Tags: soc2 · compliance · ai-governance · audit-log

SOC2 and NIST AI RMF: runtime evidence from your action gate

Map GOVERN, MAP, MEASURE, and MANAGE controls to signed action tokens, audit logs, and policy replay — exportable evidence for compliance reviews.

May 14, 2026 · 8 min read

Auditors ask: how do you control what AI systems actually do? Chat logs are not enough. Runtime evidence — per-action decisions, signed tokens, immutable audit — maps cleanly to SOC2 and the NIST AI Risk Management Framework.

What Sanctum exports

  • Audit events with actor, action, risk score, decision, timestamp
  • Policy version history and replay (“what if today’s policies existed yesterday?”)
  • Governance workflows: dual approver, delegation, compliance columns
  • 16 mapped controls with implementation evidence in the OSS runtime

MEASURE and MANAGE

MEASURE: anomaly flags, blocked chains, verification latency. MANAGE: kill switch, escalation, human resolution trails in the operator console.
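Policy replay over the audit events listed under "What Sanctum exports", as an added example that is not Sanctum's own code: the event fields follow the post (actor, action, risk score, decision, timestamp), but the sample events, the policy versions and the `block_above` / `require_approval` rules are constructed here. It re-evaluates recorded decisions under a later policy version and counts what would have changed, the kind of MEASURE evidence a reviewer can verify.

```python
import json

# Constructed sample audit log in JSON Lines form (illustrative, not real Sanctum output).
AUDIT_LOG_JSONL = """\
{"id": 1, "actor": "agent:billing", "action": "read_invoice", "risk": 0.2, "decision": "allow", "policy": "v1", "ts": "2026-05-01T09:00:00Z"}
{"id": 2, "actor": "agent:billing", "action": "transfer_funds", "risk": 0.6, "decision": "allow", "policy": "v1", "ts": "2026-05-01T09:05:00Z"}
{"id": 3, "actor": "agent:support", "action": "delete_account", "risk": 0.95, "decision": "block", "policy": "v1", "ts": "2026-05-02T11:00:00Z"}
{"id": 4, "actor": "agent:support", "action": "send_email", "risk": 0.4, "decision": "allow", "policy": "v1", "ts": "2026-05-02T11:30:00Z"}
{"id": 5, "actor": "agent:analytics", "action": "export_data", "risk": 0.75, "decision": "allow", "policy": "v1", "ts": "2026-05-03T08:00:00Z"}
"""

# Hypothetical policy versions: a risk threshold above which an action is blocked,
# and actions that always need a human approver regardless of risk score.
POLICIES = {
    "v1": {"block_above": 0.9, "require_approval": set()},
    "v2": {"block_above": 0.7, "require_approval": {"transfer_funds"}},
}

def load_log(jsonl):
    """Parse one audit event per non-empty line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]

def decide(policy, event):
    """Evaluate a single audit event against one policy version."""
    if event["risk"] > policy["block_above"]:
        return "block"
    if event["action"] in policy["require_approval"]:
        return "escalate"
    return "allow"

def replay(version, events):
    """Re-run every historical event under `version` and return only the events
    whose recorded decision would have differed ("what if today's policy existed yesterday?")."""
    policy = POLICIES[version]
    changed = []
    for ev in events:
        new = decide(policy, ev)
        if new != ev["decision"]:
            changed.append({"id": ev["id"], "actor": ev["actor"], "action": ev["action"],
                            "recorded": ev["decision"], "replayed": new,
                            "recorded_policy": ev["policy"], "replayed_policy": version})
    return changed

def summarize(changed):
    """Count decision transitions, e.g. {'allow->block': 1}, for a compliance-review summary."""
    counts = {}
    for c in changed:
        key = f"{c['recorded']}->{c['replayed']}"
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    events = load_log(AUDIT_LOG_JSONL)
    diffs = replay("v2", events)
    print(json.dumps(diffs, indent=2))
    print(summarize(diffs))
```

Exporting the `replay` output alongside the policy version history gives a reviewer both the current decision and the reason it would differ from the recorded one.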
