Audit and regulatory proof

Compliance traceability: from regulation to runtime pillar.

cogward's five pillars map to specific requirements in DORA, EU AI Act, SOC 2, HIPAA, MiFID II, and other frameworks. This page is the traceability matrix — from regulation to pillar to runtime capability.

The audit log is not retrofitted for compliance. It is designed from the ground up around the evidentiary requirements of each framework below: tamper-evident, privacy-preserving, independently verifiable, and exportable without engineering interpretation.

Staging

Compliance capability staging

Evidence first. Compliance mappings second. cogward does not claim compliance by acronym. It produces runtime evidence that customers can map to their control frameworks.

Phase 1 — design partners

  • tamper-evident audit event model
  • privacy-preserving evidence structure
  • hash-chained event integrity
  • runtime identity, tool, resource, lifecycle, and policy records
  • exportable evidence format

Next

  • SOC 2, DORA, and NIST AI RMF reporting templates
  • GRC export
  • audit team query interface
  • validated control mappings with design partners

Later

  • MiFID II, HIPAA, EU AI Act Article 13, FedRAMP / IL-5, and SR 11-7 sector-specific evidence packs
  • lineage-linked explainability
  • snapshot-linked forensic replay

Pillar-to-regulation mapping

From regulation to runtime pillar.

Each pillar maps to specific regulatory requirements. An auditor can trace from regulation → pillar → cogward capability. This is what makes the compliance page a procurement artifact rather than a marketing page.

Pillar 1 · Runtime

What runtime control satisfies

DORA Article 9 (Protection and prevention) · DORA Article 11 (Response and recovery — kill switch and lifecycle) · EU AI Act Article 15 (Accuracy, robustness, cybersecurity) · SOC 2 CC6 (Logical access — singular enforcement point)

Pillar 2 · Authority and Accountability

What execution identity satisfies

SOC 2 CC6 (Logical access) · DORA Article 9 (Identification and management) · EU AI Act Article 12 (Record-keeping — dual attribution is the property the regulation requires) · HIPAA §164.308 (Administrative safeguards — identifying who acted)

Pillar 3 · Lifecycle Control

What lifecycle authority satisfies

DORA Article 7 (ICT change management — versioning and rollback) · DORA Article 11 (Response and recovery — kill switch) · EU AI Act Article 14 (Human oversight — HITL approval workflow and lifecycle authority) · SOC 2 CC8 (Change management)

Pillar 4 · Audit-Grade Evidence

What audit-grade evidence satisfies

DORA Article 28 (Record-keeping and reporting) · EU AI Act Article 12 (Record-keeping) · HIPAA §164.312(b) (Audit controls) · SOC 2 CC7 (System operations — monitoring and evidence) · GDPR Article 17 (Right to erasure — the GDPR-excisable property)

Pillar 5 · Agent Estate Intelligence

What estate intelligence satisfies

EU AI Act Article 17 (Post-market monitoring) · EU AI Act Article 72 (Post-market monitoring system) · DORA Article 12 (Detection — anomaly detection at the runtime layer)

Evidence model

Tamper-evident by design. Independently verifiable.

Integrity

Hash-chained construction

Every audit record contains a cryptographic hash of the previous record. Chain integrity is verifiable without vendor involvement — your auditor can verify it with standard tooling.

Privacy

Privacy-preserving structure

Sensitive content — PHI, PII, confidential data — is referenced by hash and classification, never stored inline. The compliance record is readable by auditors without exposing raw sensitive data.

GDPR

Deletion without breaking the chain

Individual records can be cryptographically excised — the content is removed, the structural position is preserved. The integrity of records above and below the deletion is maintained.

Independence

No vendor involvement required

Integrity verification, audit export, and compliance reporting do not require cogward involvement. Your audit team can access, query, and verify the record independently.
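The evidence model above, as an added illustration written for this page (it is not cogward's code or record format): each record commits to the previous record's hash and to a sha256 reference of the sensitive payload, which lives only in a side store; erasing the payload from that store removes the content while every hash in the chain stays valid. The record fields, the side store and the verifier are assumptions for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value of the first record


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceLog:
    """Hash-chained audit log; sensitive payloads live off-log, keyed by hash."""

    def __init__(self):
        self.records = []   # the chain that is exported and verified
        self.content = {}   # content_ref -> raw bytes; only place PHI/PII lives

    def append(self, event: str, actor: str, payload: bytes, classification: str) -> dict:
        ref = _h(payload)
        self.content[ref] = payload
        body = {
            "seq": len(self.records),
            "prev": self.records[-1]["hash"] if self.records else GENESIS,
            "event": event, "actor": actor,
            "content_ref": ref, "classification": classification,
        }
        body["hash"] = _h(json.dumps(body, sort_keys=True).encode())
        self.records.append(body)
        return body

    def excise(self, ref: str) -> bool:
        """Erasure: drop the payload; the record and its hash stay, so the chain holds."""
        return self.content.pop(ref, None) is not None


def verify(records, content) -> tuple:
    """Independent check: needs only sha256 and the exported records and content store."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev"] != prev:
            return (False, f"chain break at seq {i}")
        body = {k: v for k, v in rec.items() if k != "hash"}
        if _h(json.dumps(body, sort_keys=True).encode()) != rec["hash"]:
            return (False, f"record {i} modified")
        payload = content.get(rec["content_ref"])   # None once excised: still valid
        if payload is not None and _h(payload) != rec["content_ref"]:
            return (False, f"content for record {i} does not match its reference")
        prev = rec["hash"]
    return (True, "ok")
```

An auditor re-running `verify` over an export detects any edit to a record or its stored payload, while excised payloads simply verify as absent.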

Primary mappings — shipping with the platform

Frameworks mapped to runtime primitives.

EU Financial Services

DORA

Operational resilience for AI-driven processes. Article 28 ICT third-party risk evidence templates included. Incident classification mapped to lifecycle event types.

Trust services

SOC 2 Type II

Access, change management, and audit logging controls mapped to runtime enforcement primitives. CC6.1 identity attribution covered by machine identity per agent.

AI risk

NIST AI RMF

Govern, map, measure, manage — mapped to the platform's identity, policy, evidence, and lifecycle primitives. Framework alignment documentation included.

Sector-specific packs — following customer validation

Validated against real audit requirements.

Sector packs are published after validation against real customer audit requirements. We do not publish speculative mappings.

EU Markets

MiFID II

Record-keeping and algorithmic trading documentation for agent-driven decisions in the trade lifecycle. Audit format aligned to record-keeping obligations under Article 16.

Healthcare

HIPAA

Accounting of disclosures, PHI boundary enforcement, memory residency controls. Agent actions involving PHI recorded without storing raw PHI in the audit log.

Phase 4

EU AI Act

Article 13

Transparency and explainability evidence — output-to-source lineage through the agent execution path. Requires data lineage capability.

Federal

FedRAMP / IL-5

Later / specialized track

Air-gapped deployment profile with classified-environment operational support. Tier C deployment is the enabling infrastructure.

Model risk

SR 11-7

Independent model validation evidence for autonomous AI actions. Agent-initiated actions are distinguishable from human-initiated actions by machine identity — the specific gap in managed runtimes that use on-behalf-of-user authorisation patterns.

GRC integration

Audit log into your existing governance stack.

cogward's audit log is designed to integrate with the GRC platforms your compliance team already uses. The goal: real execution evidence flows into your CMDB and risk platform, replacing self-reported compliance status with verifiable runtime data.

GRC

ServiceNow GRC

Audit log export to CMDB. Policy state synchronisation. Agent lifecycle events surfaced as IT incidents.

Phase 2

GRC

Archer

Compliance evidence export aligned to Archer risk and control frameworks.

Phase 2

Trust management

Vanta

Automated evidence collection for SOC 2 Type II and ISO 27001 via Vanta's evidence connector.

Phase 2

Custom

Export formats

Structured JSON and CSV export in auditor-recognised formats. Custom export schemas available for enterprise contracts.