Compliance

AI Compliance Officer: What Makes Screenata a Category-Defining Platform

Screenata defines a new category: an AI Compliance Officer named Vera who runs continuous compliance as an agent. She scans your infrastructure, writes deterministic policies from your real systems, captures the application evidence APIs can't see, chases attestations in Slack, and signs every artifact. A dashboard flags work; Vera does it, replacing both the GRC platform and the consultant for around $18K a year.

January 9, 20269 min read
Compliance AutomationSOC 2ISO 27001Evidence CollectionAI AgentsCategory Definition
AI Compliance Officer: What Makes Screenata a Category-Defining Platform

Screenata is an AI Compliance Officer for startups: an agent named Vera who runs continuous compliance. She connects read-only to your GitHub and cloud, writes deterministic SOC 2 policies grounded in your real systems, runs every test in your control matrix, captures the application evidence APIs can't see, DMs your team in Slack for the attestations only a person can answer, and signs every artifact. Traditional GRC tools like Drata and Vanta give you a dashboard and API integrations, but you still need someone who knows compliance to do the actual work. A dashboard flags the work; Vera does it.


What Category Is Screenata Defining?

For a decade the compliance automation market was a contest of dashboards. Drata and Vanta changed the industry by connecting to APIs (AWS, Okta, GitHub) to monitor infrastructure configuration. That was real progress, and it left two gaps open.

The first is application-level evidence. APIs cannot see your user interface. They cannot prove that a "Delete" button triggers a confirmation modal, or that a user is denied access to data they should not reach. This left teams hand-collecting screenshots for 20 to 30% of their controls.

The second is compliance expertise. A dashboard hands you a checklist and blank text boxes. It does not write your policies, explain what your auditor needs, or tell you what to fix. Most startups on Vanta or Drata still pay $2K to $5K a month for a vCISO or consultant to fill that gap.

The category Screenata defines closes both gaps with one agent. Vera does the compliance work a dashboard only tracks:

  • Policy writing: she reads your codebase and cloud, then drafts deterministic SOC 2 policies that name your real infrastructure.
  • Codebase analysis: she scans your GitHub repos and maps your tech stack, auth system, CI/CD pipeline, and existing controls.
  • Evidence collection: she pulls API evidence from GitHub and your cloud, and captures application-level proof through the browser.
  • Attestation chasing: she DMs your team in Slack for the answers only a person can give, with reminders and escalation.
  • Control mapping: every policy claim maps to Trust Services Criteria, with evidence you can produce.
  • Readiness scoring: a dashboard shows your score, what is left, and what is blocking certification.
  • Compliance guidance: an AI assistant answers questions and tells you what to do next.

The Problem: Startups Need a Coworker, Not a Dashboard

Even with a modern GRC tool, startups still spend $2K to $5K a month on a consultant and 40 to 80 hours per audit cycle on manual work. The reason is structural: a dashboard assumes you already employ the compliance person who does the work it tracks. Most startups do not.

Where the Traditional Stack Falls Short

What You NeedGRC Platform (Drata/Vanta)Consultant/vCISOVera
Dashboard and monitoringYesNoYes
Evidence collectionAPI onlyManualAPI + codebase + browser
Policy writingTemplates you fill inYes ($2-5K/mo)Deterministic, from your systems
Control mappingPartialYesYes (automated)
Attestation chasingNoManual emailSlack DM with escalation
Tells you what to fixNoYesYes
Signed, traceable artifactsPartialNoYes
No compliance expertise neededNoN/AYes

The traditional path runs roughly $85K in the first year: platform plus consultant plus auditor plus engineering time. Vera brings that to about $18K (Vera plus auditor plus minimal engineering time), and removes the manual application-level work by running the tests, capturing the evidence, and chasing the humans herself.


How Vera Works

Vera is a full compliance program in one agent: policy writing, evidence collection, control mapping, attestation chasing, and audit prep.

1. Codebase and Cloud Analysis

Vera connects read-only to your GitHub org and cloud. She scans your codebase, reads your AWS, GCP, or Azure configuration, and maps your stack, auth system, CI/CD pipeline, and existing controls. Source code is read ephemerally and deleted after findings are extracted; credentials live in a key vault.

2. Deterministic Policy Writing from Your Real Systems

Vera pre-fills a readiness questionnaire from what she found, asks you to confirm or correct it, and composes each policy from your attestations. You get "Acme Corp enforces MFA through Clerk for all user accounts," not a template, with every claim tied to evidence you can produce. The generator is deterministic, so the same attestation yields the same sentence and an auditor can re-derive your policy. See why generic ChatGPT policies fail audits.

3. Evidence Collection

Roughly 70% of your evidence is fully automated through Vera's API scans across 489+ native checks: GitHub branch protection, required reviews, MFA enforcement, cloud encryption settings, audit-log exports. For application-level controls APIs can't reach, she captures screenshots and workflow proof through the browser extension, scored by a vision model, with PII redacted and metadata attached at the point of capture.

4. Attestation Chasing in Slack

Some evidence has no API and no screen. "Did the access review happen, and did the right people approve it?" is a question only a person can answer. Vera DMs the right teammate in Slack, reminds at 24 hours, escalates at 48 hours, and files the reply as a signed attestation tied to the control. A dashboard can only put that question on a list and wait.

5. Control Mapping and Readiness Scoring

Every policy claim maps to specific Trust Services Criteria. A readiness dashboard shows your audit score, what is left, and what is blocking certification, and the AI assistant tells you what to do next.

