Compliance
AI Compliance Officer: What Makes Screenata a Category-Defining Platform
Screenata defines a new category: an AI Compliance Officer named Vera who runs continuous compliance as an agent. She scans your infrastructure, writes deterministic policies from your real systems, captures the application evidence APIs can't see, chases attestations in Slack, and signs every artifact. A dashboard flags work; Vera does it, replacing both the GRC platform and the consultant for around $18K a year.

Screenata is an AI Compliance Officer for startups: an agent named Vera who runs continuous compliance. She connects read-only to your GitHub and cloud, writes deterministic SOC 2 policies grounded in your real systems, runs every test in your control matrix, captures the application evidence APIs can't see, DMs your team in Slack for the attestations only a person can answer, and signs every artifact. Traditional GRC tools like Drata and Vanta give you a dashboard and API integrations, but you still need someone who knows compliance to do the actual work. A dashboard flags the work; Vera does it.
What Category Is Screenata Defining?
For a decade the compliance automation market was a contest of dashboards. Drata and Vanta changed the industry by connecting to APIs (AWS, Okta, GitHub) to monitor infrastructure configuration. That was real progress, and it left two gaps open.
The first is application-level evidence. APIs cannot see your user interface. They cannot prove that a "Delete" button triggers a confirmation modal, or that a user is denied access to data they should not reach. This left teams hand-collecting screenshots for 20 to 30% of their controls.
The second is compliance expertise. A dashboard hands you a checklist and blank text boxes. It does not write your policies, explain what your auditor needs, or tell you what to fix. Most startups on Vanta or Drata still pay $2K to $5K a month for a vCISO or consultant to fill that gap.
The category Screenata defines closes both gaps with one agent. Vera does the compliance work a dashboard only tracks:
- Policy writing: she reads your codebase and cloud, then drafts deterministic SOC 2 policies that name your real infrastructure.
- Codebase analysis: she scans your GitHub repos and maps your tech stack, auth system, CI/CD pipeline, and existing controls.
- Evidence collection: she pulls API evidence from GitHub and your cloud, and captures application-level proof through the browser.
- Attestation chasing: she DMs your team in Slack for the answers only a person can give, with reminders and escalation.
- Control mapping: every policy claim maps to Trust Services Criteria, with evidence you can produce.
- Readiness scoring: a dashboard shows your score, what is left, and what is blocking certification.
- Compliance guidance: an AI assistant answers questions and tells you what to do next.
The Problem: Startups Need a Coworker, Not a Dashboard
Even with a modern GRC tool, startups still spend $2K to $5K a month on a consultant and 40 to 80 hours per audit cycle on manual work. The reason is structural: a dashboard assumes you already employ the compliance person who does the work it tracks. Most startups do not.
Where the Traditional Stack Falls Short
| What You Need | GRC Platform (Drata/Vanta) | Consultant/vCISO | Vera |
|---|---|---|---|
| Dashboard and monitoring | Yes | No | Yes |
| Evidence collection | API only | Manual | API + codebase + browser |
| Policy writing | Templates you fill in | Yes ($2-5K/mo) | Deterministic, from your systems |
| Control mapping | Partial | Yes | Yes (automated) |
| Attestation chasing | No | Manual email | Slack DM with escalation |
| Tells you what to fix | No | Yes | Yes |
| Signed, traceable artifacts | Partial | No | Yes |
| No compliance expertise needed | No | N/A | Yes |
The traditional path runs roughly $85K in the first year: platform plus consultant plus auditor plus engineering time. Vera brings that to about $18K (Vera plus auditor plus minimal engineering time), and removes the manual application-level work by running the tests, capturing the evidence, and chasing the humans herself.
How Vera Works
Vera is a full compliance program in one agent: policy writing, evidence collection, control mapping, attestation chasing, and audit prep.
1. Codebase and Cloud Analysis
Vera connects read-only to your GitHub org and cloud. She scans your codebase, reads your AWS, GCP, or Azure configuration, and maps your stack, auth system, CI/CD pipeline, and existing controls. Source code is read ephemerally and deleted after findings are extracted; credentials live in a key vault.
2. Deterministic Policy Writing from Your Real Systems
Vera pre-fills a readiness questionnaire from what she found, asks you to confirm or correct it, and composes each policy from your attestations. You get "Acme Corp enforces MFA through Clerk for all user accounts," not a template, with every claim tied to evidence you can produce. The generator is deterministic, so the same attestation yields the same sentence and an auditor can re-derive your policy. See why generic ChatGPT policies fail audits.
3. Evidence Collection
Roughly 70% of your evidence is fully automated through Vera's API scans across 489+ native checks: GitHub branch protection, required reviews, MFA enforcement, cloud encryption settings, audit-log exports. For application-level controls APIs can't reach, she captures screenshots and workflow proof through the browser extension, scored by a vision model, with PII redacted and metadata attached at the point of capture.
4. Attestation Chasing in Slack
Some evidence has no API and no screen. "Did the access review happen, and did the right people approve it?" is a question only a person can answer. Vera DMs the right teammate in Slack, reminds at 24 hours, escalates at 48 hours, and files the reply as a signed attestation tied to the control. A dashboard can only put that question on a list and wait.
5. Control Mapping and Readiness Scoring
Every policy claim maps to specific Trust Services Criteria. A readiness dashboard shows your audit score, what is left, and what is blocking certification, and the AI assistant tells you what to do next.
