Mapped to the obligations you already answer to
Each framework below shows the controls Verillian is designed to support. Control-by-control mappings are available for security and procurement review.
The obligations you map to
Each row pairs a framework with the controls Verillian is designed to support, so a reviewer can read straight down the list.
- CJIS v6.0Criminal justice information
- Tamper-evident audit chain, one-year retention, fail-closed on loss of audit. Built to CJIS Security Policy v6.0.
- HIPAAProtected health information
- Redaction before the boundary, customer-held keys, and six-year documentation retention. Built for HIPAA-regulated environments.
- FedRAMP / FISMAFederal information systems
- Deny-by-default policy, signed policy distribution, attribute-based access control.
- CMMC 2.0 / 800-171Controlled unclassified information
- Keys on the device, localized deployment, enforcement at the moment of execution.
- FERPA / COPPAStudent records
- Sensitive-data detection and blocking before student data reaches a provider. Detection is best-effort, and we do not claim it catches everything.
- GLBA / SOX / SR 11-7Financial services
- Model-activity evidence and policy enforcement across any AI tool or agent that reaches a provider.
aligned, not certified; certification status available on request
Designed to support the new federal AI executive order
On June 2, 2026, the federal government issued the Executive Order Promoting Advanced Artificial Intelligence Innovation and Security. Its detailed requirements, including expectations around covered models and benchmarking, are expected later in 2026 and are not yet final. Verillian is designed to support that direction the same way it supports the frameworks above: control the action, and hold the evidence. Aligned, not certified; no such certification exists yet.
- Control at the action layer
- Policy is enforced the moment an AI tool or agent acts, before anything crosses the boundary. As covered-model expectations take shape, the enforcement point is already where the action happens.
- Evidence on demand
- Every captured interaction is signed on the device and hash-chained, so what an AI system was asked and did can be produced and verified, not reconstructed after the fact.
- Mapped, not assumed
- As requirements are published, each can be expressed as a policy the sentinel enforces and an entry in the record that shows it held. The mapping becomes the evidence.
designed to support, not certified; requirements still emerging
Request a control-by-control mapping
We provide detailed mappings to support your security review and audit preparation.