
Control status and evidence, mapped to the frameworks

Module XIII reads the activity you already record and maps it to per-control status across frameworks like the EU AI Act, NIST AI RMF and ISO/IEC 42001 — then seals the evidence to an append-only, hash-chained ledger. It is control status and evidence you can hand to an auditor, not a certification we issue.

In the product

The compliance console

A real screenshot, populated with example data. It shows per-control status across each framework, coverage at a glance, the capability-to-evidence map, and the sealed evidence packages anchored to the ledger. Every report carries the disclaimer: this is control status and evidence, not a certification.

[Screenshot: Olivares compliance console showing per-control status across frameworks with the states satisfied, by_design, partial, gap and unmapped; a coverage summary, a capability-to-evidence map, and sealed evidence packages, populated with example data.]

What it produces

From activity to evidence an auditor can read

Four outputs, each grounded in what the ledger actually recorded — and each labelled honestly.

Per-control status, not a pass/fail badge

Every control resolves to one of five states — satisfied, by_design, partial, gap or unmapped. "Satisfied" is backed by real operational telemetry; "by_design" is a design guarantee with no telemetry yet. We never collapse the two: a design promise is not evidence of operation.

Gap analysis and capability map

The gap analysis names the capabilities you are missing for a given control; the capability-to-evidence map shows which capability produces which evidence. A cross-framework summary rolls it up so one control answers several frameworks at once.
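The status resolution and gap logic described above, written out as an added illustration. This is not Olivares code: the control-to-capability mapping, capability names and event counts are constructed samples, and the rule that a control is by_design only when every capability is present and at least one has no telemetry is an assumption that follows the page's description.

```python
from collections import defaultdict

# Constructed sample: capabilities each control needs (control and capability names are illustrative).
CONTROLS = {
    ("EU AI Act", "Art. 12 record-keeping"): ["activity_ledger"],
    ("NIST AI RMF", "GOVERN 1.x"): ["activity_ledger", "policy_engine"],
    ("ISO/IEC 42001", "A.6 data residency"): ["residency_attestation"],
    ("SOC 2", "CC6.1 access control"): ["policy_engine", "identity_binding"],
    ("GDPR", "Art. 30 records"): [],   # no capability mapped to it yet
}
# Constructed sample: what the ledger actually recorded vs what is only promised by design.
TELEMETRY = {"activity_ledger": 412, "residency_attestation": 3}   # event counts from the ledger
BY_DESIGN = {"policy_engine"}                                       # guaranteed, no telemetry yet

def capability_state(cap):
    """A capability is evidenced by telemetry, promised by design, or missing."""
    if TELEMETRY.get(cap, 0) > 0:
        return "satisfied"
    return "by_design" if cap in BY_DESIGN else "gap"

def control_status(caps):
    """Resolve a control to one of the five states without merging design with telemetry."""
    if not caps:
        return "unmapped"
    states = [capability_state(c) for c in caps]
    if all(s == "satisfied" for s in states):
        return "satisfied"
    if "gap" not in states:
        return "by_design"   # everything present, but at least one capability never exercised
    if any(s != "gap" for s in states):
        return "partial"
    return "gap"

def gap_analysis(caps):
    """Name the capabilities a control is missing."""
    return [c for c in caps if capability_state(c) == "gap"]

def capability_to_evidence_map():
    """Which capability answers which frameworks, so one capability rolls up across them."""
    by_cap = defaultdict(set)
    for (framework, _control), caps in CONTROLS.items():
        for c in caps:
            by_cap[c].add(framework)
    return {c: sorted(f) for c, f in by_cap.items()}

def report():
    """Per-control status plus gap list, the shape an auditor-facing summary would take."""
    return {ctrl: (control_status(caps), gap_analysis(caps)) for ctrl, caps in CONTROLS.items()}
```

Note that the SOC 2 control lands on partial, not by_design: one capability is only promised and the other is absent, and a promise never upgrades a missing capability.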

Sealed evidence packages

Evidence is exported as sealed packages anchored to the append-only, hash-chained ledger — so the integrity of what you hand over is verifiable, and a later edit would break the chain. The evidence is the ledger’s, not a document we ask you to trust.

Agent risk classification and residency

Each agent is classified against EU AI Act risk tiers, cross-mapped to NIST AI RMF, alongside a data-residency attestation. Risk tiering and residency are evidence inputs — they inform the control status, they do not certify the outcome.

How it works

Activity becomes mapped, sealed evidence

The activity ledger feeds a controls mapper, which resolves each control to a status; the result is exported as an evidence pack mapped to the frameworks. What is satisfied by telemetry and what is by_design are drawn as distinct states — never merged into a single green tick.

Diagram: an activity ledger → a controls mapper → an evidence pack, mapped to frameworks like EU AI Act, NIST AI RMF, ISO 42001, SOC 2.
Evidence is sealed to the append-only, hash-chained ledger — its integrity is verifiable, and a later edit breaks the chain.
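The sealing step above, as an added illustration of how an append-only, hash-chained ledger lets an auditor detect a later edit. This is not Olivares code: the entry layout, the SHA-256 link over canonical JSON, and the package anchoring on the chain head are assumptions, and the activity records are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain head before the first entry

def _canon(obj):
    # Canonical JSON so an identical record always hashes identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def append(ledger, record):
    """Append-only: each entry commits to the previous hash, so no entry can change silently."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    digest = hashlib.sha256(prev.encode() + _canon(record)).hexdigest()
    ledger.append({"prev": prev, "record": record, "hash": digest})
    return digest

def verify_chain(ledger):
    """Recompute every link; return (ok, index of the first broken entry or -1)."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        expected = hashlib.sha256(prev.encode() + _canon(e["record"])).hexdigest()
        if e["prev"] != prev or e["hash"] != expected:
            return False, i
        prev = e["hash"]
    return True, -1

def seal_package(ledger, control_ids):
    """Export the entries behind some controls, anchored to the current chain head."""
    evidence = [e for e in ledger if e["record"].get("control") in control_ids]
    return {"evidence": evidence, "anchor": ledger[-1]["hash"], "anchor_len": len(ledger)}

def verify_package(pkg, ledger):
    """True only if the chain still verifies and still reaches the package's anchor."""
    ok, _ = verify_chain(ledger)
    n = pkg["anchor_len"]
    return ok and len(ledger) >= n and ledger[n - 1]["hash"] == pkg["anchor"]

def demo():
    """Constructed activity: seal a package, then edit the activity behind it."""
    ledger = []
    for rec in [{"control": "CC6.1", "event": "policy_decision", "agent": "agent-7"},
                {"control": "Art.12", "event": "activity_logged", "agent": "agent-7"},
                {"control": "CC6.1", "event": "policy_decision", "agent": "agent-9"}]:
        append(ledger, rec)
    pkg = seal_package(ledger, {"CC6.1"})
    before = verify_package(pkg, ledger)
    ledger[0]["record"]["agent"] = "agent-8"   # a later edit breaks the chain
    return before, verify_package(pkg, ledger)   # (True, False)
```

Entries appended after sealing do not invalidate the package, because the anchor names a specific chain position rather than the latest head.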

What’s real

Control status and evidence are live; certification is yours to pursue

We are precise about this, because the words carry legal weight:

  • Live, on a stable contract: per-control status, gap analysis, the capability-to-evidence map, the cross-framework summary, sealed evidence packages, agent risk classification and data-residency attestation.
  • Six established framework families are mapped — EU AI Act, NIST AI RMF, ISO/IEC 42001, SOC 2, ISO/IEC 27001 and GDPR. Several further references are design-toward only — OWASP Agentic, CSA MAESTRO, CISA Five-Eyes agentic guidance and NIST overlays — and carry no conformance claim; the design tracks them, it does not assert conformance to them.
  • Not a certification. Olivares is pre-release and is not SOC 2, ISO or EU AI Act certified. This module gives you control status and evidence to support a certification you choose to pursue; it does not issue one, and the absence of certification does not block v1. Every report states this plainly.

Compliance evidence — questions

Does this make us compliant or certified?

No — and we will not say it does. Module XIII produces control status and evidence: a per-control state across each framework, plus sealed evidence packages an auditor can read. Certification against SOC 2, ISO or the EU AI Act is a process you pursue with a certifying body; Olivares itself is pre-release and not certified. Every report carries that disclaimer.

What is the difference between "satisfied" and "by_design"?

"Satisfied" means the control is backed by real operational telemetry — the ledger recorded the activity that demonstrates it. "by_design" means the architecture guarantees the control but no telemetry has yet exercised it. They are deliberately separate states, because a design promise is not the same as evidence that something ran. The other states are partial, gap and unmapped.

Which frameworks are actually mapped?

Six established framework families: the EU AI Act, NIST AI RMF, ISO/IEC 42001, SOC 2, ISO/IEC 27001 and GDPR. Beyond those, the design tracks several non-final references — OWASP Agentic, CSA MAESTRO, CISA Five-Eyes agentic guidance and NIST overlays. We label those design-toward and make no conformance claim against them.

How do I know an evidence package was not edited after export?

Each package is sealed and anchored to the append-only, hash-chained ledger. The integrity is verifiable against the chain, so a later edit to the evidence — or to the activity behind it — would break the hash and show. The trust is in the ledger, not in a PDF we ask you to take on faith.

Hand an auditor evidence, not assertions

Deploy Olivares on your own infrastructure, map your activity to per-control status across the frameworks, and export sealed evidence anchored to the ledger.