An auditor should never see your engineering shorthand. NSAuditor AI Enterprise 0.32.1 ships a report-quality patch: the “Why this violates:” explanation on every control, in every Report on Compliance, across all seven compliance frameworks, is now clean of internal engineering notes that had been rendering into auditor-facing reports. It changes no control’s status, no mapping, and no coverage number.
Clean rationales in every Report on Compliance
Each control in an NSAuditor Report on Compliance carries a per-control rationale that explains why a finding violates it. Those rationales are authored and refined over many review cycles — and over time, internal markers rode along into the text: cross-reference links to internal engineering notes, work-item codes, reviewer shorthand, and review-round identifiers. Because the renderer prints the rationale verbatim, those markers were surfacing in the customer-facing report.
0.32.1 removes all of them from roughly 900 rationales across all seven framework definitions. The removal is deliberately conservative: it deletes the marker and its connecting words only, never audit-relevant content, and is proven to be a pure deletion — a subsequence invariant guarantees no word was altered, reordered, or corrupted. A general-pattern grammar guard then repairs any capitalization or punctuation seams the removal left behind, and stays in the test suite so the class cannot reappear. Routing, severities, and every coverage matrix are untouched.
It also fixes a subtler leak: a KMS key-policy parse-failure rationale that had been rendering a reviewer code and a foreign-framework token into the “Why this violates” line of all seven reports — now neutralized in every framework and guarded by a report-render test.
More positive evidence — Azure and deeper AWS
An NSAuditor Report on Compliance can surface positive substrate — curated, per-control proof that a control is operating — alongside violations, without ever changing a control’s pass/fail status. 0.32.1 opts in more of it: an Azure Storage account-level holistic PASS, three additional clean Azure units, and deeper AWS at-rest and AWS-other coverage. Each carries an honest, framework-neutral caveat stating exactly what a point-in-time configuration scan does and does not prove, and every opt-in gates on complete, verified evidence — a PASS over a truncated enumeration or an AccessDenied read does not qualify. Display-only, non-flipping, count-neutral.
A leaner GRC-connector core
The Vanta and Drata GRC push connectors (shipped in 0.32.0) now share a single hardened push loop, with the two duplicated push implementations and their retryable-failure classification collapsed into one — proven behavior-neutral by tests and mutation testing. Zero change to how the connectors behave; a smaller, safer surface to maintain. The connectors remain opt-in and operator-configured, with live validation against production Vanta and Drata tenants in progress as partner onboarding proceeds; Secureframe is on the roadmap.
Matrix-neutral
No new framework, still 28 plugins, and all seven coverage matrices are byte-identical to 0.32.0: SOC 2 (10/4/33), HIPAA (7/3/45), NIST CSF 2.0 (13/10/83), PCI DSS v4.0.1 (19/9/39), ISO 27001 (17/14/62), CIS Controls v8 (17/23/113), and GDPR Article 32 (4/5/2). The build was smoke-verified across AWS, Azure, and GCP and regression-compared against 0.32.0 with zero control-status changes.
Versions
- Enterprise:
@nsasoft/nsauditor-ai-ee@0.32.1 - Community Edition:
nsauditor-ai@0.2.26(MIT) - Agent skill:
nsauditor-ai-agent-skill@0.2.24
NSAuditor AI runs entirely on your own infrastructure — local-first, with zero data exfiltration. Learn more at nsauditor.com/ai/enterprise.




