Compliance Playbooks
Enterprise compliance guides for EU AI Act, SOC 2, HIPAA, and GDPR.
OVERVIEW
Tessorium TTP provides built-in capabilities for meeting regulatory requirements around AI governance. These playbooks provide step-by-step implementation guides for enterprise compliance.
COMPLIANCE_COVERAGE
Tessorium provides audit trails, human oversight, and governance controls that map directly to regulatory requirements. Each playbook includes configuration examples and verification steps.
REGULATIONS_COVERED
- EU AI Act (2024/1689)
- SOC 2 Type II
- HIPAA Security Rule
- GDPR Articles 22, 35
- NIST AI RMF
CAPABILITIES_PROVIDED
- Immutable audit trails
- Human oversight workflows
- Risk classification
- Data retention controls
- Export formats (JSON, CSV, PDF)
EU_AI_ACT_COMPLIANCE
The EU AI Act (Regulation 2024/1689) establishes requirements for AI systems based on risk level. Tessorium helps you implement required controls for high-risk AI systems.
COMPLIANCE_DEADLINE
High-risk AI systems must comply by August 2, 2027. Start implementation now to ensure adequate testing and validation time.
Article 9: Risk Management
REQUIRED- Continuous risk assessment
- Trust score monitoring
- Anomaly detection alerts
- Risk mitigation controls
Article 12: Record Keeping
REQUIRED- Automatic logging of AI decisions
- Immutable audit trails
- Configurable retention periods
- Export in required formats
Article 13: Transparency
REQUIRED- Agent identity verification
- Trust score visibility
- Decision explanation logging
- User notification system
Article 14: Human Oversight
REQUIRED- Approval workflows
- Kill switch capability
- Real-time intervention
- Escalation procedures
ARTICLE_14_IMPLEMENTATION
Article 14 requires human oversight measures for high-risk AI systems. Implement using Tessorium's Human Oversight and Kill Switch APIs.
1. OVERSIGHT_CONFIGURATION
oversight-config.ts
import { createOversightLayer, KillSwitch } from '@tessorium/sdk';
// Article 14(1): Human oversight measures
const oversight = createOversightLayer({
apiKey: process.env.TESSORIUM_API_KEY!,
// Actions requiring human approval per Article 14(4)
requireApproval: [
'automated_decision', // Decisions affecting natural persons
'personal_data_processing', // GDPR intersection
'high_risk_classification', // Risk assessment decisions
'system_modification' // Changes to AI behavior
],
// Article 14(4)(a): Enable human to understand AI capabilities
documentation: {
includeSystemCapabilities: true,
includeKnownLimitations: true,
format: 'user-friendly'
},
// Article 14(4)(b): Awareness of automation bias
automationBiasWarnings: {
enabled: true,
warningThreshold: 0.8, // Warn when confidence > 80%
requireAcknowledgment: true
},
// Article 14(4)(c): Correct interpretation of output
outputExplanation: {
enabled: true,
includeConfidenceScores: true,
includeAlternatives: true
},
// Article 14(4)(d): Ability to decide not to use or override
overrideCapability: {
enabled: true,
requireReason: true,
auditOverrides: true
},
// Article 14(4)(e): Ability to intervene or interrupt
intervention: {
enabled: true,
immediateEffect: true,
notifyStakeholders: true
}
});
// Article 14(5): Kill switch for immediate stop
const killSwitch = new KillSwitch({
apiKey: process.env.TESSORIUM_API_KEY!,
// Real-time stop capability
immediateStop: true,
// Notification on activation
notifyOnActivation: [
'dpo@company.com', // Data Protection Officer
'ai-governance@company.com', // AI Governance Team
'legal@company.com' // Legal compliance
],
// Automatic triggers
automaticTriggers: {
trustScoreBelow: 50,
