Everything you need to know about using Govantic.
Sign up for Govantic using Google OAuth (one-click) or with an email and password. During registration you'll be asked to accept the Terms of Service and Privacy Policy - this is required before accessing the platform.
After signing up, you'll land on your workspace dashboard. If you're the first user, you'll also be the workspace administrator.
A workspace is your organization's environment in Govantic. Every workspace comes pre-configured with:
Your first steps should be: upload your key documents to the Knowledge Base, configure an LLM provider for the Compiler Agent, and connect your first integration (like Slack).
The dashboard is your compliance command center. It shows six stat cards at a glance:
Each framework also has a compliance ring showing your current pass rate. The ring is green at 100%, orange for partial compliance, and red at 0%. Compliance is calculated from controls that have a passing test result, not just controls that exist.
Policies are your organization's high-level compliance documents - things like your Information Security Policy, Acceptable Use Policy, or Data Classification Policy. Upload them to Govantic and the Knowledge Compiler will extract structured requirements from each one.
Each policy supports revisions. When you update a policy, create a new revision and describe what changed. The compiler will re-extract requirements, and the old revision is preserved with full history. You can restore any previous version with one click (this creates a new revision) or download any version as a PDF.
Policies are authored with a rich text editor featuring a full formatting toolbar: bold, italic, underline, strikethrough, headings, bullet and numbered lists, text alignment (left, center, right, justify), font size, font color, background highlight, tables, links, images, code blocks, blockquotes, and horizontal rules. Copy-pasting from Word, PDFs, and web pages preserves formatting, colors, and tables.
SOPs are your step-by-step operational procedures — incident response plans, change management processes, access review procedures, etc. They share the same revision system, compilation, archiving, and PDF export as Policies.
SOPs use a structured step editor with a split-panel layout. The left sidebar shows your numbered step list, and the right panel opens the full rich text editor for the selected step. Each step has:
Legacy SOPs created before the step editor was introduced continue to work — their content is displayed as a single block. You can restructure them into steps at any time by creating a new revision.
The Knowledge Compiler treats SOPs the same as Policies: it extracts requirements and maps them to the Govantic AI framework. The distinction between Policies and SOPs is organizational — it helps you categorize your knowledge base.
Source Documents are any other reference material that informs your compliance posture — vendor agreements, regulatory guidance, internal memos, training materials, etc. Govantic supports PDF, Word (.docx/.doc), Excel (.xlsx/.xls), and plain text files.
Bulk upload — drag and drop multiple files at once onto the upload area, or click to select them from your file browser. Each file shows individual upload progress, an editable display name, and an auto-detected category based on the filename. Files are uploaded sequentially so you can monitor progress.
Each source document has a processing status: Unprocessed (waiting for the compiler), Processing (currently being compiled), Compiled (requirements extracted), or Failed (compilation error). If a document fails, you can retry it from the grid.
All knowledge base entities (Policies, SOPs, Source Documents) support a full revision system. When you upload a new version:
The current revision is the active one used for compilation. You can restore any previous revision — this creates a new revision with the old content, preserving the complete history chain.
Policies and SOPs can be archived (soft-deleted) when they're no longer active. Archived documents are read-only — you cannot create new revisions or edit descriptions.
Download any Policy or SOP as a branded PDF with the document title, version number, and date. You can download:
The PDF preserves all formatting from the rich text editor including text alignment, colors, highlights, tables, and images.
The Knowledge Compiler is an AI agent that reads your documents and extracts structured, enforceable requirements. Here's the flow:
When you upload a new revision, the compiler archives the old requirements and re-extracts from the updated content, using your change description to focus on affected areas.
The Knowledge Compiler (and other agents) needs an LLM to operate. Go to Agents → Configure on the Compiler Agent card to set up your provider:
Each workspace has its own LLM configuration - your API key is stored securely and used only for your workspace's compilations. You can change providers at any time.
The Compiler Queue shows all compilation jobs with real-time status. Access it from the Compiler Agent card via View Queue. You'll see:
The queue auto-refreshes every 10 seconds so you can monitor progress in real time.
After compilation, requirements appear in the Requirements list with auto-generated codes (REQ-001, REQ-002, etc.). Each requirement includes:
After each compile, a consolidated markdown file is generated and stored. This acts as the AI "knowledge base" that monitoring agents use to evaluate communications and activities.
Govantic includes a curated catalog of compliance frameworks with 385+ pre-built requirements across:
Frameworks are added from the catalog - you never build them manually. Each framework comes with pre-mapped requirements and controls.
To add a framework, go to Frameworks → Add Framework. Before committing, you'll see a readiness ring showing how much of the framework you already cover. This percentage is based on controls that are already passing - not just controls that exist.
When you add a framework:
The GAP analysis page shows the difference between your current controls and what a framework requires. Click View Gap on any catalog framework to see:
This helps you understand your compliance posture before committing to a new framework.
The Govantic AI framework is unique - it's an internal compliance framework that enforces how your organization actually works, based on your own documents. It's auto-provisioned on every new workspace.
Unlike external frameworks (SOC 2, ISO 27001), the Govantic AI framework:
Track your compliance progress in multiple places:
Compliance percentage = (controls with passing test results) / (total in-scope controls). Out-of-scope controls are excluded from the calculation.
Requirements are the atomic compliance obligations your organization must meet. They come from two sources:
Each requirement can be mapped to one or more controls (which enforce it) and one or more frameworks (which require it). Description fields support rich text editing with full formatting. Requirements and Controls are edited on dedicated full-width pages (not modals).
In addition to compiled and framework requirements, you can create requirements manually from the Requirements page. Manual requirements:
Manually edited requirements (whether originally compiled or manually created) are protected during recompilation — the Knowledge Compiler will not overwrite your changes when processing new document revisions.
Requirements are organized into categories within each framework. Use the category dropdown on the Requirements page to filter — select a framework first, then pick a category.
Govantic AI categories are automatically assigned by the Knowledge Compiler when it extracts requirements from your documents. The same category filter is available on the Controls page when a framework is selected.
Every requirement includes a "What auditors look for" section on its detail page. This field explains what evidence, processes, and documentation auditors typically expect when evaluating the requirement.
Use this guidance to prepare for audits — it tells you what to have ready before the auditor asks. The guidance is displayed in a highlighted box below the requirement description.
Every requirement has a unique code within your workspace:
Codes are workspace-scoped and deterministic - recompiling the same document produces the same codes.
On a requirement's detail page, you'll see:
You can manually map or unmap requirements to controls and frameworks from the requirement detail page. Adding or removing a requirement from the Govantic AI framework automatically triggers a knowledge base regeneration so monitoring agents stay up to date.
Filter the Requirements list by framework using the dropdown filter. Click through from a framework detail page to see only that framework's requirements.
Controls are the mechanisms that enforce your requirements. They're categorized by how they are satisfied, with filter cards at the top of the Controls page showing per-type counts:
Each control card shows a health badge (Passing, Failing, Erroring, or Not Tested) and the control's category and severity. Click any control to see its full detail: linked requirements, frameworks, policies, evidence, responsible person, and monitoring test history.
Every control has a type that describes how it is satisfied. The Controls page shows filter cards at the top — one per type — with counts so you can quickly focus on a specific category:
Click any filter card to show only controls of that type. Click again to clear the filter and see all controls.
Each control can have a responsible person assigned from your personnel register. This tracks who is accountable for the control's compliance posture.
Integrations connect Govantic to your tools. The architecture is integration-first: you connect an integration once, and it unlocks the controls that use it.
Currently supported integrations:
Go to Integrations in the sidebar to connect. Each integration has a configuration panel where you enter credentials and adjust settings.
All controls are in-scope by default when provisioned. If a control doesn't apply to your organization, mark it as Out of Scope:
To bring a control back, click Include - the exclusion reason is cleared. Use the status filter (Active / Out of Scope / All) to switch between views.
Every control tracks its health based on monitoring test results:
Health badges appear on both the controls list and the control detail page. The health status is updated automatically every time an agent runs a monitoring test.
The Monitoring Tests page shows every agent test run across all controls. Access it from the sidebar. You can filter by:
Each row shows the agent type icon, control name, result badge, and timestamp. Click any row to open a structured detail modal with the full test information.
You can trigger a retest on any control from the control detail page by clicking the Retest button. This sends a signed request (HMAC-SHA256) to the appropriate agent asking it to re-evaluate the control.
The retest runs asynchronously - refresh the page or check the Monitoring Tests tab to see the result once it completes.
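How a receiving agent could check such a signed retest request before acting on it, as an added example that is not Govantic's own code. The page states only that the request is signed with HMAC-SHA256, so the signed layout (`<timestamp>.<body>`), the timestamp and signature values passed in, the five-minute freshness window, and every name below are assumptions.

```python
import hashlib
import hmac
import time

# Constructed sample values for illustration; not real Govantic data.
SECRET = b"constructed-demo-secret"
BODY = b'{"control_id": "CTRL-EXAMPLE", "action": "retest"}'
MAX_SKEW_SECONDS = 300  # assumed replay window, not a Govantic setting


def sign_retest(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over "<timestamp>.<body>" (assumed layout)."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_retest(secret, timestamp_value, signature_value, body, now=None):
    """Receiver side: return (accepted, reason) for one incoming request."""
    now = time.time() if now is None else now
    try:
        timestamp = int(timestamp_value)
    except (TypeError, ValueError):
        return False, "bad timestamp"
    # Reject old or future-dated requests so a captured one cannot be replayed.
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    # Recompute the MAC over the raw body bytes exactly as received;
    # re-serialising parsed JSON first would change the bytes and the MAC.
    expected = sign_retest(secret, timestamp, body)
    supplied = (signature_value or "").strip().lower()
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad signature"
    return True, "ok"
```

Because the timestamp is part of the signed message, changing it to slip past the freshness check also invalidates the signature.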
Every monitoring test result can be downloaded as a branded PDF report. The report includes structured sections:
You can also download the raw JSON. PDF reports are useful for sharing test evidence with auditors.
The Evidence Library is where you store all compliance artifacts - screenshots, reports, certificates, audit logs, etc. To upload evidence:
Implementation guidance is shown as a collapsible section on the evidence detail page.
Each artifact can have its own renewal schedule:
Renewal dates are auto-computed from the creation date plus the cadence. When an artifact's renewal date passes, it's flagged for renewal. All artifacts must have a renewal schedule.
When you renew an artifact, the old version is archived and a fresh artifact is created. This preserves a full history of every version - useful for demonstrating ongoing compliance to auditors.
You can also delete an artifact and upload a replacement if you don't need to keep the historical record.
Govantic agents are AI-powered workers that continuously monitor your organization for compliance. Each agent is a long-running service with its own repository and deployment. The Agent Status page shows all agents with their configuration, health, and queue status — including the Knowledge Compiler queue with pending, running, completed, and failed jobs.
Current agents:
Each agent needs an LLM provider configured. Go to the agent card and click Configure to set your API key and choose between OpenAI and Claude.
The Communication Agent monitors your Slack workspace in real time. It evaluates every message against your compiled requirements using a two-pass system:
Only confirmed violations create incidents. The agent uses rich context including channel topic, company name, user job titles, and bot message detection to minimize false positives.
To set up the Communication Agent with Slack:
The agent processes messages in a 10-minute window - it only evaluates recent messages. If the agent was offline, messages older than 10 minutes are skipped to avoid stale alerts.
Use a dedicated test channel to safely test the agent end-to-end without creating real incidents.
Mention the Govantic bot in any Slack channel or thread to ask compliance questions. The bot uses your compiled requirements to answer in context. This works in both public channels and private channels where the bot has been invited.
The Communication Agent can send proactive reminders about policies before issues happen. When the agent detects a conversation that could lead to a violation, it posts a friendly nudge as a thread reply instead of flagging it as an incident.
Reminders are also posted to a dedicated reminders channel for managers to review.
Keep your team sharp with fun, LLM-generated compliance quizzes. Configure quizzes in the Slack integration settings:
Quizzes are delivered as DMs to all channel members with multiple-choice answers. Users can choose A, B, C, or "Teach me!" to get an explanation. The quizzes use light humor and quirky scenarios - they're designed to be engaging, not boring corporate training.
The Communication Agent automatically detects personally identifiable information (PII) in Slack messages, including:
PII violations are flagged through the same two-pass evaluation system as other compliance violations.
Under Settings → Organization, create Business Units to represent your organizational structure (Engineering, Sales, Finance, etc.). Each unit has:
Personnel can belong to one or many business units.
The Organization Chart is auto-generated from your Business Units and personnel assignments. It provides a visual hierarchy of your organization. This view is useful for auditors who need to understand your reporting structure and personnel security controls.
Define Security Roles to track who in your organization is qualified for specific security functions. The Skills Matrix tab provides a cross-reference view of:
When creating a security role, an "Assign as responsible for unassigned controls" toggle (on by default for top-level roles) lets you bulk-assign all currently unassigned controls to the first person in that role. The role with the lowest ordinal is used for auto-assignment when controls are imported or activated.
This is essential for SOC 2 and ISO 27001 personnel security controls.
The Personnel register tracks everyone in your organization relevant to compliance. Each person can be linked to:
Register your cloud infrastructure by category:
Each resource has a name, category, and assigned administrator from your personnel records.
Track on-premise infrastructure: servers, routers, switches, firewalls, and other networking equipment. Physical resources are linked to locations and administrators for complete asset tracking.
Register company laptops, desktops, and other endpoint devices. Each computer is associated with a personnel record, creating a clear chain of custody for device management and endpoint security controls.
Track your offices and work locations. Locations are linked to personnel records so you can see who works where. This supports physical security controls required by SOC 2 and ISO 27001.
The Asset Inventory provides a unified view of every entity in your workspace: documents, evidence, personnel, computers, cloud resources, physical assets, vendors, and customers.
This page is essential for SOC 2 and ISO 27001 asset management controls that require a complete inventory.
Track your third-party vendors with contact details and risk classification. The vendor register helps you meet SOC 2 vendor management requirements by maintaining a central record of all third parties with access to your systems or data.
Track your customers and the commitments you've made to them. Each customer entry can include contracts, SLA terms, and specific obligations.
Manage contracts with SLA obligations for both vendors and customers. The obligations column is surfaced directly in the contracts grid with full filtering and sorting, making it easy to review commitments during audits.
If you're migrating from Drata, Govantic can import your entire compliance program — evidence, frameworks, requirements, controls, and mappings. Enter your Drata API key and workspace ID once, then use either import action:
Combined, these two imports give you a complete one-click migration from Drata. Access the import page from the sidebar (internal tools, available to workspace administrators).
Support for importing from Vanta, Sprinto, and other GRC platforms is in progress. Contact us if you need help migrating from a specific platform.
Our team is here to help.