Our methodology
Compliance is only as good as the evidence behind it.
Every step in our process enforces a single principle: no conclusion is written before the evidence that supports it has been gathered, processed, and verified. This is not a philosophy. It is the architecture.
“AI cannot write a conclusion before an auditor gathers the evidence. We built our entire system around this one principle.”
The process
Five steps. No shortcuts.
Every engagement follows the same sequence. The order is not flexible — each step is a prerequisite for the next.
Evidence First
We gather before we analyse. Always.
Our auditors engage directly with your environment — systems, configurations, processes, and controls — before any analysis begins. No conclusions are pre-written. No templates are populated in advance. The evidence determines the findings, not the other way around.
What this means for you: your compliance report reflects what your organisation actually does — not what a template assumes every organisation does.
Secure Local Processing
Your data never leaves your pipeline.
All raw client evidence is processed locally using a private AI pipeline. Your data never touches a public cloud, a shared model, or any third-party infrastructure. Client confidentiality is structural — it is enforced by the architecture, not just promised in a policy.
What this means for you: sensitive evidence — configurations, logs, access controls, personal data — is processed in an isolated environment built specifically for your engagement.
Grounded Analysis
The AI can only draw from what we found.
Evidence is stored and retrieved through a Retrieval-Augmented Generation (RAG) pipeline. Our AI system can only draw from what your auditors actually gathered — making fabrication structurally impossible. If the evidence is not there, the conclusion cannot be written.
What this means for you: every finding in your report has a traceable source in the evidence we collected. No hallucinations. No assumptions. No filler.
Verified Report Production
A human auditor reviews everything before delivery.
Only after evidence is grounded and validated does our system produce the final compliance report. Before it reaches you, a qualified human auditor reviews every finding, every conclusion, and every recommendation. The AI accelerates the process — the auditor is accountable for the output.
What this means for you: you receive a report that has been verified by a person who understands your environment — not an automated output that no human has read.
Audit Trail
Every statement is traceable to its source.
Every finding, every conclusion, and every report is logged in an encrypted audit trail. You can trace every statement in your compliance report back to the specific evidence that supports it. The trail is immutable — it cannot be altered after the fact.
What this means for you: if you are ever questioned on a finding — by a regulator, an auditor, a client — you have a documented, traceable chain from conclusion to evidence.
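The two properties described under Grounded Analysis and Audit Trail (a finding can only cite evidence that was actually collected, and every accept/reject decision lands in a tamper-evident log) can be illustrated with a small gate. The code below is an added example written for this page; it is not Enact Cyber's pipeline, and the evidence items, finding IDs and the hash-chain design are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64

# Constructed sample evidence store: id -> what the auditor actually collected.
# Hypothetical values, not from any real engagement.
EVIDENCE = {
    "EV-001": "sshd_config on host-a: PasswordAuthentication no",
    "EV-002": "IAM export 2024-01-15: 3 privileged accounts without MFA",
}


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only, hash-chained log. Each entry commits to the previous
    entry's hash, so editing, reordering or deleting any entry breaks verify()."""

    def __init__(self):
        self.entries = []

    def append(self, action: str, payload: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "ts": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "payload": payload,
            "prev": prev,
        }
        # Hash covers seq, timestamp, action, payload and the previous hash.
        entry["hash"] = sha256_hex(json.dumps(entry, sort_keys=True))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """Recompute the chain from genesis; False on any broken link."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True)) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def ground_finding(finding: dict, evidence: dict, trail: AuditTrail) -> bool:
    """Gate a draft finding: accept only if it cites at least one evidence id
    and every cited id exists in the collected evidence. Both outcomes are logged."""
    cites = finding.get("cites", [])
    missing = [c for c in cites if c not in evidence]
    if not cites or missing:
        trail.append("finding_rejected", {
            "finding": finding["id"],
            "missing": missing or ["<no citation>"],
        })
        return False
    trail.append("finding_accepted", {
        "finding": finding["id"],
        "statement": finding["statement"],
        # Hash of each cited evidence item, so the delivered report can later be
        # checked against the exact evidence that supported each statement.
        "evidence": {c: sha256_hex(evidence[c]) for c in cites},
    })
    return True


def run_demo() -> dict:
    """Run three constructed draft findings through the gate and return the outcome."""
    trail = AuditTrail()
    drafts = [
        {"id": "F-1", "statement": "Password SSH auth is disabled on host-a.", "cites": ["EV-001"]},
        {"id": "F-2", "statement": "All privileged accounts use MFA.", "cites": ["EV-999"]},  # cites evidence nobody collected
        {"id": "F-3", "statement": "Firewall rules are reviewed quarterly.", "cites": []},     # no citation at all
    ]
    results = {d["id"]: ground_finding(d, EVIDENCE, trail) for d in drafts}
    return {"results": results, "trail": trail}


if __name__ == "__main__":
    demo = run_demo()
    print(demo["results"])
    print("trail intact:", demo["trail"].verify())
```

The gate rejects both failure modes the page warns about: a statement that cites evidence nobody gathered (F-2) and a statement with no evidence behind it at all (F-3). Every decision, accepted or rejected, becomes a chained entry, so a later edit to any logged finding is detectable by replaying `verify()` from the first entry.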
Structural confidentiality
We don't promise to protect your data. We build systems where exposing it is impossible.
Most compliance firms send your evidence to a shared AI model, a cloud API, or a third-party platform. Your sensitive configurations, access logs, and control documentation pass through infrastructure you have no visibility into.
At Enact Cyber, your evidence never leaves a local pipeline built specifically for your engagement. There is no shared model. There is no cloud API call. The confidentiality is not a policy — it is a structural property of the system.
Processing location: Local private pipeline, isolated per engagement
Public cloud usage: None (no AWS, GCP, or Azure for evidence processing)
Shared AI models: None (private local model only)
Evidence storage: Encrypted at rest; destroyed after engagement unless retained by agreement
Audit trail: Immutable and encrypted; every action logged and timestamped
What we believe
The principles that govern every engagement.
Evidence precedes analysis
We never write a conclusion before gathering the evidence that supports it. This is not a policy — it is enforced by the architecture of our pipeline.
Confidentiality is structural
We do not promise to protect your data. We build systems where exposing it is architecturally prevented. Local processing is not a feature — it is a design requirement.
Human accountability at every stage
AI accelerates our work. Humans are accountable for it. Every report that leaves our firm has been reviewed and verified by a qualified auditor.
Traceability over convenience
Every finding can be traced to its evidence. This slows us down compared to template-based approaches. We consider that a feature.
Why it matters
Compliance theatre has real consequences.
Pre-written reports create liability.
A compliance report that was drafted from a template before evidence was gathered is not a compliance report — it is a document that describes what the template assumes, not what your organisation does. When a regulator or auditor investigates, the gap becomes your problem.
Shared AI pipelines leak context.
When your evidence is processed by a shared cloud model, it becomes training data, context, or inference input for a system you do not control. The compliance firm's privacy policy does not protect you from model inference or data retention practices you have not audited.
Untraceable findings cannot be defended.
If you cannot trace a finding in your compliance report back to the specific evidence that supports it, you cannot defend that finding. When a client, regulator, or auditor challenges it, you have nothing to produce.
Ready to work differently?
Every engagement starts with evidence. Let's start with a conversation.
Tell us about your environment, your framework requirements, and where you are in your compliance journey. We'll tell you exactly how we approach it.