Most AI compliance work is evidence work: proving that the controls a framework asks for are actually running on the path your agents use, and handing an auditor something they can verify without taking your word for it. OrcaRouter turns a framework into a working set of controls and a signed report in a few steps — you install a pack, watch it in observe mode, then turn enforcement on and generate evidence. This page is the hub. It explains the moving parts and links to the focused page for each one.

1. What AI compliance means on the gateway

A compliance pack is a framework expressed as controls. Installing a pack materializes two real, editable objects in your workspace:
  • one Guardrail — the content-plane controls (PII, secrets, unsafe output) the framework expects on requests and responses;
  • one Firewall policy and its rules — the action-plane controls (which tool calls, MCP dispatches, and egress destinations are allowed).
Because the objects are real, the pack is not a checkbox — it is the same guardrail and firewall machinery the rest of your workspace uses, tagged to the framework so reports can read its state.
Browsing the catalog, installed packs, and readiness is open to every workspace Member and is free. Installing a pack and going live require workspace Admin and a paid plan. Generating a report also requires workspace Admin: the free plan includes one PDF report; CSV/JSON exports and additional reports require a paid plan. Setting residency is Admin-gated. See Plan gating.

2. Observe before you enforce

A freshly installed pack lands in observe mode: guardrail actions are coerced to flag (annotate, don’t block) and the firewall policy runs in shadow (it logs [shadow] would … instead of denying). Nothing your agents do is interrupted while you learn what the controls would have caught. When the match and event feeds look clean, you go live — the same objects switch to real enforcement. This observe-then-enforce arc is the single most important habit in compliance rollout, and it has its own page.

Observe vs enforce

The full rollout arc — what observe mode logs, how go-live flips it, and how to read the signal before you commit.

What a pack contains

The exact guardrail and firewall objects a pack materializes, and how they map to the framework’s controls.

3. Pick a framework

The catalog covers general security and AI-governance frameworks (soc2, iso_27001, iso_42001, nist_ai_rmf, eu_ai_act, owasp_llm), sector regimes (hipaa, pci_dss, glba, nist_800_53), and a wide set of regional privacy laws (gdpr, uk_gdpr, ccpa, and more). Browse the live list rather than hard-coding it.

SOC 2

HIPAA

GDPR

EU AI Act

ISO 27001

ISO 42001

NIST AI RMF

OWASP LLM Top 10

PCI DSS

CCPA

All frameworks

Control matrix

4. Install a pack (one concrete flow)

Install runs from the console under Compliance → Catalog, as a workspace Admin. The action is server-gated to a paid plan; it materializes the guardrail and firewall objects in observe mode. The console drives this management route for you (it uses your session, not a relay key):
POST /api/compliance/packs/soc2/install
Authorization: Bearer <your console session>
After install, open Readiness to see which controls are satisfied, watch the feeds for a week, then go live. The Install a pack page walks the full sequence; Export evidence covers what comes out the other end.
Reads stay open to Members so your security and audit reviewers can watch readiness without write access. Only the Admin who owns rollout needs the install and go-live capability.

5. Signed, verifiable reports

A compliance report is evidence an auditor can trust without trusting you. Every report carries a SHA-256 content hash and an Ed25519 signature over that hash, and is exportable as CSV, JSON, or PDF. The signature is publicly verifiable — anyone with the report and OrcaRouter’s public key can confirm it was not altered.
A workspace Admin generates the report; it is hashed and signed at creation. See Signed report.
Fetch the public key from GET /api/public/compliance/pubkey and POST /api/public/compliance/verify the report — no account needed. See Verify a report.
Mint a read-only link your auditor opens at GET /api/public/compliance/share/:token — scoped to one report, no login. See Export evidence.
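The check an auditor performs can be reproduced offline. The following is an added example, not OrcaRouter's code or documented report schema: the field names `content_hash` and `signature`, the hex and base64 encodings, and the choice to sign the raw 32-byte digest are assumptions, and a throwaway key pair stands in for the key served at /api/public/compliance/pubkey.

```javascript
const crypto = require("node:crypto");

// Hash the exported bytes exactly as received; re-serializing JSON changes the digest.
function contentHash(reportBytes) {
  return crypto.createHash("sha256").update(reportBytes).digest();
}

// Assumed envelope (not a documented schema): content_hash is hex,
// signature is base64, and the signature covers the raw 32-byte digest.
function verifyReport(reportBytes, envelope, publicKey) {
  const actual = contentHash(reportBytes);
  const claimed = Buffer.from(envelope.content_hash || "", "hex");
  if (!claimed.equals(actual)) return { ok: false, reason: "hash_mismatch" };
  const sig = Buffer.from(envelope.signature || "", "base64");
  if (sig.length !== 64) return { ok: false, reason: "bad_signature_length" };
  // Ed25519 hashes internally, so Node takes null as the digest algorithm.
  const valid = crypto.verify(null, actual, publicKey, sig);
  return valid ? { ok: true, reason: "verified" } : { ok: false, reason: "bad_signature" };
}

// Constructed sample data: a generated key pair and a made-up report body.
function demo() {
  const signer = crypto.generateKeyPairSync("ed25519");
  const unrelated = crypto.generateKeyPairSync("ed25519");
  const report = Buffer.from('{"framework":"soc2","region":"eu","controls_satisfied":12}');
  const digest = contentHash(report);
  const envelope = {
    content_hash: digest.toString("hex"),
    signature: crypto.sign(null, digest, signer.privateKey).toString("base64"),
  };
  const edited = Buffer.from(report.toString().replace("12", "14"));
  // Recomputing the hash after an edit does not help: the old signature
  // no longer matches, and a new one needs the private key.
  const rehashed = { ...envelope, content_hash: contentHash(edited).toString("hex") };
  return {
    genuine: verifyReport(report, envelope, signer.publicKey).reason,
    edited: verifyReport(edited, envelope, signer.publicKey).reason,
    editedAndRehashed: verifyReport(edited, rehashed, signer.publicKey).reason,
    wrongKey: verifyReport(report, envelope, unrelated.publicKey).reason,
  };
}

console.log(demo());
```

Pin the public key through a channel you trust before relying on the result, since a verifier that fetches the key alongside the report only proves the two came from the same place.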

6. Data residency for evidence

Residency on the gateway governs where your signed compliance reports are stored and served — not where inference runs. Each report is stamped with your declared region, and a report is only served under a matching declared region; a cross-region read is withheld. The region is one of us, eu, uk, ap, cn, or global, settable by a workspace Admin:
PUT /api/compliance/residency
Authorization: Bearer <your console session>

{ "region": "eu" }
Residency is a property of the report artifact, not a guarantee that model traffic is geo-pinned. If a regulation requires inference to stay in a region, that is an upstream routing decision, separate from where the evidence lives.

Data residency

Set and change the region your evidence is stored and served under.

Cross-region reads

Why a report stamped one region won’t serve under another, and how to handle multi-region programs.

7. Retention and erasure

Two clocks matter for AI compliance, and both have customer-observable defaults:
Subject | Default | Hard limit
--- | --- | ---
Request-log retention | 30 days | 180 days (server-clamped)
User-deletion grace | 30 days, then PII scrub |
Right-to-erasure is built in: a self-delete starts a 30-day grace window, after which PII is scrubbed and the cascade purges guardrail matches, request logs, and firewall events. The Retention, Right to erasure, and Consent pages cover the DSAR mechanics.

8. Where this fits

Compliance reads the same controls the rest of the security model configures. If you are landing here first, start with the concepts:

Shared responsibility

What the gateway secures versus what stays yours — the honest boundary map for any compliance claim.

Enforcement modes

Observe, audit, and enforce — the shared vocabulary behind go-live.

The control stack

Keys, guardrails, firewall, and audit as one picture.

Glossary

Pack, readiness, residency, attestation, and the rest of the terms.
A compliance program on OrcaRouter is the same loop every time: install the pack, observe what it catches, go live, and hand your auditor a signed report they can verify themselves.