COMPLIANCE

Your auditor will thank you.

Evidence bundles mapping our checks to NIST AI RMF functions and EU AI Act articles. Policy-as-code YAML. Every change lands as a pull request, not a Slack message.

Talk to compliance See the evidence API →

Why AI differs

Traditional audit logs assume deterministic systems. LLMs break that assumption.

Standard SOC 2 controls do not address prompt injection, tool-output poisoning, or cumulative session drift. Verosek produces the same forensic evidence your auditor already knows how to read — applied to AI-specific failure modes.

NIST AI RMF

Function-level mapping.

Function	Verosek evidence
GOVERN	Policy profiles, policy-as-code YAML export, signed change history
MAP	Check catalog + per-key topic registration (CHK-024)
MEASURE	Every verdict scored; /api/v1/security/compliance/nist_ai_rmf returns the measurement bundle
MANAGE	Shield profiles (none / baseline / strict), FAIL_CLOSED default, incident timeline in audit trace

EU AI Act

Article-level mapping.

Article	Verosek evidence
Article 9 — Risk management	Check catalog scoring + signed decisions
Article 10 — Data governance	PII recognizers, redaction modes, cumulative drift (CHK-022)
Article 12 — Record-keeping	HMAC-SHA256 signed trace, 7-year retention supported
Article 13 — Transparency	Per-verdict explainable JSON, modification log on every request
Article 14 — Human oversight	HOLD decisions route to human review; policy-as-code = PR review
Article 15 — Accuracy & robustness	Adversarial test suite runs on every release; signed reports available under NDA

Evidence API

One GET request. A signed JSON bundle.

$ curl http://gateway/api/v1/security/compliance/nist_ai_rmf \
     -H "Authorization: Bearer vsk_ops_..." | jq .
{
  "framework": "NIST AI RMF 1.0",
  "generated_at": "2026-04-15T09:41:22Z",
  "functions": {
    "GOVERN": { "checks": ["profile.policy_as_code", "audit.signed"] },
    "MAP":    { "checks": ["CHK-024"] },
    "MEASURE":{ "checks": ["CHK-013","CHK-014","CHK-020","..."] },
    "MANAGE": { "checks": ["fail_closed","CHK-022","profile.strict"] }
  },
  "signature": "hmac-sha256:a7b9c2...4f8e"
}

Policy as code

Export profiles as YAML. Git history is your change log.

Validated import round-trips cleanly. Compliance review is a PR review. No parallel document to drift.

SOC 2 status

Honest status note.

A SOC 2 Type I report is in progress with an independent auditor. We publish real status on /trust and will not claim certification until the report is issued.

Auditor-ready evidence. On your first call.

FAIL_CLOSED by default. Every tool call scanned. Every decision signed.

Talk to our compliance team See /trust →