Each of these looks like a product a competitor would sell you separately, with its own licence and its own database. Here they are the same engine with different rows, sharing one graph, one audit chain, and one place to configure them.
Planning, fieldwork, tests, samples, exceptions, reporting. The test carries its source, its sample size, the exceptions found and the rate. Last year's engagement and last year's issue carry forward, so a recurring finding is flagged as recurring, not rediscovered.
The opinion is a defined choice, not free text someone can fudge.
A risk is a node, not a spreadsheet row. It knows the controls that mitigate it, the entities it sits in, and the obligations it threatens, because those are edges in the graph. Score it from its own fields, and the residual updates when a control changes.
Risk lives on the record, wherever the record is.
A policy traces back to the citation and the regulation that require it, and forward to the controls that implement it. When a regulation changes, you can see every policy it touches. When an auditor asks why a policy exists, the answer is a path, not a memory.
A common control framework sits at the centre. Map a control to it once, and every framework you report against, ISO, NIST, CIS, reuses that mapping. Test the control once, and the result satisfies every obligation that leans on it. No more testing the same thing five times for five reports.
Obligations by jurisdiction and sector, each linked to the controls that satisfy it. Filter to the profile that matches you, listed or not, by region, by industry, and see exactly which obligations apply and which controls answer them. Coverage is a query, not a quarterly panic.
Vendor reviews with tiering, cadence and a named owner, on the same record shape as an audit test. A tier-one vendor review is not a different tool, it is the same engine with a vendor at the centre and a review cycle around it. Overdue is a state the platform knows, not a reminder someone forgot to set.
Findings, remediation, owners and due dates. An issue can point to the issue it followed, so the third time a control fails, that is on the record, not in someone's memory. Carry-forward is a link in the graph, which means "this keeps happening" is a fact you can query.
Evidence lives on the control it supports, not in a shared drive nobody trusts. And because the deterministic layer watches it, the day a piece of evidence goes stale, a source that moved, a document that expired, that is flagged before an auditor finds it first.
A filing deadline is only as good as where it came from. Each one in Amzaa carries the regulator page it was read from and the line the date appeared on. A human verifies it once. Then, with the AI switched off, the platform keeps re-reading that page and tells you the day the deadline changes or the source disappears.
When the agent cannot find a dated filing, it proposes nothing rather than guess.
Everything above was built in the same wizard, on the same engine, with no new code. The solution that fits your organisation and no one else's is built the same way.
Bring us the tenth