What Efterlev is not

Limitations restated positively.

This page is a placeholder for SPEC-38.4. Substantial content lands in a follow-up batch. The authoritative source is LIMITATIONS.md.

Short version:

  • Not an Authorization to Operate. Drafts and findings, not authorizations. The 3PAO + Authorizing Official own the ATO decision.
  • Not a SOC 2 / ISO 27001 / HIPAA / GDPR tool. Other tools serve those well; Efterlev's depth is gov-grade frameworks.
  • Not a runtime cloud-API scanner. Efterlev reads .tf source and Evidence Manifests. Cloud-API scanning is v1.5+, gated on customer pull.
  • Not a continuous-monitoring daemon. v0.1.0 runs on demand. The provenance graph is structured for continuous monitoring; the daemon isn't built yet.
  • Not a SaaS. Local-first, no telemetry, no phone-home, no account.
  • Not a guarantee of accuracy. LLM-generated artifacts are drafts. Every Claim carries a non-removable "DRAFT — requires human review" marker.

Full accounting →