Compliance Mapping Matrix
Explicit mapping of ABS Core controls to ISO 27001, SOC 2 Type II, NIST AI RMF, LGPD/GDPR, and BACEN 4.893. Designed for risk officers and compliance teams.
Version: v10.1.5 · Audience: Risk Officers, DPOs, Compliance Teams, Enterprise Architects
This matrix maps ABS Core technical controls to formal regulatory and standards frameworks. Each mapping includes the specific control reference, the ABS Core mechanism that satisfies it, and how to produce evidence for auditors.

| Framework | Status | Scope |
|---|---|---|
| ISO/IEC 27001:2022 | Mapped | Information security management |
| SOC 2 Type II | Mapped | Trust Services Criteria (CC, A, PI) |
| NIST AI RMF 1.0 | Mapped | AI risk management — Govern, Map, Measure, Manage |
| LGPD / GDPR | Mapped | Data privacy and protection |
| BACEN 4.893 / CMN 4.893 | Mapped | Brazilian financial institution AI governance |
| PCI-DSS v4.0 | Mapped | Payment card data protection |
| HIPAA | Mapped | Health information privacy |

| ABS Core Control | ISO 27001 Clause | Satisfies | Evidence Available |
|---|---|---|---|
| WASM Policy Engine (inline blocking) | A.8.12 — Data leakage prevention | Prevents agents from exfiltrating data outside authorized execution paths | Policy evaluation logs per request |
| Append-only Forensic Ledger (D1 + L2) | A.8.15 — Logging | Mathematically immutable, tamper-evident audit trail of every agent action | Hash-chained records; Polygon L2 anchoring (Enterprise) |
| Policy-as-a-Token (PAAT) | A.5.15 — Access control | Cryptographically ensures agents access only explicitly authorized tools | Token manifest per agent |
| Secret Vault (JIT credentials) | A.8.12, A.9.4 | API keys never stored in agent code; injected at runtime per action | Vault access log |
| CHI PII Redaction | A.8.12 | CPF, SSN, card numbers, API keys redacted before reaching LLM | CHI redaction event in audit log |
| Heartbeat Sentinel (Dead Man's Switch) | A.8.16 — Monitoring | Detects silent/zombie agents; generates alerts for unresponsive processes | Heartbeat state log per agent |
| Version-pinned policies | A.8.32 — Change management | Every policy change is versioned and signed; rollback available | Policy version history in API |
| Multi-tenant isolation | A.8.3 — Information access restriction | Complete data isolation between workspaces at the WASM execution layer | Workspace boundary enforcement logs |

| ABS Core Control | SOC 2 Criteria | Satisfies | Auditor Note |
|---|---|---|---|
| Zero-Trust Bridge (VPC/On-Prem mode) | CC6.1 — Logical access security | Governance runs inside customer VPC; no data sent to third-party API for policy evaluation | On-prem deployment guide available |
| Shadow Mode (monitor before enforce) | CC7.1 — System operations | Continuous monitoring and risk profiling of new agent behaviors before hard blocking | Shadow log with violation rate metrics |
| Certified Vault Policy Packs | CC3.1 — Risk assessment | Pre-audited, legally vetted policy rulesets; signed by Anthropic-certified policy authors | Pack signing certificate + SBOM |
| Append-only audit log | CC7.2 — Monitoring; CC4.1 — Quality of information | Tamper-evident record of all system activity | Hash verification tool available |
| Policy version control | CC8.1 — Change management | All policy changes tracked, versioned, signed, and reversible | Policy changelog API endpoint |
| Role-based API scopes | CC6.3 — User registration | API tokens scoped to specific operations (read-only, write, admin) | Token scope manifest |
| Rate limiting + backpressure | A1.2 — Availability | System sheds excess load gracefully; validated at 5,000 req/s without 5xx errors | Benchmark report (blockchain-anchored) |
| Heartbeat monitoring | A1.2 — Availability | Detects unavailable agents; triggers alerts before cascading failure | Heartbeat API + webhook payloads |

The NIST AI RMF structures AI risk across four functions: Govern, Map, Measure, Manage.

| NIST AI RMF Sub-category | ABS Core Mechanism |
|---|---|
| GOVERN 1.1 — Policies, processes established | Version-pinned YAML policies; mandatory CHI declaration before execution |
| GOVERN 1.2 — Accountability assigned | Per-agent policy binding; agent ID in every audit record |
| GOVERN 1.7 — Risk tolerance documented | Policy DSL includes explicit risk thresholds (low/medium/high/critical) per action type |

| NIST AI RMF Sub-category | ABS Core Mechanism |
|---|---|
| MAP 1.1 — Context established | CHI intent field forces agent to declare operational context before any write |
| MAP 2.1 — Scientific basis | Benchmark report (blockchain-anchored) provides empirical performance evidence |
| MAP 3.5 — Risk impacts documented | Policy pack includes explicit blockReason and ruleId per violation type |

| NIST AI RMF Sub-category | ABS Core Mechanism |
|---|---|
| MEASURE 1.1 — Test set established | Three-tier benchmark: endurance, load, stress (see benchmark report) |
| MEASURE 2.5 — Bias/drift evaluated | CHI semantic drift detection; configurable drift threshold per agent profile |
| MEASURE 2.7 — Eval results documented | Blockchain-anchored benchmark report; L2 decision ledger (Enterprise) |

| NIST AI RMF Sub-category | ABS Core Mechanism |
|---|---|
| MANAGE 1.1 — Response plans | Circuit breaker → Fail-Safe ALLOW; Heartbeat ZOMBIE escalation → PagerDuty/Slack |
| MANAGE 2.2 — Risk response executed | Rate limiter, DENY verdicts, agent suspension available via API |
| MANAGE 4.1 — Residual risk monitored | Shadow Mode + continuous telemetry; Sentry integration for anomaly alerts |

| Privacy Principle | ABS Core Mechanism | Legal Basis |
|---|---|---|
| Data Minimization | CHI PII Redaction intercepts CPF, SSN, card numbers, API keys before LLM context | LGPD Art. 6 VII; GDPR Art. 5(1)(c) |
| Purpose Limitation | YAML policy allowed_actions list prevents data reuse outside declared purpose | LGPD Art. 6 II; GDPR Art. 5(1)(b) |
| Cross-border transfer prevention | Local governance enforcement prevents PII from leaving jurisdiction-controlled infra | LGPD Art. 33; GDPR Chapter V |
| Right to explanation | Every DENY verdict includes blockReason, ruleId, traceId — auditable explanation | LGPD Art. 20; GDPR Art. 22 |
| Data Subject Rights support | Audit log exposes all agent actions per agentId; exportable for DSAR response | LGPD Art. 18; GDPR Art. 15-20 |
| Consent and legitimate interest | Policy packs include LGPD-specific consent verification actions | LGPD Art. 7-8 |
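The Data Minimization row above (and the matching ISO A.8.12 and HIPAA Privacy Rule rows) depends on PII being intercepted before it reaches the LLM context. The following is an added illustration of such a pre-LLM redaction filter for the identifier classes the tables name, with format validation so that ordinary order or invoice numbers are not stripped; it is not ABS Core's CHI code. The regexes, the `sk-`/`ak-` API-key prefix convention, the `[REDACTED:KIND]` placeholder and the event tuple shape are assumptions made for this example, and the sample sentence is constructed.

```python
"""Pre-LLM PII redaction filter for the identifier classes the tables name
(CPF, SSN, card numbers, API keys), with format validation to cut false
positives. Added illustration, not ABS Core's CHI implementation: the regexes,
the API-key prefix convention, the placeholder format and the event shape are
assumptions made for this example.
"""
import re
from typing import Callable


def _digits(s: str) -> str:
    return re.sub(r"\D", "", s)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from order or invoice numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def cpf_ok(digits: str) -> bool:
    """Brazilian CPF check digits (mod 11); repeated-digit sequences are rejected."""
    if len(digits) != 11 or len(set(digits)) == 1:
        return False

    def check(n: int) -> int:
        r = sum(int(digits[i]) * (n + 1 - i) for i in range(n)) % 11
        return 0 if r < 2 else 11 - r

    return check(9) == int(digits[9]) and check(10) == int(digits[10])


# Detector order matters: card numbers are checked first so a 16-digit run is
# never partly consumed by a shorter pattern.
DETECTORS: list[tuple[str, re.Pattern, Callable[[str], bool]]] = [
    ("CARD", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), lambda s: luhn_ok(_digits(s))),
    ("CPF", re.compile(r"\b\d{3}\.?\d{3}\.?\d{3}-?\d{2}\b"), lambda s: cpf_ok(_digits(s))),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda s: True),
    # Assumed key convention for this example: "sk-"/"ak-" plus 20+ alphanumerics.
    ("API_KEY", re.compile(r"\b(?:sk|ak)[-_][A-Za-z0-9]{20,}\b"), lambda s: True),
]


def redact(text: str) -> tuple[str, list[tuple[str, int, int]]]:
    """Replace validated PII with typed placeholders. Returns the sanitised text
    plus (kind, start, end) events so the audit log can record what was
    removed without storing the value itself."""
    spans: list[tuple[int, int, str]] = []
    for kind, pattern, valid in DETECTORS:
        for m in pattern.finditer(text):
            if valid(m.group()):
                spans.append((m.start(), m.end(), kind))
    # Resolve overlaps: earliest start wins, longest match breaks ties.
    spans.sort(key=lambda s: (s[0], -(s[1] - s[0])))
    out: list[str] = []
    events: list[tuple[str, int, int]] = []
    cursor = 0
    for start, end, kind in spans:
        if start < cursor:
            continue
        out.append(text[cursor:start])
        out.append(f"[REDACTED:{kind}]")
        events.append((kind, start, end))
        cursor = end
    out.append(text[cursor:])
    return "".join(out), events


# Constructed sample input; every value is invented for this example.
SAMPLE = ("Cliente CPF 111.444.777-35, card 4111 1111 1111 1111, SSN 123-45-6789, "
          "key sk-abcdefghijklmnopqrstuvwxyz123456, order 12345, ref 123.456.789-00")


if __name__ == "__main__":
    clean, events = redact(SAMPLE)
    print(clean)
    for kind, start, end in events:
        print(f"  {kind:8s} at {start}-{end}")
```

The events list is what would be written to the audit log as a `pii_redaction` entry: the kind and offsets are enough to show an auditor that redaction happened, without the log itself becoming a second copy of the PII. Note that the lookalike `123.456.789-00` is left alone because its check digits fail, which is the intended trade-off: validation lowers false positives at the cost of missing malformed identifiers.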

| BACEN Requirement | ABS Core Mechanism | Evidence |
|---|---|---|
| Art. 4 — Risk governance | Policy-as-code with mandatory pre-execution evaluation; version-controlled | Policy version history; audit log |
| Art. 5 — Audit trail | Append-only ledger; SHA-256 hash-chained; Polygon L2 anchoring (Enterprise) | GET /v1/events + L2 explorer |
| Art. 6 — Data residency | Sovereign VPC mode: governance runs 100% within Brazilian data center boundary | On-prem deployment guide |
| Art. 9 — Incident reporting | Heartbeat ZOMBIE state + PagerDuty/Slack integration; Sentry issue creation | Alert configuration docs |
| CMN 4.893 Art. 7 — Model risk | CHI semantic drift detection; hallucination vaccine blocks non-existent resource references | CHI configuration guide |
| Resolução 4.557 — Risk appetite | Per-agent risk thresholds configurable in policy DSL; pre-approved action allowlist | Policy authoring guide |

| PCI-DSS Requirement | ABS Core Mechanism |
|---|---|
| Req. 3 — Protect stored data | Secret Vault: card numbers never stored in agent code; injected JIT |
| Req. 6 — Secure systems | WASM sandboxing; prompt injection detection blocks code injection attempts |
| Req. 7 — Access control | PAAT token per agent; minimum privilege enforced via allowed_actions |
| Req. 10 — Logging | Append-only audit log; tamper-evident; 7-year retention available |
| Req. 12 — Security policy | Certified policy packs include PCI-DSS preset (policy-pci) |

| HIPAA Rule | ABS Core Mechanism |
|---|---|
| Privacy Rule — PHI access control | CHI PII redaction for health identifiers (MRN, DOB, SSN) before LLM context |
| Security Rule — Audit controls | Append-only audit log; all PHI-touching agent actions recorded |
| Security Rule — Integrity | Hash-chained audit records; tamper detection |
| Breach Notification Rule | Heartbeat + anomaly alerts; Sentry integration for immediate notification |
| Minimum necessary standard | allowed_actions policy enforces minimum access; blocks PHI queries outside declared purpose |
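The ISO A.8.15, SOC 2 CC7.2, BACEN Art. 5 and HIPAA Security Rule (Integrity) rows all rest on the same mechanism: an append-only ledger whose entries are SHA-256 hash-chained so that edits, deletions and reordering become detectable. The following is an added illustration of how such a chain is built and re-verified, and of why an out-of-band anchor (the tables mention L2 anchoring for the Enterprise tier) is still needed; it is not ABS Core's code. The entry layout, the genesis value, the sample records and the anchor check are assumptions made for this example; only the field names `agentId`, `ruleId`, `blockReason` and `traceId` are taken from the tables.

```python
"""Hash-chained, append-only audit ledger with tamper detection.

Added illustration, not ABS Core's implementation: the record fields
(agentId, ruleId, blockReason, traceId, verdict) echo the tables above;
the entry layout, genesis value, sample records and anchor check are
assumptions made for this example.
"""
import copy
import hashlib
import json
from typing import Any

GENESIS_HASH = "0" * 64  # assumed sentinel standing in for "no previous entry"


def _canonical(obj: Any) -> bytes:
    """Deterministic JSON so the same logical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(seq: int, prev_hash: str, record: dict[str, Any]) -> str:
    """SHA-256 over position, previous hash and the record. Binding seq and
    prev_hash into the digest is what makes deletions and reordering
    detectable, not just corruption of a single record."""
    return hashlib.sha256(_canonical([seq, prev_hash, record])).hexdigest()


def append(ledger: list[dict[str, Any]], record: dict[str, Any]) -> dict[str, Any]:
    """The only legitimate write: link a copy of the record to the current head."""
    seq = len(ledger)
    prev_hash = ledger[-1]["hash"] if ledger else GENESIS_HASH
    record = copy.deepcopy(record)  # the ledger must not alias caller-owned objects
    entry = {"seq": seq, "prev_hash": prev_hash, "record": record,
             "hash": entry_hash(seq, prev_hash, record)}
    ledger.append(entry)
    return entry


def first_broken_index(ledger: list[dict[str, Any]]) -> int:
    """Re-walk the chain from genesis. Returns the index of the first entry
    that fails any check, or -1 when the whole chain is internally consistent."""
    expected_prev = GENESIS_HASH
    for i, e in enumerate(ledger):
        if e["seq"] != i or e["prev_hash"] != expected_prev:
            return i  # gap, reorder or relinking
        if entry_hash(e["seq"], e["prev_hash"], e["record"]) != e["hash"]:
            return i  # content edited without updating the digest
        expected_prev = e["hash"]
    return -1


def head_matches_anchor(ledger: list[dict[str, Any]], anchored_head: str) -> bool:
    """An internally consistent chain can still have been rewritten wholesale.
    Comparing the head hash with a value published out of band (an L2 anchor,
    a notarised daily digest) is what closes that gap."""
    head = ledger[-1]["hash"] if ledger else GENESIS_HASH
    return first_broken_index(ledger) == -1 and head == anchored_head


# Constructed sample records; the values are invented for this example.
SAMPLE_RECORDS = [
    {"agentId": "agent-demo-01", "action": "read_customer", "verdict": "ALLOW",
     "traceId": "trace-0001"},
    {"agentId": "agent-demo-01", "action": "export_csv", "verdict": "DENY",
     "ruleId": "pii-no-export", "blockReason": "PII outside declared purpose",
     "traceId": "trace-0002"},
    {"agentId": "agent-demo-02", "action": "heartbeat", "verdict": "ALLOW",
     "traceId": "trace-0003"},
]


def build_sample_ledger() -> list[dict[str, Any]]:
    ledger: list[dict[str, Any]] = []
    for r in SAMPLE_RECORDS:
        append(ledger, r)
    return ledger


def tamper_scenarios() -> dict[str, int]:
    """Apply typical after-the-fact manipulations to fresh copies of the sample
    ledger and report where verification first fails (-1 would mean undetected)."""
    results: dict[str, int] = {}

    l = build_sample_ledger()
    l[1]["record"]["verdict"] = "ALLOW"           # flip a DENY to ALLOW in place
    results["edit_record"] = first_broken_index(l)

    l = build_sample_ledger()
    del l[1]                                      # drop the incriminating entry
    results["delete_entry"] = first_broken_index(l)

    l = build_sample_ledger()
    l[1], l[2] = l[2], l[1]                       # change the order of events
    results["reorder"] = first_broken_index(l)

    l = build_sample_ledger()
    l[1]["record"]["verdict"] = "ALLOW"           # edit and fix up only that digest
    l[1]["hash"] = entry_hash(1, l[1]["prev_hash"], l[1]["record"])
    results["edit_then_rehash_one"] = first_broken_index(l)
    return results


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("intact chain ->", first_broken_index(ledger))
    for name, idx in tamper_scenarios().items():
        print(f"{name:22s} first broken entry: {idx}")
```

Two points the example makes concrete for an auditor reading the matrix: chain verification is a pure function of the exported entries, so the "hash verification tool" evidence can be re-run independently of the platform; and a chain that verifies is only as good as its anchor, because an insider who rewrites every entry from some point onward produces a chain that is internally consistent and differs only in its head hash.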

| Framework | What to export | How |
|---|---|---|
| ISO 27001 | Audit log for the control period | GET /v1/events?from=&to=&limit=10000 |
| SOC 2 | Policy version history + decision log | Policy changelog API + events API |
| NIST AI RMF | Benchmark report + drift detection log | /docs/technical/benchmark-report + CHI log |
| LGPD/GDPR | PII redaction events | GET /v1/events?type=pii_redaction |
| BACEN | Full transaction governance log | GET /v1/events?agentId=&format=bacen |
| PCI-DSS | Vault access log + card-related events | Vault API + events filtered by ruleId |

The compliance moat: While other platforms attempt to make AI "safe enough," ABS Core is purpose-built to make AI auditable enough for formal regulatory sign-off — with every decision cryptographically provable, every policy version immutable, and every violation traceable to a specific rule and timestamp.