BlogREAD
Identity, provenance, and boundary layers for autonomous systems.
The accountability layer for AI agents
Kakunin brings KYC to AI agents with cryptographic identity and audit trails.
Kakunin is KYC compliance infrastructure for AI agents. Issue X.509 identities, monitor behaviour in real time, and generate regulator-ready audit trails. Delegate scoped authority, score what your agent does and says, and prove control on any framework.
LIVE12,481issued today
NEXT IN LINEQUEUED
Trade Executor
Meridian Capital
NEXT IN LINEQUEUED
Support Triage
Helio Labs
AGENT PASSPORT · KKN-2026VERIFYING
IB
OperatorNorthwind Trading✓
Scopewrite:drafts✓
Valid until2027 · 04 · 11✓
Serialc4f9 · 17a2✓
30-day trust score↑ +2 last 7d
0/ 100
VERI
FIED
FIED
agt_8f3c2a · OKagt_61aa09 · attestagt_44b1c8 · OKagt_2d1188 · BLOCKEDagt_9e5fb1 · OKagt_07c2da · rotateagt_3b4099 · OKagt_4c8901 · OKagt_a31fde · attestagt_22b8c0 · OKagt_fe9aa2 · BLOCKEDagt_5da014 · OKagt_8f3c2a · OKagt_61aa09 · attestagt_44b1c8 · OKagt_2d1188 · BLOCKEDagt_9e5fb1 · OKagt_07c2da · rotateagt_3b4099 · OKagt_4c8901 · OKagt_a31fde · attestagt_22b8c0 · OKagt_fe9aa2 · BLOCKEDagt_5da014 · OK
HOW IT WORKS
From zero to auditable in one afternoon.
01
Register & Certify
Call kkn.agents.certify(). AWS KMS issues an X.509 certificate binding your agent’s identity, operator, and permitted actions. Done in < 3 seconds.
→
02
Stream Events
Every agent action — API call, decision, transaction — hits the ingest endpoint. 1,000 events/s, p99 200ms. Immutable audit log builds automatically.
→
03
Score & Watch
Behavioral drift detection runs continuously. Content-risk scoring flags what the agent said, not just what it did. Rolling 30-day trust score. Auto-revoke at 0.85.
→
04
Prove & Report
One API call generates a regulator-ready compliance report — mapped to NIST AI RMF, MiCA, ISO 27001, or any framework you answer to. PDF + JSON. Signed.
FEATURED READING
Deep-dive guides for
regulated AI teams.
Start with the pages that answer the questions buyers, engineers, and regulators ask most often.
WHO USES KAKUNIN
Eight distinct roles.
One unified trust plane.
Compliance, engineering, operations, API platforms, infrastructure, the boardroom, AI startup founders, and security engineers all rely on Kakunin — securing every touchpoint of the agentic lifecycle with cryptographic trust.
Compliance Officer01 / 08
Every agent action is logged, timestamped, and cryptographically signed. Satisfy logging and traceability mandates natively. 100% audit readiness with zero compliance violations under the EU AI Act and MiCA.
Our regulators verify every decision in ten seconds — with cryptographic proof.— Clara · Head of Compliance · Tier-1 EU Bank
CTO · Engineering02 / 08
Integrate in minutes via decorators like @verify_agent_scope. Short-lived ephemeral certificates eliminate static key leakage risks with localized edge verification (<5ms latency overhead).
Agents that stay in lane. A kill switch that works when we need it to.— Devlin · CTO · Payment Infrastructure
Operations & FinOps03 / 08
Real-time risk scoring checks agent behavior dynamically. Catch loops and anomalies before they blow your budget or trigger external rate limits. Revoke one agent without affecting the fleet.
Keep agent operations cost-effective. Prevent runaway loops and budget blowout automatically.— Omar · Operations Director · Customer Support Fleet
API Platform04 / 08
Differentiate benign agents from malicious scrape bots at the border. Validate X.509 credentials and authorize granular agent scopes using high-performance edge gateway plugins with <2ms verification latency.
Validate agent identity at the gateway. Block unauthorized bots before they degrade our APIs.— Alex · API Platform Lead · API-First SaaS
Infrastructure Partner05 / 08
Prevent secret leaks in LLM memory. Bind dynamic agent sessions to native Row-Level Security (RLS) policies using official adapters. Zero-trust hosting for production-grade agent platforms.
