Compliance, declared honestly.
A tool can disprove a control — a fired check is a real failure — but it can never prove conformance. Watchdog evidences the automatable slice, blocks you from passing a control it caught failing unless you record a reason, and leaves the rest with a named person who self-declares. We measure; you declare; we never certify.
A clean automated result is necessary, not sufficient — a green Watchdog score is never, by itself, a compliance claim.
How a control gets evaluated — what a tool can do, and where a human must.
Tool-automated
The automatable surface — a live CVE, a committed secret, a missing label. A failure here is real: the control is pre-set to Fail and gates sign-off.
Evidence-assisted
Needs rendered runtime, assistive tech, or operational evidence — contrast, focus order, access control, backups. You evaluate; we record the basis.
Human judgement
Governance, incident handling, the resilience-testing programme, alt-text equivalence. You judge it — and it's recorded as your judgement, never dressed up as tool-evidence.
The integrity keystone: we won't let you pass what we caught failing.
The failure-gate
A caught failure pre-sets the control to Fail and locks it. To mark it Pass you must record a written justification — reproduced in full in an Integrity section of the artifact. A thermometer you can hide readings from is rigged; this one can't be.
Provenance on every line
Each verdict says how it was reached: tool-verified / evidence-assisted / AI-drafted-and-reviewed / human attestation — so a buyer, auditor or competent authority sees which claims a machine stands behind and which a person does.