NSAuditor AI EE 0.31.2: Encryption-at-Rest Completed Fleet-Wide, a Cross-Cloud Key-Custody Doctrine, and a SOC 2 Integrity Fix

EE 0.31.2 completes AWS at-rest coverage, settles where provider-managed-key findings belong across clouds, and fixes a SOC 2 concurrency bug. No new framework, still 28 plugins.


NSAuditor AI Enterprise Edition 0.31.2 is live on npm. It is a compliance-mapping depth release with a paired integrity fix: it finishes encryption-at-rest coverage across the AWS fleet, establishes a cross-cloud key-custody routing doctrine that corrects a live control-mapping mis-route in PCI DSS and GDPR, and closes a SOC 2 “no silent data loss” concurrency bug. There is no new framework, no new plugin (still 28), and no change to any of the seven coverage matrices — every mapping change is additive to controls already covered.

Every at-rest source, finally complete

Encryption-at-rest is the most basic control a cloud auditor evidences, yet coverage had drifted source by source. EE 0.31.2 completes every AWS at-rest source — RDS storage encryption, S3 SSE, EC2/EBS volumes, SQS/SNS queues and topics, and ElastiCache — to the same canonical seven-control at-rest set: SOC 2 C1.1, HIPAA 164.312(a)(2)(iv), NIST PR.DS-01, PCI 3.5.1, ISO A.8.24, CIS 3.11, and GDPR Art. 32(1)(a). Critically, each source’s evidence-gap — a region that cannot be enumerated, a key that cannot be classified, a volume whose state cannot be read — now fails closed to exactly the same controls as a real violation, so an unverifiable posture can never read CLEAN.

Two silent gaps surfaced by the sweep’s own discipline were closed: a DynamoDB table with an unclassifiable encryption key (which used to route to zero controls) now fails closed to its confidentiality floor; and an EC2/EBS volume whose encryption state is indeterminate no longer reads clean across all seven frameworks. Both are now registered in a build-enforced routing-completeness guard, so a future sweep cannot re-open the gap.

A cross-cloud key-custody doctrine — and a mis-route, corrected

Some services cannot be unencrypted — Azure Storage, AWS DynamoDB. For those, the only finding is key custody: is the encryption key customer-managed or provider-managed? A five-lens auditor panel (PCI-QSA, GDPR-DPA, ISO Lead Auditor, NIST/CIS, and an adversarial reviewer) reached a unanimous verdict: a provider-managed key on an always-encrypted service is a key-management observation, not an encryption-presence violation. The data is encrypted, so the presence controls are satisfied; the residual belongs to ISO A.8.24, the one control whose text explicitly owns cryptographic key management.

Applying that doctrine corrected a live control-mapping mis-route. Azure Microsoft-managed-key storage — which is always encrypted — had been failing PCI DSS Req 3.5.1 and GDPR Art. 32(1)(a). A QSA or a data-protection authority would reverse that on first walkthrough. EE 0.31.2 down-routes those positives off the presence controls (keeping them on SOC 2 / HIPAA / ISO A.8.24) and up-routes the equivalent AWS and GCP provider-key findings onto ISO A.8.24, so the same situation routes the same way on every cloud. The platform now claims less, and claims it correctly.
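To make the two rules above concrete, the fail-closed evidence-gap routing from the at-rest sweep and the key-custody doctrine, here is an added illustration in JavaScript. It is not NSAuditor's code; the finding schema is constructed, and it assumes the Azure key-custody routing the release describes (SOC 2 / HIPAA / ISO A.8.24) is the one applied on every cloud.

```javascript
// Added example, not NSAuditor's code: a minimal at-rest routing table that
// encodes the two rules the release describes, plus a build-time
// routing-completeness guard of the kind the release mentions.

// The canonical seven-control at-rest set named in the release.
const AT_REST_SET = Object.freeze([
  'SOC 2 C1.1', 'HIPAA 164.312(a)(2)(iv)', 'NIST PR.DS-01', 'PCI 3.5.1',
  'ISO A.8.24', 'CIS 3.11', 'GDPR Art. 32(1)(a)',
]);

// Where a provider-managed key on an always-encrypted service lands.
// Assumption: the Azure routing described (SOC 2 / HIPAA / ISO A.8.24) is
// applied to every cloud, which is the doctrine's stated intent.
const KEY_CUSTODY_SET = Object.freeze([
  'SOC 2 C1.1', 'HIPAA 164.312(a)(2)(iv)', 'ISO A.8.24',
]);

// Constructed finding schema (not the product's):
//   alwaysEncrypted: service cannot be unencrypted (DynamoDB, Azure Storage)
//   encryption: 'on' | 'off' | 'indeterminate'      (encryptable services)
//   key: 'customer' | 'provider' | 'unclassifiable'  (always-encrypted ones)
function routeAtRest(finding) {
  if (finding.alwaysEncrypted) {
    // Data is encrypted regardless, so presence controls are satisfied; the
    // only residual is key custody. An unclassifiable key is an evidence gap
    // and fails closed to the same controls as a provider-managed key.
    return finding.key === 'customer' ? [] : [...KEY_CUSTODY_SET];
  }
  // Encryptable service: only a verified 'on' reads CLEAN. 'off' is a
  // violation and 'indeterminate' fails closed to exactly the same controls.
  return finding.encryption === 'on' ? [] : [...AT_REST_SET];
}

// Guard: every state that is not verified clean must route to >= 1 control,
// and each evidence gap must route identically to its real violation.
function routingCompletenessGuard() {
  const problems = [];
  const same = (a, b) => a.length === b.length && a.every((c, i) => c === b[i]);
  for (const encryption of ['off', 'indeterminate']) {
    if (routeAtRest({ alwaysEncrypted: false, encryption }).length === 0)
      problems.push(`silent gap: encryptable service, encryption=${encryption}`);
  }
  for (const key of ['provider', 'unclassifiable']) {
    if (routeAtRest({ alwaysEncrypted: true, key }).length === 0)
      problems.push(`silent gap: always-encrypted service, key=${key}`);
  }
  if (!same(routeAtRest({ alwaysEncrypted: false, encryption: 'indeterminate' }),
            routeAtRest({ alwaysEncrypted: false, encryption: 'off' })))
    problems.push('indeterminate volume does not fail closed like an unencrypted one');
  if (!same(routeAtRest({ alwaysEncrypted: true, key: 'unclassifiable' }),
            routeAtRest({ alwaysEncrypted: true, key: 'provider' })))
    problems.push('unclassifiable key does not fail closed like a provider-managed one');
  return problems; // an empty array means the routing is complete
}
```

Wiring routingCompletenessGuard() into a build step is what turns the doctrine into an invariant: a future sweep that adds a state routing to zero controls fails the build instead of silently reading CLEAN.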

A SOC 2 integrity fix

The release also fixes a concurrency bug in the lock that guards the SOC 2 suppression workflow and the audit-evidence index. Under same-process contention the lock could be held twice at once — a race against the very “no silent data loss” guarantee it exists to provide. The fix serializes same-process callers ahead of the filesystem lock while leaving the inter-process path byte-for-byte unchanged, with a re-entrancy guard that fails loud rather than deadlocking. The invariant now holds by construction.

Scope note

This release narrows a GDPR Art. 32(1)(a) claim rather than expanding one. The engine evidences GDPR Article 32 infrastructure substrate only — not GDPR compliance — and findings remain substrate for an operator’s proportionality determination, sitting in the Art. 83(4) lower tier.

Availability

Install with npm i -g nsauditor-ai@latest (Community Edition, MIT) plus @nsasoft/nsauditor-ai-ee@latest (Enterprise, licensed). EE 0.31.2 is paired with CE 0.2.14 and agent-skill 0.2.14. The cloud compliance surface requires an Enterprise license. Learn more at nsauditor.com/ai/enterprise.