Bookbag
Governance

Compliance as a by-product of your runtime, not a month of PDFs.

Every runtime decision feeds framework controls automatically. Your audit bundle for EU AI Act, NIST AI RMF, ISO 42001, or SOC 2 is a one-click export — not a cross-functional fire drill.

Compliance frameworks built-in

EU AI Act
Annex III controls
NIST AI RMF
Govern · Map · Measure · Manage
ISO 42001
AI management system
SOC 2
Type II evidence
HIPAA
Health AI risk tier

The compliance layer you don't have to write

30+ pre-built controls. Use-case + risk registries. Policies + policy packs. Auto-mapping. Signed exports. All in one place.

Framework library

30+ controls across EU AI Act, NIST AI RMF, ISO 42001, SOC 2. Add your own or customize shipped ones.

Use-case + risk registry

Each AI system = one use case. Assign risk tier, owner, policies, frameworks. Revision-tracked.

Policies + policy packs

Versioned policies with clauses. Pack policies into templates for regulatory bundles.

Evidence auto-mapping

Declarative rules map runtime decisions → framework controls. No AI, no drift, no surprises.

Questionnaires

Pre-built EU AI Act / NIST scoping questionnaires. Every answer versioned with reviewer + timestamp.

Stakeholder decisions

Approval workflow with roles: governance owner, SME, QA owner, final approver. Append-only audit log of every action.

How auto-mapping actually works

Deterministic rules, not AI-generated evidence. Auditors don't like AI-authored audits — we don't either.

framework_control_evidence_rule (example):

  control_id: "EU_AI_ACT_ANNEX_III_4a"
  name: "Logging requirements for high-risk AI systems"
  satisfied_when:
    - runtime_trace_count >= 1 for use_case in last 90d
    - policy_approved_at is not null
    - eval_pass_rate >= 0.95 over sample window
  evidence_source:
    - AgentRun rows tagged with use_case_id
    - Policy row + approval audit log entry
    - EvalRun aggregated results
  sign_off: required
  audit_tag: "EU-AI-ACT-ANNEX-III"

Rules are editable per-org. The mapping runs on export — not on schedule, not in-place, not in the runtime hot path.
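To make the "deterministic rules, not AI" point concrete, here is an added example (not Bookbag's own code) of a pure evaluator for a rule shaped like the one above: it checks the three satisfied_when conditions against constructed AgentRun, Policy and EvalRun records and returns the verdict together with the evidence refs an auditor would expect. The RULE, evaluate_control and sample records are assumptions made for this illustration, not the product's schema.

```python
from datetime import datetime, timedelta, timezone

# Constructed rule mirroring the three satisfied_when conditions on the page.
RULE = {
    "control_id": "EU_AI_ACT_ANNEX_III_4a",
    "audit_tag": "EU-AI-ACT-ANNEX-III",
    "min_traces": 1,
    "trace_window_days": 90,
    "min_eval_pass_rate": 0.95,
}

def evaluate_control(rule, use_case_id, agent_runs, policy, eval_runs, now):
    """Return (satisfied, checks, evidence_refs) for one control.
    agent_runs: [{"run_id", "use_case_id", "started_at"}], policy: {"policy_id", "approved_at"},
    eval_runs: [{"eval_run_id", "passed", "total"}]. Pure function of its inputs: no model call,
    no clock read, so the same evidence always yields the same verdict on re-export."""
    cutoff = now - timedelta(days=rule["trace_window_days"])
    recent = [r for r in agent_runs
              if r["use_case_id"] == use_case_id and r["started_at"] >= cutoff]
    passed = sum(e["passed"] for e in eval_runs)
    total = sum(e["total"] for e in eval_runs)
    pass_rate = passed / total if total else 0.0  # no eval evidence counts as failing
    checks = {
        "runtime_trace_count": len(recent) >= rule["min_traces"],
        "policy_approved_at": policy.get("approved_at") is not None,
        "eval_pass_rate": pass_rate >= rule["min_eval_pass_rate"],
    }
    refs = [f"AgentRun:{r['run_id']}" for r in recent]
    if checks["policy_approved_at"]:
        refs.append(f"Policy:{policy['policy_id']}")
    refs += [f"EvalRun:{e['eval_run_id']}" for e in eval_runs]
    return all(checks.values()), checks, refs

# Constructed sample evidence; run-002 is outside the 90-day window, run-003 is another use case.
NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)
SAMPLE_RUNS = [
    {"run_id": "run-001", "use_case_id": "uc-7", "started_at": NOW - timedelta(days=10)},
    {"run_id": "run-002", "use_case_id": "uc-7", "started_at": NOW - timedelta(days=120)},
    {"run_id": "run-003", "use_case_id": "uc-9", "started_at": NOW - timedelta(days=1)},
]
SAMPLE_POLICY = {"policy_id": "pol-3", "approved_at": NOW - timedelta(days=30)}
SAMPLE_EVALS = [{"eval_run_id": "ev-1", "passed": 96, "total": 100}]

def demo(policy=SAMPLE_POLICY):
    return evaluate_control(RULE, "uc-7", SAMPLE_RUNS, policy, SAMPLE_EVALS, NOW)

if __name__ == "__main__":
    satisfied, checks, refs = demo()
    print(RULE["control_id"], "satisfied" if satisfied else "NOT satisfied", checks, refs)
```

Only the cited refs (here one run, one policy, one eval run) need to land in the bundle's controls/ file, so an auditor can re-derive the verdict from the exported evidence alone.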

What ships in an evidence bundle

One click exports a signed manifest. Hand it to your auditor.

manifest.json

Framework, controls, date range, use cases, sign-offs, cryptographic hash of contents.

controls/

One JSON file per control: satisfaction status, evidence refs, reviewer trail.

traces/

All runtime traces cited — run IDs, decisions, reasons, detector flags, reviewer actions.

policies/

Frozen snapshot of every policy + clause + approval at export time.

evals/

EvalRun results cited as evidence — pass rates, regression diffs, test case samples.

audit_log.ndjson

Append-only audit trail of who did what, when, and why.

Audit day shouldn't be a project. Make it a one-click export.

Join the teams shipping safer AI with real-time evaluation, audit trails, and continuous improvement.