Product & Compliance Roadmap
Last reviewed: 2026-05-15 · Version: 1.2
Planning horizon: Rolling 24 months
This is the rolling two-year product and compliance roadmap for HiringCoachAI, organized by theme and timeframe. Items inside each tier are grouped by topic rather than strict sequencing. Dates are planning targets, not contractual SLAs, and the roadmap is reviewed quarterly so the forward-looking horizon stays current.
In progress
- Continuous trust-center maintenance. Quarterly audit reviews, drill records, and evidence refreshes across security, privacy, AI use, and accessibility documentation.
- Security automation hardening. Expanding scheduled and release-gated checks across patch verification, API input validation, outbound-fetch detection, and AI provider data-retention verification.
- AI safety surface expansion. Broader coverage of input-safety and prompt-injection safeguards across AI call paths.
- Accessibility evidence refresh. Live assistive-technology verification cycles; ongoing ACR/VPAT maintenance.
- Customer data-rights tooling. Continued expansion of the self-service account export to cover additional first-party data categories.
On the horizon (next 12 months)
- Independent attestations. Engagement with qualified third parties for attestation and assessment work appropriate to the customer base, including attestation reports, penetration testing, and accessibility verification.
- Identity and access enhancements. Enterprise SSO via standards-based protocols, automated provisioning, granular role-based access controls, and customer-configurable multifactor options.
- Operational reliability. External uptime probing in parallel with our internal probe; enhanced incident communications.
- Privacy controls. Global Privacy Control honoring and expanded consent-management surfaces.
Looking ahead (12-24 months)
- Tenant-scoped enterprise foundations. Audit-log export, administrative reporting, customer-managed encryption-key options, and tenant-scoped customization for institutional deployments.
- Multi-region resilience. Alternate-region deployment options beyond the current single-region production footprint.
- Industry credentials. Privacy-management certification path following initial attestation work, and broader compliance-program participation as customer demand justifies.
Aspirational
- Bug-bounty program. Currently operated as a responsible-disclosure program. Conversion to a paid program is on the long-horizon plan.
- Federal-grade compliance paths. Would require a separately scoped deployment model and external sponsorship; not on the near-term horizon.
Recently shipped
| Date | Item |
|---|---|
| 2026-05-15 | HECVAT 4.1.5 institutional response refresh; comprehensive answer audit; trust-center reframe. |
| 2026-05-07 | First AI bias-evaluation baseline run archived. |
| 2026-05-02 | Customer-facing status page with auto-probe and admin editor. |
| 2026-05-02 | Documentation-review drills wired into the compliance review process. |
| 2026-04-30 | Full HECVAT 4.1.5 workbook coverage with automated audit guards. |
| 2026-04-24 | Public trust center launched with comprehensive compliance documentation. |
Change log
| Date | Change |
|---|---|
| 2026-05-15 | Reorganized by theme; consolidated specific item lists into thematic groupings; tightened forward-looking sections. |
| 2026-05-11 | Added explicit rolling 24-month planning horizon and 12-24 month section. |
| 2026-05-02 | Initial public roadmap. |