Six modules. One governed record.
Yōjin treats governance, risk and compliance as connected objects, not separate tools: policy is intent, risk is consequence, controls are operation, audit is assurance. All of it lives on one knowledge graph, moves through explicit lifecycles, and keeps its history.
01ContextGRC module
The organisational baseline everything else reads
Compliance starts with knowing who you are: sector, size, jurisdictions, the systems you run, the obligations that bind you. Yōjin captures this through onboarding, a tiered questionnaire, or the documents you already have — extracted claims are reviewed by you before they count.
The result is a versioned snapshot of your organisation. When it changes, it changes deliberately: a new version, reviewed and activated, with history preserved. Every other module reads from it, so scoping decisions stay consistent platform-wide.
What Context contains
- Onboarding by questionnaire or document upload
- Extraction review — you confirm what was read
- Versioned snapshots with a single active view
- Conflict review when sources disagree
02PolicyGRC module
Full lifecycle, clause-level coverage
Import the policies you have or author new ones. Yōjin identifies what each policy actually commits you to, then maps that against your obligations — clause by clause, not document by document.
Every policy moves through a governed lifecycle: draft, in review, approved, published, superseded, archived. Gap assessments show precisely where a policy falls short of an obligation, in language you can hand to the policy owner.
What Policy contains
- AI-assisted policy identification and extraction, human-reviewed
- Clause-level obligation coverage
- Gap assessment against your framework set
- Governed lifecycle with approvals and supersession
03ControlGRC module
A tiered catalogue with proof attached
Adopt controls from a catalogue built on the NIST 800-53 spine, organised in tiers — Foundation, Established, Advanced — so a growing organisation starts proportionate and matures deliberately.
Each control carries its evidence requirements and its framework mappings. Switch lenses to see the same control as NIS2 sees it, as DORA sees it, as the CRA sees it. Custom controls are first-class too: create discretionary controls and promote them when they harden.
What Control contains
- Tiered catalogue: Foundation / Established / Advanced
- Framework lenses per control — from NIS2 to the AI Act
- Evidence requirements and readiness tracking built in
- Formal and discretionary controls, with promotion
04RiskGRC module
Scenarios you can defend to a board
Risks in Yōjin are scenarios, not sticky notes: a threat actor, a loss event, an affected asset, an impact. Assess them qualitatively or quantify them with FAIR-style estimation when the decision warrants numbers.
Treatment is tracked to acceptance, residual risk is explicit, and the risk board shows your whole exposure — including which assessments came from AI proposals and still await review. Scenarios carry their threat side with them: exploitability context from CVE, KEV and EPSS surfaces on the risk itself. And when a decision needs numbers, scenario intelligence stages the quantification — feasibility, probability, loss — over a frozen evidence bundle, with the risk owner gating every result.
What Risk contains
- Structured scenarios: actor, event, asset, impact
- Qualitative and FAIR-based quantitative assessment
- Staged scenario intelligence: feasibility → probability → loss
- Exploitability context on scenarios: CVE, KEV, EPSS
- Treatment tracking and residual acceptance
- Risk board and heatmap with review states
05AuditGRC module
Engagements that end in a frozen record
Run internal or external audit engagements through their full lifecycle: planning, fieldwork, review, closed. Every audit item tracks evidence sufficiency — what is required, what is present, what is stale.
Findings are governed objects with owners and impact. When an engagement finalises, its snapshot freezes: a point-in-time record that stays exactly as the auditor saw it.
What Audit contains
- Engagement lifecycle: planning → fieldwork → review → closed
- Item-level evidence sufficiency
- Findings with ownership and impact
- Finalisation freeze and report packs
06ProgrammeGRC module
The work between "gap found" and "gap closed"
Compliance fails in the follow-through. Programme turns findings and gaps into programmes, projects and work items with owners, dependencies and dates.
Execution health rolls up honestly — clear, at risk, or blocked — and board packs report progress in the terms boards actually ask about.
What Programme contains
- Programme → project → work item hierarchy
- Dependency tracking across modules
- Execution health: clear / at risk / blocked
- Timeline compliance and board-pack reporting
Checks that are rules, not opinions.
Across all six modules, automated checks are written as deterministic expressions — evaluated the same way every time, against evidence with a known source and age. A check returns pass, fail, error, or unknown, and tells you why. More than 1,300 rules exist for the estate side alone, written against benchmarks assessors already trust — CIS, Microsoft Zero Trust, CISA. The same engine that assesses your cloud estate can assess policy conditions and audit test criteria, so "compliant" means the same thing everywhere in the platform.
It's the layer Kinetic Fabric feeds and Kōan reasons over.
Boring where it should be boring.
Underneath the modules sits the infrastructure an enterprise buyer expects to find — built European, validated deliberately.
Federated identity
Sign in with the identity provider you already run: OIDC federation with Microsoft Entra ID, just-in-time provisioning, and SCIM user lifecycle — provision, update, deactivate — on a dedicated EU-hosted identity layer, validated end-to-end.
Tenant isolation
Every tenant gets its own database, not a row filter. Isolation is proven the adversarial way — validation includes explicit cross-tenant denial tests, so one client's record can't leak into another's.
European infrastructure
Hosted on EU cloud in Paris, with European-model AI inference served from EU infrastructure — the residency and jurisdiction posture EU procurement asks about.
See the modules on your frameworks.
A demo maps your current obligations onto the catalogue, live.