AI System of Record · for GRC

Hand your auditor an AI System of Record.

A signed, dated, control-mapped Evidence Pack your GRC platform plugs into. Pre-mapped to ISO 42001, EU AI Act Article 26, NIST AI RMF, and SOC 2 AI controls. Generated from real telemetry, not a self-attestation form.

Verifiable signatures · Co-listed with Scytale · 90-day to 7-year retention · One platform, four surfaces

01 / How Evidence works

Telemetry surfaces ship with every Evidence purchase. The pack has data to cite from day one.

Every Evidence subscription auto-provisions the Northbeams browser extension, desktop sentinel, and MCP gateway. They install across your laptops, observe AI tool use, MCP gateway calls, and LLM traffic, and stream the events into the audit log behind your Evidence Packs. Observation-only by default. No real-time blocking, no per-user dashboard, no end-user friction. If you want enforcement and the SecOps dashboard on top, add Northbeams Sentinel. The data is already flowing.

Telemetry, included

Same surfaces SecOps customers run. Browser, desktop, CLI, MCP. The Evidence Pack cites real events, not a self-attestation form.

Observation-only

Surfaces watch and record, they don't block. No risk of breaking your developers' workflows. The audit-log integrity claim is the only product surface your employees notice.

Add Sentinel for control

Upgrade to Northbeams Sentinel (per-seat) to unlock real-time blocking, per-user attribution, and the SecOps dashboard. Telemetry's already installed; the upgrade is a flag flip.

02 / What you ship to your auditor

Three frameworks. One pack per framework. One sentence.

An Evidence Pack is what auditors actually trust: a single dated PDF with a control-by-control mapping of what your organization observed, who attested to it, how it was retained, and a verifiable signature on the cover. Pick a framework. Pull a pack. Hand it over.

02 / The framework your auditor already runs

SOC 2, with AI controls added.

Every enterprise buyer already has SOC 2. AICPA's 2017 Trust Services Criteria don't name AI, but CC6.1, CC7.2, and the AI Controls Matrix from CSA do. Northbeams produces the evidence appendix your auditor staples to the existing Type II report.

SOC 2 + AI addendum

What we add to your existing SOC 2.

Control-mapped evidence for CC6.1 (logical access), CC7.2 (monitoring), and the CSA AI Controls Matrix entries your auditor will increasingly ask for in 2026.

Read the SOC 2 + AI page →

ISO 27001 holders

The 27001 to 42001 stack.

Already certified to 27001? You're 40% of the way to 42001. The Annex SL chassis is shared. Northbeams evidences the AI-specific delta.

Read the stacking guide →

Northbeams Evidence Pack

ISO/IEC 42001:2023

Period: 2026-Q2 · Generated 2026-05-21 14:02 UTC

Organization: Acme Holdings, Inc.
Framework version: 42001:2023
Controls in scope: 38 of 38
Auto-evidenced: 14
Attested: 19
Scoped out: 5 (with reason)
Underlying events: 142,318
Signing identity: CN=Northbeams Evidence v1
SHA-256: 7b32fc4e91d83a9e02c6 b5d419af8e7c3d0a51f4 6e2f7a8b9c0d1e2f3a4b 5c6d7e8f9a0b1c2d3e4f
Cover · 1 of 7 · Verifiable at /trust/verify

03 / Anatomy of the pack

Seven sections. One PDF. Auditor-ready.

The Evidence Pack is a structured PDF an auditor can read on a plane. Every section is there because auditors asked for it, not because it photographs well.

  • Cover: org, framework, period, SHA-256, signing identity.
  • Scope: which surfaces are observed, which agents, what's explicitly out.
  • Control mapping: AUTO / ATTEST / scoped-out per control, with the underlying query.
  • Evidence appendix: sampled events. Top high-risk tool calls, blocked actions, attestations with actors.
  • Exceptions & gaps: controls not satisfied, with reason and remediation owner.
  • Methodology: collection, retention, hash-chained integrity claim.
  • Signatures: owner attestation + cryptographic signature over the document.
Walk through the pack →

04 / Not a quarterly snapshot

Continuous Control Monitoring.

A daily job re-evaluates every AUTO check, compares to the last run, and emits a control_status_changed event when a control flips. The webhook hits your GRC platform within minutes; the in-app "Controls" banner shows newly-failing controls within the hour.

Quarterly audits ask once, every 90 days. Northbeams asks every 24 hours. That's the difference between "we passed last quarter" and "we are currently passing."

01. Daily re-evaluation of every AUTO control.
02. Webhook on control-status change.
03. In-app banner with newly-failing controls.
04. Scheduled Evidence Pack monthly, or on demand.
05. Hash-chained append-only event log; integrity claim travels with the pack.
06. Sampled events in the appendix prove the AUTO check, not just claim it.

05 / For the auditor reading this

Every pack is signed. Every signature is verifiable.

Built for the auditor's review, not the vendor's pitch.

Every Northbeams Evidence Pack carries a SHA-256 hash and a detached signature on the cover. Paste the hash at /trust/verify and we'll confirm the pack hasn't been altered and was signed by Northbeams on the date claimed. HMAC v1 today, X.509 v2 within 90 days, with optional customer-side key escrow for the highest tier.

Verify a pack →

06 / The Compliance tier

Annual, flat fee, partner-aware.

Compliance buyers don't think in seats; they think in line items. The Compliance tier sits next to the existing per-seat ladder. Sold annually. Flat fee. One contract.

Compliance Starter

$12,000 / year

For one framework. Lands in one GRC platform.

  • 1 framework (ISO 42001, EU AI Act, NIST AI RMF, or SOC 2 + AI)
  • Monthly Evidence Pack
  • 1 GRC platform integration
  • 90-day retention
  • Email support
Talk to us →

Compliance Pro

$36,000 / year

All frameworks. All integrations. Always-on monitoring.

  • All four frameworks
  • On-demand + scheduled Evidence Packs
  • All GRC platform integrations
  • 1-year retention
  • Continuous Control Monitoring + webhook alerts
  • Priority support
Talk to us →

Compliance Enterprise

$72,000+ / year

For Big-4-audited orgs and regulated industries.

  • Everything in Pro
  • SSO, audit-trail integrity attestation
  • Dedicated CSM and private Slack
  • Custom controls + custom frameworks
  • 7-year retention
  • Contractual SLAs and audit support
Talk to us →

Already on per-seat Sentinel? Compliance + Sentinel bundle is 15% off the per-seat side. See full pricing →

One install. One dashboard. One pack.

Get the sample Evidence Pack PDF. Forward it to your auditor. Ask them what's missing. We'll iterate with you from there.