NSAuditor AI Enterprise 0.32.2 — The GRC Connector Trio Is Complete (Secureframe), and Compliance Reports Stop Citing Other Frameworks

EE 0.32.2 adds a Secureframe GRC connector to complete the Vanta·Drata·Secureframe trio, and closes a cross-framework leak in compliance report rationales. Matrix-neutral.

nsauditor-ai-ee-0-32-2-grc-trio-secureframe

NSAuditor AI Enterprise 0.32.2 (with paired Community Edition 0.2.27 and agent skill 0.2.25) is live on npm. Two changes ship in this release, and both are about trust: the GRC connector line-up is now a complete trio, and your compliance reports stop citing other frameworks. Neither touches a coverage matrix — no new framework, no new plugins (still 28), and all seven coverage matrices are byte-identical to 0.32.1.

1. The GRC connector trio is complete — Secureframe joins Vanta and Drata

NSAuditor AI Enterprise already pushes your compliance-scan evidence to Vanta and Drata at scan time. 0.32.2 adds a Secureframe connector, completing the trio at the same opt-in, early-access shape.

Set COMPLIANCE_GRC_PROVIDER=secureframe plus your API key, and every compliance scan maps each control to a structured record and pushes it to your Secureframe workspace evidence collection — where your Secureframe rules evaluate it. Like the Drata connector, it carries the control’s status verbatim; it does not decide pass/fail for you. It rides the same hardened machinery as the other two connectors: retry-with-backoff, framework-dimensioned idempotency keys so a timed-out retry never duplicates a record, a consecutive-failure circuit breaker, and API-token redaction across every log and error path.

It is outbound, single-workspace, and opt-in early-access. The API shape follows Secureframe’s published model, and live-tenant validation is deferred to partner onboarding — exactly the posture Vanta and Drata shipped in. It is not a multi-tenant managed sync and it is not live-sync; it pushes to the one workspace whose token you provide.

2. Your compliance reports stop citing other frameworks

Each control in a Report on Compliance carries a “Why this violates:” explanation. Building that library across seven frameworks, internal cross-references had ridden into the text — an Inherits from soc2.json note, a bare foreign control-id (CC6.1, PR.AA-05, Art.32) tucked inside an engine-mechanism clause, a cross-framework routing-map, or a real-engine verified == QA-note. Because the renderer prints the rationale verbatim, an ISO or HIPAA reader could see a SOC 2 or GDPR control-id in their own report — the kind of thing an auditor rightly questions.

0.32.2 removes the entire class from roughly 300 rationale strings across all seven frameworks. The removal is a proven pure deletion — a subsequence invariant guarantees no surviving word was altered or reordered — it is routing- and matrix-neutral, and it is guarded at the class level: the guard checks foreign control-ids per non-own framework plus the tokenless idioms, using the same rule as the fix so the two cannot drift. A per-framework adversarial review after the first pass is what surfaced the sibling channels that a single-token check would structurally miss.

The remaining rationale-hygiene classes — version stamps, dates, plugin-ids, and rewriting internal engineering-note rationales into plain language — are tracked as a follow-on. 0.32.2 does not claim “evidence quality complete.”

Coverage, honestly stated

This is a matrix-neutral release. The seven coverage matrices are unchanged: SOC 2 10/4/33, HIPAA 7/3/45, NIST CSF 2.0 13/10/83, PCI DSS v4.0.1 19/9/39, ISO 27001 17/14/62, CIS Controls v8 17/23/113, and GDPR Article 32 4/5/2. Every coverageSummary and every routing tuple is byte-identical to 0.32.1, and the EE regression suite runs 8791 pass over a 4-test license-environment baseline with zero new failures.

On the honest framing that matters here: the three GRC connectors are shipped, opt-in, and early-access; live validation against production tenants is in progress, and Secureframe’s API shape is published-assumed with live-tenant validation deferred to partner intake. NSAuditor AI runs entirely on your own infrastructure — local-first, Zero Data Exfiltration by default.

Full GRC connector documentation: nsauditor.com/ai/docs/grc/ · Enterprise overview: nsauditor.com/ai/enterprise/