COMPLIANCE BY CONSTRUCTION

Evidence isn't assembled after the fact. It's produced at the moment of action — structured, signed, and machine-verifiable.

Most compliance is a narrative you write later. ByteVerity's is a byproduct of operation: the same receipt that governs the action is the audit evidence. Hand an auditor the bundle and a public key; they verify every claim offline, with no ByteVerity dependency.

Handling note

A record cites the upstream receipts it composes, so it can carry the very data it attests to. Secrets are masked on display (portal and CLI), but the exported bundle should be classified and shared under the same controls as the data it describes — Lineage adds no secrets of its own, but it does not strip what an upstream system already signed.

FRAMEWORK COVERAGE

The frameworks your auditor already asks for — rendered from the record.

No spreadsheet of asserted controls. Each mapping derives from the same signed receipts, so the answers are evidence, not estimates.

  • EU AI Act

    Art. 12 (record-keeping / traceability), Art. 9, 10, 11, 14. Lineage renders the Art. 12 pack straight from the signed record.

  • AI-BOM

    CycloneDX 1.6 ML-BOM + SPDX 3.0 AI Profile, derived from the record.

  • NIST

    SP 800-207 (Zero Trust) and SP 800-218A (Secure SDLC for AI).

  • SOC 2

    CC-6.1, CC-7.1, CC-8.1.

  • GDPR

    Art. 25, 32, 44–49.

A technical control, not a dashboard. Attaches to security and compliance budgets you already have — not a discretionary AI-experiment line item.

INSPECT A SAMPLE EVIDENCE PACK

The EU AI Act Art. 12 + AI-BOM bundle, as an auditor receives it.

This is a real signed record — seven planes composed into one causal chain. The verifier recomputes the SHA-256 over its content and compares it to the signed manifest root. Zero install, zero network, and we never see it.

eu-ai-act-12+ai-bom.lnrlive
record
refund-incident-1947
root
sha256:54bc0655abbf
planes
approval code conformance data knowledge policy run  (7)
signer
ed25519 · keyid d2f381d7b0b5
  • runstep 9 — refunded an already-delivered orderproven
  • knowledgeretrieved doc-1 — a stale refund-policy docproven
  • policyrefund-limit rule evaluated → allowproven
  • data→causesuspected-cause (uncounted)asserted · uncounted
VERIFIEDoffline · engine absentnet requests: 0

Verified offline. 3 proven planes, 1 asserted and uncounted. 0 network requests.

What's in this pack

  • EU AI Act Art. 12 — record-keeping and traceability, rendered straight from the signed record.
  • AI-BOM — CycloneDX 1.6 ML-BOM + SPDX 3.0 AI Profile, derived from the same record.
  • Causal chain — code, run, knowledge, policy, approval, data, and drift, composed into one record.
  • Public key — everything re-verifies offline, with no ByteVerity dependency.
Verify this pack

A technical control, not a dashboard.