ABOUT NORMOS.IO

The Operating System
of Trust

We are building the infrastructure layer that makes trust as verifiable as a blockchain transaction and as automatic as a heartbeat.

THE STORY

Why We Built This

The compliance industry is built on a fiction: that a point-in-time audit, conducted once per year, tells you anything meaningful about the security of a company's systems.

We watched companies spend £20,000–£50,000 per certification cycle — engineers taking screenshots, collecting access reviews, chasing policy sign-offs — only to produce a PDF that was already out of date by the time the ink was dry.

We saw terminated employees whose GitHub access was never revoked. We saw the same two developers reviewing each other's code for months. We saw vendor assurance reports expire quietly while nobody noticed.

Nobody was catching this. Not the auditors. Not the GRC tools. Not the security scanners. The gap between what companies claimed and what was actually true was invisible — and growing.

And nobody could prove what was never stored was actually never stored. Every other tool that connected to GitHub held your data somewhere. The only honest answer was to build a platform that held nothing — where the mathematics of the hash chain proved what was found, without retaining what was read.

So we built Normos to make that gap visible. Forensically. Automatically. Continuously. And with a guarantee no competitor makes: we access your systems, we never store your data, and we prove what we found without keeping what we read.

THE TIMING

Why Now

Three forces are converging simultaneously to make Normos not just useful but necessary.

01

The AI Regulation Wave

The EU AI Act, ISO 42001, and emerging UK AI governance frameworks are creating entirely new compliance obligations. Every company deploying AI agents needs to prove those agents are trustworthy, auditable, and controlled. The compliance industry is not ready for this. We are building for it.

02

The Enterprise Sales Bottleneck

UK SaaS companies are losing deals — or delaying them by months — because they cannot produce timely, credible compliance evidence. ISO 27001 and SOC 2 are now table stakes for enterprise procurement. The market for compliance automation is growing at 15–20% per year. The existing tools are not good enough.

03

The Ghost Account Epidemic

With remote work and high employee turnover, the gap between HR records and technical system access is wider than it has ever been. Former employees with active GitHub access. Developers reviewing their own code in closed loops. Machine credentials accumulating unaudited. No existing compliance tool detects any of this automatically.

OUR MISSION

Make trust provable, portable, and permanent.

Every company deserves to prove their security without hiring a team of auditors. Every AI agent deserves a trusted identity before it touches sensitive data. Every regulator deserves cryptographic proof, not a PDF.

"We don't just check your controls; we notarise your truth."

THE INNOVATIONS

What No Competitor Does

Most compliance tools check that your policies exist. Normos checks that your controls actually work — and can prove it mathematically. These capabilities have no direct market equivalent. They are the reason Normos exists.

Zero-Footprint Evidence Generation

NORMOS ORIGINAL — LIVE

Normos connects to your systems, analyses everything, and stores nothing except findings. No source code, no commit history, no user lists — ever. Even if Normos were breached, your data would not be at risk. We never held it in the first place. The hash chain proves what was found without retaining what was read.

Review Collusion Risk Detection

NORMOS ORIGINAL — LIVE

Analyses the pull request review graph to detect closed-loop review patterns — where the same developers consistently review each other's code. This is statistically invisible to human auditors. It represents a systemic control failure that no other tool detects. Normos surfaces it automatically.
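The closed-loop review pattern described above can be found by treating pull request reviews as a directed graph (author to reviewer) and looking for pairs of developers who cover almost all of each other's pull requests. The following is an added illustration in Python, not Normos code: the review records, the 80% mutual-share threshold and the five-PR minimum are constructed assumptions.

```python
from collections import defaultdict


def build_review_graph(reviews):
    """reviews: iterable of {"pr", "author", "reviewer"} records (one per review).

    Returns prs_by (author -> set of PR ids) and reviewed (author -> reviewer -> set of
    PR ids), i.e. a weighted directed graph from author to reviewer."""
    prs_by = defaultdict(set)
    reviewed = defaultdict(lambda: defaultdict(set))
    for r in reviews:
        if r["reviewer"] == r["author"]:
            continue  # a self-review carries no independent assurance; ignore it here
        prs_by[r["author"]].add(r["pr"])
        reviewed[r["author"]][r["reviewer"]].add(r["pr"])
    return prs_by, reviewed


def review_share(prs_by, reviewed, author, reviewer):
    """Fraction of `author`'s PRs that `reviewer` reviewed (0.0 if author has none)."""
    total = len(prs_by.get(author, ()))
    if total == 0:
        return 0.0
    return len(reviewed.get(author, {}).get(reviewer, ())) / total


def detect_closed_loops(reviews, min_share=0.8, min_prs=5):
    """Flag unordered pairs (a, b) where b reviews >= min_share of a's PRs AND
    a reviews >= min_share of b's PRs, with each side having at least min_prs PRs."""
    prs_by, reviewed = build_review_graph(reviews)
    authors = sorted(prs_by)
    flagged = []
    for i, a in enumerate(authors):
        for b in authors[i + 1:]:
            if len(prs_by[a]) < min_prs or len(prs_by[b]) < min_prs:
                continue
            a_by_b = review_share(prs_by, reviewed, a, b)
            b_by_a = review_share(prs_by, reviewed, b, a)
            if a_by_b >= min_share and b_by_a >= min_share:
                flagged.append({"pair": (a, b),
                                "share_a_by_b": round(a_by_b, 2),
                                "share_b_by_a": round(b_by_a, 2)})
    return flagged


# Constructed sample: alice and bob almost exclusively review each other;
# carol and dave are reviewed by a mix of people.
SAMPLE_REVIEWS = (
    [{"pr": f"a{i}", "author": "alice", "reviewer": "bob"} for i in range(1, 7)]
    + [{"pr": f"b{i}", "author": "bob", "reviewer": "alice"} for i in range(1, 6)]
    + [{"pr": "b6", "author": "bob", "reviewer": "carol"}]
    + [{"pr": f"c{i}", "author": "carol", "reviewer": "dave"} for i in range(1, 4)]
    + [{"pr": f"c{i}", "author": "carol", "reviewer": "alice"} for i in range(4, 6)]
    + [{"pr": f"d{i}", "author": "dave", "reviewer": "carol"} for i in range(1, 6)]
)

if __name__ == "__main__":
    for hit in detect_closed_loops(SAMPLE_REVIEWS):
        print("closed review loop:", hit)
```

The thresholds are deliberately parameters: a two-person team will always trip a naive version of this check, so in practice the minimum PR count and the share threshold should be tuned to team size, and the finding reported as a control weakness to investigate rather than as proof of wrongdoing.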

Machine Credential Sprawl

NORMOS ORIGINAL — LIVE

Automatically audits machine credentials, deploy keys, and OAuth app installations across your GitHub organisation. Detects write-access deploy keys where read-only suffices, and stale OAuth installations that have accumulated unreviewed. The non-human attack surface no other compliance tool monitors.

CI/CD Workflow Security

NORMOS ORIGINAL — LIVE

Detects dangerous GitHub Actions workflow configurations — fork PR injection risks, wildcard permissions, and workflows triggered by pull_request_target. Your CI/CD pipeline is part of your attack surface. Normos audits it continuously.
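The three configuration risks named above (pull_request_target triggers, wildcard permissions and fork-PR injection) are all visible in the workflow file itself, so they can be audited with a static check. Below is an added Python example of such a checker; it is not Normos code. It takes workflows already parsed into dicts (the shape `yaml.safe_load` produces, with the caveat that PyYAML reads the bare key `on` as boolean `True`), and the sample workflows and finding codes are constructed for illustration.

```python
import re

# Expressions that expand PR-author-controlled text directly into a shell step.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*github\.event\.(?:pull_request|issue|comment|review)\.[^}]+\}\}")
# Checkout refs that point at the pull request head, i.e. the fork's code.
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(?:ref|sha)")


def triggers(workflow):
    """Normalise the trigger block to {event: config}. Accepts the `on` key spelled
    as the string "on" or as boolean True (how PyYAML loads it)."""
    on = workflow.get("on", workflow.get(True))
    if on is None:
        return {}
    if isinstance(on, str):
        return {on: {}}
    if isinstance(on, list):
        return {event: {} for event in on}
    return on


def audit_workflow(workflow):
    """Return an ordered, de-duplicated list of finding codes for one workflow."""
    codes = []
    privileged_trigger = "pull_request_target" in triggers(workflow)
    if workflow.get("permissions") == "write-all":
        codes.append("WILDCARD_PERMISSIONS")
    if privileged_trigger:
        # Runs with the base repository's secrets and token even for fork PRs.
        codes.append("PULL_REQUEST_TARGET")
    for job in (workflow.get("jobs") or {}).values():
        if job.get("permissions") == "write-all":
            codes.append("WILDCARD_PERMISSIONS")
        for step in job.get("steps") or []:
            uses = str(step.get("uses", ""))
            ref = str((step.get("with") or {}).get("ref", ""))
            if privileged_trigger and uses.startswith("actions/checkout") and PR_HEAD_REF.search(ref):
                # Fork-controlled code executed in a privileged context.
                codes.append("FORK_CODE_IN_PRIVILEGED_CONTEXT")
            if UNTRUSTED_EXPR.search(str(step.get("run") or "")):
                codes.append("EXPRESSION_INJECTION")
    return list(dict.fromkeys(codes))


def audit_all(workflows):
    """workflows: {file name: parsed workflow}. Returns {file name: [codes]}."""
    return {name: audit_workflow(wf) for name, wf in workflows.items()}


# Constructed samples: one hardened workflow and one carrying every issue the check knows.
SAMPLE_WORKFLOWS = {
    "ci.yml": {
        "on": ["pull_request"],
        "permissions": {"contents": "read"},
        "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
            {"uses": "actions/checkout@v4"},
            {"run": "make test"},
        ]}},
    },
    "triage.yml": {
        True: {"pull_request_target": {"types": ["opened"]}},  # `on:` as PyYAML loads it
        "permissions": "write-all",
        "jobs": {"triage": {"runs-on": "ubuntu-latest", "steps": [
            {"uses": "actions/checkout@v4",
             "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
            {"run": 'npm ci && npm run label -- "${{ github.event.pull_request.title }}"'},
        ]}},
    },
}

if __name__ == "__main__":
    for name, codes in audit_all(SAMPLE_WORKFLOWS).items():
        print(name, codes or "clean")
```

The hardened form of the second workflow is the first one: a `pull_request` trigger, explicit least-privilege `permissions`, the default checkout, and untrusted event fields passed to scripts through environment variables rather than expanded inline into `run`.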

Dependency Exposure Window

NORMOS ORIGINAL — LIVE

Measures not just whether a vulnerable dependency exists, but how long it has been open. Dependabot alerts open for 30+ days are a control failure, not just a vulnerability. Normos surfaces the exposure window — the metric auditors actually care about.

Identity Conflict Detection

NORMOS ORIGINAL — PHASE 2

Cross-references HR termination records against technical systems in real time. Detects former employees who still have active GitHub access after leaving — automatically, continuously, with cryptographic proof. Traditional compliance tools check that an offboarding policy exists. Normos checks it was actually followed.

Evidence Freshness Decay

NORMOS ORIGINAL — PHASE 2

Monitors vendor compliance evidence on a continuous basis and issues proactive alerts before expiry: 30 days = HIGH, 14 days = CRITICAL, 7 days = emergency. Every other tool flags evidence that has already expired. Normos predicts audit failure before it happens.

HOW WE WORK

Our Principles

Forensic Certainty

We do not use AI inference for detection. Every finding is produced by deterministic rule-based logic — the same finding will always be produced from the same input. Findings are independently verifiable. This is the standard auditors require.

Zero Raw Data

We never store your source code, commit history, or business data. Only findings — the outputs of analysis — are persisted. Even if Normos were breached, no customer data would be at risk. We never held it in the first place.

Autonomous by Default

Normos never sleeps. Sleuth Agents run automatically every day — scanning your connected systems, computing a forensic hash chain, and emailing you the results. No manual scans. No manual evidence collection. No screenshots. No spreadsheets.

Built to Be Trusted

We eat our own dog food. Normos is built to the same security standards we help customers achieve — MFA enforced, AES-256-GCM encryption, 346/346 security tests passed. We would not ask customers to trust a platform we would not use ourselves.

THE STRATEGIC VISION

From Compliance Evidence to the Trust Protocol

We started with a narrow problem: ISO 27001 and SOC 2 evidence is manual, expensive, and untrustworthy. The forensic hash chain we built to solve that problem turns out to be the foundation for something much larger.

Every finding Normos generates is cryptographically chained to every finding before it. Tamper with one, the chain breaks. The entire evidence history becomes a single mathematical object — independently verifiable by anyone, at any time, without trusting Normos. This is not a feature. It is infrastructure.
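The two properties claimed for the chain, here and under "Zero-Footprint Evidence Generation" above (tampering with or removing any finding breaks every later link, and the record commits to what was read without storing it), can be demonstrated with a few lines of standard-library Python. This is an added example, not Normos's implementation: the `Finding` fields, the all-zero genesis value and the choice to store a SHA-256 digest of the raw evidence alongside each finding are assumptions made for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace

GENESIS = "0" * 64  # constructed anchor used as the "previous hash" of the first link


@dataclass(frozen=True)
class Finding:
    """The only record that is persisted. evidence_digest is a SHA-256 of the raw
    data the detector read; the raw data itself is discarded."""
    detector: str
    subject: str
    severity: str
    observed_at: str
    evidence_digest: str


def digest_evidence(raw_bytes):
    """Commit to raw evidence without keeping it."""
    return hashlib.sha256(raw_bytes).hexdigest()


def canonical(finding):
    # Deterministic serialisation: the same finding always hashes to the same value.
    return json.dumps(asdict(finding), sort_keys=True, separators=(",", ":")).encode()


def link_hash(prev_hash, finding):
    return hashlib.sha256(prev_hash.encode() + canonical(finding)).hexdigest()


def build_chain(findings):
    """Each entry's hash covers its own finding and the previous entry's hash."""
    entries, prev = [], GENESIS
    for finding in findings:
        digest = link_hash(prev, finding)
        entries.append({"finding": finding, "prev": prev, "hash": digest})
        prev = digest
    return entries


def verify_chain(entries):
    """Recompute every link from GENESIS. Anyone holding the entries can run this.
    Returns (True, None) or (False, index of the first bad link)."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry["prev"] != prev or link_hash(prev, entry["finding"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def tampered_copy(entries, index, **changes):
    """Return a copy with one finding altered, as a forger would have to do."""
    out = list(entries)
    entry = dict(out[index])
    entry["finding"] = replace(entry["finding"], **changes)
    out[index] = entry
    return out


def dropped_copy(entries, index):
    """Return a copy with one entry silently removed."""
    return entries[:index] + entries[index + 1:]


# Constructed sample findings; the evidence bytes are fabricated placeholders.
SAMPLE_FINDINGS = [
    Finding("deploy_keys", "org/repo-a", "HIGH", "2025-01-02T06:00:00Z",
            digest_evidence(b"<constructed deploy key listing>")),
    Finding("review_loops", "org/repo-b", "MEDIUM", "2025-01-02T06:00:01Z",
            digest_evidence(b"<constructed PR review graph>")),
    Finding("stale_alerts", "org/repo-c", "HIGH", "2025-01-02T06:00:02Z",
            digest_evidence(b"<constructed Dependabot alert list>")),
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_FINDINGS)
    print("intact:", verify_chain(chain))
    print("severity edited:", verify_chain(tampered_copy(chain, 1, severity="LOW")))
    print("entry removed:", verify_chain(dropped_copy(chain, 1)))
```

A hash chain on its own proves internal consistency; it does not by itself prove that the chain was not rebuilt from scratch by whoever holds it. That is why the roadmap pairs it with anchoring on an external ledger and digital signatures, which bind a given chain head to a point in time and to a signer.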

In Phase 4, that infrastructure becomes the Normos Score — a real-time, continuously updated trust rating derived from the hash chain. Not a self-assessment. Not an annual PDF. A live, mathematically verifiable signal of an organisation's security posture, queryable by any system that needs to make a trust decision.

In Phase 5, that same infrastructure extends to AI agents. By 2027, 40% of enterprise applications will use AI agents — autonomous systems that access data, make decisions, and interact with other systems. These agents need a trust protocol. Before Agent A shares sensitive data with Agent B, it needs to know: is Agent B compliant? Does Agent B have active findings? Is Agent B's evidence fresh?

The Governance Gateway answers those questions in milliseconds, with cryptographic proof. The hash chain you see on your ISO 27001 evidence package today is the same chain that will verify an AI agent's behaviour in the enterprise economy of 2029. We are not building a compliance tool. We are building the trust infrastructure for the next decade of digital commerce.

THE DESTINATION

Phase 1 proves compliance for 5 UK SaaS companies.
Phase 4 becomes the trust rating infrastructure for global B2B commerce.
Phase 5 becomes the governance layer for the AI agent economy.
Phase 6 is compliance baked into the cloud itself.

Every phase is built on the same forensic hash chain. Every customer we onboard today becomes part of the trust network we are building for tomorrow.

THE TEAM

Who We Are

CT

Founder — Normos Technologies Ltd

London, UK

Building the Operating System of Trust™. Previously worked across technology and compliance domains, identifying the gap between what companies claim and what is actually true about their security posture. Normos is the platform built to close that gap — forensically, automatically, and continuously.

We are a lean founding team. If you are passionate about security, compliance, and building infrastructure that matters — we would love to hear from you. Reach out at [email protected]

WHERE WE ARE GOING

The Roadmap

Phase 1: The Forensic Auditor (LIVE NOW)

5 UK pilot customers. 21 Sleuth detectors across 5 domains. Automated daily scanning. ISO 27001 + SOC 2 evidence packages. SHA-256 forensic hash chain on every scan. Four proprietary innovations live: Zero-Footprint Evidence Generation, Review Collusion Risk Detection, Machine Credential Sprawl, CI/CD Workflow Security.

Phase 2: The Trust Network (NEXT)

Azure SQL Ledger notarisation — findings sealed on an immutable external ledger. ML-DSA post-quantum signing via Azure Key Vault. GitLab integration. SCIM universal directory sync (Okta, Entra ID, Google Workspace). HR integrations: HiBob, BambooHR. Real-time finding alerts. Normos Trust Badge™. Normos Score beta. Seed round.

Phase 3: The Compliance OS

Multi-framework — ISO 42001, CE+, HIPAA. Continuous control monitoring with real-time alerting. Customer-facing compliance timeline. Board reporting. Insurance partnerships. Series A.

Phase 4: The Protocol of Proof

The Normos Score API™ — real-time trust ratings replacing static SOC 2 PDFs. Score-gated procurement — enterprises require a minimum Normos Score™ from suppliers. FCA and ICO regulatory recognition.

Phase 5: The A2A Economy

The Governance Gateway™ — border control for AI agent interactions. Agent identity verification. Agent behaviour forensics. ISO 42001 compliance verification in milliseconds. The trust protocol for the AI agent economy.

Phase 6: The Compliance Cloud

Born Compliant™ hosting — compliance proof from the moment a workload starts. GRC baked into the kernel. Defence, Banking, MedTech, Government. The compliance infrastructure of the internet.

Ready to see it in action?

We are selecting 5 UK-based SaaS teams for our Phase 1 Pilot Programme.