Compliance & Audit
Every authorization decision AGF makes produces a signed, tamper-proof audit artifact. These records are designed to answer the questions regulators and auditors actually ask — who, what, when, why allowed or denied, under which policy.
Audit artifact structure
Artifacts are written once, never mutated, and cryptographically signed. Retrieve any artifact by its artifact_id using GET /v1/audit/{artifact_id}.
| Field | Type | Description |
|---|---|---|
| artifact_id | string | Globally unique ID — use this as your compliance evidence reference |
| agent_id | string | The DID of the agent that made the request |
| action | string | The action the agent attempted |
| resource | string | The target resource URI (if provided) |
| decision | enum | allow or deny |
| reason | string | Deny reason code (null on allow) |
| policy_ref | string | Exact policy ID and version that made the decision |
| trust_score | float | 0.0–1.0 trust score at decision time |
| evaluated_at | datetime | ISO 8601 timestamp of the decision |
| signature | string | EdDSA signature over the artifact body — verify against the AGF public key |
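The field rules and signature check from the table above, as an added example (not AGF's own code) showing that an artifact edited after signing fails verification. Assumptions: the signature is base64 Ed25519 over the artifact without its `signature` field, serialized as compact JSON with sorted keys; the key pair, the artifact values and the helper names are constructed here so the block runs offline.

```javascript
const nodeCrypto = require('node:crypto');

// ASSUMPTION (not stated on the page): the signed body is the artifact without
// `signature`, keys sorted, compact JSON; the signature string is base64.
function canonicalBody(artifact) {
  const { signature, ...body } = artifact;
  const sorted = {};
  for (const k of Object.keys(body).sort()) sorted[k] = body[k];
  return Buffer.from(JSON.stringify(sorted), 'utf8');
}

// Field rules taken from the artifact table.
function fieldErrors(a) {
  const errs = [];
  for (const f of ['artifact_id', 'agent_id', 'action', 'policy_ref', 'signature'])
    if (typeof a[f] !== 'string' || a[f] === '') errs.push(`${f} missing`);
  if (!['allow', 'deny'].includes(a.decision)) errs.push('decision not allow/deny');
  if (a.decision === 'allow' && a.reason != null) errs.push('reason must be null on allow');
  if (typeof a.trust_score !== 'number' || a.trust_score < 0 || a.trust_score > 1)
    errs.push('trust_score outside 0.0-1.0');
  if (Number.isNaN(Date.parse(a.evaluated_at))) errs.push('evaluated_at not a timestamp');
  return errs;
}

function verifyArtifact(artifact, publicKey) {
  const errs = fieldErrors(artifact);
  if (errs.length) return { ok: false, errors: errs };
  const sig = Buffer.from(artifact.signature, 'base64');
  // Ed25519 hashes internally, so the digest argument is null.
  const valid = nodeCrypto.verify(null, canonicalBody(artifact), publicKey, sig);
  return { ok: valid, errors: valid ? [] : ['signature invalid'] };
}

// Constructed stand-in for the AGF key pair and one artifact (all values made up).
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
function signSample(body) {
  const sig = nodeCrypto.sign(null, canonicalBody(body), privateKey);
  return { ...body, signature: sig.toString('base64') };
}
const sample = signSample({
  artifact_id: 'art_EXAMPLE', agent_id: 'did:agf:agt_EXAMPLE', action: 'read',
  resource: 'https://example.invalid/doc/1', decision: 'deny', reason: 'EXAMPLE_REASON',
  policy_ref: 'policy_EXAMPLE@v1', trust_score: 0.42, evaluated_at: '2025-03-01T12:00:00Z',
});
// Flipping the decision after signing must be caught.
const tampered = { ...sample, decision: 'allow', reason: null };

console.log(verifyArtifact(sample, publicKey), verifyArtifact(tampered, publicKey));
```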
Verify a signature
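# Download the AGF public key once
curl https://api.agentgovernancefoundation.com/v1/keys/public > agf-public.pem
# Fetch the artifact
curl -s https://api.agentgovernancefoundation.com/v1/audit/art_7fKm3pQz \
  -H "Authorization: Bearer <YOUR_API_KEY>" > artifact.json
# Assumption: the signature is base64 and covers the artifact without its signature field, as compact JSON with sorted keys
jq -r '.signature' artifact.json | base64 -d > artifact.sig
jq -cjS 'del(.signature)' artifact.json > artifact.body
# EdDSA signs the raw message, so verify with pkeyutl -rawin (OpenSSL 3.x), not dgst -sha256
openssl pkeyutl -verify -pubin -inkey agf-public.pem -rawin -in artifact.body -sigfile artifact.sig
Compliance framework mapping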
How AGF capabilities map to the major AI governance standards.
The National Institute of Standards and Technology AI Risk Management Framework. AGF maps to the GOVERN, MAP, MEASURE, and MANAGE functions.
| Function | AGF capability |
|---|---|
| GOVERN | Policy-as-code in a versioned Git repository with approval workflows |
| MAP | Agent passports record context, intended purpose, and delegation lineage |
| MEASURE | Trust scores and anomaly metrics give continuous quantitative risk signals |
| MANAGE | Branch-cut revocation and incident response playbook address identified risks |
ISO 42001 is the international AI Management System standard. AGF's audit artifacts and policy lifecycle directly support clause 6 (Planning) and clause 9 (Performance evaluation).
| Clause | AGF capability |
|---|---|
| Clause 6 — Planning | Policy authoring, review, and versioning workflows |
| Clause 8 — Operation | PDP enforcement at every agent action boundary |
| Clause 9 — Evaluation | Signed, tamper-proof audit artifacts for every decision |
| Clause 10 — Improvement | Policy drift detection and anomaly alerting |
AGF's audit trail and human oversight mechanisms are designed to satisfy the transparency and accountability requirements for high-risk AI systems under the EU AI Act.
| Article | AGF capability |
|---|---|
| Art. 13 — Transparency | Every decision record includes agent_id, action, resource, policy_ref, and trust_score |
| Art. 14 — Human oversight | Policies require human review and approval before deployment |
| Art. 17 — Quality mgmt | Git-backed policy versioning with full change history |
| Art. 26 — Record-keeping | Audit artifacts retained with cryptographic integrity proofs |
Exporting audit logs
Use the list endpoint with filters to pull the records an auditor needs. Export formats: JSON (all plans), CSV (Standard and above).
# All deny decisions for a specific agent in a date range
GET /v1/audit?agent_id=did:agf:agt_01abc&decision=deny&from=2025-01-01&to=2025-06-30
# Export as CSV (Standard plan and above)
GET /v1/audit/export?format=csv&from=2025-01-01&to=2025-06-30
Need compliance assistance?
Enterprise plans include direct support for compliance reviews, auditor Q&A sessions, and pre-built evidence packages for NIST AI RMF, ISO 42001, and EU AI Act submissions.

