Where Ledgerline maps to existing regulation.
We are not a compliance product. We are a control plane that produces the evidence a compliance officer needs. This page maps Ledgerline's primitives to the regulatory frameworks that buyers most often ask about.
Canada — AIDA (Artificial Intelligence and Data Act)
AIDA is expected to require operators of high-impact AI systems to maintain records of how the system is used, who is accountable, and what mitigations exist. The text continues to evolve. The shape of the obligation, though, is settled enough that we can map to it now.
| AIDA-style obligation | What Ledgerline provides |
|---|---|
| Identification of the natural person or organization responsible for an AI system's output | Identity hierarchy ending at a human principal; every action carries the chain at decision time |
| Records sufficient for an audit of system use | Hash-chained, append-only audit log with policy and budget context per decision |
| Risk-mitigation controls before high-impact actions | Policy engine + per-action budget reservation + kill switch |
| Notification of material harm or malfunction | Audit query API surfaces denied actions and chain-integrity breaks; webhooks on policy-violation events |
European Union — AI Act
The EU AI Act applies risk-tiered obligations to "high-risk" AI systems. For autonomous agents that take consequential actions, several articles are directly relevant:
| EU AI Act obligation | What Ledgerline provides |
|---|---|
| Article 12 — Logging, automatic recording of events | Append-only, tamper-evident decision log with cryptographic integrity check |
| Article 13 — Transparency to deployers | Authorization-decision API returns reasons (which policy fired, which budget was hit) so the deployer's UI can surface them |
| Article 14 — Human oversight | Co-signer policies, threshold-based escalation, and instant kill-switch revocation |
| Article 15 — Accuracy, robustness, cybersecurity | Hash-chained audit; policy and budget enforcement applied at every action |
Canada — OSFI E-23 (Model Risk Management)
OSFI E-23 governs how federally regulated financial institutions manage model risk. AI agents that take financial actions are squarely in scope.
| OSFI E-23 expectation | What Ledgerline provides |
|---|---|
| Inventory of models and their use | Identity registry + policy attachments per identity; queryable inventory |
| Approval workflows before deployment | Policies are versioned, attributable to a human approver, and required at decision time |
| Ongoing monitoring of model behaviour | Audit log of every decision; anomaly review via export |
| Effective challenge / independent review | Audit log is read-only and hash-chained — independent reviewers can verify it without access to live systems |
United States — NYDFS Part 500
The NYDFS Cybersecurity Regulation (23 NYCRR Part 500) applies to many financial services entities operating in New York. Several of its controls are directly satisfied by Ledgerline primitives.
| 23 NYCRR 500 control | What Ledgerline provides |
|---|---|
| 500.06 — Audit trail | Hash-chained audit log retained per tenant policy |
| 500.07 — Access privileges | Identity revocation with cascade; periodic review queries |
| 500.09 — Risk assessment | Per-identity policy and budget posture is queryable as a snapshot for risk-assessment exercises |
SOC 2 trust service criteria
Ledgerline's design supports SOC 2 Type II audits both for the platform itself and for our customers' control attestations.
| TSC | How Ledgerline supports it |
|---|---|
| CC6 — Logical access controls | Identity hierarchy, revocation, privileged action audit |
| CC7 — System operations / monitoring | Authorization decisions and anomalies are surfaced via audit log and webhook |
| CC8 — Change management | Policy changes are versioned; identity tree is journaled |
| P — Privacy | Audit log is per-tenant and segregated; data export and erasure supported through tenant API |
Our own compliance posture
- SOC 2 Type I attestation: scoping in progress with our auditor as of Q2 2026.
- Incorporation: Canadian federal corporation. Toronto-headquartered.
- Data residency: control plane runs in Canadian regions for Canadian customers; multi-region available for design partners with specific requirements.
- Subprocessors: a short list, published in the customer trust portal under NDA. Notable mention: Lithic for card issuance.
If your procurement team needs a specific regulatory citation we haven't covered, write to [email protected]. The fastest way to get coverage added here is to ask.