Every osModa server ships with a SHA-256 hash-chained audit ledger.
Tool calls, config changes, access events — all logged cryptographically.
Structured JSON with hash verification. SOC 2, HIPAA, 21 CFR Part 11 ready.
Audit and Compliance for AI Agent Operations
Generate compliance evidence for every action your AI agents take in production. osModa's tamper-evident audit ledger records tool calls, configuration changes, access events, and system operations with SHA-256 hash chain verification. Export structured evidence for SOC2, HIPAA, and 21 CFR Part 11 audit contexts.
In 2026, regulatory scrutiny of AI systems has intensified significantly. The EU AI Act now mandates comprehensive audit trails for high-risk AI applications. In the United States, the SEC and FDA have increased enforcement actions against organizations deploying AI without adequate operational documentation. Meanwhile, SOC2 auditors report that AI agent observability is the fastest-growing area of inquiry during Type II examinations. The gap between “we deployed an agent” and “we can prove what it did” has become a compliance liability. osModa closes that gap with cryptographically verifiable evidence generation built into the platform layer -- not bolted on as an afterthought.
This is not a compliance certification product. osModa does not certify your organization for SOC2, HIPAA, or any regulatory standard. What it does is generate the structured, tamper-evident evidence that auditors and regulators require. The difference matters: certification is a process your organization undertakes. Evidence generation is an infrastructure capability. osModa provides the latter.
TL;DR
- osModa generates compliance evidence -- it does not provide SOC2, HIPAA, or FDA certification itself
- Every agent action is recorded in a SHA-256 hash-chained audit ledger that is tamper-evident and exportable
- Evidence maps to SOC2 Trust Service Criteria, HIPAA 45 CFR 164.312, and 21 CFR Part 11 requirements
- The audit system runs as a platform-level Rust daemon, capturing events application-level logging would miss
- All compliance features are included on every plan from $14.99/month -- no add-ons or premium tiers
Compliance Evidence Capabilities
Each capability is a deep dive into how osModa generates evidence for a specific compliance framework. All capabilities are included on every plan.
Why Compliance Evidence Matters for AI Agents
Traditional software systems have well-established audit patterns. Databases log queries. Web servers log requests. CI/CD pipelines log deployments. But autonomous AI agents introduce a new category of operational activity that existing audit infrastructure was never designed to capture.
Autonomous Decision-Making
AI agents make decisions and take actions without human approval for every step. They call tools, modify files, send network requests, and interact with external APIs. Without a tamper-evident record of these actions, you cannot demonstrate to auditors what your agent actually did -- or did not do -- in production. In regulated industries, this gap is a compliance violation waiting to happen.
Multi-Agent Coordination
When multiple agents collaborate through the P2P mesh network, the interaction patterns become complex. Agent A delegates to Agent B, which calls an external API, which triggers Agent C. The audit ledger records the complete chain of causation across all agents, providing the kind of cross-system traceability that auditors require for SOC2 CC7.2 and CC7.3 criteria.
Configuration Drift Detection
NixOS declarative configuration means the intended system state is always known. The audit ledger records every generation switch, package change, and configuration modification. If the actual system state ever diverges from the declared configuration, the audit trail shows exactly when and why. This is critical for HIPAA change management controls and SOC2 CC8.1.
Incident Forensics
When something goes wrong -- and in production, something always eventually goes wrong -- the audit ledger provides a complete, chronological, tamper-evident record of every event leading up to the incident. No log rotation deleting evidence. No admin accidentally overwriting records. The SHA-256 hash chain makes any alteration of an entry detectable from the moment it was written.
How the Tamper-Evident Audit Ledger Works
The audit ledger is one of 9 Rust daemons in the osModa stack. It operates at the platform level, below your agent code, which means it captures events that application-level logging would miss.
Step 1: Event Capture
Every system event -- tool calls, process lifecycle events, configuration changes, access events, network operations -- is captured by the audit writer daemon. Events are structured with a timestamp (UTC, nanosecond precision), actor identity (agent ID, user SSH session, or system daemon), action type, payload, and result status. This is not free-text logging. Every field is typed and indexed.
Step 2: Hash Chain Sealing
Each new audit entry is hashed with SHA-256 together with the hash of the previous entry. This creates a cryptographic chain: entry N's hash depends on entry N-1's hash, which depends on entry N-2's hash, and so on back to the genesis entry. Modifying any single entry would change its hash, which would break every subsequent hash in the chain. Tampering is not just detectable -- it is mathematically provable.
Step 3: Evidence Export
When you need to provide evidence for an audit, export the ledger entries as structured JSON with full hash chain metadata. Auditors can independently verify the chain by recomputing hashes. Exports can be filtered by time range, event type, agent identity, or compliance framework. The export format includes mapping annotations that link events to specific SOC2 criteria, HIPAA controls, or 21 CFR Part 11 requirements.
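The three steps above (and the FAQ answer on how the tamper-evident log works) in runnable form, as an added example written for this page rather than osModa's own audit writer: a minimal hash-chained ledger that seals entries in the shape of the example record below and verifies the chain by recomputing every hash. Field names follow that record; the genesis hash, the canonical JSON serialisation, zero-based `seq`, and the out-of-band trusted head hash are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

GENESIS_HASH = "0" * 64  # assumed: prev_hash of the very first entry


def canonical(entry: dict) -> bytes:
    # Hash a canonical serialisation so key order and whitespace cannot change the digest.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def seal_entry(prev_hash: str, seq: int, actor: str, action: str,
               payload: dict, timestamp: str) -> dict:
    # Step 2: entry_hash covers every field, including the previous entry's hash.
    body = {"seq": seq, "timestamp": timestamp, "actor": actor,
            "action": action, "payload": payload, "prev_hash": prev_hash}
    body["entry_hash"] = hashlib.sha256(canonical(body)).hexdigest()
    return body


def append(ledger: list, actor: str, action: str, payload: dict,
           timestamp: Optional[str] = None) -> dict:
    # Step 1: capture a structured event and chain it to the current head.
    prev = ledger[-1]["entry_hash"] if ledger else GENESIS_HASH
    ts = timestamp or datetime.now(timezone.utc).isoformat()
    ledger.append(seal_entry(prev, len(ledger), actor, action, payload, ts))
    return ledger[-1]


def verify_chain(ledger: list, trusted_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Step 3 on the auditor's side: recompute every hash. Returns (ok, first_bad_seq).

    A hash chain by itself only proves internal consistency: whoever can rewrite
    the ledger file can re-seal every entry after an edit. Comparing the final
    hash against a head hash kept out of band (trusted_head) closes that gap.
    """
    prev = GENESIS_HASH
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False, i  # reordered, deleted, or inserted entry
        if hashlib.sha256(canonical(body)).hexdigest() != entry["entry_hash"]:
            return False, i  # modified entry
        prev = entry["entry_hash"]
    if trusted_head is not None and prev != trusted_head:
        return False, len(ledger)  # internally consistent, but not the anchored chain
    return True, None
```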
Example audit ledger entry:

```json
{
  "seq": 847291,
  "timestamp": "2026-03-01T14:23:07.847291000Z",
  "actor": "agent:crewai-research-01",
  "action": "tool_call",
  "tool": "http_request",
  "payload": {
    "method": "GET",
    "url": "https://api.example.com/data",
    "status": 200
  },
  "prev_hash": "a1b2c3d4e5f6...",
  "entry_hash": "f6e5d4c3b2a1..."
}
```

Compliance Framework Mapping
The audit ledger generates evidence that maps to specific controls and criteria across multiple compliance frameworks. Here is how osModa capabilities align with the most common audit requirements for AI agent operations.
| Requirement | SOC2 | HIPAA | 21 CFR Part 11 |
|---|---|---|---|
| Immutable audit trail | CC7.2, CC7.3 | 164.312(b) | 11.10(e) |
| Access control logging | CC6.1, CC6.2 | 164.312(a)(1) | 11.10(d) |
| Change management | CC8.1 | 164.312(c)(1) | 11.10(e) |
| Incident detection | CC7.3, CC7.4 | 164.308(a)(6) | 11.10(e) |
| Data integrity verification | CC6.6 | 164.312(c)(2) | 11.10(a) |
For detailed mapping to each framework, visit the dedicated pages: SOC2 Evidence, HIPAA Audit Controls, 21 CFR Part 11.
The 2026 AI Compliance Landscape
The regulatory environment for AI systems has changed dramatically. Organizations deploying AI agents in production face new requirements across multiple jurisdictions and frameworks.
EU AI Act Enforcement
The EU AI Act, which entered full enforcement in 2025, requires comprehensive audit trails for high-risk AI applications. Organizations deploying AI agents in healthcare, financial services, law enforcement, or critical infrastructure must maintain detailed records of AI system behavior. Penalties for non-compliance reach up to 35 million euros or 7% of global annual turnover. The osModa audit ledger generates the operational evidence these requirements demand.
SOC2 AI Agent Inquiries
SOC2 auditors have begun specifically asking about AI agent controls during Type II examinations. Questions focus on how autonomous agent actions are logged, how tool access is controlled, how agent failures are detected and recovered, and how inter-agent communications are secured. Organizations without structured answers to these questions face qualified opinions or exceptions in their SOC2 reports.
FDA Digital Health Guidance
The FDA has expanded its 21 CFR Part 11 guidance to explicitly address AI and machine learning systems used in pharmaceutical manufacturing, clinical trials, and quality management. AI agents operating in these contexts must maintain audit trails that meet the same electronic records standards as traditional computerized systems. The osModa ledger satisfies the four key Part 11 requirements: attribution, timestamp, reason for change, and tamper detection.
Infrastructure That Makes Compliance Possible
Compliance evidence is only as strong as the infrastructure generating it. The osModa stack provides several foundational capabilities that make reliable evidence generation possible.
NixOS Declarative State
Every system configuration is defined in a single Nix flake. The audit ledger records every generation switch, creating a complete history of system state changes. Auditors can verify that the system was in a known, declared state at any point in time. This eliminates the “configuration drift” problem that plagues traditional compliance approaches.
Dedicated Servers
Every osModa deployment runs on a dedicated Hetzner server. No multi-tenancy means no risk of cross-tenant data exposure. Auditors can verify physical isolation. This is particularly important for HIPAA covered entities and organizations handling FDA-regulated data where shared infrastructure creates unacceptable compliance risk.
Post-Quantum Encryption
Inter-agent communication through the P2P mesh uses Noise_XX + ML-KEM-768 hybrid encryption. This satisfies current encryption requirements and provides forward-looking protection against quantum computing threats. NIST finalized ML-KEM as a post-quantum standard in 2024, and regulatory bodies are beginning to require quantum-resistant encryption for sensitive data.
Open Source Verifiability
The entire osModa codebase is open source at github.com/bolivian-peru/os-moda. Auditors can inspect the audit writer daemon source code to verify that evidence is generated correctly. This level of transparency is increasingly important for compliance assessments where auditors want to verify the tooling itself, not just the output it produces.
Frequently Asked Questions
Does osModa provide SOC2 certification?
No. osModa generates compliance evidence that supports SOC2 audit processes. The tamper-evident audit ledger records every agent action, tool call, configuration change, and access event with SHA-256 hash chain verification. You export this evidence for your auditors. We provide the evidence generation infrastructure, not the certification itself.
How does the tamper-evident audit log work?
Every event in the osModa audit ledger is sealed with a SHA-256 hash that chains to the previous entry. If anyone modifies, deletes, or reorders a record, the hash chain breaks and the tampering is immediately detectable. This is the same cryptographic principle used in blockchain systems, applied to operational audit logging.
What compliance frameworks does the evidence support?
The osModa audit ledger generates evidence relevant to SOC2 Trust Service Criteria (especially CC6, CC7, CC8), HIPAA audit controls under the Security Rule (45 CFR 164.312), and 21 CFR Part 11 electronic records requirements for FDA-regulated industries. The evidence format is framework-agnostic and can be adapted to other standards as needed.
Can I export audit logs for external review?
Yes. The audit ledger supports full export in structured JSON format with cryptographic verification metadata. Each export includes the hash chain so auditors can independently verify that no records have been tampered with. Exports can be filtered by time range, event type, agent identity, or action category.
How is this different from standard application logging?
Standard application logs (syslog, journald, CloudWatch) are mutable. An administrator can delete or modify entries without detection. The osModa audit ledger uses cryptographic hash chaining so that any modification breaks the verification chain. Additionally, the ledger captures structured compliance-relevant metadata rather than free-text log lines.
Does the audit system impact agent performance?
Minimally. The audit writer daemon is one of 9 Rust daemons in the osModa stack. It operates asynchronously, writing audit entries to the ledger without blocking agent execution. The SHA-256 hashing operation takes microseconds per entry. In benchmark testing, the audit system adds less than 1ms of latency to agent operations.
What events are captured in the audit ledger?
The ledger captures tool calls and their results, agent process starts, stops, and crashes, configuration changes, secrets access events, SSH sessions, NixOS generation switches, watchdog recovery actions, mesh network connections, and all system-level operations. Every event includes a timestamp, actor identity, action type, and SHA-256 hash linking to the previous entry.
Is the audit system available on all plans?
Yes. The tamper-evident audit ledger is included on every osModa plan, from the $14.99/month Starter tier to the $125.99/month Enterprise tier. There are no add-on charges for compliance features. Every plan includes all 9 Rust daemons, including the audit writer.
Start Generating Compliance Evidence Today
Every osModa plan includes the tamper-evident audit ledger, SOC2 evidence export, and compliance framework mapping. Deploy your agent and start generating auditor-ready evidence from day one. Plans from $14.99/month.
Last updated: March 2026