Option C · PM Analysis
Evidence Reuse / Freshness Graph
Every artifact is a graph node. New requests auto-find existing evidence across frameworks.
Thesis
The GRC industry's biggest hidden cost is collecting the same evidence multiple times for different frameworks. SOC 2 + ISO 27001 + HIPAA + customer security questionnaires all ask for the same MFA evidence. If every artifact is a graph node with mappings to all the controls it satisfies, across frameworks, the marginal cost of each new framework drops to near zero. The graph compounds with every collected artifact.
Target user
GRC program manager
Cross-framework GRC
- Frequency: Weekly cycle planning, daily during fieldwork
- Tools today: Spreadsheets crosswalking SOC 2 ↔ ISO 27001 ↔ NIST · ad-hoc collection per audit
- Core pain: Collected MFA evidence three weeks ago for SOC 2. Now ISO surveillance audit asks for the same thing. Re-collected from scratch because no one mapped it. This happens 100s of times per year.
- Win state: New audit kicks off. Auto-match surfaces existing fresh evidence for 89% of requests. The team only handles the 11% that's genuinely new.
Business Model Canvas
The nine standard blocks, mapped to this option.
Customer Segments
Companies running 3+ frameworks · IPO-track companies adding SOC 2 + ISO + HIPAA · multi-framework health/fintech
Value Proposition
"Collect evidence once. Reuse it across every framework. Watch your audit prep time drop 4× as you add frameworks."
Channels
AuditBoard direct + framework consultants (drive adoption when implementing new frameworks) · CSAT-driven expansion
Customer Relationships
Deep implementation (8–12 weeks for graph setup) · high switching cost · annual renewal expanding by framework count
Revenue Streams
Subscription per framework / per artifact · expansion as customer adds frameworks · platform value compounds
Key Resources
The evidence graph itself (data moat) · cross-framework mapping IP · AI reasoning over the graph
Key Activities
Maintain framework crosswalks · build graph reasoning engine · help customers seed initial graph
Key Partners
Standards bodies (AICPA, ISO, NIST, CIS) · audit firms · framework specialists / advisory partners
Cost Structure
Data engineering (high) · compliance research (med) · customer success (high — graph requires curation)
Pros
- Strongest moat — graph compounds with use. Switching cost grows with every artifact added. Cross-framework reuse is the real customer pain.
- Differentiated value prop. Hard to copy without years of investment in mapping IP.
- Aligns with AuditBoard's existing IP (control library + framework crosswalks already exist).
- Defensible against startups — they'd need scale to make the graph valuable, which takes years.
- Customer LTV grows with framework count — pure expansion revenue.
- Supports CRO and CISO narratives ("our compliance posture is queryable").
Cons / risks
- Slower to demo cold — "graph" is abstract. First customer experience can feel like an empty graph.
- Requires customer to seed the graph initially (or pair with A's auto-collection feeding it).
- Pure C without input pipes (A) = chicken-and-egg problem. Graph is only valuable once it has evidence.
- Long time to "wow" for new customers — graph value is cumulative over months.
- Sales cycle is longer (needs ROI modeling for cross-framework reuse).
Build & time
Build complexity
Medium-High
Time to MVP
4–6 months
Time to "wow"
6–12 months for new customer
Path to GA
- Build the graph data model (artifact ↔ control ↔ framework ↔ freshness).
- Seed with framework crosswalks (SOC 2 ↔ ISO 27001 ↔ NIST CSF ↔ HIPAA).
- Build smart-match engine (artifact → request matching with confidence scoring).
- Add freshness scoring + audit-window reasoning.
- Pair with A (1–2 high-value integrations) as the input pipe so graph stays current.
- Open the graph for customer queries ("which controls are stale?", "what would adding ISO cost?").
Fit assessment
★★★★★
Strongest strategic fit. Most defensible. Pairs with A for input, B as the UX layer. The "platform" of the three options. The path that makes AuditBoard a category leader rather than a feature vendor.