Documentation menu

DOCUMENTATION

Evidence

Evidence is the proof behind a control. In EquanimGRC an evidence item is a typed record — a document, a screenshot, an exported configuration, a link — that attaches to the control or policy it supports and carries an attribution to whoever produced it. Coverage is the sum of your evidence: a control is demonstrably met when current, mapped evidence stands behind it. This page covers evidence as you manage it in the product; for agents submitting evidence programmatically, see Evidence-as-code.

What an evidence item holds

Each item has a title, a type (document, screenshot, and other formats), an attached file or a URL, and a status that tracks where it is in review. Every item must attach to at least onecontrol or policy, and every item must be attributed — either to the user who uploaded it or to the service principal (machine agent) that submitted it. That attribution is what makes an audit trail meaningful: every piece of proof has a known origin.

Mapping evidence to controls

Evidence attaches to the controls it satisfies. Because a single control can be mapped across several frameworks (see Frameworks & controls), one piece of evidence can count toward SOC 2, ISO 27001, and others at the same time — you collect it once and it satisfies every framework that shares the control. Evidence can also back specific answers on a security questionnaire, so the proof you keep for an audit is the same proof you cite when a customer asks. See Vendor risk.

Where evidence comes from

  • Manual upload. A person attaches a document or screenshot and maps it to the relevant control.
  • Document ingestion. Uploaded documents move through a processing pipeline — classify, extract, embed, map — that reads the content, indexes it for search, and proposes the controls it relates to.
  • Agents over MCP. Machine agents pull configuration and artifacts from your systems and submit them as evidence on scoped credentials. SeeEvidence-as-code.

Search and reuse

Evidence content is embedded as vectors, so you can find an item by meaning rather than exact filename, and the same index powers answer suggestions when you respond to questionnaires. Proof you have already collected gets reused instead of re-gathered.

Lifecycle

An evidence item moves from collected, to mapped against its controls, to reviewed and accepted. Items carry a processing status while they are being read and indexed, and a review status once a person or workflow has signed off. Because compliance is a moving target, evidence is treated as something to keep current — stale or missing proof shows up as a gap rather than passing silently.

Into audit packages

When an assessment comes, evidence rolls up by control and by framework into a package an auditor can review directly — controls, their mapped evidence, and the policies that govern them, in one place. See Audit & reporting.