Aethos Frameworks
Frameworks Live

Control frameworks for every layer
of the modern platform stack.

Platform-specific, practitioner-built. Each framework tells you how to design the control, where it breaks, what evidence it produces, and exactly what your auditor will test.

Browse the catalog
SOX Primary framework
Also mapped to
PCAOB AS 2201 SOC 2 NIST PCI DSS ISO 27001 COSO COBIT
The Framework In Action

Built for how audit work actually happens.

Every control walks you through the same sequence an auditor walks through in the field — from understanding the risk, to designing the control, to collecting the evidence, to writing the test.

aethosassurance.com/framework-github
Source Code Management  ·  GitHub
GitHub Control Framework
SOX §404 PCAOB AS 2201 10 Controls April 2026
In a GitHub environment, logical access controls govern who can access the platform, under what conditions, and what happens when they leave — covering the authentication gate, provisioning, deprovisioning, periodic review, and privileged role governance.
GH-LA-01
SSO & SAML Enforcement
All GitHub Organization access is authenticated through the corporate Identity Provider. Direct GitHub username/password login is blocked for all human users.
Required — Configured PCAOB AS 2201 §36
Plain Language

This control ensures the only way into your GitHub Organization is through your company’s central login system — the same system that gets disabled the moment an employee is terminated. Without it, someone could have their company email and laptop taken away on their last day but still log into GitHub using a password they set three years ago.

The Office Building

The building has one entrance with a badge reader connected to HR. When someone’s employment ends, facilities disables their badge in one place and they lose access everywhere. SSO enforcement is that single entrance — without it, employees could have personal keys cut from the master that still work even after their badge is deactivated.

SOX Risk

Without SSO enforcement, terminated employees retain direct access to repositories containing financial application code and database migration scripts. GitHub specifically allows both SAML SSO and direct username/password authentication simultaneously unless enforcement is explicitly enabled — organizations that have configured SAML without enforcing it have the appearance of SSO governance with none of the access control.

Plain Language

The difference between Level 1 and Level 2 is one checkbox — “Require SAML SSO authentication.” Everything before that checkbox is setup; that checkbox is the control. Level 3 adds the detection layer so you know the moment someone turns it off.

L1
Manual Periodic Check
Required — Any
SAML configured and enforced. A team member checks the enforcement setting quarterly and documents the result. Evidence: configuration screenshot plus review record.
L2
Configured + Event Alert
Required — Configured
SAML enforced plus audit log streaming active. SIEM detection rule fires on any org.disable_saml event, routing an alert to the security team within minutes.
L3
Automated Drift Detection
Recommended
L2 plus a weekly automated API check comparing current SSO enforcement state against an expected baseline. Any divergence generates an alert before the next manual review cycle would catch it.
Plain Language

You’re enabling the one setting that blocks all non-SSO login paths, then setting up an alert so you know immediately if it’s ever turned off.

  1. Navigate to Organization → Settings → Authentication security. If you are on GitHub Enterprise, also check Enterprise → Settings → Authentication security.
  2. Under “SAML single sign-on”: enter your IdP’s Sign-On URL and public certificate. Click “Test SAML configuration” and confirm a successful test before proceeding.
  3. Check “Require SAML SSO authentication for all members.” Members who have not yet authenticated via SSO will be removed from the organization after a grace period and must re-join through SSO.
  4. Navigate to Organization → Settings → Audit log → Log streaming and confirm streaming is active. Verify that org.disable_saml is included in the event stream.
  5. In your SIEM, create a detection rule: alert immediately on any event matching action:org.disable_saml OR action:business.set_saml_disabled.
Verify SSO enforcement status via API GitHub CLI 
# Confirm SAML is enforced — not just enabled
gh api graphql -f query='query {
  organization(login: "YOUR_ORG") {
    samlIdentityProvider {
      ssoUrl
      issuer
    }
    requiresTwoFactorAuthentication
  }
}'

# List all members WITHOUT a linked SAML identity
# These accounts can still log in without SSO
gh api orgs/YOUR_ORG/members --paginate \
  -f filter=2fa_disabled \
  --jq '.[] | .login'
Plain Language

You need to prove two things: (1) SSO enforcement was turned on and set correctly at the beginning of the period, and (2) it was never turned off. The configuration screenshot proves the first. The audit log query proves the second.

