Move from self-attestation to verifiable proof.
Mend.io continuously discovers, tests, and documents the security posture of your code and the AI inside it — turning the EU AI Act, CRA, EO 14028, NIST, OWASP, and ISO 42001 from checklists into audit-ready evidence for your compliance program, your board, and your regulators.
Challenges
AI changed what “compliant” means.
Compliance used to mean a scanned codebase, a vulnerability report, and a signed attestation. Today, regulators want more — and they want it continuously.
The regulatory bar keeps rising
The EU AI Act expects documented adversarial testing for high-risk AI systems. The Cyber Resilience Act expects an SBOM and ongoing vulnerability handling for any product with digital elements sold into the EU. Executive Order 14028 and the NIST SSDF require U.S. federal vendors to attest to specific secure software development lifecycle practices. NIST AI RMF, ISO 42001, and the OWASP LLM Top 10 are quickly becoming the de facto baseline for AI governance.
Legacy stacks weren’t built for this
Most security stacks weren’t built to produce that evidence. They were built to find vulnerabilities — not to inventory AI agents, harden system prompts, simulate adversarial attacks, or generate the attestation outputs your conformity assessment requires. Mend.io was.
Opportunities
Discover. Test. Document. Prove.
Compliance lives in the gap most tools miss — between code and AI. Mend.io closes that gap with a single platform that continuously inventories every component, tests it adversarially, and produces the evidence your stakeholders need.
Discover everything, including shadow AI
A continuously updated AI-BOM and SBOM across code, libraries, containers, dependencies, models, agents, RAGs, and system prompts. You can’t govern what you can’t see — we make sure you see all of it.
Test continuously, automate the proof
Automated AI red teaming and reachability-based code testing run on every build — not on a six-month audit cadence. Each test produces structured evidence mapped to the framework that asked for it.
Govern the full lifecycle
AI-SPM connects discovery, behavioral findings, compliance obligations, and remediation status in one governed workflow — the evidence layer your board, your auditors, and your regulators are starting to demand.
One solution. Every framework that matters.
Mend.io produces the technical evidence required by the regulations and standards driving modern security and AI governance programs. Here’s how each one maps.
EU AI Act
What it requires: Risk classification, technical documentation (Article 11), data governance (Article 10), security and accuracy testing (Article 15), post-market monitoring (Article 72), and third-party conformity assessment for high-risk systems.
How Mend.io helps: Mend AI generates a continuously updated AI-BOM covering every model, agent, RAG, and system prompt — the inventory required for technical documentation. Automated red teaming produces documented evidence of adversarial robustness testing under Article 15. AI-SPM gives compliance teams the post-market monitoring layer the Act expects, with traceable findings and remediation status.
EU Cyber Resilience Act (CRA)
What it requires: Secure-by-design evidence, vulnerability handling processes, an SBOM in machine-readable form, and ongoing security updates aligned to Annex I essential requirements.
How Mend.io helps: Mend AppSec produces standards-compliant SBOMs (CycloneDX, SPDX) and reachability-based prioritization so you remediate what’s actually exploitable. Mend Renovate delivers automated, confidence-driven dependency updates that map to CRA’s ongoing vulnerability-handling expectations. Open source license compliance is also a CRA obligation — Mend.io’s open source license compliance coverage ensures your license posture is documented alongside your security posture. Together they generate the CRA attestation outputs you need to declare conformity.
U.S. Executive Order 14028 / OMB M-22-18 & M-23-16
What it requires: Producer attestation against NIST SP 800-218 SSDF practices, machine-readable SBOMs, and — where relevant — evidence artifacts such as vulnerability disclosure reports.
How Mend.io helps: Mend AppSec maps directly to SSDF practices PW (Produce Well-Secured Software) and RV (Respond to Vulnerabilities), and outputs the SBOMs and evidence artifacts CISA expects when you file your Secure Software Development Attestation Form.
NIST SSDF (SP 800-218)
What it requires: Documented practices across four groups: Prepare the Organization (PO), Protect the Software (PS), Produce Well-Secured Software (PW), and Respond to Vulnerabilities (RV).
How Mend.io helps: Mend AppSec covers PS.1–PS.3 (protect software, provide artifacts to consumers), PW.4–PW.8 (reuse secure software, review code, test executable code), and RV.1–RV.3 (identify and confirm vulnerabilities, assess and remediate, analyze root cause). Every finding is logged with traceable, audit-ready evidence.
NIST AI Risk Management Framework (AI RMF 1.0 + GenAI Profile)
What it requires: A documented AI risk management approach across the four functions, with specific actions for generative AI systems including prompt-injection testing, data leakage prevention, and content provenance.
How Mend.io helps: Mend AI maps to all four functions. AI-BOM and discovery support Map. Automated red teaming and system prompt testing support Measure. Runtime guardrails and prompt hardening support Manage. AI-SPM provides the Govern layer — unifying inventory, behavioral findings, and remediation in one governed workflow.
OWASP LLM Top 10 & OWASP ASVS
What it requires: Defenses against LLM01 Prompt Injection, LLM02 Sensitive Information Disclosure, LLM03 Supply Chain, LLM04 Data and Model Poisoning, LLM05 Improper Output Handling, LLM06–LLM10, plus traditional ASVS controls for the surrounding application.
