Compliance

Coming soon

Compliance attestation — coming when it can be done for real.

We are not shipping a compliance dashboard until it reflects controls that are actually enforced and evidence that is genuinely tamper-evident. Anything less would be checkbox theatre — and the whole point of this lab is that nothing on screen is fake.

Why it's not here yet

AGT ships an “OWASP Agentic Top 10 — 10/10 Covered” badge and an agt verify command, and it is tempting to surface those as a compliance score.

AGT doesn't provide real compliance out of the box
“10/10 Covered” is an import-presence check, not enforcement

Our hands-on evaluation found that agt verify and the coverage badge are an import-presence check: they confirm that the relevant modules import, not that any control is enforced, nor that any attack is actually stopped. We will not present that as assurance.

Evidence · AGT evaluation memo (2026-06-11)

What we'll ship instead

Outcome-based compliance, built on the real tamper-evident hash-chained audit chain — every allow / deny / step-up decision captured as evidence — then mapped to recognised frameworks. Assurance comes from what govern() actually did, not from what imported.
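The shape of that evidence pipeline, as an added example that is not AGT's code nor this lab's implementation: a minimal hash-chained audit chain that records allow / deny / step-up decisions, verifies its own integrity, and only then rolls the decisions up into per-framework evidence counts. The record layout, the AuditChain class, the sample decisions and the CONTROL_MAP are all assumptions made for illustration; the framework names are the ones on this page, but the mapping lines are placeholders, not real clause references.

```python
# Added example (not AGT's code): a tamper-evident, hash-chained audit chain for
# allow / deny / step-up decisions, plus an outcome-based mapping of that evidence
# to frameworks. Names, field layout and CONTROL_MAP are assumptions.
from __future__ import annotations

import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # chain anchor committed to by the first entry


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so every verifier hashes exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditChain:
    """Append-only list of decision records; each record commits to the previous hash."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, decision: str, subject: str, action: str, reason: str) -> str:
        if decision not in ("allow", "deny", "step-up"):
            raise ValueError(f"unknown decision {decision!r}")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "prev": prev,
            "decision": decision,
            "subject": subject,
            "action": action,
            "reason": reason,
        }
        entry = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
        self.entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        # The value to anchor externally (signed, published) so the writer cannot rewrite history.
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self) -> tuple[bool, int | None]:
        """Walk the chain; return (True, None) or (False, seq of the first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            recomputed = hashlib.sha256(_canonical(body)).hexdigest()
            if body.get("seq") != i or body.get("prev") != prev or recomputed != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None


# Assumed, illustrative mapping from decision outcomes to the frameworks named on
# the page. A real mapping would cite specific clauses; these are placeholders.
CONTROL_MAP = {
    "deny": ["SOC 2 · access-control evidence", "NIST AI RMF · Manage"],
    "step-up": ["EU AI Act · human oversight", "ISO/IEC 42001 · AI management controls"],
    "allow": ["NIST AI RMF · Measure"],
}


def evidence_summary(chain: AuditChain) -> dict:
    """Outcome-based view: refuse to report evidence from a chain that fails verification."""
    ok, bad_seq = chain.verify()
    if not ok:
        return {"integrity": "FAILED", "first_bad_seq": bad_seq}
    counts = Counter(e["decision"] for e in chain.entries)
    controls: dict[str, int] = {}
    for decision, n in counts.items():
        for control in CONTROL_MAP[decision]:
            controls[control] = controls.get(control, 0) + n
    return {"integrity": "OK", "decisions": dict(counts), "controls": controls}


def build_sample_chain() -> AuditChain:
    # Constructed sample decisions, not captured from any real tenant.
    chain = AuditChain()
    chain.record("allow", "agent:researcher", "graph.mail.read", "in scope")
    chain.record("deny", "agent:researcher", "graph.mail.send", "tool not allow-listed")
    chain.record("step-up", "agent:researcher", "graph.files.write", "human approval required")
    return chain


def tamper_and_verify(recompute_hash: bool) -> tuple[bool, int | None]:
    # Flip the deny at seq 1 to an allow. Without recomputing the hash the entry
    # itself fails; with it recomputed, the next entry's prev pointer breaks instead.
    chain = build_sample_chain()
    chain.entries[1]["decision"] = "allow"
    if recompute_hash:
        body = {k: v for k, v in chain.entries[1].items() if k != "hash"}
        chain.entries[1]["hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    return chain.verify()


if __name__ == "__main__":
    sample = build_sample_chain()
    print(evidence_summary(sample))
    print(tamper_and_verify(recompute_hash=False))  # (False, 1)
    print(tamper_and_verify(recompute_hash=True))   # (False, 2)
```

The second tamper case is the one that matters for a real deployment: an editor who can rewrite every later entry can also recompute every later hash, so the chain is only tamper-evident if head() is periodically anchored somewhere the writer cannot alter (signed by a separate key, or published to an independent store). Without that anchor the "evidence" is just data the same process can rewrite, which is the distinction this page draws between enforced controls and a badge.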

Framework        Scope                                  Status
EU AI Act        High-risk AI system obligations        mapping · planned
NIST AI RMF      Govern · Map · Measure · Manage        mapping · planned
ISO/IEC 42001    AI management system controls          mapping · planned
SOC 2            Trust services criteria evidence       mapping · planned
Evidence source · Audit chain
Status: pending — unblocks when (1) govern() runs for real so Decisions / Audit become source_mode=live, and (2) the framework mapping is built. Tracking AGT upstream for genuine compliance support.
source_system=Microsoft Graph tenant=kpmgplayground source_mode=synthetic agt=4.1.0 2026-06-14
DESIGN PREVIEW · Compliance is a planned screen; no live attestation yet.