AI Agent Auditing

Audit AI agents the way your risk committee actually wants:
cryptographically, continuously, vendor-independently.

Vortalis records every AI agent action on a tamper-evident audit chain, signs every identity and intent with ES256, maps every action to the regulation in force at the time it happened, and exports signed evidence packs your auditor can verify in their own tooling. No callbacks, no proprietary viewers, no software install.

Book an audit walkthrough

Three audit layers, one platform

Audit isn't one job. Vortalis serves all three lines of defence and the external audit firm at the same time, from the same data.

1st line: operations
For: Head of Markets Tech, CIO, platform owner

Continuous policy enforcement at the agent layer. Every action is decided, signed, and audited in tens of milliseconds. Your operators see compliance as a property of the platform, not a separate workstream.

2nd line: compliance and risk
For: Head of Compliance, CRO, MRM lead

Real-time, machine-readable compliance dashboard. EU AI Act, DORA, SR 11-7, MiFID II, FCA Consumer Duty status without manual evidence collection. Findings, remediation, and sign-off built into the audit flow.

3rd line: internal and external audit
For: internal audit, Big-4 partner, supervisor

Signed evidence packs the auditor consumes in their own tooling. Vendor-neutral verification against the public JWKS. Same data, same answer, no platform dependency. Maps to ISO 42001, NIST AI RMF and DORA Article 28.

What's in an evidence pack

The artefact your auditor actually wants. Generated in 30 seconds, replacing the three-to-six-week MRM evidence-collection cycle.

manifest.json

Pack metadata: tenant, period, filters, counts, Merkle root, regulatory mapping with regime versions.

manifest.sig.json

Detached ES256 (ECDSA over P-256 with SHA-256) signature over the canonicalised manifest bytes. Verifiable against the public JWKS.

audit-entries.jsonl

Every agent action (allowed, denied, or HITL), with chained entry hashes for tamper detection.

iat-attestations.jsonl

Identity Attestation Tokens: signed JWTs proving who the agent was at the time of each action.

via-assertions.jsonl

Verifiable Intent Artifacts: signed JWTs proving what the agent was authorised to do (per Mastercard VIA spec).

jwks.json

Snapshot of the active and rotated public keys at export time, so the verifier can resolve every key ID the pack references and reproduce the cryptographic state. The trust anchor remains the published JWKS: a verifier should check the snapshot against it rather than trusting keys that travel inside the pack.

regulatory-mapping.json

Each regulatory tag with the regime version in force at the time of the action: EU AI Act, DORA, MiFID II, and others.

chain-verification.json

Per-entry previous_hash → entry_hash pairs for independent O(n) chain re-validation.

README.md

Six-line Python verification snippet so the auditor verifies in their own tooling without help.
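What an auditor's own re-validation of such a pack can look like, as an added example: this is not Vortalis code and not the README snippet the page mentions. Because the page does not specify the encodings, the example assumes them and says so in its comments: entry_hash is SHA-256 over the canonical JSON (sorted keys, compact separators) of an entry minus its own entry_hash field, the first previous_hash is all zeros, the Merkle root is a pairwise SHA-256 tree over entry hashes, and manifest.sig.json carries a kid, alg and a base64url-encoded raw r||s ES256 signature. The sample actions are constructed. Chain and Merkle checks use only the standard library; the ES256 check needs the cryptography package.

```python
"""Independent re-validation of an evidence pack: hash chain, Merkle root, ES256.
Added example, not Vortalis code. Assumed (the page does not specify these):
entry_hash = SHA-256 over canonical JSON (sorted keys, compact separators) of
the entry minus its own entry_hash field; first previous_hash = 64 zero hex
chars; Merkle root = pairwise SHA-256 tree over entry hashes, last node
duplicated on odd levels; manifest.sig.json = {kid, alg, signature=b64url(r||s)}.
"""
import base64
import hashlib
import json

GENESIS = "0" * 64

def canonical(obj) -> bytes:
    """Deterministic bytes for a JSON object (assumed canonicalisation)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def entry_hash(entry: dict) -> str:
    return hashlib.sha256(canonical({k: v for k, v in entry.items() if k != "entry_hash"})).hexdigest()

def build_chain(actions: list) -> list:
    """Constructed sample entries, each linked to the previous entry's hash."""
    chain, prev = [], GENESIS
    for action in actions:
        entry = dict(action, previous_hash=prev)
        entry["entry_hash"] = prev = entry_hash(entry)
        chain.append(entry)
    return chain

def verify_chain(entries: list):
    """O(n) re-validation: returns (ok, index of the first bad entry or None)."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry.get("previous_hash") != prev:      # deleted, reordered or upstream edit
            return False, i
        if entry_hash(entry) != entry.get("entry_hash"):  # edited without re-hashing
            return False, i
        prev = entry["entry_hash"]
    return True, None

def merkle_root(leaf_hashes: list) -> str:
    """Root of a pairwise SHA-256 tree over hex leaves (assumed construction)."""
    level = [bytes.fromhex(h) for h in leaf_hashes] or [hashlib.sha256(b"").digest()]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest() for i in range(0, len(level), 2)]
    return level[0].hex()

def check_pack(entries: list, manifest: dict):
    """(chain ok, first bad index, root in manifest.json matches recomputed root)."""
    ok, bad = verify_chain(entries)
    root_ok = ok and merkle_root([e["entry_hash"] for e in entries]) == manifest.get("merkle_root")
    return ok, bad, root_ok

def verify_manifest_signature(manifest: dict, sig: dict, jwks: dict) -> bool:
    """Detached ES256 check (needs the `cryptography` package). Pass the JWKS
    fetched from the published endpoint, not the pack's bundled jwks.json, or a
    forged pack can carry the very key that verifies its own signature."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import ec
    from cryptography.hazmat.primitives.asymmetric.utils import encode_dss_signature
    if sig.get("alg") != "ES256":  # pin the algorithm; never let the file choose it
        return False
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == sig.get("kid")), None)
    if key is None or key.get("kty") != "EC" or key.get("crv") != "P-256":
        return False
    raw = b64url_decode(sig.get("signature", ""))
    if len(raw) != 64:  # JWS ES256: 32-byte r followed by 32-byte s
        return False
    r, s = int.from_bytes(raw[:32], "big"), int.from_bytes(raw[32:], "big")
    x, y = (int.from_bytes(b64url_decode(key[c]), "big") for c in ("x", "y"))
    pub = ec.EllipticCurvePublicNumbers(x, y, ec.SECP256R1()).public_key()
    try:
        pub.verify(encode_dss_signature(r, s), canonical(manifest), ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False

# Constructed sample actions, not real audit data.
SAMPLE_ACTIONS = [
    {"ts": "2025-01-10T09:00:00Z", "agent": "agent-7", "action": "read_positions", "decision": "allowed"},
    {"ts": "2025-01-10T09:00:01Z", "agent": "agent-7", "action": "place_order", "decision": "hitl"},
    {"ts": "2025-01-10T09:00:05Z", "agent": "agent-7", "action": "cancel_order", "decision": "denied"},
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_ACTIONS)
    manifest = {"tenant": "demo", "merkle_root": merkle_root([e["entry_hash"] for e in chain])}
    print("intact pack:", check_pack(chain, manifest))
    forged = [dict(e) for e in chain]
    forged[1]["decision"] = "allowed"                 # flip a HITL decision ...
    forged[1]["entry_hash"] = entry_hash(forged[1])   # ... and re-hash it to hide the edit
    print("forged entry 1:", check_pack(forged, manifest))  # chain breaks at entry 2
```

The point of the forged-entry run is that re-hashing an edited entry is not enough: the next entry still carries the old previous_hash, so the chain breaks one step downstream, and the recomputed Merkle root no longer matches the signed manifest. The signature check deliberately refuses any alg other than ES256 and any key that is not an EC P-256 key, so a pack cannot downgrade the verifier.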

Regulatory coverage on day one

Every audit row carries the regimes that apply, with the version in force at the time of the action. No mapping spreadsheets, no compliance officer tagging. It's a property of the action.

EU AI Act (2024/1689)
DORA (2022/2554)
MiFID II / RTS 6 (2014/65/EU)
GDPR (2016/679)
PSD2 (2015/2366)
PCI DSS v4.0.1
HIPAA
NHS DSPT
Caldicott Principles
SRA Standards 2019
ABA Model Rule 5.12 / Op. 512
FCA Consumer Duty (PS22/9)
FCA SS1/23
SR 11-7 (Fed)
NIST AI RMF
ISO 42001

See an evidence pack verified live in your browser.

No demo data, no animations. The actual platform, signed evidence, and Web Crypto verification you can run on your own laptop.

Book a 30-min audit walkthrough