Compliance & certification

Certify AI agents against any compliance framework

Built-in support for GDPR, SOC 2, EU AI Act, HIPAA, ISO 42001, and custom policies. Per-requirement evidence tracking. Auto-expiry by risk tier. Drift detection every 15 minutes.

How it works

Built for auditors who've seen the gap before.

Per-requirement evidence tracking

Map each agent to specific requirements within each framework. Upload evidence per requirement. Track completion percentage in real time. Requirements never fall through the cracks because there's nowhere for them to hide.

EU AI Act, billing-copilot
Requirement | Status | Evidence
Art. 11: Technical documentation | Passed | 2 files
Art. 12: Record-keeping | Passed | 1 file
Art. 14: Human oversight | Pending | Upload
Art. 15: Accuracy & robustness | Failed | -
Completion: 50%

Auto-expiry by risk tier

Critical agents (Tier 4) re-certify every 90 days. High-risk every 180. Standard agents annually. The system enforces this, so you don't have to remember. Agents approaching expiry appear in the dashboard before they become a compliance gap.

Certification expiry
Agent | Tier | Expires
billing-copilot | Critical | Jun 1, 2026
support-triage | High | Aug 15, 2026
data-pipeline-agent | Critical | Expiring in 5 days
code-review-bot | Low | Mar 1, 2027

Drift detection every 15 minutes

When an agent's configuration changes, its owner departs, or a certification expires, you know within minutes, not at the next quarterly review. Every drift event is logged with a timestamp, actor, and the specific attribute that changed.

Drift event log
14:32:07 | billing-copilot | Config changed: model updated to gpt-4o-2026
13:55:14 | data-pipeline-agent | Certification expired, production gate triggered
11:20:41 | support-triage | Owner departed: j.morrison@acme.com
09:04:58 | code-review-bot | Framework mapping updated: ISO 42001 added

Audit-ready export

Export the full compliance posture for any agent, framework, or time range. Filtered by resource, actor, action, or date. Ready for any auditor, no additional formatting required.

Export compliance report
Format
Date range: Jan 1, 2026 to Mar 29, 2026
Filter by: EU AI Act · SOC 2 · billing-copilot · All agents

Retirement

Retirement compliance: because decommissioning is a governance event

When an agent is retired, its compliance record doesn't disappear. Every certification, every drift event, and every audit trail entry is preserved, remains queryable, and can be exported as CSV or JSON at any point. For regulated industries where liability extends years beyond decommissioning, this is the difference between a clean audit and a finding.

Record preservation

Full lifecycle history archived at retirement: registrations, classifications, certifications, drift resolutions, configuration changes, and ownership transfers. Queryable and exportable indefinitely.

Succession linking

When a replacement agent takes over, link the predecessor's compliance history to the successor. Auditors see continuity, not a gap.

Regulatory coverage

EU AI Act Article 72, SOC 2 CC6.5, HIPAA system decommissioning, and ISO 42001 Clause 8.4, all satisfied by the retirement workflow.

The problem

Compliance gaps hide between audits.

Annual reviews miss drift that happens on a Tuesday afternoon. Without continuous certification, you can't prove which agents were reviewed, when, or against what criteria.

Without continuous certification
  • Compliance evidence gathered manually before each audit
  • No way to prove which agents were certified and when
  • Certification status tracked in a document nobody updates
  • Drift between audits goes undetected for months
  • High-risk agents reach production without review

With Roval
  • Certify against any framework with per-requirement evidence
  • Immutable audit trail of every certification event
  • Auto-expiry: 90 days for critical, 180 for high, 365 for low
  • Drift detection runs every 15 minutes
  • Lifecycle gates block uncertified agents from production

Supported frameworks

Built-in frameworks. Custom ones too.

Every framework ships with pre-mapped requirements. Bring your own internal policy and Roval will track it the same way.

EU
EU AI Act · eu-ai-act

Risk classification, conformity assessment, human oversight, and transparency requirements for high-risk AI systems.

Active
24 requirements · Effective Aug 2026

Industry
SOC 2 Type II · soc2-type-ii

Trust service criteria mapped to agent governance: security, availability, processing integrity, confidentiality, and privacy.

Active
18 requirements · Annual audit

Industry
ISO 42001 · iso-42001

AI management system standard: governance, risk, data management, and continuous improvement for organizations using AI.

Active
31 requirements · AIMS certification

US
HIPAA · hipaa

PHI access controls, audit trail requirements, and breach notification rules for healthcare AI agents.

16 requirements · Healthcare

EU
GDPR · gdpr

Data processing, consent management, right to explanation, and data protection impact assessments for AI systems.

14 requirements · Data protection

US
NIST AI RMF · nist-ai-rmf

Risk management framework for AI: govern, map, measure, and manage AI risks across the system lifecycle.

22 requirements · Risk management

Policies

Pre-built policies. Ready to activate.

Start from a template, customize the rules, and activate. Every policy enforces blocked paths, sensitive commands, and read-only protections on your agents.

Production security

Blocks access to credentials, secrets, and system directories. Prevents destructive shell commands. Enforces read-only on configuration files.

Active
12 blocked · 5 sensitive · 8 read-only

PII protection

Flags prompts containing emails, phone numbers, SSNs, and credit card numbers. Blocks PII from reaching external model APIs.

Active
4 blocked · 6 sensitive · 2 read-only

Data exfiltration prevention

Detects and blocks patterns that suggest data exfiltration: large payloads to external URLs, base64-encoded bulk exports, and credential harvesting.

8 blocked · 3 sensitive · 4 read-only

Cost control

Limits token spend per agent, enforces model allow-lists, and alerts on spend spikes above configurable thresholds per team.

3 blocked · 2 sensitive · 1 read-only

Prompt injection defense

Detects common prompt injection patterns: role-override attempts, system prompt leaks, and instruction-ignoring sequences. Alerts on suspicious prompts.

6 blocked · 4 sensitive · 0 read-only

HIPAA compliance

Blocks PHI patterns in prompts and responses. Enforces audit logging for all agent interactions with patient data systems.

9 blocked · 7 sensitive · 5 read-only

Ready for your next audit?

Join the private beta. Compliance coverage from day one.