# Compliance Mapping

How Ctrl AI maps to EU AI Act, DORA, SOC 2, and HIPAA requirements.
Ctrl AI provides a compliance mapping page (Settings > Compliance) that maps platform controls to specific regulatory articles. This page is available to org admins.
## EU AI Act

| Article | Requirement | How Ctrl AI Addresses It |
|---|---|---|
| Art. 9 | Risk Management | Coverage gap tracking, audit warnings trend, model auditor |
| Art. 10 | Data Governance | Expert-authored units with provenance, not uncontrolled training data |
| Art. 11 | Technical Documentation | Units with Given/When/Then + typed I/O, workflows, model provenance per inference |
| Art. 12 | Record-Keeping | Append-only audit_logs + inference_logs with full execution traces |
| Art. 13 | Transparency | Trust gradient per claim, expert attribution, model auditor warnings |
| Art. 14 | Human Oversight | 4-role RBAC, separation of duties, interactive protocol gates |
| Art. 15 | Accuracy & Robustness | Deterministic programs (zero hallucination), LLM-constrained structured units, AES-256-GCM encryption |
| Art. 17 | Quality Management | Verification workflow with element-level consensus, version tracking |
## DORA

| Article | Requirement | How Ctrl AI Addresses It |
|---|---|---|
| Art. 6 | ICT Risk Management | Health check API, audit warnings trend analysis, model provenance logging |
| Art. 28 | Third-Party Risk | Pluggable LLM providers with per-inference model logging, BYOK support |
## SOC 2

| Control | Requirement | How Ctrl AI Addresses It |
|---|---|---|
| CC6.1 | Access Control | withOrgAuth middleware, 4-role RBAC, API key SHA-256 hashing |
| CC7.1 | Change Management | Append-only audit logs with CSV export |
| CC8.1 | Encryption | HSTS + TLS in transit, AES-256-GCM at rest |
## HIPAA

| Section | Requirement | How Ctrl AI Addresses It |
|---|---|---|
| 164.312(a) | Access Controls | ULID-based user IDs, session auth, AES-256-GCM encryption for PHI |
| 164.312(b) | Audit Controls | audit_logs + inference_logs with CSV export |
## Control Status

Navigate to Settings > Compliance to see each control with its current status:

- Implemented — the control is fully in place
- Partial — the control exists but may need additional configuration
- Planned — the control is on the roadmap