Skip to main content
XOR
[STANDARDS]

Compliance and Standards

How XOR signed audit logs satisfy SOC 2, EU AI Act, PCI DSS, NIST, and other compliance requirements.

Compliance requires evidence, not promises

Regulatory frameworks require audit trails for AI systems. Current agent logs do not meet evidentiary standards. Verifiable Vibes provides cryptographically signed traces that satisfy compliance requirements across multiple frameworks.

Framework alignment

  1. IETF: Submitted as Internet-Draft with CDDL schema specification
  2. RATS: Agent claims structured as remote attestation evidence
  3. SCITT: Traces registered on transparent supply chain ledger
  4. PCI DSS: Cryptographic audit trails satisfy Section 10 logging requirements
  5. SOC 2: Signed traces provide Trust Services monitoring evidence
  6. NIST CSF: Covers Identify, Protect, and Detect functions for AI systems
  7. EU AI Act: Article 13 transparency and Article 31 accountability requirements for high-risk AI

Status

XOR is submitting an open standard for signed AI agent audit logs through the IETF (the same body that standardized HTTP and TLS). We implement it today.

Built on open internet standards

Supply chain integrity

Signed records that prove agent actions are authentic and unmodified. Based on IETF SCITT.

Remote verification

Independent verification of agent behavior. Based on IETF RATS.

Secure updates

Trusted update and deployment framework. Based on IETF SUIT.

Why open standards matter for agent audit logs

The IETF standards we build on address three core problems in AI agent deployment. Supply Chain Integrity and Transparency (SCITT) provides mechanisms to sign and verify the integrity of software artifacts and their provenance. SCITT defines how to embed cryptographic proof into audit logs so they cannot be altered after creation. Remote Attestation procedures (RATS) enable independent verification of agent behavior by third parties. Your auditors, regulators, or security teams. Without needing access to your internal systems. Software Updates for Internet of Things (SUIT) creates a secure framework for distributing and validating agent updates, ensuring that only authorized versions run in production.

Open standards matter because they let you switch tools without losing your audit trail. A proprietary format locks you into one vendor. An IETF standard means your agent traces remain portable across XOR, your compliance tools, and future platforms.

What XOR implements today

  • A complete record of every agent session and file change
  • Digital signatures so records cannot be altered
  • Test reports attached to every agent pull request
  • SCITT-compliant signed envelopes using COSE_Sign1
  • RATS conformance classes (producer, verifier, consumer)
  • CDDL schema validation for trace structure

What this means for audits

Signed audit logs give compliance teams clear evidence of what an agent did, what it changed, and whether the fix passed. This reduces audit time and shortens approval cycles. Regulators accept cryptographically signed evidence without requiring secondary interviews. Teams can prove compliance automatically instead of spending weeks gathering documentation. See how verification works for the full test pipeline.

[NEXT STEPS]

Start building your compliance evidence

Agent trace verification →Agent safety →How verification works →Building secure skills →

FAQ

Which standards does Verifiable Vibes align with?

IETF (Internet-Draft submission), RATS (Remote Attestation Procedures), SCITT (Supply Chain Integrity), PCI DSS (audit trail requirements), SOC 2 (system monitoring), NIST CSF (identify/protect/detect functions), and EU AI Act (Article 13 transparency, Article 31 accountability).

Does this help with SOC 2 compliance?

Yes. SOC 2 Trust Services Criteria require monitoring of system operations. Verifiable agent traces provide cryptographically signed evidence of what AI agents did, when, and with what outcome.

How does SCITT alignment work?

SCITT defines transparent ledgers for supply chain artifacts. Agent traces are registered as SCITT claims, providing an immutable record that can be independently verified by any party with ledger access.

Is this required for production AI deployments?

Yes. The EU AI Act requires audit trails for high-risk AI systems. SOC 2 requires system monitoring evidence. Verifiable traces provide the evidence layer that compliance teams need without requiring changes to agent code.

[RELATED TOPICS]

How Verification Works

Test agents on real vulnerabilities before shipping fixes.

Automated Vulnerability Patching

AI agents generate fixes for known CVEs. XOR verifies each fix against the vulnerability before it ships.

Benchmark Results

62.7% pass rate. $2.64 per fix. Real data from 1,920 evaluations.

Benchmark Results

62.7% pass rate. $2.64 per fix. Real data from 1,920 evaluations.

Agent Cost Economics

Fix vulnerabilities for $2.64–$52 with agents. 100x cheaper than incident response. Real cost data.

Agent Configurations

15 agent-model configurations benchmarked on real vulnerabilities. Compare pass rates and costs.

See which agents produce fixes that work

128 CVEs. 15 agents. 1,920 evaluations. Agents learn from every run.