / ATTEST / scoped-out. Re-classify rows with reasons. The scope statement is yours; you sign it.

03 · Ship

Generate. Sign. Hand it over.

Pull a pack before a vendor questionnaire, before an audit, or on a monthly schedule. Webhook your GRC platform so it pulls a fresh pack on every control-status change.

03 / Honesty about scope

In the box. Not in the box.

Auditors trust scoping more than blanket claims. Here's what Northbeams' evidence layer covers, and what it doesn't, in writing, on the page they're reading.

In the box

  • Every AI tool your team uses across browser, desktop, CLI, and MCP.
  • Per-user attribution with timestamp and hostname.
  • On-device classifier output: category labels, never raw prompt text.
  • Per-MCP-tool allow / warn / block decisions and the argument hash.
  • Append-only, hash-chained event log. Tamper-evident.
  • Sampled events in the appendix for every AUTO control.
  • Continuous monitoring, daily re-evaluation, webhook on flip.

Not in the box

  • Server-side API token usage that never lands on a browser or desktop.
  • On-prem inference confined to a private network with no client installed.
  • Off-network devices with no Northbeams agent.
  • Anything you don't grant the agent install for. We don't run silently.
  • Policy authorship. You and your counsel own the AI use policy.
  • Replacing your GRC platform. We feed it. We don't replace it.

04 / Compliance tier

Annual. Flat. Not per-seat.

Compliance buyers don't think in seats. The Compliance tier is a line item with a number on it.

Starter

$12,000 / yr

1 framework. Monthly Evidence Pack. 1 GRC integration. 90-day retention.

Pro

$36,000 / yr

All frameworks. On-demand + scheduled. All integrations. Continuous monitoring + alerts.

Enterprise

$72,000+ / yr

SSO, custom controls, 7-year retention, dedicated CSM, contractual SLAs.

Bundle with per-seat Sentinel for an extra 15% off the per-seat side.

You answer once. The pack answers every quarter.

Forward the sample to your auditor. Ask them what's missing. We'll iterate the format with you. Build partners are how we got here; we want more.