Compliance

EU AI Act, SOC 2, HIPAA.
One dashboard. One export.

Every AI event across browser, desktop, CLI, and MCP lands on one immutable, signed log with per-user attribution. The Manifest, our compliance evidence pack, turns that log into proof an auditor can read.

See your shadow AI free Book a demo
Browser · Desktop · CLI · MCP · Network
The Manifest

The evidence, not the promise of it.

Auditors do not accept good intentions. The Manifest is a signed evidence pack that maps your real AI activity to the controls each framework asks for. One export, timestamped and attributed to a person, gathered every day instead of reconstructed the week before the audit.

Frameworks covered

One log. The frameworks your auditor asks for.

The same signed evidence maps to every framework below. Start with the one your customers or regulators are pushing on.

EU AI Act
Inventory, attribution, and evidence for Article 4 AI literacy, Article 26 deployer obligations, and Article 50 transparency. See the EU AI Act page →
ISO 42001
The AI management system standard. The evidence pack supports the controls an auditor tests toward certification. See ISO 42001 →
SOC 2 + AI
AI events mapped to the Common Criteria for access, monitoring, and change. See SOC 2 for the AI era →
NIST AI RMF
Govern, Map, Measure, and Manage, each backed by real inventory and signed evidence. See NIST AI RMF →
HIPAA technical safeguards
Audit controls and access evidence: which AI tool touched what, attributed to a user, on a signed log.
Already hold ISO 27001?
Extend the management system you already run to cover AI. The 27001 to 42001 bridge →
Where the evidence comes from

One immutable, signed log. Per-user attribution.

Every AI event across all four surfaces, plus the network layer, writes to a single append-only log. Signed and timestamped, so an auditor can trust it was not edited after the fact.

ATTRIBUTED
Each event carries a user, a tool, a category, a model, and a time. Not a mystery IP.
IMMUTABLE
Append-only and signed. Unlimited history, with 7-year retention on Enterprise.
EXPORTED
One click produces the pack, mapped to the framework controls your auditor reads.
Honest about what this is. The Manifest is accepted as part of your evidence library. It is not the audit itself. You still engage a certified auditor such as Scytale, A-LIGN, or Schellman, and Northbeams gives them clean, signed evidence to work from. We are also classified as a tool, not an AI provider, so your obligations hinge on how your team uses AI.
Feeds your stack

Into the GRC platform and SOC you already run.

The Manifest does not replace your GRC platform. It supplies the AI evidence layer those platforms have been missing, and streams the same events into your SIEM.

  • Evidence automation with Vanta, Drata, OneTrust, and Scytale on Enterprise
  • SIEM streaming to Splunk and Microsoft Sentinel, Datadog on request
  • Immutable signed logs with 7-year retention on Enterprise
  • Owned by GRC? See the GRC and compliance view
Our own posture
Northbeams runs its own SOC 2 Type II observation window with Scytale, and is a Drata Alliance member. See the Trust Center.
EU AI Act·SOC 2 + AI·ISO 42001·NIST AI RMF·HIPAA technical safeguards·Signed evidence

Turn AI activity into audit evidence.

One dashboard. One export. Free to see, pay to govern.

See your shadow AI free Book a demo