OpenCompliance is an OSCAL-native, Lean 4 proof-carrying compliance engine. It treats technical controls as theorems when they really are theorems, treats human attestations as signed claims when they are not, and keeps judgment-heavy controls explicit instead of hiding them behind green checks.
OpenCompliance is a proof-carrying compliance engine, not a checklist dashboard. It ingests controls and evidence, routes each obligation into proof, attestation, or human review, then returns either a certificate or a typed punch-list together with a trust-surface report that states exactly what was proved, assumed, attested, excluded, or deferred to judgment.
The point is not maximal automation. The point is epistemic honesty with better artifacts.
Most compliance tooling collapses very different kinds of reasoning into one dashboard status. A runtime proof, a stale screenshot, a manually uploaded PDF, and a partner attestation often end up looking identical in the UI.
OpenCompliance tries to break that habit by making the boundary between proof and assertion visible and machine-readable.
OpenCompliance imports the target control profile and the matching OSCAL mappings for the in-scope corridor.
Machine evidence, human attestations, and exclusions are stored as typed claims with signer, scope, source, freshness, and control mappings.
Every control is routed into one of four buckets: decidable, attestation, judgment, or mixed.
Only the decidable corridor enters the proof kernel. The system extracts unresolved axioms rather than hiding them.
Proof bundles, certificates, and revocations become signed artifacts with canonical digests that can be logged and replayed later.
The output is a certificate or typed punch-list plus a trust-surface report saying what is proved, attested, judgment-dependent, or out of scope.
The product’s signature artifact is the trust-surface report. It is a machine-generated summary of what the compliance result rests on.
The system should make it difficult to jump from messy internal state to a public certificate without leaving a signed, append-only, replayable trail.
The public value is not just the UI. It is the open mapping corpus, typed evidence model, proof boundaries, and replayable examples others can inspect and improve.
OpenCompliance does not replace licensed CPA firms, ISO certification bodies, or internal human judgment. It improves the quality, structure, and inspectability of evidence that those parties review.
Physical controls, policy adequacy, board oversight, and other normative questions remain partly or wholly attestation-driven or judgment-driven.
The initial scope is deliberately narrow: the technical overlap corridor between SOC 2 Security and ISO 27001. Access-control invariants, MFA enforcement, repository protections, CI policy guarantees, cryptographic settings, and similar inspectable controls come first.
The runtime pipeline, components, and how proofs, attestations, and publication-safe artifacts fit together.
Open architectureHow signed artifacts, transparency logs, witness reruns, and fail-closed issuance make the system tamper-evident without blockchain.
Open trust modelWhy an open, limitation-aware proof layer would move the compliance industry forward even before it solves every control.
Read the essayWhere OpenCompliance overlaps with Ceel, Vanta, and Drata, and why the open-source proof layer still matters.
Open landscapeThe public repos now carry both a minimal and a richer synthetic ExampleCo corridor, with typed claims, OSCAL-shaped projections, and replayable witness receipts.
Open examplesWhy the shared semantic layer should live in a neutral home, how sponsors fit in, and how the documents should be peer reviewed.
Open foundation