The AI Evidence Validation Agent checks whether collected evidence is accurate, complete, and likely to satisfy auditor expectations. It provides two validation paths: a pre-built test library for structured Hypersync data, and AI-powered analysis for document and image evidence.
The test library table below lists each pre-built test, the service and proof type it applies to, and the condition it checks on each evidence row.
Automated control test library
| Service | Proof Type | Test Name | What it checks |
|---|---|---|---|
| AWS | Backup Jobs | RDS and DocumentDB daily backups enabled | Backup job ID is populated and state = enabled |
| AWS | Bucket Access Control List | S3 bucket ACLs are private or restrictive | Grantee ID and permission are populated and grantee type = PrivateUser |
| AWS | Bucket Encryption | S3 buckets encrypted at rest using AWS-managed or customer-managed KMS keys | Bucket, encryption key type, KMS key, and bucket key flag are all populated |
| AWS | Bucket Policy Status | S3 Bucket Policy Status confirms restricted access | Bucket name is populated and bucket policy status = Not Public |
| AWS | Bucket Replication | If used for backup, S3 replication configuration supports contingency | Bucket, replication rule name, destination, and status = Enabled are all populated |
| AWS | Bucket Versioning | S3 bucket versioning configuration documented | Bucket name is populated and versioning status = Enabled |
| AWS | List of Running Instances | Inventory maintained for EC2, EKS, RDS, Lambda, and more | Instance ID, instance type, availability zone, and IPv4 address are all populated |
| AWS | List of Subnets | CIDR ranges reviewed | Subnet ID, state = available, VPC ID, and IPv4 CIDR are all populated |
| AWS | List of Subnets | Routing tables reviewed | Subnet ID and IPv4 CIDR are populated |
| AWS | List of Subnets | VPC configurations documented per region | Subnet ID, VPC ID, and IPv4 CIDR are populated |
| AWS | List of Subnets | Public/private subnet separation enforced | Subnet ID, VPC ID, and IPv4 CIDR are populated |
| AWS | List of Users with MFA Settings | MFA enabled for all users with console or privileged access | For Administrator rows: MFA must contain Enabled. For non-Administrator rows: MFA = None. Not a universal all-users MFA check. |
| AWS | List of VPCs | VPC flow logging enabled | VPC ID is populated and state = available (note: does not directly test a flow-log field) |
| CrowdStrike | Endpoint Detections | Endpoint Detection Coverage Verification | Display name, severity, status, host name, and platform name are all populated |
| CrowdStrike | Endpoint Detections | Automated Incident Response Triggering | Display name, severity, detect time, status, hours to resolved, host name, and platform name are all populated |
| CrowdStrike | Prevention Policies | Malicious Code Prevention Policy Enforcement | Policy is enabled and has created timestamp and groups populated |
| CrowdStrike | Sensor Update Policies | Sensor Update Policies | Name, description, platform name, and enabled flag are all populated |
| GitHub | Organization Members | Check Deprovisioned Accounts | Login, name, email, and role are all populated |
| GitHub | Organization Members | Verify GitHub MFA Enabled | Name and role are populated (completeness check; does not directly verify an MFA field) |
| GitHub | Organization Members | Validate Organization Member Roles | Login and role are populated |
| GitHub | Repository Admins | Validate Repository Admin Authorization | Repository name, access level, and login are all populated |
| Jamf | List of All Policies | Automate checks that all Jamf policies enforce approved baseline configurations | Policy has a name, is enabled, and has a trigger configured |
| Jamf | List of All Policies | Automate verification of scheduled maintenance tasks, including updates and patching policies | Policy has a name, is enabled, and has a trigger configured |
| Jamf | List of All Policies | Validate policy deployment status and ensure no unauthorized changes occur without proper approvals | Policy is enabled |
| Jamf | List of Computer Groups | Automate verification that macOS devices are correctly assigned to authorized computer groups | Computer group has an ID and name |
| Jamf | List of Computers | Verify Jamf accurately records and maintains the current inventory of all managed macOS computers | Row represents a managed device with operating system = Mac OS X |
| Jamf | List of Computers | Validate asset details including hostname, serial numbers, OS versions, hardware configurations, and inventory updates | Name, username, model, operating system, OS version, and FileVault 2 encryption state are all populated |
| Jamf | List of Mobile Devices | Verify accurate inventory of enrolled iOS and iPadOS devices in Jamf | Device name, model, and username are populated and device is marked managed |
| Jamf | OSX Configuration Profiles | Automate regular validation of enforced configuration profiles to maintain macOS security integrity | Profile has an ID and name |
| Jamf | OSX Configuration Profiles | Automate validation of macOS profile enforcement, including screen lock timeout and login window settings | Profile has an ID and name |
| Jira | List of Issues | Approval Verification | Issue has an issue type, assignee, and status of Awaiting Approval or Approved |
| Jira | List of Issues | Incident Resolution Timeliness | Issue type, status, and priority are all populated |
| Jira | List of Issues | Incident Resolution Tasks Completed | Issue type and resolution are populated |
| Jira | List of Issues | Records of Security Issues Being Assigned to Owners | Issue type and assignee are populated |
| Jira | List of Issues | P1 Security Issues Resolved | Issue type, priority, and status are all populated |
| Jira | List of Issues | P0 Security Issues Resolved | Issue type, priority, and status are all populated |
| Jira | List of Issues | Incident Management Tasks Completed | Issue type and status are populated |
| KnowBe4 | Phishing Security Tests | Initial Security Awareness Training Completion | Name and email populated; module name contains "Cybersecurity Awareness 2023"; status = Completed; enrollment date populated; completion date within 30 days |
| KnowBe4 | Training Activity | Role-Based Training Assignment | Name, module name, status, enrollment date, completion date, and days until complete are all populated |
| Microsoft Entra ID | List of Groups | Generate a list of all security and Microsoft 365 groups in Azure AD | Group name, group type, and object ID are all populated |
| Microsoft Intune | List of Devices | Inventory Granularity Verification | Display name, managed flag, device ownership, compliance flag, operating system, OS version, and approximate last sign-in date are all populated |
| Okta | Group Membership List | Validate Group Membership Based on User Attributes | Person and username are populated |
| Okta | Group Membership List | Detect Inactive Users in Group | Status = Active |
| Okta | Group Membership List | Retrieve All Group Members | Person and username are populated |
| Okta | Group Membership List | Ensure Timely Removal of Deactivated Users from Groups | Status is not Deactivated |
| Okta | Group Membership List | Group Membership Accuracy | Person and username are populated |
| Okta | List of API Tokens | API Token Validity and Assignment | Token has an ID, name, expiration date, and creation date |
| Okta | List of Deactivated Users | Deactivated User Access | Row has person, username, status, and deactivation date populated |
| Okta | List of Devices | Device Compliance Status | Device has an ID and device name populated |
| Okta | List of Groups | Group Definition Completeness | Group has group ID, name, type, and description populated |
| Okta | List of Users | Unique User Identification | Username is populated |
| Okta | List of Users | Automate provisioning and deprovisioning processes | User status is Provisioned or Deprovisioned |
| Okta | List of Users | MFA Enrollment Verification | Person, username, and last login are populated and status is not none (does not check a direct MFA field) |
| Okta | List of Users | Retrieve All Users | Person and username are populated |
| Okta | List of Users (exception finder) | Find users with no status assigned | Username and primary email are populated and status is null (surfaces incomplete user records) |
| Okta | List of Users for a Given Application | Application User Assignments | Assignment has an ID, status, and scope |
| Okta | List of Users for a Given Application | Application Access Review | Assignment has an ID, email, status, and scope |
| Okta | Password Policies | Stricter policy assigned to privileged users | Assigned groups contains a value matching *Admins (identifies admin-linked policies) |
| Okta | Password Policies | Minimum Password Length | Minimum length is at least 12 characters |
| Okta | Password Policies | Validates that passwords are checked against commonly used or breached passwords | Exclude common passwords = true |
| Okta | Password Policies | Ensures that users cannot reuse previous passwords | Password history count is at least 24 |
| Okta | Password Policies | Exclude First Name From Password | Exclude first name = true |
| Okta | Password Policies | Exclude Username From Password | Exclude username = true |
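To make the pass criteria concrete, here is an added example (not Hyperproof's own code) that evaluates three of the rows above as row-level rules: the generic "fields are populated" completeness check, the AWS "List of Users with MFA Settings" rule including its stated caveat that a non-Administrator without MFA still passes, and the five Okta Password Policies checks combined. The dictionary field names and the sample rows are assumptions constructed for the example; real Hypersync column names may differ.

```python
"""Row-level evaluators for some of the prebuilt tests above (added example,
not Hyperproof's own code). Field names are assumptions; real Hypersync
column names may differ."""
from typing import Any, Callable, Dict, List

Row = Dict[str, Any]

def populated(row: Row, *fields: str) -> bool:
    """The common completeness check: every named field is present and non-empty."""
    return all(row.get(f) not in (None, "") for f in fields)

def aws_mfa_rule(row: Row) -> bool:
    """AWS 'List of Users with MFA Settings': Administrator rows must contain Enabled,
    other rows must show None. Not an all-users MFA check: non-admins without MFA pass."""
    if not populated(row, "user", "role", "mfa"):
        return False
    if row["role"] == "Administrator":
        return "Enabled" in str(row["mfa"])
    return row["mfa"] == "None"

def okta_password_policy_rule(policy: Row) -> bool:
    """The five Okta Password Policies checks from the table, combined into one rule."""
    return (int(policy.get("min_length", 0)) >= 12
            and policy.get("exclude_common_passwords") is True
            and int(policy.get("history_count", 0)) >= 24
            and policy.get("exclude_first_name") is True
            and policy.get("exclude_username") is True)

def run_test(rows: List[Row], rule: Callable[[Row], bool]) -> Dict[str, List[int]]:
    """Apply one rule to every evidence row; return indexes of passing and failing rows."""
    result: Dict[str, List[int]] = {"pass": [], "fail": []}
    for i, row in enumerate(rows):
        result["pass" if rule(row) else "fail"].append(i)
    return result

# Constructed sample evidence rows, not real data.
AWS_MFA_ROWS = [
    {"user": "alice", "role": "Administrator", "mfa": "Enabled (virtual)"},
    {"user": "bob", "role": "Administrator", "mfa": "None"},  # admin without MFA: fail
    {"user": "carol", "role": "Developer", "mfa": "None"},    # non-admin: passes
]
OKTA_POLICIES = [
    {"name": "Default", "min_length": 8, "exclude_common_passwords": True,
     "history_count": 4, "exclude_first_name": True, "exclude_username": True},
    {"name": "Admins", "min_length": 14, "exclude_common_passwords": True,
     "history_count": 24, "exclude_first_name": True, "exclude_username": True},
]

if __name__ == "__main__":
    print(run_test(AWS_MFA_ROWS, aws_mfa_rule))                # {'pass': [0, 2], 'fail': [1]}
    print(run_test(OKTA_POLICIES, okta_password_policy_rule))  # {'pass': [1], 'fail': [0]}
```

The failing index tells the reviewer which evidence row to inspect; for the AWS rule in particular, a clean pass says nothing about MFA on non-Administrator accounts, which is exactly the limitation the table notes.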