Zero database keys exposed in agent runtimes. Enforced at the RLS database layer.— Ian · Cloud Platform Architect · Developer Cloud
Executive & C-Suite06 / 08
Deploy autonomous workflows 3x faster than competitors. Remove the regulatory roadblock to AI adoption by presenting cryptographically defensible proof of safety to your board and shareholders.
3× faster operations. Defensible to the regulator. Available today.— CEO · Regulated Enterprise
AI Startup Founder07 / 08
Every enterprise security review asks the same question. Kakunin gives you a one-line answer: cryptographic identity, behavioral monitoring, and a compliance report on demand. Ship the deal. Don't lose it to governance.
Stopped losing deals to “we need to review your AI governance” — answered it in the next call.— Founder · AI Agent Startup
Security Engineer08 / 08
Behavioral logs tell you what happened. Content-risk scoring tells you what was said. Catch prompt injections, off-scope outputs, and policy violations before they become incidents. Forensic export with HMAC signatures for incident response.
First platform that watches both the action log and the output content. That’s the full picture.— Security Lead · Fintech Platform
Trusted by compliance teams
shipping agents into regulated markets
shipping agents into regulated markets
NORTHWND
VEKTOR
HELIX
PRISMA
BANK·OE
OPENLEDGER
THE MARKET HAS SHIFTED
Your competitor is deploying AI agents. Race starts now.
AI agents market: $5.4B (2024) → $32.8B (2028), 40%+ CAGR. Every security review now asks the same question: how do you govern your agents?
You can't match competitor speed without autonomous systems. You can't deploy them without proving — to a buyer, an auditor, or yourself — that they stay in scope.
DEPLOY NOW
AI Agents with KakuninSee, trust, and stop every agent — on any framework
FIRST MOVER ADVANTAGE
ONE BAD ACTION
A Real Agent Off the RailsMoved money, leaked data, made a promise it shouldn't
REPUTATION + LIABILITY
EVERY DEAL
“How do you govern your agent?”Asked in every security questionnaire and vendor review
NO ANSWER = NO DEAL
THE CHOICE
You Have to DecideDeploy A) with Kakunin B) blind C) not at all
PICK A
WHAT KAKUNIN DOES
Trust. Proof. Compliance.
In that order.
Enterprise buyers lead with risk, end with compliance. Kakunin proves your agent stayed in scope, behaved as expected, and made auditable decisions. All via documented REST API.
01 — TRUST
Cryptographic Boundaries
X.509 certificates bind agent identity to financial scope (€X max transaction size). Scope is tamper-proof, encoded in the cert. Agents can't exceed limits even if code is compromised. Private keys live in AWS KMS only — never in plaintext. Counterparties verify cryptographically.
VERIFIED
SERIAL · c4f9·17a2·6b8e
02 — PROOF
Post-Hoc Proof
Every transaction is signed by the agent (via KMS), timestamped, and logged immutably. Behavioral drift detection flags when agent deviates from baseline. Auto-revocation fires at risk threshold. Regulators, auditors, or counterparties verify: agent did X at Y time, signed with cert Z. Immutable chain of custody.
THRESHOLD 0.85
03 — COMPLIANCE
Regulatory Reports in Seconds
Auto-generated compliance reports map to MiCA Articles 67–75 and EU AI Act Annex III. Includes agent identity, scope, behavioral boundaries, decisions, and drift detection. PDF (regulator-ready) + JSON (downstream pipelines). Signed, watermarked, audit trail included.
MICA
READY
READY
04 — CONTENT RISK
Score What Your Agent Says.
Content-risk scoring evaluates agent output — not just actions. Flags harmful, prohibited, or off-scope language per EU AI Act Art. 5. Every output gets a risk score (0–1). High scores block the response and write to the audit log. The feature that separates Kakunin from every cert-issuer and model-governance tool.
$ kkn.content.score("agt_8f3c2a", output)
> risk_score: 0.91
> category: "prohibited_content"
> action: "blocked"
> audit_ref: "evt_c4f9…"
05 — INTEGRATION
API-first. SDK-fast.
Every feature accessible via REST or the TypeScript SDK. OpenAPI 3.0 spec, webhooks with HMAC signatures, sandbox mode, exponential backoff baked in. Drop it into a Vercel app and certify an agent in seven lines of code.
