
Quick Summary: Oleria Trustfusion, an AI-native identity security platform, generates a complete Access Request Audit Pack for SOX compliance — continuously assembled from every request, approval, and provisioning event — so GRC teams hand the auditor evidence, not a spreadsheet project.
SOX auditors want every access-request decision evidenced: population, sample, test result, exception, remediation. Most GRC teams produce that evidence by hand at audit time — pulling CSVs from the IGA tool, screenshotting approval messages, and attaching them to a SharePoint folder. As Kevin Towey, Director Security GRC at Vimeo, puts it: "without that automatic integration, it's a manual audit process — continuously going through, line by line, permission by permission."
The work isn't the audit. It's the assembly. The data exists in the access-request workflow; getting it into the auditor's preferred format is what consumes weeks per cycle.
Oleria's MCP server exposes the audit trail to MCP-capable AI clients. Where the AI generates narrative, every claim cites back to the underlying access-request record. The auditor reads the narrative and validates against source data; the GRC lead reviews and refines tone before submission.
Audit prep on access-request control: Weeks → days
Cross-framework reuse: Same data, different mappings
Audit findings on access-request evidence: Eliminated
GRC lead time on assembly: Materially reduced

Oleria's audit trail and export feed the GRC tool — it doesn't replace it. The GRC tool tracks findings and remediation across many controls; Oleria provides the access-request evidence layer underneath one of those controls. CSV export is the integration point today; MCP-based queries serve live assembly; deeper API integration is on the roadmap.
Exceptions are first-class. Every request approved as an exception (out-of-policy duration, sensitive-app approval, etc.) carries its reason and approver in the audit record. The export's exception list shows them with full context. The auditor sees the exceptions and the justifications; nothing is hidden in free-text fields nobody reads.
Today, the export is CSV with a continuous audit trail behind it. Signed PDF / sealed evidence bundles are on the platform roadmap. The current evidence model relies on Oleria's audit trail integrity — every record timestamped, every action attributable, no after-the-fact modification. Auditors who require signed bundles can pair the CSV with their existing evidence-signing tooling.
Oleria runs an MCP (Model Context Protocol) server that exposes audit-trail records to MCP-capable AI clients — Claude, MCP Inspector, custom GRC tools. The GRC lead asks in natural language ("show every approval decision on regulated apps in Q1 with the peer-access context shown at decision time"); the response assembles live from underlying records with citations to source. No CSV stitching.
Per cycle: every access request submitted, approved, denied, provisioned, expired, or revoked. Per request: requester, app, justification, duration, approver, decision channel, decision rationale, peer-access context shown at decision time, provisioning result, expiry, revocation event.