Evidence Item Source / Method What to Verify
SAML SSO configuration screenshot or API export Org Settings → Authentication security “Require SAML SSO authentication” is checked. IdP URL populated. Exemption list empty or documented.
Audit log — SSO disable events for the full audit period API export or SIEM query Zero org.disable_saml events returned. Any event requires documented justification and management sign-off.
Member list with SAML identity linkage GraphQL API export All active human members show a linked SAML identity (nameId populated).
Verify SSO enforcement & check for disable events during the audit period GitHub CLI 
# Confirm SAML is enforced at the organization level
gh api graphql -f query='query {
  organization(login: "YOUR_ORG") {
    samlIdentityProvider { ssoUrl issuer }
  }
}'

# Returns any event where SSO was disabled — should return empty
gh api orgs/YOUR_ORG/audit-log --paginate \
  -f phrase="action:org.disable_saml" \
  -f created="2025-01-01..2026-01-01" \
  --jq '.[] | {actor, action, created_at}'
Auditor Perspective

The most common gap: the distinction between “SAML enabled” and “SAML enforced.” Always verify enforcement status, not just configuration. A second gap: the SSO exemption list — ask explicitly: “Pull the list of all accounts currently exempted from SSO enforcement and show me the business justification for each.”

Plain Language

Design testing confirms the control is correctly configured. Operating effectiveness testing confirms it remained correctly configured — and was never disabled — for the entire audit period. For SSO, operating effectiveness is binary: either the setting was on the whole time or it wasn’t.

DoE Confirm SSO enforcement is appropriately configured
  1. Request the GitHub Organization authentication security settings. Confirm “Require SAML SSO authentication” is enabled — not just “Enable SAML SSO.” These are two separate settings.
  2. Confirm the connected IdP is the organization’s corporate identity provider. Verify by checking the Sign-On URL against the known corporate IdP tenant.
  3. Run the GraphQL query. For every active human member, confirm a SAML nameId is populated. Document the count with and without linked identities.
  4. Request the SSO exemption list. For each exemption, confirm there is a dated business justification and approving authority signature.
ToE Confirm SSO enforcement was maintained throughout the audit period
  1. Run the audit log query with the full audit period date range. The complete population is every org.disable_saml and business.set_saml_disabled event logged during the period.
  2. If the query returns zero events: document “no SSO disable events identified for the period [date range]. Control operated as designed.” This is sufficient ToE evidence.
  3. If the query returns any events: for each event, obtain (a) the dated business justification, (b) confirmation that SSO was re-enabled within SLA, and (c) management sign-off.
Auditor Perspective

This is one of the few GitHub controls where the ToE population is binary — either the setting was disabled during the period or it was not. Your evidence memo should explicitly state: “Reviewed complete audit log; zero org.disable_saml events identified.”

⚠ Failure Mode 1 — Enabled ≠ Enforced

SAML is enabled and the IdP is connected. But “Require SAML SSO authentication for all members” was never checked — it requires a deliberate separate action after enabling. All members can still authenticate using their GitHub username and password. Every provisioning and deprovisioning control in this framework is undermined by this single unchecked checkbox. This is the most common SSO control gap.

⚠ Failure Mode 2 — The SSO Exemption List

SSO enforcement is active and correctly configured. But 15 service accounts and 3 senior engineers have been added to the SSO exemption list over two years. Two of the exempt engineers have since left the company. Their accounts remain active and exempt because the exemption list is never reviewed — it’s not part of the quarterly access certification process and no one knows it exists.

What Auditors Miss

Auditors test whether SSO enforcement is enabled. They rarely pull the SSO exemption list. Ask specifically: “Provide the complete list of accounts currently exempted from SAML enforcement, with the business justification and approval date for each.”

