Home/For Compliance Officers
Compliance Officers

Audit trails for AI agents that hold up in an exam.

WORM audit logs, real-time risk scoring, and regulator-accessible verification. Capture defensible evidence chains for every AI agent decision under MiCA, EU AI Act, GDPR, and HIPAA.

WORMImmutable audit log
0.85Auto-revocation threshold
<60sRevocation SLA
4 frameworksMiCA · AI Act · GDPR · HIPAA
01 — HOW IT WORKS

Your regulatory readiness workflow

End-to-end regulatory readiness — from agent registration through behavioral monitoring to supervisor-ready reporting. Every step leaves a tamper-proof record.

1

Monitor behaviour events

1,000 events/sec: transaction, data_access, api_call, auth_failure. Streamed in real-time with timestamps and actor context. Each event is cryptographically signed and written to immutable storage — providing an evidence chain that satisfies supervisory traceability mandates under the EU AI Act and MiCA Art. 70.

Rolling 30-day risk score
2

Risk scoring & alerts

Automated risk assessment from behavioral patterns. 0.75 = pre-revocation warning, 0.85 = auto-revocation. Every score change leaves a traceable record — a timestamped entry with the triggering event, calculated band, and responsible actor. Your team is notified by webhook before the next API call completes.

GET /api/v1/agents/{id}/risk
3

Immutable audit log

WORM (Write-Once-Read-Many). No UPDATE/DELETE permitted — enforced at the database layer, not just application policy. Full traceability: registration, certificate issuance, behavioral events, risk changes, revocation. Append-only by design. A supervisory authority sees exactly what happened, when, and in what sequence — nothing redacted, nothing reordered.

audit_log table (immutable)
4

Regulatory reporting

Auto-generated reports mapping to MiCA Art. 61–75, EU AI Act Annex III, GDPR Art. 22, HIPAA. Each report includes agent identity, scope, behavioral boundaries, decisions, and drift detection — in PDF for supervisors and JSON for downstream pipelines. Signed, watermarked, with a traceable evidence chain included.

GET /api/v1/reports/compliance
02 — FRAMEWORKS

Regulatory framework coverage

Four major frameworks, mapped article-by-article. Use Kakunin's regulatory mappings inside your own filings — supervisor-ready language, no rewrite required.

MiCA (Art. 61–75)

Cryptographic asset custody & AI governance. X.509 certificates (365-day per Art. 70), behavioral monitoring, auto-revocation SLA, tamper-proof evidence chain. The MiCA Article 72 revocation reason is recorded, timestamped, and surfaced in every generated report — ready for the supervisory authority without further formatting.

Learn more

EU AI Act (Annex III, Art. 13–15)

High-risk system logging, transparency, human oversight, and robustness. The immutable event log, rolling risk scoring, and behavioral proof satisfy Annex III traceability obligations. The regulator-accessible /v1/verify endpoint provides Art. 13 transparency — no authentication, no intermediary.

Verification API

GDPR (Art. 22, 30)

Automated decision records & Records of Processing Activities (RoPA). Every AI agent action that touches personal data is logged with actor, timestamp, and scope. The full regulatory record is exportable for the Data Protection Authority (DPA) on request — in JSON matching their standard schema.

Event Ingestion

HIPAA

Healthcare privacy & tamper-proof logging. WORM storage with read-only agent scope enforced at the certificate layer — a diagnostic agent physically cannot mutate a patient record. Every access is logged for regulatory inspections. The evidence chain ships automatically; no separate HIPAA logging tool required.

Healthcare case study
03 — THE GAP

Why financial services compliance software wasn't built for agents

Traditional financial services compliance software tracks human actors — traders, advisors, relationship managers. AI agents operate at a different scale and speed.

Agents act in milliseconds

A trading agent executes thousands of decisions per second. Human-centric surveillance tools sample events; Kakunin ingests every one at 1,000 events/sec per tenant, scoring in real-time. Nothing is sampled. Nothing is lost. The regulatory record is complete by construction.

Agents have no legal identity

Without a cryptographic identity, an AI agent is indistinguishable from a rogue script. Kakunin issues X.509 certificates to each agent — binding name, operator, model version, and permitted actions into a tamper-proof credential that regulators and counterparties can verify independently.

Agents drift without notice

A model update, a prompt injection, a context change — any of these can alter agent behavior post-deployment. Rolling 30-day risk scoring detects behavioral drift before it becomes a breach. Auto-revocation fires within 60 seconds. No human needs to notice first.

Regulators need independent access

Supervisory authorities cannot depend on the operator to provide verification. The public /v1/verify endpoint requires no credentials — a BaFin supervisor, an ECB examiner, or an FCA reviewer can confirm agent identity and standing directly, without involving the regulated firm.

04 — SUPERVISOR ACCESS

Verification built for regulators

Independent, tamper-evident, always available. Supervisors and external reviewers get direct access — no intermediary, no portal login, no waiting for your team.

Public verification

Regulators & supervisors verify agent certificates via /api/v1/verify/{cert_serial}. No authentication required. <500ms p99 latency, globally CDN-cached. Returns operator, scope, model hash, validity window, and revocation status in a single call.

Audit trail export

Full regulatory reports exportable in PDF (supervisor-ready) or JSON (pipeline-ready). Complete chain-of-custody from agent registration through revocation. WORM guarantee — the record cannot have been modified after the fact, by anyone.

Risk scoring proof

Every risk score update logged with triggering event and rationale. 30-day rolling window. Threshold breaches trigger pre-warning (0.75) then auto-revocation (0.85). Each step leaves a timestamped, immutable entry — defensible in a supervisory exam.

Certificate revocation list

Public CRL endpoint. Revoked certificates listed with reason, timestamp, actor. Updated in real-time. Supervisors can monitor the CRL feed independently — no coordination with the operator required.

Get started

Ready to govern your AI agent fleet?

Immutable audit trail + regulator-accessible verification. Deploy AI agents with cryptographic defensibility — built for financial services teams that cannot afford a supervisory gap.