Zephyr AI Overcomes Compliance Hurdles, Achieves Drastic Audit Efficiency

Challenges

  • Small, cross-functional team managing both infrastructure and security with limited bandwidth
  • Manual, time-consuming SOC 2 audit preparation without centralized evidence or visibility
  • Lack of version control or structured tracking of compliance controls over time

Results

  • Completed SOC 2 audits with 70–80% of evidence pulled directly from JupiterOne
  • Reduced audit preparation time to under 30 days, led primarily by one engineer
  • Streamlined cloud asset visibility by filtering out unnecessary data and focusing on critical resources
  • Enabled real-time risk detection through ad-hoc queries and reusable dashboards across multiple teams

Overview

Zephyr AI is an emerging healthcare technology company using machine learning to unlock life-saving insights in clinical research and patient care. With a cloud-native approach, the company’s infrastructure is built on AWS, with GitHub, Jira, Slack, and Google Workspace playing critical roles in day-to-day operations.

From the beginning, the Zephyr AI team prioritized strong security and operational discipline. But as the company grew, so did the complexity of its environment and the pressure to maintain compliance with industry standards like SOC 2. With a small team tasked with managing both infrastructure and security responsibilities, Zephyr AI needed a smarter way to manage risk, enforce controls, and prepare for audits.

Challenges

Zephyr AI’s team didn't have the luxury of separate teams for cloud, security, and compliance. The small team was tasked with securing every part of the business, including infrastructure provisioning, vulnerability management, device hygiene, identity and access control, and regulatory compliance. Everyone on the team wore multiple hats.

When it came time to prepare for SOC 2 audits, the burden was intense. Collecting audit evidence required hours of manual investigation across tools like AWS, GitHub, and Jira. Questions like “Do all devices have MDM enabled?” or “Were any GitHub pull requests merged without approval?” meant diving into logs, exporting CSVs, and correlating data by hand. Not only was this slow — it was prone to error and hard to scale.

Solution

Zephyr AI implemented JupiterOne to bring structure, context, and automation to their growing security operations. The team connected integrations across AWS, GitHub, Google Workspace, Jira, Slack, Kandji and SentinelOne — pulling all asset, identity, and relationship data into the JupiterOne platform.

Immediately, the team was able to see their cloud environment in a new way. Every user, device, workload, and permission was now mapped and searchable. Ad-hoc queries became a powerful new tool: instead of relying on static dashboards or vendor-defined reports, engineers could ask any question of their environment in real time and get results in seconds.

One major shift was the ability to proactively monitor for compliance drift. Engineers built custom queries to surface high-risk conditions like unencrypted volumes, excessive IAM permissions, or non-compliant devices. These queries powered dynamic dashboards, making it easy to share up-to-date security metrics with leadership and auditors.

Key Integrations

  • AWS
  • GitHub
  • Slack
  • Google Workspace
  • Jira
  • Azure
  • SentinelOne

Results

With JupiterOne, audit preparation became dramatically easier. Zephyr’s team created custom dashboards aligned to SOC 2 controls, making it possible to gather evidence directly from JupiterOne — without needing to recompile spreadsheets or screenshots. In their most recent audit, 70–80% of their evidence came from JupiterOne alone.

The impact was clear: what used to be a stressful, multi-engineer scramble to collect documentation and validate control coverage became a structured, repeatable workflow — largely handled by one person.

Future Plans

Looking ahead, Zephyr AI plans to deepen its use of JupiterOne to further scale and mature its security and compliance program. The team aims to automate auditor access by building dedicated dashboards aligned to SOC 2 controls, enabling auditors to self-serve evidence directly within the platform. They also intend to expand their use of JupiterOne’s continuous compliance capabilities to support both industry-standard and custom frameworks, ensuring proactive monitoring across evolving requirements. As their tech stack grows, they’ll continue to broaden integration coverage through new data integrations and custom file uploads. Additionally, Zephyr AI plans to templatize dashboards and workflows to accelerate onboarding for new teams and business units, making security a shared, scalable foundation across the organization.

Summary

About

Zephyr AI is a high-growth healthcare technology company committed to radically reshaping precision medicine in oncology and cardiometabolic disease. Through partnerships and proprietary data, Zephyr AI is curating the world’s most comprehensive healthcare dataset and marrying it with cutting-edge artificial intelligence algorithms to generate novel, translatable insights to build tools and products that support patients and providers and fuel ongoing research. At Zephyr AI, our mission-focused team of world-class software engineers and biologists leverages big data and next-generation technology to derive transformational insights and build enduring partnerships that will revolutionize the treatment of cancer and cardiometabolic disease.

Industries

Healthcare

Employees

11-50

Headquarters

Tysons Corner, VA