AEGIS
Sign in Start free

Docs · Compliance + audit

Compliance, operational.

AEGIS ships SOC 2 / ISO 27001 / NIST AI RMF / EU AI Act control evidence as a live API. Auditors hit one endpoint and get a signed JSON artifact mapping each control to AEGIS runtime data — no slideware, no after-the-fact storytelling.

Cryptographic audit (RFC 6962)

Every audit row and compliance bundle appends to an append-only Merkle log. Tree roots are Ed25519-signed and published daily. Customers can fetch a root + an inclusion proof + the leaf, and verify the chain offline with a zero-dependency CLI under tools/verify-log/.

Witness cosignature (Sigstore-style) is available — third parties co-sign roots so a compromised AEGIS infrastructure alone can't rewrite history.

Compliance bundle endpoint

One endpoint, four frameworks. Each returns a JSON artifact mapping each control to live evidence (audit rows, policy enforcement counts, detector coverage, anomaly thresholds, etc.).

POST /api/v1/compliance/bundle/soc2
POST /api/v1/compliance/bundle/iso27001
POST /api/v1/compliance/bundle/nist-ai-rmf
POST /api/v1/compliance/bundle/eu-ai-act

→ Signed JSON: { controls: [...], evidence: [...], signature: "..." }

The bundle's signature field is Ed25519 over a canonical-JSON form of the body. Auditors verify with our published public key at .well-known/aegis-release-pubkey.pem.

SOC 2 Type II

  • Current status: framework documents + evidence endpoint shipping. Drata / Vanta integration planned 2026 Q3.
  • Target audit: 2026 Q4 with a regulated CPA.
  • Scope: Security, Availability, Confidentiality (Trust Services Criteria).
  • Common Criteria mapping: CC1.1 — CC9.2 each mapped to AEGIS evidence; see repo for the full table.

ISO 27001 / 27018

  • Same evidence backbone as SOC 2; control mapping to ISO 27001 Annex A.
  • ISO 27018 (cloud-PII) controls included via the privacy-redaction + retention policy machinery.

NIST AI Risk Management Framework (AI 600-1)

  • Govern / Map / Measure / Manage functions mapped to AEGIS features.
  • Map: capability risk scorer (action / egress / secrets / pii / scale dimensions).
  • Measure: anomaly detector (Mahalanobis + IF + HST + Conformal + ADWIN ensemble), policy effectiveness scoring.
  • Manage: policy enforcement, transparency log, witness cosignature.

EU AI Act

  • Art. 14 (human oversight): pending-checks flow + cockpit reviewer queue + counterfactual explainer.
  • Art. 15 (accuracy + cybersecurity): detector chain + transparency log audit.
  • Art. 12 (record-keeping): immutable audit log + per-call traces with PII redaction.

HIPAA / PCI / GDPR — case-by-case

  • GDPR / UK GDPR: DPA at /dpa; SCCs incorporated.
  • HIPAA: BAA available on Enterprise tier — email sales@aegis.dev.
  • PCI-DSS: Stripe handles card data; AEGIS itself stays out of PCI scope.

Pen-test posture

  • First external pen-test scheduled 2026 Q4 with one of Bishop Fox / NCC Group / Cure53.
  • Internal red-team via continuous prompt-injection corpus (26 patterns × 6 categories) — every deployment auto-scored on coverage.
  • Public security disclosure at /.well-known/security.txt; advisories at GitHub Security.

Hall of fame

Security researchers who report valid vulnerabilities are credited here (with their consent) once the report is remediated. /security#hall-of-fame.

Next