Home / Features / Compliance evidence

Compliance evidence for AI agents — computed, not claimed

Auditors don't want your intentions; they want evidence. Kynara maps your live configuration — policies, roles, approvals, budgets, audit chain — to named controls in OWASP AI Exchange, MITRE ATLAS, ISO/IEC 42001 and the EU AI Act, and exports it in one click.

Evidence, not checkbox theatre

Most compliance pages are static claims. Kynara's Compliance Evidence report is generated from what is actually enforced in your org at request time. If nothing uses taint tracking, the control shows not configured — and tells you how to fix it. When your auditor asks "show me your human-oversight control," the answer is an export with the implementing policies listed by ID.

The control mapping

Kynara mechanismOWASP AI ExchangeMITRE ATLASISO / EU AI Act
Role-scoped agent permissions (RBAC gate)#LEAST MODEL PRIVILEGEAML.M0028ISO 27002 8.2
require_approval policies + review queue#OVERSIGHTAML.M0029ISO 42001 B.9.3 · EU AI Act Art. 14
Taint tracking (is_tainted downgrade)#LEAST MODEL PRIVILEGE (risk elevation)AML.M0030
Sequence policies (preceded_by)#OVERSIGHT (step sanity checks)AML.M0029/M0030
Delegation non-escalation (scope intersection)#LEAST MODEL PRIVILEGE (honor the served)AML.M0027
Daily action budgetsExhaustion controlsAML.M0026
Hash-chained audit log + verificationISO 42001 records · EU AI Act Art. 12 · SOC 2 CC7.2
Agent kill switch#OVERSIGHT (halt)EU AI Act Art. 14(4)(e)
Approval-fatigue monitoring#OVERSIGHT (limitations)Art. 14 effectiveness
The OWASP AI Exchange feeds directly into EU AI Act harmonized standards and ISO work — implementing its named controls is the shortest defensible path to "we follow recognized practice." Kynara cites the control IDs in the export so your auditor can verify the mapping.

How it works

Walk into your next audit with evidence

Free plan: 3 seats, 10k decisions/month.

Get started freeOWASP coverage detailSequence policies →