Why Verifiable Compliance Beats Documented Compliance
Dr. Elena Marsh
Chief Scientist
The gap between paper and proof
In most regulated environments, compliance is a narrative. Teams assemble spreadsheets, screenshots, and PDFs once a quarter and hand them to an assessor. By the time the package is reviewed, the system it describes has already changed.
This is documented compliance. It is necessary, but it is not sufficient.
A control you cannot prove at any moment is a control you do not actually have.
From narrative to evidence
Narsil treats every control as an executable check that emits signed evidence on every build. Instead of describing what should be true, the pipeline records what is true, with cryptographic provenance.
- Each check maps to a NIST 800-53 or DISA STIG control identifier.
- Results are serialized as OSCAL assessment results.
- Every artifact is hash-linked into a tamper-evident ledger.
A worked example
narsil verify --baseline rhel9-stig --emit oscal
# › 1,284 controls evaluated
# › 1,281 pass · 3 accepted-risk · 0 fail
# › evidence sealed sha256:9f3c…a17e
The output is not a report a human wrote. It is a measurement the system took.
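To make the pipeline described above concrete, here is an added example (not Narsil's own code; the control identifiers, check logic, observed system state and signing key are all constructed for illustration). It runs each control as an executable check, serializes the outcome in a simplified OSCAL-style result, hash-links every result into an append-only ledger, signs each link, and then shows that editing a finding after the fact, the way a spreadsheet could be edited, breaks verification. The summary it prints mirrors the shape of the `narsil verify` output shown above.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable

# Constructed demo key; a real pipeline would sign with an HSM/KMS-held key.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64


@dataclass
class Check:
    control_id: str                 # NIST 800-53 control the check maps to (illustrative mapping)
    description: str
    run: Callable[[dict], bool]     # True when the control holds in the observed state
    accepted_risk: bool = False     # a documented risk acceptance turns fail into accepted-risk


def canonical(obj) -> bytes:
    """Deterministic JSON so hashes are reproducible across runs and machines."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal(prev_hash: str, result: dict) -> dict:
    """Hash-link one result to its predecessor and sign the link."""
    payload = {"prev": prev_hash, "result": result}
    digest = hashlib.sha256(canonical(payload)).hexdigest()
    sig = hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()
    return {**payload, "hash": digest, "sig": sig}


def evaluate(checks: list, state: dict) -> dict:
    """Run every check, record each outcome as an OSCAL-style result, append it to the ledger."""
    ledger, prev = [], GENESIS
    counts = {"pass": 0, "accepted-risk": 0, "fail": 0}
    for c in checks:
        if c.run(state):
            outcome = "pass"
        elif c.accepted_risk:
            outcome = "accepted-risk"
        else:
            outcome = "fail"
        counts[outcome] += 1
        # Simplified OSCAL assessment-result finding (not the full schema).
        result = {"control-id": c.control_id, "description": c.description, "state": outcome}
        entry = seal(prev, result)
        ledger.append(entry)
        prev = entry["hash"]
    # The final hash is the seal for the whole run: it commits to every earlier entry.
    return {"ledger": ledger, "counts": counts, "sealed": prev}


def verify_ledger(ledger: list) -> bool:
    """Recompute every link and signature; an edited, dropped or reordered entry breaks the chain."""
    prev = GENESIS
    for e in ledger:
        if e["prev"] != prev:
            return False
        digest = hashlib.sha256(canonical({"prev": e["prev"], "result": e["result"]})).hexdigest()
        expected_sig = hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()
        if digest != e["hash"] or not hmac.compare_digest(expected_sig, e["sig"]):
            return False
        prev = digest
    return True


# Constructed system state, standing in for what a real collector would observe on a host.
OBSERVED = {
    "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "yes"},
    "fips_mode": True,
    "auditd_running": False,
}

# Constructed checks; the control-to-check mapping here is illustrative, not an official baseline.
CHECKS = [
    Check("AC-17", "SSH root login disabled", lambda s: s["sshd"]["PermitRootLogin"] == "no"),
    Check("SC-13", "FIPS mode enabled", lambda s: s["fips_mode"]),
    Check("IA-5", "SSH password auth disabled",
          lambda s: s["sshd"]["PasswordAuthentication"] == "no", accepted_risk=True),
    Check("AU-12", "auditd running", lambda s: s["auditd_running"]),
]


def demo():
    report = evaluate(CHECKS, OBSERVED)
    intact = verify_ledger(report["ledger"])
    # Try to "fix" the failing finding after the fact, as one could in a hand-written report.
    tampered = json.loads(json.dumps(report["ledger"]))
    tampered[3]["result"]["state"] = "pass"
    return report["counts"], report["sealed"], intact, verify_ledger(tampered)


if __name__ == "__main__":
    counts, sealed, intact, after_tamper = demo()
    print(f"{sum(counts.values())} controls evaluated")
    print(f"{counts['pass']} pass · {counts['accepted-risk']} accepted-risk · {counts['fail']} fail")
    print(f"evidence sealed sha256:{sealed[:4]}…{sealed[-4:]}  intact={intact} after_tamper={after_tamper}")
```

Because the results carry no timestamps and the JSON is canonicalized, two runs over the same observed state produce the same seal, which is what lets an authorizing official re-derive the evidence rather than trust a narrative about it. A production ledger would replace the shared HMAC key with an asymmetric signature so that verifiers need only the public key.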
What this unlocks
When compliance is continuous and verifiable, authorization stops being a once-a-year event and becomes a property of the system. Authorizing officials can query posture directly, and drift is caught the moment it appears — not the next time someone opens a spreadsheet.
Truth in security begins with evidence you can check.