Artificial intelligence risk management platform provider JupiterOne Inc. today announced the launch of JupiterOne Continuous Controls Monitoring, a new product that tests whether security and compliance controls are actually working across cloud, software-as-a-service and hybrid environments.

The company is pitching CCM, as it calls the offering, as a fix for a gap left by existing compliance automation tools. Those tools have made audit preparation faster but generally stop at proving a control exists on paper rather than confirming it’s operating as intended after implementation.

CCM evaluates controls against live asset data instead of screenshots, spreadsheets and point-in-time reviews. The product is designed to flag control drift as it happens, generate audit-ready evidence from current data sources and map a single control definition across frameworks, including System and Organization Controls 2, International Organization for Standardization 27001, the National Institute of Standards and Technology Cybersecurity Framework, the Federal Risk and Authorization Management Program and the Health Insurance Portability and Accountability Act.

The product sits on top of JupiterOne’s graph-based data model and the company’s library of more than 200 integrations. Rather than checking isolated application programming interface responses from each connected tool, CCM evaluates controls across the relationships between assets, identities, cloud resources, SaaS applications and security findings. Every test exposes the underlying query, integration source and test logic, which JupiterOne argues is necessary for auditors to trust the output.

The company’s AI layer is also wired into the product, letting users ask compliance questions in natural language and pull back answers on control status, evidence, drift and framework alignment.

“Most organizations can show that a policy exists. Far fewer can prove, at any moment, that the control behind that policy is actually working,” said Chief Product Officer Kevin Tonkin. “GRC tools were built to manage compliance workflow. Security teams need something different, a way to prove that the technical controls behind every policy are actually working, in environments that change by the hour. JupiterOne CCM brings a security lens to GRC.”

Continuous controls monitoring has been gaining ground as security and compliance teams move away from periodic attestation toward real-time assurance, a shift that has drawn entries from both established governance, risk and compliance vendors and a wave of newer startups. JupiterOne’s pitch leans on the graph data model it has built the rest of its platform around, arguing that controls cannot be meaningfully evaluated in isolation from the assets and identities they govern.

The launch follows JupiterOne’s May rollout of AI Attack Surface Management and Unified Vulnerability Management. The company will demonstrate CCM at Infosecurity Europe in London from June 2 to 4.

JupiterOne has raised $119 million over four rounds. Investors in the company include Bain Capital Ventures, Sapphire Ventures, LifeOmic Security, Cisco Investments, Splunk Ventures, Rain Capital Fund LP, Tribe Capital Management, Heavybit Industries Inc. and Sands Capital Ventures.

Image: JupiterOne