Audit Preparation · Compliance Strategy · AI Governance

Compliance that doesn't hurt.

Most organizations walk into audits hoping for the best. I make sure you walk in ready — with the evidence, the documentation, and the confidence that comes from knowing exactly where you stand.

Your next audit will be the one you walked into ready.

AI agents in your stack? There's a compliance gap most auditors are just starting to ask about.

Frameworks: SOC 2 · ISO 27001 · HIPAA · CMMC · NIST CSF · ISO 42001
CISSP Certified · SOC 2 · ISO 27001 · HIPAA · CMMC · NIST CSF · Cloud-First Compliance · Published AI Governance Framework

Most organizations don't fail audits because they're insecure.

They fail because they can't prove they're secure.

Evidence gathered at the last minute. Controls that exist but aren't documented. Auditors who find gaps that nobody noticed — or that everybody noticed and nobody addressed. Findings that delay certification by months and cost more to remediate under pressure than they ever would have cost to prevent.

The problem isn't your security program. It's your evidence package. And that's a solvable problem — before the auditor walks in the door.

I come in before the finding, not after.

01 · Assess Where You Are

A structured assessment that tells your leadership where the risks are, what they cost, and where to invest first — before any auditor asks the question.

02 · Close the Evidence Gap

I identify what's missing between your actual security posture and your documented evidence. Then we close it — methodically, not at the last minute.

03 · Walk In Ready

By the time your auditor arrives, the evidence package is complete, the controls are documented, and your team knows what to say when they're asked.

04 · Leave You Stronger

Compliance isn't a destination. The documentation, processes, and muscle memory you build for an audit are what make your security program actually work year-round.

The right tool for where you are.

Every engagement starts with an honest assessment of what you need — not the most expensive option, the right one.

Information Security Enterprise Risk Assessment

ISERA · 30 Business Days

A structured 30-day assessment that tells management where the security risks are, what they cost, and where to invest first. Includes workshops with business and technical stakeholders, a perception gap analysis, a risk register, and a prioritized roadmap.

Framework-agnostic — satisfies ISO 27001, NIST CSF, HIPAA, CMMC, and SOC 2 risk assessment requirements simultaneously.

Best fit: Pre-compliance. Post-incident. Pre-M&A. After new regulatory requirements land.

Compliance Audits

Full-Lifecycle Audit Engagements

End-to-end audit engagements across every major framework — with preparation, evidence management, and audit support built in from day one.

  • SOC 2 Type I & II
  • ISO 27001:2022 · ISO 42001 · ISO 27701
  • PCI-DSS 4.x · HIPAA Security Rule · HITRUST CSF
  • CMMC 2.0 · NIST CSF 2.0 · NIS2

Best fit: Certification pursuit, contractual compliance requirements, pre-third-party audit preparation.

Penetration Testing & Security Re-Assessment

Technical Security Assessment

Targeted technical assessments of applications, infrastructure, and code. Grey-box and white-box methodology. Findings mapped to frameworks. Remediation verification included.

Best fit: Pre-launch, post-development, pre-compliance audit, or following a security incident.
Gap Closure & Remediation Roadmap

Post-Assessment Remediation Planning

You have the findings. Now what? I turn assessment results into a prioritized backlog — with Jira epics and stories, vendor selection guidance, and a sequenced roadmap your team can actually execute.

Best fit: Coming out of any assessment — ISERA, audit, or pen test — with findings that need a plan.

The next audit frontier is already here.

AI coding agents are running in production at companies that haven't thought through what this means for their compliance posture. The audit exposure is real — and most auditors are just beginning to ask about it.

If you're running agentic AI in a SOC 2-scoped environment, your change management evidence package has a gap you probably haven't closed. I mapped it, named it, and built a framework for fixing it.

Read the Framework →

The Evidence Gap

AI Agents, Attribution, and SOC 2 CC8.1

AI coding agents are changing how software gets built — and creating an audit exposure most organizations haven't noticed yet. These agents work fast, make hundreds of changes per session, and typically operate under a human engineer's credentials. The result: your audit log says Jane made 47 production changes on Tuesday afternoon. Jane was in meetings.

This paper names the specific gap, explains why the most common responses close only part of it, and proposes the Evidence Parity Framework — a practical approach that holds AI agents to the same evidentiary bar human engineers already meet.

  • How AI agents break SOC 2 CC8.1's evidence package — in three specific ways
  • Why service account treatment and policy documentation aren't enough
  • The Evidence Parity Framework: plan-bound authorization, agent identity separation, independent anchoring
  • A five-phase implementation roadmap
  • The questions auditors are already starting to ask
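The attribution problem above can be made concrete with a small evidence check. This is an added example, not code from the white paper or from Aletheia Security Consulting: it walks a constructed change log and reports records that would not survive the CC8.1 question "who made this change, and under what approval?" The record fields, the human-identity set, and the per-hour burst threshold are all assumptions for illustration.

```python
"""Added example: flag production change records with an attribution gap.
Not from the white paper; field names and thresholds are assumptions."""
from collections import defaultdict

# Constructed sample change records (not real audit data). Assumed fields:
#   actor  = identity the audit log attributes the change to
#   agent  = automation reported by the session (None for interactive human work)
#   ticket = approved change / plan reference, None if absent
#   hour   = hour of day the change landed
CHANGES = [
    {"id": 1, "actor": "jane", "agent": None, "ticket": "CHG-101", "hour": 10},
    {"id": 2, "actor": "jane", "agent": "code-agent", "ticket": "CHG-101", "hour": 14},
    {"id": 3, "actor": "jane", "agent": "code-agent", "ticket": None, "hour": 14},
    {"id": 4, "actor": "svc-code-agent", "agent": "code-agent", "ticket": "CHG-102", "hour": 15},
    {"id": 5, "actor": "jane", "agent": "code-agent", "ticket": "CHG-101", "hour": 14},
]

HUMANS = {"jane"}     # assumed set of human engineer identities
BURST_THRESHOLD = 2   # assumed: more changes per hour than this by a human is suspect


def attribution_findings(changes, humans=HUMANS, burst=BURST_THRESHOLD):
    """Return (change_id, reason) pairs for records whose evidence does not
    establish who actually made the change and under what approval."""
    findings = []
    per_hour = defaultdict(int)
    for c in changes:
        # Gap 1: an agent did the work, but the log credits a human identity.
        if c["agent"] and c["actor"] in humans:
            findings.append((c["id"], "agent change attributed to human identity"))
        # Gap 2: nothing binds the change to an approved plan or ticket.
        if not c["ticket"]:
            findings.append((c["id"], "no change ticket / plan reference"))
        per_hour[(c["actor"], c["hour"])] += 1
    # Gap 3: a human identity producing more changes per hour than a person would.
    for (actor, hour), n in per_hour.items():
        if actor in humans and n > burst:
            findings.append((None, f"{actor} made {n} changes in hour {hour}"))
    return findings


if __name__ == "__main__":
    for change_id, reason in attribution_findings(CHANGES):
        print(change_id, reason)
```

Record 4, where the agent runs under its own service identity with a ticket attached, produces no finding; the three changes logged under Jane's credentials do.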
Steve Weltman, CISSP · Aletheia Security Consulting · © 2026

Enter your work email to download the framework.

No spam. Occasional advisory briefings on compliance and AI governance, from which you can unsubscribe anytime.

Steve Weltman, CISSP

I've spent my career at the intersection of security and compliance — not as a checkbox-counter, but as the person who gets called when a company needs to actually get ready for an audit, close a deal that's contingent on their compliance posture, or figure out why their controls look good on paper and failed in practice.

My background is cloud-first. Most compliance programs were built for on-premise environments and retrofitted for cloud — which is exactly where the evidence gaps hide. I've spent years specifically addressing the controls that trip companies up when they move fast in cloud environments.

The fires I've fought

[Steve — add a specific situation here: industry, timeline, what was wrong, what happened. Anonymous clients fine.]

[Second situation — different industry or framework if possible.]

[Third situation — or a specific type of problem you solve repeatedly.]

I published the first practitioner framework for agentic AI governance under SOC 2 CC8.1 — because no one else had named the problem yet. That's the kind of work I do: find the gap before the auditor does, name it precisely, and build the approach to close it.

CISSP · SOC 2 · ISO 27001 · CMMC 2.0 · HIPAA · NIST CSF · Cloud-First · AI Governance

Stay ahead of what auditors are asking next.

I send occasional briefings on regulatory changes, emerging compliance requirements, and what the AI governance landscape actually looks like for practitioners — not academics or policy people, but the people who have to make it work.

Occasional sends. Unsubscribe anytime. No sales pitches.

Ready to walk into your next audit ready?

Book a 30-minute conversation. We'll talk about where you are, where you need to be, and whether I'm the right person to help you get there. No pitch. No proposal. Just an honest conversation.