Compliance Frameworks

Stryda ships with mappings for the major AI and data-handling frameworks. Enable one, and your existing policies + audit trail become the evidence. No separate compliance stack, no duplicate logging, no end-of-quarter scramble.

Supported frameworks

Enforces August 2, 2026

EU AI Act

Risk classification, documentation requirements, human oversight obligations, transparency rules. Stryda maps your agent configurations to the Act's risk categories and generates the required technical documentation — including the Annex IV technical file and the post-market monitoring log.

Enforces June 30, 2026

Colorado SB24-205

Algorithmic discrimination prevention, impact assessments, consumer notification. Stryda tracks which agents make consequential decisions and maintains the audit trail Colorado requires, including the pre-deployment impact assessment and the annual review artifact.

Voluntary framework

NIST AI RMF

Govern, Map, Measure, Manage. Stryda provides control mapping with evidence tracking across all four functions — with the RMF crosswalk rendered as a live dashboard showing which controls have evidence and which are gaps.

International standard

ISO 42001

AI management system requirements. Stryda runs gap analysis against ISO 42001 clauses, tracks remediation, and exports the Statement of Applicability auditors ask for.

Continuous

SOC 2 Type II

Security, Availability, Confidentiality trust-service criteria. The MCP audit ledger is already SOC 2-grade — hash-chained, tamper-evident, retained per policy. Evidence export ships with the observation period and the control matrix pre-filled.

Per-workspace opt-in

HIPAA / GDPR

PHI / PII handling requirements. Enabling either framework raises the data-privacy policy defaults — tools touching classified data run through redaction before the adapter sees the arguments, and ledger entries carry the classification labels.

How the mapping works

Each framework is expressed as a set of controls. Each control has:

  • A human-readable description (pulled from the framework text, rendered with clause refs).
  • One or more evidence queries — structured queries over the ledger and the registry that produce the artifacts an auditor would ask for.
  • An applicability filter — which workspaces, which systems, which risk levels the control applies to.

The Compliance view renders a live crosswalk: each control shows green if the evidence query returns recent, valid data; amber if the evidence is stale; red if the query returns nothing and the control is a gap.

Evidence export

From the Compliance page, pick a framework and a period, and export a single bundle containing:

  • The ledger slice for the period, verified against the hash chain.
  • The control matrix with each evidence query's result inlined.
  • The registry snapshot at the start and end of the period.
  • Policy change history, approval history, and scope change history.

Format options are PDF (auditor-ready), JSON (tool-ingestible), and CSV (per-control). The PDF includes the hash-chain verification digest on the cover page.
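
How a ledger slice can be checked against a hash chain, as an added example (not Stryda's code or export format). The entry fields (`seq`, `prev_hash`, `payload`, `hash`), the SHA-256 construction and the sample entries are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # constructed anchor for the first entry of a chain


def entry_hash(prev_hash, seq, payload):
    """SHA-256 over the previous hash, sequence number and canonical payload."""
    body = json.dumps({"seq": seq, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(chain, payload):
    """Append a payload to an in-memory chain (used to build sample data)."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = chain[-1]["seq"] + 1 if chain else 0
    chain.append({"seq": seq, "prev_hash": prev, "payload": payload,
                  "hash": entry_hash(prev, seq, payload)})


def verify_slice(entries, anchor_hash):
    """Verify a contiguous slice; anchor_hash is the hash of the entry just
    before the slice (GENESIS if the slice starts at seq 0).
    Returns (ok, detail): detail is the last hash on success, else the reason."""
    prev, expected_seq = anchor_hash, None
    for e in entries:
        if expected_seq is not None and e["seq"] != expected_seq:
            return False, f"gap or reorder at seq {e['seq']}"
        if not hmac.compare_digest(e["prev_hash"], prev):
            return False, f"broken link at seq {e['seq']}"
        if not hmac.compare_digest(e["hash"], entry_hash(prev, e["seq"], e["payload"])):
            return False, f"content mismatch at seq {e['seq']}"
        prev, expected_seq = e["hash"], e["seq"] + 1
    return True, prev


def sample_chain():
    """Constructed ledger entries; field names are hypothetical."""
    chain = []
    for tool in ("crm.lookup", "email.send", "crm.update", "files.read"):
        append(chain, {"tool": tool, "decision": "allow"})
    return chain
```

A slice that starts mid-chain only verifies against the hash of the entry preceding it, and the final hash it returns is the value to compare with a digest recorded outside the ledger: an entry edited and re-hashed at the very end of a slice passes the internal checks but yields a different final hash.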

Enabling a framework

  1. Open Compliance in the dashboard.
  2. Pick a framework. A dialog shows the controls it introduces, the policies it recommends enabling, and the data classifications it requires.
  3. Accept — the framework is now applied to the workspace. The Compliance page populates over the next 24 hours as evidence queries backfill.
  4. Any gaps are listed as actionable items: "Enable X policy", "Add risk classification to Y integration", "Resolve the 3 open escalations".