Compliance
EU AI Act, NIST, SOC 2, and ISO 42001 alignment.
KavachOS is built with compliance requirements in mind. Every agent action produces an immutable audit record with enough detail to satisfy the logging and oversight obligations of major AI governance frameworks.
The EU AI Act high-risk provisions take effect August 2, 2026. KavachOS gives you the audit infrastructure to meet the Article 12 and Article 14 requirements before that deadline.
What KavachOS provides
| Requirement | KavachOS feature |
|---|---|
| Immutable audit log | kavach_audit_logs table with result, reason, duration, IP, user-agent |
| Human oversight | Approval flows (CIBA), delegation depth limits, permission constraints |
| Access control | Resource+action permission model with constraints (IP, time window, rate) |
| Identity traceability | Every action links agentId, userId, resource, action, parameters |
| Export | kavach.audit.export() as JSON or CSV |
| Anomaly detection | High-frequency, high-denial-rate, off-hours, privilege escalation |
Frameworks
Generating compliance reports
The audit module provides export functionality for generating compliance evidence:
```typescript
// Export all audit records for a time range as JSON
const json = await kavach.audit.export({
  format: 'json',
  since: new Date('2026-01-01'),
  until: new Date('2026-03-31'),
});

// Export as CSV for spreadsheet review or SIEM ingestion
const csv = await kavach.audit.export({
  format: 'csv',
  since: new Date('2026-01-01'),
});

// Query specific events for a compliance review
const denials = await kavach.audit.query({
  result: 'denied',
  since: new Date('2026-01-01'),
  limit: 1000,
});

// Cost summary for Article 15 / A.8.5 reporting
const costs = await kavach.audit.getCostSummary({
  since: new Date('2026-01-01'),
});
```
Retention
KavachOS does not automatically delete audit records. Configure retention at the database level using your database's native partitioning or TTL features, or via a scheduled cleanup job.
For EU AI Act Article 12 compliance, the Act currently specifies retention "for a period appropriate to the intended purpose of the high-risk AI system." The generally accepted minimum is one year from the last use of the system.
Do not delete audit records during a live compliance review or audit period. If you need to expire old records, do so only after retention obligations have been met.
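The following TypeScript is an added example, not KavachOS code, and it serves two passages on this page: the export/query section (turning a JSON export into a per-agent review summary with denial rate and off-hours counts, two of the anomaly signals in the feature table) and the retention section (deciding which records a scheduled cleanup job may expire, with a hold that blocks deletion while a review is open and a floor that never lets the configured window drop below one year). The audit record field names, the sample rows, the `MIN_RETENTION_DAYS` constant and the function names are assumptions made for this example; the real export format is whatever `kavach.audit.export()` returns.

```typescript
// Added example, not KavachOS code. Assumes the JSON export is an array of objects
// whose fields mirror the kavach_audit_logs columns listed on this page; the exact
// field names and the sample rows are constructed for this example.
type AuditResult = 'allowed' | 'denied';
interface AuditRecord {
  id: string; timestamp: Date; agentId: string; userId: string; resource: string;
  action: string; result: AuditResult; reason: string; durationMs: number; ip: string; userAgent: string;
}

// Parse a JSON export into typed records; reject rows that cannot be reviewed
// (unparseable timestamp, unknown result) instead of silently skipping them.
function parseJsonExport(json: string): AuditRecord[] {
  const raw: unknown = JSON.parse(json);
  if (!Array.isArray(raw)) throw new Error('export must be a JSON array');
  return raw.map((o: Record<string, unknown>, i: number): AuditRecord => {
    const timestamp = new Date(String(o.timestamp));
    if (Number.isNaN(timestamp.getTime())) throw new Error(`record ${i}: bad timestamp`);
    const result = String(o.result);
    if (result !== 'allowed' && result !== 'denied') throw new Error(`record ${i}: bad result`);
    return {
      id: String(o.id), timestamp, agentId: String(o.agentId), userId: String(o.userId),
      resource: String(o.resource), action: String(o.action), result: result as AuditResult,
      reason: String(o.reason), durationMs: Number(o.durationMs), ip: String(o.ip), userAgent: String(o.userAgent),
    };
  });
}

interface AgentSummary {
  agentId: string; total: number; denied: number;
  denialRate: number; // denied / total
  offHours: number;   // actions outside the business window
  flagged: boolean;   // denial rate at or above the review threshold
}
interface ReviewOptions {
  denialRateThreshold: number;        // e.g. 0.5 flags agents denied half the time or more
  businessHoursUtc: [number, number]; // [start, end) in UTC hours, e.g. [8, 18]
}

// Per-agent summary for a compliance review: volume, denials, denial rate and
// off-hours activity (two of the anomaly signals named in the feature table).
function summarizeForReview(records: AuditRecord[], opts: ReviewOptions): AgentSummary[] {
  const byAgent: { [agentId: string]: AgentSummary } = {};
  const [start, end] = opts.businessHoursUtc;
  for (const r of records) {
    let s = byAgent[r.agentId];
    if (!s) {
      s = { agentId: r.agentId, total: 0, denied: 0, denialRate: 0, offHours: 0, flagged: false };
      byAgent[r.agentId] = s;
    }
    s.total += 1;
    if (r.result === 'denied') s.denied += 1;
    const hour = r.timestamp.getUTCHours();
    if (hour < start || hour >= end) s.offHours += 1;
  }
  return Object.keys(byAgent).sort().map(id => {
    const s = byAgent[id];
    s.denialRate = s.denied / s.total; // total is at least 1 here
    s.flagged = s.denialRate >= opts.denialRateThreshold;
    return s;
  });
}

// Retention floor taken from the one-year guidance above; a shorter configured
// window is raised to it rather than honoured.
const MIN_RETENTION_DAYS = 365;
interface RetentionPolicy {
  retentionDays: number;     // configured retention window
  reviewInProgress: boolean; // hold: a compliance review or audit period is open
}

// Ids a scheduled cleanup job may delete: records older than the retention
// window, and none at all while a review is in progress. Deciding eligibility
// is all this does; the DELETE itself belongs to the caller's database layer.
function selectExpirableIds(records: AuditRecord[], now: Date, policy: RetentionPolicy): string[] {
  if (policy.reviewInProgress) return [];
  const days = Math.max(policy.retentionDays, MIN_RETENTION_DAYS);
  const cutoff = now.getTime() - days * 24 * 60 * 60 * 1000;
  return records.filter(r => r.timestamp.getTime() < cutoff).map(r => r.id);
}

// Constructed sample export (not real data), shaped like a JSON export.
function sampleRow(id: string, timestamp: string, agentId: string, action: string,
                   result: AuditResult, reason: string): Record<string, unknown> {
  return { id, timestamp, agentId, userId: 'user-7', resource: 'billing:invoices', action, result,
           reason, durationMs: 12, ip: '192.0.2.10', userAgent: 'kavach-agent/1.0' };
}
const SAMPLE_EXPORT_JSON = JSON.stringify([
  sampleRow('1', '2026-01-05T10:00:00Z', 'agent-a', 'read', 'allowed', 'ok'),
  sampleRow('2', '2026-01-05T10:05:00Z', 'agent-a', 'read', 'allowed', 'ok'),
  sampleRow('3', '2026-01-05T23:30:00Z', 'agent-b', 'write', 'denied', 'outside time window'),
  sampleRow('4', '2026-01-06T02:10:00Z', 'agent-b', 'write', 'denied', 'outside time window'),
  sampleRow('5', '2026-01-06T11:00:00Z', 'agent-b', 'read', 'allowed', 'ok'),
  sampleRow('6', '2024-11-01T09:00:00Z', 'agent-a', 'read', 'allowed', 'ok'),
]);

const sampleRecords = parseJsonExport(SAMPLE_EXPORT_JSON);
console.log(summarizeForReview(sampleRecords, { denialRateThreshold: 0.5, businessHoursUtc: [8, 18] }));
console.log(selectExpirableIds(sampleRecords, new Date('2026-03-31T00:00:00Z'),
  { retentionDays: 30, reviewInProgress: false })); // only record 6 is older than a year
```

On the sample, `agent-b` is flagged (two denials out of three, both outside the 08:00-18:00 UTC window), and the cleanup selection returns only record 6 even though the policy asks for 30 days, because the floor raises the window to 365 days; with `reviewInProgress: true` it returns nothing. The parser throws on malformed rows rather than dropping them, since a review summary computed over a silently truncated export is worse than no summary.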