Pass your SOC 2 AI audit with one command

AI is now in scope for SOC 2. Your auditor is going to ask which models touched customer data, which agents acted on which systems, and which policy approved each call. If your answer is a screenshot of a dashboard, you are going to spend the next two weeks writing memos.

What `reframe audit export` produces

A signed bundle, scoped to the period and frameworks you specified, containing:

  • Event log — every prompt, tool call, model response, redaction decision, policy hit, agent action.
  • Control mapping — each event tagged with the SOC 2 Common Criteria items (CC6.x access controls, CC7.x system operations) and ISO 27001 Annex A items it satisfies.
  • Policy bundle — the signed policy that was in force, with a hash chain proving it was not modified during the period.
  • Identity and key references — tied to your SSO and customer-managed KMS so the auditor can verify on their side.

The bundle is signed by the harness with a key chain you can verify independently. Drop it into the auditor's portal exactly as exported.

How this compares to "we log everything"

Most teams have logs. Few teams have evidence. Logs become evidence when they are scoped to a control, immutable, signed, and reproducible. Reframe Harness is built for that step.

NIST AI RMF and EU AI Act

The same export covers NIST AI RMF (GOVERN, MAP, MEASURE, MANAGE) artifacts and EU AI Act conformity-assessment records. One pipeline, every framework.
