The rules we map to. The ones we don’t pretend to.

Several frameworks demand concrete, dateable, evidence-producing logs of what an AI agent did. We lead with those. Everything else is principles — we cover them, but we will not market them as deadlines.

EU AI Act

Article 12 & 26(6)

per the May 2026 Digital Omnibus

High-risk AI systems must “technically allow for the automatic recording of events over the lifetime of the system,” and deployers must retain those logs for at least six months — a floor, not a target; sector law (AML, SOX, HIPAA) routinely demands longer. Article 17 adds a Quality Management System; Annex IV adds technical documentation.

The Act does not explicitly require cryptographic logs — but it does require completeness, integrity, and reconstruction. A mutable log fails all three. Runfile produces an Article 12 monthly log-integrity report as a single command.

The May 2026 Digital Omnibus moved standalone high-risk obligations to 2 Dec 2027 and embedded high-risk to 2 Aug 2028. Both are now fixed calendar dates, not standards-conditional.

Standalone high-risk: 2 Dec 2027
Embedded high-risk: 2 Aug 2028
Retention floor: ≥ 6 months
Penalty (Tier 2): €15M / 3%
Tier 1 (prohibited practices) runs to €35M / 7%; Tier 3 (incorrect info) €7.5M / 1%.

EU · DORA

Digital Operational Resilience Act

Live across EU financial services since 17 Jan 2025. ICT risk management, ICT third-party register, incident reporting within 48 hours, and audit trails. Mid-2025 BaFin guidance pulled AI explicitly into DORA scope; the UK CTP regime adopted parallel rules from 1 Jan 2025.

Runfile generates DORA major-ICT-incident packets directly from the captured event graph — detection, classification, response, recovery, post-incident review — with hashes that survive the 48-hour timeline.

Live: 17 Jan 2025
Incident SLA: 48 hours
Retention: ~5 years
Scope: EU + UK CTP

US · Fed / FDIC / OCC

Interagency MRM Principles (Apr 2026)

On 17 April 2026 the Fed, FDIC and OCC rescinded SR 11-7, SR 21-8, OCC 2011-12, the OCC MRM Handbook booklet, and OCC Bulletins 1997-24 and 2021-19, replacing them with risk-tiered, principles-based, technology-neutral interagency guidance. The agencies signaled a forthcoming AI-specific RFI; dedicated agentic-AI guidance is still pending. SR 11-7’s three pillars — independent validation, ongoing monitoring, documentation — remain the operating template AI and agentic systems will be measured against.

Runfile ships an annual model-documentation pack and a continuous monitoring report that maps directly to those three pillars.

Effective: 17 Apr 2026
RFI pending: Agentic AI
Predecessor: SR 11-7
Sector: US banking

GDPR

Article 22 & Article 30

Article 22 governs automated decisions with legal or significant effect on a person; Article 30 mandates records of processing. When an agent denies credit, declines a claim, or routes a hire, both articles fire.

Runfile records the human-in-the-loop intervention that lifts a decision out of Article 22’s “solely automated” carve-out — with the approver identity, timestamp and signed justification needed to prove it.

Live: May 2018
Penalty: €20M / 4%
Scope: EU + UK

US · SOX

Sarbanes-Oxley §404

When an agent triggers or affects a financial control — revenue recognition, journal entries, period close — the agent action becomes SOX-relevant. Internal Audit teams already worry about this; few have the records to answer.

Seven-year retention with continuous integrity proofs and reconstruction queries on any single financial control event.

Live: 2002
Retention: 7 years
Owner: Internal Audit

US · HIPAA

OCR audit logs

Six-year retention. When an agent is the actor touching PHI, the covered entity needs an identifiable agent principal, the action, the PHI fields touched, and any human approval. BAA-capable from day one; healthcare residency on request.

Live: 1996
Retention: 6 years
BAA: Day one

| Framework | What it asks | How Runfile helps | Status |
| --- | --- | --- | --- |
| NIST AI RMF + GenAI Profile | Govern · Map · Measure · Manage. Voluntary US vocabulary. | Event-graph mapping to MEASURE and MANAGE outcomes; CSA Agentic Profile companion. | Supported |
| ISO/IEC 42001:2023 | AI Management System. Certifiable. Procurement pull is real. | Evidence repository feeds your 42001 audit out of the box. | Supported · roadmap own cert Q2 2027 |
| UK · FCA & PRA | Technology-neutral. SS1/23 MRM principles + Consumer Duty + SMCR. | UK residency. SS1/23 model-documentation pack. Live Testing cohort compatible. | Supported |
| FINRA Notice 24-09 | Existing rules apply to AI-assisted communications and supervision. | Communication-side agent capture with supervisor approval trails. | Supported |
| Colorado AI Act | Risk management programme for high-risk AI; consumer notice. | Risk-mgmt programme template + audit-ready evidence. | Supported · effective date amended in 2025; confirm with counsel |
| TRAIGA (Texas) | Responsible AI governance with documented controls. | Same evidence pack, retitled for state filings. | Supported · amended in 2025; confirm with counsel |
| SOC 2 (AI considerations) | Trust services criteria with AICPA AI add-ons. | Runfile is SOC 2 Type II; helps your AI engagement too. | Both directions |
| FDA SaMD AI-ML | Predetermined change control with full change logs. | Captured natively; PCCP-mode export. | Supported · on request |

§ Next step

Pick a framework. We’ll show you the package.

We’ll send the actual evidence-package PDF for the framework most relevant to your remit — redacted reference data, real cryptographic structure.

Dates above reflect public guidance current to May 2026, including the Digital Omnibus. For programme decisions, confirm with your regulatory counsel.