Audicta

Compliance

An evidence primitive your governance framework consumes.

Audicta is not a competing governance regime. The audicta.pa.v1 record is built so that fields you already need for HIPAA, SR 11-7, 21 CFR Part 11, EU AI Act, and ABA Resolution 1.1 are present contemporaneously, hash-bound, and independently verifiable.

The mappings below identify which fields in a record satisfy which requirements. Take them to your model risk committee or audit-readiness review.

What to bring to your compliance review

A compliance officer evaluating Audicta against an existing model risk or audit-readiness program typically needs four artifacts. All four are produced or referenced by the record itself; nothing additional is required from the engineering team.

  1. Schema reference. The audicta.pa.v1 schema and the audit-defensibility role of each field.
  2. A reproducible record. A real or sample record (the replay corpus) for byte-verification in your own browser.
  3. Framework mapping. The five sections below, annotated with the controls your committee is evaluating against.
  4. Deployment posture. On-prem evaluator option, content-hash retention policy, KB snapshot strategy. Available in detail under NDA.

Skip ahead to your framework: HIPAA · SR 11-7 · 21 CFR Part 11 · EU AI Act · ABA Resolution 1.1

HHS · OCR

HIPAA Security Rule — §164.312 technical safeguards

For US healthcare deployments, the Security Rule's technical safeguards (§164.312) are where an Audicta record provides the most direct evidence. The Privacy Rule's BAA requirement (45 CFR 164.504(e)) is a separate operational gate; see the deployment-posture note below.

Section | Requirement | audicta.pa.v1 element
§164.312(b) | Audit controls: hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI | record_id + decided_at + content_hash + decided_by_chain. Every PHI-bearing decision is a content-addressed audit entry retrievable by ID.
§164.312(c)(1) | Integrity: protect ePHI from improper alteration or destruction | content_hash invariant. Any byte change yields a different SHA-256, so alteration is detected by recomputation rather than by trusting an access policy. Caveat: the reference digest (record_id to content_hash) must be retained outside the record store it covers; a hash kept only inside the mutable record can be recomputed by whoever rewrites the record.
§164.312(c)(2) | Mechanism to authenticate ePHI: corroborate that ePHI has not been altered or destroyed | SHA-256 verification (browser-recomputable). The mechanism is the hash itself, recomputable with no access to Audicta infrastructure.
§164.312(d) | Person or entity authentication: verify that a person or entity seeking access is the one claimed | agent_genome_hash + decided_by_chain. Cryptographically binds the producing agent's prompt and version to the record's content_hash. Note that this establishes which agent configuration produced the record; it is not a credential check on a person or service seeking access, which remains the job of the deployment's identity layer.
§164.502(b) (Privacy Rule) | Minimum necessary standard: limit ePHI use to the minimum necessary for the purpose | evaluator_isolation_attestation. The evaluator cannot access PHI; it sees only the decision record. PHI never leaves the agent layer.

Operational gate — BAA required

The Privacy Rule (45 CFR 164.504(e)) requires a Business Associate Agreement before a vendor handles ePHI. Audicta's deployment posture for HIPAA-bound workloads (Anthropic BAA, on-premises local evaluator, at-rest encryption) is part of the F4 deployment track. Synthetic dry-run cases are the only cases that run through the public live demo today — see the banner on replay. hello@audicta.com to discuss BAA timing for your deployment.

Federal Reserve · OCC · FDIC

SR 11-7 — Supervisory guidance on model risk management

The Fed's letter sets the bar for model risk in regulated financial institutions: independent validation, effective challenge, ongoing monitoring, and documentation that an audit can reproduce. Audicta supplies an evidence object that answers each of these head-on.

Section | Requirement | audicta.pa.v1 element
III.B | Effective challenge of models: independent and competent review | evaluation.evaluator_local + evaluation.evaluator_cloud (independently trained, dual-scored)
III.B | Ongoing monitoring of model outputs | evaluator_isolation_attestation + reproduction harness (replay yields the same scores across time)
IV | Internal audit's independent assessment of the model risk management framework | record_id + content_hash + decided_at. Enable retrieval and re-verification by an auditor with no system access.
V.A | Documentation sufficient to allow third parties to understand how a model operated at a given time | agent_genome_hash + kb_snapshot_hash + agent_chain[*].output. Pins the agent state and the reasoning substrate.