SSO Disable Events
Monthly count of org.disable_saml and business.set_saml_disabled events. Any event should trigger immediate investigation — there is no legitimate reason to disable SSO enforcement outside of a documented emergency change process.
Alert: any event — zero tolerance
Members Without SAML Identity
Count of active organization members without a linked SAML identity. These members can authenticate without SSO despite enforcement being enabled — typically indicates accounts added through a path that bypassed SCIM provisioning.
Alert: any member active >7 days without a linked SAML identity
SAML Certificate Expiry
Days until the SAML signing certificate expires. An expired certificate causes SSO to fail, forcing GitHub to fall back to direct authentication for all users — effectively disabling the control without any explicit disable event.
Alert: 30 days before expiry  ·  Critical: 7 days before expiry
GH-LA-02
User Provisioning & Access Grants
Access is granted based on documented business need, approved by an authorized manager, at the minimum privilege level required for the role.
Required — Any Implementation PCAOB AS 2201 §36
GH-CM-01
Branch Protection & Code Review Enforcement
All commits to production-affecting branches require peer review approval before merge. The platform technically prevents direct pushes and self-approvals.
Required — Configured PCAOB AS 2201 §39
GH-CO-01
Secrets Detection & Push Protection
GitHub Advanced Security secret scanning and push protection prevent credentials from entering the repository. High-severity alerts are resolved within 24 hours.
Required — Configured PCAOB AS 2201 §39
0:00 / 0:38
01 — Rationale
Understand the risk
Plain language, analogy, and the SOX exposure if absent.
02 — Control Design
Four maturity levels
From manual ticketing to IaC. Know where you are.
03 — Implementation
Step-by-step + code
Exact steps and CLI commands to configure the control.
04 — Evidence & Queries
PBC list, ready to send
Every evidence item with the API command to pull it.
05 — Test Procedures
DoE and ToE pre-written
Exact PCAOB AS 2201 steps. Know what they’ll test.
06 — Failure Modes
What breaks in practice
Real failures, management assumptions, auditor gaps.
07 — Drift Signals
Continuous monitoring
Leading indicators, thresholds, and monitoring queries.
Open the GitHub Framework Browse all frameworks →
Extending Governance Into Modern Platforms

Why These Frameworks Exist.

Traditional governance frameworks established foundational control principles for enterprise technology environments. Modern platforms introduced a different challenge: cloud-native architectures, CI/CD pipelines, automation layers, APIs, distributed identity models, and continuously evolving configuration surfaces. The challenge is no longer understanding whether controls should exist. The challenge is understanding how governance should be designed for platforms that operate fundamentally differently than traditional infrastructure environments.


01
Platform-Specific by Design.

Each framework is purpose-built for a specific platform ecosystem — not adapted from a generic control template. GitHub governance differs from AWS. Okta differs from Azure DevOps. The controls are designed around how the platform actually operates, how trust is established, and where modern governance dependencies emerge.

02
Opinionated Where Precision Matters.

Traditional guidance often defines control objectives at a high level while leaving implementation interpretation to individual teams. The Aethos frameworks provide architectural direction for how governance should operate within modern platform environments, reducing ambiguity that frequently leads to inconsistent or inherited control design.

03
Built From Real Operational Environments.

The frameworks are shaped through direct experience designing, implementing, evaluating, and governing modern cloud and platform ecosystems. They reflect operational realities encountered inside evolving enterprise environments — not theoretical mappings created independently from platform behavior.

22
Frameworks in the library
239
Individual controls
7
Tabs of depth per control
10
Platform categories
The distinction

Not templates. Not compliance mappings.

Most compliance documentation tells you a control should exist. Aethos Frameworks tell you how to design it, where it breaks, what evidence it produces, and what auditors actually look for when they test it.

What templates and compliance mappings give you
  • Control objectives with framework citations but no implementation detail
  • Generic descriptions like “ensure access is reviewed periodically”
  • Guidance written without reference to any specific platform
  • Blank evidence tables for you to fill in yourself
  • One approach regardless of your environment or maturity
  • No guidance on what auditors actually test or where they find gaps
What an Aethos framework gives you
  • Platform-specific controls mapped to runtime behavior, not documentation assumptions
  • Four maturity levels per control from manual baseline to fully automated
  • Step-by-step implementation with real CLI queries and API commands
  • Evidence tables with the specific format and content auditors will request
  • Failure mode analysis showing exactly how and why each control breaks
  • DoE and ToE procedures written for PCAOB AS 2201
  • Drift signals for continuous monitoring between audit cycles
Modern Assurance Is Evolving

Designed for the Reality of Modern Platforms

Across organizations at different stages of platform maturity, leaders consistently describe the same realization: traditional control models were never designed for interconnected, automated ecosystems. The Aethos frameworks help expose governance gaps many teams did not recognize until modern platform risks were mapped beyond legacy audit assumptions.



Framework Catalog

22 frameworks.
Browse by platform stack.

Control number and name are visible to everyone. Full access — all 7 tabs per control — requires an annual subscription at $799/year. Use Rationale to scope your audit, Design to brief engineering, Implementation to close gaps, and Drift & Detection to monitor between cycles.

