Audit Defence Methodology
How mima maps your estate, applies vendor-specific rules, and generates a cryptographically verifiable position before the auditor arrives.
1. Five-Layer Signal Ingestion
Mima builds its estate model from five signal layers. The first three are API-based and require no software on your endpoints. Layers four and five are optional — added when deeper telemetry is needed for FlexLM interrogation, local software inventory, or browser-based shadow AI detection.
Directory & hypervisor
Okta, Entra ID, VMware vCenter, AWS — hardware topology mapped from outside.
Network & proxy logs
SIEM records and proxy gateway hooks surface undocumented SaaS and AI tool access.
Billing & entitlement APIs
Direct vendor and SaaS API integrations inspect live licence balances and OAuth grants.
Endpoint agent
Windows MSI, Linux DEB, RHEL RPM. FlexLM daemon interrogation, local software inventory, machine-level telemetry.
Browser extension
Catches AI tool sessions that never pass through SSO — ChatGPT, Gemini, Perplexity, and 5,000+ tracked domains.
2. Two-Pass Forensic Normalization
Messy vendor logs, contract PDFs, and configuration strings are put through a strictly decoupled, forensic-first normalization pipeline:
- Pass 1 (Signal Extraction): Large language models parse raw fields (
product_raw,version_raw,host_raw) alongside structured AI confidence scores and quoted raw rationales. - Pass 2 (Canonical Resolution): Extracted signals are matched against official product catalogs using deterministic Graph lookup and vector indices.
- Shadow IDs: If a host is unknown, mima assigns a deterministic shadow ID using
sha256(user_email + tenant_id)to keep the graph topology separate rather than merging it into a single generic "unknown" bucket.
3. Deterministic WASM Rule Calculation
Mima does not hallucinate licensing calculations. All vendor licensing rules (Oracle partition policies, Broadcom VMware CPU calculations, and IBM virtualization sub-capacity standards) are compiled into deterministic WebAssembly (WASM) modules.
// Vendor-dispatched WASM verification contract
#[no_mangle]
pub extern "C" fn calculate_licence_position(
vendor: &str,
cpu_cores: u32,
virtualization: &str,
affinity_rule: &str,
) -> LicensingResult {
match vendor {
"oracle" => oracle_lms::calculate(cpu_cores, virtualization, affinity_rule),
"ibm" => ibm_ilmt::calculate(cpu_cores, virtualization),
"sap" => sap_law::calculate(cpu_cores, affinity_rule),
"broadcom_vmware" => broadcom::calculate_per_core(cpu_cores),
_ => LicensingResult::unknown(vendor),
}
} 4. Cryptographic Proof of Custody
To stop audit negotiation games, all hardware allocations and license states are logged into a Merkle-tree-backed ledger. Every daily state snapshot is cryptographically signed using your organization's cert key.
When an auditor queries your deployment history, you present mathematical proofs of state changes. Any report without matching Merkle root signatures is flagged as inconclusive, ensuring that your compliance posture is legally and mathematically irrefutable.