FDA

21 CFR Part 11 — Electronic records, electronic signatures

Part 11 is the FDA rule that determines whether an electronic record is acceptable in lieu of a paper one. Its requirements (accurate copies, protection of records, audit trails, signature-to-record linking) are the properties that content-addressed, hash-bound records are designed to provide.

Section | Requirement | audicta.pa.v1 element
§11.10(b) | Ability to generate accurate and complete copies of records | content_hash invariant. A copy is accurate and complete exactly when it recomputes to the same SHA-256; the check needs no access to the originating system.
§11.10(c) | Protection of records to enable accurate and ready retrieval throughout the retention period | content addressing + record_id. Retrieval by ID, integrity self-attesting.
§11.10(e) | Use of secure, computer-generated, time-stamped audit trails to record the date and time of operator actions | decided_at, agent_chain[*].timestamp, decided_by_chain (ordered chain of producing agents)
§11.10(f) | Use of operational system checks to enforce permitted sequencing of steps | evaluation.convergence (dual-evaluator agreement gate) + ceo_flag (escalation when divergence exceeds threshold)
§11.50, §11.70 | Signature manifestation and signature-to-record linking | agent_genome_hash binds the producing agent identity to the record's content_hash; the link is cryptographic, not merely associative. Caveat: a Part 11 electronic signature (§11.3(b)(7), §11.100) belongs to an individual. The agent hash documents the automated actor; any human signature the procedure requires is still applied through the signer's own e-signature control.

European Union

EU AI Act — Annex IV technical documentation

Annex IV enumerates the technical documentation a high-risk AI provider must maintain. The articles below are where the decision-record fields land. Article 12 (Logging) and Article 14 (Human Oversight) sit beside Annex IV and bind the record to the operational lifecycle.

Section | Requirement | audicta.pa.v1 element
Annex IV §2(b) | Logic of the AI system: design specifications, classification choices, optimisation | agent_chain[*].output.what / why / alternatives_considered / tradeoff
Annex IV §2(g) / Art. 14 | Human oversight measures, including conditions under which the system requires human review | decision.alternative_pathway_cited + evaluation.convergence.ceo_flag (deterministic escalation conditions)
Annex IV §2(i) | Validation and testing procedures and results | evaluation.scores + evaluation.convergence.max_dimension_divergence (independent dual scoring)
Art. 12 | Logging: automatic recording of events relevant to system operation, sufficient to ensure traceability | record_id + decided_at + content_hash. Persistent, content-addressed decision trace queryable by ID.

American Bar Association

ABA Resolution 1.1 — Generative AI in legal practice

Resolution 1.1 reaffirms that the duties already set by the Model Rules of Professional Conduct apply in full when lawyers use generative AI: competence, supervision, candor to the tribunal, and confidentiality. Each duty translates directly into something the record must show.

Duty | What the audit asks | audicta.pa.v1 element
Rule 1.1 · 3.3 | Competence and candor: did the AI cite real authorities, and can each citation be verified independently? | citations[*].kb_chunk_hash. Every cited source is byte-verifiable against the KB snapshot at decision time.
Rule 5.3 | Supervision over non-lawyer assistance: was the AI's reasoning reviewable by the supervising attorney? | agent_chain[*].output (full reasoning trace) + evaluation.scores (independent quality signal)
Rule 1.6 | Confidentiality: where does client information go to produce the record? | Local-evaluator deployment option; record produced on infrastructure under the firm's control, not a vendor's.
Rule 1.4 · 1.5 | Communication and reasonable fees: can the client see what AI did versus what was lawyer work? | decided_by_chain + agent_genome_hash. Explicit attribution of work to the specific automated chain.

Questions on a specific framework or your firm's review template? hello@audicta.com