<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>NSAuditor AI — Release Feed</title>
<link>https://nsauditor.com/ai/</link>
<description>Latest releases, plugins, and compliance-framework updates for NSAuditor AI (Community + Enterprise).</description>
<language>en-us</language>
<lastBuildDate>Fri, 12 Jun 2026 18:00:00 GMT</lastBuildDate>
<atom:link href="https://nsauditor.com/ai/feeds/ai.xml" rel="self" type="application/rss+xml"/>
<item>
<title>NSAuditor AI Enterprise 0.20.0 — GDPR Article 32 (Security of Processing): The Seventh Compliance Framework</title>
<link>https://www.nsauditor.com/ai/docs/gdpr/</link>
<guid isPermaLink="false">nsauditor-ai-ee-0.20.0</guid>
<pubDate>Fri, 12 Jun 2026 18:00:00 GMT</pubDate>
<description>EE 0.20.0 introduces GDPR Article 32 (Security of Processing) as the seventh compliance framework — and only Article 32: this is GDPR Article 32 infrastructure substrate, NOT GDPR compliance. GDPR is a 99-article legal regime; Art. 32 (security of processing) is the only article whose evidence is technical infrastructure state, so the rest of GDPR is operator-side and out of scope by design. The new seventh coverage matrix is 4 covered + 5 partial + 2 OOS across 11 Art. 32 sub-measure units, carrying the disciplines the article demands: four-factor proportionality (every finding is substrate FOR the operator&apos;s &quot;appropriate to the risk&quot; determination, never an absolute pass/fail); personal-data-scope attestation (the scanner reads configuration, not data classification — a finding is an Art. 32 concern only if the resource processes personal data; pair with your Article 30 records of processing); and the Art. 83(4) lower fine tier (up to 10M EUR or 2% of turnover — not the 20M EUR / 4% Art. 83(5) headline tier, which is for the basic principles and data-subject rights). Mapping-layer cycle: plugin count unchanged at 28, the six existing matrices unchanged. Paired CE 0.2.11 + agent-skill 0.2.11.</description>
</item>
<item>
<title>NSAuditor AI CE 0.2.10 — MCP Affordance II: Actionable-Finding Visibility + get_findings Drill-Down</title>
<link>https://www.nsauditor.com/ai/enterprise/</link>
<guid isPermaLink="false">nsauditor-ai-ce-0.2.10</guid>
<pubDate>Thu, 11 Jun 2026 18:00:00 GMT</pubDate>
<description>CE 0.2.10 — "MCP affordance II" — closes the MEDIUM-invisibility false-clean the EE 0.19.4 Desktop validation caught: the scan_cloud MCP summary itemized only CRITICAL/HIGH, so actionable MEDIUM/LOW findings were count-only and a Desktop agent could narrate "the alarm dimension came back clean" while live SQS/SNS no-alarm findings fired. The summary now rolls up MEDIUM+LOW findings per provider by category (count-descending, no-silent-cap, per-plugin uncategorized fallback). And a NEW Enterprise-gated get_findings tool drills into the most recent scan's per-provider, per-session cache — filter by provider/plugin/severity/category, paginate, and read the FULL untruncated finding text — keyed by a scanId the summary footer carries, gated before any cache read (a CE/Pro caller gets the same upgrade denial, never cached Enterprise findings). Paired with EE 0.19.4 (unchanged) + agent-skill 0.2.10 (which documents the drill-down).</description>
</item>
<item>
<title>NSAuditor AI Enterprise 0.19.4 — Routing-Integrity Hardening: No Finding Routes to Zero Controls + an Honest PCI 7.2.2 Down-Rate</title>
<link>https://www.nsauditor.com/ai/enterprise/</link>
<guid isPermaLink="false">nsauditor-ai-ee-0.19.4</guid>
<pubDate>Thu, 11 Jun 2026 16:00:00 GMT</pubDate>
