Agent Governance Foundation

Compliance & Audit

Every authorization decision AGF makes produces a signed, tamper-proof audit artifact. These records are designed to answer the questions regulators and auditors actually ask — who, what, when, why allowed or denied, under which policy.

Audit artifact structure

Artifacts are written once, never mutated, and cryptographically signed. Retrieve any artifact by its artifact_id using GET /v1/audit/{artifact_id}.

| Field | Type | Description |
|---|---|---|
| artifact_id | string | Globally unique ID — use this as your compliance evidence reference |
| agent_id | string | The DID of the agent that made the request |
| action | string | The action the agent attempted |
| resource | string | The target resource URI (if provided) |
| decision | enum | allow or deny |
| reason | string | Deny reason code (null on allow) |
| policy_ref | string | Exact policy ID and version that made the decision |
| trust_score | float | 0.0–1.0 trust score at decision time |
| evaluated_at | datetime | ISO 8601 timestamp of the decision |
| signature | string | EdDSA signature over the artifact body — verify against the AGF public key |

Verify a signature

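# Download the AGF public key once
curl -fsS https://api.agentgovernancefoundation.com/v1/keys/public > agf-public.pem

# Fetch the artifact once and keep it on disk
curl -fsS https://api.agentgovernancefoundation.com/v1/audit/art_7fKm3pQz \
  -H "Authorization: Bearer <YOUR_API_KEY>" > artifact.json

# Split it into the signed body and the detached signature.
# Assumptions (confirm against the AGF API reference): the signature is base64-encoded
# and covers the compact, key-sorted JSON of the artifact without its signature field.
jq -r '.signature' artifact.json | base64 -d > artifact.sig
jq -cjS 'del(.signature)' artifact.json > artifact.body

# Verify the EdDSA signature (OpenSSL 3.x); "openssl dgst -sha256" cannot verify EdDSA keys
openssl pkeyutl -verify -pubin -inkey agf-public.pem -rawin -in artifact.body -sigfile artifact.sig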

Compliance framework mapping

How AGF capabilities map to the major AI governance standards.

NIST AI RMF

The National Institute of Standards and Technology AI Risk Management Framework. AGF maps to the GOVERN, MAP, MEASURE, and MANAGE functions.

| Function | AGF capability |
|---|---|
| GOVERN | Policy-as-code in a versioned Git repository with approval workflows |
| MAP | Agent passports record context, intended purpose, and delegation lineage |
| MEASURE | Trust scores and anomaly metrics give continuous quantitative risk signals |
| MANAGE | Branch-cut revocation and incident response playbook address identified risks |

ISO 42001

The international AI Management System standard. AGF's audit artifacts and policy lifecycle directly support clause 6 (Planning) and clause 9 (Performance evaluation).

| Clause | AGF capability |
|---|---|
| Clause 6 — Planning | Policy authoring, review, and versioning workflows |
| Clause 8 — Operation | PDP enforcement at every agent action boundary |
| Clause 9 — Evaluation | Signed, tamper-proof audit artifacts for every decision |
| Clause 10 — Improvement | Policy drift detection and anomaly alerting |

EU AI Act

AGF's audit trail and human oversight mechanisms are designed to satisfy the transparency and accountability requirements for high-risk AI systems under the EU AI Act.

| Article | AGF capability |
|---|---|
| Art. 13 — Transparency | Every decision record includes agent_id, action, resource, policy_ref, and trust_score |
| Art. 14 — Human oversight | Policies require human review and approval before deployment |
| Art. 17 — Quality mgmt | Git-backed policy versioning with full change history |
| Art. 26 — Record-keeping | Audit artifacts retained with cryptographic integrity proofs |

Exporting audit logs

Use the list endpoint with filters to pull the records an auditor needs. Export formats: JSON (all plans), CSV (Standard and above).

# All deny decisions for a specific agent in a date range
GET /v1/audit?agent_id=did:agf:agt_01abc&decision=deny&from=2025-01-01&to=2025-06-30

# Export as CSV (Standard plan and above)
GET /v1/audit/export?format=csv&from=2025-01-01&to=2025-06-30
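
Before an exported batch goes into an evidence package, each record can be checked against the field table in "Audit artifact structure". The script below is an added example, not AGF code: it assumes the JSON export is an array of artifact objects, it checks field consistency only (signature verification remains a separate step), and the sample records, sample_record helper and reason code are constructed placeholders.

```python
import json
from datetime import datetime
REQUIRED = "artifact_id agent_id action decision policy_ref trust_score evaluated_at signature".split()

def check_artifact(rec):
    """Findings for one artifact; an empty list means it matches the field table."""
    out = [f"missing {k}" for k in REQUIRED if rec.get(k) in (None, "")]
    decision, reason, score = rec.get("decision"), rec.get("reason"), rec.get("trust_score")
    if decision not in (None, "", "allow", "deny"):
        out.append(f"decision {decision!r} is not allow/deny")
    if decision == "allow" and reason is not None:
        out.append("reason set on an allow decision")
    if decision == "deny" and not reason:  # assumption: every deny carries a reason code
        out.append("deny decision without a reason code")
    if score is not None and not (type(score) in (int, float) and 0.0 <= score <= 1.0):
        out.append(f"trust_score {score!r} outside 0.0-1.0")
    if rec.get("evaluated_at"):
        try:
            datetime.fromisoformat(str(rec["evaluated_at"]).replace("Z", "+00:00"))
        except ValueError:
            out.append("evaluated_at is not ISO 8601")
    return out

def check_export(text):
    """Map artifact_id -> findings for each failing record in a JSON export."""
    bad, seen = {}, set()
    for i, rec in enumerate(json.loads(text)):  # assumption: export is a JSON array
        key = rec.get("artifact_id") or f"record[{i}]"
        findings = check_artifact(rec) + (["duplicate artifact_id"] if key in seen else [])
        seen.add(key)
        if findings:
            bad.setdefault(key, []).extend(findings)
    return bad

def sample_record(aid, decision, reason, score, when, sig="c2lnLXBsYWNlaG9sZGVy"):
    return {"artifact_id": aid, "agent_id": "did:agf:agt_01abc", "action": "read",
            "decision": decision, "reason": reason, "policy_ref": "policy-example@v1",
            "trust_score": score, "evaluated_at": when, "signature": sig}

# Constructed sample export; IDs, action, policy_ref and reason code are placeholders.
SAMPLE = json.dumps([
    sample_record("art_ok_allow", "allow", None, 0.92, "2025-03-14T09:21:07Z"),
    sample_record("art_ok_deny", "deny", "example_reason", 0.31, "2025-03-14T09:22:40+00:00"),
    sample_record("art_bad_allow", "allow", "example_reason", 1.4, "2025-03-14T09:23:00Z", sig=""),
    sample_record("art_bad_time", "deny", "example_reason", 0.5, "14/03/2025"),
])

if __name__ == "__main__":
    print(json.dumps(check_export(SAMPLE), indent=2))
```

Records that come back with findings should be re-fetched by artifact_id and have their signature verified before they are cited as evidence.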

Need compliance assistance?

Enterprise plans include direct support for compliance reviews, auditor Q&A sessions, and pre-built evidence packages for NIST AI RMF, ISO 42001, and EU AI Act submissions.