What's new in AISEC
Every release, every fix, every improvement — documented with context so you know exactly what changed and why.
v2.0.0 (Latest), May 2026
Security Sprint & Marketing Overhaul — JWT revocation, EU AI Act tracker, policy attestation campaigns, and a complete marketing site redesign.
EU AI Act obligation tracker — compliance ring SVG, tier grouping (prohibited / high-risk / limited-risk / minimal), per-obligation evidence picker, notes, and revert action
Policy attestation campaigns — magic-link sign-off for internal users and external staff, completion email, and attestation report download
JWT revocation via JTI blocklist — tokens can now be instantly invalidated without waiting for expiry
bcrypt cost factor upgraded to 12 across all password and API key hashing operations
Demo tenant guard — prevents accidental data leakage from the shared demo environment to production tenants
Stripe payment idempotency keys on all charge operations — eliminates duplicate charge risk during network retries
Audit trail fix — response shape corrected (items / pagination), 279+ entries now display correctly in the timeline view
Gap analysis history — expandable detail panels with score ring and remediation roadmap per historical snapshot
Monitoring service pool exhaustion — pgxpool.NewWithConfig now respects the DATABASE_CONNECTION_POOL_SIZE environment variable
AI chat conversations 404 — resolved by deploying the current ai-orchestrator image; routing mismatch corrected
Settings AI/Model tab crash — Array.isArray guard added on the JSONB validation_errors field to handle null and non-array values
Policy PDF blank on first click — switched to iframe.srcdoc approach; fully CSP-safe without unsafe-inline blob URLs
Removed users reappearing in lists — is_active filter added to listUsers query at the repository layer
v1.9.0 (Stable), April 2026
Risk Due Dates & Run Now — overdue risk monitoring, immediate rule evaluation, auditor invitation, and evidence download improvements.
Risk treatment due dates — date input on risk create and detail drawer; overdue monitoring rule fires automatically when a due date passes
Monitoring "Run Now" button — immediately evaluates all active rules without waiting for the 5-minute polling tick
Auditor invitation — one-time JWT, scoped read-only access to evidence, policies, controls, and comment threads for external auditors
Evidence download — Azure SAS URL generation for cloud storage backends; streaming download for local filesystem backends
SSRF guard on all connector URLs — outbound requests are validated against an allowlist before execution
JWT algorithm pinning across all services — RS256 explicitly required; alg:none and symmetric algorithms rejected at parse time
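The JTI blocklist introduced in v2.0.0 and the RS256 pinning listed here describe a single token-verification path. The block below is an added example written for this page, not AISEC's own code: it shows that path in Go using only the standard library. The header's alg is checked for RS256 before any signature work, the signature is verified against a public key the verifier already holds (never a key named by the token), and the jti is then looked up in a blocklist that keeps entries only until the token would have expired on its own. The Sign helper, the claim names, the in-memory map (a shared store such as Redis would replace it across service instances) and the sample jti values are assumptions made so the example runs stand-alone.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of registered JWT claims this example checks.
type Claims struct {
	JTI string `json:"jti"`
	Exp int64  `json:"exp"` // Unix seconds
}

// Blocklist keeps revoked token IDs only until the token would have expired anyway,
// so the set stays bounded. In-memory map is the example's stand-in for a shared store.
type Blocklist struct{ revoked map[string]time.Time }

func NewBlocklist() *Blocklist { return &Blocklist{revoked: map[string]time.Time{}} }

// Revoke invalidates a token immediately; exp is the token's own expiry.
func (b *Blocklist) Revoke(jti string, exp time.Time) { b.revoked[jti] = exp }

// IsRevoked reports whether jti is blocked, pruning entries whose token is already dead.
func (b *Blocklist) IsRevoked(jti string, now time.Time) bool {
	exp, ok := b.revoked[jti]
	if ok && !now.Before(exp) {
		delete(b.revoked, jti)
		return false
	}
	return ok
}

var (
	ErrAlg     = errors.New("jwt: alg is not RS256")
	ErrRevoked = errors.New("jwt: token has been revoked")
	enc        = base64.RawURLEncoding
)

// Sign produces a compact RS256 JWT so the example runs without a JWT library.
func Sign(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256"})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// Verify pins alg to RS256 before any signature work, verifies against the configured
// public key (never a key named by the token), then enforces exp and the jti blocklist.
func Verify(pub *rsa.PublicKey, bl *Blocklist, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt: malformed token")
	}
	hdrJSON, e1 := enc.DecodeString(parts[0])
	payload, e2 := enc.DecodeString(parts[1])
	sig, e3 := enc.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("jwt: bad base64url segment")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, ErrAlg // "none", HS256 and every other alg stop here, before any crypto
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("jwt: invalid signature")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil || c.JTI == "" {
		return nil, errors.New("jwt: claims unreadable or jti missing")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("jwt: expired")
	}
	if bl.IsRevoked(c.JTI, now) {
		return nil, ErrRevoked
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	bl, now := NewBlocklist(), time.Now()
	tok, _ := Sign(key, Claims{JTI: "jti-0001", Exp: now.Add(time.Hour).Unix()}) // constructed sample
	bl.Revoke("jti-0001", now.Add(time.Hour))
	_, err := Verify(&key.PublicKey, bl, tok, now)
	fmt.Println(err) // jwt: token has been revoked
}
```

Two design points worth noting: the alg check happens before the signature is even decoded, so a token whose header names a different algorithm never reaches rsa.VerifyPKCS1v15; and a token without a jti is refused outright, because a token that cannot be named cannot be revoked.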
v1.5.0, April 2025
AI governance tools, supply chain risk management, and executive reporting — the platform's most ambitious release at the time.
AI-BOM (AI Bill of Materials) — auto-generate a machine-readable inventory of all AI systems, models, and data sources with ISO 42001 mappings
Supply Chain Risk module — vendor inventory with 5-level risk tiers, ISO 27001 A.5.19–22 control mapping, and AI-assisted supplier questionnaires
Executive Dashboard (Board View) — single-screen KPI summary: framework scores, open risks, audit status, evidence health
Competitive Benchmarking — compare your compliance posture against 3 anonymised peer datasets across any supported framework
Threat Intelligence Hub — live feed aggregation from MITRE ATT&CK, CISA advisories, and NVD; AI-summarised relevance scoring per control
Status page redesigned with real-time service health polling every 30 seconds and colour-coded latency indicators
Policy Library now includes 38 community templates across ISO 27001, SOC 2, GDPR, NIS2, NIST CSF, and DORA
Immutable Audit Trail — every create/update/delete event is cryptographically anchored and cannot be altered by any user role
Evidence quality scoring pipeline runs asynchronously — no longer blocks the evidence upload UI
v1.4.0, March 2025
Compliance drift detection, advanced monitoring, and a redesigned gap analysis engine powered by Claude.
Compliance Drift Detection — automated daily comparison of control implementation status against baseline; alerts when coverage drops below threshold
AI-powered Gap Analysis — submit your current control posture and receive a prioritised remediation plan with effort estimates and template links
Evidence Quality Scoring — each piece of evidence is scored 0–100 for completeness, recency, specificity, and framework relevance
Monitoring service expanded with drift alert history, snapshot timeline, and 90-day trend graphs
Risk Register filtering redesigned: filter by likelihood × impact matrix, owner, or treatment status simultaneously
AI Assistant now supports multi-turn conversations with full control and policy context injected per session
Fixed policy generation TypeError when AI content was returned as a dict instead of a string
Resolved compliance-scores 500 error caused by NestJS route collision between /compliance-scores and /:id wildcard
All API responses now include Cache-Control: no-store to prevent sensitive compliance data appearing in CDN caches
v1.3.0, February 2025
Open ecosystem launch: public Policy Library, developer SDKs, GitHub Actions plugin, and OIDC federation.
Open Policy Library — 38+ community-maintained templates, filterable by framework, sector, and control family; one-click import into any tenant
TypeScript SDK — npm-published client with full type coverage for policies, risks, evidence, controls, and audit endpoints
Python SDK — pip-installable async client for FastAPI and Django use cases
GitHub Actions plugin — YAML action that triggers evidence collection, runs gap analysis, and fails PRs when drift exceeds threshold
OIDC federation — connect Okta, Auth0, Azure AD, or Google Workspace for SSO without SAML overhead
Slack Evidence Connector — automatically collect change-management evidence from Slack channel archives and pinned messages
Tenant onboarding wizard reduced from 9 steps to 5 with smart defaults based on chosen framework
Monitoring drift-alert and snapshot routes returned 404 — the Go binary is now rebuilt into the Docker image before deployment
Policy Library loads 38 templates in under 200ms using server-side pre-rendering and edge caching
v1.2.0, January 2025
API-first platform with GraphQL, Webhooks, Terraform provider, and granular RBAC permissions.
GraphQL API — full schema covering all entities (policies, risks, controls, evidence, audits) with nested resolvers and DataLoader batching
Terraform Provider — manage tenants, policies, and user roles as infrastructure-as-code; published to Terraform Registry
Webhook system — subscribe to policy.approved, risk.created, audit.completed, and 14 other event types with retry and signature verification
API Keys — create scoped keys with expiry dates and per-endpoint permission grants from the Settings → API Keys panel
Custom RBAC Roles — define roles with granular read/write/admin permissions per resource type; assign to users or teams
Bulk Policy Import — upload CSV or JSON to create or update up to 500 policies in a single operation
impl_status enum validation now correctly rejects in_progress and not_started — valid values documented in API reference
API key secrets are shown exactly once at creation and stored as bcrypt hashes — they cannot be retrieved after the modal is closed
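The webhook signature verification listed for v1.2.0 is the subscriber's defence against forged or replayed deliveries. The following is an added example, not AISEC's own implementation or wire format: it assumes a per-subscription shared secret, a signature header of the form `t=<unix seconds>,v1=<hex HMAC-SHA256>` (the header name X-AISEC-Signature and the event payloads are placeholders), a MAC computed over the timestamp and the raw body, and a five-minute replay window. Both sides are shown so the exchange can be run end to end offline.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// MaxSkew is the replay window: a delivery whose timestamp is further than this
// from the receiver's clock is refused even if its signature is valid.
const MaxSkew = 5 * time.Minute

// SignWebhook is the producer side (constructed for this example). Including the
// timestamp in the signed string binds it to the body, so neither can change alone.
func SignWebhook(secret []byte, ts time.Time, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(strconv.FormatInt(ts.Unix(), 10) + "."))
	mac.Write(body)
	return fmt.Sprintf("t=%d,v1=%s", ts.Unix(), hex.EncodeToString(mac.Sum(nil)))
}

var (
	ErrSignature = errors.New("webhook: signature mismatch")
	ErrStale     = errors.New("webhook: timestamp outside replay window")
	ErrHeader    = errors.New("webhook: malformed signature header")
)

// VerifyWebhook is the consumer side: parse the header, enforce the replay window,
// recompute the MAC over the raw (unparsed) body and compare in constant time.
func VerifyWebhook(secret []byte, header string, body []byte, now time.Time) error {
	var ts int64
	var got []byte
	for _, kv := range strings.Split(header, ",") {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return ErrHeader
		}
		switch k {
		case "t":
			n, err := strconv.ParseInt(v, 10, 64)
			if err != nil {
				return ErrHeader
			}
			ts = n
		case "v1":
			b, err := hex.DecodeString(v)
			if err != nil {
				return ErrHeader
			}
			got = b
		}
	}
	if ts == 0 || got == nil {
		return ErrHeader
	}
	sent := time.Unix(ts, 0)
	if now.Sub(sent) > MaxSkew || sent.Sub(now) > MaxSkew {
		return ErrStale
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(strconv.FormatInt(ts, 10) + "."))
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), got) { // constant-time comparison
		return ErrSignature
	}
	return nil
}

func main() {
	secret := []byte("constructed-shared-secret")                           // per-subscription secret (constructed)
	body := []byte(`{"event":"policy.approved","policy_id":"pol-0001"}`) // constructed delivery
	now := time.Now()
	hdr := SignWebhook(secret, now, body)
	fmt.Println("X-AISEC-Signature:", hdr) // header name is an assumption
	fmt.Println("verify:", VerifyWebhook(secret, hdr, body, now))
	fmt.Println("tampered:", VerifyWebhook(secret, hdr, []byte(`{}`), now))
}
```

Because the timestamp is inside the MAC, a producer's retry must re-sign with a fresh timestamp rather than resend the old header, and the receiver should verify against the body bytes exactly as received, before any JSON parsing or re-serialisation.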
v1.1.0, December 2024
AI Assistant, Evidence Collector integrations, and expanded SOC 2 Type II control mapping.
AI Assistant Chat — conversational interface grounded in your policies, risks, and control library; suggests next actions and explains compliance gaps
Evidence Collector — integration framework supporting AWS Config, GitHub audit logs, Jira, Confluence, and manual uploads
SOC 2 Type II control mapping — 64 trust service criteria mapped to the AISEC control library with gap indicators
Audit Programmes — create and manage internal and external audit cycles with finding tracking and corrective action plans
Risk scoring now uses a configurable 5×5 likelihood/impact matrix instead of a fixed 3-band model
Evidence upload failed silently when file size exceeded 10 MB — now shows a clear error message with size limit
Dashboard KPI cards reduced initial load time from 2.3s to 340ms by batching compliance-score queries
v1.0.0 (LTS), November 2024
Initial public release — multi-tenant AI security compliance platform with ISO 27001:2022 as the primary framework.
Multi-tenant SaaS architecture with row-level security — complete data isolation between organisations at the database layer
Policy lifecycle management — draft, generate with AI, review, approve, and publish policies with version history
Risk Register — create, score, assign, and track risks with full treatment workflow (accept / mitigate / transfer / avoid)
Control library pre-loaded with ISO 27001:2022 Annex A — 93 controls across 4 themes, all mappable to your policies and evidence
AI policy generation using Claude — describe your requirement and receive a draft policy aligned to your chosen framework in under 2 minutes
RBAC — Owner, Admin, Editor, Viewer roles with team-based access; invite users by email with configurable expiry
Monitoring service — real-time compliance health scores, alert rules, and 30-day trend tracking
All communications over TLS 1.3 minimum; httpOnly cookie session tokens; bcrypt password hashing with cost factor 10