Open Framework · Version 1.0 Draft

Signatrust Compliance & Governance Framework

An open framework for verifiable AI accountability — receipts, chain of custody, human oversight tiers, risk classification and independent verification, aligned with the EU AI Act, ISO/IEC 42001, ISO/IEC 27001 and the NIST AI RMF.

Published: June 2026 · Spec status: Open draft · Issuer: Signatrust · License: CC BY 4.0

1. Purpose

The purpose of this framework is to establish a standardized approach for creating, verifying, auditing, and governing AI Decision Receipts (ADR).

The framework aims to improve:

  • Accountability
  • Traceability
  • Auditability
  • Risk Management
  • Regulatory Readiness
  • Trust in Autonomous AI Systems

… without requiring disclosure of prompts, outputs, proprietary models, or sensitive business data.

2. Scope

This framework applies to:

  • AI Agents
  • Autonomous Systems
  • Agentic Workflows
  • Decision Support Systems
  • Multi-Agent Environments
  • Human-AI Hybrid Systems

… across public and private sectors.

3. Core Principles

3.1 Verifiability

Every recorded AI action shall be independently verifiable.

3.2 Integrity

Recorded receipts shall be cryptographically protected against unauthorized modification.

3.3 Privacy

Verification must not require disclosure of confidential business information.

3.4 Interoperability

Receipt formats shall remain platform-neutral and vendor-neutral.

3.5 Human Accountability

Human oversight responsibilities must remain identifiable and auditable.

Regulatory clock — where the EU AI Act stands today

On 7 May 2026 the European Council adopted the Digital Omnibus, postponing most high-risk enforcement dates. The widely-cited August 2026 deadline no longer applies. The obligations that are already binding require years of audit history when regulators come asking — and that history can only be built one signed decision at a time.

In force now
2 Feb 2025

Article 5 — prohibited practices

Manipulation, social scoring, real-time biometric ID, emotion inference at work and school. Fines up to €35M or 7% global turnover.

In force now
2 Aug 2025

GPAI model obligations

Technical documentation, training-data summaries, copyright policies; adversarial testing for systemic-risk models.

Postponed
2 Dec 2027

Annex III — high-risk

Credit, employment, education, essential services, law enforcement, migration. Postponed from Aug 2026 by the Digital Omnibus.

Postponed
2 Aug 2028

Annex I — embedded high-risk

AI as a safety component of products under EU harmonisation law: medical devices, machinery, in-vitro diagnostics, lifts, toys.

Sources: Regulation (EU) 2024/1689; Digital Omnibus political agreement, 7 May 2026. Always confirm dates against the Official Journal and your own counsel.


4. AI Decision Receipt Standard

Each receipt should contain:

Mandatory Fields

  • Receipt ID
  • Timestamp
  • Agent Identifier
  • Action Type
  • Permission Scope
  • Policy Version
  • System Identifier
  • Cryptographic Signature

Optional Fields

  • Human Reviewer ID
  • Risk Classification
  • Confidence Score
  • Workflow Identifier
  • Previous Receipt Hash

5. Chain of Custody Model

Every receipt should be capable of linking to previous receipts through cryptographic hash references.

Objectives:

  • Tamper Evidence
  • Event Continuity
  • Historical Verification
  • Independent Auditability

6. Identity Requirements

Organizations should maintain:

  • Agent identities
  • System identities
  • Human approver identities

Every action must be attributable to a uniquely identifiable actor.

7. Human Oversight Controls

The framework defines three oversight levels:

Level 1

Fully automated actions.

Level 2

Human review available on demand.

Level 3

Human approval required before execution.

Receipt records should indicate applicable oversight levels.

8. Risk Classification Framework

Organizations should classify AI actions according to operational impact.

Suggested categories:

Low Risk

Routine operational actions.

Medium Risk

Actions affecting customers or business processes.

High Risk

Actions affecting legal, financial, healthcare, safety, employment, or regulated outcomes.

9. Audit Requirements

Organizations implementing this framework should maintain:

  • Receipt archives
  • Verification logs
  • Policy histories
  • Identity records
  • Cryptographic verification records

10. Privacy Requirements

Implementations of the framework should avoid storing:

  • Personal prompts
  • Sensitive business content
  • Model internals
  • Customer confidential information

… unless explicitly required by law or organizational policy.

11. Security Requirements

Recommended controls:

  • Ed25519 digital signatures
  • Hash chaining
  • Secure key management
  • Role-based access control
  • Cryptographic verification services

12. Alignment with Governance Frameworks

This framework is intended to complement:

EU AI Act

Supporting:

  • Traceability
  • Logging
  • Governance
  • Post-market monitoring
  • Accountability

ISO/IEC 42001

Supporting AI management systems.

ISO/IEC 27001

Supporting information security governance.

NIST AI Risk Management Framework

Supporting governance, measurement, and oversight functions.

13. Trust Passport Concept

Organizations may aggregate receipt history into a Trust Passport.

Potential indicators:

  • Verification Success Rate
  • Human Oversight Rate
  • Incident History
  • Policy Compliance Rate
  • Risk Exposure Metrics

14. Insurance Readiness

The framework may support future insurance assessment by providing:

  • Verifiable historical records
  • Governance evidence
  • Operational risk indicators
  • Audit documentation

15. Independent Verification

Any authorized third party should be capable of verifying:

  • Receipt authenticity
  • Signature validity
  • Chain integrity
  • Identity consistency

… without requiring access to internal systems.

16. Future Standardization

The framework is intended as an open proposal for discussion among:

  • Standards bodies
  • Regulators
  • Researchers
  • Auditors
  • Insurers
  • AI Governance Professionals

Future revisions may evolve into a formal interoperability standard.

Conclusion

Trustworthy AI requires more than model performance.

Organizations increasingly need verifiable evidence regarding how AI systems operate, act, and make decisions.

AI Decision Receipts provide a potential foundation for establishing that evidence while preserving privacy, interoperability, and independent verification.

Annex A — Verify this framework live

Signatrust operates a reference implementation of this framework. Anyone can issue, sign, and independently verify AI Decision Receipts at:

© 2026 Signatrust. This framework is published under CC BY 4.0 — free to share and adapt with attribution.