
Vanta Doesn’t Run Across Your Client Portfolio. Continuous Audit-as-a-Service Does.

I want to start by saying something nice about Vanta, because the comparison ahead is going to sound critical and the criticism is structural rather than personal. Vanta is an excellent product. So is Drata. So is Comp AI. So is Delve. If you’re a startup pursuing your first SOC 2 attestation, hiring one of those vendors is a defensible default and most of our clients have used one of them at some point.

But every one of those products is designed around a single primary tenant: the customer who buys the workspace. They are not designed for an MSP that needs to run continuous compliance posture across a portfolio of client environments — with multi-tenant evidence segregation, cross-portfolio benchmarking, and code-level audit hooked into the same fabric. That gap is what we’re shipping AiT Audit and AiT Trust Portal to fill.

What an MSP actually needs from continuous audit

The compliance landscape changed under us in 2026. EU AI Act Article 50 effective August 2. TRAIGA enforceable since January 1 with $200,000-per-violation penalties. The Treasury’s February 2026 framework mapping NIST AI RMF onto SOC 2 controls. Sector overlays from financial regulators. NIS2 transposition rolling through EU member states. The uniform answer to all of those is the same: continuous evidence collection, retained for years, exportable to whichever auditor is asking, in whichever format they want.

"Continuous" is the word that breaks the existing tooling for an MSP context. Specifically:

  • The MSP cannot give one client’s auditor access without giving them a generic dashboard view of unrelated client environments. Multi-tenant evidence segregation is required at the access-control layer, not the workspace layer.
  • The pricing model assumes one customer per workspace. MSPs end up paying for n workspaces when the right model is one workspace with n tenant slices.
  • Cross-portfolio benchmarking is structurally absent. Telling a client "your posture is in the 67th percentile of the MSPs we serve" is a real conversation we have, and the existing tools can’t feed that conversation.
  • Code-level audit — SAST, SCA, drift detection against a canonical rule set, OpenAPI lint, secrets scanning — is not the product. The existing vendors focus on operational evidence; we focus on operational evidence plus the code that produces it.

What we’re shipping

AiT Audit is a Cloud Run job that fires monthly across every codebase under our management. In approximately 45 minutes per cycle, it runs eight scanners per repository: Semgrep (with our centralized OWASP + Next.js + Clerk-RLS + multi-tenant rule set), OSV-Scanner for dependencies, Gitleaks for secrets, Checkov for IaC, Knip for dead code, Spectral for OpenAPI, Nuclei plus Lighthouse plus axe-core for deployed-URL scans, and a drift detector that compares each project’s lint and SAST configs against the canonical guardrail set. Findings persist to a Supabase database with row-level security scoped per project, then route through an Anthropic Haiku classifier that aligns each finding to the project’s stated objectives. The result is not "200 things to maybe fix." It’s "the 3 findings that actively threaten your stated quarterly objective."
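To make the drift-detector step and the objective-alignment step concrete, here is an added example (written for this post, not AiT's code). It compares one project's effective rule set against a constructed canonical guardrail set, emits drift findings, and then ranks them by overlap with the project's stated objectives. The rule ids, severities, objective names and area tags are all constructed, and the area-tag overlap is a stand-in for the LLM classifier the post describes; the point is the shape of the output: a short, objective-ranked list rather than a raw scanner dump.

```python
"""Drift detection against a canonical guardrail set, ranked by objective.

Added example, not AiT Audit's own code. Every rule id, severity level,
project config and objective below is constructed sample data.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}

# Constructed canonical guardrail set: rule id -> (minimum severity every
# project must enforce, the risk areas the rule protects).
CANONICAL_RULES = {
    "owasp.sqli.raw-query": ("ERROR", {"injection"}),
    "nextjs.api.missing-auth-check": ("ERROR", {"authz", "multi-tenant"}),
    "clerk.rls.missing-org-filter": ("ERROR", {"multi-tenant"}),
    "secrets.hardcoded-key": ("ERROR", {"secrets"}),
    "nextjs.img.no-alt": ("WARNING", {"accessibility"}),
}


@dataclass
class DriftFinding:
    project: str
    rule_id: str
    kind: str            # "missing" | "weakened" | "disabled"
    detail: str
    areas: set = field(default_factory=set)


def detect_drift(project: str, project_rules: dict) -> list:
    """Compare a project's effective rules (rule id -> severity, or None when
    the rule is explicitly disabled) against CANONICAL_RULES."""
    findings = []
    for rule_id, (min_sev, areas) in CANONICAL_RULES.items():
        if rule_id not in project_rules:
            findings.append(DriftFinding(
                project, rule_id, "missing",
                f"{rule_id} absent; canonical minimum is {min_sev}", areas))
            continue
        sev = project_rules[rule_id]
        if sev is None:
            findings.append(DriftFinding(
                project, rule_id, "disabled",
                f"{rule_id} disabled locally; canonical minimum is {min_sev}", areas))
        elif SEVERITY_RANK[sev] < SEVERITY_RANK[min_sev]:
            findings.append(DriftFinding(
                project, rule_id, "weakened",
                f"{rule_id} at {sev}, below canonical {min_sev}", areas))
    return findings


def align_to_objectives(findings: list, objectives: dict) -> list:
    """Rank findings by how many stated objectives they touch.

    Stand-in for the classifier step: objectives are tagged with risk areas,
    and a finding is aligned when its areas overlap an objective's areas.
    Returns (finding, [objective names]) pairs, most relevant first.
    """
    scored = []
    for f in findings:
        hits = [name for name, areas in objectives.items() if f.areas & areas]
        if hits:
            scored.append((len(hits), f, hits))
    scored.sort(key=lambda t: (-t[0], t[1].rule_id))
    return [(f, hits) for _, f, hits in scored]


def top_findings(project: str, project_rules: dict, objectives: dict, n: int = 3) -> list:
    """The few findings that threaten a stated objective, in priority order."""
    return align_to_objectives(detect_drift(project, project_rules), objectives)[:n]


# Constructed project: one rule weakened, one missing, one disabled, two OK.
BILLING_API_RULES = {
    "owasp.sqli.raw-query": "ERROR",
    "nextjs.api.missing-auth-check": "WARNING",
    "secrets.hardcoded-key": None,
    "nextjs.img.no-alt": "WARNING",
}

# Constructed quarterly objectives, tagged with the areas they depend on.
BILLING_API_OBJECTIVES = {
    "Q3: ship tenant isolation for enterprise tier": {"multi-tenant", "authz"},
    "Q3: pass SOC 2 Type II fieldwork": {"secrets", "injection", "authz"},
}

if __name__ == "__main__":
    for finding, hits in top_findings("billing-api", BILLING_API_RULES, BILLING_API_OBJECTIVES):
        print(f"[{finding.kind}] {finding.detail}  ->  {', '.join(hits)}")
```

The ordering rule is deliberate: a finding that touches two objectives outranks one that touches one, and ties break on rule id so the digest is stable across runs. Swapping the area-overlap scorer for a model call changes `align_to_objectives` only; the drift records themselves stay deterministic and auditable.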

A companion weekly cron pulls market signals — Hacker News /best filtered by relevance keywords, GitHub trending by topic, NVD CVE feed for stack components, awesome-list git diffs — and classifies each against project objectives the same way findings are. The Monday morning digest tells the team what changed in the world that touches what we’re building. The first such run wrote 29 real signals to the database, including a Hacker News story titled "Securing a DoD contractor: finding a multi-tenant authorization vulnerability" that mapped directly to objectives in two of our security products. The system found something useful on its first run.

AiT Trust Portal exposes this surface to the client. Every audit run, every finding, every remediation, every guardrail violation is queryable by the client’s designated auditor with row-level security enforcing tenant scope. Evidence collection for a SOC 2 control family that previously required an annual scramble now exists in retrievable form, dated, signed, retained for the policy period.
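As an added illustration of the evidence properties named above (tenant-scoped, dated, signed, retained for the policy period), and of the segregation point from the earlier list, here is example code written for this post rather than taken from the Trust Portal. The post describes Postgres row-level security as the enforcement mechanism; this stand-alone Python version emulates the same rule at the access layer: the tenant predicate is fixed by the server-side export function and is never a caller-supplied filter. Every record is HMAC-signed at collection time and verified on export, so an edit after the fact surfaces as a rejected record rather than a silently altered one. The signing key, tenant names, control ids, dates and retention period are all constructed.

```python
"""Tenant-scoped export of signed, dated evidence records.

Added example, not the AiT Trust Portal's code. The key, tenants, projects,
control ids, dates and retention period are constructed sample values.
"""
import hashlib
import hmac
import json
from datetime import date, timedelta

SIGNING_KEY = b"constructed-demo-key-not-for-real-use"  # assume a KMS-held key in practice
RETENTION_DAYS = 365 * 3  # assumed policy period for this example


def _canonical(record: dict) -> bytes:
    """Stable serialization so the signature does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict) -> dict:
    """Attach an HMAC-SHA256 over the record's canonical form at collection time."""
    sig = hmac.new(SIGNING_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return {**record, "sig": sig}


def verify_record(signed: dict) -> bool:
    """Recompute the signature over everything except 'sig' and compare in constant time."""
    body = {k: v for k, v in signed.items() if k != "sig"}
    expected = hmac.new(SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("sig", ""))


def within_retention(record: dict, as_of: date) -> bool:
    """True while the record's collection date is inside the policy period."""
    collected = date.fromisoformat(record["collected_on"])
    return collected + timedelta(days=RETENTION_DAYS) >= as_of


def export_for_auditor(store: list, tenant: str, as_of: date) -> tuple:
    """Everything an auditor for `tenant` may see.

    The tenant predicate is applied here, server-side; callers cannot widen it.
    Returns (accepted records, ids of records whose signature failed).
    """
    accepted, rejected = [], []
    for record in store:
        if record["tenant"] != tenant:
            continue                      # other tenants' rows never leave
        if not verify_record(record):
            rejected.append(record["id"]) # altered after signing
            continue
        if not within_retention(record, as_of):
            continue                      # past the policy period
        accepted.append(record)
    return accepted, rejected


# Constructed evidence rows: two tenants, one row altered after signing,
# one row older than the retention period.
_RAW_EVIDENCE = [
    {"id": "ev-001", "tenant": "tenant-a", "project": "billing-api", "control": "CC6.1",
     "collected_on": "2026-03-02", "status": "pass", "detail": "auth middleware present on all tRPC routers"},
    {"id": "ev-002", "tenant": "tenant-a", "project": "web-portal", "control": "CC6.1",
     "collected_on": "2026-02-09", "status": "fail", "detail": "2 routers missing auth middleware"},
    {"id": "ev-003", "tenant": "tenant-a", "project": "billing-api", "control": "CC7.1",
     "collected_on": "2026-03-02", "status": "fail", "detail": "1 hard-coded key in config"},
    {"id": "ev-004", "tenant": "tenant-a", "project": "legacy-api", "control": "CC6.1",
     "collected_on": "2022-01-15", "status": "pass", "detail": "historical run"},
    {"id": "ev-005", "tenant": "tenant-b", "project": "mobile-api", "control": "CC6.1",
     "collected_on": "2026-03-01", "status": "pass", "detail": "auth middleware present"},
]
EVIDENCE_STORE = [sign_record(r) for r in _RAW_EVIDENCE]

# Simulate an out-of-band edit after signing: flipping a failed control to pass.
EVIDENCE_STORE[2]["status"] = "pass"

if __name__ == "__main__":
    rows, bad = export_for_auditor(EVIDENCE_STORE, "tenant-a", date(2026, 3, 9))
    for r in rows:
        print(r["id"], r["project"], r["control"], r["status"], r["collected_on"])
    print("rejected (signature mismatch):", bad)
```

Two design choices matter here. First, the export function takes the tenant as its own argument rather than reading a filter from the request, which is the same property row-level security gives a database query: the scope is decided by the session, not the query text. Second, signature failures are reported rather than dropped silently, because an auditor needs to know that a record existed and was altered, not merely that it is absent.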

What this means for an existing client

A typical engagement looks like this: the client has eight repositories, mostly built by a previous agency or in-house team that has since rotated through people. Vanta has been running for a year and produces a tidy dashboard for the SOC 2 attestation, but no one on the team can answer a basic question like "do all eight repos enforce the same authentication boundary on their tRPC endpoints." Within the first month of an AiT Audit engagement, that question has an evidenced answer (yes / no / partially, with line numbers), and the gap closes through code changes our engineers ship in the same sprint.

The MSP delivering this is doing about a hundred dollars of work per repo per month and saving the client thirty thousand dollars of audit-prep labor at year-end. The deliverable is a continuously current trust posture, not a once-a-year scramble. That’s the structural shift.

Read the deep dive

White paper WP-06 explains the AiT Audit toolchain, schema, and the Anthropic-classifier objective-alignment pattern in full operational detail.

Read WP-06: Continuous Audit as a Service →

The bottom line

Vanta and Drata are good products for direct startup buyers. They are not the MSP-channel answer to the 2026 compliance wave, and pretending they are leaves you with a posture that crumbles under any audit that goes deeper than the dashboard. The MSPs serving mid-market clients need a continuous-audit fabric that runs across portfolios, segregates evidence by tenant, integrates code-level findings, and exposes the result to client auditors directly. That’s what we built. That’s what we’re running. That’s the wedge.