<description>EE 0.19.4 — "Routing-Integrity Hardening" — closes the last structural false-clean: a real finding (or a visible evidence-gap) that maps to ZERO compliance controls, leaving the verdict green. A build-time routing guard now fails the build on any marked evidence-gap that routes to zero controls; GuardDuty evidence-gaps are de-duplicated and routed (plugin 1200); a deferred-scope unmark across eight plugins distinguishes a documented capability boundary from an unverified gap, shrinking the MCP "unverified" list. PCI DSS Req 7.2.2 (access by job classification and function) is honestly down-rated from covered to partial — the job-classification half is process/HR-gated, a QSA-flagged overclaim — so the PCI matrix moves from 20/8/39 to 19/9/39, with the least-privilege half now backed by IAM over-privilege detection (plugin 1030). The AWS-default VPC-endpoint full-access policy is recalibrated from CRITICAL to MEDIUM and routes across five frameworks (SOC 2 / HIPAA / PCI / ISO / CIS), and SQS/SNS CloudWatch-alarm posture now survives a Get*Attributes AccessDenied, with all four unverifiable causes failing the monitoring controls closed (plugin 1150). Plugin count UNCHANGED at 28; the other five coverage matrices UNCHANGED. Paired CE 0.2.9 + agent-skill 0.2.9.</description>
</item>
<item>
<title>NSAuditor AI Enterprise 0.19.3: MCP Affordance + Class-O Truncation Sweep — What the Scanner Knows Now Reaches the Reader</title>
<link>https://www.nsauditor.com/ai/enterprise/</link>
<guid isPermaLink="false">nsauditor-ai-ee-0.19.3</guid>
<pubDate>Tue, 09 Jun 2026 16:00:00 GMT</pubDate>
<description>EE 0.19.3 — "MCP affordance + class-O truncation sweep" — closes the gap between what the scanner finds and what the reader (or AI agent) actually sees. The scan_cloud MCP tool description now enumerates the real per-service coverage so AI agents route service-named audit asks to the scanner instead of improvising shell commands, and evidence-gap lines lead with the gap clause while carrying the first actionable clause as a companion. Truncation and per-key AccessDenied evidence-gaps across eight AWS auditors (1090/1080/1100/1110/1120/1130/1070/1210) now fail-close their sources' native controls in all six frameworks — including the 1110 P-16 grant-bypass, a real confirmed decrypt-bypass finding that previously failed no control. Also: a new Azure NSG dimension flags restricted-port exposure to the tenant-rentable AzureCloud service tags (1221), Lambda inline-credential env-var names and the AWS_LAMBDA_ exclusion-prefix evasion bypass are closed (1080), and public-subnet Redis replication groups no longer silently downgrade (1180). Plugin count UNCHANGED at 28; all six coverage matrices UNCHANGED at the count level. Paired CE 0.2.8 + agent-skill 0.2.8.</description>
</item>
<item>
<title>NSAuditor AI EE 0.19.2 — Confirmed false-negative tail: 6 more cloud-auditor silent misses closed</title>
<link>https://nsauditor.com/ai/enterprise/</link>
<guid isPermaLink="false">nsauditor-ai-ee-0.19.2</guid>
<pubDate>Mon, 08 Jun 2026 15:00:00 GMT</pubDate>
<description>EE 0.19.2 — "Confirmed false-negative tail" — closes six more gauntlet-confirmed cloud-auditor silent misses (the Tier-B continuation of 0.19.1), each closed test-first (RED then GREEN) and independently adversarially reviewed. Azure Key Vault legacy access-policy per-verb breadth — a 2-verb decrypt+unwrapKey envelope-decryption grant now flags — which also surfaced and repaired two compliance-routing titlePattern anchor-drifts (findings that were routing to ZERO controls across all six frameworks) and closed the root-cause drift detector (plugin 1222); a broad-but-not-full PUBLIC GCP firewall source range (e.g. 0.0.0.0/1) on a management port now flags HIGH, with RFC1918/reserved blocks discounted so a large