errorRateAbove: 0.3,
anomalyScoreAbove: 0.9
}
});2. APPROVAL_WORKFLOW
approval-workflow.ts
// Implement approval workflow per Article 14(4)(d)
async function processHighRiskAction(action: AIAction) {
// Check if action requires human approval
if (isHighRiskAction(action)) {
const review = await oversight.requestReview({
action: action.type,
agentDid: action.agentDid,
description: action.description,
// Provide context for informed decision
context: {
aiRecommendation: action.recommendation,
confidenceScore: action.confidence,
alternativeOptions: action.alternatives,
potentialImpact: action.impactAssessment,
affectedPersons: action.affectedPersonsCount
},
// Compliance metadata
compliance: {
regulation: 'EU_AI_ACT',
article: '14(4)(d)',
riskLevel: 'high'
},
// Require acknowledgment of automation bias
requireAcknowledgment: {
automationBiasWarning: true,
limitationsUnderstood: true
}
});
// Log decision for Article 12 compliance
await auditLog.record({
type: 'human_oversight_decision',
action: action.type,
decision: review.status,
decidedBy: review.approvedBy || review.rejectedBy,
reason: review.notes || review.reason,
timestamp: new Date().toISOString(),
complianceReference: 'EU_AI_ACT_Article_14'
});
if (review.status !== 'approved') {
throw new Error(`Action not approved: ${review.reason}`);
}
}
// Execute the action
return executeAction(action);
}3. COMPLIANCE_VERIFICATION
compliance-check.ts
// Verify Article 14 compliance before deployment
async function verifyArticle14Compliance(): Promise<ComplianceReport> {
const checks = {
humanOversight: await verifyHumanOversightCapability(),
killSwitch: await verifyKillSwitchFunctionality(),
auditTrails: await verifyAuditTrailCompleteness(),
documentation: await verifyDocumentationAvailability()
};
return {
regulation: 'EU_AI_ACT',
article: '14',
compliant: Object.values(checks).every(c => c.passed),
checks,
generatedAt: new Date().toISOString()
};
}
// Generate compliance report for regulators
const report = await oversight.generateComplianceReport({
framework: 'EU_AI_ACT_ARTICLE_14',
period: '2026-Q1',
includeEvidencePackage: true
});
// Export in regulator-friendly format
await report.exportPDF('./eu-ai-act-compliance-q1-2026.pdf');RISK_CLASSIFICATION
Map your AI agents to EU AI Act risk categories and apply appropriate controls.
| Risk Level | Examples | Tessorium Controls |
|---|---|---|
| Unacceptable | Social scoring, manipulation | Block via policy, no integration |
| High Risk | HR decisions, credit scoring, healthcare | Full oversight, kill switch, audit |
| Limited Risk | Chatbots, content generation | Transparency requirements, logging |
| Minimal Risk | Spam filters, search ranking | Standard trust verification |
risk-policy.yaml
# Risk-based policy configuration
policy:
name: eu-ai-act-risk-based
version: "1.0"
regulation: EU_AI_ACT
risk_levels:
high_risk:
agents:
- "did:tessorium:agent:hr-assistant:*"
- "did:tessorium:agent:credit-scorer:*"
- "did:tessorium:agent:healthcare-ai:*"
requirements:
min_trust_score: 90
require_identity: true
require_human_approval: true
kill_switch_enabled: true
audit_level: comprehensive
retention_days: 365
limited_risk:
agents:
- "did:tessorium:agent:chatbot:*"
- "did:tessorium:agent:content-gen:*"
requirements:
min_trust_score: 70
require_identity: true
transparency_notice: true
audit_level: standard
retention_days: 90
minimal_risk:
agents:
- "did:tessorium:agent:*" # Default
requirements:
min_trust_score: 50
audit_level: minimal
retention_days: 30SOC_2_AUDIT_TRAIL
Configure Tessorium to meet SOC 2 Type II audit requirements for AI agent operations.
