Compliance Overview

Informational only. This page describes technical controls Behavry provides. It is not legal advice. Certifications, audits, and regulatory filings should be reviewed with counsel and qualified assessors.

What Behavry covers

Behavry is the evidence layer for AI agent activity. For every policy-relevant event — tool calls, DLP hits, behavioral anomalies, HITL decisions, user actions — it produces a hash-chained Decision Trace that can be queried, exported, and pushed into downstream systems. On top of that raw evidence, Behavry ships 10 framework mappings that turn the log into continuous, auditor-ready posture.

The 10 frameworks

Framework                         | Scope                                                | Plan
OWASP Top 10 for Agentic Systems  | AI-agent-specific risk top 10                        | All plans
SOC 2 Type II                     | Service organization common criteria                 | All plans
ISO 27001:2022                    | Information security management                      | Enterprise
NIST AI RMF                       | AI risk management (US federal)                      | Enterprise
PCI DSS v4.0                      | Payment card industry                                | Enterprise
HIPAA                             | Healthcare / PHI                                     | Enterprise
GDPR / Data Privacy               | EU personal data                                     | Enterprise
EU AI Act                         | High-risk AI systems (EU)                            | Enterprise
FSI Compliance                    | US financial services (OCC / NYDFS / SEC / Reg S-P)  | Enterprise
Framework Mapping                 | Cross-framework control reference                    | All plans

Each framework page has the same shape: covered requirements, per-requirement Behavry control, live posture query, export format.

Continuous posture, not snapshots

Every framework module runs a daily job that computes per-requirement status against the last 30 days of audit events. Status is one of:

  • Green — evidence exists and meets the expected cadence
  • Amber — evidence is sparse or intermittent
  • Red — no evidence in the expected window

The Compliance hub in the dashboard shows all frameworks side-by-side; click any card for the drill-down. Dips (green → amber, amber → red) raise alerts the same way any behavioral anomaly does.
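The daily status computation described above, as an added example that is not Behavry's own code: it classifies one requirement's supporting events over a trailing 30-day window and flags worsening transitions between two daily runs. The cadence threshold (7 days), the rule that any gap larger than the cadence counts as "intermittent", and the sample event timestamps are all assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Status ranking lets us detect "dips" (worsening) between two daily runs.
RANK = {"green": 0, "amber": 1, "red": 2}


def posture_status(event_times, now, window_days=30, cadence_days=7):
    """Classify one requirement's evidence for the trailing window.

    event_times  : datetimes of supporting audit events (any order)
    now          : evaluation time of the daily job
    window_days  : lookback window (the page states 30 days)
    cadence_days : max tolerated gap between supporting events (assumed knob)

    red   -> no evidence inside the window
    amber -> evidence exists but at least one gap (window start -> first event,
             between events, or last event -> now) exceeds the cadence
    green -> evidence exists and every gap is within the cadence
    """
    window_start = now - timedelta(days=window_days)
    in_window = sorted(t for t in event_times if window_start <= t <= now)
    if not in_window:
        return "red"
    # Gaps are measured across the whole window, so a burst of events at the
    # start followed by silence is "intermittent", not "green".
    boundaries = [window_start, *in_window, now]
    max_gap = max(b - a for a, b in zip(boundaries, boundaries[1:]))
    return "green" if max_gap <= timedelta(days=cadence_days) else "amber"


def detect_dips(previous, current):
    """Return {requirement: (old, new)} for every worsening transition
    (green->amber, amber->red, green->red) between two daily runs."""
    return {
        req: (previous[req], new)
        for req, new in current.items()
        if req in previous and RANK[new] > RANK[previous[req]]
    }


# Constructed sample data: three requirements with different evidence patterns.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE_EVENTS = {
    # steady: one event every 5 days, last one 2 days ago -> green
    "steady": [NOW - timedelta(days=d) for d in (2, 7, 12, 17, 22, 27)],
    # burst: several events 25-28 days ago, then silence -> amber
    "burst": [NOW - timedelta(days=d) for d in (25, 26, 27, 28)],
    # silent: only events older than the window -> red
    "silent": [NOW - timedelta(days=d) for d in (31, 45)],
}


def run_daily_job(events_by_req, now=NOW):
    """One daily run: status per requirement."""
    return {req: posture_status(times, now) for req, times in events_by_req.items()}


if __name__ == "__main__":
    today = run_daily_job(SAMPLE_EVENTS)
    yesterday = {"steady": "green", "burst": "green", "silent": "amber"}
    print(today)
    print("dips:", detect_dips(yesterday, today))
```

Measuring the gap from the window start and up to "now" is the design choice worth noting: without it a requirement whose only evidence is a burst of events four weeks ago would still score green, which is exactly the stale-evidence case an auditor will ask about.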

What the dashboard shows

Compliance → Overview

  • A grid of framework cards with current status and 90-day trend
  • Active / locked / coming-soon states (locked means your plan tier doesn't entitle the vertical; coming-soon means the framework is queued)
  • One-click pivot into any framework page

Compliance → (framework)

  • Per-requirement cards with status, description, and Behavry capability
  • Drill-down drawer with the underlying audit query and the last 10 supporting events
  • Export buttons: CSV / JSON / PDF

Where the evidence comes from

Evidence type         | Source
Audit trail           | audit_events TimescaleDB hypertable — every event, hash-chained
DLP hits              | dlp_findings on every event
Policy decisions      | policy_result, policy_id, policy_reason on every event
Behavioral anomalies  | alerts table
HITL decisions        | escalations table
Access control        | admin_users table + SSO attribute mapping
Change management     | Policy version history + change requests

Exports stream from the same tables so the PDF, CSV, and JSON always reflect reality at export time — there is no separate "compliance database" to drift out of sync.

Export formats

Format  | Use
CSV     | Evidence folders, auditor spreadsheets
JSON    | GRC tools (Vanta, Drata, SecureFrame, OneTrust)
PDF     | Regulator / QSA / customer audit hand-off

All framework pages expose /api/v1/compliance/{framework}/export?format=pdf|csv|json.
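The audit trail is described above as hash-chained, and the JSON export streams from that same table. The following added example (not Behavry's code, and not its documented export schema) shows what a recipient of such an export can check offline: that each record's stored hash matches its content and that every record links to its predecessor, so an edited, removed, or re-ordered record is detected. The record field names, the SHA-256 canonical serialisation, the all-zero genesis link, and the three sample events are assumptions made for the illustration.

```python
import hashlib
import json

# Assumed export record layout: content fields plus prev_hash and hash.
CONTENT_FIELDS = ("event_id", "ts", "event_type", "policy_id", "policy_result")
GENESIS_PREV = "0" * 64  # assumed link value for the first record


def canonical(event):
    """Deterministic bytes over the content fields and the predecessor link."""
    body = {k: event[k] for k in CONTENT_FIELDS}
    body["prev_hash"] = event["prev_hash"]
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def event_hash(event):
    return hashlib.sha256(canonical(event)).hexdigest()


def build_chain(raw_events):
    """Append-time side: link each event to its predecessor and stamp its hash."""
    chain, prev = [], GENESIS_PREV
    for raw in raw_events:
        ev = dict(raw, prev_hash=prev)
        ev["hash"] = event_hash(ev)
        chain.append(ev)
        prev = ev["hash"]
    return chain


def verify_chain(events):
    """Verify-time side: return (ok, first_bad_index, reason).

    Detects edited content (stored hash mismatch) and removed or re-ordered
    records (prev_hash does not match the previous record's hash).
    """
    prev = GENESIS_PREV
    for i, ev in enumerate(events):
        if ev.get("prev_hash") != prev:
            return False, i, "prev_hash does not link to previous record"
        if event_hash(ev) != ev.get("hash"):
            return False, i, "content does not match stored hash"
        prev = ev["hash"]
    return True, None, "chain intact"


def verify_export(export_json):
    """Entry point for a downloaded JSON export (assumed to be a JSON array)."""
    return verify_chain(json.loads(export_json))


# Constructed sample: three policy-relevant events as an exporter might emit them.
RAW_EVENTS = [
    {"event_id": "evt-001", "ts": "2024-06-01T09:00:00Z", "event_type": "tool_call",
     "policy_id": "pol-7", "policy_result": "allow"},
    {"event_id": "evt-002", "ts": "2024-06-01T09:00:04Z", "event_type": "dlp_hit",
     "policy_id": "pol-12", "policy_result": "block"},
    {"event_id": "evt-003", "ts": "2024-06-01T09:01:10Z", "event_type": "hitl_decision",
     "policy_id": "pol-12", "policy_result": "approve"},
]


def tamper_demo():
    """Run the verifier over an intact export and two damaged copies."""
    chain = build_chain(RAW_EVENTS)
    edited = json.loads(json.dumps(chain))      # deep copy
    edited[1]["policy_result"] = "allow"        # an after-the-fact "cleanup"
    dropped = chain[:1] + chain[2:]             # a record silently removed
    return (
        verify_export(json.dumps(chain)),
        verify_export(json.dumps(edited)),
        verify_export(json.dumps(dropped)),
    )


if __name__ == "__main__":
    for result in tamper_demo():
        print(result)
```

A chain check like this proves internal consistency of the export, not its origin: an attacker who can rewrite every record from the tampered point onward can produce a consistent chain. Anchoring the latest hash somewhere the exporter cannot rewrite (a signed export manifest, a copy pushed to the GRC platform at each run) is what turns consistency into tamper evidence.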

Evidence for the AI-agent slice only

Behavry provides evidence for the AI-agent-specific parts of your compliance program. It does not replace:

  • Physical security, HR, change management of unrelated systems
  • Infrastructure-level controls (TLS termination, network segmentation, backups)
  • Your broader ISMS / risk register

Behavry slots into your existing program as the evidence layer for AI agent activity. Most customers pair it with their existing GRC platform so the Behavry exports land alongside the rest of their controls.