    Reign. For the Chief Audit Executive

    Continuous Agentic Assurance. Built for the Chief Audit Executive.

    Your function is on the third line. The work has changed. Agentic AI takes high-risk actions thousands of times a day, faster than any sample-based audit plan can keep up with. Reign was built so risk-based audit planning, continuous control monitoring, and audit-grade evidence travel together at the speed the business now operates.

    Or apply for a focused pilot →
    Download the AI Audit Maturity Model →
    Aligned standards
    IIA Three Lines · ALCOA+ · CAVR
    Audience fluency
    IIA-fluent. CAE-led. Audit Committee-ready.
    Evidence discipline
    CAVR by construction. Population-level.
    Working-paper grade
    Tamper-evident. Reproducible. External-auditor-ready.
    Aligned to the Three Lines of Defense

    First line operates inside policy. Second line monitors continuously. Third line has read-only, tamper-evident access to the same evidence chain.

    This page is the canonical Reign surface for the Chief Audit Executive. The framework Reign aligns to here, by design, is the IIA Three Lines of Defense model.

    Read the deep reference
    The wedge, in audit language

    The two questions every line on your audit chain is now being asked.

    Internal Audit has always tested whether controls were designed and operating effectively. Agentic AI has split that test into two distinct questions, asked thousands of times per day, on a clock the audit plan was never designed for.

    Before execution
    01

    Should this agent be allowed to take this action?

    “This is the control activity. Policy at the point of decision. Identity bound. Risk classified. Logged the moment the decision is made, not reconstructed at exam time.”

    Control activity · Policy at decision point · Identity bound · Risk classified
    After execution
    02

    Did the resulting outcome align with the business objective?

    “This is the test of operating effectiveness. Outcome compared to intent. Variance captured as evidence. The work the third line has always done, now running continuously instead of quarterly.”

    Test of operating effectiveness · Outcome vs intent · Variance as evidence · Continuous, not quarterly

    Reign instruments both questions for every agent, every model invocation, every tool call. The audit plan inherits a continuous, population-level evidence chain instead of a quarterly snapshot.

    Why the audit plan has to change

    Sample testing was built for a world AI no longer fits inside.

    The IIA’s risk-based audit plan was designed for transaction populations that move at quarterly cadence. Agentic AI now drives credit decisions, payment approvals, vendor onboarding, IT remediation, security containment, and customer entitlements in the same operating day. Each one is a control activity. Each one is in scope.

    Sample-based testing cannot defensibly cover a population of that size. Application logs are not control evidence. The cycle mismatch between AI deployment and audit prep is widening, and the third line is the function that carries the residual. Reign closes the gap by making the evidence chain continuous and complete at the population level.

    CAVR. The four assertions, AI-native

    Completeness. Accuracy. Validity. Restricted Access.

    CAVR is the foundation Internal Audit has always tested for IT general controls. Continuous Audit Validation Reporting makes the same four assertions hold up at the speed and scale agentic AI operates.

    C

    Completeness

    Every model call, every agent action, every tool invocation captured at the gateway and written to the audit chain. No gaps because every action goes through Reign before it reaches a system of record.

    A

    Accuracy

    Tamper-evident evidence with ALCOA+ data integrity attributes. Attributable. Legible. Contemporaneous. Original. Accurate. Plus complete, consistent, enduring, and available. Auditor-verifiable in minutes.

    V

    Validity

    Policy at the decision point. Every approval and every denial is part of the audit chain. Unauthorized actions are blocked before execution rather than reconstructed afterward.

    R

    Restricted Access

    Identity-bound to every AI call. Segregation of duties enforced in the runtime. The same person cannot both develop and approve a model change. Every access decision logged and queryable.

    The framework, instrumented

    The third line was the hardest to instrument for AI. Reign starts there.

    Most AI governance tooling produces one dashboard for one persona. That structure does not survive an examination. The second line cannot independently challenge a control it cannot see. The third line cannot provide independent assurance on evidence it does not own. Reign was architected against the Three Lines model from day one. Same evidence chain. Different views, different access controls, different working-paper trails per line.

    First Line

    Operates inside policy

    Business and operations run AI within the policy boundary. Calls go through the gateway. Every decision is logged the moment it is made.

    Second Line

    Monitors continuously

    Risk and Model Risk Management run continuous control monitoring against the same evidence chain. Independent challenge of first-line activity in real time, not after the fact.

    Third Line

    Independent assurance

    Internal Audit has read-only, tamper-evident access to the same record the first line generated. Working papers reference the same ledger the second line monitors. Independence by construction.

    Deep reference. Read the full Three Lines of Defense architecture for Reign.
    Open the architecture page
    Inside your audit plan

    Risk-based planning, continuous monitoring, and working papers, refactored.

    Risk-based audit planning

    Reign surfaces the highest-frequency, highest-impact agent actions across the enterprise so the audit universe reflects how AI actually operates today, not how it was scoped in last year’s plan.

    Continuous control monitoring

    Anomaly detection runs against the evidence chain in real time, with materiality thresholds set by your function. Findings that cross threshold escalate to the CAE, to the Chief Risk Officer, and into the Audit Committee dashboard with full context attached.

    Control effectiveness testing

    Population-level test packets generated on demand. Test-of-design and test-of-operating-effectiveness artifacts assembled from the same ledger the first line operates against, walkthrough-ready for the external audit firm.

    Working papers and audit evidence

    Verifiable, reproducible artifacts. The same query against the same evidence corpus produces an identical artifact, with cryptographic chain of custody. The external auditor walks away with population-level evidence instead of a sample.

    The AI Audit Maturity Model

    Where does your function sit today.

    A five-stage maturity model for AI inside Internal Audit. Stage one is unscoped, AI in production with no audit coverage. Stage five is continuous, AI fully scoped, continuously monitored, and assurance-ready on demand. Most functions today sit between stage two and stage three.

    The gated download walks through where your function sits, what changes at each stage, and the order to sequence the work.

    Download the AI Audit Maturity Model (PDF)
    Maturity assessment · PDF

    Five stages. From unscoped to continuous.

    1. Unscoped
    2. Reactive
    3. Defined
    4. Monitored
    5. Continuous
    28 pages · self-assessment workbook included
    For CAE and IA leadership
    The engagement funnel, for CAE-led functions

    What is the next step.

    Four stages. Each one scopes and qualifies the next. Most CAE-led functions start at Stage 1 with an Executive Assurance Briefing, then move into a Runtime Risk and Governance Assessment scoped to the agents and workflows already on the audit plan.

    Schedule an Executive Assurance Briefing
    Start a Runtime Risk Assessment
    Or apply for a focused pilot →
    Internal Audit questions, answered

    Frequently asked by CAE-led functions.

    Reign is the AI-specific control and evidence layer. The GRC platform you already run for enterprise risk continues to do that job. Reign’s audit chain produces structured artifacts that ingest into ServiceNow GRC, Archer, OneTrust, Workiva, and other enterprise platforms by API or scheduled export.
    Built for the boardroom. Tested in the engine room.
    D-SIBs and Tier 1 banks
    Global biopharma operations
    Public sector and defense suppliers
    Critical-infrastructure operators
    FINOS-aligned consortium members
    The engagement funnel, for the third line

    What is the next step.

    Four stages. Briefing scopes the question. Assessment scopes the surface area. Pilot proves runtime evidence at a fixed scope. Platform Rollout is where Reign goes into steady-state production. Most CAE-led functions start at Stage 1.
