Overview
ARIAS Compliance Posture exposes three integration surfaces that any GRC platform can consume:
| Surface | What it is | When to use |
|---|---|---|
| OSCAL endpoint | NIST OSCAL 1.1.2 assessment-results JSON per framework | GRC tools that import OSCAL natively (TrustCloud, OneTrust, AuditBoard) |
| Evidence endpoint | Delta-friendly list of compliance assessment records | GRC tools that pull via custom data sources (Vanta, Drata, Hyperproof) and poll on a schedule |
| Webhooks | compliance.posture.changed POST events when control state transitions | Push-mode integrations and event-driven alerting |
You can use one, two, or all three depending on what your GRC tool supports.
Step 1 — Generate an API key in ARIAS
- Log in as an Admin user
- Navigate to Compliance Posture → Integrations → API Keys
- Click Generate API key
- Give it a label that identifies the GRC tool (e.g. “Vanta production”)
- Click Generate
- Copy the raw key now — it will never be shown again
Keys are prefixed aria_cp_ and are sent as a Bearer token in the Authorization header. Treat the key as a credential: store it in your GRC tool's secret store rather than in a config file, since anyone holding it can read your compliance evidence.
Step 2 — Configure your GRC tool
Tools that ingest OSCAL (TrustCloud, OneTrust, AuditBoard)
Configure the data source URL as:
GET https://app.tryarias.com/api/analysis/compliance/oscal/<framework>
Authorization: Bearer aria_cp_<your-key>
Where <framework> is one of:
- eu_ai_act
- nist_ai_rmf
- iso_42001
- soc2
- gdpr
- owasp_llm_top_10
- owasp_agentic_top_10
- maestro
Optional query parameter: ?repository=<name> to scope the export to a single repository’s most-recent scan.
The response is standard OSCAL. Findings and observations carry stable UUIDs, so an importer that deduplicates on those UUIDs (as OSCAL importers are expected to) treats re-imports as idempotent. Confirm this with a second manual import before scheduling the sync, so you do not end up with duplicated findings.
Tools with custom data source ingest (Vanta, Drata, Hyperproof)
Configure a polling job that hits:
GET https://app.tryarias.com/api/analysis/compliance/evidence?since=<iso8601>
Authorization: Bearer aria_cp_<your-key>
Save the as_of timestamp from each response and pass it as since= on the next poll. Persist that cursor durably, so a restarted poller resumes from where it left off instead of re-pulling everything. Optional filters: ?framework=<name> and ?repository=<name>.
Each evidence record has this shape:
{
"evidence_id": "<deterministic-uuid>",
"source": "ARIAS",
"control_id": "Article 14",
"framework": "eu_ai_act",
"status": "aligned | partial | gap | not_checked",
"evidence_count": 7,
"analysis_id": "<scan-uuid>",
"timestamp": "<iso8601>"
}
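The polling loop described above, as an added example that is not ARIAS code and not any GRC vendor's connector. Beyond what the page states, it assumes the response body is a JSON object of the form {"as_of": "<iso8601>", "records": [<evidence record>, ...]}; the endpoint stand-in (make_fake_fetch) and its records are constructed so the demo runs offline, and http_fetch is the real transport to swap in.

```python
"""Delta polling of the ARIAS evidence endpoint (added example, not ARIAS code).

Assumed response envelope (the page shows only the record shape and the as_of
cursor): {"as_of": "<iso8601>", "records": [<evidence record>, ...]}.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

EVIDENCE_URL = "https://app.tryarias.com/api/analysis/compliance/evidence"
Fetch = Callable[[str, dict], dict]   # (url, headers) -> parsed JSON body


def http_fetch(url: str, headers: dict) -> dict:
    """Real transport: one authenticated GET against ARIAS (not used offline)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class EvidenceStore:
    """GRC-side sink: upserts by evidence_id, so re-delivered records are idempotent."""

    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}
        self.cursor: Optional[str] = None      # last as_of returned by ARIAS

    def poll(self, fetch: Fetch, api_key: str, framework: Optional[str] = None,
             repository: Optional[str] = None, limit: int = 10000) -> int:
        """One poll cycle; returns the number of records not seen before."""
        params: Dict[str, object] = {"limit": limit}
        if self.cursor:                        # first poll is a full pull
            params["since"] = self.cursor
        if framework:
            params["framework"] = framework
        if repository:
            params["repository"] = repository
        headers = {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}
        body = fetch(f"{EVIDENCE_URL}?{urlencode(params)}", headers)
        new = 0
        for rec in body.get("records", []):
            if rec["evidence_id"] not in self.records:
                new += 1
            self.records[rec["evidence_id"]] = rec   # upsert: same id overwrites
        # Advance the cursor only after the batch is stored, so a crash between
        # fetch and store makes the next poll re-fetch rather than skip records.
        self.cursor = body["as_of"]
        return new


# Constructed sample records in the page's evidence shape (not real scan output).
SAMPLE_RECORDS: List[dict] = [
    {"evidence_id": "e1", "source": "ARIAS", "control_id": "Article 14",
     "framework": "eu_ai_act", "status": "aligned", "evidence_count": 7,
     "analysis_id": "scan-1", "timestamp": "2024-05-01T10:00:00Z"},
    {"evidence_id": "e2", "source": "ARIAS", "control_id": "CC6.1",
     "framework": "soc2", "status": "partial", "evidence_count": 2,
     "analysis_id": "scan-1", "timestamp": "2024-05-01T10:00:00Z"},
]


def make_fake_fetch(records: List[dict]) -> Fetch:
    """Offline stand-in for the endpoint: honours since=, framework= and limit=.
    Timestamps are compared as strings, which is only valid because every
    constructed record uses the same UTC 'Z' format."""
    def fetch(url: str, headers: dict) -> dict:
        if not headers.get("Authorization", "").startswith("Bearer aria_cp_"):
            raise PermissionError("missing or malformed ARIAS API key")
        qs = parse_qs(urlparse(url).query)
        since = qs.get("since", [None])[0]
        fw = qs.get("framework", [None])[0]
        limit = int(qs.get("limit", ["10000"])[0])
        batch = [r for r in records
                 if (since is None or r["timestamp"] > since)
                 and (fw is None or r["framework"] == fw)]
        return {"as_of": max(r["timestamp"] for r in records), "records": batch[:limit]}
    return fetch


def run_demo() -> dict:
    """Three polls: initial pull, empty delta, then a delta with one new gap record."""
    live = list(SAMPLE_RECORDS)
    fetch = make_fake_fetch(live)
    store = EvidenceStore()
    first = store.poll(fetch, "aria_cp_example", framework="eu_ai_act")
    again = store.poll(fetch, "aria_cp_example", framework="eu_ai_act")
    live.append({"evidence_id": "e3", "source": "ARIAS", "control_id": "Article 14",
                 "framework": "eu_ai_act", "status": "gap", "evidence_count": 7,
                 "analysis_id": "scan-2", "timestamp": "2024-05-02T09:00:00Z"})
    third = store.poll(fetch, "aria_cp_example", framework="eu_ai_act")
    return {"first": first, "again": again, "third": third,
            "stored": len(store.records), "cursor": store.cursor}


if __name__ == "__main__":
    print(run_demo())
```

To run it against the live endpoint, pass http_fetch and a real aria_cp_ key to poll() and persist store.cursor between runs; the upsert by evidence_id is what makes an accidental re-pull (for example after restoring an older cursor) harmless.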
Push-mode (any tool that accepts inbound webhooks)
- In your GRC tool, create a webhook receiver URL
- In ARIAS Compliance Posture → Integrations → Webhooks → Add webhook
- Paste the receiver URL + a label
- Save the signing secret that ARIAS generates — your receiver must use it to verify the HMAC signature on every event
Event payload:
{
"event": "compliance.posture.changed",
"tenant_id": "<tenant>",
"analysis_id": "<scan-uuid>",
"occurred_at": "<iso8601>",
"transitions": [
{
"framework": "eu_ai_act",
"control_id": "Article 14",
"prev_status": "aligned",
"new_status": "gap"
}
]
}
Headers:
Content-Type: application/json
X-ARIAS-Event: compliance.posture.changed
X-ARIAS-Signature: sha256=<hex>
To verify the signature in your receiver (compute it over the raw request bytes, before parsing the JSON, and reject the request if it fails):
import hmac, hashlib

def signature_ok(signing_secret: str, raw_body: bytes, signature_header) -> bool:
    # raw_body must be the exact bytes received; re-serialising the parsed JSON
    # changes whitespace or key order and the MAC will not match.
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = hmac.new(
        signing_secret.encode("utf-8"),
        raw_body,
        hashlib.sha256,
    ).hexdigest()
    # Constant-time comparison; a plain == leaks timing information.
    return hmac.compare_digest(expected, signature_header.removeprefix("sha256="))

# In your handler:
# signature_ok(signing_secret, request.body, request.headers.get("X-ARIAS-Signature"))
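A complete receiver built around that check, as an added example that is not ARIAS code and not any GRC tool's. The sender half (sign_body) is a constructed stand-in for ARIAS that signs the page's sample event with HMAC-SHA256 over the raw body, hex digest, sha256= prefix, which is the scheme the verification snippet implies; the signing secret, tenant id and analysis id are constructed. It also shows the two failure cases a receiver must handle (tampered body, missing signature) and a guard against out-of-order deliveries, which the page's best-effort delivery semantics make possible.

```python
"""Webhook receiver for compliance.posture.changed (added example, not ARIAS code).

Sender side (sign_body) is a constructed stand-in for ARIAS: HMAC-SHA256 over
the raw body, hex digest, "sha256=" prefix, as the page's verification snippet implies.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

EVENT_HEADER = "X-ARIAS-Event"
SIG_HEADER = "X-ARIAS-Signature"
POSTURE_EVENT = "compliance.posture.changed"


def sign_body(secret: str, body: bytes) -> str:
    """What the sender puts in X-ARIAS-Signature (stand-in for ARIAS)."""
    return "sha256=" + hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


def verify_signature(secret: str, body: bytes, header: Optional[str]) -> bool:
    """Constant-time check of the raw body against the signature header."""
    if not header or not header.startswith("sha256="):
        return False
    expected = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header[len("sha256="):])


class PostureReceiver:
    """Verifies, then folds transitions into a (framework, control) -> status table."""

    def __init__(self, signing_secret: str) -> None:
        self.secret = signing_secret
        self.posture: Dict[Tuple[str, str], str] = {}
        self.updated_at: Dict[Tuple[str, str], str] = {}   # occurred_at per key
        self.alerts: List[str] = []

    def handle(self, headers: Dict[str, str], raw_body: bytes) -> Tuple[int, str]:
        """Returns (http_status, reason) the receiver would answer with."""
        # 1. Authenticate first; never json.loads() an unverified body.
        if not verify_signature(self.secret, raw_body, headers.get(SIG_HEADER)):
            return 401, "bad or missing signature"
        # 2. Route on the event header; acknowledge but ignore types we do not handle.
        if headers.get(EVENT_HEADER) != POSTURE_EVENT:
            return 204, "ignored event type"
        try:
            event = json.loads(raw_body)
        except ValueError:
            return 400, "malformed JSON"
        if event.get("event") != POSTURE_EVENT or "transitions" not in event:
            return 400, "body does not match event header"
        occurred = event.get("occurred_at", "")
        # 3. Apply transitions, dropping any older than what we already hold
        #    (delivery is best-effort, so events can arrive out of order).
        #    String comparison is valid only for same-format UTC timestamps.
        for t in event["transitions"]:
            key = (t["framework"], t["control_id"])
            if occurred < self.updated_at.get(key, ""):
                continue
            self.posture[key] = t["new_status"]
            self.updated_at[key] = occurred
            if t["new_status"] == "gap":
                self.alerts.append(f"{key[0]} {key[1]}: {t['prev_status']} -> gap")
        return 200, "ok"


def run_demo() -> dict:
    """Good delivery, tampered body, and a delivery with no signature header."""
    secret = "whsec_constructed_example"          # ARIAS generates the real one
    rx = PostureReceiver(secret)
    event = {"event": POSTURE_EVENT, "tenant_id": "tenant-demo",
             "analysis_id": "scan-2", "occurred_at": "2024-05-02T09:00:00Z",
             "transitions": [{"framework": "eu_ai_act", "control_id": "Article 14",
                              "prev_status": "aligned", "new_status": "gap"}]}
    body = json.dumps(event, separators=(",", ":")).encode("utf-8")
    headers = {"Content-Type": "application/json", EVENT_HEADER: POSTURE_EVENT,
               SIG_HEADER: sign_body(secret, body)}
    good = rx.handle(headers, body)
    # Flip the transition in flight without re-signing: the MAC no longer matches.
    forged = body.replace(b'"new_status":"gap"', b'"new_status":"aligned"')
    tampered = rx.handle(headers, forged)
    unsigned = rx.handle({EVENT_HEADER: POSTURE_EVENT}, body)
    return {"good": good[0], "tampered": tampered[0], "unsigned": unsigned[0],
            "posture": dict(rx.posture), "alerts": list(rx.alerts)}


if __name__ == "__main__":
    print(run_demo())
```

In a real framework, pass the raw request bytes (for example Flask's request.get_data()) to handle(), not a re-serialised parsed object, and answer within the sender's timeout: do the signature check and the state update inline, and push anything slow (ticket creation, notifications) to a queue.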
Step 3 — Verify the integration
- Run a scan in ARIAS (or wait for one to complete)
- Pull-mode: invoke your GRC tool’s manual sync; confirm new evidence rows appear
- Push-mode: check the webhook entry’s Last delivery column in ARIAS; it should show HTTP 200
Operational notes
| Topic | Guidance |
|---|---|
| Key rotation | Generate a new key, configure your GRC tool to use it, confirm a successful sync, then revoke the old one |
| Pagination | Evidence endpoint accepts ?limit= up to 10000 per call; use ?since= for delta polling |
| Repository scoping | Both endpoints accept ?repository=<name> to limit results to one repository’s latest scan; omit for the all-repos rollup |
| Failure semantics | Webhook delivery is best-effort with a 5-second timeout, so your receiver should acknowledge quickly and do slow work asynchronously. Failures are recorded on the webhook row (visible in the UI under “Last delivery”). ARIAS does not retry failed webhooks automatically, so your GRC tool should also use the pull endpoints as a backstop. |
Supported frameworks today
| Framework | Coverage |
|---|---|
| EU AI Act | Articles 9, 10, 11, 12, 13, 14, 15, 17 |
| NIST AI RMF | Govern / Map / Measure / Manage functions |
| ISO/IEC 42001 | AI management system controls |
| SOC 2 | CC1, CC6, CC7, CC8, CC9 + Availability/Confidentiality |
| GDPR | Articles 5, 6, 7, 17, 32 |
| OWASP LLM Top 10 | LLM01–LLM10 |
| OWASP Agentic AI Top 10 | AAI-01 through AAI-05 |
| MAESTRO | M1–M5 adversarial threat categories |
ARIAS doesn’t claim to cover every control in every framework, only the controls where ARIAS provides evidence via SCF-mapped knowledge-base rules. The % framework assessed metric on each card reports the actual coverage breadth.
Questions
Email support@tryarias.com — we typically reply within one business day. For enterprise integration support please contact your account team.