Skip to main content
Argitron
Start free
Menu
ISO/IEC 27001:2022 ISO/IEC 42001:2023 ITIL 4 NIS2 · DORA · EU AI Act

Governance that actually runs.

One self-hosted binary. ISO 27001 ISMS, ISO 42001 AIMS, ITIL 4 service management, and project portfolio governance — running on the same data model, in your VPC, with one audit trail. Evidence is a byproduct of the work.

Start free See published pricing Talk to a human →

Free under 25 assets, forever. No credit card. No sales gate.

$ argitron start
2026-04-25T09:21:14Z  argitron 1.4.0 starting
2026-04-25T09:21:14Z  isms     ready   ISO 27001 Annex A · 93 controls
2026-04-25T09:21:14Z  aims     ready   ISO 42001 Annex A · 38 controls
2026-04-25T09:21:14Z  itsm     ready   ITIL 4 · 34 practices
2026-04-25T09:21:14Z  pm       ready   portfolio · 8 stage gates
2026-04-25T09:21:14Z  workflow ready   34 activities · 30 playbooks
2026-04-25T09:21:14Z  evidence ready   signed · hash-chained · WORM
2026-04-25T09:21:15Z  serving https://localhost:8443

$ argitron audit run --framework iso-27001 --evidence-pack
  collecting 93/93 controls  ok
  bundling   soa.pdf risk-treatment-plan.pdf evidence/
  signing    cosign · sha256:f8c3…b2a9
  ready  ./out/iso-27001-2026-04-25.bundle.tar.gz

One binary. No dashboard sprawl. No SaaS data exfiltration. Your VPC, your data, your auditor's bundle.

Run the management system, not the spreadsheet.

Risk register, Statement of Applicability, control library, AI-system inventory, internal audit, and management review — first-class objects, not Confluence pages.

One audit trail across PM → ITIL → ISMS → AIMS.

A project stage gate produces a change request that satisfies ITIL change enablement, ISO 27001 A.8.32, and ISO 42001 A.6 lifecycle — at the same time, on the same record.

Evidence the auditor can verify.

Every action emits framework-tagged, signed, hash-chained evidence. Generate the SoA, risk treatment plan, internal-audit reports, and management-review pack from live data — not stale screenshots.

Why Argitron exists

Most GRC tools were built to attest. Argitron was built to operate.

The compliance-automation category sells the appearance of governance: screenshots, checklists, slack-bot reminders. That works until an auditor opens a control and asks 'show me how you actually run this.'

ISO 27001, ISO 42001, ITIL 4 and your project portfolio are not five different conversations. They are one operating system: people doing work, decisions being made, controls being applied, evidence being generated.

We built Argitron the other way around. Run the management system properly — PDCA, change enablement, project stage gates, AI lifecycle, risk treatment — and the audit evidence writes itself.

Tools that attest tell your auditor what you claim. Argitron runs the operating system, and the evidence is the byproduct.

The compliance-automation category Argitron
Collects evidence of claims you makeRuns the management system; evidence is the byproduct
SaaS, US-hosted, your data leaves your VPCSingle binary in your infrastructure; data never leaves
Compliance only — buy ITSM and PM separatelyISMS + AIMS + ITIL + PM on one data model
Demo-gated quote, $20–45k medianPublished pricing. Free under 25 assets.
Renewals jump 40–100%Renewals don't jump until you cross the next tier

What's in the binary

Six pillars on one data model.

A control isn't a row in a Vanta tab and a Jira issue and a JSM ticket. It's one record, with one history, that satisfies every framework that maps to it.

Govern

ISMS + AIMS in one tool. ISO 27001 Annex A (93 controls in 4 themes) and ISO 42001 Annex A (38 controls in 9 areas) on one control library, one risk register, one Statement of Applicability.
Learn more

Service

ITIL 4, the practices that matter. Incident, problem, change enablement, service request, CMDB, SLA management, IT asset management — without the ServiceNow implementation cost.
Learn more

Workflows

A workflow engine that polyglot teams can extend. 34 activities across HTTP, email, database, ticketing, identity, cloud, AI. Approval gates, SLA timers, BPMN-friendly. Five language SDKs.
Learn more

Projects

Portfolio, programmes, projects, tasks. RAID logs, stage gates, capacity planning, dependency management, benefits realisation. Project risks roll up to the enterprise risk register the SoA references.
Learn more

Audit

Continuous control testing + signed evidence. Vulnerability + misconfiguration scans, IaC checks, secret detection, asset discovery — outputs auto-attached to the controls they satisfy. Cosign-signed bundles.
Learn more

Respond

30 playbooks ship pre-built. Open the PR, revoke the key, rotate the secret, page the on-call. Approval gates for blast-radius-sensitive actions. Reversibility documented for every action.
Learn more

At a glance

The numbers we're comfortable putting on the page.

Honest scope. We tell you what's solid, what's young, and what's on the roadmap.

93 + 38
ISO 27001:2022 + ISO 42001 Annex A controls in the library
34
ITIL 4 management practices wired into the data model
9
frameworks mapped: 27001, 42001, NIS2, DORA, SOC 2, HIPAA, PCI, NIST CSF, NIST AI RMF
1
binary. Self-hosted. IPv6 + TLS 1.3 by default.

The dates that drive board agendas

EU AI Act enforcement is a calendar, not a debate.

Most ISO 42001 conversations start because the board is reading a regulatory deadline. Argitron ships the AIMS controls and AI-system inventory you'll need to demonstrate.

  1. 2 Feb 2025
    Prohibited practices banned

    Social scoring, manipulative AI, untargeted face-image scraping. AI literacy obligations apply to providers and deployers.

  2. 2 Aug 2025
    GPAI obligations live

    Transparency, technical documentation, training-data summary. Penalty regime activates: up to €35M or 7% of global turnover.

  3. 2 Aug 2026
    High-risk AI systems live

    Risk management, data governance, technical documentation, logging, human oversight, conformity assessment, post-market monitoring.

  4. 2 Aug 2027
    Embedded high-risk live

    High-risk AI in regulated products (medical devices, machinery). GPAI models predating Aug 2025 must be fully compliant.

Sources: artificialintelligenceact.eu, European Commission. Read more on our EU AI Act page.

Who buys Argitron

When the CISO, the CIO, and the head of PMO are the same buying decision.

CISOs of 100–500 person SaaS

Pursuing or maintaining ISO 27001, adding ISO 42001 because the board read about the AI Act, tired of paying Vanta-class prices for screenshot-and-attest workflows.

CIOs replacing the ServiceNow shelfware

Want ITIL 4 incident, problem, change, request, CMDB, SLA — without an 18-month implementation. Self-hosted, modern data model, API-first.

Heads of PMO running a hybrid portfolio

PMBOK / PRINCE2 governance over agile delivery. Want stage gates, RAID logs, capacity planning — and project risks that aggregate into the enterprise risk register the auditor reads.

"Every governance tool I've bought asked me to recreate work that was already happening somewhere else — Jira, the CMDB, a spreadsheet. Argitron is the first one where the work and the evidence are the same record."

— Founder & engineer behind Argitron · About →

Built by Deklarative

A small, opinionated team that ships boring, auditable, self-hosted infrastructure. Same team behind the Argitron Studio low-code platform and the GenuStream messaging fabric.

Stop stitching three vendors together to pass an audit.

Free under 25 assets, forever. No credit card. No sales call. Production use OK.

Start free See pricing Talk to a human →