How Mend.io helps: Mend AI runs the LLM Top 10 attack patterns against every build via automated red teaming, hardens system prompts at the source, and enforces runtime guardrails in production. Mend AppSec covers the ASVS-aligned code, dependency, and supply-chain controls. Findings are tagged to LLM01–LLM10 in your evidence outputs.
ISO/IEC 42001 (AI Management Systems)
What it requires: A documented AI Management System (AIMS), AI impact assessments, lifecycle controls, and continuous improvement — supported by Annex A controls covering data, system development, and operations.
How Mend.io helps: Mend AI produces the technical control evidence (Annex A controls covering AI system lifecycle, impact assessment inputs, and operational monitoring) that your AIMS auditors will request — without forcing your team to manually assemble screenshots and exports.
ISO 27001, SOC 2, PCI DSS
What it requires: Evidence of change management, secure SDLC, vulnerability management, and software supply chain integrity.
How Mend.io helps: Mend.io outputs satisfy controls across ISO 27001 Annex A (A.5.23 information security for use of cloud services, A.8.25 secure development lifecycle, A.8.28 secure coding, A.8.29 security testing in development and acceptance), SOC 2 Common Criteria (CC7, CC8), and PCI DSS Requirement 6 (develop and maintain secure systems).
Built for every stakeholder in the audit chain.
Compliance doesn’t belong to one role. Mend.io gives the GRC team verifiable artifacts, the CISO a unified posture, and the security architect a defensible technical mapping — from one platform.
From capability to control — at a glance.
Use this mapping in your conformity assessments, vendor questionnaires, and audit prep.
|
Mend.io capability |
What it produces |
Frameworks it satisfies |
|---|---|---|
|
AI-BOM |
Continuous inventory of every model, agent, RAG, and system prompt — including shadow AI |
EU AI Act Art. 11, ISO 42001 Annex A, NIST AI RMF Map |
|
SBOM |
Machine-readable software bill of materials (CycloneDX, SPDX) |
CRA Annex I, EO 14028 / OMB M-23-16, NIST SSDF PS.3 |
|
Reachability analysis |
Exploitability-prioritized vulnerability findings |
NIST SSDF RV.2, CRA vulnerability handling |
|
SAST |
Static analysis findings with line-in-code traceability |
NIST SSDF PW.7, OWASP ASVS V1–V14, ISO 27001 A.8.28 |
|
SCA |
Open source and third-party vulnerability detection (incl. containers) |
NIST SSDF PW.4 / PS.3, EO 14028, CRA |
|
Mend Renovate |
Automated, confidence-driven dependency updates |
NIST SSDF PW.4, CRA ongoing security updates |
|
Automated AI red teaming |
Documented adversarial test results on every build |
EU AI Act Art. 15, NIST AI RMF Measure, OWASP LLM Top 10 |
|
System prompt hardening |
Hardened, version-controlled prompts with attack-resistance evidence |
NIST AI RMF Manage, OWASP LLM01 |
|
AI runtime protection |
Real-time behavioral guardrails and policy enforcement |
ISO 42001 Annex A operational controls, NIST AI RMF Manage |
|
AI-SPM |
Unified AI risk posture and remediation governance |
ISO 42001 AIMS, NIST AI RMF Govern, EU AI Act Art. 9 (risk management) |
The artifacts your auditors actually want.
Every Mend.io capability produces structured, exportable evidence. No screenshots. No spreadsheets. No reconstruction.
Mend.io is the only platform with full coverage across both the code layer and the AI logic layer. No pure-play competitor can claim both.
FAQs
Does Mend.io replace our GRC platform?
No. Mend.io produces the technical evidence that feeds your GRC platform. Findings, AI-BOMs, SBOMs, and control mappings export cleanly into systems like ServiceNow GRC, OneTrust, Drata, Vanta, and similar.
Are Mend.io’s SBOM and AI-BOM outputs machine-readable?
Yes. SBOMs export in CycloneDX and SPDX. AI-BOM exports in JSON for ingestion into governance and inventory systems, with CSV available for manual review.
How does Mend.io support EU AI Act conformity assessments?
Mend.io produces Article 11 technical documentation inputs (system inventory, training data lineage where surfaced, system architecture), Article 15 evidence (adversarial robustness, accuracy, cybersecurity testing), and Article 72 post-market monitoring data (ongoing posture, incident-relevant findings).
Can I use Mend.io for U.S. federal software attestation under EO 14028?
Yes. Mend.io maps directly to NIST SP 800-218 SSDF practices and produces the SBOMs, vulnerability evidence, and traceability needed for the CISA Secure Software Development Attestation Form.
Does Mend.io support self-hosted or sovereign-cloud deployments for regulated industries?
Yes. Mend.io supports both SaaS and self-hosted deployments to meet data residency, sovereign-cloud, and regulated-industry requirements. Talk to sales for specific deployment models.
How do I get from “we use Mend.io” to “we passed our audit”?
Three steps. (1) Connect your repos and AI environments — Mend.io builds the inventory automatically. (2) Run continuous discovery, testing, and red teaming — evidence accumulates with every build. (3) Export the AI-SPM dashboard, attestation outputs, and control mapping; hand them to your auditor.
Make your next audit the easiest one yet.
See how Mend.io turns the regulations driving your roadmap — EU AI Act, CRA, EO 14028, NIST, ISO 42001, OWASP — into evidence on every build.