6. Signed, Traceable Reporting
Vera generates an audit-ready evidence pack: formatted reports with a narrative for each control, mapped to the relevant ID (for example SOC 2 CC6.1 or ISO 27001 A.5.15), each artifact carrying SHA-256 hashes, RSA/ECDSA signatures, and RFC 3161 timestamps so an auditor can verify integrity independently.
Vera vs. the Traditional Compliance Stack
| Feature | Traditional GRC (Drata/Vanta) | Vera |
|---|---|---|
| Primary data source | APIs (AWS, GitHub, IdPs) | Codebase + cloud + UI workflows |
| Policy writing | Templates you fill in | Deterministic, from your systems |
| Evidence type | JSON configs, ticket status | Policies, signed screenshots, PDFs, configs |
| Control mapping | Partial (infra only) | Full (automated, cross-framework) |
| Attestation chasing | None | Slack DM with reminder and escalation |
| Compliance guidance | None | AI compliance assistant |
| Manual effort | Low for infra, high for everything else | Low across the board |
| Still need a consultant? | Yes ($2-5K/mo) | No |
For most startups, Vera replaces both the platform and the consultant. You still need an independent auditor, because SOC 2 requires a CPA firm to issue the report, but Vera prepares everything that auditor needs. If you already run a dashboard, she works alongside it to close the application gap.
Why Auditors Accept Vera's Evidence
A category-defining program has to meet AICPA (SOC 2) and ISO registrar standards. Auditors accept Vera's evidence because it is more reliable than hand-collected screenshots, for three reasons.
1. Chain of Custody
A manual screenshot can be edited in Photoshop. Vera hashes each artifact at the point of capture and signs it, and the JSON manifest lets an auditor verify programmatically that nothing was altered since creation. Every artifact traces back through a control test to the policy claim it supports.
2. Standardization
Auditors dislike folder dumps of disorganized images. Vera produces a consistent schema for every control: a header with control ID, date, and tester; a body with the step-by-step visual flow and a drafted caption; and a footer with technical metadata and hash values.
3. Policies That Name Real Systems
Vera's policies reference your actual auth provider, cloud setup, and CI/CD pipeline by name, and because the generator is deterministic, the control language does not drift between drafts. That is what auditors want to see, and what generic template policies fail to provide.
Honest Escalation as a Trust Mechanism
Vera does not pretend to settle judgment calls. When a control needs a human decision, an exception sign-off, a first-time procedure, or an attestation only a person can give, she escalates it rather than guessing. That honesty is what makes the rest of her output trustworthy, because you can see exactly where her judgment ends and yours begins.
Continuous Compliance, Not Point-in-Time
Vera runs on a schedule, so the program stays audit-ready between cycles. Every morning she runs a 6:00 evidence-freshness check, a 6:15 readiness snapshot, and a 6:30 Slack briefing. Weekly she scans cloud and repos for drift. Quarterly she schedules and chases access reviews. Annually she refreshes the risk assessment. When a control slips, she opens the remediation work instead of waiting for the audit to find it. A single MFA scan she runs satisfies SOC 2 CC6.1 and HIPAA §164.312(d) at once through the shared canonical control catalog, so you collect once and satisfy many.
Frequently Asked Questions
What makes Vera different from a screen recorder like Loom?
Loom records video pixels and stops there. Vera runs the whole program: she writes your policies, maps controls, collects evidence, chases attestations, and signs every artifact. Screenshot capture is one of several ways she gathers evidence, about 9% of the total, not the product itself.
Can Vera automate ISO 27001 Annex A evidence?
Yes. Annex A controls (particularly A.5, A.7, and A.8) often require evidence of operational procedures. Vera collects it through codebase analysis, cloud scans, and workflow capture, and maps it through the shared control catalog so a SOC 2 artifact can satisfy the equivalent ISO control.
Does Vera replace Vanta or Drata?
For most startups, yes. Vera covers both halves of SOC 2: roughly 70% of evidence through her own API scans of the same sources a dashboard reads, and the application 20% through guided capture and Slack attestations, plus policy writing, control mapping, and readiness scoring. A dashboard flags work; Vera does it. You still need an independent auditor, but she preps everything they need. If you already run a dashboard, she works alongside it. For first-time SOC 2 teams this is the simpler, cheaper path.
Is this continuous compliance?
Yes. By running daily scans, weekly drift checks, and quarterly reviews, Vera moves you from point-in-time manual screenshots to a continuous stream of verifiable evidence, so you stay audit-ready between cycles.
Does Vera replace our auditor?
No. Vera does the preparation: collecting evidence, writing policies, and assembling the pack. An independent CPA firm still issues your SOC 2 report. Because her output is deterministic and traceable, their review tends to go faster.
Key Takeaways
- Screenata is an AI Compliance Officer, an agent named Vera, who runs continuous compliance instead of charting it on a dashboard.
- A dashboard flags the work; Vera does it. She covers ~70% of evidence through API scans, ~9% through application screenshots, and chases the attestations in between.
- She writes deterministic policies that name your real infrastructure and signs every artifact, so each ties back through a control test to a policy claim.
- For most startups she replaces both the GRC platform and the consultant for around $18K in the first year, against roughly $85K traditional. You still need an independent auditor; Vera preps everything they need.
- Honest escalation is part of the design. She runs the tests she can and hands judgment calls to a person.
Learn More
Connect and see
See your SOC 2 with your real systems.
Connect GitHub and cloud read-only. Vera shows your control matrix, policy gaps, and prioritized next actions before you commit to anything.