Handvantage

Insights · RETROSPECTIVE

From B to A: the discipline behind the upgrade

What changed between February and May to move the compliance posture three letter grades. Less novel methodology than you'd expect.

By Josh Olayemi · May 5, 2026 · 6 min read

Three months ago the published compliance grade was B at 84%. Today it is A at 100%. The gap was closed across nine sprints. The pattern in those sprints is more interesting than the resulting number, because the pattern is repeatable — and it is what we expect to repeat the next time the regulatory frame moves and a new B-grade gap opens.

The B grade had three structural causes. The first was a control-mapping gap: PIPEDA Principle 7 (Safeguards) and Privacy Act (Canada) Section 4 had no satisfying events in the audit log because the relevant evidence path was wired only into a specific code path. The second was a test gap: the embedding-inversion detection in Layer 4 had an outdated probe library. The third was a methodology gap: the assessment was taking the average of per-framework grades, not the worst, which masked individual framework failures.

We addressed all three across nine sprints. The methodology fix was the smallest change in code (a single line in the assess script) and the largest change in posture — switching from average to worst-of immediately moved several frameworks that had been silently dragging the grade down into visible focus. The control-mapping gap was a sprint of careful tracing, not invention; the platform was producing the right events, but the assess script wasn't recognising them as satisfying the right controls. The test gap was four sprints of probe-library research, refreshing the embedding-inversion patterns to current published research.

The discipline is unglamorous. None of these fixes were novel cryptography or a new architectural primitive. They were the slow, careful work of looking at a specific failure, finding the smallest change that closes it, shipping that change with evidence, and re-running the assessment. The same discipline catches the next failure when it appears.

We expect the next failure. Frameworks update. AIDA may change shape between proposed and enacted. NIST AI RMF 1.1 will land at some point. When the failure appears, the assessment will catch it within a sprint, the published grade will move, and we'll publish the methodology that closes it. That is the only marketing strategy a Sovereign Capability Partner can credibly run.

RELATED

BRIEFING

The EU AI Act deadline your CISO is ignoring

August 2, 2026 is the high-risk obligations deadline. The audit window opened in Q1. Most security leaders are still treating it as a Q4 problem.

May 2, 2026 · 5 min read

CONTINUE THE CONVERSATION

If something here is what you're working on, talk to us.

Articles like this one come out of conversations with practitioners, security leaders, and engineering teams in regulated industries. If the writing reflects your situation, the next conversation is probably worth having.

Continue the conversation →

Or write to hello@handvantage.com directly.