6. Signed, Traceable Reporting

Vera generates an audit-ready evidence pack: formatted reports with a narrative for each control, mapped to the relevant ID (for example SOC 2 CC6.1 or ISO 27001 A.5.15), each artifact carrying SHA-256 hashes, RSA/ECDSA signatures, and RFC 3161 timestamps so an auditor can verify integrity independently.


Vera vs. the Traditional Compliance Stack

FeatureTraditional GRC (Drata/Vanta)Vera
Primary data sourceAPIs (AWS, GitHub, IdPs)Codebase + cloud + UI workflows
Policy writingTemplates you fill inDeterministic, from your systems
Evidence typeJSON configs, ticket statusPolicies, signed screenshots, PDFs, configs
Control mappingPartial (infra only)Full (automated, cross-framework)
Attestation chasingNoneSlack DM with reminder and escalation
Compliance guidanceNoneAI compliance assistant
Manual effortLow for infra, high for everything elseLow across the board
Still need a consultant?Yes ($2-5K/mo)No

For most startups, Vera replaces both the platform and the consultant. You still need an independent auditor, because SOC 2 requires a CPA firm to issue the report, but Vera prepares everything that auditor needs. If you already run a dashboard, she works alongside it to close the application gap.


Why Auditors Accept Vera's Evidence

A category-defining program has to meet AICPA (SOC 2) and ISO registrar standards. Auditors accept Vera's evidence because it is more reliable than hand-collected screenshots, for three reasons.

1. Chain of Custody

A manual screenshot can be edited in Photoshop. Vera hashes each artifact at the point of capture and signs it, and the JSON manifest lets an auditor verify programmatically that nothing was altered since creation. Every artifact traces back through a control test to the policy claim it supports.

2. Standardization

Auditors dislike folder dumps of disorganized images. Vera produces a consistent schema for every control: a header with control ID, date, and tester; a body with the step-by-step visual flow and a drafted caption; and a footer with technical metadata and hash values.

3. Policies That Name Real Systems

Vera's policies reference your actual auth provider, cloud setup, and CI/CD pipeline by name, and because the generator is deterministic, the control language does not drift between drafts. That is what auditors want to see, and what generic template policies fail to provide.

Honest Escalation as a Trust Mechanism

Vera does not pretend to settle judgment calls. When a control needs a human decision, an exception sign-off, a first-time procedure, or an attestation only a person can give, she escalates it rather than guessing. That honesty is what makes the rest of her output trustworthy, because you can see exactly where her judgment ends and yours begins.


Continuous Compliance, Not Point-in-Time

Vera runs on a schedule, so the program stays audit-ready between cycles. Every morning she runs a 6:00 evidence-freshness check, a 6:15 readiness snapshot, and a 6:30 Slack briefing. Weekly she scans cloud and repos for drift. Quarterly she schedules and chases access reviews. Annually she refreshes the risk assessment. When a control slips, she opens the remediation work instead of waiting for the audit to find it. A single MFA scan she runs satisfies SOC 2 CC6.1 and HIPAA §164.312(d) at once through the shared canonical control catalog, so you collect once and satisfy many.


Frequently Asked Questions

What makes Vera different from a screen recorder like Loom?

Loom records video pixels and stops there. Vera runs the whole program: she writes your policies, maps controls, collects evidence, chases attestations, and signs every artifact. Screenshot capture is one of several ways she gathers evidence, about 9% of the total, not the product itself.

Can Vera automate ISO 27001 Annex A evidence?

Yes. Annex A controls (particularly A.5, A.7, and A.8) often require evidence of operational procedures. Vera collects it through codebase analysis, cloud scans, and workflow capture, and maps it through the shared control catalog so a SOC 2 artifact can satisfy the equivalent ISO control.

Does Vera replace Vanta or Drata?

For most startups, yes. Vera covers both halves of SOC 2: roughly 70% of evidence through her own API scans of the same sources a dashboard reads, and the application 20% through guided capture and Slack attestations, plus policy writing, control mapping, and readiness scoring. A dashboard flags work; Vera does it. You still need an independent auditor, but she preps everything they need. If you already run a dashboard, she works alongside it. For first-time SOC 2 teams this is the simpler, cheaper path.

Is this continuous compliance?

Yes. By running daily scans, weekly drift checks, and quarterly reviews, Vera moves you from point-in-time manual screenshots to a continuous stream of verifiable evidence, so you stay audit-ready between cycles.

Does Vera replace our auditor?

No. Vera does the preparation: collecting evidence, writing policies, and assembling the pack. An independent CPA firm still issues your SOC 2 report. Because her output is deterministic and traceable, their review tends to go faster.


Key Takeaways

  • Screenata is an AI Compliance Officer, an agent named Vera, who runs continuous compliance instead of charting it on a dashboard.
  • A dashboard flags the work; Vera does it. She covers ~70% of evidence through API scans, ~9% through application screenshots, and chases the attestations in between.
  • She writes deterministic policies that name your real infrastructure and signs every artifact, so each ties back through a control test to a policy claim.
  • For most startups she replaces both the GRC platform and the consultant for around $18K in the first year, against roughly $85K traditional. You still need an independent auditor; Vera preps everything they need.
  • Honest escalation is part of the design. She runs the tests she can and hands judgment calls to a person.

Learn More

Connect and see

See your SOC 2 with your real systems.

Connect GitHub and cloud read-only. Vera shows your control matrix, policy gaps, and prioritized next actions before you commit to anything.