Meridian

Regulatory integrity at scale

Skip the DIY. Ship with integrity.

Meridian closes the gap between GRC policy and engineering execution. Machine-readable policy translates into automated pipeline controls, immutable evidence is captured at every step, and a single authoritative record is ready the moment an audit begins.

  • Standards authored: 5 (Gemara, AGMM, CCC, OSPS, CALM)
  • Open governance: OpenSSF · FINOS · CNCF; independently stewarded, no vendor lock-in
  • Deployment: air-gap ready; SaaS, dedicated, or fully offline

The problem

Compliance and engineering should share a single system of record.

No single tool has resolved the compounding tension between fast delivery and provable compliance. Meridian's thesis: compliance should be automated end-to-end, with immutable evidence at every step — and that requires a common language.

Engineering wants speed

CI/CD pipelines, microservices, and cloud-native deployments have accelerated software delivery. The tools engineers use are optimized for velocity.

Compliance demands proof

DORA, SOC 2, NIST, ISO 27001, FedRAMP, and others require documented evidence that every change was reviewed, approved, and deployed correctly — evidence that is today gathered manually, inconsistently, and expensively.

The gap creates compounding risk

Manual evidence collection introduces human error. Homegrown compliance tooling accumulates technical debt. When a supply-chain incident occurs, organizations discover their compliance posture existed on paper, not in production.

The platform

One closed loop from policy to production.

Meridian is a cross-cutting orchestration platform — not a point solution. Each component maps to one or more Gemara layers and feeds the others, forming a closed loop from policy design to production audit.

Pipeline-agnostic. Full CLI and API surface — no vendor-specific runners required.

  • Gemara Layers 1–3

    Chancery

    GRC & policy development

    Author regulatory requirements as machine-readable policy. Pre-seeded with FINOS Common Cloud Controls; preview policy impact before execution.

  • Gemara Layer 4

    Loft

    Architecture governance

    Design systems in CALM. Auto-ingests Chancery policy and validates architecture against it before any code is approved.

  • Gemara Layer 5

    Tackle

    DevTool orchestration

    Orchestrates engineering assistants and scanners. Auto-configures tooling based on active policy; tracks installation and usage data.

  • Gemara Layers 4–6

    Slipway

    Hybrid-cloud deployment

    Hot-swap between cloud providers and on-premises data centers. Resilient multi-environment deployment, recorded immutably end-to-end.

  • Gemara Layer 7

    Patrol

    Continuous monitoring

    Detects runtime drift against the approved state. Bulk configuration management with centralized alerts and telemetry across the estate.

  • Gemara Layer 7

    Admiralty

    Executive single-pane-of-glass

    Implementation status, audit findings, and continuous monitoring outcomes — synthesized for CISO, GRC, and board-level review.

Open standards foundation

We didn't build on the ecosystem. We built it.

Meridian's founding team authored — and co-authored — the open standards the compliance automation industry is converging on, and contributed them to neutral governance at OpenSSF, FINOS, and CNCF. Customers build on independently stewarded standards. Meridian is the commercial platform that makes them operational.

  • Taxonomy and schemas governed independently — no vendor lock-in
  • Any tool in the ecosystem can interoperate
  • Competitors must adopt our architecture or build proprietary equivalents

  1. Model · Governed by OpenSSF

    Gemara

    GRC Engineering Model for Automated Risk Assessment. The schema and taxonomy backbone — written in CUE — that makes the entire stack interoperable.

  2. Model · Governed by CNCF

    Automated Governance Maturity Model

    Co-authored within the CNCF community, the AGMM defines how organizations measure and advance their automated-governance practice. Operates at Gemara Layer 1, framing how risks are identified and addressed across the stack.

  3. Layer 2 · Governed by FINOS

    FINOS Common Cloud Controls

    The leading open catalog of machine-readable cloud compliance controls. Pre-seeds Chancery with financial-grade security controls.

  4. Layer 2 · Governed by OpenSSF

    OpenSSF OSPS Baseline

    A Gemara-native security baseline for open source software delivery — directly applicable to the engineering pipelines Meridian targets.

  5. Architecture · Governed by FINOS

    CALM

    Common Architecture Language Model. Open-sourced by Morgan Stanley, deployed across thousands of internal systems. Powers Loft.

Already in production

The open standards Meridian is built on are already running inside the world's most regulated organizations.

Meridian is pre-launch as a commercial platform. Our trust signal today is ecosystem adoption — Meridian's architectural choices are validated at scale inside the same kinds of enterprises Meridian was built for.

  • Morgan Stanley

    CALM · FINOS Common Cloud Controls

    Open-sourced CALM through FINOS with 1,400+ internal deployments; member of the FINOS CCC Steering Committee

  • Citibank

    FINOS Common Cloud Controls / Gemara

    Production use of the control catalog

  • RBC

    FINOS Common Cloud Controls / Gemara

    Production use of the control catalog

  • CVS Health

    FINOS Common Cloud Controls / Gemara

    Production use of the control catalog

  • Red Hat

    Gemara · FINOS Common Cloud Controls

    Founding Gemara maintainer alongside Meridian; member of the FINOS CCC Steering Committee

  • Linux Foundation

    Gemara

    Confirmed commercial customer

Adoption refers to the open standards underlying Meridian, not the commercial platform. Commercial customer references will be added as they are confirmed.

Proof of Value

See the ROI before you commit.

A structured engagement in your actual environment. We identify specific governance bottlenecks using your real pipeline and compliance data, and prove compliance-automation ROI before any full-scale deployment decision.

  • Identify governance bottlenecks in your real pipelines
  • Quantify audit-prep and approval-time baseline
  • Demonstrate measurable ROI before contract
  • Reduce procurement risk on both sides