Documentation menu

DOCUMENTATION

Evidence-as-code

What it is

Evidence-as-code is declarative, version-controlled definitions of what evidence to collect, from where, and which control it satisfies. Your M2M agents execute those definitions and submit the results through the MCP server — deduplicated, attributed, and queued for human review. Nothing counts until a human approves.

It is the compliance analogue of policy-as-code and infrastructure-as-code: the same discipline your team already applies to infrastructure and configuration, applied to the evidence your auditors need.

Why

Evidence managed as code is version-controlled and reviewable in pull requests. Every change to what you collect, where you collect it from, and which control it satisfies is a commit. That means repeatable collection, a complete audit trail, and compliance evidence gathered the same way you ship software.

Supported submission methods (via M2M agents)

MethodWhat it isWhen to use
submit_evidence (direct push)An agent collects an artifact and pushes it with a content hash. Idempotent, attributed, lands pending review. The primitive.One-off or ad-hoc submissions; the building block underlying all other methods.
Evidence-as-code definitionsDeclarative collectors (control + source + collector + schedule) your agents execute, then submit via that same primitive. The repeatable layer.Recurring, scheduled evidence collection where consistency and auditability matter.

Your agent — or ours

Collection can run as your own agent — recommended for sensitive systems, where evidence stays inside your tooling — or EquanimGRC's managed agent for a turnkey setup. Both are tenant-isolated and require human approval before anything counts.

The evidence-as-code library

We are building a growing, shareable library of reusable definitions — one per control per integration, version-controlled and reviewable. The library is the direction: a collection where teams contribute and share the collectors they build, reducing the cost of coverage across frameworks. We will share more as it takes shape.

Illustrative snippet

# illustrative — an evidence-as-code definition
control: CC6.1            # SOC 2 — logical access
source: aws
collector: iam_policy_snapshot
schedule: daily
submit: mcp:write:evidence   # pushed via MCP, deduped, pending review

Early access

Evidence-as-code is available to early-access customers. Request access and we will reach out when it is your turn.

See also: Agents & evidence for how machine agents authenticate and submit evidence, and Tools & scopes for the fullsubmit_evidence tool reference.