Cytra EU AI Act & NIST AI RMF Compliance
CYber Trust, Resilience & Assurance
Cytra gets you to — and keeps you at — alignment with the EU AI Act, NIST AI RMF, and ISO/IEC 42001, then proves it. The compliance collector runs standalone — deploy it behind your own firewall with no inbound ports (outbound-only), and it still turns every AI action into continuous, audit-ready evidence mapped to the frameworks. Add the managed MCP gateway when you want full runtime evidence: per-call policy, credential brokering, and sandboxed execution, all producing the same hash-chained record.
How the evidence is made
One agent action, five deterministic steps — policy, credential broker, sandbox, then the record. The raw key never reaches the agent, the tool never runs unsandboxed, and the action (allowed or denied) becomes tamper-evident evidence mapped to the EU AI Act and NIST AI RMF. That's how Cytra keeps your evidence audit-ready. Sequence illustrative; the gateway that produces it is in private beta.
AGENT CALL
POST /v1/tools/.../invoke
acme.gateway.cytra.io
2026-05-09 14:31:46Z
POLICY
POL-014 // allow
Per-tenant rules + kill-switch
2026-05-09 14:31:46Z
CREDENTIAL
Scoped token // 5m TTL
Raw key never leaves vault
2026-05-09 14:31:46Z
SANDBOX
Isolated // no egress
Deny-by-default, hard timeout
2026-05-09 14:31:47Z
AUDIT RECORD
WORM #00104782
Evidence → EU AI Act Art. 12 / NIST AI RMF
2026-05-09 14:31:47Z
What you get / how it's delivered
One set of controls, mapped once to the obligations of the EU AI Act, NIST AI RMF, and ISO/IEC 42001 — so a single piece of evidence answers the same control across every framework. Cytra keeps you aligned and audit-ready; it doesn't claim to certify you.
Every governed AI action becomes evidence the moment it runs — mapped to the control objectives of the frameworks. The audit pack is a by-product of operating, current the day the auditor asks, not a quarter-end reconstruction.
Every action — including every denial — lands in a per-tenant SHA-256 hash-chain built for an outside party to verify. Reorder, delete, or mutate one record and the chain fails verification. The evidence stands up to inspection.
AIF360-aligned fairness metrics and drift detection run continuously to satisfy the measurement obligations of the frameworks; threshold breaches raise audit-trail entries, not just dashboard pings.
The collector runs standalone (no gateway required). Add Cytra Gateway for the complete runtime layer: a per-tenant policy engine (prod-write blocks, IP allowlists, budget ceilings, approval gates, PII redaction) before every call, with one operator kill-switch. Gateway evidence and standalone collector evidence land in the same hash chain. Gateway is in private beta.
Raw keys stay envelope-encrypted in a per-tenant vault — the gateway issues a short-lived, scoped token per call; tools run in a deny-by-default sandbox with runtime DLP and prompt-injection defense; agents are first-class identities (NHI) with their own policy lane and audit trail.
Next step // get audit-ready
Start with the compliance collector — deploy it entirely behind your firewall (no inbound ports, outbound-only) and it immediately turns your AI activity into audit-ready evidence mapped to the EU AI Act, NIST AI RMF, and ISO/IEC 42001. Add the managed MCP gateway for full runtime evidence when you're ready. Aligned and audit-ready, not certified — SOC 2 Type II and a HIPAA BAA are in process; we never train on your data. The gateway is in private beta.