01
Source Code Management
Version control · branch governance · code review · secrets hygiene
3 frameworks
GitHub
The foundation of most engineering workflows. GitHub controls are the most frequently tested ITGC in a software company — branch protection, code review enforcement, and access governance. Most environments have them configured. Few have them designed to hold under audit.
10 controls Open  
GitLab
GitLab's permission model spans five tiers — Owner, Maintainer, Developer, Reporter, Guest — and access granted at a parent group propagates silently to every project below it. Most quarterly access reviews never pull the full subgroup tree, which means reviewers are certifying access they cannot actually see.
11 controls Open  
Bitbucket
Bitbucket is the only source code platform that can natively require a linked, approved Jira ticket before a pull request merges, giving it a uniquely strong change authorization model. The risk is in its workspace permission structure: workspace-level administrator access flows down to every repository in the workspace without a separate grant.
11 controls Open  
02
CI/CD & Deployment
Pipeline governance · deployment authorization · artifact integrity · environment promotion
4 frameworks
Jenkins
Jenkins provides no built-in deployment approval gate. A developer with job-configure permission can edit the pipeline definition that deploys to production — and unless Jenkinsfile changes go through the same SCM review process as application code, that modification leaves no auditable record. The framework covers how to build a change authorization chain auditors will accept.
13 controls Open  
CircleCI
CircleCI contexts are the mechanism for storing deployment credentials — and by default, any pipeline in the organization can reference them. That means a context holding production cloud credentials is accessible to every project, every branch, and every developer who can trigger a build. Context security group restriction is the primary control, and most environments have never configured it.
12 controls Open  
ArgoCD
In a GitOps model, the Git merge is the deployment authorization event — which means the audit trail lives in the SCM, not the deployment tool. ArgoCD enforces that model by default, but its parameter override feature and manual sync capability can both execute production changes that bypass the Git-based approval entirely. The framework covers how to restrict both and what the resulting audit evidence needs to demonstrate.
11 controls Open  
Ansible
Ansible without AWX or Ansible Automation Platform produces no native record of execution — no log of which playbook ran, against which inventory, triggered by whom. In a direct CLI deployment model, the only evidence is whatever the engineer chose to record in a change ticket. The framework covers how to build an auditable execution layer using AWX job templates and approval workflows.
12 controls Open  
03
Cloud Infrastructure
IAM governance · audit logging · deployment authorization · network boundary controls
3 frameworks
AWS
AWS is the most common cloud environment in a SOX audit, and the two findings that appear most consistently are the same: root account credentials without MFA and IAM policies that are broader than the role actually needs. Both are straightforward to prevent and consistently overlooked. The framework covers IAM least privilege, CloudTrail organization-level logging, cross-account deployment authorization, and Secrets Manager governance.
18 controls Open  
Google Cloud
GCP Data Access audit logs — the logs that record who read or modified data in BigQuery, Cloud SQL, Cloud Storage, and other services — are disabled by default for nearly every service. Organizations that have not explicitly enabled them at the organization level have no record of financial data access. Most discover this during fieldwork, not before.
13 controls Open  
Microsoft Azure
Azure has four distinct permission systems that operate independently: Azure RBAC, Entra ID directory roles, Microsoft 365 service roles, and application-level roles. An access review that covers only one of them is certifying a fraction of the actual access picture. The framework also covers the Entra Connect synchronization delay that creates a deprovisioning window in hybrid environments, and the Diagnostic Settings that control whether Azure activity is logged at all.
14 controls Open  
04
Container Orchestration
RBAC governance · workload access controls · privileged container restrictions · API audit logging
1 framework
Kubernetes
cluster-admin is the most dangerous permission in a Kubernetes environment, and it is routinely granted at cluster setup and never removed because removing it feels like a risk. The more subtle problem is ServiceAccounts: a workload running under a ServiceAccount with cluster-admin can reach any resource in the cluster regardless of namespace boundaries or network policy. The framework covers RBAC least privilege, ServiceAccount governance, admission control configuration, and what the Kubernetes API server audit log needs to contain.
12 controls Open  
05
Identity & Access Management
SSO enforcement · MFA policy · SCIM provisioning · deprovisioning timing · administrator governance
2 frameworks
Okta
Okta sits upstream of every application it protects — which means a failure in Okta's access controls is a simultaneous failure across every connected system. The framework covers MFA policy enforcement gaps (including the sign-on policy evaluation order that makes MFA optional for specific networks), the SCIM deprovisioning timing gap that leaves terminated employees active in downstream applications, and Super Administrator access governance, which most Okta environments have never formally documented.
12 controls Open  
OneLogin
OneLogin's role mapping rules can automatically provision access to connected applications based on directory attributes — department, title, location. That automation is its primary value. The risk is that a role rule misconfiguration, or an HR attribute change, can silently expand access to a financially sensitive system without any explicit approval action from a human reviewer. The framework covers how to govern role rules as change-controlled objects.
