Compliance
The frameworks your AI operation answers to. The evidence the substrate produces.
Each framework asks, in its own vocabulary, the same thing: prove what happened. None of them is satisfied by a model that probably behaves. The substrate produces the attributable, tamper-evident record of what every agent actually did, under whose policy, kept inside your boundary. This is not a certification claim. It is the evidence the governance each framework expects assumes you can produce.
2026 interagency model-risk guidance that supersedes SR 11-7 and scopes agentic AI out of its model-risk scope. That exclusion leaves governance of those systems to the institution's own practice; the evidence is the record of what every agent did.
Read the SR 26-2 page →
Mandatory cybersecurity standards for the Bulk Electric System. Agents that touch in-scope systems inherit the control obligations; the substrate produces the attributable, tamper-evident record those controls assume.
Read the NERC CIP page →
The AI Risk Management Framework and its Generative AI Profile ask for governed, mapped, measured, and managed AI. Attribution and an interrogable audit record are how you evidence the Manage function for agents.
Read the NIST AI RMF 1.0 page →
Regulation (EU) 2024/1689 sets record-keeping (Art 12) and transparency (Art 13) obligations for high-risk AI. The substrate produces the attributable, interrogable record of what each agent did, retained inside your boundary.
Read the EU AI Act page →
Regulation (EU) 2022/2554 mandates ICT event logging, incident-trace retention, and regulator reporting for financial entities. Agents that touch that ICT scope produce the reconstructable record those obligations assume. The AI-decision-record home is the EU AI Act, not DORA.
Read the DORA page →
This material is informational, not legal or regulatory advice. The substrate produces the record; assess your specific obligations with qualified counsel.