From your first SOC 2 audit to your fiftieth enterprise deal
The AI governance platform built for how SMBs actually scale.
Custodia keeps your AI governance complete, documented, and defensible — so you can use AI confidently as your company grows, your deals get bigger, and your regulatory exposure increases.
Free · No credit card · A complete AI governance program running live in 2 minutes

Your firewall can protect the network. It cannot answer how your company governs AI.
AI is already creating revenue, privacy, and liability problems your existing stack was never built to catch.
This is not about being anti-AI. It is about having a defensible answer when a client, regulator, or internal leader asks what controls you actually have in place.
Enterprise deals now stall on AI questions your SOC 2 packet does not answer.
Procurement teams are asking for AI policy, employee controls, oversight, and incident response. A standard security policy is no longer enough to clear vendor review.
Employees are already pasting sensitive client, patient, and internal data into public LLMs.
Firewalls and MDM do not tell you who used ChatGPT on PHI, customer records, or confidential work product. Without AI-specific rules and proof of training, you are exposed.
Colorado and EU AI enforcement are turning weak oversight into direct liability.
If your business uses AI in ways that affect people, you need documented oversight, clear controls, and a defensible response record. Delay is not neutral anymore.
If your answer to “How do you govern AI?” is still “We have SOC 2,” you already have a commercial problem.
SOC 2, endpoint security, and general compliance reports matter. They just do not answer AI-specific questions about employee use, sensitive data, oversight, model risk, or incident handling. Buyers know that now.
Your next SOC 2 audit will include AI questions. Custodia generates the evidence your auditor needs — in hours.
The AICPA has signaled that AI controls are now in scope for SOC 2 Type II. Auditors are asking for AI policies, employee acknowledgements, and oversight records. A generic security packet does not answer those questions.
Do you have a documented AI use policy?
Custodia generates an AIGP-standard AI Acceptable Use Policy from your actual AI stack — not a template.
Are employees trained and acknowledged?
Custodia distributes the policy, collects signed acknowledgements, logs quiz scores, and timestamps every record.
Can you show an AI incident history?
Custodia logs shadow AI disclosures, misuse incidents, and resolutions in an exportable audit vault your auditor can verify.
AI is not just another app in your stack. It creates a different class of control problem.
Built to answer whether your environment is secured, monitored, and access-controlled.
Built to answer whether your people, tools, data, outputs, and oversight practices around AI are controlled and provable.
Not just a policy generator. A complete AI governance program across three compliance pillars.
18 document types. Three pillars. One platform that grows with you from your first SOC 2 question to full enterprise readiness.
From “we have a policy” to a documented, defensible governance program.
Nine documents covering AI use, ethics, risk, data, vendor management, and change management — mapped to NIST AI RMF, ISO 42001, EU AI Act, and SOC 2.
OWASP LLM Top 10 2025. NIST SP 800-218A. EU AI Act Art. 15.
Three documents covering prompt injection, supply chain risk, model hardening, secure development lifecycle, and structured adversarial testing — what enterprise security teams actually ask for.
Complete IAM-for-AI: human access, machine credentials, and agentic governance.
Three documents covering the AI tool access lifecycle (Joiner/Mover/Leaver), API key and service account governance, and agent identity registration with kill switches and human-in-loop gates.
Custodia automatically generates the AI policies, controls, and audit evidence your buyers and auditors demand.
Input your AI stack and data practices. The platform generates the policy documents, collects employee acknowledgements, logs incidents, and exports a clean evidence package — no compliance expertise required.
Create the AI policy your clients are actually asking for.
Custodia turns your real AI use into a dedicated policy system with clear approved uses, prohibited uses, data-handling rules, and accountability language.
Put employees on the record before AI misuse becomes your problem.
Distribute the policy, collect acknowledgements, log completion, and create proof that your team was informed about AI-specific rules before an incident occurs.
Track the AI events your current compliance stack does not even see.
Log shadow AI, misuse, and response activity in one place, then export a clean evidence package for procurement, legal review, or internal leadership.
Keep a continuous evidence record without manual tracking.
