2026 Changelog
May 2026
Account activation flow
Newly invited members complete onboarding through a single /activate page that walks them through password setup (NIST SP 800-63B compliant — 12-character minimum with compromised-password check), MFA enrolment via TOTP, and backup-code download. Whether you’re an Account Owner activating your org for the first time or a teammate joining an existing org, the flow is identical.
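As an added illustration (not Ayliea's own code), the password part of that policy looks like this when written as a check: a length floor, a compromised-password screen, and no composition rules, which is what NIST SP 800-63B asks for. The breach list is a constructed sample; the 128-character ceiling, the repetition check and the account-context check are assumptions taken from 800-63B's blocklist guidance, not from the page.

```python
"""Password acceptance check in the NIST SP 800-63B style the activation flow
describes: a 12-character minimum plus a compromised-password screen, and no
composition rules. Added example, not Ayliea's own code. The breach list is a
constructed sample; the 128-character ceiling and the account-context check are
assumptions drawn from 800-63B, not from the page."""
import hashlib
import unicodedata

MIN_LENGTH = 12    # stated on the page
MAX_LENGTH = 128   # assumption: 800-63B requires accepting at least 64 characters

# Constructed sample of "compromised" passwords, stored as SHA-1 digests the way
# breach corpora such as HIBP publish them. Not real breach data.
_COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password1234", "qwertyuiop12", "letmein12345")
}


def normalize(password: str) -> str:
    """NFKC-normalise so visually identical Unicode spellings compare equal."""
    return unicodedata.normalize("NFKC", password)


def is_compromised(password: str) -> bool:
    """Membership test against the constructed breach set (hash of the normalised text)."""
    digest = hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()
    return digest in _COMPROMISED_SHA1


def check_password(password: str, context=()):
    """Return the list of rejection reasons; an empty list means the password is accepted.

    `context` holds account-specific strings (email, org name) that 800-63B says a
    blocklist should cover. Length is counted in code points after normalisation, so
    spaces and non-ASCII characters count like any other character.
    """
    pw = normalize(password)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if len(set(pw)) <= 1:
        reasons.append("repetitive characters")
    if any(c and c.casefold() == pw.casefold() for c in context):
        reasons.append("matches an account-specific value")
    if is_compromised(pw):
        reasons.append("appears in a compromised-password list")
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "password1234", "short"):
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

The check deliberately has no "one uppercase, one digit, one symbol" rule: 800-63B drops composition rules because they push users toward predictable substitutions, and the compromised-password screen catches the weak choices that rules were meant to prevent. A production deployment would replace the constructed set with a lookup against a real breach corpus (for example the HIBP k-anonymity range API, which only sends the first five hex characters of the hash).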
Account Owner team management
Owners and admins can now invite teammates by email, resend activation emails to members who haven’t signed in yet, change roles with full audit-log trail, and remove members. New-to-Ayliea invitees get an auth account provisioned automatically and an activation email; existing Ayliea users get an org-membership invitation. When a removed member has no remaining org memberships, their auth account is fully deleted.
Suspend members
Owners and admins can suspend a member, which revokes all active sessions immediately and denies any subsequent re-auth attempt. Unsuspend restores access on the member’s next sign-in.
Member observability
The team list now shows status (Invited / Active / Suspended), MFA enrolment, and last-sign-in time per member. Lists are paginated for orgs with more than 50 members.
Per-organization feature gating
Every org now carries a bundle assignment (Free / Core / Discover +) plus per-feature overrides on top of the bundle’s defaults. Sales-led deals can enable specific capabilities per customer without forcing them into a higher tier.
Public Trust Center at /trust
Documents Ayliea’s encryption (per-organization envelope encryption with DEK + MEK), authentication (TOTP MFA mandatory, NIST 800-63B password policy), audit logging, and sub-processors. Enterprise buyers can self-serve the security questions they previously asked on every demo call.
Trust Center scannability redesign
The /trust page now opens with a 4-card fast-facts header (Encryption, MFA, Sub-processors, DPA) so buyers can answer the top security questions in under 5 seconds. A sticky table of contents pins to the left rail on desktop and highlights the section currently in view; a Jump-to-section accordion replaces it on mobile. A “Last verified” timestamp under the hero makes the page’s freshness explicit.
Trust Center: regulatory alignment, not certification
The GDPR and CCPA entries on /trust are now labelled “Aligned” rather than “Compliant”, with notes that describe what we actually do operationally (DPA published with SCCs Module Two for international transfers, data subject rights honored via the privacy notice). Both are self-assessed regulatory standards with no third-party certification — the previous framing implied a higher bar than we could defend without external legal review. The section title also changed from “Certifications & attestations” to “Regulatory alignment”.
Competitor comparisons, glossary, vendor lookup, AI Risk Score Calculator
New marketing surfaces: per-competitor comparison pages at /compare/<competitor>, per-term definitions at /glossary/<term>, a free vendor risk-classification tool at /tools/vendor-lookup, and an AI risk scoring calculator at /tools/ai-risk-score.
Sales-led pricing
Public tier names and dollar amounts have been removed; pricing is now sales-led through /contact. The in-app /upgrade page is now a read-only bundle browser.
Public self-signup removed
/sign-up is gone. New customer accounts are created exclusively by Ayliea admins (via the provisioning UI) and Account Owners (via the team-management flow).
Email deliverability hardening
Apex SPF record now correctly authorizes Google Workspace; Resend DKIM record carries the standard tag prefix. mail-tester.com scores 10/10 for outbound mail from both Workspace and Resend transactional paths.
April 2026
Continuous monitoring drift alerts (Business tier)
When evidence from your connected integrations causes your assessment scores to drop, Ayliea now detects the drift and emails your organization owner with a breakdown of the affected controls, their previous and current scores, and a deeplink back to the assessment. The continuous-monitoring sweep runs nightly — no configuration needed, just connect an evidence source and you’re covered. Available on Business and above.
Scheduled GitHub evidence polling
Your connected GitHub integration now refreshes evidence automatically every morning — no more needing to hit “Refresh” manually. The scheduled poll covers your most-recent completed assessment across up to three frameworks per organization, so a Business-tier team running both CIS v8 and SOC 2 sees both updated. Combined with drift alerts, this closes the loop: your posture score now tracks the real-world state of your tooling on a rolling basis.
Drift alert severity
Drift emails now carry a severity tier. Critical regressions (dropping below passing or losing more than 15 points overall) get a red banner and a [CRITICAL] subject prefix so your team can triage at a glance. Lighter regressions stay amber.
Score trend chart on the results page (Business tier)
Every assessment now shows a line chart of how your score has moved over time. Points are colored by what caused each rescore — completion (your initial baseline), evidence poll (automatic updates from your connected integrations), or manual rescore. The card lives on the assessment results page and appears as soon as you have a snapshot, then becomes a proper line once a second snapshot lands. A delta indicator shows the change since the previous capture, so you can see at a glance whether you’re trending toward or away from your posture target.
HIPAA Security Rule Assessment
Assess your organization against the full HIPAA Security Rule — 80 questions covering Administrative, Physical, Technical, Organizational, and Documentation safeguards. Results are scored against the five sections of 45 CFR Part 164 Subpart C, with actionable remediation guidance for each gap. Available on Pro and above.
SOC 2 Type II Security Assessment
Measure your posture against the AICPA Trust Services Criteria 2017 (revised 2022) — 84 questions covering all nine Common Criteria (CC1 Control Environment through CC9 Risk Mitigation). Map evidence to the controls auditors actually ask about. Available on Pro and above.
AI Agent Security Framework
A focused mini-framework for teams deploying AI agents in production — 26 questions across six categories: agent governance, delegated authority and credentials, tool invocation security, context and memory protection, monitoring and incident response, and multi-agent orchestration. Aligned to MITRE ATLAS v5.1 agentic techniques. Available on Free.
AI Agent Security assessment fixed for Free tier
A recent issue prevented Free-tier accounts from starting the AI Agent Security assessment. This is now resolved — all Free accounts can run the 26-question assessment without restriction.
NIST IR 8401 — Satellite Ground Segment Assessment
Applies the NIST Cybersecurity Framework structure to commercial satellite command-and-control systems. 82 questions across six categories (asset management, governance/risk/supply chain, access control and data security, awareness and protective technology, anomaly detection and continuous monitoring, incident response and recovery). For space systems operators and ground segment providers. Available on Pro and above.
ISO/IEC 42001:2023 AI Management System Assessment
The first certifiable AI management system standard — now fully supported. 69 questions provide complete coverage of clauses 4–10 (context, leadership, planning, support, operation, performance evaluation, improvement) and all 38 Annex A reference controls across A.2 (AI Policies), A.3 (Internal Organization), A.4 (Resources), A.5 (Impact Assessment), A.6 (AI System Life Cycle), A.7 (Data), A.8 (Information for Interested Parties), A.9 (Use of AI Systems), and A.10 (Third-Party and Customer Relationships). Every question cites its exact ISO clause or Annex A control reference so assessments map directly to an external audit. Available on Pro and above.
OWASP Top 10 for LLM Applications (2025)
The canonical industry reference for LLM application security — now fully assessable in Ayliea. 77 questions across all 10 OWASP categories: prompt injection, sensitive information disclosure, supply chain, data and model poisoning, improper output handling, excessive agency, system prompt leakage, vector and embedding weaknesses, misinformation, and unbounded consumption. Every OWASP-listed prevention strategy maps to a question in its OWASP-listed category, so an LLM10 score reflects coverage of all 15 LLM10 strategies, not a curated subset. Each question includes a remediation playbook authored from the official OWASP guidance, with concrete steps, environment guidance for small/mid/enterprise, and cross-framework references to AISS, ISO 42001, NIST AI RMF, and MITRE ATLAS techniques. Source: genai.owasp.org/llm-top-10/ (2025 release, March 12, 2025). Available on Pro and above.
Personalized remediation for ISO/IEC 42001 findings
Every ISO/IEC 42001 control — all 69 — now has an AI-powered remediation playbook authored from the normative Annex B implementation guidance. When you score a low maturity level on any ISO 42001 control, the recommendation engine personalizes concrete next steps to your organization’s size, sector, and environment, so your gap report reads as a prioritized to-do list rather than an abstract control reference.
Trust Centers
Publish a branded public trust page at ayliea.com/trust/<your-org> showing your framework scores, compliance coverage, and certification badges. Choose between Summary (grades only), Standard (numeric scores), or Detailed (per-category breakdown) visibility. Optionally display an evidence indicator showing how many controls have supporting evidence on file — file contents and names are never exposed. Pro and above for basic trust centers; Business and above for advanced customization.
AI Usage Policy Engine
Define policies for every AI tool in your organization: Approved, Monitor, or Restricted. Ayliea automatically checks discovery scan results against your policies and flags violations with severity scoring. Export blocklists in CSV, JSON, or text format for direct import into Zscaler, Netskope, or Palo Alto firewalls.
Policy Violation Trends
Track policy violations over time with a stacked area chart showing severity breakdown (critical, high, medium, low). View resolution rates, current open violations, and select between 7-day, 30-day, and 90-day time ranges.
Public REST API
Enterprise-tier organizations can now access assessment scores, recommendations, and discovery results programmatically via the v1 REST API. API keys are scoped, hashed at rest, and rate-limited. Full documentation available at docs.ayliea.com/api-reference.
Third-Party Integrations
Connect Ayliea to your existing workflow tools. Push recommendations directly into Jira, Linear, GitHub Issues, or Azure DevOps as actionable tickets. Connect Slack for real-time notifications on assessment completions and discovery alerts.
Webhook Notifications
Subscribe to platform events (assessment completed, recommendation updated, discovery completed, policy violation detected) and receive HMAC-signed webhook deliveries to your endpoints. Track delivery status and retry failed deliveries.
Scheduled Discovery Scans
Organizations with continuous monitoring enabled now receive automated daily discovery scans. New AI tools and risk escalations trigger alerts automatically without manual intervention.
Scheduled Report Delivery
Configure weekly or monthly security digest emails delivered to your inbox. Reports include framework scores, recommendation progress, stale assessment warnings, and overdue items.
Industry Benchmarking
Compare your security scores against anonymized industry benchmarks. See where you stand relative to the 25th, 50th, and 75th percentiles for your industry and framework.
AI-Powered Recommendations
Recommendations are now personalized by Claude AI based on your organization’s size, industry, device environment, and platform stack. The AI tailors remediation steps to reference the specific tools, admin consoles, and settings paths relevant to your setup.
Account Security Improvements
- Password changes now require current password re-authentication
- Concurrent session limiting: one active session per user, with forced sign-out on other devices
- Account deletion uses a 30-day soft-delete recovery window with email notification
- GDPR data export: download all your personal data in JSON format from Security settings
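Returning to the Webhook Notifications entry above: the point of an HMAC-signed delivery is lost if the receiving endpoint does not verify it, so here is what receiver-side verification looks like. This is an added example, not Ayliea's code. The page states only that deliveries are HMAC-signed; the header names, the signing string layout (timestamp, a dot, then the raw body), hex-encoded HMAC-SHA256, the 5-minute replay window and the event payload shape are all assumptions for this example, and the real scheme should be taken from the API reference.

```python
"""Receiver-side verification of an HMAC-signed webhook delivery.
Added example, not Ayliea's own code. Header names, the signing string layout
("<timestamp>.<raw body>") and the hex HMAC-SHA256 scheme are assumptions; the
page only states that deliveries are HMAC-signed."""
import hashlib
import hmac
import json
import time

SIGNATURE_HEADER = "X-Webhook-Signature"   # hypothetical header name
TIMESTAMP_HEADER = "X-Webhook-Timestamp"   # hypothetical header name
REPLAY_WINDOW_SECONDS = 300                # assumption: tolerance for skew and replays


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over "<timestamp>.<raw body>" (assumed layout).

    Binding the timestamp into the MAC means an attacker who captures a delivery
    cannot re-send it later with a fresh timestamp header."""
    msg = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: dict, body: bytes, now=None):
    """Return (ok, reason). Always MAC the raw bytes as received; re-serialising
    parsed JSON changes whitespace and key order and breaks the comparison."""
    now = int(time.time()) if now is None else now
    sig = headers.get(SIGNATURE_HEADER, "")
    ts_raw = headers.get(TIMESTAMP_HEADER, "")
    if not sig or not ts_raw:
        return False, "missing signature or timestamp header"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "malformed timestamp"
    # Reject stale deliveries before doing any crypto, so replays are cheap to drop.
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False, "timestamp outside replay window"
    expected = sign(secret, ts, body)
    # Constant-time comparison: a plain == stops at the first differing byte.
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    return True, "ok"


# Constructed sample delivery. The secret and payload are made up for the example;
# the event name mirrors the "policy violation detected" event listed on the page.
SECRET = b"whsec_example_do_not_use"
SENT_AT = 1_700_000_000
BODY = json.dumps(
    {"event": "policy.violation.detected", "id": "evt_example_1"},
    separators=(",", ":"),
).encode("utf-8")
HEADERS = {SIGNATURE_HEADER: sign(SECRET, SENT_AT, BODY), TIMESTAMP_HEADER: str(SENT_AT)}

if __name__ == "__main__":
    print(verify(SECRET, HEADERS, BODY, now=SENT_AT + 10))     # genuine, fresh
    print(verify(SECRET, HEADERS, BODY + b" ", now=SENT_AT))   # body tampered
    print(verify(SECRET, HEADERS, BODY, now=SENT_AT + 3600))   # stale or replayed
```

Two further receiver-side habits are worth pairing with this: store the event id of each accepted delivery and drop duplicates within the replay window, since the retry feature means a legitimate event can arrive more than once, and keep the endpoint's work after verification idempotent for the same reason.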