$ kkn.agents.certify("agt_8f3c2a")
> status: "certified"
> serial: "c4f9·17a2·6b8e"
> valid_until: "2027-04-11"
> latency: 2.4s
THE STANDARD THAT INSTITUTIONS TRUST
Banks and governments have relied on X.509 for 30+ years.
Now your AI agents do too.
X.509 is the cryptographic backbone of global financial systems — issuing bank certificates, signing securities trades, securing payment networks. It's the institutional standard that regulators understand and counterparties trust without question.
Kakunin brings this proven, 30-year-old infrastructure directly to AI agents. Not a new standard. Not an experimental framework. The same PKI that secures trillions of dollars now secures your autonomous systems.
30+ years
Global financial PKI standard
$2T+
Daily transaction volume via X.509
100%
Regulator-recognizable proof
ONLY KAKUNIN: REAL-TIME BEHAVIORAL KILL SWITCH
Rolling 30-day risk scoring.
Auto-revocation in < 60 seconds.
Every agent will eventually drift. A model update introduces new behaviors. A prompt injection changes reasoning. A hallucination alters decisions. Kakunin's rolling 30-day risk scoring catches these deviations before they become breaches.
When risk crosses your threshold (default: 0.85), the certificate is cryptographically revoked. No manual intervention. No waiting for a human to notice. No audit trail gaps. Sub-60-second SLA. Your webhook fires. Your compliance team is notified. The next API call from that agent fails.
✓Continuous behavioral drift detection
✓Cryptographic auto-revocation
✓Sub-60-second enforcement SLA
✓Webhook + email compliance notifications
No other platform offers behavioral monitoring andcryptographic revocation in production. Human KYC can't detect agents. Model governance works pre-deployment. Kakunin is the only system watching agents post-deployment, scoring them continuously, and enforcing boundaries in real time.
PUBLIC VERIFICATION
Anyone can confirm an agent's identity. No account.
A regulator, an auditor, or a counterparty hits one URL with a serial number. Sub-500ms response. Tenant-isolated. Tamper-evident.
The same endpoint your stack uses to verify inbound agent-to-agent calls.
✓No authentication required
✓Returns full revocation history
✓Globally cached, < 500ms p99
✓Returns scope, operator, model hash
$ curl https://api.kakunin.ai/v1/verify/c4f9-17a2-6b8e # Public endpoint — no API key required. HTTP/2 200 · 142ms · cached:eu-fra-1
RESPONSE · application/json
{
"status": "active",
"serial": "c4f9-17a2-6b8e",
"agent_name": "Invoicing Bot · v3.2",
"operator_org": "Acme Crypto",
"permitted_actions": ["read:invoices", "write:drafts"],
"model_hash": "sha256:8f3c…2a91",
"valid_from": "2026-04-11T09:23:14Z",
"valid_until": "2027-04-11T09:23:14Z",
"issuer": "Kakunin Certificate Authority",
"revocation_reason": null
}142ms
round trip
eu-fra-1
edge region
99.99%
uptime · 90d
SIGNATURE FEATURE · AGENTMAIL
Every certified agent gets a reachable inbox.
A verifiable email address tied to a real cryptographic identity. Regulators can write to your agent. Counterparties can request audit excerpts. Every inbound and outbound message lands in the immutable audit log.
Provisioned automatically at certificate issuance. Deactivated on revocation.
"An agent with a provable, auditable email address is a stronger identity claim than a certificate alone."— Functional Scope v1.0 · UC-19
invoicing-bot@acmecrypto.kakunin.to
VERIFIED INBOXBaFin · Supervisor InquiryRequest for action log covering 2026-04-11 → 2026-05-01 under MiCA Art. 70…
Auditor — MazarsQuarterly review · please share scope confirmation and revocation history…
counterparty@vektor.ioVerifying your agent before opening a settlement channel — serial please…
Acme Internal · ComplianceAuto-digest: 4,212 events in last 24h · 0 anomalies · trust 0.94…
BEHAVIORAL MONITORING
See what every agent did,
as it happens.
Sub-2-second event latency. Color-coded risk bands. Click any event for full scope rationale, OpenRouter-narrated reasoning, and the underlying certificate.
Risk scores roll over 30 days. Cross 0.85 — auto-revocation fires within 60 seconds. Webhook lands on your Slack before the next API call completes.
