The Audit Defense Library

Practitioner-depth analysis across federal and private compliance: FISMA and NIST RMF, FedRAMP, CMMC, federal AI governance, SOC 2, AI governance, cybersecurity, and GRC engineering. Written by a CPA, CISSP, CISA with Big 4 audit experience.

All FISMA & NIST RMF FedRAMP CMMC Federal AI Governance GovCon Compliance Federal Cybersecurity Federal Zero Trust Federal GRC Engineering AI Governance GRC Engineering Cybersecurity Cloud Security HIPAA SOC 2
AI Governance

Agentic AI Risk Assessment: The 5-Layer Evaluation Framework

Agentic AI risk assessment evaluates five dimensions absent from traditional AI risk: autonomy, delegation, tool use, persistence, and multi-agent coordination. Organizations applying IT risk matrices to autonomous agents miss the categories causing the most damage....

Read the Guide
AI Governance

Multi-Agent System Governance: When Agents Manage Agents

Multi-agent system governance is becoming the defining challenge of enterprise AI deployment. KPMG deployed 50 AI agents through its Workbench platform in June 2025, with additional agents in development [KPMG Jun 2025]. These are not...

Read the Guide
AI Governance

EU AI Act Human Oversight: Article 14 Compliance for High-Risk AI Systems

The greatest risk in high-risk AI is not the algorithm. It is the human approving the algorithm's output without reading it. A 2025 systematic review of studies involving thousands of participants confirmed what practitioners already...

Read the Guide
AI Governance

EU AI Act Risk Management System: Article 9 Implementation Guide

Seventy-seven percent of organizations report active AI governance programs. Half lack a systematic inventory of AI systems in production. Eighteen percent of deployed AI systems are confirmed high-risk under the EU AI Act [appliedAI Enterprise...

Read the Guide
AI Governance

EU AI Act High-Risk Compliance Checklist: All Requirements Before December 2027

Editor's Note (July 13, 2026): This checklist has been updated to reflect the adopted Digital Omnibus. The European Parliament endorsed the AI Act simplification package on June 16, 2026, and the Council of the EU...

Read the Guide
AI Governance

EU AI Act Conformity Assessment: Article 43 Procedures for High-Risk AI Systems

The EU Medical Device Regulation entered full application in May 2021. By the deadline, 20% of medical devices had achieved certification. Queues at notified bodies stretched 18 months. Audit costs tripled. The industry had five...

Read the Guide
Cloud Security

FedRAMP 20x Compliance Guide: Key Security Indicators, Phases, and What Changes in 2026

Editor's Note (Updated July 13, 2026): FedRAMP clarified that the September 30, 2026 machine-readable requirement is enforced through a two-speed submission pipeline, not a hard rejection. The Consolidated Rules for 2026 (CR26) take mandatory effect...

Read the Guide
AI Governance

Agentic AI Governance: The 2026 Framework for Autonomous AI Systems

Who governs an AI agent governing itself? Not a chatbot responding to prompts. Not a model scoring risk on a spreadsheet. An autonomous system calling APIs, accessing databases, delegating tasks to other agents, and making...

Read the Guide
GRC Engineering

Agentic AI for GRC: How Autonomous Compliance Agents Are Replacing Manual Workflows

Monday morning, 8:15 AM. The compliance manager opens her GRC dashboard. Four evidence collection tasks completed overnight: AWS IAM access logs pulled, Okta MFA enforcement validated, GitHub branch protection configs captured, Jira change tickets mapped...

Read the Guide
GRC Engineering

How to Evaluate GRC Automation Platforms: Selection Criteria and Scoring

Two compliance teams at mid-market SaaS companies faced the same problem last year: SOC 2 audit preparation consuming 300+ hours per cycle. Both had the same budget ($40,000 to $60,000 annually) for a GRC automation...

Read the Guide
GRC Engineering

Automating SOC 2 Evidence Collection: From 200 Hours to 20

SOC 2 evidence collection is not a compliance problem. It is an engineering problem carrying a compliance label. The compliance team collects screenshots because no one built the pipeline to collect data automatically. The auditor...

Read the Guide
GRC Engineering

API-Driven Audit Evidence Collection: Eliminating Screenshot-Based Compliance

A compliance manager opens nine browser tabs at 7:14 AM. Tab one: AWS Console for security group screenshots. Tab two: Okta admin panel for user access exports. Tab three: GitHub for change management evidence. Tab...

Read the Guide
The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.