Compliance pack

One PDF, signed and Bitcoin-anchored, that your auditor and your board accept.

The AgentGuard Compliance pack is the artefact your CRO opens when APRA asks “tell me about your AI agents”. It maps every action your production agents took to APRA CPS 230 Operational Risk Management, the EU AI Act implementation timeline, and ISO 42001 controls. One PDF. Signed. Anchored. Done.

What’s in it

Built for the audit, not for the brochure.

The pack is generated from your live audit log and reviewed against a control library that maps directly to the frameworks your auditor already uses. Every row links back to a signed event in the log, anchored to the Bitcoin block-chain so the record is tamper-evident.

  • Control narratives mapped to CPS 230 §§13–22 and §§35–40
  • EU AI Act Annex III high-risk obligations & transparency duties
  • ISO 42001 control implementation statements
  • Statistical sampling plan (50 / 100 / 200 events)
  • Spend & rate-limit attestations
  • Tool-call inventory and approval log
  • Signed Merkle root + Bitcoin anchor transaction ID
Sample TOC
01 Executive summary
02 Scope & agent inventory
03 Risk taxonomy & control map
04 CPS 230 control narratives
05 EU AI Act Article 9 / 10 / 13 / 14
06 ISO 42001 control statements
07 Statistical sampling & testing
08 Incident & killswitch register
09 Third-party & model registry
10 Signature & chain anchor proof
How it’s generated

One command. One signed PDF.

/01

Stream events

Every tool call, every model output, every spend event flows into the audit log as it happens — signed at write time.

/02

Map to frameworks

Control library applies CPS 230, EU AI Act, and ISO 42001 mappings to each event class. You can override the mapping for bespoke controls.

/03

Anchor & sign

The pack’s Merkle root is anchored to Bitcoin via OpenTimestamps. The PDF is signed with your CA-issued key.

terminal
$ agentguard evidence build \
    --framework cps230,eu_ai_act,iso42001 \
    --window 2026-04-01..2026-06-30 \
    --sample 100 \
    --anchor btc \
    --sign ./keys/cro.pem

  ✓ 84,213 events scanned
  ✓ 12 controls mapped (CPS 230 §§13–22, §§35–40)
  ✓ 18 controls mapped (EU AI Act Annex III)
  ✓ 9 controls mapped (ISO 42001)
  ✓ Merkle root anchored — txid: 4f2c…b91d
  ✓ Signed PDF: ./evidence/cps230-2026Q2.pdf  (4.2 MB)
EU AI Act

Ready for the high-risk obligations.

The EU AI Act’s high-risk obligations land in waves through 2026 and 2027. AgentGuard ships pre-built mappings for every gate in the official implementation timeline — risk management (Art. 9), data & governance (Art. 10), technical documentation (Art. 11), record-keeping (Art. 12), transparency (Art. 13), and human oversight (Art. 14). Each is cross-linked to its CPS 230 cousin so AU teams aren’t maintaining two control libraries.

Risk management
Art. 9
Data governance
Art. 10
Technical documentation
Art. 11
Record keeping
Art. 12
Transparency
Art. 13
Human oversight
Art. 14
ISO/IEC 42001

AI management system, evidence first.

ISO 42001 is the AI management system standard your certification body will start auditing against in 2026. AgentGuard maps clauses 6–10 (planning, support, operation, performance evaluation, improvement) to live evidence pulled from your audit log — so the initial certification audit and the surveillance audits use the same artefact your APRA submission already used.

Who it’s for

If APRA writes to you, this is for you.

Neobanks & BNPL

50–500 employees, scaling AI agents in customer ops & collections, with a CISO who’s now also accountable for AI risk.

Super funds

Mid-market funds modernising member services, where SPS 220 and CPS 230 overlap and the board needs one artefact.

Mortgage & lending tech

Brokers and originators using AI in credit decisioning, where ASIC, AUSTRAC, and APRA all want a paper trail.

Stop building bespoke evidence packs. Generate them.