private range is not flagged (1021); AWS KMS PendingDeletion keys are now policy-audited — the deletion is reversible via kms:CancelKeyDeletion (1070); a CodePipeline sticky approval-latch — each production stage now needs its own gate, so an un-gated canary-to-worldwide promotion is flagged (1100); a GCP Cloud Storage bucket-enumeration page-cap truncation evidence-gap, class-O-routed to the source's native controls (1024); and a CloudTrail data-events read-coverage caveat — a WriteOnly selector that drops S3 GetObject exfiltration events no longer reads "data events enabled" (1040). Plugin count UNCHANGED at 28; all six coverage matrices UNCHANGED at the count level. Paired CE 0.2.7 + agent-skill 0.2.7.</description>
</item>
<item>
<title>NSAuditor AI EE 0.19.1 — Confirmed false-negative batch: 7 cloud plugins hardened against silent misses</title>
<link>https://nsauditor.com/ai/enterprise/</link>
<guid isPermaLink="false">nsauditor-ai-ee-0.19.1</guid>
<pubDate>Mon, 08 Jun 2026 14:00:00 GMT</pubDate>
<description>EE 0.19.1 — "Confirmed false-negative batch" — closes seven gauntlet-confirmed cloud-auditor silent misses, each closed test-first (RED then GREEN) and independently adversarially reviewed with every confirmed review finding folded the same session. AWS IAM prefix-glob privilege-escalation (iam:Create*/Put*/sts:Assume*) plus access-key hygiene dead-code (plugin 1030); a wildcard-Principal SQS queue-policy audit at parity with SNS (1150); air-gapped KMS CreateGrant/GenerateDataKey effective-decrypt detection (1130); versioned-bucket noncurrent-version disposal via a read-only GetBucketVersioning fetch (1120); deprecated and unknown Lambda runtime currency, with no more allowlist-by-exclusion fail-open (1080); GCP OIDC-impersonation and Workload-Identity-Federation-provider admin-equivalence parity (1025); and VPC-endpoint sensitive-action matching by service namespace (1160). Plugin count UNCHANGED at 28; all six coverage matrices UNCHANGED at the count level. Paired CE 0.2.6 + agent-skill 0.2.6.</description>
</item>
<item>
<title>NSAuditor AI EE 0.19.0 — No silent false-clean: per-region evidence-gaps + class-O routing + AI-egress redaction</title>
<link>https://nsauditor.com/ai/enterprise/</link>
<guid isPermaLink="false">nsauditor-ai-ee-0.19.0</guid>
<pubDate>Sun, 07 Jun 2026 14:00:00 GMT</pubDate>
<description>EE 0.19.0 — "No silent false-clean" — is the largest false-clean-class closure since the framework cycles. An un-scanned cloud region, a denied cloud API call, or a CloudTrail trail that is logging but FAILING to deliver to its S3 bucket can no longer read CLEAN — at EITHER the compliance verdict OR the Claude Desktop / MCP transport. The shared forEachRegion fan-out (all 16 regional AWS plugins) now emits a per-region evidence-gap for every errored or access-denied region, and class-O routing fails closed exactly that source's own native attested controls across all six frameworks (208 additive routing anchors). Four per-plugin swallow-to-gap retrofits land alongside: AWS SQS/SNS, Azure Storage, AWS GuardDuty (no longer mis-reported as "NOT ENABLED"), and AWS CloudTrail delivery-failure. Plus two air-gapped / IAM criticals from the Mythos architecture review — the offline CVE matcher now fails closed on distro/epoch/build-suffixed package versions, and the KMS effective-decrypt auditor keeps HIGH on the AWS-default root-delegation key policy — and the AI-enrichment prompt no longer leaks the scan target (public IP / hostname / MAC / secrets) to the external LLM. Plugin count UNCHANGED at 28; all six coverage matrices UNCHANGED at the count level. Paired CE 0.2.5 + agent-skill 0.2.5.</description>
</item>
<item>
