Security & trust

The governance layer must be more secure than the system it protects.

Thoth is built for regulated infrastructure. Decisions are auditable and explainable at the moment of action, not days later in incident review.

Compliance as code, not docs.

Static posture reports show policy intent. AIRS enforcement shows policy execution.

Framework | Status | Implementation
SOC 2 Type II | Certified | Annual third-party audit coverage.
EU AI Act (Article 12) | Ready | Traceability of functioning is covered through runtime evidence and WORM records.
ISO 42001 | Certified | AI management system controls in active operation.
HIPAA | Compliant | BAA available with PHI-handling controls in policy enforcement.
NIST AI RMF | Aligned | Behavioral baselines are mapped to risk management functions.

Static posture ends at approval. Runtime enforcement starts at execution.

The post-approval gap starts after IAM and OAuth grant access. Thoth enforces at the moment of action.

Static posture

Sees configuration state and control coverage. Cannot stop a live agent action.

Runtime enforcement (AIRS)

Evaluates intent, context, and policy on each tool call, then allows, steps up, or blocks it.

WORM-compliant hash chaining

Every decision is written to a cryptographically linked chain. Insertion, deletion, or tampering is detectable.
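
How a hash-chained decision log makes insertion, deletion, and tampering detectable, as an added example that is not Thoth's own code. The record fields, the GENESIS value, and the function names are assumptions chosen for illustration, and the sample decisions are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # constructed anchor for the first record's prev field

def _digest(prev_hash, seq, record):
    # Canonical JSON so identical records always hash to identical bytes.
    body = json.dumps({"prev": prev_hash, "seq": seq, "record": record},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()

def append(chain, record):
    """Link a decision record to the previous entry; return the new head hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    chain.append({"seq": seq, "prev": prev, "record": record,
                  "hash": _digest(prev, seq, record)})
    return chain[-1]["hash"]

def verify(chain, expected_head=None):
    """Return (ok, reason). expected_head is the head hash kept outside the log."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i:
            return False, f"sequence gap at index {i}"
        if entry["prev"] != prev:
            return False, f"broken link at index {i}"
        if not hmac.compare_digest(entry["hash"], _digest(prev, i, entry["record"])):
            return False, f"record altered at index {i}"
        prev = entry["hash"]
    # Without an external head, dropped or fully re-hashed entries go unnoticed.
    if expected_head is not None and prev != expected_head:
        return False, "head mismatch (truncated or replaced chain)"
    return True, "ok"

def build_sample():
    """Constructed sample decisions: metadata only, no payload bodies."""
    chain, head = [], GENESIS
    for rec in [
        {"agent_id": "agent-7", "tool": "crm.read", "ts": "2025-01-01T09:00:00Z", "decision": "ALLOW", "risk": 0.12},
        {"agent_id": "agent-7", "tool": "payments.refund", "ts": "2025-01-01T09:00:05Z", "decision": "STEP_UP", "risk": 0.61},
        {"agent_id": "agent-7", "tool": "db.export", "ts": "2025-01-01T09:00:09Z", "decision": "BLOCK", "risk": 0.93},
    ]:
        head = append(chain, rec)
    return chain, head

if __name__ == "__main__":
    log, head = build_sample()
    log[1]["record"]["decision"] = "ALLOW"  # simulate an edited decision
    print(verify(log, head))
```

The chain alone cannot reveal removal of the newest entries or a rewrite that recomputes every downstream hash; verification catches both only when the head hash is stored somewhere the log writer cannot modify.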

Fail-closed logic

If the enforcer path fails, actions default to BLOCK for protected workflows.

Zero-knowledge identity handling

Thoth does not store API keys or OAuth tokens. It evaluates metadata, context, and intent at runtime.

Tenant isolation

Enterprise tenants run with isolated VPC, compute, and KMS boundaries.

We see intent. We never see payload.

Customer telemetry is encrypted with customer-managed keys (CMK) in AWS KMS.

What we process

  • Agent ID and tool call metadata
  • Timestamp, decision, and risk score
  • Policy pack, rule trigger, and evidence reference

What we never process

  • Tool call payload bodies
  • End-user PII from tool responses
  • Customer API credentials or OAuth tokens

Production-proven, externally tested.

  • Annual third-party penetration tests
  • Responsible disclosure process with 24-hour response target
  • AARM Foundation Technical Working Group membership

Your agents act autonomously. So does Thoth.

Start in shadow mode with no workflow disruption, then enforce where control is required.