
2026 Changelog

May 2026

NIST AI 600-1 (Generative AI Profile) framework

Ayliea now ships the NIST AI RMF Generative AI Profile (NIST AI 600-1, July 2024) as a standalone assessment. The profile organizes the 12 generative-AI-specific risks from §2 — CBRN information, confabulation, dangerous or hateful content, data privacy, environmental impact, harmful bias and homogenization, human-AI configuration, information integrity, information security, intellectual property, obscene or abusive content, and value chain integration — and maps each one against the AI RMF GOVERN, MAP, MEASURE, and MANAGE functions from §3. Forty-four questions total, source-honest: Environmental Impacts has only a MEASURE question because the published §3 lists no other actions for that risk, and Confabulation has no MAP question for the same reason. Every question’s remediation playbook cites the specific AI 600-1 Action IDs (GV-1.3-002, MS-2.6-005, and the like) that apply, so audit-ready evidence ties back to the published document. Crosswalk references to the parent NIST AI RMF, ISO/IEC 42001, OWASP LLM Top 10, and EU AI Act high-risk requirements ship with every recommendation. Especially useful for healthcare and financial-services teams subject to sector oversight, US contractors under EO 14110, and organizations integrating third-party foundation models.

AI Questionnaire Autofill

Upload a security questionnaire (PDF, DOCX, or CSV) from a customer, auditor, or prospect and Ayliea drafts an answer for every question, grounded in your organization’s existing evidence and prior responses. Every draft carries a citation chain — you can see exactly which sources backed each answer, plus a confidence score — and questions without sufficient evidence are flagged inline rather than guessed. Review, edit, or reject drafts in the reviewer UI, then export the finalized questionnaire as CSV for spreadsheet review, JSON for system integration, or DOCX for an auditor-ready document. Available on the Business plan and above.

AISS framework — expanded to 66 sub-controls

AISS now covers 66 sub-controls across the same 10 control domains. Twelve sub-controls — AI Risk Assessment, Executive Sponsorship, AI Suitability Criteria, Embedded AI Discovery, PII in AI Systems, AI Integration Controls, AI Vendor Monitoring, AI Cost Monitoring, AI Guidance Documentation, AI Training Effectiveness, Synthetic Content Provenance, and Agentic AI Action Authorization — are now formally part of the standard your assessment is scored against, each with a corresponding remediation playbook. The expanded coverage closes gaps practitioners and auditors had asked about, particularly around embedded AI (Copilot-in-Office), agentic AI workloads, and synthetic content provenance.

AISS remediation playbooks — full coverage

Every AISS sub-control (66 controls in total) now has a remediation playbook. AI-generated recommendations for AISS assessments now include an objective, the risk if the control is missing, three concrete remediation steps, environment-specific guidance for common stacks, and cross-framework references to NIST CSF 2.0, NIST AI RMF, CIS Controls v8.1, ISO/IEC 27001:2022, the EU AI Act, and the Colorado AI Act. Recommendations are no longer generic — every AISS gap your assessment surfaces now comes with auditor-ready remediation depth.

Vertical-aware AI recommendations

When your organization selects a vertical default (Healthcare or Financial Services), the AI-generated recommendations on every assessment now speak to the regulatory and threat surface for your sector. Healthcare orgs see recommendations biased toward PHI handling in inference paths, business associate agreements, and breach notification timelines. Financial Services orgs see recommendations biased toward model validation cadence, MNPI minimization, and adversarial robustness for fraud and trading models. The personalized summary on every recommendation now says “in the Healthcare sector” or “in the Financial Services sector” rather than free-form industry text. If no vertical is set, recommendations continue to use your free-form industry — there is no change for non-vertical organizations.

AISS Coverage hub at /aiss

Every authenticated user with an AISS assessment now has a dedicated coverage page showing posture across all 10 AISS control domains (AC-1 through AC-10) in a single grid. Each domain card surfaces the score and links directly to the corresponding domain markdown in the public Ayliea/aiss repository — so auditors can verify your score against the published spec without leaving the page. Available from the sidebar (desktop) and the More sheet (mobile).

Glass-Box Score breakdown on the results page

For AISS assessments, the score breakdown is now expandable per category. Each AC-N domain drops down to show the questions answered, weight per question, points earned vs. maximum, MITRE ATLAS technique mappings, framework crosswalks (NIST CSF 2.0, ISO/IEC 27001:2022, NIST AI RMF, CIS Controls v8.1, EU AI Act, Colorado AI Act), and a deep-link to the matching domain markdown in the public AISS repository. Any auditor can hand-calculate the score from the published spec plus your answers. Every question row in the Glass-Box audit drilldown now has a pencil icon that opens a pre-filled GitHub issue on Ayliea/aiss with the control ID, question text, selected option, and points earned populated. Practitioners who disagree with how a control is scored have a one-click path to propose a change.

AISS published as an open standard

The Ayliea AI Security Standard is now publicly available at github.com/Ayliea/aiss under CC-BY-4.0. 10 control domains, 56 sub-controls, 9 framework crosswalks (NIST CSF 2.0, ISO/IEC 27001:2022, NIST AI RMF, NIST AI 600-1, CIS Controls v8.1, EU AI Act, Colorado AI Act, OWASP LLM Top 10, MITRE ATLAS). Fork it, audit your organization with it, or propose changes through the public RFC issue template — the same standard your in-app Ayliea score is computed against. Current production tag: v1.2.3. Three industry pages now overlay MITRE ATLAS techniques with the threats specific to each vertical’s AI workloads. Healthcare anchors on patient-data exfiltration via clinical-decision-support agents. Financial Services covers prompt-injection-driven fraud in customer-facing chat and adversarial drift in credit/risk models. Legal covers the privilege-erosion risks of LLM-assisted document review.

Vertical compliance bundles — Healthcare and Financial Services

Both verticals now ship a coordinated bundle page that maps AISS against the vertical’s required frameworks. Healthcare bundles HIPAA Security Rule + FDA SaMD guidance + AISS. Financial Services bundles SOC 2 + PCI DSS + AISS with model-risk-management overlays for NYDFS Part 500, EU DORA, SR 11-7, FINRA, and SEC Marketing Rule. Buyers in regulated industries can self-qualify Ayliea’s coverage against their compliance reality in one page.

PLG pricing restored

Pricing is back to four transparent tiers: Free ($0), Pro ($500/yr), Business ($2,500/yr), and Enterprise (published floor — starting at $15,000/yr). Pro and Business sign up directly and pay via Stripe Checkout. Enterprise is inbound only — visit /contact to book a tailored demo. Replaces the 2026-05-04 sales-led pricing inquiry form.

Self-serve sign-up restored

Public account creation is back at /sign-up. It includes NIST SP 800-63B password validation (12-character minimum) and tier-aware copy on the Pro and Business signup flows, and paid-tier signups proceed directly to checkout. Replaces the redirect-to-sign-in route from the sales-led pivot.

Account activation flow

Newly invited members complete onboarding through a single /activate page that walks them through password setup (NIST SP 800-63B compliant — 12-character minimum with compromised-password check), MFA enrolment via TOTP, and backup-code download. Whether you’re an Account Owner activating your org for the first time or a teammate joining an existing org, the flow is identical.
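The two password checks named above (the 12-character floor from the sign-up and activation entries, and the compromised-password check) are what NIST SP 800-63B asks of a verifier: enforce a minimum length, accept long passwords, skip composition rules, and reject anything found in a breach corpus. The following Go program is an added illustration of that policy and is not Ayliea's code; the breach corpus is a constructed map of SHA-1 digests standing in for a real breach-list lookup, and the 128-character ceiling is an assumption (800-63B only requires accepting at least 64).

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// Policy bounds. The 12-character floor is the one the changelog states; the
// ceiling is an assumption and must stay >= 64 because SP 800-63B requires
// verifiers to accept at least 64-character passwords. There are deliberately
// no composition rules (mixed case, digits, symbols): 800-63B advises against them.
const (
	minLen = 12
	maxLen = 128
)

var (
	ErrTooShort    = errors.New("password must be at least 12 characters")
	ErrTooLong     = errors.New("password exceeds the maximum accepted length")
	ErrCompromised = errors.New("password appears in a breach corpus; choose another")
)

// sha1Hex returns the uppercase hex SHA-1 of s, the digest form in which
// public breach lists are usually distributed.
func sha1Hex(s string) string {
	sum := sha1.Sum([]byte(s))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// compromised is a CONSTRUCTED stand-in for a breach corpus. A production
// verifier would query the real corpus (ideally by hash prefix so the
// password itself never leaves the service).
var compromised = map[string]bool{
	sha1Hex("password1234"):              true,
	sha1Hex("correcthorsebatterystaple"): true,
}

// Validate applies the policy. Length is counted in Unicode code points, not
// bytes, so a non-ASCII password is neither over- nor under-counted.
func Validate(pw string) error {
	if !utf8.ValidString(pw) {
		return errors.New("password is not valid UTF-8")
	}
	n := utf8.RuneCountInString(pw)
	switch {
	case n < minLen:
		return ErrTooShort
	case n > maxLen:
		return ErrTooLong
	}
	if compromised[sha1Hex(pw)] {
		return ErrCompromised
	}
	return nil
}

func main() {
	for _, pw := range []string{"short", "correcthorsebatterystaple", "pásswörd-fünf-zwölf"} {
		fmt.Printf("%q -> %v\n", pw, Validate(pw))
	}
}
```

The breach-list comparison is the check that catches passwords that satisfy every length rule but are already in attackers' wordlists, which is why 800-63B ranks it above composition rules.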

Account Owner team management

Owners and admins can now invite teammates by email, resend activation emails to members who haven’t signed in yet, change roles with full audit-log trail, and remove members. New-to-Ayliea invitees get an auth account provisioned automatically and an activation email; existing Ayliea users get an org-membership invitation. When a removed member has no remaining org memberships, their auth account is fully deleted.

Suspend members

Owners and admins can suspend a member, which revokes all active sessions immediately and denies any subsequent re-auth attempt. Unsuspend restores access on the member’s next sign-in.

Member observability

The team list now shows status (Invited / Active / Suspended), MFA enrolment, and last-sign-in time per member. Lists are paginated for orgs with more than 50 members.

Per-organization feature gating

Every org now carries a bundle assignment (Free / Core / Discover +) plus per-feature overrides on top of the bundle’s defaults. Sales-led deals can enable specific capabilities per customer without forcing them into a higher tier.

Public Trust Center at /trust

Documents Ayliea’s encryption (per-organization envelope encryption with DEK + MEK), authentication (TOTP MFA mandatory, NIST 800-63B password policy), audit logging, and sub-processors. Enterprise buyers can self-serve the security questions they previously asked on every demo call.

Trust Center scannability redesign

The /trust page now opens with a 4-card fast-facts header (Encryption, MFA, Sub-processors, DPA) so buyers can answer the top security questions in under 5 seconds. A sticky table of contents pins to the left rail on desktop and highlights the section currently in view; a Jump-to-section accordion replaces it on mobile. A “Last verified” timestamp under the hero makes the page’s freshness explicit.

Trust Center: regulatory alignment, not certification

The GDPR and CCPA entries on /trust are now labelled “Aligned” rather than “Compliant”, with notes that describe what we actually do operationally (DPA published with SCCs Module Two for international transfers, data subject rights honored via the privacy notice). Both are self-assessed regulatory standards with no third-party certification — the previous framing implied a higher bar than we could defend without external legal review. The section title also changed from “Certifications & attestations” to “Regulatory alignment”.

Competitor comparisons, glossary, vendor lookup, AI Risk Score Calculator

New marketing surfaces: per-competitor comparison pages at /compare/<competitor>, per-term definitions at /glossary/<term>, a free vendor risk-classification tool at /tools/vendor-lookup, and an AI risk scoring calculator at /tools/ai-risk-score.

Sales-led pricing

Public tier names and dollar amounts have been removed; pricing is now sales-led through /contact. The in-app /upgrade page is now a read-only bundle browser.

Public self-signup removed

/sign-up is gone. New customer accounts are created exclusively by Ayliea admins (via the provisioning UI) and Account Owners (via the team-management flow).

Email deliverability hardening

Apex SPF record now correctly authorizes Google Workspace; Resend DKIM record carries the standard tag prefix. mail-tester.com scores 10/10 for outbound mail from both Workspace and Resend transactional paths.

April 2026

Continuous monitoring drift alerts (Business tier)

When evidence from your connected integrations causes your assessment scores to drop, Ayliea now detects the drift and emails your organization owner with a breakdown of the affected controls, their previous and current scores, and a deeplink back to the assessment. The continuous-monitoring sweep runs nightly — no configuration needed, just connect an evidence source and you’re covered. Available on Business and above.

Scheduled GitHub evidence polling

Your connected GitHub integration now refreshes evidence automatically every morning — no more needing to hit “Refresh” manually. The scheduled poll covers your most-recent completed assessment across up to three frameworks per organization, so a Business-tier team running both CIS v8 and SOC 2 sees both updated. Combined with drift alerts, this closes the loop: your posture score now tracks the real-world state of your tooling on a rolling basis.

Drift alert severity

Drift emails now carry a severity tier. Critical regressions (dropping below passing or losing more than 15 points overall) get a red banner and a [CRITICAL] subject prefix so your team can triage at a glance. Lighter regressions stay amber.

Score trend chart on the results page (Business tier)

Every assessment now shows a line chart of how your score has moved over time. Points are colored by what caused each rescore — completion (your initial baseline), evidence poll (automatic updates from your connected integrations), or manual rescore. The card lives on the assessment results page and appears as soon as you have a snapshot, then becomes a proper line once a second snapshot lands. A delta indicator shows the change since the previous capture, so you can see at a glance whether you’re trending toward or away from your posture target.

HIPAA Security Rule Assessment

Assess your organization against the full HIPAA Security Rule — 80 questions covering Administrative, Physical, Technical, Organizational, and Documentation safeguards. Results are scored against the five sections of 45 CFR Part 164 Subpart C, with actionable remediation guidance for each gap. Available on Pro and above.

SOC 2 Type II Security Assessment

Measure your posture against the AICPA Trust Services Criteria 2017 (revised 2022) — 84 questions covering all nine Common Criteria (CC1 Control Environment through CC9 Risk Mitigation). Map evidence to the controls auditors actually ask about. Available on Pro and above.

AI Agent Security Framework

A focused mini-framework for teams deploying AI agents in production — 26 questions across six categories: agent governance, delegated authority and credentials, tool invocation security, context and memory protection, monitoring and incident response, and multi-agent orchestration. Aligned to MITRE ATLAS v5.1 agentic techniques. Available on Free.

AI Agent Security assessment fixed for Free tier

A recent issue prevented Free-tier accounts from starting the AI Agent Security assessment. This is now resolved — all Free accounts can run the 26-question assessment without restriction.

NIST IR 8401 — Satellite Ground Segment Assessment

Applies the NIST Cybersecurity Framework structure to commercial satellite command-and-control systems. 82 questions across six categories (asset management, governance/risk/supply chain, access control and data security, awareness and protective technology, anomaly detection and continuous monitoring, incident response and recovery). For space systems operators and ground segment providers. Available on Pro and above.

ISO/IEC 42001:2023 AI Management System Assessment

The first certifiable AI management system standard — now fully supported. 69 questions provide complete coverage of clauses 4–10 (context, leadership, planning, support, operation, performance evaluation, improvement) and all 38 Annex A reference controls across A.2 (AI Policies), A.3 (Internal Organization), A.4 (Resources), A.5 (Impact Assessment), A.6 (AI System Life Cycle), A.7 (Data), A.8 (Information for Interested Parties), A.9 (Use of AI Systems), and A.10 (Third-Party and Customer Relationships). Every question cites its exact ISO clause or Annex A control reference so assessments map directly to an external audit. Available on Pro and above.

OWASP Top 10 for LLM Applications (2025)

The canonical industry reference for LLM application security — now fully assessable in Ayliea. 77 questions across all 10 OWASP categories: prompt injection, sensitive information disclosure, supply chain, data and model poisoning, improper output handling, excessive agency, system prompt leakage, vector and embedding weaknesses, misinformation, and unbounded consumption. Every OWASP-listed prevention strategy maps to a question in its OWASP-listed category, so an LLM10 score reflects coverage of all 15 LLM10 strategies, not a curated subset. Each question includes a remediation playbook authored from the official OWASP guidance, with concrete steps, environment guidance for small/mid/enterprise, and cross-framework references to AISS, ISO 42001, NIST AI RMF, and MITRE ATLAS techniques. Source: genai.owasp.org/llm-top-10/ (2025 release, March 12, 2025). Available on Pro and above.

Personalized remediation for ISO/IEC 42001 findings

Every ISO/IEC 42001 control — all 69 — now has an AI-powered remediation playbook authored from the normative Annex B implementation guidance. When you score a low maturity level on any ISO 42001 control, the recommendation engine personalizes concrete next steps to your organization’s size, sector, and environment, so your gap report reads as a prioritized to-do list rather than an abstract control reference.

Trust Centers

Publish a branded public trust page at ayliea.com/trust/<your-org> showing your framework scores, compliance coverage, and certification badges. Choose between Summary (grades only), Standard (numeric scores), or Detailed (per-category breakdown) visibility. Optionally display an evidence indicator showing how many controls have supporting evidence on file — file contents and names are never exposed. Pro and above for basic trust centers; Business and above for advanced customization.

AI Usage Policy Engine

Define policies for every AI tool in your organization: Approved, Monitor, or Restricted. Ayliea automatically checks discovery scan results against your policies and flags violations with severity scoring. Export blocklists in CSV, JSON, or text format for direct import into Zscaler, Netskope, or Palo Alto firewalls. Track policy violations over time with a stacked area chart showing severity breakdown (critical, high, medium, low). View resolution rates, current open violations, and select between 7-day, 30-day, and 90-day time ranges.

Public REST API

Enterprise-tier organizations can now access assessment scores, recommendations, and discovery results programmatically via the v1 REST API. API keys are scoped, hashed at rest, and rate-limited. Full documentation available at docs.ayliea.com/api-reference.

Third-Party Integrations

Connect Ayliea to your existing workflow tools. Push recommendations directly into Jira, Linear, GitHub Issues, or Azure DevOps as actionable tickets. Connect Slack for real-time notifications on assessment completions and discovery alerts.

Webhook Notifications

Subscribe to platform events (assessment completed, recommendation updated, discovery completed, policy violation detected) and receive HMAC-signed webhook deliveries to your endpoints. Track delivery status and retry failed deliveries.
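HMAC-signed deliveries are only as good as the receiver's verification, so here is the receiving side as an added Go example. This is not Ayliea's webhook code and the page does not document its signature scheme; the scheme below is an assumption: the sender HMAC-SHA256s the string `<unix-timestamp>.<raw body>` under the shared secret and sends the hex digest alongside the timestamp. The secret, event payload and header values are constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// maxClockSkew bounds how old a delivery may be. Because the timestamp is
// part of the signed string, a captured delivery cannot simply be replayed
// later with a fresh timestamp.
const maxClockSkew = 5 * time.Minute

// macBytes computes HMAC-SHA256(secret, "<ts>.<body>") over the RAW body
// bytes. Never re-serialise parsed JSON before signing: key order or
// whitespace changes would break the MAC.
func macBytes(secret []byte, ts int64, body []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(strconv.FormatInt(ts, 10)))
	mac.Write([]byte("."))
	mac.Write(body)
	return mac.Sum(nil)
}

// Sign is what a sender would put in the signature header (assumed scheme).
func Sign(secret []byte, ts int64, body []byte) string {
	return hex.EncodeToString(macBytes(secret, ts, body))
}

// Verify accepts the two header values and the raw body. It rejects
// malformed headers, stale timestamps, and any MAC mismatch, comparing
// digests in constant time so timing does not leak how many bytes matched.
func Verify(secret []byte, tsHeader, sigHeader string, body []byte, now time.Time) error {
	ts, err := strconv.ParseInt(tsHeader, 10, 64)
	if err != nil {
		return errors.New("malformed timestamp header")
	}
	if d := now.Sub(time.Unix(ts, 0)); d > maxClockSkew || d < -maxClockSkew {
		return errors.New("timestamp outside tolerance window")
	}
	got, err := hex.DecodeString(sigHeader)
	if err != nil {
		return errors.New("malformed signature header")
	}
	if !hmac.Equal(got, macBytes(secret, ts, body)) {
		return errors.New("signature mismatch")
	}
	return nil
}

func main() {
	secret := []byte("constructed-example-secret") // constructed, not a real key
	body := []byte(`{"event":"assessment.completed","assessment_id":"asmt_demo"}`)
	now := time.Now()
	sig := Sign(secret, now.Unix(), body)
	tsHdr := strconv.FormatInt(now.Unix(), 10)

	fmt.Println("genuine :", Verify(secret, tsHdr, sig, body, now))
	tampered := []byte(`{"event":"assessment.completed","assessment_id":"asmt_other"}`)
	fmt.Println("tampered:", Verify(secret, tsHdr, sig, tampered, now))
	fmt.Println("replayed:", Verify(secret, tsHdr, sig, body, now.Add(time.Hour)))
}
```

Whatever the real header names turn out to be, the three properties worth keeping are: MAC over the raw bytes, constant-time comparison, and a freshness check, since an HMAC on its own says nothing about when the message was produced.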

Scheduled Discovery Scans

Organizations with continuous monitoring enabled now receive automated daily discovery scans. New AI tools and risk escalations trigger alerts automatically without manual intervention.

Scheduled Report Delivery

Configure weekly or monthly security digest emails delivered to your inbox. Reports include framework scores, recommendation progress, stale assessment warnings, and overdue items.

Industry Benchmarking

Compare your security scores against anonymized industry benchmarks. See where you stand relative to the 25th, 50th, and 75th percentiles for your industry and framework.

AI-Powered Recommendations

Recommendations are now personalized by Claude AI based on your organization’s size, industry, device environment, and platform stack. The AI tailors remediation steps to reference the specific tools, admin consoles, and settings paths relevant to your setup.

Account Security Improvements

  • Password changes now require current password re-authentication
  • Concurrent session limiting: one active session per user, with forced sign-out on other devices
  • Account deletion uses a 30-day soft-delete recovery window with email notification
  • GDPR data export: download all your personal data in JSON format from Security settings

Collaborator names and emails encrypted at rest

When you invite an external collaborator to answer a scoped section of an assessment, the name and email you provide them are now protected at rest with the same per-organization encryption used for other personal information across Ayliea. The plaintext is decrypted only when you view the link in your organization page or when the collaborator opens their personal answer link — it never lives in storage in readable form.
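The Trust Center entry above describes per-organization envelope encryption with a DEK and a MEK, and this entry applies it to collaborator names and emails. The Go program below is an added illustration of that construction and is not Ayliea's implementation: each record gets a fresh data-encryption key (DEK) that encrypts the field with AES-256-GCM, and the DEK is then wrapped under the organization's master key (MEK), so only the wrapped DEK and the ciphertext are stored. Binding the organization ID as associated data is an assumption added here so that a blob copied between organizations fails to decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is what lands in storage: the ciphertext plus the DEK wrapped
// under the organization's MEK. Neither the plaintext nor the raw DEK is
// persisted.
type Record struct {
	WrappedDEK []byte // DEK encrypted under the org MEK, nonce prepended
	Ciphertext []byte // field encrypted under the DEK, nonce prepended
}

// sealGCM encrypts with AES-GCM under a 32-byte key and prepends the random
// nonce. aad (here the org ID) is authenticated but not encrypted, tying the
// ciphertext to its context.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any tampering with ciphertext or aad fails here.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt generates a per-record DEK, encrypts the field with it, then wraps
// the DEK under the org MEK. The raw DEK lives only in memory for this call.
func Encrypt(mek []byte, orgID string, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return Record{}, err
	}
	ct, err := sealGCM(dek, plaintext, []byte(orgID))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := sealGCM(mek, dek, []byte(orgID))
	if err != nil {
		return Record{}, err
	}
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the MEK and then opens the field; this is the
// only point at which plaintext exists (the "view the link" moment above).
func Decrypt(mek []byte, orgID string, r Record) ([]byte, error) {
	dek, err := openGCM(mek, r.WrappedDEK, []byte(orgID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, r.Ciphertext, []byte(orgID))
}

func main() {
	mek := make([]byte, 32) // constructed demo MEK; a real one comes from a KMS/HSM
	io.ReadFull(rand.Reader, mek)
	rec, err := Encrypt(mek, "org_demo", []byte("collaborator@example.com"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(mek, "org_demo", rec)
	fmt.Printf("stored %d+%d bytes, decrypted %q, err=%v\n", len(rec.WrappedDEK), len(rec.Ciphertext), pt, err)
	_, err = Decrypt(mek, "org_other", rec)
	fmt.Println("cross-org decrypt:", err)
}
```

The practical payoff of the two-key layout is key rotation: rotating an organization's MEK means re-wrapping its DEKs, not re-encrypting every stored field, and revoking one organization's MEK leaves every other organization's data untouched.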

Billing Simplification

Removed per-seat pricing. All tiers now include generous fixed seat limits: Free (1), Pro (10), Business (25), Enterprise (unlimited). No more seat selectors, add-ons, or proration complexity.

March 2026

Network Discovery

Upload firewall or proxy logs to automatically discover AI tools active on your network. Ayliea detects shadow AI, scores risk per platform, and maps data flows — giving you visibility into AI usage you may not have sanctioned or even known about.
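The Network Discovery entry (here) and the AI Usage Policy Engine entry above (Approved / Monitor / Restricted policies checked against scan results) both come down to the same pipeline: parse egress log lines, map destination hosts to known AI services, aggregate per tool and per client, then compare each tool against policy. The Go program below is an added example of that pipeline and is not Ayliea's detection logic. The log lines are constructed in a key=value style; the catalogue uses a few well-known public AI service hostnames but is an illustrative subset, and the policy map is a made-up organization policy.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Policy is the organization's stance on a tool; Unknown means the tool was
// seen but nobody has classified it yet, i.e. new shadow AI.
type Policy int

const (
	Unknown Policy = iota
	Approved
	Monitor
	Restricted
)

func (p Policy) String() string {
	return [...]string{"unknown", "approved", "monitor", "restricted"}[p]
}

// catalogue maps a service's domain to a tool name (illustrative subset).
var catalogue = map[string]string{
	"openai.com":        "OpenAI",
	"anthropic.com":     "Anthropic",
	"claude.ai":         "Anthropic",
	"gemini.google.com": "Google Gemini",
	"huggingface.co":    "Hugging Face",
}

// policies is a CONSTRUCTED organization policy; tools absent here are Unknown.
var policies = map[string]Policy{
	"OpenAI":       Approved,
	"Anthropic":    Monitor,
	"Hugging Face": Restricted,
}

// Event is one parsed egress record: client, destination host, bytes sent out.
type Event struct {
	Src   string
	Host  string
	Bytes int64
}

// ParseLine handles constructed lines such as
// "ts=... src=10.0.1.5 host=api.openai.com bytes_out=4096 action=allow".
func ParseLine(line string) (Event, bool) {
	kv := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if k, v, ok := strings.Cut(tok, "="); ok {
			kv[k] = v
		}
	}
	if kv["src"] == "" || kv["host"] == "" {
		return Event{}, false
	}
	n, _ := strconv.ParseInt(kv["bytes_out"], 10, 64)
	return Event{Src: kv["src"], Host: strings.ToLower(kv["host"]), Bytes: n}, true
}

// lookup walks the host's parent domains on label boundaries, so
// api.openai.com matches openai.com while notopenai.com does not.
func lookup(host string) (string, bool) {
	for h := host; h != ""; {
		if tool, ok := catalogue[h]; ok {
			return tool, true
		}
		i := strings.IndexByte(h, '.')
		if i < 0 {
			break
		}
		h = h[i+1:]
	}
	return "", false
}

// Finding is one discovered tool with its policy and observed footprint.
type Finding struct {
	Tool    string
	Policy  Policy
	Bytes   int64
	Clients []string
}

// Discover aggregates log lines into one Finding per AI tool, sorted by name.
func Discover(lines []string) []Finding {
	type acc struct {
		bytes   int64
		clients map[string]bool
	}
	byTool := map[string]*acc{}
	for _, l := range lines {
		ev, ok := ParseLine(l)
		if !ok {
			continue
		}
		tool, ok := lookup(ev.Host)
		if !ok {
			continue
		}
		a := byTool[tool]
		if a == nil {
			a = &acc{clients: map[string]bool{}}
			byTool[tool] = a
		}
		a.bytes += ev.Bytes
		a.clients[ev.Src] = true
	}
	var out []Finding
	for tool, a := range byTool {
		var cs []string
		for c := range a.clients {
			cs = append(cs, c)
		}
		sort.Strings(cs)
		out = append(out, Finding{Tool: tool, Policy: policies[tool], Bytes: a.bytes, Clients: cs})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Tool < out[j].Tool })
	return out
}

// Violations keeps the findings that need action: Restricted tools in use,
// and Unknown tools that nobody has classified.
func Violations(fs []Finding) []Finding {
	var v []Finding
	for _, f := range fs {
		if f.Policy == Restricted || f.Policy == Unknown {
			v = append(v, f)
		}
	}
	return v
}

// sampleLog is CONSTRUCTED for the demonstration.
var sampleLog = []string{
	"ts=2026-03-02T09:14:03Z src=10.0.1.5 host=api.openai.com bytes_out=18422 action=allow",
	"ts=2026-03-02T09:14:09Z src=10.0.1.5 host=claude.ai bytes_out=9120 action=allow",
	"ts=2026-03-02T09:15:41Z src=10.0.2.17 host=huggingface.co bytes_out=2048 action=allow",
	"ts=2026-03-02T09:15:42Z src=10.0.2.17 host=cdn-lfs.huggingface.co bytes_out=734003200 action=allow",
	"ts=2026-03-02T09:16:00Z src=10.0.3.9 host=gemini.google.com bytes_out=5120 action=allow",
	"ts=2026-03-02T09:16:02Z src=10.0.3.9 host=notopenai.com bytes_out=100 action=allow",
	"malformed line without fields",
}

func main() {
	for _, f := range Violations(Discover(sampleLog)) {
		fmt.Printf("%-14s %-10s %12d bytes  clients=%v\n", f.Tool, f.Policy, f.Bytes, f.Clients)
	}
}
```

The same parser works whether the lines arrive as an uploaded file or as a syslog stream, and the bytes-out total per client is what turns "a tool was seen" into "this host pushed 700 MB to a Restricted service", which is the item that belongs at the top of the alert.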

AI Tool Inventory

A consolidated view of all discovered AI platforms across your organization. Filter by risk level, approval status, or data access scope, and export your full inventory as a CSV for auditors or procurement reviews.

Continuous Monitoring

Stream firewall logs via syslog for always-on AI tool detection. Automated alerts notify your team when new shadow AI appears on the network, so you can respond before sensitive data leaves your environment.

Collector Agent

A lightweight agent for network-level AI tool detection. Privacy-first — it analyzes traffic metadata only. No content decryption, no payload inspection. Deployable in minutes alongside your existing network infrastructure.

Trust Gap and Verified Score

See the gap between your self-reported assessment score and what network discovery actually observes. The Trust Gap highlights where your stated controls do not match your operational reality, surfacing the highest-priority items for immediate attention.

Executive Dashboard

A unified view combining your assessment posture with your network discovery findings. The Trust Gap anchors the dashboard, giving security leaders a single screen that shows both what you report and what the network sees.

PDF Posture Report

Generate a 7-page branded report combining assessment results and discovery data. Includes an executive summary, category score breakdown, AI tool inventory, and a prioritized remediation roadmap. Formatted for auditors, executives, and board presentations.

Email-Based Invitations

Invite team members to your organization by email with role assignment at the time of invitation. Invitees receive a secure link and are automatically added to your organization after completing sign-up.

Auditor Report Sharing

Share security posture reports with external auditors via secure, time-limited links. Links require email verification and support configurable scope so you control exactly what the recipient can see.

Simplified Role System

Streamlined organization roles from five to three: Owner, Admin, and Member. External auditors now access reports through secure share links rather than organization seats, making it easier to manage your team while keeping auditor access appropriately scoped.