u/Sweaty-Ad5953

The importance of contract analysis before signing.

Hey everyone.

So honestly I was analyzing my old offer letters and I found some laws that could have been really dangerous.
Most of them said something like:

"You shall keep strictly confidential details of your salary and employment benefits within and outside the company. You shall not disclose or divulge any confidential information related to the Company’s business or its customers which may come to your knowledge or possession during the tenure of your employment, and which should not be disclosed or made public save in the course of the proper execution of your duties."

I realized that this prohibits me from even sharing anything with a lawyer about a dispute with the company itself; I can't share confidential information with them. This clause doesn't permit that.

That single carve-out — "proper execution of duties" — is extremely narrow. It only covers things you need to share to do your job. That's it.

So here I thought the company's intention wasn't right, and honestly, I have barely ever analyzed the documents I sign.

I want to know: how important is contract analysis before signing? I mean, is it really frequent that an unexpected clause hurts for sure?

Also, earlier there was no LLM or GPT, so this was a hard thing that needed legal people, but with LLMs has the situation become easier?

How is your experience with Claude and others? I used it honestly and it pointed this out to me, but it was hard to understand initially why it was saying that. I thought it might be hallucinating or something else. However, when I showed it to a legal guy he explained the interpretation to me, showing the exact clause in the PDF.

What's your opinion here, guys?

reddit.com
u/Sweaty-Ad5953 — 3 days ago

Having trust issues now with so many AIs on the market. All seem confident and act like they know what I am searching for in a document better than I do.

I’ve been experimenting with AI-based document/contract analysis recently, and one thing keeps bothering me:

Most AI contract reviewers feel like black boxes. I barely know how exactly they perform the analysis, and the weird thing is every LLM points out something new apart from the common issues. Now I don't really understand whether the others missed this finding by mistake or were designed to ignore a few things.

Honestly, I am so confused sometimes about how to use these GPTs. I mean sometimes I use a neutral Claude as a judge, give it all the other LLMs' answers, blindly pick up the facts that are common, then read the unique findings and decide whether or not to include them in my final findings report. For small documents it feels like overdoing it, as now I am reading the summaries of like 3 LLMs, which takes more time than reading a small document. For larger ones it helps, though, and usually accelerates my speed of reviewing or analyzing.

I wonder how you guys are using it?

Thought processes are useful, but they are even bigger to read. Do you guys feel the same tension using LLMs?

This is my theory, but I honestly think LLMs are being used in the wrong way. They are really good extractors tbh, but not the best responders. What I mean is that to generate a response it just predicts what words should come next, and thus with all that pattern matching it eventually makes sentences which are contextually aligned and make sense, but there is no way I can honestly say, yeah, it has thought through all the angles. Especially for high-stakes contracts.

I think we should restrict the blind use of LLMs and use deterministic rules as the brain rather than the LLM as the brain, which is what I am seeing most document analyzers do. It's still really useful for its sheer speed of processing documents. If a dumb job needs to be done where the stakes are low, then an LLM is good.

Are you guys also feeling this pain?

I built this wrapper doing exactly that, where I believe the analysis done for any document is backed by

  • exact evidence,
  • why the conclusion was reached,
  • what source was used,
  • what the AI could NOT verify.

And all of these with a confidence level.

Not some wrapper where the LLM produces AI slop with no meaningful information and sounds like an OG who knows what I want better than me. Sometimes they act stupid.

Anyway, what's your take on this? Do you think there is a necessity for this?

u/Sweaty-Ad5953 — 6 days ago
▲ 0 r/AskSF

Hey Folks,

I have built an evidence linter for SOC2 audit prep. Basically it takes an IAM list and a termination list and creates a report that could be helpful for audit readiness. Looking to connect with founders who have recently been through, or are trying to do, SOC2.

u/Sweaty-Ad5953 — 12 days ago

Need someone who understands and has experience with SOC2.

I am looking for people who are experienced in SOC2 audits. I have some questions, and help is highly appreciated.

u/Sweaty-Ad5953 — 13 days ago

Built a small SOC2 CC6.1 “evidence linter” over the last few weeks and would genuinely appreciate feedback from people who’ve actually dealt with audits/access reviews.

Current scope is intentionally narrow:

Input:

  • HR termination export
  • IAM/IdP export (CSV/Excel/JSON)

Engine runs deterministic checks like:

  • terminated employee still active
  • post-termination login activity
  • missing MFA on privileged accounts
  • stale active users
  • join failures between HR + IAM datasets
  • missing IPE fields/timestamps

The interesting part for me wasn’t detecting violations — it was discovering how messy the evidence itself usually is:

  • missing identifiers
  • no export timestamps
  • inconsistent usernames
  • partial exports
  • unclear account status fields

A lot of SOC2 pain seems less about “security controls” and more about proving them with audit-acceptable evidence.

I’m specifically trying to understand:

  • does this solve a real operational problem?
  • would security/compliance teams ever upload this data to a cloud service?
  • are deterministic “pre-audit lint checks” actually useful before an auditor samples evidence?

Not trying to replace auditors or automate SOC2 end-to-end. More interested in whether constrained evidence validation has practical value.

Would appreciate blunt feedback from anyone who has handled CC6/access review evidence in practice.

u/Sweaty-Ad5953 — 13 days ago

Hi,

I am actually looking to understand the SOC2 process and how SOC2 auditing happens. This is what I understand are generally the parts of it.

  1. Create policy

  2. Validate policy and get type 1 done through some auditor

  3. Implement controls

  4. Collect evidence

  5. Get Type 2 done with some auditor.

  6. If the auditor has a qualified opinion, resolve it, go back to 4 and perform the steps again until you get clearance.

So what exactly is the hardest part in all of these? Do you think an AI that would give a pre-audit report of what potentially happens when the auditor is in the room would be helpful?

u/Sweaty-Ad5953 — 15 days ago
▲ 14 r/indiehackersindia+7 crossposts

Hey ,

Building a SOC2 compliance AI, using a deterministic LLM which is transparent and traceable.
I'm testing a way to make auditing done by AI transparent, which says why it caught a "Head of Engineering" self-signing a security exception that contradicted the company's own root Policy PDF.

It also flagged legacy RSA-1024 encryption being used in a vendor integration that the Board had "accepted" in the minutes, but which the Policy explicitly forbade.

Full report : https://spellout.in/compliance/reports/72742151-988d-4c15-bb3b-bb7a08aed854

Curious to hear from the SecOps crowd—does your current automation catch cross-document contradictions like this?

u/Sweaty-Ad5953 — 3 days ago

I’ve been building a project called Spellout to address a problem I kept hitting: LLMs are great for creative tasks, but they are "guessy" when it comes to high-stakes compliance/legal docs. In the compliance and legal field, a hallucination is a dealbreaker.

I decided to move away from pure black-box models. I’m building what I call a Verifiable Reasoning Layer. Instead of just giving a Yes/No answer on a document check, the engine is forced to "show its work" by mapping out a transparent logic trail. It basically treats compliance as a deterministic logic problem rather than a probabilistic guessing game.

My goal is to make the AI reasoning reliable enough that you don't have to second-guess the output.

I’m a solo dev and I’ve just pushed the first compliance workflow live (SOC2 framework). I’m looking for some collaborative feedback from this community. If you’ve dealt with the headache of manual document audits or are skeptical about using AI for strict regulatory work, I’d love for you to poke at the logic of my MVP.

I’m not looking to sell anything—I just need a reality check on whether this "transparent reasoning" approach actually solves the trust problem for you.

If you’re open to trying it and giving some honest, builder-to-builder feedback, let me know and I’ll DM you the access.

u/Sweaty-Ad5953 — 18 days ago
▲ 1 r/SaaS

Been working on a project to address the reliability issues I’ve run into when using standard LLMs for compliance work. We all know that probabilistic models can be great, but they often "guess" when they should be strictly reasoning through a document.

I’ve spent the last few months building a version of a "white-box" engine. Instead of a black-box output, it’s designed to show the actual logic path it took to verify a document against a compliance rule. The goal is to make the AI response generation transparent so anyone can actually trust the result.

It’s still early, and I’m a solo dev looking for some collaborative feedback. I’ve just launched the compliance workflow and I’d love to have a few people try to break the logic. If you deal with compliance and have 10 minutes to run a doc through it, I’d really appreciate your thoughts on where the reasoning falls short or where the UX is confusing.

Drop a comment and I'll send you a link to the sandbox.

u/Sweaty-Ad5953 — 18 days ago

Hello People.
Most AI compliance tools just summarize documents. I wanted something that actually audits the data.

I’ve built an MVP of an Audit Assistant that uses formal logic to find mismatches between what your policy says and what your system actually did.

The Stack/Logic:

  • Deterministic: It’s not just a Large Language Model. It uses symbolic logic to ensure that if a policy says "MFA is required," and a log shows mfa: false, it flags it 100% of the time without "hallucinating" a reason.
  • Two Models: I’ve trained it on India (RBI/SEBI) for fintechs and Global (SOC2) for SaaS.
  • Privacy-First: I hate 6-month IT security reviews as much as you do. This requires Zero API access. You just drop sanitized JSON/CSV logs and a policy PDF.

I need help: I’m looking for 3-5 people (Auditors, CTOs, or Compliance Leads) to stress-test the engine. Give me a sanitized policy and a month of logs, and I’ll give you the deficiency report.

I’m in the early MVP stage, so I am validating how helpful the AI agent would be as a compliance auditing assistant.

DM me or comment if you want to run a test file.

u/Sweaty-Ad5953 — 26 days ago
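The deterministic checks described in the CC6.1 "evidence linter" post (terminated employee still active, post-termination login, missing MFA on privileged accounts, stale active users, join failures, missing IPE timestamps) and the "policy says MFA is required, log says mfa: false, flag it every time" rule from the Audit Assistant post can both be expressed as plain rule code over two exports. The block below is an added illustration written for this page; it is not Spellout's code or any project's actual engine. The CSV column names, the `POLICY` thresholds, the `AS_OF` date and both exports are constructed assumptions, chosen so that every rule and the "could not verify" path fire at least once. Each finding carries the rule that fired, the row it applies to, the evidence, and a confidence level, which is the shape of output the posts argue for.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample exports for illustration only (not real data).
# Column names are assumptions; real HR/IdP exports differ, which is why join failures happen.
HR_EXPORT = """employee_id,email,status,termination_date
E001,alice@example.com,active,
E002,bob@example.com,terminated,2024-03-01
E003,carol@example.com,terminated,2024-02-10
E004,dave@example.com,active,
"""

IAM_EXPORT = """user_id,email,account_status,mfa_enabled,privileged,last_login
U1,alice@example.com,active,true,true,2024-03-20
U2,bob@example.com,active,true,false,2024-03-05
U3,Carol@Example.com,disabled,false,false,2024-02-01
U4,dave@example.com,active,false,true,2024-01-02
U5,eve@example.com,active,true,false,2024-03-19
U6,frank@example.com,active,,true,
"""

AS_OF = datetime(2024, 3, 21)  # assumed date the access review is performed
# Assumed policy statements the evidence is checked against (stand-in for a policy PDF).
POLICY = {"mfa_required_for_privileged": True, "stale_account_days": 45}


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def norm_email(value):
    # Join-key normalisation: casing/whitespace differences are a common cause of join failures.
    return (value or "").strip().lower()


def parse_date(value):
    return datetime.strptime(value, "%Y-%m-%d") if value else None


def finding(check, subject, evidence, confidence="high"):
    # Every finding records which rule fired, on which row, and the evidence behind it.
    return {"check": check, "subject": subject, "evidence": evidence, "confidence": confidence}


def lint_access_evidence(hr_rows, iam_rows, as_of=AS_OF, export_timestamp=None):
    findings = []
    if export_timestamp is None:  # IPE: evidence must be tied to a point in time
        findings.append(finding("missing_ipe_timestamp", "iam_export",
                                "no export timestamp; evidence cannot be tied to a point in time", "unverified"))
    hr_by_email = {norm_email(r["email"]): r for r in hr_rows}
    stale_cutoff = as_of - timedelta(days=POLICY["stale_account_days"])

    for u in iam_rows:
        uid, email = u["user_id"], norm_email(u["email"])
        active = u["account_status"].strip().lower() == "active"
        privileged = u["privileged"].strip().lower() == "true"
        last_login = parse_date(u["last_login"])

        hr = hr_by_email.get(email)
        if hr is None:  # cannot decide termination status without the HR side of the join
            findings.append(finding("join_failure", uid,
                                    f"IAM account {email} has no matching HR record", "unverified"))
        elif hr["status"].strip().lower() == "terminated":
            term_date = parse_date(hr["termination_date"])
            if active:
                findings.append(finding("terminated_still_active", uid,
                                        f"HR terminated {hr['termination_date']}, IAM account_status=active"))
            if term_date and last_login and last_login > term_date:
                findings.append(finding("post_termination_login", uid,
                                        f"last_login {u['last_login']} after termination {hr['termination_date']}"))

        if privileged and POLICY["mfa_required_for_privileged"]:
            mfa = u["mfa_enabled"].strip().lower()
            if mfa == "":  # field absent: report it as unverifiable rather than guessing
                findings.append(finding("missing_field", uid,
                                        "mfa_enabled empty on privileged account", "unverified"))
            elif mfa != "true":
                findings.append(finding("missing_mfa_privileged", uid, f"privileged=true, mfa_enabled={mfa}"))

        if active:
            if last_login is None:
                findings.append(finding("missing_field", uid,
                                        "last_login empty on active account", "unverified"))
            elif last_login < stale_cutoff:
                findings.append(finding("stale_active_user", uid,
                                        f"last_login {u['last_login']} older than {POLICY['stale_account_days']} days"))
    return findings


if __name__ == "__main__":
    for f in lint_access_evidence(load_csv(HR_EXPORT), load_csv(IAM_EXPORT)):
        print(f"[{f['confidence']}] {f['check']:<24} {f['subject']:<11} {f['evidence']}")
```

On the constructed data this produces nine findings: the missing export timestamp, two for bob (active after termination, login after termination), two for dave (privileged without MFA, stale), a join failure for eve, and a join failure plus two "missing field" findings for frank. Carol produces nothing even though her IAM e-mail is cased differently, which is the point of normalising the join key. Findings marked `unverified` are the ones a human has to resolve before the evidence is audit-ready; the rules never fill in a missing value.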