Aegis

xAQUA Aegis

Explore Platform
Request a Demo
AI Governance · Fastest-Growing Buyer Requirement

The Only GRC Platform with
AI Governance Built In Natively

NIST AI RMF · ISO 42001 · EU AI Act · OWASP LLM Top 10 · MITRE ATLAS. As your agency deploys AI under SIMM 5305-F, Aegis is the only platform where AI risk and security risk live in the same command center — not in a separate spreadsheet.

5AI governance frameworks
natively supported
1stGRC platform with NIST AI RMF
& ISO 42001 built in
2025SIMM 5305-F effective date
CA agency requirement
100%AI risk in same command center
as infrastructure risk
5 AI Governance Frameworks

Built In. Not Bolted On.
Not On the Roadmap.

Every competitor either lacks AI governance entirely or has announced a future roadmap item. Aegis supports all five major AI risk frameworks in production today.

Production
🏛️
NIST AI RMF
AI Risk Management Framework 1.0 + Generative AI Profile (NIST AI 100-1)
The foundational US federal AI risk framework. Maps to the four core functions: Govern, Map, Measure, and Manage. Aegis tracks AI system inventory, risk assessments, and control evidence across all four functions with continuous posture monitoring.
  • AI system inventory with risk classification
  • Govern/Map/Measure/Manage function mapping
  • GenAI Profile control coverage (NIST AI 100-1)
  • Continuous risk posture monitoring
Production
📋
ISO 42001
Artificial Intelligence Management System — International Standard (2023)
The international standard for AI management systems, establishing requirements for responsible development, deployment, and use of AI. Aegis maps ISO 42001 controls alongside your existing ISO 27001 posture, enabling unified evidence collection and audit readiness.
  • AI management system (AIMS) controls
  • Unified evidence library with ISO 27001
  • AI impact assessment workflow
  • Supplier and third-party AI risk
Production
⚖️
EU AI Act
Regulation (EU) 2024/1689 — Risk-Based AI Regulatory Framework
The world's first comprehensive AI regulation. Aegis classifies your AI systems by risk tier (Unacceptable / High / Limited / Minimal), tracks conformity assessment obligations, and maintains the technical documentation required under Articles 11–17 for high-risk AI systems.
  • AI system risk classification (4 tiers)
  • High-risk system conformity tracking
  • Technical documentation (Art. 11-17)
  • Human oversight & transparency controls
Production
🔐
OWASP LLM Top 10
OWASP Top 10 for Large Language Model Applications (v1.1, 2025)
The definitive security reference for organizations deploying LLMs. Aegis maps your AI system controls to all 10 LLM risk categories — prompt injection, insecure output handling, training data poisoning, supply chain vulnerabilities, and six more — with continuous control monitoring.
  • All 10 LLM risk categories mapped
  • Prompt injection detection controls
  • Supply chain & plugin security
  • Sensitive information disclosure tracking
Production
🎯
MITRE ATLAS
Adversarial Threat Landscape for AI Systems — MITRE Knowledge Base
The adversarial ML threat matrix, built on the same structure as MITRE ATT&CK. Aegis maps AI-specific adversarial tactics — reconnaissance, resource development, model evasion, data poisoning — to your AI systems' detective and preventive controls.
  • Adversarial ML tactic/technique mapping
  • Model evasion & inversion controls
  • Training data poisoning detection
  • AI-specific threat intelligence feed
Key Differentiator
🏆
All 5. One Platform.
No other GRC platform does this today
We checked. As of Q1 2026, no existing GRC platform — not ServiceNow, Archer, Drata, or any other — has all five AI governance frameworks built in natively and in production. Most have zero. A few have announced roadmap items for one. Aegis ships them all, today, alongside your full traditional GRC posture.
Competitor Status
ServiceNow: 0 native (roadmap announced) · Drata: 0 · Archer: 0 · Aegis: 5 in production
Platform Capabilities

What AI Governance
Looks Like in Practice

🗺️
AI System Inventory & Classification
Maintain a live inventory of every AI system across your enterprise. Each system is classified by risk tier (per EU AI Act), mapped to frameworks, and assigned a responsible owner. Risk classifications update automatically as system usage patterns change.
EU AI ActNIST AI RMF
📊
AI Risk Scoring & Posture Monitoring
The Risk Intelligence Engine scores AI system risk continuously — factoring in deployment context, data sensitivity, usage volume, and control coverage. Drift alerts fire when AI risk posture degrades. Predictive forecasting projects AI risk trajectory 14 days ahead.
NIST AI RMFContinuous RIE
🛡️
LLM Security Control Testing
Validates detective and preventive controls against OWASP LLM Top 10 attack vectors and MITRE ATLAS adversarial techniques. Tracks control status across prompt injection defenses, output sanitization, model versioning, and access controls with continuous evidence collection.
OWASP LLMMITRE ATLAS
📄
AI Governance Reporting (Narratix)
Auto-generated AI governance reports for board briefings, CISO dashboards, and agency compliance submissions. Reports synthesize AI risk posture across all five frameworks into executive-ready narratives — the same Narratix engine used for traditional GRC reports, extended for AI.
ISO 42001Board-Ready
Natural Language AI Risk Queries
Ask Aegis anything about your AI risk posture: "Which AI systems have unresolved OWASP LLM Top 10 gaps?" or "What EU AI Act high-risk systems need conformity documentation updated?" ConverseDataIQ answers in natural language with source citations, running on your private H100.
ConverseDataIQPrivate AI
🔗
Unified AI + Security Risk View
AI governance controls live in the same command center as your NIST 800-53 controls, your SIEM alerts, your identity anomalies, and your infrastructure findings. When an AI system has elevated prompt injection risk and unusual traffic patterns simultaneously, Aegis correlates them — no other platform connects these dots.
Cross-DomainRIE Correlation
California State Agencies
You need SIMM 5305-F compliance.
Aegis is built for it.
California SIMM 5305-F (Generative AI Risk Assessment) and SIMM 5310-C (Privacy Threshold Assessment) require every state agency to assess and document the risks of deploying generative AI systems before and during their use. Aegis provides the framework, evidence collection, and reporting infrastructure to make this a continuous process — not a one-time checkbox exercise before OTech submission.
  • SIMM 5305-F GenAI Risk Assessment — AI risk assessment template built into platform workflow with continuous evidence collection
  • SIMM 5310-C Privacy Threshold — Privacy risk controls mapped alongside AI governance with linked evidence library
  • OTech Reporting Alignment — Report outputs formatted for California Office of Technology reporting requirements
  • Continuous, Not Point-in-Time — Risk posture monitored continuously, not just at assessment submission time
  • Data Stays In Your Tenant — No AI system data sent to xAQUA infrastructure; all processing within your Azure environment
  • Unified with Traditional GRC — NIST 800-53, StateRAMP, and AI governance in the same command center
California AI Requirements Coverage
SIMM 5305-F
GenAI Risk Assessment
Continuous monitoring of generative AI deployment risks with automated evidence collection
SIMM 5310-C
Privacy Threshold Assessment
Privacy risk controls linked to AI system data flows and processing activities

Ready to Govern Your AI
Like You Govern Your Infrastructure?

We'll show you exactly how Aegis maps your AI deployments to NIST AI RMF, ISO 42001, and SIMM 5305-F — in your environment, with your data.

Request AI Governance Demo →