9 controls Open  
06
Identity Governance & Administration
Access certification · role management · SoD enforcement · provisioning workflow authorization
1 framework
SailPoint
SailPoint produces the quarterly access certification output that auditors use as evidence for user access reviews across every application in scope. The validity of that evidence depends entirely on whether certifications required real decisions. Auto-approve on non-response — a default configuration in many SailPoint deployments — generates certification records that look complete but represent no human review. The framework covers both IdentityNow and IdentityIQ environments.
8 controls Open  
07
Infrastructure as Code
Change control · state file governance · secrets management · configuration drift detection
2 frameworks
Terraform
The Terraform state file is a complete inventory of production infrastructure, including resource identifiers, network configuration, and output values. In most organizations it is stored in a shared backend accessible to the entire engineering team with no access logging. Separately, terraform apply can be executed from any workstation with cloud credentials, leaving no CI/CD pipeline record of the change. The framework covers state file access governance, plan/apply separation, and using drift detection as a continuous monitoring control.
12 controls Open  
HashiCorp Vault
Vault is where production secrets live — database passwords, API keys, cloud credentials, TLS certificates. That makes Vault policy governance the access control layer that sits beneath every other access control in the stack. A policy granting read on a wildcard secret path gives access to every current and future credential stored at that path. The framework covers path-scoped policy design, AppRole and token lifecycle, root token governance, and audit device configuration.
8 controls Open  
08
Data Platform
Data warehouse governance · transformation layer controls · streaming pipeline authorization · financial data access
3 frameworks
Snowflake
Snowflake uses a role hierarchy where child roles inherit permissions from parent roles, and role grants accumulate over time without a natural expiry. A functional role that was granted access to a financial schema during initial setup may now be assigned to dozens of users whose job functions have changed — and because the grant looks correct at the role level, quarterly access reviews often miss it. The framework covers role architecture, ACCOUNTADMIN governance, and what ACCESS_HISTORY produces as audit evidence.
13 controls Open  
Databricks
Databricks clusters can be configured to inject cloud provider instance credentials directly into the Spark session — which means a notebook running on that cluster can call the AWS or GCP API with the permissions of the underlying compute role, bypassing Unity Catalog access controls entirely. The framework covers Unity Catalog privilege governance, workspace administrator controls, notebook change management, and financial data modification tracking on Delta tables.
13 controls Open  
Apache Kafka
When financial transactions flow through Kafka topics, any producer authorized to write to a financial topic has the ability to inject or modify that data stream — regardless of what controls exist on the downstream database. Kafka's ACL model is the primary control surface, and it is frequently misconfigured in ways that grant broad produce permissions to topics that carry revenue or transaction data. Covers both Apache Kafka and Confluent Cloud environments.
6 controls Open  
09
Database
Operational database access · privileged user governance · audit logging · financial data modification controls
1 framework
MongoDB
MongoDB's audit log — the facility that records who read or modified documents — is only available in MongoDB Enterprise and Atlas M10 or higher. Organizations running Community Edition or a lower Atlas tier have no native audit capability for financial collections. The framework covers the evidence gap this creates, Atlas versus self-managed governance differences, and how to use change streams as a compensating control when full audit logging is not available.
8 controls Open  
10
Change Management Platforms
Change authorization workflow · CAB approval governance · emergency change controls · automation rule audit
2 frameworks
Jira
When a Jira ticket linked to a pull request is used as the change authorization record, the integrity of that record depends on whether only authorized approvers can transition the ticket to an approved state. If workflow transition permissions are not explicitly restricted — or if an automation rule advances tickets automatically — the authorization evidence is not valid, regardless of how complete it looks in the audit trail.
5 controls Open  
ServiceNow
The Emergency change type exists to allow production changes when a full CAB approval cycle is not possible. In most ServiceNow environments, anyone with the itil role can create an Emergency change, and there is no monitoring on how frequently that path is used. Standard change templates present a related risk: once a change pattern is classified as Standard, it receives pre-approval indefinitely unless someone actively reviews and recertifies the template list.
8 controls Open  
Framework Library

Don’t see your platform?

The framework library is expanding continuously. If you’re dealing with a platform environment without a framework yet, reach out — we may already be building it.

Platforms under consideration include Docker, Datadog, Spinnaker, GitHub Actions, Prometheus, Grafana, and others. Priority is influenced by subscriber requests.

[email protected]
What’s next

New frameworks release first
through the Aethospect.

Subscribe for early access to frameworks in development, notifications when specific technologies release, and input into which platforms are prioritised next.

Join the Aethospect

Free. No spam. Unsubscribe anytime.