CUSTODIAN · COMPLIANCE AGENT
Are you audit-ready right now?
AgentAnywhere Custodian is the continuous compliance and audit agent for your internal developer platform. It reads your Backstage software catalog, maps every service to SOC 2, ISO 27001, and RBI FREE-AI controls, flags drift before auditors do, and produces verifiable evidence packs — with every action governed by Guardrails and provenance-stamped by TrustFabric.
Nobody can answer “are we audit-ready today?” from the catalog alone.
Large engineering organizations run hundreds or thousands of catalog entities. Ownership goes stale. Documentation rots. Services ship without security review. Dependencies hit end-of-life. Evidence for SOC 2, ISO 27001, and RBI cycles is still assembled manually — weeks before every audit.
Custodian exists for the moment a supervisor, a board, or a CISO asks for proof — not a slide, not a spreadsheet scramble. It is compliance-native: SOC 2, ISO 27001, and RBI FREE-AI aligned, with TrustFabric-signed evidence chains tying every claim back to a real service and a real document.
Why the catalog can't answer the question.
Manual evidence assembly
Weeks, every cycle. Control-to-service mapping and auditor packets rebuilt from scratch before each audit — by hand, by the team that can least afford the time.
Catalog ≠ reality
Drift hides until audit. Ownerless services, stale TechDocs, end-of-life dependencies, golden-path violations — invisible in a catalog that everyone trusts and no one verifies.
Data residency ≠ compliance
The governance gap. Hosting in-region does not prove your controls are met. Custodian governs the control plane itself — not just where the data lives.
Read. Ground. Assess. Prove.
Catalog ingestion — Pull components, APIs, systems, and relations from Backstage (connector #1). Normalize to a connector-agnostic model so Port, ServiceNow, or internal registries can follow without rewriting the agent core.
KnowledgeIndex — A structured catalog graph plus TechDocs content. For a compliance agent, the knowledge base is the evidence source: control to entity to the actual document.
Control mapping — Pluggable framework packs. Structural checks — ownership, end-of-life dependencies, golden path, documentation freshness — plus content validation: does the document actually satisfy the control?
Drift detection — Ownerless services, deprecated dependencies, missing or stale documentation, content-validation failures. First-class signals, not afterthoughts buried in a report nobody reads.
Posture dashboard — An audit-ready percentage headline, per-service and per-framework readiness, and a documentation-coverage sub-score. The answer to “are we ready?” as a number, continuously.
Evidence packs — On demand: control to entity to evidence, drawn from the same KnowledgeIndex, signed by TrustFabric, exported as JSON and PDF for auditors.
The knowledge base is the evidence.
Custodian does not bolt a generic RAG chatbot onto your catalog. The KnowledgeIndex is a structured graph: every component, API, system, and relation as a first-class node, with the TechDocs that document it attached.
That structure is the difference between an answer and an artifact. When a control is assessed, Custodian can trace the exact path — control to the entity it governs to the document that evidences it — and hand that chain to an auditor. A chat interface can summarize. An index can prove.
Because the index is the same substrate the assessment runs on, there is no second system to keep in sync. The thing that answers the question is the thing that proves the answer.
Framework packs are data, not code.
Controls live as declarative packs — structural checks and content-validation rules — so a new framework is a data change, not an agent rewrite. SOC 2 ships today; ISO 27001 and RBI FREE-AI follow on the same schema.
Shipping now
- SOC 2 — the primary pack. Ownership, change management, access, documentation, and dependency controls mapped to live catalog entities.
- Structural checks — ownership, end-of-life dependencies, golden-path conformance, documentation freshness.
- Content validation — not just “is there a doc?” but “does the doc actually satisfy the control?”
On the roadmap
- ISO 27001 — information security management controls on the same pack schema.
- RBI FREE-AI — aligned with the framework AgentAnywhere already maps platform-wide, brought to the catalog surface.
- Connector-agnostic packs — written once against the normalized model, reused across Backstage and future catalog connectors.
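To make the pipeline above concrete (catalog ingestion into a normalized model, a declarative framework pack, structural and content checks, drift and posture, and a control-to-entity-to-document evidence chain), here is an added, self-contained Python illustration. It is not Custodian's or AgentAnywhere's code and does not use their APIs. It assumes a constructed catalog snapshot written in the real Backstage entity shape (`kind`, `metadata`, `spec.owner`, `spec.dependsOn`), a hypothetical `example.com/eol` annotation for dependency end-of-life, constructed control IDs (`OWN-1`, `DEP-1`, `DOC-1`) rather than real SOC 2 criteria, a fixed assessment date, and HMAC-SHA256 over a hash chain as a stand-in for TrustFabric signing.

```python
import hashlib
import hmac
import json
from datetime import date

TODAY = date(2025, 6, 1)  # fixed "now" so the assessment is deterministic

# Constructed catalog snapshot in Backstage entity shape (not a real catalog).
# 'example.com/eol' is a hypothetical annotation, not a Backstage standard.
CATALOG = [
    {"kind": "Component", "metadata": {"name": "payments-api",
     "annotations": {"backstage.io/techdocs-ref": "dir:."}},
     "spec": {"type": "service", "owner": "group:team-payments",
              "dependsOn": ["resource:postgres-11"]}},
    {"kind": "Component", "metadata": {"name": "legacy-batch", "annotations": {}},
     "spec": {"type": "service", "owner": "", "dependsOn": ["resource:postgres-11"]}},
    {"kind": "Resource", "metadata": {"name": "postgres-11",
     "annotations": {"example.com/eol": "2023-11-09"}},
     "spec": {"type": "database", "owner": "group:team-data"}},
]

# Constructed TechDocs content keyed by normalized entity ref.
TECHDOCS = {
    "component:payments-api": {"path": "docs/operations.md", "updated": "2025-04-20",
        "text": "Change management: every release needs approval from two reviewers."},
}

# Framework pack as data: which entities it applies to and which check each control runs.
SOC2_PACK = {
    "framework": "SOC 2 (constructed subset)",
    "applies_to": {"kind": "Component", "type": "service"},
    "controls": [
        {"id": "OWN-1", "title": "Service has an accountable owner", "check": "owner_present"},
        {"id": "DEP-1", "title": "No end-of-life dependencies", "check": "no_eol_dependency"},
        {"id": "DOC-1", "title": "Change management documented and current", "check": "doc_satisfies",
         "max_age_days": 180, "required_phrases": ["change management", "approval"]},
    ],
}


def normalize(entities):
    """Map Backstage entities onto a connector-agnostic model keyed by entity ref."""
    index = {}
    for e in entities:
        ref = f"{e['kind'].lower()}:{e['metadata']['name']}"
        index[ref] = {"ref": ref, "kind": e["kind"], "type": e["spec"].get("type", ""),
                      "owner": e["spec"].get("owner", ""),
                      "depends_on": e["spec"].get("dependsOn", []),
                      "eol": e["metadata"].get("annotations", {}).get("example.com/eol")}
    return index


# Each check returns (passed, evidence). Evidence is what an auditor would be shown.
def owner_present(entity, index, control, docs):
    return bool(entity["owner"]), {"owner": entity["owner"] or None}


def no_eol_dependency(entity, index, control, docs):
    expired = []
    for dep in entity["depends_on"]:
        eol = index.get(dep, {}).get("eol")
        if eol and date.fromisoformat(eol) <= TODAY:
            expired.append(dep)
    return not expired, {"eol_dependencies": expired}


def doc_satisfies(entity, index, control, docs):
    """Content validation: the document must exist, be fresh, and cover the control."""
    doc = docs.get(entity["ref"])
    if not doc:
        return False, {"document": None, "reason": "no TechDocs for entity"}
    age = (TODAY - date.fromisoformat(doc["updated"])).days
    missing = [p for p in control["required_phrases"] if p not in doc["text"].lower()]
    ok = age <= control["max_age_days"] and not missing
    return ok, {"document": doc["path"], "age_days": age, "missing_phrases": missing}


CHECKS = {"owner_present": owner_present, "no_eol_dependency": no_eol_dependency,
          "doc_satisfies": doc_satisfies}


def assess(pack, index, docs):
    """Run every control of the pack against every entity it applies to."""
    sel = pack["applies_to"]
    targets = [e for e in index.values() if e["kind"] == sel["kind"] and e["type"] == sel["type"]]
    return [{"control": c["id"], "entity": e["ref"], "passed": passed, "evidence": ev}
            for c in pack["controls"] for e in targets
            for passed, ev in [CHECKS[c["check"]](e, index, c, docs)]]


def posture(results):
    """Audit-ready percentage plus the drift list (failed control/entity pairs)."""
    drift = [r for r in results if not r["passed"]]
    pct = round(100 * (len(results) - len(drift)) / len(results), 1) if results else 0.0
    return pct, drift


def build_evidence_pack(results, key):
    """Hash-chain each record to its predecessor and sign the chain head (HMAC stands in for TrustFabric)."""
    prev, records = "0" * 64, []
    for r in results:
        digest = hashlib.sha256((prev + json.dumps(r, sort_keys=True)).encode()).hexdigest()
        records.append({"record": r, "prev": prev, "hash": digest})
        prev = digest
    return {"records": records, "head": prev,
            "signature": hmac.new(key, prev.encode(), "sha256").hexdigest()}


def verify_evidence_pack(pack, key):
    """Recompute the chain; any edited record, reordering, or wrong key fails verification."""
    prev = "0" * 64
    for entry in pack["records"]:
        body = json.dumps(entry["record"], sort_keys=True)
        if entry["prev"] != prev or hashlib.sha256((prev + body).encode()).hexdigest() != entry["hash"]:
            return False
        prev = entry["hash"]
    expected = hmac.new(key, prev.encode(), "sha256").hexdigest()
    return prev == pack["head"] and hmac.compare_digest(pack["signature"], expected)


if __name__ == "__main__":
    results = assess(SOC2_PACK, normalize(CATALOG), TECHDOCS)
    pct, drift = posture(results)
    print(f"audit-ready: {pct}%  drift items: {len(drift)}")
    for d in drift:
        print(f"  {d['control']} {d['entity']} -> {d['evidence']}")
    print(json.dumps(build_evidence_pack(results, b"constructed-key"), indent=1)[:400])
```

The point the page makes about the index being the evidence shows up in `assess`: the same normalized entity that the check runs against is the one named in the evidence record, and `build_evidence_pack` chains those records so a single altered verdict invalidates the whole pack. Adding a new framework here means adding another `controls` list, not another function, which is what "packs are data, not code" means in practice.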
The same governance plane as every other agent.
Custodian is not a side tool with its own security model. It runs on the AgentAnywhere stack and inherits the platform's governance.
Agent Universal Gateway routes every content-validation model call. Model Hub governs model selection — sovereign or on-prem when the deployment requires it. Guardrails enforces policy on every action, so there are no silent writes without a credential. TrustFabric signs evidence packs into an immutable, versioned chain. Observe keeps an audit log of every sync, drift, and evidence event.
Sovereign mode — when enabled, Custodian routes inference only through approved on-prem models. External egress is blocked at Model Hub. Compliance does not require shipping your catalog to someone else's cloud.
Not a Backstage plugin. A governed external agent.
Custodian runs outside Backstage and treats it as a data and action substrate via APIs — Catalog, TechDocs, and, later, Scaffolder for guardrailed remediation. Nothing to install inside your portal; nothing that ships with your developers' page loads.
Your platform team keeps Backstage exactly as it is. Your compliance team gets continuous posture and auditor-ready artifacts. And because the agent core is connector-agnostic, the same engine extends to Port, ServiceNow, or an internal registry — Backstage is the first connector, not the only one.
Who it's for.
BFSI, insurance, healthcare systems, government digital platforms — anywhere a missing control mapping is a regulatory event, not a ticket.
CISO / Head of Compliance / GRC
Audit readiness as a continuous number, defensible evidence on demand, and sovereign governance over how it is produced. The decision buyer.
Platform Engineering
Owns Backstage and the catalog's health day to day. Custodian turns catalog hygiene into a posture signal instead of a nag. The champion.
Internal audit
Scoped evidence packs — control to entity to document — without exposing the full catalog or waiting on a quarterly assembly exercise.
What you explore. What you deploy.
AgentAnywhere Core (open) gives you:
- The connector interfaces — the normalized catalog model Backstage and future connectors map to
- The framework pack schema — write and test structural and content-validation rules
- KnowledgeIndex query seams for exploration and prototyping
Commercial Custodian adds:
- The production Backstage connector and the shipped SOC 2 framework pack
- Drift and posture APIs, and the audit-ready posture dashboard
- TrustFabric evidence signing and the immutable evidence chain
- Sovereign routing through Model Hub, plus Guardrails policy enforcement
- Enterprise support, SLAs, and architecture review
The boundary is the same one as the rest of the platform: open seams are enough to learn the model and prototype; the commercial agent is what you run when a regulator is going to look at your catalog.
FAQ
Frequently asked questions.
- What is AgentAnywhere Custodian?
- AgentAnywhere Custodian is a continuous compliance and audit agent for your internal developer platform. It reads your Backstage software catalog, maps every service to SOC 2, ISO 27001, and RBI FREE-AI controls, flags drift before auditors do, and produces verifiable, TrustFabric-signed evidence packs.
- Is Custodian a Backstage plugin?
- No. Custodian is a governed external agent, not a Backstage plugin. It runs outside Backstage and uses its APIs — Catalog, TechDocs, and later Scaffolder for guardrailed remediation — so there is nothing to install inside your portal. The agent core is connector-agnostic, with Backstage as the first connector and Port, ServiceNow, or internal registries to follow.
- Which compliance frameworks does Custodian support?
- SOC 2 ships today as the primary framework pack. ISO 27001 and RBI FREE-AI are on the roadmap on the same schema. Framework packs are data, not code, so adding a framework is a data change rather than an agent rewrite. Each pack combines structural checks (ownership, end-of-life dependencies, golden path, documentation freshness) with content validation that confirms a document actually satisfies the control.
- How does Custodian produce audit evidence?
- Custodian builds a KnowledgeIndex — a structured graph of catalog entities plus the TechDocs that document them. On demand it traces control to entity to the evidencing document, signs the result with TrustFabric into an immutable, versioned chain, and exports the evidence pack as JSON and PDF for auditors.
- Can Custodian run on-premises or in a sovereign deployment?
- Yes. In sovereign mode, Custodian routes inference only through approved on-prem models via Model Hub, and external egress is blocked. Every action is governed by Guardrails and logged by Observe, so continuous compliance does not require sending your catalog or documentation to an external cloud.
- Who is Custodian for?
- The decision buyer is the CISO, Head of Compliance, or GRC team; Platform Engineering is the champion that owns Backstage; and internal audit consumes scoped evidence packs. It is built for regulated platform teams in BFSI, insurance, healthcare systems, and government digital platforms, where a missing control mapping is a regulatory event.
Continuous compliance for the catalog you already have.
If your organization runs Backstage — or plans to — and your next audit expects control-level evidence tied to real services and real documentation, we should talk.
