What's shipping in Affirmark.

Affirmark now pulls evidence directly from your existing tooling — IdP exports, EDR attestations, vulnerability scans, configuration drift — so drift surfaces in near real time instead of at cycle close. Supported for several Tier-A providers today, with more wiring in continuously.

• Mailbox ingestion: Microsoft 365, Google Workspace, Proton.
• Direct API ingestion where the provider exposes one.
• Manual upload remains the always-available fallback.

Your assessor can now inspect the verifiable audit chain directly inside Affirmark — integrity banner, per-entry inspector, filters by actor / entity / date range. Raw JSONL bundle still exports for offline review, and the signed CLI tool still ships for fully-offline verification.

• Filter by actor (system / user), entity type (narratives, evidence, findings, …), or date.
• Integrity banner reads OK / FAIL with the head hash and entry count.
• Download the raw JSONL bundle from the same screen for assessor handoff.

OIDC sign-in via Cognito hosted UI. SSO from Microsoft Entra ID, Okta, or Google Workspace. Every action recorded against the user account that signed in — no more shared service-account credentials.

Backend and frontend now enforce role-based access. Operators see and edit; reviewers see and comment; auditors see only. Role assignments live in Settings → Users, audited like every other compliance entity.

Each tool in your inventory now carries its FedRAMP authorization status — Authorized, In Process, or Not Authorized. Assessors see at a glance which third-party services in your stack are FedRAMP-aligned and which need a compensating control.