00 · ABSTRACT
Certification status is stated plainly: held, in progress, or roadmap. Nothing is badged that is not held.
01 · FRAMEWORKS
Nine frameworks, each named with its current status and the controls the mapping rests on. The REV date above is the as-of date.
SOC 2 Type I
AICPA Trust Services Criteria
Mapping scope
ISO 27001
Information security management systems
Mapping scope
HIPAA
Health Insurance Portability and Accountability Act
Mapping scope
GDPR
EU General Data Protection Regulation
Mapping scope
PCI DSS
Payment Card Industry Data Security Standard
Mapping scope
NIST AI RMF
NIST AI Risk Management Framework
Mapping scope
ISO 42001
AI management systems
Mapping scope
EU AI Act
EU Artificial Intelligence Act
Mapping scope
FedRAMP
Federal Risk and Authorization Management Program
Mapping scope
A row prints mapped only when a fetchable one-page controls-mapping artifact ships under /security/mappings/. Otherwise it reads mapping in progress.
REC 01 ▸ sha256:df49…e83f ▸ prev 1393…ae54 ▸ build 2026-06-12T03:34Z
02 · CEDAR
Every outbound action carries a Cedar evaluation inside the request path. The ruling lands before the action does.
Policy is data. A Cedar statement reads as a sentence about a principal, an action, a resource, and the conditions under which the combination is permitted, so a security engineer, an auditor, and a platform engineer reason about the same file without translation. Entity data populates from the systems a team already runs: directories, ticketing, change management. A condition like "the linked change record is approved" is expressed directly in the policy.
Policy evaluation runs Rensei's TypeScript implementation of the Cedar policy language, validated against a conformance suite for the Cedar subset in use. It is not the AWS-hosted Cedar service or the Rust reference engine.
// Permit code push only when the linked ticket is DONE// and the agent is acting on behalf of the authorized principal.permit ( principal == Agent::"rensei-fleet-01", action == Action::"push_to_branch", resource in Repository::"api-service")when { context.ticket.status == "DONE" && context.ticket.assignee == principal.operator_id};Cedar is open source. Policies are auditable without Rensei tooling.
REC 02 ▸ sha256:cd4a…7bb8 ▸ prev df49…e83f ▸ build 2026-06-12T03:34Z
03 · AUDIT CHAIN
Per-workspace Ed25519 signing, a published verification protocol, and a chain any holder can check.
Every event is hashed and signed with per-workspace Ed25519 keys; the verification protocol and per-workspace key discovery endpoints are published at /.well-known/audit-keys.json. The chain proves tamper-evidence and completeness, not ground truth at capture, which is why decision records bind model version, prompt, context, and policy ruling.
Crypto-shredding removes payload plaintext while hashes preserve chain integrity. Key rotation is currently a metadata operation; re-signing historical chain segments is on the roadmap. Customer-held keys and HSM support are on the on-prem roadmap. Signing and canonicalization caveats are documented on the verification method page, next to the keys.
dec_d3c0de24dd1c binds the model, prompt envelope, retrieved context, and policy ruling to one signed audit entry.Figures are live component renders, not screenshots. Demo data.
REC 03 ▸ sha256:7864…ce41 ▸ prev cd4a…7bb8 ▸ build 2026-06-12T03:34Z
04 · EGRESS
A missing ruling is a deny.
Enforcement is per-callsite: every outbound tool call passes a Cedar policy-enforcement point before egress, and a missing or failed ruling denies by default. There is no separate network-level gateway appliance; the enforcement point lives in the execution path itself.
The fail-closed surface is every call that modifies external state: file writes, API calls, repository pushes, notification sends. Observation-only reads proceed under policy-engine outage and still land on the audit chain. Workflow authors declare which steps modify state, and lint tooling flags state-modifying patterns inside steps declared observation-only.
REC 04 ▸ sha256:9d6c…11bc ▸ prev 7864…ce41 ▸ build 2026-06-12T03:34Z
05 · PROVENANCE
A decision record binds the model, the prompt envelope, the retrieved context, and the ruling to one signed audit entry.
The same prompt sent to the same model at two different times can return different output. The decision record holds what the moment held: the exact model name and version, the prompt envelope, references to the retrieved context, the Cedar ruling that authorized the action, and the signature binding all of it to one audit entry. An investigation starts from a decision id and walks back to everything that produced the action. Provenance claims one thing: the decision that was made is fully attributable.
dec_d3c0de24dd1c binds the model, prompt envelope, retrieved context, and policy ruling to one signed audit entry.REC 05 ▸ sha256:64e8…4af0 ▸ prev 9d6c…11bc ▸ build 2026-06-12T03:34Z
06 · DEPLOYMENT
Cloud today. VPC and on-prem ship on the published roadmap, in that order; no dates are printed that an engineer did not commit to.
Rensei operates the platform, which runs one tenant today, Rensei's own. The audit chain, its published verification keys, and the policy enforcement path are the same mechanism across every tier.
The control plane deploys inside the customer's cloud account. First in line on the deployment roadmap.
Customer-owned infrastructure. Customer-held keys and HSM support are scoped to this tier.
REC 06 ▸ sha256:dcfa…b63c ▸ prev 64e8…4af0 ▸ build 2026-06-12T03:34Z
07 · THREAT MODEL
The threat model assumes a capable adversary with partial access to the environment. Agents hold elevated privileges, and the design treats them the way privileged access management treats people.
Instructions injected into retrieved data attempt to steer the agent into unauthorized actions. Policy evaluation sits outside the model: a Cedar policy that denies a push to main is not overridden by a retrieved document that asks for one.
An actor with partial access edits a policy to widen its own permissions. Policy changes are themselves recorded events: each change passes policy evaluation and lands on the hash chain beside every other action.
An actor deletes or rewrites audit records to hide an action. Hash chaining makes removal detectable at the break point, and per-workspace Ed25519 signatures make rewriting detectable against the published keys.
A different model version answers than the workflow expected. Decision records capture the exact model name and version at decision time, so substitution surfaces in provenance review.
A step attempts to reach an external system without a ruling. Agent steps hold no direct network access; the runtime mediates every outbound tool call through the Cedar enforcement point in the execution path, and a missing ruling denies by default.
REC 07 ▸ sha256:5210…9b93 ▸ prev dcfa…b63c ▸ build 2026-06-12T03:34Z
08 · DISCLOSURE
What exists is linked. What does not exist yet says so.
REC 08 ▸ sha256:2b71…4e7b ▸ prev 5210…9b93 ▸ build 2026-06-12T03:34Z