One runtime, mapped to every framework your auditors use.
Cortex doesn't just claim alignment — it enforces it at runtime and exports the proof. Pick a framework below to see exactly how controls map, then export an evidence pack straight from the Trust Ledger.
Aligned with — never certified-claimed · EU AI Act · NIST AI RMF · ISO 42001
The regulations that govern enterprise AI — and how Cortex aligns.
Plain-language guides to the frameworks regulated teams answer to, each paired with the exact Cortex controls that satisfy them. Honest framing: Cortex is built for and aligned with these standards — it does not assert certification on your behalf.
EU AI Act
Risk classification, human oversight, logging and traceability, and post-market monitoring for high-risk AI systems.
maps ▸ Oversight modes · Risk register · Trust Ledger logging
NIST AI RMF
Govern, Map, Measure, and Manage functions for trustworthy AI — with documented evidence for each.
maps ▸ Evaluation · Reliability score · Audit evidence
ISO/IEC 42001
An AI management system standard: policies, roles, records, and continual improvement for AI operations.
maps ▸ Policy-as-Code · Risk register · Ledger records
SOC 2
Security, availability, processing integrity, confidentiality, and privacy controls for service organizations.
maps ▸ Agent IAM · DLP · Tamper-evident audit
HIPAA
Safeguards for protected health information — access controls, audit controls, and minimum-necessary use.
maps ▸ Ontology permissions · DLP · Run audit trail
FINRA
Books-and-records, supervision, and communications-review obligations for broker-dealers using AI.
maps ▸ Control Tower · Oversight · Ledger retention
IRS Circular 230
Standards of competence and diligence for tax practitioners — provable, grounded, reviewable work product.
maps ▸ Datapoint provenance · Citations · Review gate
From a written requirement to an enforced control to provable evidence.
Every framework reduces to a set of requirements. Cortex turns each one into a fail-closed runtime gate — and records the verdict in a tamper-evident ledger you can hand an auditor.
| Requirement | Enforced Cortex control | Ledger evidence |
|---|---|---|
| Human oversight of high-risk decisions | Oversight modes + approval gate | 409 hold · approver receipt |
| Logging & traceability of every run | Trust Ledger (hash-chained) | verifyChain ▸ ok: true |
| Access limited to authorized roles | Agent IAM + ontology permissions | 403 on restricted read |
| Spend / resource limits enforced | Cost governance hard cap | 402 over budget |
| Decisions grounded in real sources | Datapoint provenance + citations | 10-hop lineage to source |
| Records are complete & tamper-evident | Signed receipts, sealed chain | hashOk: false flags edits |
One-click evidence export, straight from the Trust Ledger.
Stop assembling screenshots before an audit. A Compliance Pack bundles the control-to-framework mapping table with the live, hash-chained run records that prove each control fired — exported on demand, verifiable offline.
- Control map per framework (EU AI Act · ISO 42001 · NIST AI RMF and more)
- Sealed run records with signed receipts you can verifyChain offline
- Datapoint provenance: every fact threads back through a 10-hop lineage to its source
- Honest by construction — evidence is generated, never asserted
Three steps from policy to provable.
- 01
Map
Pick your frameworks. Cortex lines each requirement up against the runtime gate that enforces it — no spreadsheet archaeology.
- 02
Enforce
Every agent run passes the same fail-closed gates. A denied control returns a real code (402 / 403 / 409) — never a silent pass.
- 03
Prove
Export a Compliance Pack: the mapping table plus the sealed ledger records that show each control fired, verifiable offline.
Turn compliance from a burden into a button.
See how Cortex maps your frameworks to enforced controls and exports auditor-grade evidence on demand.