The compliance gap nobody's pricing in yet
A team building a healthcare API asks an AI coding assistant to implement a patient records endpoint. The assistant produces working code — clean, well-structured, passes review. Six months later, a HIPAA audit finds the endpoint returns more PHI fields than the request actually needed. Nobody wrote a test for "is this response over-broad." Nobody thought to.
That's not a hypothetical. It's the specific, named failure mode in GAUNTLEX's own HIPAA policy playbook: "PHI Disclosure — Over-Broad API Response." I want to walk through how GAUNTLEX turns regulatory requirements like this into something that actually runs in CI, instead of something a compliance team discovers during an audit that's already too late.
Domains, not generic scans
GAUNTLEX ships five compliance domain playbooks out of the box: OWASP Top 10, HIPAA, FINRA, PCI DSS, and SOC 2 (NIST SSDF and OWASP API Security are available as installable extensions). Each one is a curated set of attack scenarios specific to that domain's actual failure modes — not a generic vulnerability scanner with a different label stapled on.







