Ethereal Connections Co.

Provenance Architecture
Positioning · May 2026

ECCO sits downstream of compliance automation.

Provenance infrastructure for a post-compliance world.

§ 01 · The shape of the gap

Compliance is solved. Integrity isn't.

The compliance automation category — Vanta, Drata, Secureframe, Anchor — won. They automated SOC 2, ISO 27001, HIPAA, GDPR, FedRAMP. That problem is solved at the infrastructure layer.

But compliance automation has a structural ceiling. It checks that your controls match a framework. It does not check whether the framework's source documents are still where they were yesterday. It does not check whether the regulatory citation in your terms of service still resolves to the rule you cited. It does not check whether the AI guidance page you depended on for a compliance claim was silently removed last week.

§ 02 · What we found in May 2026

The operating environment of regulated business in the post-AI economy.

ECCO ran a build-time link integrity check across the regulator citations on its own AI compliance scanner. Of 156 external URLs cited from federal agency sources across 41 industry verticals:

14 · 404s on federal source URLs
8 · cloaked from cloud-provider IPs
16 · structurally fragile
156 / 41 · URLs audited across verticals

The EEOC's primary AI guidance page had been actively removed. NIST's AI RMF was mid-revision. The audit, the patches, and the build pipeline that now enforces this continuously are in github.com/jeremiah-ECCO/scan-ecco.

§ 03 · The adjacency claim

Not replacing. Completing.

ECCO is the integrity layer adjacent to compliance automation — not replacing it, completing it. Where Vanta verifies that your systems match their frameworks, ECCO verifies that the claims your systems make about themselves still resolve to live, current, accurate sources. Where Drata watches your access controls, ECCO watches the provenance chain of every assertion your business makes to the public.

Same stack. Different layers.

As above · the compliance layers

Frameworks: SOC 2 · ISO 27001 · HIPAA · GDPR · FedRAMP · EU AI Act (Vanta · Drata · Secureframe)
Controls automation: Continuous monitoring · evidence collection · audit readiness (Vanta · Drata · Secureframe)

— where compliance ends and integrity begins —

Cited-authority integrity: Build-time verification that cited regulator sources still resolve live (ECCO)
Provenance Architecture: The provenance chain of every public claim, mechanically enforced (ECCO)

So below · the integrity layers

§ 04 · The doctrine

We call this Provenance Architecture.

The doctrine is short enough to ship in a build command:

Every claim verifiable. Every link live. Build pipeline enforced.

Four of ten ECCO surfaces are CI-gated under four posture variants — research-public, case-study-public, lead-funnel-public, offer-private. Same build pipeline; four operating modes; doctrine consistent. Public surfaces are licensed against extraction (CC BY-NC-ND 4.0) with subject-narrative carve-outs where lived-experience content sits outside the license. Private surfaces stay closed because they are the offer, not the research.

It is not a feature. It is the next layer.
