ComplyAI

From Regulation to Proof — Automatically

ComplyAI reads what your regulations require. Creates the governance rules that enforce them in Constrix. Generates the evidence package your auditor accepts.

EU AI Act · Aug 2026 · NIST AI RMF · ISO 42001 · HIPAA · GDPR · Saudi SDAIA · SOC 2

The Regulation Problem

Every regulation demands the same thing in different words.

Prove that your AI acted within documented, controlled, accountable boundaries. The EU AI Act calls it "transparency." NIST AI RMF calls it "accountability." ISO 42001 calls it "operational records." HIPAA calls it "audit controls." Saudi SDAIA calls it "registration and identity." They all mean the same thing: a tamper-proof record that a human authorized this AI action, within this policy, at this time, and that the record cannot be changed after the fact. Without Constrix, producing this evidence requires manual log reconstruction — if the logs exist, if they haven't been altered, if an administrator can find the right entries across a system that was never designed to produce regulatory evidence. With Constrix, this record is created automatically, for every AI decision, in a format that any auditor can verify.

How ComplyAI Works

Four steps from regulation to proof.

01. Regulation Ingested

ComplyAI reads the regulation article — the specific clause, the specific obligation. Not the entire document. The specific requirement your AI system must satisfy.

02. Controls Mapped

Each regulatory obligation is mapped to a specific Constrix architectural property or governance control. Article 13 transparency becomes an agent identity requirement. §8.4 operational records become CAPL retention policy.

03. Governance Rules Deployed

ComplyAI generates the Rego governance rule that enforces the mapped control. The rule is deployed to your Constrix instance. From this moment, your AI is structurally required to comply — not asked to.

04. Evidence Package Generated

When your auditor or regulator requests evidence, you export a package. Sealed CAPL records for the review period, organized by regulation article, with cryptographic proof for every claim.

Regulation → Controls → Governance Rules → Evidence Package

Regulation Coverage

Every major AI governance framework. Mapped to specific controls.

Constrix does not produce a compliance checklist. It produces the actual technical controls each regulation requires — and the cryptographic proof that those controls were active.

EU AI Act

Enforcement: Aug 2026

Every EU-facing AI deployment

  • Article 12 — Automatic logging of AI system events
  • Article 13 — Transparency and agent attribution
  • Article 17 — Quality management documentation
  • Article 9 — Risk management controls

NIST AI RMF

NIST SP 600-1

US federal contractors and regulated organizations

  • GOVERN 1.1—1.7 — Policy and accountability controls
  • MAP 1.1 — Risk classification per decision type
  • MEASURE 2.5 — Continuous risk signal from CAPL
  • MANAGE 1.3 — Active risk treatment controls

ISO 42001

ISO/IEC 42001:2023

Global AI management system certification

  • §6.1 — AI risk treatment controls
  • §8.4 — Operational management records
  • §9.1 — Performance evaluation evidence
  • §10.2 — Corrective action documentation

HIPAA

45 CFR Part 164

Healthcare AI systems touching patient data

  • §164.312(b) — Audit controls for ePHI access
  • §164.308(a)(1) — Security management process
  • Agent identity for every clinical AI action
  • Sealed access records per patient session

GDPR

GDPR 2016/679

EU personal data processing

  • Art. 22 — Automated decision accountability
  • Art. 25 — Data protection by design
  • Art. 5(1)(f) — Data minimization in AI access
  • Sealed proof of every automated decision

Saudi SDAIA / NCA

Vision 2030

Saudi Arabia and GCC AI deployments

  • NCAI-AI-01 — AI system registration requirements
  • NCAI-AI-04 — Audit trail and accountability
  • NCA CSF — Cybersecurity framework controls
  • PDPL — Personal data processing accountability

SOC 2 Type II

AICPA SOC 2

Enterprise customers requiring SOC 2 attestation

  • CC6 — Logical and physical access controls
  • CC7 — System operations monitoring
  • CC9 — Vendor and third-party risk management
  • Agent identity provides non-human CC6 coverage

Evidence Package

When your auditor asks, you export a package.

When your auditor or regulator requests evidence, you export a package. It contains: the sealed CAPL records for the period under review, organized by regulation article, with a narrative explaining which control was active and what it produced. Every claim in the narrative is cryptographically traceable to a sealed record your auditor can verify independently — without access to Constrix infrastructure.

evidence-package-q1-2026.zip
├── eu-ai-act/
│   ├── art-12-logging/ (847 sealed records)
│   ├── art-13-transparency/ (847 sealed records)
│   └── art-17-quality/ (12 policy versions)
├── nist-ai-rmf/
│   └── govern-map-measure/ (consolidated)
├── narrative.pdf (cryptographically signed)
└── verify.sh (offline verification script)

Sealed CAPL Records

Every AI decision in the review period, sealed with Ed25519. Tamper-evident. Independently verifiable by any standard cryptographic library.

Organized by Article

Records grouped by the regulation article they satisfy. Your auditor finds Article 13 evidence under Article 13 — not buried in a raw log export.

Cryptographic Traceability

Every narrative claim traces to a specific sealed record. Nothing is asserted without cryptographic backing your auditor can independently verify.

No Constrix Required to Verify

Your auditor verifies the package using any standard Ed25519 verification library. They do not need access to Constrix systems or infrastructure.
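
What the offline check described above amounts to, as an added example (not Constrix's code and not the contents of verify.sh). The record layout `{article, payload, sig}`, the signed-bytes encoding and the sample values are assumptions, since the page does not specify the CAPL format; it uses Node's built-in `crypto` module and shows that an edited record and a record refiled under another article both fail verification.

```javascript
const crypto = require("crypto");

// Constructed key pair standing in for the sealing key (demo only).
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
// What the auditor holds: the public key only, obtained out of band.
const auditorKeyPem = publicKey.export({ type: "spki", format: "pem" });

// Bytes covered by the signature (assumed encoding). Binding the article label
// into them means a record cannot be refiled under another article unnoticed.
function sealedBytes(rec) {
  return Buffer.from(JSON.stringify([rec.article, rec.payload]), "utf8");
}

// Producer side (hypothetical): sign the record with Ed25519.
function seal(article, payload) {
  const rec = { article, payload };
  rec.sig = crypto.sign(null, sealedBytes(rec), privateKey).toString("base64");
  return rec;
}

// Auditor side: verify every record offline and tally results per article.
function verifyPackage(records, publicKeyPem) {
  const key = crypto.createPublicKey(publicKeyPem);
  const report = {};
  for (const rec of records) {
    if (!report[rec.article]) report[rec.article] = { valid: 0, invalid: 0 };
    let ok = false;
    try {
      const sig = Buffer.from(String(rec.sig), "base64");
      ok = crypto.verify(null, sealedBytes(rec), key, sig);
    } catch (e) {
      ok = false; // a malformed signature counts as a failed record
    }
    report[rec.article][ok ? "valid" : "invalid"] += 1;
  }
  return report;
}

// Constructed sample package: two intact records, one edited, one refiled.
function demoPackage() {
  const a = seal("art-12-logging", '{"agent":"agent-7","action":"read"}');
  const b = seal("art-13-transparency", '{"agent":"agent-7","approved_by":"j.doe"}');
  const edited = Object.assign({}, a, { payload: a.payload.replace("read", "none") });
  const refiled = Object.assign({}, a, { article: "art-13-transparency" });
  return [a, b, edited, refiled];
}

console.log(verifyPackage(demoPackage(), auditorKeyPem));
```

A passing signature check shows only that each record present is unaltered and was sealed by the holder of the private key; it says nothing about records that were left out of the package.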

Ready to turn your regulations into proof?

Start with ComplyAI on the Free tier. No credit card. Your first compliance score in minutes.
