Blog

SOC 2 & compliance evidence

soc2complianceai-governanceaudit-log

SOC 2 & NIST AI RMF: Runtime Evidence from Action Gates

Map GOVERN, MAP, MEASURE, and MANAGE to signed tokens, audit logs, and policy replay. Exportable evidence for compliance reviews.

May 14, 20268 min read

Auditors ask: how do you control what AI systems actually do? Chat logs are not enough. Runtime evidence — per-action decisions, signed tokens, immutable audit — maps cleanly to SOC2 and the NIST AI Risk Management Framework.

What Sanctum exports

  • Audit events with actor, action, risk score, decision, timestamp
  • Policy version history and replay (“what if today’s policies existed yesterday?”)
  • Governance workflows: dual approver, delegation, compliance columns
  • 16 mapped controls with implementation evidence in the OSS runtime

MEASURE and MANAGE

MEASURE: anomaly flags, blocked chains, verification latency. MANAGE: kill switch, escalation, human resolution trails in the operator console.

Security overview · Signed action tokens

Guides: agentic AI risk · MCP security · runtime authorization · HITL approvals · coding agents · get startedMore: all posts · AI trust layer · open Sanctum Console

Give every agent action a trust boundary.

Start with Connect Agent, keep the SDK path for deeper fleets, and prove exactly what was approved, blocked, or contained.