For Compliance / GRC

EU AI Act. SOC 2. HIPAA. One dashboard. One export.

When your auditor asks "how do you govern employee AI use?", Northbeams gives you a 30-second answer and a 30-page evidence pack. Pre-mapped to the controls auditors actually expect.

01 / The audit question

"How do you govern employee AI use?"

It's the question on every Vendor Security Questionnaire and every SOC 2 Type II control review in 2026. It's a deal-stopper if you don't have a 30-second answer.

Most companies answer with a Notion doc and an awkward shrug. The auditor asks for evidence. The shrug doesn't fit on a CSV.

VENDOR SECURITY QUESTIONNAIRE Q.41

"Describe the controls your organization has in place to govern, monitor, and limit employee use of third-party AI tools. Provide evidence."

Answer: Northbeams (Sentinel tier). Discovery across browser, desktop, CLI, and MCP. Per-tool policy, including per-MCP-tool allow / warn / block. Signed audit logs. EU AI Act Article 4 evidence pack. Attached as audit-log-2026-Q1.csv.

02 / The compliance checklist

What auditors actually want. Pre-built.

Inventory

Tool inventory by user, time, surface, and category.

Who used what, when, and for what kind of prompt - across browser, desktop apps (Claude Desktop, ChatGPT Desktop, Cursor), CLI tools (Claude Code, Aider), and MCP servers (filesystem, GitHub, Postgres, Stripe, Slack, and the rest). Discovery refreshed continuously and dated, not a quarterly snapshot.

MCP audit trail

Your agent's MCP traffic, on the audit log.

Every MCP tool call your team's coding agents make: server name, tool name, action (allow / warn / block), timestamp, and the SHA-256 hash of the arguments. Argument values stay on the laptop. Auditors get the same signed CSV format as the rest of the evidence pack.

Risk classification

Per-tool, per-prompt risk scoring.

Credentials, PII, source code, customer data, contracts. Categorized at capture time so the auditor sees the rationale. Desktop and CLI activity tracked by tool name and frequency, never prompt content.

Policy enforcement

Documented controls with one-click rollback.

Sanctioned, Sandboxed, or Blocked status per tool. Every state change is timestamped and signed for the audit trail.

Retention

Immutable signed event log.

SHA-256 signed CSV exports. Tamper-evident retention structured around SOC 2 CC7.2 and ISO 27001 A.12.4. Bring it to your auditor as evidence; they make the determination.
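The MCP audit trail and retention passages above describe the same mechanism: log the hash of each tool call's arguments rather than the arguments themselves, export the rows as CSV, and protect the export with a SHA-256 digest and a signature. The following is an added illustration of that pattern, not Northbeams' own code. The column names, the constructed sample events, and the use of HMAC-SHA256 as the signing scheme are assumptions; the page does not state how Sentinel signs its exports.

```python
"""Added example (not Northbeams' code): a minimal tamper-evident MCP audit
log in the shape the page describes. Each MCP tool call is recorded as
server, tool, action, timestamp and the SHA-256 of its arguments; the raw
argument values never enter the log. The CSV export is hashed with SHA-256
and the digest is signed with an HMAC key (an assumed scheme)."""
import csv
import hashlib
import hmac
import io
import json

# Constructed sample events, as a laptop-side agent might produce them.
SAMPLE_EVENTS = [
    {"ts": "2026-01-14T09:14:22Z", "user": "d.lin", "server": "filesystem",
     "tool": "read_file", "action": "allow",
     "args": {"path": "/home/d.lin/notes.md"}},
    {"ts": "2026-01-14T09:21:08Z", "user": "a.kahn", "server": "github",
     "tool": "create_issue", "action": "warn",
     "args": {"repo": "acme/app", "title": "Flaky test"}},
    {"ts": "2026-01-14T10:48:33Z", "user": "r.patel", "server": "postgres",
     "tool": "query", "action": "block",
     "args": {"sql": "SELECT * FROM customers"}},
]

FIELDS = ["timestamp", "user", "server", "tool", "action", "args_sha256"]


def hash_args(args: dict) -> str:
    """SHA-256 over a canonical JSON encoding, so identical arguments always
    produce the same digest while the values themselves stay on the device."""
    canonical = json.dumps(args, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def to_row(event: dict) -> dict:
    """One audit-log row: metadata plus the argument hash, never the arguments."""
    return {
        "timestamp": event["ts"],
        "user": event["user"],
        "server": event["server"],
        "tool": event["tool"],
        "action": event["action"],
        "args_sha256": hash_args(event["args"]),
    }


def export_csv(events) -> bytes:
    """Serialise events to the CSV bytes that would be handed to an auditor."""
    buf = io.StringIO(newline="")
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for event in events:
        writer.writerow(to_row(event))
    return buf.getvalue().encode("utf-8")


def sign_export(csv_bytes: bytes, key: bytes) -> dict:
    """Manifest for the export: SHA-256 digest plus an HMAC-SHA256 over it.
    The HMAC key is an assumption standing in for the exporter's signing key."""
    digest = hashlib.sha256(csv_bytes).hexdigest()
    signature = hmac.new(key, digest.encode("ascii"), hashlib.sha256).hexdigest()
    return {"sha256": digest, "hmac_sha256": signature}


def verify_export(csv_bytes: bytes, manifest: dict, key: bytes) -> bool:
    """Auditor-side check: recompute the digest and compare the signature in
    constant time. Any edit to the CSV, or a wrong key, fails verification."""
    digest = hashlib.sha256(csv_bytes).hexdigest()
    expected = hmac.new(key, digest.encode("ascii"), hashlib.sha256).hexdigest()
    return digest == manifest["sha256"] and hmac.compare_digest(
        expected, manifest["hmac_sha256"])


if __name__ == "__main__":
    key = b"example-signing-key"  # constructed; a deployment would use a managed secret
    data = export_csv(SAMPLE_EVENTS)
    manifest = sign_export(data, key)
    print(data.decode("utf-8"))
    print(manifest)
    print("export verifies:", verify_export(data, manifest, key))
    tampered = data.replace(b"block", b"allow")  # flip a decision after the fact
    print("tampered export verifies:", verify_export(tampered, manifest, key))
```

Run it and the printed CSV contains the Postgres query's hash but not the query text, which is the privacy property the page claims for MCP logging; flipping one `block` to `allow` in the export makes verification fail, which is the tamper-evidence property. Canonical JSON before hashing matters: without sorted keys, the same arguments could hash differently between two runs and the log would no longer be usable as evidence that a given call was made.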

Privacy

On-device classifier. No prompt content stored.

The classifier runs in the browser. Only category labels and a redacted snippet leave the device. Designed in alignment with GDPR Art. 25 (privacy by design) principles and CCPA data-minimisation expectations.

Reporting

Quarterly executive risk-audit report.

A board-ready summary every quarter: tool sprawl trend, incident count by severity, and policy-change history.

03 / The evidence pack

What you hand to the auditor.

A signed CSV. SHA-256 hash. Structured around SOC 2, EU AI Act Article 4, HIPAA technical safeguards, and ISO 27001 controls. Download from the dashboard, attach to the questionnaire, ship.

audit-log-2026-Q1.csv · SHA-256 SIGNED

TIMESTAMP  USER      TOOL        CATEGORY      ACTION   CONTROL
09:14:22   d.lin     ChatGPT     aws_key       BLOCKED  CC6.1
09:21:08   a.kahn    Cursor      source_code   SANDBOX  A.5.34
10:02:51   m.osei    Claude      none          ALLOWED  EU 4
10:48:33   r.patel   Otter.ai    contract      BLOCKED  HIPAA
11:03:17   d.lin     Perplexity  none          ALLOWED  CC7.2
11:39:04   j.tanaka  ChatGPT     customer_pii  SANDBOX  CCPA
12:14:46   a.kahn    Galileo     design_ip     SANDBOX  A.8.10

14,832 EVENTS · Q1 2026 · SOC 2 / EU AI ACT / HIPAA STRUCTURED

Q1 2026 sample. Real audit logs scale to thousands of rows per quarter.

04 / For the board, every quarter

A quarterly executive risk-audit report. Auto-generated.

Sentinel ships a board-ready PDF every quarter. No screenshots-and-Slack-threads. The compliance officer reads it, the CISO presents it, the board approves it.

Pulled from the same signed audit log the auditor sees, so internal and external numbers always agree.

01  Tool sprawl trend (quarter-over-quarter)
02  Incident count by severity
03  Top 5 tools by exposure dollars
04  Policy-change history with attribution
05  Compliance-control mapping (SOC 2 / EU AI Act / HIPAA)
06  Open exceptions and remediation deadlines

05 / Related laws & frameworks

The rules behind the audit questions.

When the auditor asks "how do you govern employee AI use?", they are asking against a specific framework. Here are the field-guide pages for the laws and standards that drive the questions. Cite them, link them, share them with counsel.

06 / Reading list

EU AI Act readiness for non-EU SMBs.

Free PDF · 7 pages

Which articles apply to you, what evidence you need, and the page auditors ask for.

A 7-page printable checklist. Article 4 (AI literacy), risk classification for employee AI use, documentation requirements. In your inbox in under a minute.


07 / What you'd actually buy

Sentinel. Required for any SOC 2, HIPAA, or EU AI Act audit.

Sentinel

A sentinel stands watch and keeps records. For the auditor, the regulator, and your insurer.

$20 / user / mo · Billed annually · Save 20%

  • Audit-ready immutable signed logs (SHA-256) covering browser, desktop, CLI, and MCP
  • MCP Gateway: per-tool audit trail for Claude Desktop, Cursor, and Claude Code
  • SOC 2 evidence pack (one-click export)
  • EU AI Act Article 4 evidence (AI literacy across surfaces)
  • HIPAA technical-safeguards evidence (164.312 framing)
  • Quarterly executive risk-audit report (board-ready PDF)
  • MDM-managed deployment (Intune, Jamf, Kandji)
  • API access and priority support

30-second answer. 30-page export. By Friday.

Free for 14 days on Sentinel. Talk to us about your audit timeline if it's tight.