One Scan, Seven Frameworks: Inside NSAuditor AI EE 0.30.0’s Cloud Detection Depth-Pass

The newest release of NSAuditor AI Enterprise Edition, version 0.30.0, is unusual: it ships no new compliance framework, no new plugins, and no change to any coverage matrix. What it ships instead is depth — a focused effort to surface cloud misconfigurations that the scanner used to walk straight past, and to make a single finding land on the same control no matter which framework you are reporting against.

The motivation is a simple, uncomfortable truth about automated compliance: the most dangerous result a scanner can return is a green check it did not earn. A tool that says “clean” over a genuinely exposed resource gives a team false confidence right up until an auditor — or an attacker — proves otherwise. EE 0.30.0 is a release-length campaign against exactly that.

Where the depth went

On AWS, the headline is S3 access points. A bucket can look perfectly locked down at the bucket level and still be reachable from the open internet through an access point, provided the bucket policy delegates access control to access points. The scanner now works through the entire chain: the access point's network origin (Internet or VPC), the access-point policy, Block Public Access at both the access-point and account level, and the bucket's delegation posture, and it raises the bypass only when every link permits it. Crucially, any link it cannot read is reported as an explicit evidence gap rather than waved through as clean.

The same effective-exposure logic now inspects the resource policies behind Lambda, DynamoDB, SQS, SNS, VPC endpoints, Secrets Manager and API Gateway, catching public and cross-account access that was previously unexamined. Add to that sharper EC2 security-group analysis (public-versus-private address ranges, including IPv6), broader KMS decrypt and cross-account key-policy checks, and paginated IAM enumeration so a risky user on the second page is no longer invisible.

On Azure, a parallel pass swept storage, network security groups, Key Vault and the cloud scanner, closing the cases where a scope the scanner could not read quietly returned a clean result. The entire Azure fleet now answers to one structural guard that turns an un-enumerable scope into an evidence gap routed to the same controls the check would otherwise have attested.
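As an added example (not NSAuditor's code), here is the shape of the tri-state chain evaluation described above, applied to the S3 access point case: every link is true (permits exposure), false (blocks it) or null (unreadable), a blocking link settles the verdict, and any unreadable link is returned as a named gap rather than folded into a clean result. The same guard pattern is what turns an un-enumerable Azure scope into an evidence gap. The input objects are simplified stand-ins for the AWS API responses and the sample evidence is constructed; the policy and delegation heuristics are deliberately simpler than AWS's real public-policy rules and are labelled as such.

```javascript
// Added example, not NSAuditor code: tri-state evaluation of the S3 access
// point exposure chain. Each link is true (permits internet exposure),
// false (blocks it) or null (could not be read, e.g. AccessDenied).
// Inputs are simplified stand-ins for GetAccessPoint, GetAccessPointPolicy,
// GetPublicAccessBlock and GetBucketPolicy responses.

function asList(x) {
  return x === undefined ? [] : [].concat(x);
}

// True when an Allow statement grants to a wildcard principal with no Condition.
// Treating every Condition as restricting is a simplification of the AWS
// public-policy rules and can under-report (aws:SecureTransport alone does not
// make a grant private); a real implementation must evaluate the condition keys.
function policyAllowsPublic(policy) {
  if (policy == null) return null;
  return asList(policy.Statement).some((s) => {
    if (s.Effect !== "Allow") return false;
    const p = s.Principal;
    const wildcard = p === "*" || (p != null && asList(p.AWS).includes("*"));
    return wildcard && s.Condition === undefined;
  });
}

// A bucket policy delegates access control to access points when it grants
// access conditioned on the request arriving through an access point.
const DELEGATION_KEYS = ["s3:dataaccesspointaccount", "s3:dataaccesspointarn", "s3:accesspointnetworkorigin"];

function bucketDelegatesToAccessPoints(bucketPolicy) {
  if (bucketPolicy == null) return null;
  return asList(bucketPolicy.Statement).some((s) => {
    if (s.Effect !== "Allow" || s.Condition === undefined) return false;
    return Object.values(s.Condition).some((keyValues) =>
      Object.keys(keyValues).some((k) => DELEGATION_KEYS.includes(k.toLowerCase())));
  });
}

// RestrictPublicBuckets is the Block Public Access setting that neutralises an
// already-attached public policy; the other three gate ACLs or new policy PUTs.
function bpaPermitsPublicPolicy(bpa) {
  if (bpa == null) return null;
  return bpa.RestrictPublicBuckets !== true;
}

function evaluateAccessPointExposure(evidence) {
  const ap = evidence.accessPoint;
  const links = {
    networkOrigin: ap == null ? null : ap.NetworkOrigin === "Internet",
    accessPointPolicy: policyAllowsPublic(evidence.accessPointPolicy),
    accessPointBpa: ap == null ? null : bpaPermitsPublicPolicy(ap.PublicAccessBlockConfiguration),
    accountBpa: bpaPermitsPublicPolicy(evidence.accountBpa),
    bucketDelegation: bucketDelegatesToAccessPoints(evidence.bucketPolicy),
  };
  const gaps = Object.keys(links).filter((k) => links[k] === null);
  const blockedBy = Object.keys(links).filter((k) => links[k] === false);
  // A definitively blocking link settles the verdict, but gaps are always
  // surfaced so an unreadable link is never silently treated as clean.
  const verdict = blockedBy.length > 0 ? "blocked" : gaps.length > 0 ? "evidence_gap" : "public";
  return { verdict, blockedBy, gaps };
}

// Constructed sample evidence for a fictional account; not real data.
const OPEN_BPA = { BlockPublicAcls: false, IgnorePublicAcls: false, BlockPublicPolicy: false, RestrictPublicBuckets: false };
const PUBLIC_AP_POLICY = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: "*", Action: "s3:GetObject",
    Resource: "arn:aws:s3:us-east-1:111122223333:accesspoint/data-ap/object/*" }],
};
const DELEGATING_BUCKET_POLICY = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { AWS: "*" }, Action: "*",
    Resource: ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    Condition: { StringEquals: { "s3:DataAccessPointAccount": "111122223333" } } }],
};

const EXPOSED = {
  accessPoint: { NetworkOrigin: "Internet", PublicAccessBlockConfiguration: OPEN_BPA },
  accessPointPolicy: PUBLIC_AP_POLICY,
  accountBpa: OPEN_BPA,
  bucketPolicy: DELEGATING_BUCKET_POLICY,
};
// Same resources, but the account-level GetPublicAccessBlock call was denied.
const UNREADABLE_ACCOUNT_BPA = { ...EXPOSED, accountBpa: null };
// Same resources, but the access point is VPC-only.
const VPC_ONLY = { ...EXPOSED, accessPoint: { NetworkOrigin: "VPC", PublicAccessBlockConfiguration: OPEN_BPA } };

for (const [name, ev] of Object.entries({ EXPOSED, UNREADABLE_ACCOUNT_BPA, VPC_ONLY })) {
  console.log(name, JSON.stringify(evaluateAccessPointExposure(ev)));
}
```

The three samples give `public`, `evidence_gap` (with `accountBpa` named) and `blocked` (by `networkOrigin`) respectively; the middle case is the one a scanner that ignores read failures would report as clean.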

The same exposure, the same answer

The second half of the release is about consistency. Two resources with the same architectural flaw should fail the same way on every report, and until now they did not always. EE 0.30.0 aligns the mapping layer so that an over-broad KMS decrypt grant or an anonymous queue read reaches the confidentiality controls on ISO/IEC 27001, CIS Controls v8 and GDPR Article 32, not only SOC 2. A public, unauthenticated application entry point, whether a Lambda Function URL or an API Gateway method with no authorization, now appears under NIST CSF 2.0's access-enforcement control, PR.AA-05. And a grant that only touches integrity or availability no longer overstates a confidentiality claim. None of these adjustments touches a coverage matrix; they change only which control an existing finding lands on.

Underneath it all sits a new build-time check that refuses to ship a mapping in which an evidence gap for a check does not close (that is, withhold attestation of) the very controls a real finding from that check would attest, turning the “no silent false-clean” rule from a habit into an enforced property.
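As an added example (not NSAuditor's code), here is one way to express the mapping rules from the two paragraphs above and the build-time guard that enforces them: each check carries the CIA facets it can evidence and two control lists, one reached by a real finding and one closed by an evidence gap, and the guard rejects any check whose two lists differ or that routes to a control whose facet the check cannot evidence. The control references are illustrative labels chosen for this example, not the product's actual mapping, and only PR.AA-05 and Article 32 are named on the page.

```javascript
// Added example, not NSAuditor code: a check-to-control mapping tagged with the
// CIA facets each finding evidences, plus the build-time guard that rejects a
// mapping in which an evidence gap would not close the same controls a real
// finding attests, or a control claims a facet the check cannot evidence.
// Control references are illustrative labels, not the product's real mapping.

const CONTROLS = {
  "nist-csf-2.0:PR.AA-05": { facets: ["confidentiality", "integrity", "availability"] },
  "gdpr:art-32": { facets: ["confidentiality", "integrity", "availability"] },
  "soc2:confidentiality": { facets: ["confidentiality"] },
  "iso27001:confidentiality": { facets: ["confidentiality"] },
  "cis-v8:confidentiality": { facets: ["confidentiality"] },
};

// Well-formed entries: gap routing mirrors finding routing and facets agree.
const CHECKS = [
  { id: "kms-key-policy-cross-account-decrypt", facets: ["confidentiality"],
    onFinding: ["soc2:confidentiality", "iso27001:confidentiality", "cis-v8:confidentiality", "gdpr:art-32"],
    onGap:     ["soc2:confidentiality", "iso27001:confidentiality", "cis-v8:confidentiality", "gdpr:art-32"] },
  { id: "apigw-method-no-authorization", facets: ["confidentiality", "integrity"],
    onFinding: ["nist-csf-2.0:PR.AA-05"], onGap: ["nist-csf-2.0:PR.AA-05"] },
];

// Two deliberately broken entries the guard must reject.
const BROKEN_CHECKS = [
  // Gap routing omits a control: an unreadable queue policy would leave the
  // ISO control silently clean.
  { id: "sqs-anonymous-receive", facets: ["confidentiality"],
    onFinding: ["soc2:confidentiality", "iso27001:confidentiality"], onGap: ["soc2:confidentiality"] },
  // Integrity-only grant routed to a confidentiality control.
  { id: "sqs-anonymous-send", facets: ["integrity"],
    onFinding: ["soc2:confidentiality"], onGap: ["soc2:confidentiality"] },
];

function validateMapping(checks, controls = CONTROLS) {
  const violations = [];
  for (const check of checks) {
    const finding = new Set(check.onFinding);
    const gap = new Set(check.onGap);
    for (const c of finding) {
      if (!gap.has(c)) violations.push(`${check.id}: evidence gap leaves ${c} silently clean`);
      const ctl = controls[c];
      if (!ctl) { violations.push(`${check.id}: unknown control ${c}`); continue; }
      if (!ctl.facets.some((f) => check.facets.includes(f))) {
        violations.push(`${check.id}: routes to ${c} (${ctl.facets.join("/")}) but only evidences ${check.facets.join("/")}`);
      }
    }
    for (const c of gap) {
      if (!finding.has(c)) violations.push(`${check.id}: evidence gap closes ${c}, which no finding attests`);
    }
  }
  return violations;
}

// Build-time entry point: a non-empty violation list should fail the build.
function buildGuard(checks) {
  const violations = validateMapping(checks);
  for (const v of violations) console.error("mapping violation:", v);
  return violations.length === 0;
}

console.log("good mapping passes:", buildGuard(CHECKS));
console.log("broken mapping passes:", buildGuard(BROKEN_CHECKS));
```

Keeping the finding and gap routings as two lists and diffing them at build time is what makes the property enforceable; deriving one from the other would remove the check but also the ability to express a deliberately narrower gap routing, which this guard treats as a violation.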

The GDPR line, unchanged

The Article 32 routing added this cycle does not change the product’s long-standing position: NSAuditor evidences the GDPR Article 32 infrastructure substrate only — not GDPR compliance. The findings feed the operator’s own proportionality assessment, carry a personal-data-scope caveat, and map to the Article 83(4) lower fine tier, never the headline figure.

NSAuditor AI Community Edition is open source and free (npm i -g nsauditor-ai@latest); the Enterprise cloud-compliance surface is licensed (@nsasoft/nsauditor-ai-ee@latest). One scan still produces seven framework-mapped evidence packs — now with deeper detection and a verdict that reads the same across all of them. More at nsauditor.com/ai/enterprise.