Compliance evidence bundle
One zip of offline-verifiable evidence for SOC 2 and ISO 27001 audits.
When an auditor asks how you govern your AI agents, the evidence bundle is the
answer: a one-click zip, assembled live from your control plane, that an
auditor can verify offline without an AxioRank account. Every artifact is
mapped to SOC 2 (Trust Services Criteria) and ISO/IEC 27001:2022 Annex A controls
in the bundled CONTROLS.md.
The bundle is a point-in-time snapshot. Activity counts cover the trailing 90 days; the integrity artifacts cover the audit ledger's entire checkpoint history. Everything in it is already redacted and safe to leave the platform: the governance config carries no secrets, and the ledger artifacts are signatures and hashes.
Who can generate it
Admins and owners only, since the bundle contains the access review and the
full governance config. It is available on the Team plan and above; other
plans receive a 403.
Generate it
Download it from Dashboard → Zero Trust Maturity (/maturity) or
Dashboard → Audit Integrity (/integrity), or hit the route directly:
```
GET /api/compliance/evidence-bundle
```

This is a dashboard route authenticated by your signed-in session (it is a
download link, not an API-key endpoint). The response is `application/zip`,
named `axiorank-evidence-YYYY-MM-DD.zip` from the generation date.
Contents
| Path | What it is |
|---|---|
| `manifest.json` | Workspace, generation time, the covered period, and a sorted list of every other file in the zip. |
| `README.md` | What the bundle is and how its folders fit together. |
| `CONTROLS.md` | Each artifact mapped to SOC 2 and ISO 27001 Annex A controls. |
| `VERIFY.md` | Step-by-step offline verification instructions for your auditor. |
| `maturity/scorecard.json` | The Zero-Trust maturity scorecard: overall tier plus per-domain scores. |
| `maturity/scorecard.html` | The same scorecard as a self-contained, printable page. |
| `integrity/signed-tree-head.json` | The latest Ed25519 signed tree head over the sealed audit ledger. |
| `integrity/checkpoints.json` | The full checkpoint chain: sequence, window, row count, hashes, Merkle root, tree size. |
| `integrity/jwks.json` | The public signing keys, as published at `/api/v1/audit/public-key`. |
| `governance/config.json` | The enforced policy, detector, and response configuration as code. |
| `access/access-review.json` | Members with roles and join dates, plus MFA and SSO enforcement. |
| `retention/retention-and-siem.json` | Audit and inbound retention windows, and configured SIEM destinations. |
| `activity/decision-summary.json` | Allow, deny, hold, and total decision counts for the 90-day period. |
Verify offline
The integrity/ artifacts are designed so an auditor needs nothing but the
published public key:
- Signature: the signed tree head's Ed25519 signature verifies against a key in `integrity/jwks.json`. Pin the JWKS out of band (or refetch it from `/api/v1/audit/public-key`) so verification does not trust the bundle itself.
- Chain: each entry in `integrity/checkpoints.json` links to the previous via `prevHash`, so any altered, deleted, inserted, or reordered row breaks the chain from that point forward.
- Per-row proof: any individual audit row can be proven with a verifiable receipt against the tree head in this bundle.
The open-source verifier runs entirely offline:
```bash
npm install @axiorank/audit-verify
```

```js
import { verifyReceipt } from "@axiorank/audit-verify";

// receipt: the verifiable receipt JSON for one audit row
// jwks: the public key set from integrity/jwks.json, pinned out of band
const result = verifyReceipt(receipt, jwks);
console.log(result.ok, result.checks); // leaf, inclusion, sthSignature, provenance
```

```bash
pip install "axiorank[verify]"
```

```python
from axiorank import verify_receipt

# receipt: the verifiable receipt for one audit row
# jwks: the public key set from integrity/jwks.json, pinned out of band
assert verify_receipt(receipt, jwks) is True
```

The bundled VERIFY.md walks your auditor through the same steps, so they can
verify without ever reading these docs.
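The two structural checks an auditor can run before touching the signature at all are that the zip matches its own `manifest.json` and that the checkpoint chain is unbroken. The script below is an added example, not AxioRank's verifier: it builds a constructed sample bundle in memory, then checks manifest completeness and walks the `prevHash` chain, flagging an altered, deleted, or reordered checkpoint. The checkpoint field names other than `prevHash` (`sequence`, `rowCount`, `merkleRoot`, `treeSize`, `hash`), the manifest key `files`, and the hash derivation (SHA-256 over the canonical JSON of the entry without its own `hash`) are assumptions for illustration, not the product's documented layout. The Ed25519 check on the signed tree head is left to the published verifier.

```python
"""Offline structural checks on an evidence bundle (added example, not AxioRank code)."""
import hashlib
import io
import json
import zipfile


def checkpoint_hash(cp: dict) -> str:
    # Assumed derivation: SHA-256 over canonical JSON of the entry minus its own hash.
    body = {k: v for k, v in cp.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def make_checkpoints(n: int) -> list:
    """Constructed sample chain: each entry links to the previous via prevHash."""
    chain, prev_hash, tree_size = [], None, 0
    for seq in range(1, n + 1):
        rows = 10 * seq
        tree_size += rows
        cp = {
            "sequence": seq,                      # assumed field name
            "window": {"from": f"2024-01-{seq:02d}", "to": f"2024-01-{seq + 1:02d}"},
            "rowCount": rows,                     # assumed field name
            "prevHash": prev_hash,                # None on the first checkpoint
            "merkleRoot": hashlib.sha256(f"root-{seq}".encode()).hexdigest(),
            "treeSize": tree_size,                # assumed field name
        }
        cp["hash"] = checkpoint_hash(cp)
        chain.append(cp)
        prev_hash = cp["hash"]
    return chain


def build_sample_bundle(checkpoints: list, drop_from_manifest: str = None) -> bytes:
    """Zip a constructed bundle; optionally omit one file from the manifest to simulate a mismatch."""
    files = {
        "integrity/checkpoints.json": json.dumps(checkpoints).encode(),
        "integrity/jwks.json": json.dumps({"keys": []}).encode(),
        "activity/decision-summary.json": json.dumps(
            {"allow": 1, "deny": 0, "hold": 0, "total": 1}).encode(),
    }
    listed = sorted(n for n in files if n != drop_from_manifest)
    manifest = {"workspace": "example-workspace", "generatedAt": "2024-02-01T00:00:00Z",
                "files": listed}   # "files" is an assumed manifest key
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def check_manifest(zf: zipfile.ZipFile) -> list:
    """Every file in the zip must be listed in manifest.json, and vice versa."""
    manifest = json.loads(zf.read("manifest.json"))
    listed = manifest["files"]
    actual = {n for n in zf.namelist() if n != "manifest.json" and not n.endswith("/")}
    problems = [f"missing from zip: {n}" for n in sorted(set(listed) - actual)]
    problems += [f"not in manifest: {n}" for n in sorted(actual - set(listed))]
    if listed != sorted(listed):
        problems.append("manifest file list is not sorted")
    return problems


def check_chain(checkpoints: list) -> list:
    """Recompute each hash and confirm prevHash, sequence, and tree size link forward."""
    problems, prev = [], None
    for cp in checkpoints:
        seq = cp["sequence"]
        if cp["hash"] != checkpoint_hash(cp):
            problems.append(f"checkpoint {seq}: stored hash does not match its contents")
        if prev is None:
            if cp["prevHash"] is not None:
                problems.append(f"checkpoint {seq}: first entry should have no prevHash")
        else:
            if cp["prevHash"] != prev["hash"]:
                problems.append(f"checkpoint {seq}: prevHash does not link to checkpoint {prev['sequence']}")
            if seq != prev["sequence"] + 1:
                problems.append(f"checkpoint {seq}: sequence gap after {prev['sequence']}")
            if cp["treeSize"] < prev["treeSize"]:
                problems.append(f"checkpoint {seq}: tree size shrank")
        prev = cp
    return problems


def verify_bundle(zip_bytes: bytes) -> list:
    """Return a list of problems; an empty list means both structural checks passed."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        problems = check_manifest(zf)
        problems += check_chain(json.loads(zf.read("integrity/checkpoints.json")))
    return problems


if __name__ == "__main__":
    print("clean bundle:", verify_bundle(build_sample_bundle(make_checkpoints(3))))
    tampered = make_checkpoints(3)
    tampered[1]["rowCount"] += 1          # edit a sealed checkpoint without re-hashing
    print("tampered bundle:", verify_bundle(build_sample_bundle(tampered)))
```

Note that re-hashing the edited entry does not help an adversary: the next checkpoint's `prevHash` still names the original hash, so the break simply moves one entry forward, which is the "from that point forward" property described above.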
Use cases
- Auditor handoff: drop one zip into the evidence request portal instead of screenshotting a dozen dashboards.
- Quarterly access review: `access/access-review.json` is a member, role, MFA, and SSO snapshot you can archive and sign off each quarter.
- Vendor questionnaires: the scorecard and control mapping answer most "how do you govern agent actions?" questions verbatim.
Guidance, not certification
The control mappings exist to speed your auditor's review. They are not a SOC 2 report or an ISO certificate.
Next steps
- Audit integrity: how sealing, tree heads, and receipts work.
- Config as code: the export behind `governance/config.json`.
- Privacy & data rights: the retention policy the bundle reports.