Regulatory Alignment
DRS is designed to produce evidence that satisfies the specific record-keeping requirements of AI governance regulations. The receipts are cryptographically signed and independently verifiable — an auditor does not need operator cooperation to authenticate the evidence.
EU AI Act
Article 12 — Record-keeping for high-risk AI systems
Article 12 requires high-risk AI systems to automatically log events with sufficient detail to enable post-market monitoring and investigation. DRS Delegation Receipts satisfy this:
- Tamper-evident: Ed25519 signatures; any modification breaks verification
- Independently verifiable: Public keys are encoded in the DID — no central authority needed
- Comprehensive: Every delegation hop and every invocation is receipted
Article 13 — Transparency
Article 13 requires transparency in the operation of high-risk AI systems. DRS provides:
- Human-readable policy translation at the point of consent (the
drs_consent.policy_hashcovers the text the user saw — not just the machine-readable JSON) - Complete chain reconstruction without operator involvement
- Per-invocation records linking every agent action to the authorising human
Current state: there is no dedicated EU AI Act export command in the CLI
yet. Today, evidence is assembled from bundle.json, drs verify, and
drs audit output.
HIPAA §164.312(b) — Audit Controls
For healthcare deployments handling PHI, HIPAA §164.312(b) requires audit controls that record and examine activity. DRS provides:
- Invocation Receipts recording every agent action with full delegation provenance
- Signed proof that access was authorised before it occurred (not just a log that it happened)
- Tier 3 / Tier 4 deployment postures with timestamping support
AIUC-1 Certification
AIUC (AI Underwriting Company, founded July 2025 with $15M seed) certifies AI systems for insurance underwriting. AIUC-1 requires demonstrable proof of authorisation for every agent action — not just server logs.
The AIUC-1 requirement: "For any agent action, provide cryptographic proof that the action was within the scope of an authorisation granted by an identifiable principal."
DRS Delegation Receipts satisfy this directly. AIUC-1 is identified as the primary near-term commercial opportunity for DRS-based deployments.
SOC 2 Type II
SOC 2 requires continuous evidence of access controls. DRS provides:
- Signed receipts for every delegation grant (who authorised what, when, with what constraints)
- Tamper-evident chain linking every action to its authorisation
- Revocation mechanism for compromised keys
FINOS AI Governance Framework
FINOS Tier 3–4 levels require chain-of-custody evidence admissible in legal proceedings. DRS Delegation Receipts are:
- Based on open standards (Ed25519, JWT, RFC 8785 JCS) and designed for OAuth-oriented ecosystems — no proprietary formats
- Independently verifiable — no vendor lock-in for evidence authentication
- Exportable in structured formats
Relevant financial regulations: SR 11-7 (Federal Reserve model risk management), EBA Guidelines on ICT risk, GDPR Article 22 (automated decision-making explainability), MiFID II audit trails.
Storage tiers and retention
| Tier | storage_tier | Backend | Status |
|---|---|---|---|
| Session | 0 | In-memory | Implemented |
| Ephemeral | 1 | Local filesystem | Implemented |
| Durable | 2 | S3-compatible object store | Roadmap |
| Compliant | 3 | Filesystem + RFC 3161 timestamping | Partial |
| Timestamped | 4 | Tier 3 deployment posture | Partial |
| On-chain | 5 | Ethereum anchor | Roadmap |
Configure via storage_tier in the Operator Configuration.