387/hr
Avg event rate
200ms
p99 risk score
8
Action types
< 60s
Auto-revoke SLA
LIVE EVENT FEED · ACMECRYPTO
142 events / last 60s
agt_8f3c2acreate:draft_invoice · customer #20490.120:02
agt_61aa09read:contacts · scope=read:crm0.080:04
agt_44b1c8authentication_failure · retry 2/30.410:07
agt_9e5fb1data_access · customer #2049 · profile0.180:09
agt_07c2datransaction_initiated · €840 · within scope0.520:12
agt_2d1188unauthorized_access_attempt · refund > €500 cap · BLOCKED0.910:14
agt_3b4099api_call · list:invoices0.060:18
agt_8f3c2acreate:draft_invoice · customer #20500.110:22
COMPLIANCE MAPPING
Mapped article-by-article.
Every feature maps to a specific regulatory clause. Use these mappings inside your own compliance filings — supervisor-ready language, no rewrite required.
Regulation
Article / Annex
How Kakunin satisfies it
NIST AI RMF
Govern · Map · Measure · Manage
Kakunin maps to all four NIST AI RMF functions. Agent identity (Govern), risk scoring (Measure), auto-revocation (Manage), and audit trail (Map). One platform, four functions covered.
NIST CSF 2.0
Identify · Protect · Detect · Respond · Recover
X.509 identity maps to Identify + Protect. Behavioral monitoring covers Detect. Auto-revocation + webhooks cover Respond. Immutable audit log supports Recover.
ISO 27001
Annex A — Access control & audit logging
Scoped permissions encoded in certificate (A.9), WORM audit log (A.12), KMS key custody (A.10), and automated incident notification via webhooks (A.16).
MiCA
Art. 67–75 — Operational resilience
Per-agent X.509 certificate, rolling 30-day risk profile, and on-demand audit report with an OpenRouter-drafted executive summary.
EU AI Act
Annex III — High-risk logging
Append-only audit log (DB-enforced WORM) plus risk-threshold auto-revocation and a human-visible compliance dashboard.
EU AI Act
Art. 13 — Transparency & traceability
Public verification endpoint surfaces operator, scope, and model_hash. No auth required — supervisor can verify independently.
EU AI Act
Art. 14 — Human oversight
Realtime alerts to the compliance officer; manual revoke path; full event provenance with OpenRouter risk narration.
GDPR
Art. 22 · Art. 30 — RoPA & automated decisions
Audit log doubles as Records of Processing for agent-touched personal data. Exportable as JSON for the supervisory authority.
USE CASES
Anywhere an agent
touches a regulated workflow.
The same primitives that secure a crypto exchange's trading bot also secure a hospital's diagnostic assistant and a customs broker's filing agent. One platform — many supervisor regimes.
Financial services · Crypto
Quantitative trading agents
Exchanges verify bot identity cryptographically before executing a trade. Behavioral monitoring catches compromised agents in milliseconds.
Financial services · Banking
AML & fraud-detection agents
God-mode access agents lose their certificate the instant their behavior crosses 0.85 rolling risk — before the breach completes.
Healthcare
Diagnostic assistants on EHR
Permitted actions are encoded in the certificate. Read-only agents physically cannot mutate. HIPAA audit trail comes for free.
Legal & e-discovery
Document-review agents
Cryptographic chain of custody for every file an AI parsed inside an M&A data room. Court-admissible audit trail by default.
Supply chain
Automated customs brokers
AI signs customs declarations with its KMS-bound private key. Customs authorities verify the cryptographic signature directly.
Public sector
Visa & tax processing agents
EU AI Act-compliant reporting for any agent making citizen-facing decisions. Transparency built in, not bolted on.
FOR ENGINEERS
Seven lines.
One certified agent.
