Compliance is a query, not a quarter.
Article 12 asks for automatic, lifetime event records. Article 19 asks you to keep them six months. This runtime already signs a receipt for every agent run and every authorization decision — compliance is querying records you already have, not instrumenting code you haven't written.
receipts for ai systems · explicit authority · no ambient trust
Records your agents write today are already admissible evidence. Retention starts counting the day you deploy — not the day the regulator asks.
Four articles. Four primitives. Zero instrumentation.
asks · High-risk AI systems must technically allow automatic recording of events over their lifetime.
runtime · Every skill invocation seals an Ed25519-signed execution receipt: caller, grants, tool calls, file ops, timing, outcome. Recorded by the runtime, not by your app code.
asks · Automatically generated logs are kept for at least six months.
runtime · Retention policy floored at 180 days while the EU AI Act framework is active — enforced at write time and re-checked inside the purge path. Legal hold blocks deletion outright.
asks · Systems are designed so natural persons can effectively oversee them.
runtime · Every authorization decision records who decided — auto, policy, or human. Human-in-the-loop approvals are distinguishable in the grant chain, not asserted after the fact.
asks · Documentation is drawn up before market placement and kept current.
runtime · Agent card, version, image digest, risk tier, intended purpose, and oversight statement export as a per-system dossier inside the evidence pack.
One query across every decision your agents made.
Skill executions, authorization decisions, and administrative actions normalize into a single record shape. Filter by agent, outcome, kind, or date range. Open a record and the platform re-verifies its Ed25519 signature in front of you — proof, not a promise.
No second store to sync, no ETL to a compliance warehouse. The records the auditor reads are the records the runtime wrote.
See replay & receipts →{
"record_id": "rcpt_9f2ce41b",
"kind": "skill_execution",
"agent_name": "invoice-triage",
"actor": "user:finance-ops",
"action": "skill:classify_invoice",
"outcome": "ok",
"occurred_at": "2026-07-05T09:14:22Z",
"verifiable": true,
"signature_status": "valid",
"details": {
"grant_ids": ["gr_71aa04"],
"tool_calls": 3,
"eval_score": 0.97
}
}The evidence pack answers the questionnaire.
A single JSON export: decision records, agent dossiers, signature verification results, and the control mapping inlined — an auditor who has never seen this platform can read it cold.
EU AI Act
Queryable decision records, 180-day floored retention, human-oversight attribution, per-system documentation. Enforcement for high-risk systems begins 2 August 2026.
NIST AI RMF 1.1
Org policy with named owners, agent inventory with risk tiers, eval scores on receipts, scoped authority and budget caps — mapped function by function in the export.
ISO/IEC 42001
The evidence pack answers the AI-management-system questionnaire your buyer's procurement team sends: traceability, operational control, performance evaluation.
Governed agent execution is the compliance program.
Run
Agents execute under scoped, signed grants. No ambient trust — every action already carries its authority.
Record
The runtime seals each run into a signed receipt and each authorization into the grant chain. Zero instrumentation in your agent code.
Query
Decision records are one API: filter by agent, outcome, kind, date range. Signature re-verified when you open a record.
Export
One click produces a self-describing evidence pack — records, agent dossiers, control mapping — ready for auditors and procurement.
Deploy governed. Query compliant.
Retention windows only protect the records that exist. Every day agents run ungoverned is a day of evidence you can't produce later.