CC6.1: Security Events
REQUIRED- Log all trust verifications
- Track authentication events
- Record authorization decisions
- Monitor anomalous behavior
CC7.2: Incident Response
REQUIRED- Kill switch audit trail
- Circuit breaker activations
- Security alert history
- Response time metrics
SOC_2_CONFIGURATION
soc2-audit.ts
import { AuditLogger, createTessorium } from '@tessorium/sdk';
// Configure audit logging for SOC 2
const auditLogger = new AuditLogger({
// Immutable storage backend
storage: {
type: 'append-only',
provider: 'aws-s3',
bucket: 'audit-logs-immutable',
encryption: 'AES-256',
versioning: true
},
// SOC 2 required events
events: {
// CC6.1: Logical access controls
authentication: true,
authorization: true,
trustVerification: true,
// CC6.2: Prior to issuing credentials
agentRegistration: true,
apiKeyGeneration: true,
// CC6.7: Restrict access to system configurations
policyChanges: true,
configurationChanges: true,
// CC7.2: Security events
securityAlerts: true,
killSwitchActivations: true,
circuitBreakerEvents: true
},
// Retention per SOC 2 requirements
retention: {
standard: 365, // 1 year minimum
securityEvents: 730, // 2 years for security
incidentResponse: 1095 // 3 years for incidents
},
// Tamper-evident logging
integrity: {
hashAlgorithm: 'SHA-256',
chainVerification: true,
merkleTree: true
}
});
// Initialize Tessorium with audit logging
const tessorium = createTessorium({
apiKey: process.env.TESSORIUM_API_KEY!,
mode: 'hybrid',
auditLogger
});
// All operations automatically logged
const trust = await tessorium.verify('did:tessorium:agent:example:v1');
// Logged: trust_verification event with full context
await tessorium.rate('did:tessorium:agent:example:v1', { ... });
// Logged: rating_submitted eventAUDIT_REPORT_GENERATION
soc2-report.ts
// Generate SOC 2 audit report
const report = await auditLogger.generateReport({
framework: 'SOC_2_TYPE_II',
period: {
start: '2025-01-01',
end: '2025-12-31'
},
// Trust Services Criteria
criteria: ['CC6', 'CC7', 'CC8'],
// Include evidence
includeEvidence: {
sampleSize: 25, // Per criteria
randomSeed: 42 // For reproducibility
},
// Control effectiveness
controlTesting: true
});
// Export for auditors
await report.exportPackage({
format: 'zip',
includes: [
'executive-summary.pdf',
'detailed-findings.pdf',
'evidence-samples.json',
'control-matrix.xlsx'
],
outputPath: './soc2-audit-package-2025.zip'
});HIPAA_LOGGING_CONFIG
Configure Tessorium for HIPAA-compliant AI agent operations in healthcare environments.
PHI_HANDLING
Tessorium audit logs should not contain PHI. Configure payload filtering to exclude protected health information from audit trails.
hipaa-config.ts
import { createTessorium, HIPAAComplianceConfig } from '@tessorium/sdk';
const hipaaConfig: HIPAAComplianceConfig = {
// 164.312(b): Audit Controls
auditControls: {
enabled: true,
logAllAccess: true,
retentionYears: 6,
// Exclude PHI from logs
payloadFilter: {
exclude: [
'patient_name',
'ssn',
'dob',
'medical_record_number',
'diagnosis',
'treatment'
],
redactPattern: /\b\d{3}-\d{2}-\d{4}\b/g // SSN pattern
}
},
// 164.312(c): Integrity Controls
integrityControls: {
hashAllMessages: true,
verifyOnRetrieve: true,
alertOnTampering: true
},
// 164.312(d): Person Authentication
personAuthentication: {
requireIdentityVerification: true,
minTrustScore: 85,
multiFactorRequired: true
},
// 164.312(e): Transmission Security
transmissionSecurity: {
requireTLS: true,
minTLSVersion: '1.3',
certificatePinning: true
},
// Access Control (164.312(a))
accessControl: {
roleBasedAccess: true,
minimumNecessary: true,
accessReviewInterval: '90d'
}
};
const tessorium = createTessorium({
apiKey: process.env.TESSORIUM_API_KEY!,
mode: 'hybrid',
compliance: hipaaConfig
});
// Healthcare-specific agent verification
async function verifyHealthcareAgent(agentDid: string) {
const trust = await tessorium.verify(agentDid, {
scopes: ['healthcare', 'phi_access'],
requireIdentity: true
});
// HIPAA requires minimum necessary access
if (!trust.scopes?.healthcare === 'high') {
throw new Error('Agent lacks healthcare authorization');
}
// Log access for audit trail (without PHI)
await auditLogger.logAccess({
type: 'healthcare_agent_verification',
agentDid,
trustScore: trust.score,
accessGranted: true,
timestamp: new Date().toISOString()
});
return trust;
}BREACH_NOTIFICATION
breach-notification.ts
// Configure breach detection and notification
const breachMonitor = tessorium.createBreachMonitor({
// Detection triggers
triggers: {
unauthorizedAccess: true,
trustScoreAnomaly: {
threshold: 30, // Score drop of 30+
window: '1h'
},
bulkDataAccess: {
threshold: 100, // Records per hour
alertLevel: 'warning'
}
},
// HIPAA 164.408: Notification requirements
notification: {
immediate: ['security@hospital.com', 'privacy-officer@hospital.com'],
// Within 60 days per HIPAA
regulatoryNotification: {
enabled: true,
template: 'hipaa-breach-notification',
threshold: 500 // Affected individuals
}
},
// Evidence preservation
forensics: {
preserveEvidence: true,
snapshotOnDetection: true,
lockAffectedRecords: true
}
});
await breachMonitor.start();GDPR_COMPLIANCE
Implement GDPR requirements for AI-driven automated decision making (Article 22) and data protection impact assessments (Article 35).
