Compliance mappings

Mapped to the obligations you already answer to

Each framework below shows the controls Verillian is designed to support. Control-by-control mappings are available for security and procurement review.

Frameworks/ 01

The obligations you map to

Each row pairs a framework with the controls Verillian is designed to support, so a reviewer can read straight down the list.

CJIS v6.0Criminal justice information
Tamper-evident audit chain, one-year retention, fail-closed on loss of audit. Built to CJIS Security Policy v6.0.
HIPAAProtected health information
Redaction before the boundary, customer-held keys, and six-year documentation retention. Built for HIPAA-regulated environments.
FedRAMP / FISMAFederal information systems
Deny-by-default policy, signed policy distribution, attribute-based access control.
CMMC 2.0 / 800-171Controlled unclassified information
Keys on the device, localized deployment, enforcement at the moment of execution.
FERPA / COPPAStudent records
Sensitive-data detection and blocking before student data reaches a provider. Detection is best-effort, and we do not claim it catches everything.
GLBA / SOX / SR 11-7Financial services
Model-activity evidence and policy enforcement across any AI tool or agent that reaches a provider.

aligned, not certified; certification status available on request

Emerging federal AI policy/ 02

Designed to support the new federal AI executive order

On June 2, 2026, the federal government issued the Executive Order Promoting Advanced Artificial Intelligence Innovation and Security. Its detailed requirements, including expectations around covered models and benchmarking, are expected later in 2026 and are not yet final. Verillian is designed to support that direction the same way it supports the frameworks above: control the action, and hold the evidence. Aligned, not certified; no such certification exists yet.

Control at the action layer
Policy is enforced the moment an AI tool or agent acts, before anything crosses the boundary. As covered-model expectations take shape, the enforcement point is already where the action happens.
Evidence on demand
Every captured interaction is signed on the device and hash-chained, so what an AI system was asked and did can be produced and verified, not reconstructed after the fact.
Mapped, not assumed
As requirements are published, each can be expressed as a policy the sentinel enforces and an entry in the record that shows it held. The mapping becomes the evidence.

designed to support, not certified; requirements still emerging

Request a control-by-control mapping

We provide detailed mappings to support your security review and audit preparation.