Compliance
Evidence for AI agent actions, mapped to your frameworks
Cosignet produces one thing that compliance programs keep asking for: signed, tamper-evident, independently verifiable proof that a human approved a specific agent action before it ran. These pages map that evidence to the frameworks you report against. Every page is candid about the boundary.
Scope. Cosignet provides verifiable approval evidence only; it does not determine legal applicability, certify compliance, replace regulated controls, or substitute for legal, compliance, or audit advice.
The consistent framing: Cosignet is not certified against any of these frameworks, and does not make you compliant. It provides verifiable evidence artifacts in support of your own compliance program. The obligations, and the certifications, remain yours.
Mappings
- DORA (Regulation (EU) 2022/2554), applies since 17 January 2025. ICT traceability, logging of critical operations, and incident evidence for AI-agent actions. Includes the candid third-party-register discussion.
- PSD2 dynamic linking. The SCA construction (a code bound to amount and payee) generalized to agent-initiated actions via payload-bound passkey signatures.
- EU AI Act, human oversight and logging. Article 14 (human oversight) and Article 12 (record-keeping), with the post-Omnibus timeline.
- SOC 2. Mapping to your control families: authorization of changes and transactions, logical access, monitoring.
- ISO/IEC 42001. Oversight and logging controls for AI management systems.
The evidence, in one place
Whatever the framework, the underlying artifact is the same:
- A passkey signature over
nonce ‖ SHA-256(payload), bound to the exact action. - An append-only Merkle transparency log with an Ed25519-signed tree head, anchored into Bitcoin.
- An exportable evidence pack that verifies offline, without a Cosignet account.
See the evidence pack format specification.
Put auditor-reviewable evidence in front of your riskiest actions
Free to start, no credit card.
Informational, not legal advice. These pages explain how Cosignet evidence artifacts can support your compliance program. They are not legal opinions, and Cosignet is not certified against these frameworks. Verify all regulatory references against their primary sources and confirm applicability with your own counsel and auditor.