NovaGuardian – Autonomous Compliance Agent Fleet

From Controls to Confidence — Autonomous Compliance, Powered by Nova. NovaGuardian automates enterprise compliance audits end-to-end using Amazon Nova 2 Lite, Nova Multimodal Embeddings, and Nova Act.

Comment

Inspiration

Enterprise compliance audits (SOC2, ISO27001, HIPAA) are manual, slow, and costly. Teams spend weeks gathering evidence, mapping controls to policies, and writing reports. We wanted to show how agentic AI can orchestrate the full audit workflow: plan controls, retrieve relevant policy with semantic search, gather evidence, score risk, and generate reports—so auditors get a consistent, repeatable result in minutes instead of weeks.

What it does

NovaGuardian runs autonomous compliance audits end-to-end:

  • Orchestrator (Nova 2 Lite) plans the audit and coordinates Policy, Evidence, Risk, and Report agents.
  • Policy Service uses Nova Multimodal Embeddings for semantic policy retrieval and Nova 2 Lite for control applicability and summaries.
  • Evidence Service uses Nova Act (or mock) to collect evidence from HR, ticketing, and cloud sources.
  • Risk Service computes a 0–100 risk score and Low/Medium/High category from evidence and policy alignment.
  • Report Service (Nova 2 Lite) generates an executive summary and full audit report.
  • Historical Audit Memory persists each audit and computes risk trend (improving / stable / worsening) and recurring control issues.
  • Auto-remediation suggests actions after the audit; the user chooses which to run (e.g. access review, deprovisioning) via Nova Act.

Users can run audits from the dashboard UI (framework + control IDs), view results (controls, evidence, risk, report, remediation), and see overall audit results and risk trend on the dashboard, which auto-refreshes.

How we built it

  • Backend: Python 3.11, FastAPI (gateway), with microservices for policy, evidence, risk, and report. Shared core (Pydantic models, Nova Lite client, policy retrieval with Nova embeddings). Orchestrator calls services in-process or via HTTP.
  • Nova integration: Amazon Bedrock for Nova 2 Lite (orchestration prompts, policy summaries, report generation) and Nova Multimodal Embeddings (policy chunk embeddings and semantic search). Nova Act (or mock) for evidence gathering and remediation workflows.
  • Frontend: React 18, Vite, Tailwind CSS. Dashboard with New Audit, Results (tabs: Summary, Controls, Evidence, Risk, Remediation, Full report, Audit trail), History (past audits + trends), and auto-refreshing overall results and risk trend.
  • Data: File-based audit history (JSON) for persistence; trend logic compares risk scores over time and counts recurring control issues and risk factors.
  • Deployment: Docker (multi-stage build: Node for UI, Python for API); Terraform for AWS (ECR, ECS Fargate, Application Load Balancer, IAM with Bedrock permissions). Single image serves API + UI at /app.

Challenges we ran into

  • Architecture: Running the same code path for in-process (local/demo) vs HTTP (distributed) services required a clean service_clients abstraction and env-based URLs.
  • Deployment: Building the Docker image on an ARM Mac produced an image that failed on ECS Fargate (x86_64) with "exec format error." We fixed this by using Docker Buildx with --platform linux/amd64 and pushing directly so the registry always gets an amd64 image.
  • ALB/health: Getting 503 and 504 from the load balancer when the ECS task was still starting or unhealthy. We added a health check grace period (120s) in the ECS service and documented troubleshooting (target group health, CloudWatch logs).
  • UI under one origin: Serving the React app at /app with client-side routing required Vite base: '/app/', React Router basename="/app", and FastAPI routes for /app and /app/* plus static mount for /app/assets.

Accomplishments that we're proud of

  • Multi-agent design with a clear orchestrator and dedicated agents for policy, evidence, risk, and report, all wired to Nova 2 Lite, Nova Embeddings, and Nova Act.
  • End-to-end flow from a single audit request to control checks, evidence, risk score, and generated report, with historical audit memory and risk trend (improving/stable/worsening) and remediation offered after the audit.
  • Dashboard that auto-reflects overall audit results and risk trend, with History and Remediation tabs, and a single Docker image deployed on AWS (no separate UI server).
  • Mock mode so the app runs without Bedrock credentials for demos; Terraform variables for mock_nova, nova_lite_model_id, and nova_embed_model_id for easy production use.

What we learned

  • Buildx and platform: Cross-building for linux/amd64 from an ARM host and pushing directly avoids "exec format error" on Fargate and keeps CI/deploy simple.
  • Agentic patterns: Using Nova 2 Lite for both orchestration (planning control order) and content (report writing) kept the flow coherent; Nova Embeddings for policy retrieval gave better relevance than keyword search.
  • Grace period and health: ECS needs enough time for the container to start before the ALB marks the target healthy; documenting target group and CloudWatch logs helped debug 503/504 quickly.

What's next for NovaGuardian – Autonomous Compliance Agent Fleet

  • Continuous compliance monitoring: Schedule periodic audits and alert on risk trend or control drift.
  • Cross-framework mapping: Map controls across SOC2, ISO27001, and HIPAA for unified coverage views.
  • Voice-driven audits: Start or query audits via voice (e.g. Alexa or Nova voice).
  • External auditor portal: Share read-only audit results and trend dashboards with auditors via secure links.
  • Production Nova Act: Replace mock with full Nova Act integration for evidence and remediation in customer environments.

Built With

  • amazon-bedrock
  • amazon-nova-2-lite
  • amazon-nova-act
  • amazon-nova-multimodal-embedding
  • docker
  • ecr
  • ecs-fargate
  • javascript
  • python
  • react
  • tailwind-css
  • terraform
  • vite
Share this project:

Updates