NSAuditor AI Enterprise 0.32.2 — GRC Connector Trio Complete with Secureframe, Plus a Cross-Framework Report-Quality Fix

NSAuditor AI Enterprise 0.32.2 — with paired Community Edition 0.2.27 and agent skill 0.2.25 — is live on npm. Two changes ship, and both are about trust: the GRC connector line-up becomes a complete trio, and compliance reports stop citing other frameworks. It is a matrix-neutral release: no new framework, no new plugins (still 28), all seven coverage matrices unchanged.

Secureframe completes the GRC connector trio

NSAuditor AI Enterprise already pushes compliance-scan evidence to Vanta and Drata at scan time. 0.32.2 adds a Secureframe connector at the same opt-in, early-access shape. Set COMPLIANCE_GRC_PROVIDER=secureframe plus your API key, and every compliance scan maps each control to a structured record and pushes it to your Secureframe workspace evidence collection — where your Secureframe rules evaluate it. The connector carries the control’s status verbatim; it does not compute pass/fail for you.

It rides the same hardened push loop as the other two: retry-with-backoff, framework-dimensioned idempotency keys, a consecutive-failure circuit breaker, and token redaction across every log path. It is outbound, single-workspace, and opt-in early-access — the API shape follows Secureframe’s published model and live-tenant validation is deferred to partner onboarding. Not a multi-tenant managed sync, and not live-sync.

Compliance reports stop citing other frameworks

Each control in a Report on Compliance carries a “Why this violates:” line. Across seven frameworks, internal cross-references had leaked into that text — an Inherits from soc2.json note, a bare foreign control-id inside an engine-mechanism clause, or a cross-framework routing-map. Because the renderer prints the rationale verbatim, an ISO or HIPAA reader could see a SOC 2 or GDPR control-id in their own report.

0.32.2 removes the entire class from roughly 300 rationale strings across all seven frameworks. It is a proven pure deletion (a subsequence invariant guarantees no surviving word changed), routing- and matrix-neutral, and guarded at the class level so the fix and its guard cannot drift. The release does not claim “evidence quality complete” — the remaining hygiene classes (version stamps, dates, plugin-ids) are tracked as a follow-on.

The numbers

Coverage matrices unchanged: SOC 2 10/4/33, HIPAA 7/3/45, NIST CSF 2.0 13/10/83, PCI DSS v4.0.1 19/9/39, ISO 27001 17/14/62, CIS Controls v8 17/23/113, GDPR Art. 32 4/5/2. EE regression 8791 pass over a 4-test license-environment baseline, zero new failures. The three GRC connectors are shipped, opt-in, and early-access; live-tenant validation is in progress. NSAuditor AI runs entirely on your own infrastructure — local-first, Zero Data Exfiltration by default.

GRC connector docs: nsauditor.com/ai/docs/grc/ · Enterprise: nsauditor.com/ai/enterprise/