Fully typed TypeScript SDK with Zod-validated responses, automatic retry, webhook signature verification, and a sandbox mode. Python SDK ships V1.1.
certify-agent.ts
stream-events.ts
generate-report.ts
verify.ts
import { Kakunin } from "@kakunin/sdk"; const kkn = new Kakunin({ apiKey: process.env.KAKUNIN_API_KEY }); // 1. Register the agent const agent = await kkn.agents.create({ name: "Invoicing Bot v3.2", operatorOrg: "Acme Crypto", modelHash: "sha256:8f3c…2a91", permittedActions: ["read:invoices", "write:drafts"], }); // 2. Issue an X.509 certificate · < 3s end-to-end const cert = await kkn.agents.certify(agent.id); // 3. Stream each agent action await kkn.events.ingest({ agentId: agent.id, actionType: "transaction_initiated", details: { amount: 840, currency: "EUR" }, }); // → risk_score: 0.12 · band: low · webhook fired
Type safety ZOD
Every response is Zod-validated. Your IDE catches typos before your CI does.
Sandbox mode FREE
kak_test_… keys hit a real sandbox CA. Issue 100 test certs/day at no cost.
Webhook helper HMAC
kkn.webhooks.verify() handles signature checks so you can't get it wrong.
Retry & queue SDK
Exponential backoff on 5xx, client-side buffering on 429. Zero events lost on rate-limit spikes.
OTLP export NEW
Ships agent telemetry to Datadog, Grafana, Honeycomb, and Splunk via OpenTelemetry. No vendor lock-in.
GitHub Actions gate NEW
Block deploys when agent risk score exceeds threshold. CI-native — one workflow step, no custom tooling.
$ npm install @kakunin/sdk
TRUST & SECURITY
The product itself is auditable.
Compliance products carry a higher bar. Our architecture is the answer to the first question a regulator will ask: "How do we know you didn't tamper with this?"
Key custody
AWS KMS only
Data residency
EU · eu-west-1
Audit log
WORM · append-only
Tenant isolation
RLS · service-role gated
Certification
SOC 2 in progress
Encryption
AES-256 + TLS 1.3
PRODUCT LANDSCAPE
Not your typical
KYC platform.
Human KYC tools verify people. Model governance tools score models. Kakunin is the missing primitive in between — cryptographic identity and behavioral accountability for the agents themselves. Different problem. Different buyer. Different category.
| Kakunin | Human KYC Jumio · Onfido · Sumsub · Veriff | AI-enhanced KYC AIPrise · Baselayer | Model Governance Credo AI · Arthur AI | |
|---|---|---|---|---|
| Subject of verification | AI agents | Humans & businesses | Humans & businesses | AI models (pre-deploy) |
| X.509 cryptographic identity | ✓AWS KMS · RSA-2048 | ✗ | ✗ | ✗ |
| Real-time behavioral monitoring | ✓1,000 events/s · p99 200ms | ✗ | ~fraud signals only | ~batch / offline |
| Auto-revocation on risk breach | ✓< 60s SLA · configurable threshold | ✗ | ✗ | ✗ |
| EU AI Act compliance reports | ✓Annex III · Art. 13 · Art. 14 | ✗ | ✗ | ~model card only |
| MiCA Article mapping | ✓Art. 67–75 · PDF + JSON | ✗ | ✗ | ✗ |
| Immutable append-only audit log | ✓WORM · DB-enforced | ~case-level only | ~case-level only | ~evaluation logs |
| Verifiable agent email inbox | ✓AgentMail · auto-provisioned | ✗ | ✗ | ✗ |
| Public certificate verification | ✓No auth · < 500ms · globally cached | ✗ | ✗ | ✗ |
| API-first with typed SDK | ✓REST · OpenAPI 3.0 · TS SDK | ✓ | ✓ | ~varies by vendor |
✓ Fully supported · ~ Partial / adjacent capability · ✗ Not applicable to this category
Kakunin is complementary to, not a replacement for, human KYC or model governance tools. Many customers run all three.
🇪🇺
European Union
EU AI Act + MiCA
BINDING · AUG 2026Most comprehensive framework globally. Risk-tiered. Fines up to €35M or 7% of global turnover. Kakunin maps to Annex III, Arts. 13–14, and MiCA Arts. 67–75. Extraterritorial — applies to any AI system serving EU users, regardless of company HQ.
🇺🇸
United States
NIST AI RMF · NCCoE · CA SB 53
NIST AI RMF · THE UNIVERSAL STANDARDNIST AI RMF is the gold standard for AI risk management — adopted by enterprise buyers, referenced by regulators, and required in every serious vendor questionnaire. Kakunin maps to all four NIST AI RMF functions and the NCCoE four-pillar model. California SB 53 in force Jan 2026. US companies with EU exposure also satisfy EU AI Act extraterritorial obligations.