Every policy approval, employee signature, vendor decision, and incident is automatically logged and formatted for export whenever a buyer, auditor, or regulator asks.
The proof package your buyer, legal team, or leadership actually needs.
Custodia is designed to close the gap between “we use AI” and “we can prove we control it.”
Whether a compliance audit just hit your calendar or a deal just stalled — this is how teams get unblocked.
“Our auditor just asked if we have an AI use policy. We don't. The audit is in 6 weeks.”
Custodia generates the AI Acceptable Use Policy, collects employee acknowledgements, and assembles the evidence package your auditor needs to sign off — before the clock runs out.
“A $200K contract is stuck in procurement. They want our AI governance policy. We don't have one.”
Custodia generates the full governance document set, captures every AI tool your company uses, and exports a proof package that answers every category procurement will ask — in a single day.
“I manage compliance for 30 SMB clients. Every one of them needs AI governance and none of them has it.”
Custodia's ACO desk, document generation workflow, and exportable evidence are purpose-built for advisors who need to deploy governance at scale across multiple client accounts.
Every tier builds on the last. Start where you are.
“We have a policy.”
Satisfies the minimum bar for cyber insurance questions and basic procurement. Three foundation documents, employee acknowledgements, and a timestamped audit vault.
“We have documented controls.”
SOC 2 AI audit pass + enterprise procurement answer + NIST AI RMF + AI Security foundation. The document set that answers what a vendor questionnaire actually asks.
Most teams that hit a procurement wall start here.
“Everything a CISO needs to hand to an auditor.”
Full ISO 42001, complete IAM-for-AI (NHI + access lifecycle), HIPAA §164.312 technical safeguards. The document set that answers identity and access questions enterprise security teams ask.
“Forward-looking AI governance.”
Adds the two forward-looking documents — red team testing and agentic identity — that EU AI Act enforcement is trending toward. For teams that want to be ahead of the regulatory curve.
Built at CMU. Designed for the EU AI Act, NIST AI RMF, Colorado SB 24-205, and everything coming next.
Custodia was built by a Carnegie Mellon University graduate student who studied AI governance at the source. Every document type, every clause mapping, every framework reference is grounded in AIGP-standard structure — not templates scraped from blog posts. Enterprise GRC tools cost $40K+/year and require a compliance team to operate. Custodia is what they would build if they started today, for you.
Start where you are. Grow your program as your AI use does.
Every plan includes a 7-day free trial, HITL enforcement, and a timestamped audit vault. No compliance team required.
Up to 15 employees
7-day free trial
Documents
- ✓ AI Acceptable Use Policy
- ✓ AI Ethics Policy
- ✓ AI Roles & Accountability Matrix
SOC 2 foundation · Cyber insurance ready
Up to 50 employees
7-day free trial
Documents
- ✓ All Starter documents
- ✓ AI Impact Assessment
- ✓ AI Incident Response Plan
- ✓ AI Transparency Notice
- ✓ Responsible AI Principles
- ✓ AI Security Policy
- ✓ AI Access Governance Policy
NIST AI RMF · SOC 2 Type II · EU AI Act · Colorado SB 24-205
Up to 150 employees
7-day free trial
Documents
- ✓ All Professional documents
- ✓ AI Data Governance Policy
- ✓ AI IP & Copyright Policy
- ✓ Vendor AI Risk Assessment
- ✓ AI Non-Human Identity Policy
- ✓ AI Secure Dev Lifecycle
- ✓ AI Model Documentation
- ✓ AI Training Data Policy
ISO 42001 · HIPAA §164.312 · SOC 2 CC6.x · Full EU AI Act
Up to 300 employees
7-day free trial
Documents
- ✓ All Business documents
- ✓ AI Red Team Testing Policy
- ✓ Agentic AI Identity Policy
EU AI Act Art. 14–15 · OWASP LLM Top 10 · Full enterprise audit package
All plans billed monthly · Cancel anytime · No compliance team required
If a client asked for your AI governance plan tomorrow, what would you send them?
If the answer is “nothing” or “our SOC 2 report,” see what a complete AI governance program actually looks like — running live, in your account, in two minutes.