Merged
5 changes: 5 additions & 0 deletions src/components/docs/nav.ts
Expand Up @@ -491,6 +491,11 @@ export const DOCS_NAV: DocsSection[] = [
label: 'Bond verification',
blurb: 'GET /api/bond — re-resolve a bond against live bitcoin UTXO state. The load-bearing leg.',
},
{
href: '/fleet/compliance',
label: 'Compliance crosswalk',
blurb: 'Fleet artifacts mapped to EU AI Act / SOC 2 / NIST AI RMF — with honest rails. The procurement exit.',
},
{
href: '/fleet/webhooks',
label: 'Webhooks',
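Review bot: The new entry's blurb says "with honest rails", while the page it links to titles that section "the honesty rails"; use the same term in both places so the nav text matches what the reader lands on. "The procurement exit." is also opaque next to the neighbouring blurbs, which describe the endpoint or artifact; a plain phrase naming the audience (compliance reviewers, procurement) would read better in a nav list.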
72 changes: 72 additions & 0 deletions src/pages/fleet/compliance.mdx
@@ -0,0 +1,72 @@
export const metadata = {
title: 'Fleet compliance crosswalk',
description:
'How OC Fleet artifacts — signed delegations, stamped actions, revocations, bonded pledges, and offline-verifiable audit bundles — map to EU AI Act, SOC 2, and NIST AI RMF controls. Evidence infrastructure, stated honestly: what it gives an auditor, and what it explicitly does not.',
};

# Compliance crosswalk

Enterprise AI-agent rollouts stall in the same place: a compliance reviewer asks
_who authorized this agent to do that, what was it allowed to do, when was it
revoked, and what does it have to lose if it misbehaves_ — and the team cannot
answer with evidence that survives scrutiny. Service accounts collapse the
user→agent→tool chain into one shared credential, which is the SOC 2 CC6 finding
auditors now reject outright.

Fleet's artifacts are built to answer those questions with **content-addressed,
BIP-322-signed, OpenTimestamps-anchored evidence that verifies offline against
Bitcoin** — no trust in fleet required. This page maps each control family to
the artifact that satisfies it.

## Read this first — the honesty rails

These four statements bound everything below. Quote them to your reviewer; they
are the difference between an honest control and an overclaim.

1. **Fleet is evidence infrastructure, not a compliance guarantee.** It produces
the audit trail a framework asks for. It does not certify you against any
framework. Your auditor still audits you.
2. **Protocol cannot transfer liability.** A bonded pledge is verifiable
economic exposure, not an indemnity. No envelope makes someone else legally
responsible for an agent's act.
3. **Fleet is not a real-time kill-switch.** Revocation is a signed, anchored
fact that any verifier honors going forward; it is not an in-band interceptor
that halts a running tool call. Fleet **composes under** your runtime
guardrails and observability stack — it does not replace them.
4. **A bond proves skin-in-the-game, not good behavior.** It raises the cost of
misbehaving and makes that cost verifiable. It does not prevent the act.

## EU AI Act

| Article | Requirement | Fleet artifact |
| ------------------------------------------ | ----------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Art. 12 — Record-keeping** | Automatic logging of events over the system's lifetime, tamper-evident. | Every action is a kind-30084 envelope: content-addressed, BIP-322-signed by the agent, OTS-anchored to a Bitcoin block. The audit bundle is the lifetime log; the block anchor is the tamper-evidence. |
| **Art. 14 — Human oversight** | A human can understand, oversee, and intervene. | Authority originates in a **human-signed** delegation (BIP-322 over the principal's Bitcoin address) with an explicit scope grammar and a block-height expiry; intervention is a human-signed **revocation** envelope. Oversight is the scoped grant; intervention is the signed revoke. |
| **Art. 14 — Traceability of intervention** | Ordering of act vs. intervention is non-repudiable. | OTS block-height anchoring gives an offline verifier a non-malleable clock to order an action against its revocation deterministically — a signed wall-clock is forgeable, a block height is not. |

## SOC 2

| Criterion | Requirement | Fleet artifact |
| ------------------------------------------ | ----------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **CC6.1 — Logical access** | Least-privilege, per-identity access; no shared credentials. | Each agent acts under its **own** Bitcoin-address identity and its **own** scoped delegation — the opposite of a shared service account. Scope is an explicit, attenuable grammar, not "all of the API". |
| **CC6.2 / CC6.3 — Provisioning & removal** | Authorization is granted and revoked through a controlled, evidenced process. | Grant = signed delegation; removal = signed revocation. Both are first-class, exportable, offline-verifiable envelopes — the provisioning record _is_ the artifact. |
| **CC7.2 / CC7.3 — Monitoring & evidence** | Immutable, exportable activity logs. | NDJSON / JSON / CSV audit-bundle export; every row re-verifies against the agent's signature and the Bitcoin header chain with `@orangecheck/agent-core`. |

## NIST AI RMF

| Function | What fleet contributes |
| ----------- | -------------------------------------------------------------------------------------------------------------------------------------- |
| **GOVERN** | A named, address-keyed authority model: who delegated, to whom, with what scope, with what bond. |
| **MAP** | The scope grammar makes an agent's permitted actions explicit and enumerable before deployment. |
| **MEASURE** | The bond gives a measurable, chain-verifiable stake (`sats × days_unspent`); the action stream gives in-scope vs. out-of-scope counts. |
| **MANAGE** | Scoped, revocable authority + a bonded accountability signal that a counterparty can weigh — without custody, without an account. |

## The bond as a control

Most frameworks above are satisfied by _capability + audit_, which an ordinary
keypair could also provide. The differentiator that needs Bitcoin is the
[bond](/fleet/bond): a counterparty can verify the agent (or the org running it)
has real, unspent, aged bitcoin exposure to losing — re-resolved live against
UTXO state, trusting no one. That is the one control on this page that does not
reduce to a verifiable credential. See [Bond verification](/fleet/bond) for the
contract and its honest limitations.
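Review bot: The intro's "maps each control family to the artifact that satisfies it" and the bond section's "Most frameworks above are satisfied by _capability + audit_" contradict honesty rail 1 ("It does not certify you against any framework"); an artifact can supply evidence toward a control, but whether the control is satisfied is the auditor's call, so wording such as "the artifact that provides evidence for it" would keep the page inside its own rails. The same applies to "no trust in fleet required" in the intro, which should say what the verifier does still have to trust (the principal's key custody, the verifier software, the Bitcoin header chain it is given). In the "Art. 14 — Traceability of intervention" row, "a signed wall-clock is forgeable, a block height is not" is stated without qualification: an OpenTimestamps anchor shows that an envelope existed by a given block, not when the act it describes took place, so the row should say that the ordering is between anchors and state how a verifier treats an action whose anchor lands after the revocation's. The MEASURE row introduces `sats × days_unspent` without defining it or linking to where it is defined, and the opening paragraph's "the SOC 2 CC6 finding auditors now reject outright" has no source; a reviewer who is handed this page will ask for both.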