Which AI regulations does DeepInspect support?

DeepInspect produces enforcement actions and evidence relevant to HIPAA Security Rule, SOC 2 Trust Services Criteria, the EU AI Act, GLBA Safeguards Rule, SEC Regulation S-P, FINRA Rule 4511, NIST AI RMF, and ISO 42001. The same gateway records satisfy multiple frameworks at once because the underlying technical requirements overlap.

What kind of evidence does the platform produce for auditors?

Every AI request produces a tamper-evident forensic record containing the actor identity, the policy version in effect, the decision taken, and the complete transaction payload. The record is queryable through a read-only projection that an external auditor can connect to with their own credentials. Their queries leave their own trace, and they receive a signed result set.

How are deterministic and natural-language policies distinguished?

Deterministic policies are opt-in detectors for sensitive data classes (PHI, PII, PCI, NPI) with configurable actions and per-role overrides. Natural-language policies are customer-defined governance rules evaluated at request time by a configured LLM or SLM. Both classes are versioned together and both produce forensic records, but only deterministic policies provide repeatable behavior across runs.

Regulation Mapping.

Each framework below carries specific obligations that AI workflows inherit the moment they touch regulated data or regulated decisions. The tables show the requirement, the mechanism in the platform that addresses it, and the evidence that mechanism produces for an external auditor.

HIPAA Security Rule SOC 2 Trust Services Criteria EU AI Act GLBA / SEC Regulation S-P / FINRA Rule 4511 NIST AI RMF and ISO 42001

HIPAA Security Rule

Covered entities and business associates processing PHI through AI assistants inherit the same Security Rule obligations that apply to any other access path to ePHI.

Clause	Requirement	Mechanism	Evidence
45 CFR 164.312(a)(1)	Access control over ePHI	Identity-aware policy evaluation with per-role action overrides on the AI gateway.	Identity-tagged decision records for every AI request, retained in the forensic store.
45 CFR 164.312(b)	Audit controls	Tamper-evident forensic record on every gateway decision, signed and append-only.	Per-event audit trail exportable by control narrative.
45 CFR 164.312(c)(1)	Integrity of ePHI	Inline PHI detection with deterministic redact, tokenize, or block actions.	Original request, transformed request, and policy version preserved per transaction.
45 CFR 164.308(a)(1)(ii)(D)	Information system activity review	Read-only forensic projection queryable by compliance team or external auditor.	Auditor-issued queries leave their own trace; signed result sets are retained.

SOC 2 Trust Services Criteria

Common Criteria points where DeepInspect produces evidence that auditors typically request during a Type II engagement.

Clause	Requirement	Mechanism	Evidence
CC6.1	Logical access controls	Identity-tagged policy evaluation with role-based action maps on every AI request.	Access-decision logs aligned to user identity and policy version.
CC6.6	Monitoring for unauthorized access	Event-level audit trail of allow, redact, tokenize, and block decisions.	Continuous log of attempted and enforced control points.
CC7.2	Monitoring system components for anomalies	Real-time block and escalation paths on policy violation, exported to SIEM.	Incident-grade records for unauthorized prompts, payloads, and identities.
CC8.1	Change management	Policy versioning, staged replay against production traffic, explicit promotion.	Version history, replay diff, and approver record per profile.

Need a written record of where your AI workloads stand against these frameworks?

The two-week compliance audit produces it.

Book a compliance audit →

EU AI Act

Obligations for providers and deployers of high-risk AI systems. DeepInspect supplies the enforcement and record-keeping layer the regulation anticipates.

Clause	Requirement	Mechanism	Evidence
Article 9	Risk management system	Inline policy enforcement at request time with fail-closed defaults.	Configuration history of risk controls and per-request enforcement decisions.
Article 12	Record-keeping	Forensic store retaining decision, policy version, identity, and full transaction.	Tamper-evident logs available for the full retention window.
Article 13	Transparency and information to deployers	Identity-based restrictions and per-role action overrides applied to actor classes.	Mapping of which actor classes are subject to which rules, versioned over time.
Article 17	Quality management system	Policy versioning workflow with staged replay and explicit promotion gates.	Change-control trail per policy profile with reviewer attribution.

GLBA / SEC Regulation S-P / FINRA Rule 4511

Financial services obligations around customer data protection, books-and-records retention, and supervision of representative communications.

Clause	Requirement	Mechanism	Evidence
GLBA Safeguards Rule	Administrative, technical, and physical safeguards for NPI	PII and customer-data detectors with role-based redact, tokenize, or block actions.	Per-transaction record of NPI handling and policy version applied.
SEC Regulation S-P	Protection of customer records and information	Identity-aware segmentation enforced inline at the gateway.	Identity-tagged access trail across every AI interaction touching customer data.
FINRA Rule 4511	Books and records retention	Object-store retention of complete AI request and response payloads.	Customer-configured retention window with cryptographic integrity guarantees.

NIST AI RMF and ISO 42001

Voluntary frameworks that auditors and customers increasingly cite as the baseline for an AI management system. DeepInspect maps to the technical-control portions of both.

Clause	Requirement	Mechanism	Evidence
NIST AI RMF — Govern	Policy, accountability, and oversight structures	Policy profiles bound to application routes, versioned in the control plane.	Profile inventory, version history, and ownership metadata.
NIST AI RMF — Measure	Continuous measurement of AI system behavior	Forensic record of every gateway decision, queryable in the read-only projection.	Time-series and per-event reporting on policy outcomes and exceptions.
NIST AI RMF — Manage	Risk response and continuous improvement	Staged replay of draft policies against production traffic before promotion.	Replay diffs and approver decisions retained per profile change.
ISO 42001 — Clause 8 (Operation)	Operational controls for AI systems	Inline enforcement with deterministic and natural-language policy classes.	Decision record per request, with policy version and action taken.

How the gateway produces this evidence

Every AI request passes through the policy gateway before reaching an upstream model. Identity is resolved at the edge. Deterministic detectors and natural-language policies evaluate the request, and the configured action (allow, redact, tokenize, block) is applied with per-role overrides. The full transaction is retained in a customer-configured object store; the decision is retained in a tamper-evident forensic projection.

For an auditor, this means a single query against the forensic projection returns every policy decision against a given user, payload class, or time range. For an enterprise, this means the same configuration that enforces policy is also the configuration that produces the audit record. The two are not separate systems.

One enforcement layer. Multiple framework obligations addressed.

Book a compliance audit