Preview · Draft in progress

Compliance Approach

The full compliance brief is in active development. Here's the structure of what it will cover when published — and how to get the working draft today.

What this brief will cover

A complete map of how Permit0 contributes to the AI compliance frameworks regulated buyers ask about — what's in scope, what isn't, and what evidence we produce.

01 · Frameworks supported

Cross-vertical: EU AI Act, Colorado AI Act, NIST AI RMF (incl. GenAI Profile), ISO 42001, SOC 2 Type II. Vertical-specific: SR 11-7 (banking), NAIC AI Model Bulletin (insurance), HHS Section 1557 + HTI-1 (healthcare), NYC LL 144 + IL AIVID + CO AI Act (HR), CFPB Circular 2023-03 (collections), ABA Formal Opinion 512 (legal). For each: what Permit0 enforces, what it produces evidence for, and what's explicitly out of scope.

02 · Audit-of-record schema

The DecisionRecord format — every block, allow, and escalation cryptographically signed with policy version, risk score, capability token, actor identity, payload hash, and decision provenance. Designed to be the artifact your auditor reads, not the one your engineers retrofit.
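To make the shape of such a record concrete, here is an added illustration (not Permit0's DecisionRecord schema or code) of how a decision with the fields listed above can be canonically serialised, signed, and later verified so that an auditor can detect a retrofitted or altered entry. It assumes a hypothetical field layout and uses HMAC-SHA256 over canonical JSON as a stand-in for whatever signature scheme the product actually uses; the key is a constructed demo value.

```python
"""Illustrative signed decision record (added example, not Permit0's schema).

Assumptions: the field names below are hypothetical; HMAC-SHA256 over a
canonical JSON encoding stands in for the product's real signature scheme.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace

# Constructed demo key. A real deployment would hold this in a KMS/HSM,
# ideally as an asymmetric key so auditors can verify without signing rights.
DEMO_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class DecisionRecord:
    decision: str            # "allow", "block" or "escalate"
    policy_version: str      # version of the policy that produced the decision
    risk_score: float        # evaluator's risk score at decision time
    capability_token: str    # identifier of the capability token presented
    actor: str               # identity of the agent/user that requested the action
    payload_hash: str        # sha256 of the action payload, not the payload itself
    provenance: str          # which rule or evaluator made the call


def hash_payload(payload: bytes) -> str:
    """Bind the record to the exact payload without storing the payload."""
    return hashlib.sha256(payload).hexdigest()


def canonical_bytes(record: DecisionRecord) -> bytes:
    """Deterministic encoding: sorted keys, no whitespace, so the same
    record always yields the same bytes (and therefore the same signature)."""
    return json.dumps(asdict(record), sort_keys=True,
                      separators=(",", ":")).encode("utf-8")


def sign(record: DecisionRecord, key: bytes = DEMO_KEY) -> str:
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify(record: DecisionRecord, signature: str, key: bytes = DEMO_KEY) -> bool:
    """Constant-time comparison so verification does not leak the MAC."""
    return hmac.compare_digest(sign(record, key), signature)


def build_record(decision: str, policy_version: str, risk_score: float,
                 capability_token: str, actor: str, payload: bytes,
                 provenance: str, key: bytes = DEMO_KEY) -> tuple[DecisionRecord, str]:
    """Create a record for an action and sign it at decision time."""
    rec = DecisionRecord(decision, policy_version, risk_score, capability_token,
                         actor, hash_payload(payload), provenance)
    return rec, sign(rec, key)


def tamper(record: DecisionRecord, **changes) -> DecisionRecord:
    """Return a modified copy; used to show that edits invalidate the signature."""
    return replace(record, **changes)


def to_ndjson_line(record: DecisionRecord, signature: str) -> str:
    """One line per record, signature carried alongside the signed fields,
    suitable for appending to an NDJSON export."""
    return json.dumps({**asdict(record), "signature": signature}, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample decision.
    rec, sig = build_record("block", "policy-v12", 0.82, "cap-7f3a", "agent:billing-bot",
                            b'{"action":"refund","amount":900}', "rule:refund-limit")
    print(to_ndjson_line(rec, sig))
    print("valid:", verify(rec, sig))
    print("after edit:", verify(tamper(rec, risk_score=0.10), sig))
```

The value for an auditor is the second check: lowering `risk_score` (or changing any other field) after the fact yields a different canonical encoding, so the stored signature no longer verifies. Because only the payload hash is stored, the record proves which payload was evaluated without leaking its contents into the log warehouse.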

03 · Evidence formats

How DecisionRecords export: machine-readable (JSON, NDJSON, Parquet for log-warehouse ingestion) and human-readable (PDF audit packets, evidence bundles, replayable session traces). Built to drop into the formats Vanta, Drata, Secureframe, and direct-auditor reviews already accept.

04 · Mapping methodology

How a regulatory clause becomes a Permit0 policy and an audit artifact. Worked examples: EU AI Act Article 14 (human oversight) → policy approval requirements + DecisionRecord. NIST AI RMF MAP-2.3 → action taxonomy mapping. SR 11-7 model risk → pre-execution validation evidence. The methodology is repeatable across frameworks.

05 · What Permit0 does and does not certify

Honest scope: Permit0 enforces and evidences action-level controls. Permit0 does not validate models, audit training data, certify SaMD, run bias detection on the LLM itself, or replace a Section 1557 covered-entity assessment. We're explicit about the line between what we deliver and what your team or other tools must own.

06 · Working with auditors

Patterns we've seen across regulated buyers: how to present Permit0 evidence in a SOC 2 audit, how to map DecisionRecords to NAIC market conduct exam requirements, what to share before a CFPB examination, and how to build the audit packet your auditor will accept on the first pass.

Need this before it's published?

Two paths — pick whichever fits your timeline.

Path 1 · For high-intent readers

Walk through the working draft with the founders.

The founders are happy to share the WIP architecture document on a 30-minute call and answer security questions in real time. We've done dozens of these — they're substantive, not sales calls.

Path 2 · I'd rather wait

Notify me when published.

One email when this document ships. No newsletter, no marketing cadence — just the link to the published doc.

We'll only use your email to send this single notification.