# Compliance crosswalk

Enterprise AI-agent rollouts stall in the same place: a compliance reviewer asks who authorized this agent to do that, what was it allowed to do, when was it revoked, and what does it have to lose if it misbehaves — and the team cannot answer with evidence that survives scrutiny. Service accounts collapse the user→agent→tool chain into one shared credential, and that shared credential is exactly the SOC 2 CC6 finding auditors now reject outright.
Fleet's artifacts are built to answer those questions with content-addressed, BIP-322-signed, OpenTimestamps-anchored evidence that verifies offline against Bitcoin — no trust in Fleet required. This page maps each control family to the artifact that satisfies it.
## Read this first — the honesty rails
These four statements bound everything below. Quote them to your reviewer; they are the difference between an honest control and an overclaim.
- Fleet is evidence infrastructure, not a compliance guarantee. It produces the audit trail a framework asks for. It does not certify you against any framework. Your auditor still audits you.
- Protocol cannot transfer liability. A bonded pledge is verifiable economic exposure, not an indemnity. No envelope makes someone else legally responsible for an agent's act.
- Fleet is not a real-time kill-switch. Revocation is a signed, anchored fact that any verifier honors going forward; it is not an in-band interceptor that halts a running tool call. Fleet composes under your runtime guardrails and observability stack — it does not replace them.
- A bond proves skin-in-the-game, not good behavior. It raises the cost of misbehaving and makes that cost verifiable. It does not prevent the act.
## EU AI Act
| Article | Requirement | Fleet artifact |
|---|---|---|
| Art. 12 — Record-keeping | Automatic logging of events over the system's lifetime, tamper-evident. | Every action is a kind-30084 envelope: content-addressed, BIP-322-signed by the agent, OTS-anchored to a Bitcoin block. The audit bundle is the lifetime log; the block anchor is the tamper-evidence. |
| Art. 14 — Human oversight | A human can understand, oversee, and intervene. | Authority originates in a human-signed delegation (BIP-322 over the principal's Bitcoin address) with an explicit scope grammar and a block-height expiry; intervention is a human-signed revocation envelope. Oversight is the scoped grant; intervention is the signed revoke. |
| Art. 14 — Traceability of intervention | Ordering of act vs. intervention is non-repudiable. | OTS block-height anchoring gives an offline verifier a non-malleable clock to order an action against its revocation deterministically — a signed wall-clock is forgeable, a block height is not. |
## SOC 2
| Criterion | Requirement | Fleet artifact |
|---|---|---|
| CC6.1 — Logical access | Least-privilege, per-identity access; no shared credentials. | Each agent acts under its own Bitcoin-address identity and its own scoped delegation — the opposite of a shared service account. Scope is an explicit, attenuable grammar, not "all of the API". |
| CC6.2 / CC6.3 — Provisioning & removal | Authorization is granted and revoked through a controlled, evidenced process. | Grant = signed delegation; removal = signed revocation. Both are first-class, exportable, offline-verifiable envelopes — the provisioning record is the artifact. |
| CC7.2 / CC7.3 — Monitoring & evidence | Immutable, exportable activity logs. | NDJSON / JSON / CSV audit-bundle export; every row re-verifies against the agent's signature and the Bitcoin header chain with @orangecheck/agent-core. |
## NIST AI RMF
| Function | What Fleet contributes |
|---|---|
| GOVERN | A named, address-keyed authority model: who delegated, to whom, with what scope, with what bond. |
| MAP | The scope grammar makes an agent's permitted actions explicit and enumerable before deployment. |
| MEASURE | The bond gives a measurable, chain-verifiable stake (sats × days_unspent); the action stream gives in-scope vs. out-of-scope counts. |
| MANAGE | Scoped, revocable authority + a bonded accountability signal that a counterparty can weigh — without custody, without an account. |
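The Art. 14 traceability row and the MEASURE row above both reduce to one verifier-side check: order each action's OTS anchor height against its delegation's expiry height and any revocation's anchor height, then count the verdicts. The following is an added illustration of that rule, not code from @orangecheck/agent-core; it assumes envelopes that have already passed BIP-322 and OTS verification and carry their attested block height as `anchorHeight`, and it uses a plain list of action names as a stand-in for the real scope grammar.

```typescript
// Added example of the block-height ordering rule, not code from @orangecheck/agent-core.
// Assumes every envelope has already passed BIP-322 and OTS verification and carries the
// block height its OpenTimestamps proof attests to as `anchorHeight`; the field names and
// the list-of-names stand-in for the scope grammar are assumptions for this illustration.
interface Delegation {
  id: string;            // content address of the delegation envelope
  agent: string;         // agent's Bitcoin address
  scope: string[];       // stand-in for the scope grammar: permitted action names
  expiryHeight: number;  // block height at which the grant lapses
  anchorHeight: number;  // height the delegation's OTS proof attests to
}
interface Revocation { delegationId: string; anchorHeight: number; }
interface Action { kind: 30084; agent: string; delegationId: string; name: string; anchorHeight: number; }
type Verdict = "authorized" | "unknown-delegation" | "wrong-agent" | "out-of-scope" | "expired" | "revoked";

// Order one action against its grant's expiry and any revocation, using anchor heights as the
// clock: an action anchored at height H provably existed no later than block H.
function judge(action: Action, delegations: Map<string, Delegation>, revocations: Revocation[]): Verdict {
  const d = delegations.get(action.delegationId);
  if (!d) return "unknown-delegation";
  if (d.agent !== action.agent) return "wrong-agent";
  if (!d.scope.includes(action.name)) return "out-of-scope";
  if (action.anchorHeight >= d.expiryHeight) return "expired";
  // A revocation is honored from its anchor height forward. An action anchored in the same
  // block cannot be ordered against it, so it is counted as revoked (conservative choice).
  const rev = revocations.find((r) => r.delegationId === d.id);
  if (rev && action.anchorHeight >= rev.anchorHeight) return "revoked";
  return "authorized";
}

// MEASURE-style counts over an exported action stream (one entry per audit-bundle row).
function tally(actions: Action[], delegations: Map<string, Delegation>, revocations: Revocation[]): Record<Verdict, number> {
  const counts: Record<Verdict, number> =
    { authorized: 0, "unknown-delegation": 0, "wrong-agent": 0, "out-of-scope": 0, expired: 0, revoked: 0 };
  for (const a of actions) counts[judge(a, delegations, revocations)]++;
  return counts;
}

// Constructed sample: one grant anchored at 840000, expiring at 841000, revoked at 840100.
const AGENT = "agent-address-placeholder";
const sampleDelegation: Delegation =
  { id: "dlg-1", agent: AGENT, scope: ["tickets.read", "tickets.comment"], expiryHeight: 841000, anchorHeight: 840000 };
const sampleRevocations: Revocation[] = [{ delegationId: "dlg-1", anchorHeight: 840100 }];
const sampleActions: Action[] = [
  { kind: 30084, agent: AGENT, delegationId: "dlg-1", name: "tickets.read", anchorHeight: 840050 },    // before revoke
  { kind: 30084, agent: AGENT, delegationId: "dlg-1", name: "tickets.delete", anchorHeight: 840060 },  // never granted
  { kind: 30084, agent: AGENT, delegationId: "dlg-1", name: "tickets.comment", anchorHeight: 840100 }, // same block
  { kind: 30084, agent: AGENT, delegationId: "dlg-1", name: "tickets.read", anchorHeight: 840500 },    // after revoke
];
const sampleCounts = tally(sampleActions, new Map([[sampleDelegation.id, sampleDelegation]]), sampleRevocations);
```

Note that the first action stays "authorized" even though the grant was later revoked: the record shows revocation taking effect going forward, which is the "not a kill-switch" rail in practice.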
## The bond as a control
Most frameworks above are satisfied by capability + audit, which an ordinary keypair could also provide. The differentiator that needs Bitcoin is the bond: a counterparty can verify that the agent (or the org running it) holds real, unspent, aged bitcoin that it stands to lose — re-resolved live against UTXO state, trusting no one. That is the one control on this page that does not reduce to a verifiable credential. See Bond verification for the contract and its honest limitations.