Compliance ¶

The Compliance page is the compliance evidence pack for your AI estate. It rolls everything AI Hypervisor observed during a chosen evidence period (control coverage, PII events, SBOM components and their CVEs, and the audit trail of platform activity) into a single report you can hand to an auditor, brief the board with, or upload to a GRC tool.

The data is the same as what you see scrolling Briefing, Data Tracks, and the rest. Compliance packages it for a fixed time window and signs the result, so an evidence pack is reproducible and exportable without manual data-stitching.

Frameworks and control mapping¶

The current release frames the evidence pack against three frameworks:

• SOC 2 (CC6 logical access, CC7 system operations)

• EU AI Act (Articles 9–15: risk management, data governance, transparency, logging, human oversight)

• NIST AI RMF (Govern, Map, Measure, Manage)

Each framework has its own control-coverage table, mapping every control to the platform signal that backs it:

Additional frameworks (ISO 42001, ISO 27001, GLBA, NYDFS 500, PCI DSS) are surfaced under the Compliance risk category in Findings. Full Compliance coverage for them is on the roadmap.

What goes into a report¶

A report has four evidence types, each fed by a different platform signal. Each is also available independently through the platform API.

• AI Software Bill of Materials (AI-SBOM). Every package, model weight, MCP server binary, container image, and library running in your AI stack, with version, ecosystem, licence, CVE mapping, and a load-time-risk flag set for pickle and torch loads. Backed by Supply Chain.

• Coverage heatmap. Per framework, every control labelled Covered, Partial, or Gap against observed evidence.

• Session audit logs. Every agent session preserved end to end: caller identity and class, application, full chronological waterfall (prompt → LLM call → tool call → response), step status, session status. Backed by User Tracks.

• PII flow records. Every flow that carried PII: source entity, destination, PII classes, data classification, the rule that matched, volume, and time window. Backed by Data Tracks.

The rendered PDF also carries an executive-summary card (four numbers: controls covered, PII events, SBOM components, risk score) and a metadata block (tenant, cluster, scanner version, data-source provenance).

Evidence period, attestation, and export¶

When you generate a report, you choose its evidence period: the time window the report aggregates over. The range is bounded by tenant retention. Default retention is 90 days for session and PII data, indefinite for SBOM and previously generated reports. Longer retention is available on request: contact Wallarm sales.

Each report carries an attestation block at the foot: generation signature, timestamp, and content hash. The hash binds the document to the exact dataset it was generated from, so any later edit is detectable. Auditors who care about chain-of-custody check this first.

The same content is also available via the platform API, scoped by tenant and evidence period. Teams running their own GRC tooling (ServiceNow GRC, OneTrust, Vanta, in-house) integrate against the API to flow evidence into the GRC pipeline without downloading PDFs.

Cross-references¶

Settings that affect Compliance¶

• Frameworks covered are controlled by the platform release; not configurable per tenant.

• Evidence period is bounded by your tenant's retention window (90 days default for session and PII data).

Was this page helpful?

How can we improve this article? (Optional)

Information is unclear or confusing

Insufficient information

Outdated or incorrect information

0/240

Send