<title>NSAuditor AI EE 0.18.3 — GCP IAM + Azure Key Vault false-negative hardening III</title>
<link>https://nsauditor.com/ai/enterprise/</link>
<guid isPermaLink="false">nsauditor-ai-ee-0.18.3</guid>
<pubDate>Thu, 05 Jun 2026 14:00:00 GMT</pubDate>
<description>EE 0.18.3 closes three more cloud false-negatives by failing closed. (1) Azure Key Vault: a custom RBAC role granting only a narrow data-plane crypto/extraction verb — keys decrypt/sign/unwrap/encrypt/wrap (key-as-oracle / envelope-unwrap of CMK-wrapped DEKs), release/backup (key-material exfiltration), import/restore, purge; secrets getSecret/setSecret/backup/restore/purge — is now flagged, not just full-wildcard roles (plugin 1222). (2) GCP IAM: the service-account impersonation BFS now fail-closes on depth-cap truncation — a privileged service account reachable only via a chain longer than the depth cap fires a completeness evidence-gap instead of a confident "zero reachability paths" (plugin 1025 H3). (3) GCP IAM: when the optional googleapis IAM Admin SDK is absent, the custom-role / SA-key-custody / impersonation dimensions now fail-close to compliance-routed evidence-gaps (SOC 2 CC6.1 + C1.1, HIPAA 164.312(a)(1)) instead of silently vanishing (plugin 1025 M2). Each TDD'd + independently adversarial-reviewed. Plugin count UNCHANGED at 28; all six coverage matrices UNCHANGED at the count level. Paired CE 0.2.4 + agent-skill 0.2.4.</description>
</item>
<item>
<title>NSAuditor AI EE 0.18.2 — scan_cloud evidence-gap visibility, end-to-end</title>
<link>https://nsauditor.com/ai/enterprise/</link>
<guid isPermaLink="false">nsauditor-ai-ee-0.18.2</guid>
<pubDate>Thu, 05 Jun 2026 13:00:00 GMT</pubDate>
<description>EE 0.18.2 makes the no-false-clean "we couldn't verify this" evidence-gaps the cloud plugins emit visible end-to-end through the Claude Desktop / MCP transport across AWS, Azure, and GCP. A new CI producer-contract guarantees every cloud plugin marks its scan-coverage gaps — retrofitting AWS S3, the three Azure auditors (Storage, NSG, Key Vault), and AWS IAM — and the collector renders a dedicated "Evidence gaps (unverified)" section, so an auditor sees the disclosures instead of a silent LOW count over a surface the scanner could not actually read. Plus a read-only-security hardening (a regex-scanner fix that closes a way a crafted plugin could mask a mutating cloud call from the read-only meta-test) and the proprietary LICENSE / EULA now shipped inside the package. Plugin count UNCHANGED at 28; all six coverage matrices UNCHANGED (SOC 2 + HIPAA + NIST CSF 2.0 + PCI DSS v4.0.1 + ISO/IEC 27001:2022 + CIS Controls v8). Paired CE 0.2.3 + agent-skill 0.2.3.</description>
</item>
<item>
<title>NSAuditor AI EE 0.18.1 — GCP false-negative hardening II + fleet-wide read-only enforcement</title>
<link>https://nsauditor.com/ai/enterprise/</link>
<guid isPermaLink="false">nsauditor-ai-ee-0.18.1</guid>
<pubDate>Thu, 05 Jun 2026 12:00:00 GMT</pubDate>
<description>EE 0.18.1 makes the tool's read-only promise structural and closes three more GCP detection gaps. A new CI guarantee makes it impossible to ship a mutating cloud API call across all 28 plugins, paired with the customer-facing read-only-credential requirement (EULA §5.5) — read-only scoping guarantees an audit cannot change your environment. The three GCP fixes: (1) a firewall rule whose split source ranges cover the entire IPv4 internet (for example 0.0.0.0/1 plus 128.0.0.0/1) without ever literally writing 0.0.0.0/0 is now flagged as the CRITICAL it is; (2) the service-account impersonation graph now fails closed — emitting an evidence gap that suppresses an over-confident "no impersonation paths" verdict whenever the scan could not read every edge (a denied per-SA policy, unavailable custom roles, or a truncated list) — instead of reading falsely clean; (3) a bucket whose default object ACL grants allUsers / allAuthenticatedUsers, making every future object born public, is now detected. Plugin count UNCHANGED at 28; all six coverage matrices UNCHANGED (SOC 2 + HIPAA + NIST CSF 2.0 + PCI DSS v4.0.1 + ISO/IEC 27001:2022 + CIS Controls v8). Paired CE 0.2.2 + agent-skill 0.2.2.</description>