🇨🇦
Canada
PIPEDA (no AI-specific law)
AIDA WITHDRAWN · JAN 2025Canada's AI-specific bill (AIDA) died when Parliament prorogued in January 2025. No replacement in force. Companies operating in Canadian regulated sectors (banking, insurance) voluntarily adopt EU AI Act standards as the highest available bar.
🇬🇧
United Kingdom
Sector-based · FCA guidance
BILL STALLED · NO BINDING LAWUK AI Regulation Bill remains a Private Member's Bill with no government backing as of 2026. FCA applies sector-specific guidance for financial services AI. UK fintech operators with EU exposure must comply with EU AI Act — making Kakunin directly applicable.
FAQ
Questions, answered.
How is Kakunin different from Jumio, Onfido, or Sumsub?
Those verify humans. Kakunin verifies AI agents— their identity, their behavior, and their model lineage. We're not a replacement for human KYC; we're the missing primitive that sits next to it. We expect to partner with the incumbents, not compete with them.
Is Kakunin a model-governance tool like Credo AI or Arthur AI?
No. Model governance scores the model. Kakunin issues an identity to a specific deployed agent and watches what it does. Together they cover both halves of EU AI Act obligations — they're different primitives.
What happens to a certificate when an agent misbehaves?
The platform tracks a rolling 30-day risk score. When the average crosses 0.85 (configurable), the certificate is auto-revoked, your webhook fires, and the compliance officer receives an email. Every step is written to the audit log.
Where are private keys stored?
In AWS KMS only. Kakunin never has access to plaintext private key material. We store the kms_key_arn, never the key itself. Signing operations are performed by KMS directly.
Do you support US regulatory frameworks?
Yes — live today. Kakunin maps every agent control to NIST AI RMF (all four functions: Govern, Map, Measure, Manage), NIST CSF 2.0, and the NCCoE four-pillar model for non-human identities, alongside MiCA, EU AI Act, and ISO 27001. One platform, every framework. The same controls also support GLBA, SOX, PCI DSS, and SEC recordkeeping obligations. See the full mapping at kakunin.ai/compliance.
Can I self-host?
Not at V1.0. We considered it. The value of Kakunin is the network effect of a single trusted certificate authority — which self-hosting undermines. Enterprise customers can request a dedicated Supabase instance for data residency.
How does the free trial work?
30-day free trial on every plan — card required, no charge until day 31, cancel anytime before. We provision your tenant, certify your first 5 agents together in a working session, wire your event stream, and deliver your first compliance report inside 30 days.
DEPLOYED IN PRODUCTION
Autonomous AI agents,
enterprise-safe.
From trading bots to compliance processors, financial institutions prove agent autonomy using Kakunin. Zero compliance violations. Zero agent escapes.
Financial services · Trading
Autonomous FX trading agent
Tier-1 EU bank. Agent executes up to €50M/day (scoped in cert). Behavioral drift detection active. Compliance team: zero violations. Result: 3x trade execution speed vs human desk.
Fintech · Reconciliation
Autonomous payment processor
Millions of daily transactions reconciled by agent. Behavioral drift caught agent misbehavior on day 3. Revocation fired <5ms. Result: $0 fraud loss. Audit clean.
Insurance · Claims
Autonomous claims triage
Handles €2M/month in claim decisions. Post-hoc audit log validated every decision with regulators. Result: 40% processing speed-up. Liability clear.
Supply chain
Customs filing automation
AI signs customs declarations with KMS-bound private key. Customs authorities verify cryptographic signature directly. Result: 10x faster clearance. No manual review needed.
Healthcare
Diagnostic EHR assistant
Read-only agent on hospital records. Permitted actions encoded in cert. Cannot mutate. HIPAA audit trail automatic. Result: Fast diagnosis. Full regulatory compliance.
Public sector
EU AI Act–compliant visa processor
Citizen-facing agent decisions fully auditable. Transparency built in, not bolted on. Regulators see: scope, decisions, behavioral baseline, drift alerts.
UNLOCK AI AUTONOMY · TODAY
Identity.
Accountability.
Autonomy.
Cryptographic identity and behavioural proof for AI agents in regulated industries. Financial institutions deploy autonomous agents with Kakunin. Enterprise-safe, audit-ready.