What it is
Evidence-as-code is declarative, version-controlled definitions of what evidence to collect, from where, and which control it satisfies. Your M2M agents execute those definitions and submit the results through the MCP server — deduplicated, attributed, and queued for human review. Nothing counts until a human approves.
It is the compliance analogue of policy-as-code and infrastructure-as-code: the same discipline your team already applies to infrastructure and configuration, applied to the evidence your auditors need.
Why
Evidence managed as code is version-controlled and reviewable in pull requests. Every change to what you collect, where you collect it from, and which control it satisfies is a commit. That means repeatable collection, a complete audit trail, and compliance evidence gathered the same way you ship software.
Supported submission methods (via M2M agents)
| Method | What it is | When to use |
|---|---|---|
submit_evidence (direct push) | An agent collects an artifact and pushes it with a content hash. Idempotent, attributed, lands pending review. The primitive. | One-off or ad-hoc submissions; the building block underlying all other methods. |
| Evidence-as-code definitions | Declarative collectors (control + source + collector + schedule) your agents execute, then submit via that same primitive. The repeatable layer. | Recurring, scheduled evidence collection where consistency and auditability matter. |
Your agent — or ours
Collection can run as your own agent — recommended for sensitive systems, where evidence stays inside your tooling — or EquanimGRC's managed agent for a turnkey setup. Both are tenant-isolated and require human approval before anything counts.
The evidence-as-code library
We are building a growing, shareable library of reusable definitions — one per control per integration, version-controlled and reviewable. The library is the direction: a collection where teams contribute and share the collectors they build, reducing the cost of coverage across frameworks. We will share more as it takes shape.
Illustrative snippet
# illustrative — an evidence-as-code definition
control: CC6.1 # SOC 2 — logical access
source: aws
collector: iam_policy_snapshot
schedule: daily
submit: mcp:write:evidence # pushed via MCP, deduped, pending reviewEarly access
Evidence-as-code is available to early-access customers. Request access and we will reach out when it is your turn.
See also: Agents & evidence for how machine agents authenticate and submit evidence, and Tools & scopes for the fullsubmit_evidence tool reference.