ARTICLE_22_AUTOMATED_DECISIONS
gdpr-article22.ts
import { createOversightLayer } from '@tessorium/sdk';
// Article 22: Automated individual decision-making
const gdprOversight = createOversightLayer({
apiKey: process.env.TESSORIUM_API_KEY!,
// Article 22(1): Right not to be subject to automated decision
automatedDecisionPolicy: {
// Require human review for decisions with legal effects
requireHumanReview: [
'credit_decision',
'employment_decision',
'service_denial',
'contract_termination'
],
// Article 22(3): Safeguards
safeguards: {
rightToObtainHumanIntervention: true,
rightToExpressViewpoint: true,
rightToContestDecision: true
}
},
// Article 22(2)(c): Explicit consent pathway
consentManagement: {
requireExplicitConsent: true,
consentRecordRetention: '7y',
withdrawalProcess: 'self-service'
}
});
// Process with GDPR safeguards
async function processAutomatedDecision(decision: AIDecision) {
// Check for consent
const consent = await checkExplicitConsent(decision.subjectId, 'automated_decision');
if (!consent.valid) {
// Must use non-automated pathway
return routeToHumanDecision(decision);
}
// Proceed with safeguards
const review = await gdprOversight.requestReview({
action: decision.type,
context: {
...decision,
gdprArticle22: true,
subjectRights: ['human_intervention', 'express_viewpoint', 'contest']
}
});
// Log for Article 30 records of processing
await recordProcessingActivity({
type: 'automated_decision',
legalBasis: 'consent',
consentId: consent.id,
decision: review.status,
safeguardsApplied: true
});
return review;
}ARTICLE_35_DPIA
gdpr-dpia.ts
// Generate DPIA for AI agent deployment
const dpia = await tessorium.generateDPIA({
aiSystem: {
name: 'Customer Service AI Agent',
did: 'did:tessorium:agent:customer-service:v1',
purpose: 'Automated customer inquiry handling',
dataProcessed: ['customer_name', 'email', 'inquiry_content']
},
// Risk assessment
riskAssessment: {
necessity: 'Proportionate to legitimate business interest',
dataSubjectRights: ['access', 'rectification', 'erasure', 'portability'],
safeguards: ['encryption', 'access_control', 'audit_logging']
},
// Tessorium-specific controls
tessoriumControls: {
trustVerification: true,
humanOversight: true,
killSwitch: true,
auditTrail: true
},
// Include trust metrics
includeTrustMetrics: true
});
// Export DPIA document
await dpia.exportPDF('./dpia-customer-service-ai.pdf');AUDIT_EXPORTS
Export audit data in formats required by auditors and regulators.
audit-export.ts
import { AuditExporter } from '@tessorium/sdk';
const exporter = new AuditExporter({
apiKey: process.env.TESSORIUM_API_KEY!
});
// Export trust verification history
await exporter.export({
type: 'trust_verifications',
period: {
start: '2026-01-01',
end: '2026-03-31'
},
format: 'json',
output: './exports/trust-verifications-q1-2026.json'
});
// Export with attestation signatures
await exporter.exportWithAttestation({
type: 'human_oversight_decisions',
period: { start: '2026-01-01', end: '2026-03-31' },
format: 'pdf',
includeSignatures: true,
attestor: 'compliance-officer@company.com',
output: './exports/oversight-report-q1-2026.pdf'
});
// Export compliance evidence package
await exporter.exportCompliancePackage({
frameworks: ['EU_AI_ACT', 'SOC_2', 'GDPR'],
period: '2026-Q1',
includeEvidence: true,
outputDir: './compliance-packages/q1-2026'
});
// Available formats
const formats = [
'json', // Raw data
'csv', // Spreadsheet compatible
'pdf', // Human-readable reports
'xml', // Regulator interchange
'parquet' // Big data analysis
];NEXT_STEPS
LAST_UPDATED: 2026-02-21EDIT_ON_GITHUB