AI audit orchestrator enforces evidence-or-silence compliance checks
The `ai-audit-orchestrator` is an open-source read-only audit harness that runs a chain of single-purpose AI subagents over a repository, requiring every finding to cite a file path and line number or output "No evidence found."
Score breakdown
The harness directly counters LLM hallucination in compliance contexts by replacing narrative confidence with a mandatory citation-or-silence rule, making every audit finding independently verifiable by opening the cited line.
The `ai-audit-orchestrator` is an open-source audit harness published on GitHub by bohdan_t, designed to constrain AI coding agents to read-only, evidence-gated compliance auditing. Rather than letting an agent produce a reassuring narrative when asked about compliance readiness, the harness demands adversarial rigor: every finding must include a file path and line number, or the agent must write "No evidence found", never a guess. State is passed between subagents through a small "Resume Packet", and the agent is instructed not to fix, edit, run, or commit anything, and never to print secrets.
The README is candid that these are prompt-level constraints, not technical guarantees, and recommends running the harness in an environment that enforces read-only access at the infrastructure level.
The project explicitly distinguishes between Type I controls (a control that exists in code by design) and Type II controls (a control with durable proof that it actually ran), noting that most compliance claims fail at this split. The project was built by a single person who describes themselves as not writing code but directing AI; the auditing method that emerged from that process was extracted, anonymized, and released publicly.
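As an added example (not the project's own code; the page does not show its report format, so the one-finding-per-line layout of `<path>:<line> <statement>` or the literal "No evidence found" is an assumption), this is the check a reviewer would run over a subagent's report before trusting it. It goes one step past the prompt-level rule: besides requiring a citation or silence, it resolves each citation against the checkout and rejects nonexistent files, out-of-range line numbers, and paths that escape the repository.

```python
"""Check an audit report against the evidence-or-silence rule.

Added example, not code from ai-audit-orchestrator. The finding format is an
assumption: one finding per line, either the literal "No evidence found" or
"<repo-relative path>:<line> <statement>". Every citation is resolved against
the repository so a finding that cites a file or line that does not exist is
rejected exactly like a finding with no citation at all.
"""
import re
import tempfile
from pathlib import Path

SILENCE = "No evidence found"
# Assumed format: "<repo-relative path>:<line> <statement>"
CITATION_RE = re.compile(r"^(?P<path>\S+?):(?P<line>\d+)\s+(?P<claim>\S.*)$")


def validate_finding(finding: str, repo_root: str) -> tuple[bool, str]:
    """Accept only the silence string or a citation that resolves to a real
    line inside repo_root. Returns (ok, reason)."""
    text = finding.strip()
    if text == SILENCE:
        return True, "silence"
    match = CITATION_RE.match(text)
    if match is None:
        return False, "no path:line citation"
    root = Path(repo_root).resolve()
    target = (root / match["path"]).resolve()
    if root not in target.parents:  # blocks ../ escapes out of the repository
        return False, f"citation escapes repository: {match['path']}"
    if not target.is_file():
        return False, f"cited file does not exist: {match['path']}"
    lineno = int(match["line"])
    with target.open(encoding="utf-8", errors="replace") as fh:
        total = sum(1 for _ in fh)
    if not 1 <= lineno <= total:
        return False, f"line {lineno} out of range, file has {total} lines"
    return True, f"resolved {match['path']}:{lineno}"


def validate_report(report: str, repo_root: str) -> list[tuple[str, bool, str]]:
    """Validate every non-blank line of a subagent's report."""
    return [(line, *validate_finding(line, repo_root))
            for line in report.splitlines() if line.strip()]


# --- constructed sample input, not taken from any real audit -----------------
SAMPLE_SOURCE = """import hmac

def check_token(token, expected):
    # constant-time comparison
    return hmac.compare_digest(token, expected)
"""

SAMPLE_REPORT = """\
src/auth.py:5 token comparison uses hmac.compare_digest (Type I: control exists in code)
No evidence found
Authentication appears to be handled securely across the codebase
src/session.py:10 session tokens are rotated on login
src/auth.py:40 requests are rate limited
../../etc/shadow:1 credentials are stored outside the repository
"""


def build_sample_repo() -> str:
    """Write a throwaway repository containing only src/auth.py (5 lines)."""
    root = Path(tempfile.mkdtemp(prefix="audit-demo-"))
    (root / "src").mkdir()
    (root / "src" / "auth.py").write_text(SAMPLE_SOURCE, encoding="utf-8")
    return str(root)


def validate_sample() -> list[tuple[str, bool, str]]:
    """Run the validator over the constructed report against the sample repo."""
    return validate_report(SAMPLE_REPORT, build_sample_repo())


if __name__ == "__main__":
    for line, ok, reason in validate_sample():
        print("ACCEPT" if ok else "REJECT", "|", reason, "|", line)
```

Run it from outside the agent's sandbox, against the same read-only checkout the agent audited, so the agent cannot edit the repository to make a citation true after the fact. A finding that fails here is treated as a missing citation rather than as a weaker finding; the rule is binary by design.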
Key facts
1. Runs a chain of single-purpose audit subagents over a repository, one framework at a time
2. Every finding must carry a `path:line` citation or the literal string "No evidence found"
3. State is passed between subagents via a "Resume Packet"
4. Agents are instructed not to fix, edit, run, commit, or print secrets
5. Distinguishes Type I (design) from Type II (operating evidence) controls
6. Constraints are prompt-level, not technical guarantees; a read-only environment is recommended
7. Compatible with AI coding agents including Claude Code, Cursor, and Codex
Summary and scoring are generated automatically from the original article. We always link back to the publisher and never republish images or paywalled content. Last processed Jun 18, 2026 · 10:40 UTC.