</item>
<item>
<title>NSAuditor AI EE 0.18.0 — GCP false-negative hardening (five detection gaps closed)</title>
<link>https://nsauditor.com/ai/enterprise/</link>
<guid isPermaLink="false">nsauditor-ai-ee-0.18.0</guid>
<pubDate>Wed, 03 Jun 2026 12:00:00 GMT</pubDate>
<description>EE 0.18.0 is a GCP false-negative hardening release: five fixes that close real GCP detection gaps where an audit could read clean while a genuine exposure went unseen. (1) A Cloud Storage bucket made public via a legacy ACL (allUsers / allAuthenticatedUsers) while Uniform Bucket-Level Access is disabled is now detected — the auditor scans the bucket ACL plus a sampled object-ACL surface instead of only IAM-policy exposure. (2) GCP IAM impersonation analysis is now complete: a project-scope serviceAccountKeyAdmin binding (mint a long-lived key for any service account) and a service account made admin-equivalent through a custom role are both detected instead of dead-ending as clean. (3) A denied GCP firewall / IAM / bucket enumeration now routes into findings and fails its own controls (fail-closed) rather than being read as a clean pass. (4) The project-IAM-public check, which had been calling the wrong client and never actually ran, now reads project IAM via the correct client — live-validated under pure ADC. (5) The IAM-admin client that powers custom-role, key-custody and impersonation analysis now authenticates under pure Application Default Credentials. The last two were pre-existing bugs caught by a new mandatory pre-publish validation gate before they shipped. Plugin count UNCHANGED at 28; all six coverage matrices UNCHANGED (SOC 2 + HIPAA + NIST CSF 2.0 + PCI DSS v4.0.1 + ISO/IEC 27001:2022 + CIS Controls v8). Paired CE 0.2.1 + agent-skill 0.2.1.</description>
</item>
<item>
<title>NSAuditor AI EE 0.17.0 — scope your cloud audit by AWS region (--aws-region)</title>
<link>https://nsauditor.com/ai/enterprise/</link>
<guid isPermaLink="false">nsauditor-ai-ee-0.17.0</guid>
<pubDate>Mon, 01 Jun 2026 12:00:00 GMT</pubDate>
<description>EE 0.17.0 adds --aws-region &lt;one|csv|all&gt; on the CLI and a regions argument on the MCP scan_cloud tool: audit one region, a comma-separated list (us-east-1,eu-west-1), or every region your account has enabled. The regional auditors — security groups, EC2, RDS, KMS, Lambda, Secrets Manager, DynamoDB, CodePipeline/CodeBuild, Backup, SQS/SNS, VPC endpoints, ElastiCache, SES, Inspector/GuardDuty, CloudTrail — now fan out across every in-scope region instead of only the configured one; the S3 auditors resolve each bucket's own region and skip-and-disclose buckets outside scope, closing latent cross-region false-cleans. Safe defaults: the no-flag path stays single-region and discloses any unscanned regions, and an unknown region code fails fast so a scan never silently mis-scopes. In Claude Desktop an "all regions" request is covered automatically in small region-group batches within the per-call time budget. Plugin count UNCHANGED at 28; all six coverage matrices UNCHANGED. Paired CE 0.2.0 + agent-skill 0.2.0.</description>
</item>
<item>
<title>NSAuditor AI EE 0.16.7 — CloudTrail multi-region audit completes, fails closed over unreachable regions</title>
