NSAuditor AI EE 0.31.8 — Framework-Aware Positive-Substrate Evidence: The Right Citation for the Right Auditor
EE 0.31.8 makes one positive-evidence finding cite PCI DSS Req 10.5.1 on the PCI report while staying neutral on SOC 2 — and hardens the mechanism all the way to the GRC-connector push.
Nsasoft US LLC has released NSAuditor AI Enterprise Edition 0.31.8, a precision-and-hygiene follow-up to 0.31.7’s opt-in positive-substrate evidence. It is a patch: no new framework, plugin count unchanged at 28, and all seven coverage matrices unchanged (SOC 2 10/4/33, HIPAA 7/3/45, NIST CSF 2.0 13/10/83, PCI DSS v4.0.1 19/9/39, ISO 27001 17/14/62, CIS Controls v8 17/23/113, GDPR Article 32 4/5/2).
One finding, two audiences
In 0.31.7, NSAuditor AI began surfacing positive substrate evidence — curated proof that a control is actually operating — directly in the per-control Report on Compliance. One of the first such findings concerns AWS RDS audit-log retention, and it routes to two places at once: PCI DSS Requirement 10.5.1 and, through the cross-framework inheritance anchor, SOC 2 CC7.2. That dual routing created a subtle editorial problem.
During the 0.31.7 review, a fix made the evidence caveat globally neutral so that nothing PCI-specific could leak onto a SOC 2 Report on Compliance, where a PCI citation has no business appearing. Correct for SOC 2 — but it also stripped the genuinely useful citation off the PCI report, where an assessor wants to see 10.5.1 named.
A per-framework caveat that restores precision without reopening the leak
EE 0.31.8 lets a finding carry a small per-framework override map alongside a neutral base caveat. The compliance engine selects the override for the framework it is currently rendering and falls back to the neutral base for every other. The PCI report gets its Req 10.5.1 citation back — accurately hedged (twelve months total, three months immediately available, and framed as substrate from a configuration value rather than proof a detective control operated) — and the SOC 2 report keeps the neutral base. The same evidence, two correct voices, no cross-talk.
Hygiene that survives the GRC-connector push
Compliance evidence rarely stops at a rendered document — it is serialized to JSON and pushed into a GRC platform such as Vanta, Drata, or Secureframe. EE 0.31.8 hardens the mechanism for exactly that surface:
- The positive-substrate finding used to carry an internal category label ending in "-pci-substrate". On a SOC 2 evidence item that lowercase "pci" is harmless to a human but is a stray framework marker on the machine record a connector pushes — and it rode two serialized channels, the category and the rule’s provenance rationale. Both are now framework-neutral, so a SOC 2 evidence item carries no PCI marker on any channel.
- The caveat-selection helper is now robust to empty strings: an empty override falls back to the base rather than silently blanking the caveat line.
- A new regression test carries the no-leak invariant onto the JSON/GRC surface itself, paired with a negative control that fails if the override is stripped.
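The mechanism described above (a neutral base caveat, a per-framework override map, an empty-string fallback, and a no-leak check run over the serialized record) is small enough to show end to end. The block below is an added illustration written for this page, not NSAuditor AI code: the finding layout, field names, framework ids ("pci-dss-v4.0.1", "soc2"), and all caveat text are constructed, and the leak check scans every string channel of the JSON a connector would push rather than only the caveat line.

```javascript
// Added example (not NSAuditor AI code): per-framework caveat selection with a
// neutral fallback, plus a no-leak check run over the serialized evidence record.
// All names, field layouts and sample text below are constructed for illustration.

const NEUTRAL_BASE =
  "Retention value read from the instance configuration; this is substrate " +
  "showing the setting is in place, not proof a detective control operated.";

// Constructed finding. The override map is keyed by framework id; any framework
// without an entry (or with an empty entry) renders the neutral base caveat.
const rdsAuditLogRetentionFinding = {
  id: "example-rds-audit-log-retention", // constructed identifier
  category: "positive-substrate", // framework-neutral label on the machine record
  provenanceRationale:
    "Derived from the RDS instance's configured CloudWatch log retention.",
  baseCaveat: NEUTRAL_BASE,
  caveatOverrides: {
    "pci-dss-v4.0.1":
      "Satisfies the PCI DSS Req 10.5.1 retention window (twelve months total, " +
      "three months immediately available) as configuration substrate only; " +
      "it does not show that a detective control operated.",
    // "soc2" deliberately absent: SOC 2 falls back to the neutral base.
  },
};

// Pick the caveat for the framework being rendered. An override counts only if it
// is a non-empty string, so a blank override can never erase the caveat line.
function selectCaveat(finding, frameworkId) {
  const override = finding.caveatOverrides?.[frameworkId];
  if (typeof override === "string" && override.trim() !== "") return override;
  return finding.baseCaveat;
}

// Build the machine record a GRC connector would push, then round-trip it through
// JSON so the check below sees exactly what leaves the process.
function buildEvidenceRecord(finding, frameworkId) {
  const record = {
    findingId: finding.id,
    framework: frameworkId,
    category: finding.category,
    rationale: finding.provenanceRationale,
    caveat: selectCaveat(finding, frameworkId),
  };
  return JSON.parse(JSON.stringify(record));
}

// Walk every string in the serialized record (all channels, not just the caveat)
// and return the paths that carry the marker. Case-insensitive, so "pci" and "PCI" match.
function findMarkerLeaks(record, marker) {
  const needle = marker.toLowerCase();
  const leaks = [];
  const walk = (value, path) => {
    if (typeof value === "string") {
      if (value.toLowerCase().includes(needle)) leaks.push(path);
    } else if (value && typeof value === "object") {
      for (const [k, v] of Object.entries(value)) walk(v, path ? `${path}.${k}` : k);
    }
  };
  walk(record, "");
  return leaks;
}

// The no-leak invariant: a SOC 2 rendering carries no PCI marker on any channel.
function soc2IsPciFree(finding) {
  return findMarkerLeaks(buildEvidenceRecord(finding, "soc2"), "pci").length === 0;
}

// The precision check: the PCI rendering names Req 10.5.1.
function pciCitationPresent(finding) {
  return buildEvidenceRecord(finding, "pci-dss-v4.0.1").caveat.includes("10.5.1");
}

// Negative control: with the override map stripped, the PCI record collapses to the
// neutral base and pciCitationPresent() must go red.
function stripOverrides(finding) {
  return { ...finding, caveatOverrides: {} };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(buildEvidenceRecord(rdsAuditLogRetentionFinding, "soc2"), null, 2));
  console.log("SOC 2 PCI-free:", soc2IsPciFree(rdsAuditLogRetentionFinding));
  console.log("PCI cites 10.5.1:", pciCitationPresent(rdsAuditLogRetentionFinding));
  console.log("Stripped override still cites 10.5.1:", pciCitationPresent(stripOverrides(rdsAuditLogRetentionFinding)));
}
```

The scan deliberately runs over the post-serialization object rather than the in-memory finding: the category and provenance-rationale channels mentioned above only matter once they have left the process, and checking the round-tripped JSON is what keeps a future field addition from reopening the leak unnoticed.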
Neither change moves a coverage matrix, changes a control’s status, or adds a cloud call. They make an existing feature more precise and more trustworthy on the surface auditors and GRC platforms actually consume.
Engineering rigor and availability
Both changes were built test-first and put through independent multi-lens adversarial review — a PCI DSS Qualified Security Assessor lens, a SOC 2 evidence-sufficiency lens, a GRC-connector-integrity lens, and an engineering-discipline lens — then an external pass mutation-proved the fix by breaking each mechanism in turn and confirming the paired test went red. Zero confirmed defects survived. Fleet-wide read-only (Zero Data Exfiltration) enforcement holds across all 28 plugins.
@nsasoft/nsauditor-ai-ee@0.31.8 (Enterprise, restricted) pairs with nsauditor-ai@0.2.22 (Community, MIT) and nsauditor-ai-agent-skill@0.2.20. EE 0.31.8 requires CE 0.2.8+. Upgrade in place — no configuration change, no new dependency. Learn more at nsauditor.com/ai/enterprise.