# Attestation & Compliance API
The attestation and compliance surface transforms the governance telemetry flowing through the platform into audit-grade artifacts for regulators and audit teams.
All evidence is derived automatically from the Glass Box Ledger and governance logs — no separate ingestion step is required. Every artifact is cryptographically linked to the governance chain it describes.
For the architectural overview of how this surface fits into the platform, see Compliance Architecture.
Authentication: `Authorization: Bearer <session_token | api_key>` with the relevant permission (noted per endpoint).

## Endpoints
### Compliance frameworks & evidence

| Method | Path | Permission | Purpose |
|---|---|---|---|
| GET | /v1/compliance/frameworks | compliance:read | List supported frameworks with coverage status |
| POST | /v1/compliance/evidence-snapshot | compliance:read | Generate a point-in-time evidence bundle |
| GET | /v1/compliance/evidence-snapshot/{snapshot_id} | compliance:read | Poll snapshot generation status |
| GET | /v1/compliance/evidence-snapshot/{snapshot_id}/download | compliance:read | Download the completed snapshot |
### Executive summary

| Method | Path | Permission | Purpose |
|---|---|---|---|
| GET | /v1/compliance/executive-summary | compliance:read | One-page posture summary for executive review |
### Attestation hub

| Method | Path | Permission | Purpose |
|---|---|---|---|
| GET | /v1/attestation/report | compliance:read | Latest attestation report (hash chain + coverage) |
| POST | /v1/attestation/anchor | compliance:write | Anchor the chain to an external timestamp authority |
| GET | /v1/attestation/verify/{chain_root} | compliance:read | Verify a chain root against the live ledger |
### Audit violations & data subject requests

| Method | Path | Permission | Purpose |
|---|---|---|---|
| GET | /v1/audit/violations | compliance:read | Cross-subsystem violation analytics |
| GET | /v1/audit/violations/{violation_id} | compliance:read | Single violation detail |
| POST | /v1/compliance/dsr | compliance:write | Submit a Data Subject Request (GDPR / CCPA shred) |
| GET | /v1/compliance/dsr/{dsr_id} | compliance:read | Poll DSR status |
### OSCAL & compliance reports

| Method | Path | Permission | Purpose |
|---|---|---|---|
| GET | /v1/compliance/export/oscal | compliance:read | OSCAL-formatted compliance package |
| POST | /v1/compliance/report | compliance:read | Generate a formatted PDF/HTML compliance report |
| GET | /v1/compliance/report/{report_id} | compliance:read | Poll report generation |
### Auditor activity

| Method | Path | Permission | Purpose |
|---|---|---|---|
| GET | /v1/audit/activity | compliance:read | Append-only log of every external-reviewer session |
### Shared access links

| Method | Path | Permission | Purpose |
|---|---|---|---|
| POST | /v1/shared-links | compliance:write | Create a scoped, time-limited shared link for an external reviewer |
| GET | /v1/shared-links | compliance:read | List active shared links |
| GET | /v1/shared-links/{link_id} | compliance:read | Get link detail and access log |
| DELETE | /v1/shared-links/{link_id} | compliance:write | Revoke a link immediately |
### GET /v1/compliance/frameworks

Returns the platform's current coverage status for every supported compliance framework.

```json
{
  "frameworks": [
    {
      "framework_id": "eu_ai_act",
      "label": "EU AI Act",
      "coverage_status": "covered",
      "coverage_pct": 94,
      "gap_count": 2,
      "gaps": [
        {
          "article": "Art. 14",
          "requirement": "Human oversight mechanism for high-risk systems",
          "recommendation": "Enable escalation workflow for blocked verdicts"
        }
      ],
      "last_assessed_at": "2026-05-01T00:00:00Z"
    },
    {
      "framework_id": "nist_ai_rmf",
      "label": "NIST AI RMF",
      "coverage_status": "covered",
      "coverage_pct": 100,
      "gap_count": 0,
      "gaps": [],
      "last_assessed_at": "2026-05-01T00:00:00Z"
    }
  ]
}
```

Supported `framework_id` values: `eu_ai_act`, `nist_ai_rmf`, `iso_42001`, `soc2`, `hipaa`, `sec_38a1`, `pcaob_ssae18`, `nydfs_500`.
### POST /v1/compliance/evidence-snapshot

Generate a point-in-time JSON evidence bundle for a specified framework and time period.

```json
{
  "framework": "eu_ai_act",
  "period": {
    "from": "2026-01-01T00:00:00Z",
    "to": "2026-03-31T23:59:59Z"
  },
  "include_raw_logs": false,
  "include_training_history": true,
  "guardian_ids": ["gov_01JF8R3M3X4N5Q6T7V8W9Y0Z1A"]
}
```

| Field | Type | Description |
|---|---|---|
| framework | string | Framework ID (see above). Omit for a framework-agnostic bundle |
| period | object | ISO-8601 timestamps |
| include_raw_logs | boolean | Include individual governance log entries. Default false (summary only) |
| include_training_history | boolean | Include Guardian version and training job history |
| guardian_ids | string[] | Scope to specific Guardians. Omit for all |

Response — 202 Accepted

```json
{
  "snapshot_id": "snp_01JF8RSNP1A2B3C4D5E6F7G8H9I",
  "status": "generating",
  "framework": "eu_ai_act",
  "period": { "from": "2026-01-01T00:00:00Z", "to": "2026-03-31T23:59:59Z" },
  "created_at": "2026-05-01T22:00:00Z",
  "estimated_completion": "2026-05-01T22:03:00Z"
}
```

Poll `GET /v1/compliance/evidence-snapshot/{snapshot_id}` until `status` is `completed` or `failed`. Then download via `GET /v1/compliance/evidence-snapshot/{snapshot_id}/download`.
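A client for the submit/poll/download workflow above, added here as an example and not part of the platform's own SDK: it submits the job, polls until the status settles, downloads the bundle, and raises on `failed` or when the polling deadline passes. The base URL, the `FakeApi` stand-in and its responses are constructed for illustration; only the paths, request fields and status values come from this page.

```python
import json
import time
import urllib.request

BASE_URL = "https://api.example.invalid"  # placeholder; the real API host is not given on this page

class SnapshotFailed(RuntimeError):
    """The platform reported status `failed` for the snapshot job."""

def http_json(method, path, body=None, *, token):
    """Minimal transport: JSON over urllib with the Bearer credential described above."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method,
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def fetch_evidence_snapshot(call, framework, period_from, period_to,
                            guardian_ids=None, poll_interval=5.0, timeout=600.0):
    """POST the job, poll until it settles, then GET the download.
    `call(method, path, body)` returns decoded JSON (e.g. functools.partial(http_json, token=...)).
    Raises SnapshotFailed on `failed`, TimeoutError if the job never settles."""
    body = {"framework": framework, "period": {"from": period_from, "to": period_to},
            "include_raw_logs": False, "include_training_history": True}
    if guardian_ids:
        body["guardian_ids"] = guardian_ids
    job = call("POST", "/v1/compliance/evidence-snapshot", body)
    snapshot_id, status = job["snapshot_id"], job["status"]
    deadline = time.monotonic() + timeout
    while status not in ("completed", "failed"):
        if time.monotonic() > deadline:
            raise TimeoutError(f"snapshot {snapshot_id} still '{status}' after {timeout}s")
        time.sleep(poll_interval)
        status = call("GET", f"/v1/compliance/evidence-snapshot/{snapshot_id}", None)["status"]
    if status == "failed":
        raise SnapshotFailed(snapshot_id)
    return call("GET", f"/v1/compliance/evidence-snapshot/{snapshot_id}/download", None)

class FakeApi:
    """Constructed stand-in for the platform: first poll says `generating`, second settles."""
    def __init__(self, final_status="completed"):
        self.polls, self.final_status = 0, final_status
    def __call__(self, method, path, body):
        if method == "POST":
            return {"snapshot_id": "snp_constructed", "status": "generating"}
        if path.endswith("/download"):
            return {"snapshot_id": "snp_constructed", "framework": "eu_ai_act", "entries": []}
        self.polls += 1
        return {"status": "generating" if self.polls < 2 else self.final_status}
```

Against the real platform, bind a credential with `functools.partial(http_json, token=...)` and pass that as `call`.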
### GET /v1/compliance/executive-summary

Returns a one-page posture summary suitable for executive review: violation rate, NHI posture, policy coverage, fleet health, and the top concrete actions to improve your posture.

```json
{
  "generated_at": "2026-05-01T22:00:00Z",
  "violation_rate": 0.23,
  "nhi_posture": 0.91,
  "policy_coverage_pct": 87,
  "fleet_health": 1.0,
  "top_actions": [
    {
      "priority": 1,
      "action": "Assign Guardians to 4 ungoverned NHIs",
      "impact": "Improves nhi_posture to 1.0"
    },
    {
      "priority": 2,
      "action": "Finalize Q2 GDPR policy update",
      "impact": "Closes 3 EU AI Act framework gaps"
    },
    {
      "priority": 3,
      "action": "Promote PII-Redactor v4 to production",
      "impact": "Reduces violation rate by ~0.04%"
    }
  ]
}
```
### GET /v1/attestation/report

Returns the latest attestation report for the organization: hash chain root, coverage statistics, and external anchor details.

```json
{
  "report_id": "atr_01JF8RATR1A2B3C4D5E6F7G8H9I",
  "generated_at": "2026-05-01T22:00:00Z",
  "chain_root": "sha256:8f3c44a1e2b...",
  "chain_length": 1482301,
  "chain_integrity": "verified",
  "period": {
    "from": "2026-01-01T00:00:00Z",
    "to": "2026-05-01T22:00:00Z"
  },
  "anchors": [
    {
      "anchor_id": "anc_01JF8RANC1A2B3C4D5E6F7G8H9I",
      "type": "rfc3161",
      "timestamp_authority": "https://timestamp.digicert.com",
      "anchored_at": "2026-04-01T00:00:00Z",
      "anchor_receipt": "MIIEcTCCA1mg..."
    }
  ],
  "framework_coverage": {
    "eu_ai_act": 94,
    "nist_ai_rmf": 100,
    "iso_42001": 88
  }
}
```
### POST /v1/attestation/anchor

Anchor the current chain root to an external timestamp authority, creating an independently verifiable proof that the governance record existed at a specific moment.

```json
{
  "anchor_type": "rfc3161",
  "timestamp_authority": "https://timestamp.digicert.com"
}
```

| anchor_type | Standard | Notes |
|---|---|---|
| rfc3161 | IETF RFC 3161 | Standard PKI timestamp; widely accepted by auditors |
| rekor | Sigstore Rekor | Public, append-only transparency log; open source |
| zk_snark | zk-SNARK | Prove outcome without revealing underlying data |

Response — 202 Accepted

```json
{
  "anchor_id": "anc_01JF8RANC2B3C4D5E6F7G8H9I0J",
  "type": "rfc3161",
  "chain_root": "sha256:8f3c44a1e2b...",
  "status": "anchoring",
  "estimated_completion": "2026-05-01T22:01:00Z"
}
```
### GET /v1/audit/violations

Cross-subsystem violation analytics — a queryable view of every corrected and blocked Guardian verdict, enriched with policy node citations.

Query parameters

| Param | Type | Description |
|---|---|---|
| from / to | ISO-8601 | Time range |
| guardian_id | string | Filter to a specific Guardian |
| nhi_id | string | Filter to a specific NHI |
| outcome | `corrected` \| `blocked` | Filter by verdict |
| severity | `low` \| `medium` \| `high` \| `critical` | Filter by violation severity |
| framework | string | Filter to violations relevant to a specific compliance framework |
| limit / offset | — | Offset pagination |

```json
{
  "violations": [
    {
      "violation_id": "vio_01JF8RVIO1A2B3C4D5E6F7G8H9I",
      "occurred_at": "2026-05-01T14:32:11Z",
      "guardian_id": "gov_01JF8R3M3X4N5Q6T7V8W9Y0Z1A",
      "guardian_name": "PII-Redactor",
      "outcome": "corrected",
      "severity": "high",
      "rule": "pii.ssn_unredacted",
      "detail": "SSN pattern detected in assistant message",
      "policy_node_id": "gdpr_art5_sec1_f",
      "correction_applied": true,
      "log_id": "log_01JF8RLOG1A2B3C4D5E6F7G8H9I"
    }
  ],
  "pagination": { "total": 312, "limit": 50, "offset": 0 }
}
```
### POST /v1/compliance/dsr

Submit a Data Subject Request — GDPR Article 17 erasure, CCPA deletion, or CPRA correction. The platform issues a verifiable shred receipt once all PII-bearing governance log entries for the data subject are cryptographically zeroed.

```json
{
  "type": "erasure",
  "subject_identifier": { "type": "email", "value": "jane.doe@example.com" },
  "regulation": "gdpr",
  "requestor_reference": "DSR-2026-0142"
}
```

Response

```json
{
  "dsr_id": "dsr_01JF8RDSR1A2B3C4D5E6F7G8H9I",
  "type": "erasure",
  "status": "processing",
  "created_at": "2026-05-01T22:00:00Z",
  "estimated_completion": "2026-05-01T22:10:00Z"
}
```

When `status` reaches `completed`, the response includes a `shred_receipt` — a cryptographically signed document proving that the erasure occurred and when.
### GET /v1/compliance/export/oscal

Export a machine-readable OSCAL (Open Security Controls Assessment Language) compliance package for use with GRC tools.

Query parameters

| Param | Type | Description |
|---|---|---|
| framework | string | Framework to export (e.g. nist_ai_rmf, soc2) |
| period | string | ISO-8601 range (`2026-Q1`, or `from=...&to=...`) |
| format | `json` \| `xml` | OSCAL serialization format. Default json |

Returns the OSCAL package directly as `application/json` or `application/xml`. The package includes system security plan elements, assessment results, and POA&M items for open gaps.
## Shared Access Links — External Reviewers

### POST /v1/shared-links

Create a time-limited, scope-locked link that gives an external counterparty read-only access to specific compliance data — no platform credentials required.

```json
{
  "label": "Deloitte Q1 2026 AI Audit",
  "scopes": ["evidence_snapshots", "attestation_reports", "executive_summary"],
  "expires_at": "2026-06-30T23:59:59Z",
  "allowed_frameworks": ["eu_ai_act", "iso_42001"],
  "ip_allowlist": ["203.0.113.0/24"],
  "require_mfa": true
}
```

| Field | Type | Description |
|---|---|---|
| label | string | Identifies the link in audit logs |
| scopes | string[] | What the counterparty can see: evidence_snapshots, attestation_reports, executive_summary, violation_analytics, oscal_exports |
| expires_at | ISO-8601 | Hard expiry; link is revoked automatically |
| allowed_frameworks | string[] | Restrict visibility to specific frameworks. Omit for all |
| ip_allowlist | string[] | CIDR blocks; requests from other IPs are rejected |
| require_mfa | boolean | Require the counterparty to complete a TOTP challenge before accessing data |

Response — 201 Created

```json
{
  "link_id": "lnk_01JF8RLNK1A2B3C4D5E6F7G8H9I",
  "portal_url": "https://portal.trinitite.ai/lnk_01JF8RLNK1A2B3C4D5E6F7G8H9I",
  "label": "Deloitte Q1 2026 AI Audit",
  "expires_at": "2026-06-30T23:59:59Z",
  "access_count": 0,
  "created_at": "2026-05-01T22:00:00Z"
}
```

Share only the `portal_url` with the counterparty. Every access is recorded in the auditor activity log.
### DELETE /v1/shared-links/{link_id}

Revoke a link immediately. Outstanding sessions using the link are terminated within 60 seconds. Returns 204 No Content.
### GET /v1/audit/activity

Append-only log of every external-reviewer access via shared links. External reviewers can see what they accessed, and your organization can see what they saw — both views derive from the same Glass Box Ledger.

```json
{
  "activity": [
    {
      "event_id": "act_01JF8RACT1A2B3C4D5E6F7G8H9I",
      "link_id": "lnk_01JF8RLNK1A2B3C4D5E6F7G8H9I",
      "link_label": "Deloitte Q1 2026 AI Audit",
      "occurred_at": "2026-05-02T09:14:33Z",
      "ip_address": "203.0.113.42",
      "action": "evidence_snapshot.download",
      "resource_id": "snp_01JF8RSNP1A2B3C4D5E6F7G8H9I"
    }
  ],
  "pagination": { "total": 7, "limit": 50, "offset": 0 }
}
```
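An added example, not the platform's own code, that reconciles a shared link's constraints (`ip_allowlist`, `expires_at` and `scopes` from the create request above) against entries of the shape returned by `GET /v1/audit/activity`, so your organization can independently confirm the enforcement the page describes. The link record, the events and the action-to-scope mapping (`ACTION_SCOPE`) are constructed assumptions; of the action names only `evidence_snapshot.download` appears on this page.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample: a link with the fields from the create request above, and events
# shaped like the activity entries above (one legitimate access and three that are not).
LINK = {
    "link_id": "lnk_01JF8RLNK1A2B3C4D5E6F7G8H9I",
    "scopes": ["evidence_snapshots", "attestation_reports", "executive_summary"],
    "expires_at": "2026-06-30T23:59:59Z",
    "ip_allowlist": ["203.0.113.0/24"],
}
EVENTS = [
    {"event_id": "act_1", "link_id": LINK["link_id"], "occurred_at": "2026-05-02T09:14:33Z",
     "ip_address": "203.0.113.42", "action": "evidence_snapshot.download"},
    {"event_id": "act_2", "link_id": LINK["link_id"], "occurred_at": "2026-05-02T09:20:00Z",
     "ip_address": "198.51.100.7", "action": "attestation_report.view"},
    {"event_id": "act_3", "link_id": LINK["link_id"], "occurred_at": "2026-07-01T00:00:01Z",
     "ip_address": "203.0.113.9", "action": "executive_summary.view"},
    {"event_id": "act_4", "link_id": LINK["link_id"], "occurred_at": "2026-05-03T11:00:00Z",
     "ip_address": "203.0.113.10", "action": "violation_analytics.query"},
]

# Assumed mapping from an action's prefix to the scope that permits it; the page lists the
# scope names but documents only the evidence_snapshot.download action.
ACTION_SCOPE = {"evidence_snapshot": "evidence_snapshots", "attestation_report": "attestation_reports",
                "executive_summary": "executive_summary", "violation_analytics": "violation_analytics",
                "oscal_export": "oscal_exports"}

def parse_ts(s):
    """Parse the page's ISO-8601 Zulu timestamps into aware UTC datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_link_events(link, events):
    """Return {event_id: [reasons]} for events that contradict the link's own constraints."""
    nets = [ipaddress.ip_network(c) for c in link.get("ip_allowlist", [])]
    expiry = parse_ts(link["expires_at"])
    findings = {}
    for ev in events:
        if ev["link_id"] != link["link_id"]:
            continue  # event belongs to a different link
        reasons = []
        ip = ipaddress.ip_address(ev["ip_address"])
        if nets and not any(ip in n for n in nets):
            reasons.append("ip outside allowlist")
        if parse_ts(ev["occurred_at"]) > expiry:
            reasons.append("after expiry")
        if ACTION_SCOPE.get(ev["action"].split(".", 1)[0]) not in link["scopes"]:
            reasons.append("action outside granted scopes")
        if reasons:
            findings[ev["event_id"]] = reasons
    return findings
```

Any finding means either the log or the enforcement needs investigation, since the platform states that expired links and out-of-allowlist requests are rejected.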
## Errors

| HTTP | error.code | Cause |
|---|---|---|
| 400 | validation_error | Body or query failed schema validation |
| 401 | unauthenticated | Missing or invalid credential |
| 403 | forbidden | Caller lacks the required `compliance:*` permission |
| 404 | not_found | Snapshot, report, link, or violation not found |
| 409 | conflict | Snapshot already generating for this period + framework combination |
| 410 | resource_gone | Link has expired or been revoked |
| 422 | unprocessable_entity | Invalid period range; anchor authority unreachable |
| 429 | rate_limited | Per-organization rate limit exceeded |
## Next steps

- Read the architectural overview → Compliance Architecture
- Understand the full audit log schema → Logs API
- Govern AI agent identities → NHI Governance
- Build the evidence baseline from policy documents → Policies API