Multi-vendor. Cryptographically signed. Local-first. Built for EU AI Act Article 12. The audit infrastructure your regulator can verify without trusting your AI vendor.
No demo required for first call. 30-minute consultation. We listen first.
Three regulatory layers are forcing change. SOC 2 Type II is now required by 66% of B2B buyers before vendor consideration, and AI agent activity is in scope. EU AI Act Article 12 record-keeping for high-risk systems is binding from December 2, 2027 (delayed from August 2, 2026 via the Digital Omnibus, finalized May 7, 2026), with penalties up to €15M or 3% of worldwide annual turnover, whichever is higher. The Colorado AI Act takes effect June 30, 2026, with similar requirements for any company doing business in Colorado.
The procurement clock is faster than the regulatory clock. Enterprise vendor selection cycles run 6 to 18 months. Buyers preparing for Dec 2027 compliance are shopping now. Buyers facing SOC 2 Type II audits this year cannot wait.
Most existing audit tools were designed for generic SaaS logging. They store events in the vendor's cloud, the vendor signs them, and the vendor attests to integrity. For a regulator, that's a problem: vendor self-attestation is not regulator-acceptable evidence. Independent third-party verification is the entire point of an audit trail.
A regulated enterprise running AI agents emits OpenTelemetry traces into SteelSpine. The receiver signs and chains every event. At audit time, one command generates the regulator-verifiable deliverable.
Three commands. Hours to implement, regulator-verifiable. No vendor self-attestation required. The chain proves itself.
SteelSpine was designed clause by clause against Article 12. These four properties are the ones most named competitors miss.
Every event carries an HMAC-SHA256 tag and is linked into a hash chain whose links are signed with Ed25519. The HMAC is checked by whoever holds the secret key; the Ed25519 signatures are what an auditor checks with the public key alone, on their own machine. No SteelSpine install needed. No trust in the AI vendor required. The chain proves itself.
Works with Claude, OpenAI, Gemini, local LLMs, and 50+ frameworks via the OpenTelemetry receiver. One signed audit log captures every decision regardless of which model produced it. No vendor lock-in. No patchwork to reconcile.
Audit logs are stored on systems you control. No vendor cloud dependency. No cross-border data residency complications. Banking, healthcare, defense, and air-gapped deployments are first-class, not exceptions.
Optional ML-DSA-65 (NIST FIPS 204) post-quantum signing for audits that must remain valid past 2030. RFC 3161 timestamping via eIDAS qualified trust service providers (QTSPs on the EU Trusted List) for EU legal recognition. Article 12 retention windows often extend past the expected lifetime of today's signature algorithms. SteelSpine plans for that.
The audit-trail category is filling in fast. Here is where SteelSpine differs from what the major players ship today.
| Property | Anthropic Claude Managed Agents | Cloud-first GRC platforms (OneTrust, Credo AI, Modulos, Holistic AI) | SteelSpine |
|---|---|---|---|
| Works with | Claude only | Generic logs, any source | Multi-vendor: Claude, OpenAI, Gemini, local, 50+ frameworks |
| Where logs live | Claude Console + self-hosted sandboxes | Vendor cloud (most) | Local-first by default. Air-gap supported. |
| Cryptographic signing | Not announced | Most: no | HMAC-SHA256 + Ed25519 chain. ML-DSA-65 post-quantum option. |
| Independent verifiability | Anthropic self-attests | Vendor self-attests | Regulator runs verify-run with public key. No vendor needed. |
| EU AI Act Article 12 specific | Generic audit log | Generic GRC coverage | Clause-by-clause design. --compliance-html auditor deliverable. |
| Article 14 human oversight gate | Not built-in | Workflow tools, not pre-execution gate | --require-approval pauses runs before execution. Decline is part of the audit trail. |
| RFC 3161 / eIDAS timestamping | No | Rare | Auto-enabled with compliance_mode. Sectigo TSA default; TSA is configurable. Legal effect under eIDAS Article 41 requires a qualified timestamp from a QTSP, so confirm the configured TSA qualifies before relying on it as EU evidence. |
For the full clause-by-clause Article 12 mapping plus ISO 42001, NIST AI RMF, and AIUC-1 coverage, see the technical compliance guide.
The proof that an audit chain meets Article 12 is in the verification path. Here is exactly what a compliance officer or external auditor does with a SteelSpine deployment, on their own machine, without trusting the AI vendor.
1. Your team exports a portable audit packet covering the period under review:
steelspine pack-create <event_index>
2. The packet is a single signed .spine.tgz file. Send it to the auditor.
3. The auditor verifies independently on their own machine using only the public key:
steelspine pack-verify <packet.spine.tgz>
4. The verifier independently checks every event's hash chain link, every Ed25519 signature, and (if compliance_mode was on) every RFC 3161 timestamp from the qualified TSA. Any tampering, removal, or reordering produces a hard fail with a specific event ID.
5. For the regulator-facing deliverable, the same verification is rendered as a report:
steelspine verify-run --compliance-html > article_12_audit.html
A self-contained HTML file the regulator opens in any browser. Per-run integrity check, compliance tag block, hash chain head, public key signature, pass/fail verdict.
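As an added illustration of the verification path above, here is a minimal receiver and public-key-only verifier in Go. This is example code written for this page, not SteelSpine's own implementation; the record layout, the link hash (SHA-256 over index, previous hash and payload), the fixed keys and the sample events are all assumptions made for the example. It shows two things the steps describe but do not spell out: the HMAC tag can only be checked by the holder of the secret key, so the auditor's independent check rests entirely on the Ed25519 signatures over the chain; and a chain on its own cannot reveal that its newest events were deleted, which is why the packet must publish the chain head (and why timestamping it matters).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Event is one sealed audit record. This layout is an assumption for the example;
// the page does not show SteelSpine's real on-disk format.
type Event struct {
	Index    uint64 // position in the chain; reported as the event ID on failure
	Payload  string // serialised OTLP-derived record
	PrevHash []byte // link hash of the predecessor; 32 zero bytes for the first event
	MAC      []byte // HMAC-SHA256 over the link hash: checkable only with the secret key
	Sig      []byte // Ed25519 signature over the link hash: checkable with the public key alone
}

// linkHash = SHA-256(8-byte big-endian index || 32-byte prev hash || payload).
// Fixed-width prefixes keep the encoding unambiguous without separators.
func linkHash(e *Event) []byte {
	var idx [8]byte
	binary.BigEndian.PutUint64(idx[:], e.Index)
	h := sha256.New()
	h.Write(idx[:])
	h.Write(e.PrevHash)
	h.Write([]byte(e.Payload))
	return h.Sum(nil)
}

// Receiver is the signing side: it holds the secret HMAC key and the Ed25519 private key.
type Receiver struct {
	macKey  []byte
	signKey ed25519.PrivateKey
	Chain   []Event
	Head    []byte // link hash of the newest event; publish or timestamp it to catch truncation
}

func (r *Receiver) PublicKey() ed25519.PublicKey { return r.signKey.Public().(ed25519.PublicKey) }

// Append seals one event and advances the head.
func (r *Receiver) Append(payload string) {
	e := Event{Index: uint64(len(r.Chain)), Payload: payload, PrevHash: r.Head}
	link := linkHash(&e)
	m := hmac.New(sha256.New, r.macKey)
	m.Write(link)
	e.MAC, e.Sig = m.Sum(nil), ed25519.Sign(r.signKey, link)
	r.Chain, r.Head = append(r.Chain, e), link
}

// VerifyChain is the auditor-side check: public key only, plus the expected head hash
// shipped with the packet (nil skips that check and leaves tail truncation undetected).
// Returns -1 when the chain is intact, otherwise the index of the first failing event.
func VerifyChain(pub ed25519.PublicKey, chain []Event, expectedHead []byte) (int, error) {
	prev := make([]byte, 32)
	for i := range chain {
		e := &chain[i]
		if e.Index != uint64(i) {
			return i, fmt.Errorf("event %d: record claims index %d: reordered or removed", i, e.Index)
		}
		if !bytes.Equal(e.PrevHash, prev) {
			return i, fmt.Errorf("event %d: prev-hash mismatch: predecessor altered or removed", i)
		}
		link := linkHash(e)
		if !ed25519.Verify(pub, link, e.Sig) {
			return i, fmt.Errorf("event %d: Ed25519 signature invalid: content altered", i)
		}
		prev = link
	}
	if expectedHead != nil && !bytes.Equal(prev, expectedHead) {
		return len(chain), fmt.Errorf("head mismatch after event %d: trailing events removed", len(chain)-1)
	}
	return -1, nil
}

// SampleReceiver builds a three-event chain from fixed, constructed key material so
// the example is deterministic. Real deployments generate both keys randomly.
func SampleReceiver() *Receiver {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	r := &Receiver{macKey: []byte("constructed-hmac-key"), signKey: ed25519.NewKeyFromSeed(seed), Head: make([]byte, 32)}
	r.Append(`{"agent":"claude-code","tool":"Bash","cmd":"ls"}`)
	r.Append(`{"agent":"openai","tool":"http","url":"https://example.invalid"}`)
	r.Append(`{"agent":"local-llm","decision":"declined","approver":"jdoe"}`)
	return r
}

func main() {
	r := SampleReceiver()
	tampered := append([]Event(nil), r.Chain...) // copy the records, then alter one
	tampered[1].Payload = `{"agent":"openai","tool":"http","url":"https://attacker.invalid"}`
	_, intact := VerifyChain(r.PublicKey(), r.Chain, r.Head)
	_, altered := VerifyChain(r.PublicKey(), tampered, r.Head)
	fmt.Println("intact:", intact, "| tampered:", altered)
}
```

The check order matters: the index test catches removal and reordering before any signature is examined, the previous-hash test catches an altered predecessor, and the signature test catches altered content, so the reported event ID is the first point where the chain stops agreeing with itself. The MAC is stored but deliberately not verified here, since an outside auditor has no secret key; an operator-side check would recompute it the same way Append does. Drop the last record and pass nil as the head to see the one case the chain alone cannot catch.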
SteelSpine integrates with the four tools defining modern AI engineering in 2026. Native OpenTelemetry ingest plus 50+ supported agent frameworks means audit coverage across the actual production stack, not just the demo.
Claude Code (Anthropic's CLI agent) emits OpenTelemetry signals natively. Set CLAUDE_CODE_ENABLE_TELEMETRY=1 and point OTEL_EXPORTER_OTLP_ENDPOINT at SteelSpine. Every tool call, every token, every session is captured into the signed audit chain. Zero patches.
steelspine watch passively observes Docker containers, log files, systemd services, and process trees. Agents running inside containers emit OTLP to SteelSpine running outside. The audit chain spans the boundary cleanly.
steelspine compare --strict exits with code 2 when a new agent run is a regression versus baseline. Drop it into GitHub Actions, GitLab CI, or Jenkins. Full CI/CD recipe at /docs/ci-cd.html. Audit evidence travels with the PR.
Cursor emits AI vs human code attribution as agent-trace JSON records. The SteelSpine Cursor adapter watches a repo for these records, parses them, and emits each contribution as a signed event in your audit chain. See /integrations/cursor.html for setup.
Plus 50+ OpenTelemetry-instrumented frameworks: LangChain, LangGraph, CrewAI, LlamaIndex, OpenAI Agents SDK, Haystack, DSPy, and any agent that emits OTLP. Set OTEL_EXPORTER_OTLP_ENDPOINT and you are integrated.
Does SteelSpine replace our SOC 2 / ISO 27001 / ISO 42001 program?
No. SteelSpine is a logging and verification layer. It satisfies the record-keeping clauses of EU AI Act Article 12, the operational evidence controls of ISO 42001 Annex A, and the MEASURE/MANAGE functions of the NIST AI RMF. It does not replace your impact assessments, fundamental rights assessments, conformity assessments, or governance program. Combine it with those. The technical guide details the exact control mapping.
Can SteelSpine run fully air-gapped for banking or defense deployments?
Yes. SteelSpine is local-first by default. No outbound network is required for capture, signing, storage, or verification. The optional RFC 3161 timestamping requires reaching an external Timestamp Authority, which can be configured to use an internal TSA, deferred batch timestamping, or disabled entirely with --no-notarize.
How does this compare to Anthropic's Claude Managed Agents audit logs (announced May 2026)?
Anthropic's audit logs are vendor self-attested, Claude-only, and stored in the Claude Console or self-hosted sandboxes. They validate that AI agent audit trails matter, which sharpens the market thesis. For a multi-vendor agent stack (Claude + OpenAI + local models, common in production) Anthropic's logs cover only the Claude portion. Independent regulator verifiability, the structural point of Article 12, is not addressable by the vendor whose product is being audited.
What about our existing SIEM, observability platform, or logging stack?
SteelSpine forwards via OpenTelemetry, so events flow into Splunk, Datadog, Elastic, Honeycomb, or any OTLP-compatible system. The difference is the cryptographic chain travels with the event. Your existing observability stack keeps doing what it does; SteelSpine adds the regulator-verifiable layer on top.
Is there a pilot or proof-of-concept option?
Yes. The standard enterprise engagement opens with a 30 to 60 day pilot where SteelSpine is deployed against a non-production agent or workflow of your choice. Your security and audit teams run their evaluation. Pricing and contract terms follow successful pilot acceptance. We discuss pilot scope on the first call.
Who is behind SteelSpine?
SteelSpine is built by Felps Enterprises Inc., an Ontario, Canada company. Founder: Jeremy Felps (LinkedIn). Patents pending on the cryptographic event chain method.
The first call is a 30-minute discovery conversation. No product demo, no sales pitch. We listen to your current audit setup, your Article 12 exposure, and your regulatory timeline. From there we determine whether SteelSpine is the right fit before either of us invests further time.
Prefer email? Reach us directly at hello@steelspine.ai.