
Nuxari
Evidence Model

Every action creates evidence. Automatically, cryptographically.

Nuxari generates structured, SHA-256 hashed, Merkle-chained evidence packages at every workflow stage. No manual collection. No screenshots. No reconciliation.

What is an evidence package

An evidence package is a structured, signed collection of records that document a complete workflow execution. Each package has a unique identifier, a scope (which resource or user it covers), a creation timestamp, and a Merkle root hash covering all records.

Evidence packages are created automatically; operators do not collect evidence manually. A complete package exists for every approved remediation workflow that reaches validation.

What this means for your organization
Before an auditor asks for evidence, Nuxari has already created it. Every approved access change, every remediation, every offboarding workflow generates a package. Your team does not compile evidence before a review; it exports the packages that already exist.

Evidence record types

Access Evaluation Result
A snapshot of observed access at a point in time: user, resource, observed access level, approved baseline, detection timestamp, SHA-256 hash.
Captured
Approval Record
The signed record of a human approval decision: approver identity, timestamp, what plan was approved, and the action authorized.
Signed
Pre-Change Snapshot
Access state captured immediately before a remediation executes: what was true at the moment of change, hashed and immutable.
Immutable
Execution Log
Record of the execution phase: start/end timestamps, connector used, action attempted, result (success or failure).
Verified
Validation Result
Post-change access state confirming the change is in effect and the observed state now matches the approved baseline.
Validated
Final Evidence Hash
The Merkle root hash of all records in the package. Changes if any record is altered, providing tamper-evidence for the full package.
Sealed

Cryptographic integrity

Each evidence record is SHA-256 hashed after creation. The evidence package uses a Merkle tree structure: the root hash is computed from all record hashes. If any record in the package is altered, the root hash changes, making tampering immediately detectable.

Exported packages include all record hashes and the Merkle root, allowing independent verification that the package contents match the hashes.
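
The independent verification described above can be sketched as follows. This is an added example, not Nuxari's code: the export field names (`records`, `body`, `sha256`, `merkle_root`), the canonical-JSON record hashing, and the tree construction are assumptions, since the page does not specify them.

```python
import hashlib
import json


def record_hash(body):
    # Assumption: a record is hashed over its canonical JSON form
    # (sorted keys, no insignificant whitespace, UTF-8).
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canon).hexdigest()


def merkle_root(leaf_hex):
    # Assumption: parent = SHA-256(left || right) over raw digests, and an
    # unpaired last node is carried up unchanged to the next level.
    if not leaf_hex:
        raise ValueError("package has no records")
    level = [bytes.fromhex(h) for h in leaf_hex]
    while len(level) > 1:
        nxt = [hashlib.sha256(level[i] + level[i + 1]).digest()
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0].hex()


def verify_package(pkg):
    """Return a list of findings; an empty list means the package verifies."""
    findings = []
    for i, rec in enumerate(pkg["records"]):
        if record_hash(rec["body"]) != rec["sha256"]:
            findings.append(f"record {i} ({rec['body'].get('type')}): hash mismatch")
    # The root is recomputed from the stated hashes, so a root mismatch is
    # reported separately from a record mismatch.
    if merkle_root([r["sha256"] for r in pkg["records"]]) != pkg["merkle_root"]:
        findings.append("merkle root mismatch")
    return findings


def build_sample():
    # Constructed sample data, not a real export.
    bodies = [
        {"type": "approval_record", "approver": "alice@example.com"},
        {"type": "pre_change_snapshot", "access": "admin"},
        {"type": "execution_log", "result": "success"},
    ]
    records = [{"body": b, "sha256": record_hash(b)} for b in bodies]
    return {"records": records,
            "merkle_root": merkle_root([r["sha256"] for r in records])}
```

A clean result shows only that the package is internally consistent; the root itself still has to be compared against a copy obtained separately from the file being checked.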

What is not stored

Evidence records are designed to document governance actions, not expose sensitive data. The following are deliberately excluded:

  • Passwords in any form
  • OAuth tokens, refresh tokens, or API keys
  • Client secrets or private keys
  • Full raw third-party API responses
  • Credit card numbers or payment data
  • Sensitive personal data beyond what documents the governance event

Export

Evidence packages can be exported as JSON (machine-readable, with all hashes) or PDF (human-readable, formatted for auditor review). Exported packages include all evidence records, their SHA-256 hashes, the Merkle root, and package metadata.

Evidence packages are immutable after creation. They cannot be deleted by org admins within the configured retention window.
