Mairit · For compliance teams

Your AI is drafting compliance documentation. Make sure a qualified human signed it off.

Mairit plugs into the AI your compliance team already uses and routes risk assessments, control narratives, and audit responses to a qualified compliance reviewer before they're filed. In-house leads first. Vetted external auditors when independence is required. Audit trail that holds up to SOC 2, ISO 27001, GDPR, and your external auditor.

Works inside the agents your teams already use
Claude · ChatGPT · Drata · Vanta · Secureframe · Any MCP agent
Claude · soc2-cc6.1-control-narrative-v3.md
/review
 
mairit  Detected: SOC 2 control narrative (CC6.1, logical access). 3 qualified reviewers available.
1 Diane Marchetti · Head of Compliance (internal)
  76 control reviews · available now · ~22 min
2 Femi Adebayo · Senior GRC Analyst (internal)
  logical-access domain · backlog 2h · ~30 min
3 Senior SOC 2 auditor · Mairit network · $260
  Big 4 background · 200+ engagements · ~25 min
mairit  Sending to Diane. Control-mapped and signed off, back in your agent.
The problem

AI is drafting compliance documentation faster than your auditor's questions come back.

Your compliance team rolled out AI for documentation this year. Risk assessments, control narratives, evidence summaries. The output looks audit-ready. Some is. Some isn't. The auditor finds out in fieldwork.

01

AI-generated compliance docs are up 10x. Qualified review isn't.

Risk assessments drafted by ChatGPT. Control narratives written by Claude. Audit responses generated by your GRC tool's AI. Filed in minutes. Approved in hours. Failed in fieldwork when the auditor asks how the control actually operates.

02

Your senior compliance leads are the safety net. They know it.

The Head of Compliance catching the misstated control. The senior GRC analyst noticing the AI summarised an exception as if it were a standard control. The CISO who realises the AI conflated detective and preventive controls. They're the safety net, but the safety net has holes when the volume jumps tenfold. The narratives that need their hours don't get them.

03

Your auditor will not accept 'the AI drafted it.'

SOC 2 attestation requires management's assertion, not an AI's draft. ISO 27001 certification requires evidence of a working ISMS, not AI-generated narratives. GDPR Article 30 records, NIS2 risk assessments, and DORA ICT third-party registers all require human accountability. Right now, your evidence of qualified review is the compliance team's signature on something an AI wrote. That's not going to hold up at fieldwork.

How it works

The review gate, inside your agent.

One command. The right reviewer. Reviewed compliance doc back in minutes. No more chasing senior reviewers, no more rework after the auditor's first round, no more late-night SOC 2 scrambles.

1

AI finishes the work

An AI-drafted control narrative. A risk assessment. An audit response. A vendor security review. Something that would normally sit in a queue waiting for the Head of Compliance to find a free hour.

vanta finished drafting cc6.1-narrative.md
2

One command invokes Mairit

Type /review. Mairit reads the work, identifies the domain, and surfaces the two or three people best placed to check it.

/review
   3 reviewers matched
3

A qualified human reviews

Your in-house compliance lead by default. A vetted external auditor from our network when independence or specialist expertise is needed. Structured rubric. Control accuracy, evidence linkage, framework mapping. No essays.

diane.marchetti reviewing · 14 of 18
4

Back in your agent, attested

Reviewed compliance doc returns inline. Cryptographically signed by a qualified compliance reviewer. Audit-logged. Framework-mapped. Ready to file with a record that holds up to your external auditor and your certification body.

review complete
   attested · ready to ship
20 to 30 min
Typical end-to-end review time, request to attested filing
3×
More AI-generated compliance docs reviewed without adding compliance headcount
100%
Audit-logged, signed, and ready for SOC 2, ISO 27001, and external audit
Today vs. with Mairit

What filing AI-generated compliance documentation looks like today vs. with Mairit.

Same CC6.1 narrative. Two very different findings.

Today
  • 01 File as-is. Hope the auditor doesn't ask how the control actually operates.
  • 02 Senior reviewer rewrites in fieldwork. 3 hours per control.
  • 03 Slack the CISO for sign-off. Wait three days.
  • 04 Auditor finds gap. Add control deficiency to the report.
With Mairit
  • Type /review. Pick a reviewer.
  • 28 minutes later, reviewed doc in the agent.
  • Compliance lead sign-off, cryptographically attested.
  • Full audit trail. Compliance, security, and external auditor all happy.
Use cases

Three motions at launch. The ones where getting it wrong becomes a control deficiency.

Risk assessments. Control narratives. Audit responses. The compliance work that needs qualified review before it's filed.

The narratives your team drafts. The ones the auditor reads first.

Your compliance team uses AI to draft SOC 2, ISO 27001, and PCI control narratives. Today senior review happens in fieldwork, when the auditor asks how the control operates and the answer doesn't match the narrative. With Mairit, every AI-drafted control narrative routes to a qualified compliance reviewer for an accuracy and evidence-linkage check before filing. Misstated controls flagged. Missing evidence references caught. Framework drift surfaced.

  • SOC 2, ISO 27001, PCI DSS, HIPAA, NIST control narratives
  • Compliance lead sign-off in 25 minutes, not 3 days of cross-team chasing
  • Built on your control library, your evidence repository, and your framework mappings
Request a pilot
Sample review · SOC 2 CC6.1 logical access narrative
⚠ Control accuracy: Narrative describes MFA as enforced for 'all users.' Service accounts and break-glass IDs are exceptions. Document carve-out.
⚠ Evidence linkage: Cited evidence ID is from Q4. Auditor scope is Q1. Update to Q1 evidence pull.
Note: Detective control description (access reviews) is accurate and well-evidenced.
✓ Approved: After exception documented and Q1 evidence linked. Ready for fieldwork.

The risk assessments your team produces. The ones that drive every control decision downstream.

Annual risk assessments. Vendor risk reviews. Privacy impact assessments. The AI is great at the first draft. Dangerous when it overstates a control or understates a risk. Mairit puts a senior compliance reviewer between the AI draft and the risk register, with a structured check on threat modelling, control coverage, and residual-risk rating.

  • Annual risk assessments, vendor risk reviews, privacy impact assessments, DPIAs
  • Threat-coverage and residual-risk-rating sanity check built into the rubric
  • Frameworks aligned: ISO 27005, NIST 800-30, ENISA, GDPR Art 35
Request a pilot
Sample review · Vendor risk assessment, AI sub-processor
⚠ Residual-risk rating: AI rates residual risk 'low' after applying compensating control. Compensating control is 'planned,' not implemented. Adjust to 'medium' until live.
⚠ Threat coverage: Data exfiltration via model training not addressed. Add explicit clause-level review of vendor's no-training term.
Note: Vendor SOC 2 evidence cited correctly. Date in scope.
✓ Approved: After residual-risk rating adjusted and exfiltration clause added. Ready for risk register.

The responses your team sends auditors. The ones that determine whether you pass.

Audit walkthroughs. Evidence requests. Management responses to findings. AI is fluent at writing what an auditor wants to read. Dangerous when 'what the auditor wants to read' diverges from 'what the control actually does.' Mairit routes every audit response to a senior compliance lead with the actual evidence at hand and a factual-accuracy check.

  • Walkthrough responses, evidence summaries, management responses to findings, remediation plans
  • Factual-accuracy and evidence-citation check built into the rubric
  • Misalignment between narrative and evidence flagged before send
Request a pilot
Sample review · Management response to finding, access review cadence
⚠ Factual accuracy: Response says 'access reviews are quarterly.' Last review was 5 months ago. Acknowledge the gap, document remediation.
⚠ Remediation plan: Plan says 'will implement automated reviews.' No timeline, no owner. Add both.
Note: Acknowledgement of finding is appropriate. Defensiveness avoided.
✓ Approved: After factual correction, gap acknowledgement, and timeline + owner added. Ready to send to auditor.
Built for the compliance stack

The review infrastructure your team has been quietly asking for.

MCP-native. Directory-aware. Attested. Built for the work your team actually produces.

Routing

Your compliance leads first. External auditors when independence is required.

Mairit reads your compliance directory and knows which of your reviewers are qualified for what framework, what control domain, and what audit motion. They're the default reviewers. When independence is required (or domain expertise is needed), Mairit falls back to a curated network of CISA, CRISC, and Big 4-trained external auditors you don't have to manage.

  • Framework qualifications (SOC 2, ISO 27001, PCI, HIPAA), control domains, and certifications tracked
  • Matching is explained, not black-boxed. You always see why
  • 80+ vetted external auditors across SOC 2, ISO, PCI, HIPAA, GDPR, and NIS2
Reviewer options for this review
Diane Marchetti
Head of Compliance · 76 reviews
Internal
Femi Adebayo
Senior GRC Analyst · domain
Internal
Senior SOC 2 auditor
SOC 2 auditor · 200+ engagements
External
Rubrics

Structured checks. Not free-form narrative review.

Reviewers don't write three paragraphs of compliance commentary. They answer a rubric built for the specific motion. 18 questions for a control narrative. 16 for a risk assessment. 14 for an audit response. Faster for them. Consistent across the team. Defensible at certification.

  • Rubrics designed with senior compliance leads, CISOs, and Big 4 auditors
  • Review time typically 25 to 40 minutes, not 3 hours of fieldwork rework
  • Free-text notes stay where compliance judgment actually needs them
Control narrative rubric
  • Control accuracy (matches operation)
  • Evidence linkage (in scope)
  • Framework mapping correct
  • Exceptions and carve-outs documented
  • Detective vs. preventive distinction
  • Frequency and ownership stated
  • 12 more...
Attestation

Every doc, signed. Every filing, logged.

When a compliance reviewer attests, it's cryptographically bound to their identity, their certification (CISA, CRISC, CIPM where applicable), and the timestamp. Every material action produces an immutable audit record. When your external auditor, your certification body, or a regulator asks who reviewed what and when, you export the answer in one click. In a format that maps to SOC 2, ISO 27001, GDPR Article 30, NIS2, and DORA evidence requirements.

  • Cryptographic attestation tied to a named, certified compliance reviewer
  • Tamper-evident audit log, CSV and JSON export
  • SOC 2, ISO 27001, GDPR Art 30, NIS2, DORA export templates included
Audit record · review #3741
Reviewer · certified · signed
diane.marchetti@company.com
Ed25519 · CISA #29481 · 2026-04-22 10:48Z
Review rubric
control-narrative-v3.0
18 questions · 2 flags raised · 1 evidence update
Compliance mapping
SOC 2 CC6.1 · ISO 27001 A.9.1
Audit packet ready
✓ Attested. Ready to act on.
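A constructed illustration, not Mairit's code or record format, of how an audit record like the one above can be bound to a reviewer's Ed25519 key and chained into a tamper-evident log. The record fields, reviewer address and certification number come from the page's sample; the JSON canonicalisation, the key and the document text are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Attestation is a hypothetical record shape (not Mairit's format) mirroring the page's audit record.
type Attestation struct {
	Reviewer      string `json:"reviewer"`
	Certification string `json:"certification"`
	Timestamp     string `json:"timestamp"`
	Rubric        string `json:"rubric"`
	DocSHA256     string `json:"doc_sha256"` // hash of the exact document that was reviewed
	PrevHash      string `json:"prev_hash"`  // hash of the previous log entry, "" for the first
}

func sha256Hex(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// Canonical bytes to sign: encoding/json writes struct fields in declaration order,
// so the signer and every later verifier serialise the record identically.
func (a Attestation) Canonical() []byte { b, _ := json.Marshal(a); return b }

// Sign binds every field, the document hash and the chain link to the reviewer's key;
// Verify fails if any of them changed after sign-off.
func Sign(priv ed25519.PrivateKey, a Attestation) []byte { return ed25519.Sign(priv, a.Canonical()) }
func Verify(pub ed25519.PublicKey, a Attestation, sig []byte) bool { return ed25519.Verify(pub, a.Canonical(), sig) }

// EntryHash commits record + signature so the next log entry can chain to it.
func EntryHash(a Attestation, sig []byte) string { return sha256Hex(append(a.Canonical(), sig...)) }

// ChainValid re-walks the log; editing, deleting or reordering any past entry is detected.
func ChainValid(pub ed25519.PublicKey, log []Attestation, sigs [][]byte) bool {
	prev := ""
	for i, a := range log {
		if a.PrevHash != prev || !Verify(pub, a, sigs[i]) {
			return false
		}
		prev = EntryHash(a, sigs[i])
	}
	return true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	a := Attestation{Reviewer: "diane.marchetti@company.com", DocSHA256: sha256Hex([]byte("constructed narrative"))}
	fmt.Println("verifies:", Verify(pub, a, Sign(priv, a)))
}
```

An exporter that hands the auditor the records, signatures and the reviewer's public key lets them re-run ChainValid themselves rather than trust the platform's word.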
Compliance & security

Built for the documentation your compliance team actually files.

Risk assessments. Control narratives. Audit responses. Vendor reviews. Certified, audited, regulator-watched. Mairit treats it that way from day one.

SOC 2 attestation · AICPA SSAE 18

Management assertion evidence captured per AICPA SSAE 18. Defensible record of qualified human review for every control narrative.

ISO 27001 / 27002 · ISMS

Aligned with ISO 27001 ISMS requirements. Evidence of competent personnel review captured per documentation artefact.

GDPR Article 30 · Records of processing

Article 30 records of processing activities reviewed by qualified DPO/compliance lead. Evidence trail captured.

NIS2 & DORA · EU cyber regs

NIS2 risk-management evidence and DORA ICT third-party register reviewed by qualified compliance lead per filing.

UAE PDPL & MENA PDPL · regional

UAE PDPL records and MENA regional compliance frameworks supported. Cross-border data transfer controls.

Audit-ready exports · Auditor · certifier · regulator

One-click export of doc, review, attestation, and reviewer credentials in audit-preferred format.

Security & data handling

SOC 2 underway

Type I in audit. Type II target year 2.

Encryption everywhere

AES-256 at rest. TLS 1.3 in transit.

No training use, ever

Your compliance evidence is never used to train models.

Reviewer access scoped

Per-document only. PII redaction default-on for evidence.

Pilot

The review layer for your AI-drafted compliance docs. Pilot in 30 days.

Pick one motion. Plug into the AI and GRC tools your compliance team already uses. See whether qualified human review at machine speed actually changes how your function operates.

The pilot

  • Pick one motion. Control narratives, risk assessments, or audit responses.
  • Plug in. Works with the AI tools and GRC platforms your team uses today via MCP. No GRC migration.
  • Internal-first routing. Your compliance leads review by default. Mairit external auditors fill gaps.
  • 30-day outcome pack. Throughput numbers, audit-ready documentation, and a clear go or no-go on rollout.

Who this is for

CISOs and Heads of Compliance who'd rather have the review trail in place before fieldwork starts.

  • Compliance and security teams at mid-market companies (200+ employees) running active certifications.
  • Teams already using AI in compliance. At least one of: AI-drafted narratives, AI-generated risk assessments, AI-summarised audit responses.
  • Audited, certified, or regulated. Companies running SOC 2, ISO 27001, PCI, HIPAA, GDPR, NIS2, or DORA programmes.
Why now

Auditors don't accept AI as the author of record. Management's assertion is still management's. Make the review trail you'll be asked for, before fieldwork starts.