SOC 2 & NIST AI RMF: Runtime Evidence from Action Gates
Map GOVERN, MAP, MEASURE, and MANAGE to signed tokens, audit logs, and policy replay. Exportable evidence for compliance reviews.
Auditors ask: how do you control what AI systems actually do? Chat logs are not enough. Runtime evidence — per-action decisions, signed tokens, immutable audit — maps cleanly to SOC2 and the NIST AI Risk Management Framework.
What Sanctum exports
- Audit events with actor, action, risk score, decision, timestamp
- Policy version history and replay (“what if today’s policies existed yesterday?”)
- Governance workflows: dual approver, delegation, compliance columns
- 16 mapped controls with implementation evidence in the OSS runtime
MEASURE and MANAGE
MEASURE: anomaly flags, blocked chains, verification latency. MANAGE: kill switch, escalation, human resolution trails in the operator console.
Guides: agentic AI risk · MCP security · runtime authorization · HITL approvals · coding agents · get started
More: all posts · AI trust layer · open Sanctum Console
