One PDF, signed and Bitcoin-anchored, that your auditor and your board accept.
The AgentGuard Compliance pack is the artefact your CRO opens when APRA asks “tell me about your AI agents”. It maps every action your production agents took to APRA CPS 230 Operational Risk Management, the EU AI Act implementation timeline, and ISO 42001 controls. One PDF. Signed. Anchored. Done.
Built for the audit, not for the brochure.
The pack is generated from your live audit log and reviewed against a control library that maps directly to the frameworks your auditor already uses. Every row links back to a signed event in the log, anchored to the Bitcoin block-chain so the record is tamper-evident.
- Control narratives mapped to CPS 230 §§13–22 and §§35–40
- EU AI Act Annex III high-risk obligations & transparency duties
- ISO 42001 control implementation statements
- Statistical sampling plan (50 / 100 / 200 events)
- Spend & rate-limit attestations
- Tool-call inventory and approval log
- Signed Merkle root + Bitcoin anchor transaction ID
One command. One signed PDF.
Stream events
Every tool call, every model output, every spend event flows into the audit log as it happens — signed at write time.
Map to frameworks
Control library applies CPS 230, EU AI Act, and ISO 42001 mappings to each event class. You can override the mapping for bespoke controls.
Anchor & sign
The pack’s Merkle root is anchored to Bitcoin via OpenTimestamps. The PDF is signed with your CA-issued key.
$ agentguard evidence build \
--framework cps230,eu_ai_act,iso42001 \
--window 2026-04-01..2026-06-30 \
--sample 100 \
--anchor btc \
--sign ./keys/cro.pem
✓ 84,213 events scanned
✓ 12 controls mapped (CPS 230 §§13–22, §§35–40)
✓ 18 controls mapped (EU AI Act Annex III)
✓ 9 controls mapped (ISO 42001)
✓ Merkle root anchored — txid: 4f2c…b91d
✓ Signed PDF: ./evidence/cps230-2026Q2.pdf (4.2 MB)Ready for the high-risk obligations.
The EU AI Act’s high-risk obligations land in waves through 2026 and 2027. AgentGuard ships pre-built mappings for every gate in the official implementation timeline — risk management (Art. 9), data & governance (Art. 10), technical documentation (Art. 11), record-keeping (Art. 12), transparency (Art. 13), and human oversight (Art. 14). Each is cross-linked to its CPS 230 cousin so AU teams aren’t maintaining two control libraries.
- Risk management
- Art. 9
- Data governance
- Art. 10
- Technical documentation
- Art. 11
- Record keeping
- Art. 12
- Transparency
- Art. 13
- Human oversight
- Art. 14
AI management system, evidence first.
ISO 42001 is the AI management system standard your certification body will start auditing against in 2026. AgentGuard maps clauses 6–10 (planning, support, operation, performance evaluation, improvement) to live evidence pulled from your audit log — so the initial certification audit and the surveillance audits use the same artefact your APRA submission already used.
If APRA writes to you, this is for you.
Neobanks & BNPL
50–500 employees, scaling AI agents in customer ops & collections, with a CISO who’s now also accountable for AI risk.
Super funds
Mid-market funds modernising member services, where SPS 220 and CPS 230 overlap and the board needs one artefact.
Mortgage & lending tech
Brokers and originators using AI in credit decisioning, where ASIC, AUSTRAC, and APRA all want a paper trail.