<link>https://nsauditor.com/ai/enterprise/</link>
<guid isPermaLink="false">nsauditor-ai-ee-0.16.7</guid>
<pubDate>Sat, 31 May 2026 18:00:00 GMT</pubDate>
<description>An operator pointed Claude Desktop at their AWS account and the CloudTrail auditor came back thin — a handful of unreachable regions made the ~32-region enumeration hang past the assistant's time limit, so it fell back to one region. EE 0.16.7 makes that fail fast and keep going: a dead region drops out in ~2s instead of stalling for thirty, and one region's error no longer discards every other region's evidence. The CloudTrail audit went from 234s (incomplete) to ~13s and fully multi-region; an unreachable region is now an explicit evidence gap routed to the CloudTrail controls, never a silent miss. Confirmed in production via Claude Desktop. No new plugin (count stays 28); all six coverage matrices UNCHANGED. Paired CE 0.1.98 + agent-skill 0.1.66.</description>
</item>
<item>
<title>NSAuditor AI EE 0.16.4 — scan_cloud findings now reach the assistant (false-clean fix)</title>
<link>https://nsauditor.com/ai/enterprise/</link>
<guid isPermaLink="false">nsauditor-ai-ee-0.16.4</guid>
<pubDate>Fri, 30 May 2026 12:00:00 GMT</pubDate>
<description>EE 0.16.4 closes a false-clean in the MCP scan_cloud tool: a cloud audit that found real CRITICAL exposures could report zero findings because the user-facing summary was built by a network-port-scan component that silently dropped cloud compliance findings. It now builds a per-cloud findingsSummary directly from the scan results. No new plugin (count stays 28); all six coverage matrices UNCHANGED. Paired CE 0.1.95 + agent-skill 0.1.63.</description>
</item>
<item>
<title>NSAuditor AI EE 0.16.0 — per-account cloud scanning (--env / --aws-profile)</title>
<link>https://nsauditor.com/ai/enterprise/</link>
<guid isPermaLink="false">nsauditor-ai-ee-0.16.0</guid>
<pubDate>Thu, 29 May 2026 12:00:00 GMT</pubDate>
<description>EE 0.16.0 adds per-account cloud scanning: --env loads a per-scan dotenv credentials file, --aws-profile selects a named AWS profile, and sentinel-host --plugins all auto-scopes to only that cloud's plugins. No new plugin (count stays 28); all six coverage matrices UNCHANGED. Paired CE 0.1.91 + agent-skill 0.1.58.</description>
</item>
<item>
<title>NSAuditor AI EE 0.15.6 — compliance-mapping correctness (NIST + PCI now catch public S3)</title>
<link>https://nsauditor.com/ai/enterprise/</link>
<guid isPermaLink="false">nsauditor-ai-ee-0.15.6</guid>
<pubDate>Wed, 28 May 2026 12:00:00 GMT</pubDate>
<description>EE 0.15.6 closes two cross-framework false-report defects in how S3 public-exposure findings route: a publicly-accessible bucket now routes to NIST CSF PR.AA-05 + PR.DS-01 and PCI DSS 7.2.1 (was CLEAN on those two), and a missing-Public-Access-Block guardrail gap no longer false-FAILs a compliance control. Routing correctness, not new scope — all six coverage matrices UNCHANGED. Paired CE 0.1.87 + agent-skill 0.1.54.</description>
</item>
<item>
<title>NSAuditor AI EE 0.15.4 — S3 public-exposure: non-current-version ACL sampling + public WRITE-vs-READ</title>
<link>https://nsauditor.com/ai/enterprise/</link>
<guid isPermaLink="false">nsauditor-ai-ee-0.15.4</guid>
<pubDate>Wed, 28 May 2026 06:00:00 GMT</pubDate>
<description>EE 0.15.4 completes the S3 public-exposure story across current and historical object states: non-current object-version ACL sampling closes a silent-overwrite vector, and public grants are now differentiated WRITE-vs-READ. No new plugin (count stays 28); all six coverage matrices UNCHANGED. Paired CE 0.1.85 + agent-skill 0.1.52.</description>
</item>
</channel>
</rss>
