Everything you need to know about using Govantic.
Sign up for Govantic using Google OAuth (one-click) or with an email and password. During registration you'll be asked to accept the Terms of Service and Privacy Policy - this is required before accessing the platform.
After signing up, you'll land on your workspace dashboard. If you're the first user, you'll also be the workspace administrator.
A workspace is your organization's environment in Govantic. Every workspace comes pre-configured with:
Your first steps should be: upload your key documents to the Knowledge Base, configure an LLM provider for the Compiler Agent, and connect your first integration (like Slack).
The dashboard is your compliance command center. It shows six stat cards at a glance:
Each framework also has a compliance ring showing your current pass rate. The ring is green at 100%, orange for partial compliance, and red at 0%. Compliance is calculated from controls that have a passing test result, not just controls that exist.
Policies are your organization's high-level compliance documents - things like your Information Security Policy, Acceptable Use Policy, or Data Classification Policy. Upload them to Govantic and the Knowledge Compiler will extract structured requirements from each one.
Each policy supports revisions. When you update a policy, upload the new version and describe what changed. The compiler will re-extract requirements, and the old revision is archived with full history.
SOPs are your step-by-step operational procedures - incident response plans, change management processes, access review procedures, etc. They work exactly like Policies in terms of uploading, revisions, and compilation.
The Knowledge Compiler treats SOPs the same as Policies: it extracts requirements and maps them to the Govantic AI framework. The distinction between Policies and SOPs is organizational - it helps you categorize your knowledge base.
Source Documents are any other reference material that informs your compliance posture - vendor agreements, regulatory guidance, internal memos, training materials, etc. Govantic supports PDF, Word (.docx/.doc), Excel (.xlsx/.xls), and plain text files.
Each source document has a processing status: Unprocessed (waiting for the compiler), Processing (currently being compiled), Processed (requirements extracted), or Failed (compilation error). If a document fails, you can retry it from the grid.
All knowledge base entities (Policies, SOPs, Source Documents) support a full revision system. When you upload a new version:
The isCurrent flag indicates which revision is the active one. Only the current revision is used for compilation.
The Knowledge Compiler is an AI agent that reads your documents and extracts structured, enforceable requirements. Here's the flow:
When you upload a new revision, the compiler archives the old requirements and re-extracts from the updated content, using your change description to focus on affected areas.
The Knowledge Compiler (and other agents) need an LLM to operate. Go to Agents → Configure on the Compiler Agent card to set up your provider:
Each workspace has its own LLM configuration - your API key is stored securely and used only for your workspace's compilations. You can change providers at any time.
The Compiler Queue shows all compilation jobs with real-time status. Access it from the Compiler Agent card via View Queue. You'll see:
The queue auto-refreshes every 10 seconds so you can monitor progress in real time.
After compilation, requirements appear in the Requirements list with auto-generated codes (REQ-001, REQ-002, etc.). Each requirement includes:
After each compile, a consolidated markdown file is generated and stored. This acts as the AI "knowledge base" that monitoring agents use to evaluate communications and activities.
Govantic includes a curated catalog of compliance frameworks with 385+ pre-built requirements across:
Frameworks are added from the catalog - you never build them manually. Each framework comes with pre-mapped requirements and controls.
To add a framework, go to Frameworks → Add Framework. Before committing, you'll see a readiness ring showing how much of the framework you already cover. This percentage is based on controls that are already passing - not just controls that exist.
When you add a framework:
The GAP analysis page shows the difference between your current controls and what a framework requires. Click View Gap on any catalog framework to see:
This helps you understand your compliance posture before committing to a new framework.
The Govantic AI framework is unique - it's an internal compliance framework that enforces how your organization actually works, based on your own documents. It's auto-provisioned on every new workspace.
Unlike external frameworks (SOC 2, ISO 27001), the Govantic AI framework:
Track your compliance progress in multiple places:
Compliance percentage = (controls with passing test results) / (total in-scope controls). Out-of-scope controls are excluded from the calculation.
Requirements are the atomic compliance obligations your organization must meet. They come from two sources:
Each requirement can be mapped to one or more controls (which enforce it) and one or more frameworks (which require it).
Every requirement has a unique code within your workspace:
Codes are workspace-scoped and deterministic - recompiling the same document produces the same codes.
On a requirement's detail page, you'll see:
You can filter the Requirements list by framework using the dropdown filter. Click from a framework detail page to see only that framework's requirements.
Controls are the mechanisms that enforce your requirements. They're organized by category (not by agent type) in a flat, filterable list. Each control card shows:
Click any control to see its full detail: linked requirements, frameworks, monitoring test history, and evidence.
Integrations connect Govantic to your tools. The architecture is integration-first: you connect an integration once, and it unlocks the controls that use it.
Currently supported integrations:
Go to Integrations in the sidebar to connect. Each integration has a configuration panel where you enter credentials and adjust settings.
All controls are in-scope by default when provisioned. If a control doesn't apply to your organization, mark it as Out of Scope:
To bring a control back, click Include - the exclusion reason is cleared. Use the status filter (Active / Out of Scope / All) to switch between views.
Every control tracks its health based on monitoring test results:
Health badges appear on both the controls list and the control detail page. The health status is updated automatically every time an agent runs a monitoring test.
The Monitoring Tests page shows every agent test run across all controls. Access it from the sidebar. You can filter by:
Each row shows the agent type icon, control name, result badge, and timestamp. Click any row to open a structured detail modal with the full test information.
You can trigger a retest on any control from the control detail page by clicking the Retest button. This sends a signed request (HMAC-SHA256) to the appropriate agent asking it to re-evaluate the control.
The retest runs asynchronously - refresh the page or check the Monitoring Tests tab to see the result once it completes.
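The signed retest request described above, sketched as an added example (not Govantic's own code): one side signs the request body with HMAC-SHA256, and the agent verifies the tag in constant time before rejecting stale or replayed requests. The shared secret, JSON field names, nonce, control ID and 300-second freshness window are assumptions for illustration; the actual request format is not documented here.

```python
import hashlib
import hmac
import json
import time

# Assumed values for illustration: the secret, field names and freshness
# window are hypothetical, not Govantic's documented request format.
SHARED_SECRET = b"constructed-demo-secret"
MAX_SKEW_SECONDS = 300


def sign_retest(control_id, nonce, timestamp, secret=SHARED_SECRET):
    """Sender side: serialize the request and compute its HMAC-SHA256 tag."""
    body = json.dumps(
        {"action": "retest", "control_id": control_id,
         "nonce": nonce, "timestamp": timestamp},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return body, tag


def verify_retest(body, tag, seen_nonces, now=None, secret=SHARED_SECRET):
    """Agent side: return the parsed request, or None if it must be rejected."""
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    # Parse only after the tag verifies, so unauthenticated input is
    # never interpreted as a request.
    request = json.loads(body)
    now = time.time() if now is None else now
    if abs(now - request["timestamp"]) > MAX_SKEW_SECONDS:
        return None  # stale or future-dated request
    if request["nonce"] in seen_nonces:
        return None  # replay of a request that was already accepted
    seen_nonces.add(request["nonce"])
    return request
```

The tag is computed over the exact bytes received, so the agent must verify the raw body rather than a re-serialized copy of the parsed JSON.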
Every monitoring test result can be downloaded as a branded PDF report. The report includes structured sections:
You can also download the raw JSON. PDF reports are useful for sharing test evidence with auditors.
The Evidence Library is where you store all compliance artifacts - screenshots, reports, certificates, audit logs, etc. To upload evidence:
Implementation guidance is shown as a collapsible section on the evidence detail page.
Each artifact can have its own renewal schedule:
Renewal dates are auto-computed from the creation date plus the cadence. When an artifact's renewal date passes, it's flagged for renewal. All artifacts must have a renewal schedule.
When you renew an artifact, the old version is archived and a fresh artifact is created. This preserves a full history of every version - useful for demonstrating ongoing compliance to auditors.
You can also delete an artifact and upload a replacement if you don't need to keep the historical record.
Govantic agents are AI-powered workers that continuously monitor your organization for compliance. Each agent is a long-running service with its own repository and deployment. The Agent Status page shows all agents with their configuration and health.
Current agents:
Each agent needs an LLM provider configured. Go to the agent card and click Configure to set your API key and choose between OpenAI and Claude.
The Communication Agent monitors your Slack workspace in real time. It evaluates every message against your compiled requirements using a two-pass system:
Only confirmed violations create incidents. The agent uses rich context including channel topic, company name, user job titles, and bot message detection to minimize false positives.
To set up the Communication Agent with Slack:
The agent processes messages in a 10-minute window - it only evaluates recent messages. If the agent was offline, messages older than 10 minutes are skipped to avoid stale alerts.
Use a dedicated test channel to safely test the agent end-to-end without creating real incidents.
Mention the Govantic bot in any Slack channel or thread to ask compliance questions. The bot uses your compiled requirements to answer in context. This works in both public channels and private channels where the bot has been invited.
The Communication Agent can send proactive reminders about policies before issues happen. When the agent detects a conversation that could lead to a violation, it posts a friendly nudge as a thread reply instead of flagging it as an incident.
Reminders are also posted to a dedicated reminders channel for managers to review.
Keep your team sharp with fun, LLM-generated compliance quizzes. Configure quizzes in the Slack integration settings:
Quizzes are delivered as DMs to all channel members with multiple-choice answers. Users can choose A, B, C, or "Teach me!" to get an explanation. The quizzes use light humor and quirky scenarios - they're designed to be engaging, not boring corporate training.
The Communication Agent automatically detects personally identifiable information (PII) in Slack messages, including:
PII violations are flagged through the same two-pass evaluation system as other compliance violations.
Under Settings → Organization, create Business Units to represent your organizational structure (Engineering, Sales, Finance, etc.). Each unit has:
Personnel can belong to one or many business units.
The Organization Chart is auto-generated from your Business Units and personnel assignments. It provides a visual hierarchy of your organization. This view is useful for auditors who need to understand your reporting structure and personnel security controls.
Define Security Roles to track who in your organization is qualified for specific security functions. The Skills Matrix tab provides a cross-reference view of:
This is essential for SOC 2 and ISO 27001 personnel security controls.
The Personnel register tracks everyone in your organization relevant to compliance. Each person can be linked to:
Register your cloud infrastructure by category:
Each resource has a name, category, and assigned administrator from your personnel records.
Track on-premises infrastructure: servers, routers, switches, firewalls, and other networking equipment. Physical resources are linked to locations and administrators for complete asset tracking.
Register company laptops, desktops, and other endpoint devices. Each computer is associated with a personnel record, creating a clear chain of custody for device management and endpoint security controls.
Track your offices and work locations. Locations are linked to personnel records so you can see who works where. This supports physical security controls required by SOC 2 and ISO 27001.
The Asset Inventory provides a unified view of every entity in your workspace: documents, evidence, personnel, computers, cloud resources, physical assets, vendors, and customers.
This page is essential for SOC 2 and ISO 27001 asset management controls that require a complete inventory.
Track your third-party vendors with contact details and risk classification. The vendor register helps you meet SOC 2 vendor management requirements by maintaining a central record of all third parties with access to your systems or data.
Track your customers and the commitments you've made to them. Each customer entry can include contracts, SLA terms, and specific obligations.
Manage contracts with SLA obligations for both vendors and customers. The obligations column is surfaced directly in the contracts grid with full filtering and sorting, making it easy to review commitments during audits.
If you're migrating from Drata, Govantic can import your existing evidence library. The import wizard:
Access the import from the sidebar (internal tools, available to workspace administrators).
Support for importing from Vanta, Sprinto, and other GRC platforms is in progress. Contact us if you need help migrating from a specific platform.