Your teams are deploying AI agents. When an auditor, a customer questionnaire, or the EU AI Act asks "what are these agents actually doing — and who authorized it?", this kit is how you answer with evidence instead of a spreadsheet. It pairs with our methodology whitepaper and the broader question we keep returning to: who audits the agents?
Methodology whitepaper · a 5-framework control crosswalk · a sample evidence pack. No spam — this is a demand check; we'd genuinely like to know who finds it useful.
Prefer email? Write [email protected].
The agent inventory and the finding count are committed together (a Merkle root with the count bound in), so a reviewer can confirm that no finding was dropped after the fact — the basis for the auditable proof chains we use.
Findings are content-hashed and the report is signed. Change one character and the hash no longer matches — the same signing discipline behind agent trust via Nostr proofs and verifiable agent delegation.
No BlindOracle key or API access is needed. The evidence pack ships with a key-free verifier: your auditor re-computes the hashes and confirms the signature without any BlindOracle secret or API. This is the design goal we describe in agents without surveillance — verify the math, not the vendor. New to the model? Start with how it works.
Optional and off by default: the integrity root can be anchored to independent public witnesses for a notarized timestamp. Most compliance teams don't need it — the signed, hashed, key-free-verifiable pack already satisfies chain-of-custody. The broader trust stack is covered in the trust gap in the agent economy.
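To make the three mechanisms above concrete (a Merkle root with the finding count bound in, content-hashed findings, and a signed report that an auditor verifies without any vendor secret), here is a self-contained Go program added as an illustration. It is not BlindOracle's code or the actual verifier: the finding fields, the pack layout, the hash construction (SHA-256, 0x00/0x01 leaf and node prefixes, the big-endian count prepended to the tree root) and the choice of Ed25519 are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Finding is one audit finding; the field set is an assumption for this example.
type Finding struct {
	Control  string `json:"control"`
	State    string `json:"state"`
	Severity string `json:"severity"`
}

// Pack is the evidence pack handed to the auditor (hypothetical layout). It
// deliberately carries no signer key: the verifier takes a pinned public key.
type Pack struct {
	Findings  []Finding `json:"findings"`
	Count     uint64    `json:"finding_count"` // bound into the integrity root
	Root      string    `json:"integrity_root"`
	Signature string    `json:"signature"`
}

// merkleRoot builds a binary SHA-256 tree over 0x00-prefixed leaf hashes, with
// interior nodes prefixed 0x01. An odd level duplicates its last node, so a list
// and that list with its final entry repeated share a root: that is exactly why
// the finding count is bound in separately.
func merkleRoot(leaves [][32]byte) [32]byte {
	if len(leaves) == 0 {
		return sha256.Sum256(nil) // empty inventory
	}
	level := append([][32]byte(nil), leaves...)
	for len(level) > 1 {
		if len(level)%2 == 1 {
			level = append(level, level[len(level)-1])
		}
		next := make([][32]byte, 0, len(level)/2)
		for i := 0; i < len(level); i += 2 {
			next = append(next, sha256.Sum256(append(append([]byte{0x01}, level[i][:]...), level[i+1][:]...)))
		}
		level = next
	}
	return level[0]
}

// integrityRoot content-hashes every finding and commits inventory and count
// together as H(count_be64 || merkle). encoding/json writes struct fields in
// declaration order, so the leaf encoding is canonical.
func integrityRoot(findings []Finding) [32]byte {
	leaves := make([][32]byte, len(findings))
	for i, f := range findings {
		b, _ := json.Marshal(f)
		leaves[i] = sha256.Sum256(append([]byte{0x00}, b...))
	}
	m := merkleRoot(leaves)
	var cnt [8]byte
	binary.BigEndian.PutUint64(cnt[:], uint64(len(findings)))
	return sha256.Sum256(append(cnt[:], m[:]...))
}

// BuildPack is the signer's side: commit, then sign the root with a private key
// that never leaves the signer.
func BuildPack(priv ed25519.PrivateKey, findings []Finding) Pack {
	root := integrityRoot(findings)
	return Pack{Findings: findings, Count: uint64(len(findings)),
		Root:      hex.EncodeToString(root[:]),
		Signature: hex.EncodeToString(ed25519.Sign(priv, root[:]))}
}

// VerifyPack is the key-free verifier: no secret and no vendor API, only the pack
// and the signer's public key obtained out of band. Every hash is recomputed from
// the findings themselves, so the pack's own root field is checked, not trusted.
func VerifyPack(p Pack, pinned ed25519.PublicKey) error {
	if uint64(len(p.Findings)) != p.Count {
		return errors.New("finding count does not match committed count")
	}
	root := integrityRoot(p.Findings)
	if hex.EncodeToString(root[:]) != p.Root {
		return errors.New("integrity root mismatch: a finding was edited, added, dropped or reordered")
	}
	sig, err := hex.DecodeString(p.Signature)
	if err != nil || !ed25519.Verify(pinned, root[:], sig) {
		return errors.New("signature does not verify against the pinned key")
	}
	return nil
}

func main() { // constructed sample: the verifier rejects a pack with a finding dropped
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pack := BuildPack(priv, []Finding{{"ASI04", "No SBOM", "high"}, {"ASI06", "No memory provenance", "medium"}})
	fmt.Println("intact:", VerifyPack(pack, pub))
	pack.Findings, pack.Count = pack.Findings[:1], 1 // finding dropped, count "fixed up"
	fmt.Println("dropped:", VerifyPack(pack, pub))
}
```

Two design points carry the weight here. The signer's public key is an input to the verifier rather than a field in the pack, because a pack that ships its own key can be rebuilt and re-signed by anyone; the auditor pins the key once (from a published source) and the verifier needs nothing else. And the count is hashed in next to the tree root because the common duplicate-last-leaf Merkle construction gives an n-entry list and the same list with its last entry repeated an identical tree, so the tree alone cannot prove how many findings were committed.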
Each OWASP ASI Top-10 (2026) finding maps to controls across four other frameworks. This is the actual mapping our compliance engine applies — drop it straight into an ISO 42001 Annex or NIST AI RMF evidence file. For a real example, see the worked crosswalk; for how the control checks are wired in code, the compliance-hook codewalk walks it line by line.
| OWASP ASI | Risk | NIST AI RMF | ISO 42001 clause | CSA AICM domain | MAESTRO |
|---|---|---|---|---|---|
| ASI01 | Agent Goal Hijacking | GOVERN, MAP, MEASURE | 6 Planning / 9 Performance | Risk Mgmt / System Integrity | Prompt Injection |
| ASI02 | Tool Misuse | MAP, MEASURE | 8 Operation | Operations Security | Tool Abuse |
| ASI03 | Identity & Privilege Abuse | GOVERN, MANAGE | 7 Support | Access / Identity Mgmt | Identity & Access |
| ASI04 | Supply Chain | MAP | 7 Support | Supply Chain | Supply Chain |
| ASI05 | Code Execution | MEASURE, MANAGE | 8 Operation | Operations Security | Tool Abuse |
| ASI06 | Memory Poisoning | MEASURE, MANAGE | 8 Operation | Data Protection | Data Poisoning |
| ASI07 | Inter-Agent Comms | MEASURE, MANAGE | 8 Operation | Communication Security | Communication |
| ASI08 | Cascading Failures | MAP, MANAGE | 4 Context | Incident Response | Cascading |
| ASI09 | Trust Exploitation | GOVERN | 5 Leadership | AI Governance | Trust |
| ASI10 | Rogue Agents | GOVERN | 5 Leadership | AI Governance / System Integrity | Rogue Behavior |
Coverage rule: a category is "covered" when residual risk is below medium (< 4.0 / 10). Frameworks: OWASP Agentic Top-10 (2026), NIST AI RMF 1.0, ISO/IEC 42001, CSA AI Controls Matrix (243 controls / 18 domains), MAESTRO. Regulatory context for why this matters now: the legal agent stack and the Wyoming wrapper architecture.
What a finished audit returns. The percentages below are a representative example, not figures from a specific customer.
| Control | Current state | Severity | Remediation |
|---|---|---|---|
| ASI04 — Supply Chain | No SBOM, partially pinned deps | high | SBOM + dependency pinning + vuln scanning (~24h) |
| ASI06 — Memory Poisoning | No provenance tracking on memory writes | medium | Provenance + write-isolation (~40h) |
| ASI03 — Identity Abuse | Delegation not cryptographically attributed | high | Signed delegation chain — see verifiable agent delegation |
| # | Action | Frameworks improved | Effort |
|---|---|---|---|
| 1 | Supply-chain controls (SBOM, pinning, scanning) | OWASP +10% · NIST +5% · ISO +7% | ~24h |
| 2 | Memory provenance + isolation — see CaMeL content-trap security | OWASP +10% · NIST +5% | ~40h |
| 3 | Signed delegation attribution | OWASP +10% · ISO +7% | ~16h |
The verifier confirms hashes and signatures with no BlindOracle key or API. That's the difference between "trust our PDF" and "verify it yourself." We run this on our own fleet and publish the result — the self-audit is the credential. Background: the agent security crisis and trusting an agent you've never met.
An audit is one piece of a working agent economy. Adjacent reading: when agents pay agents (settlement + the trust envelope) and the how-to on BlindOracle (onboard, get audited, transact). Pricing for a managed audit is on the pricing page.
No cost, no commitment. We'll inventory one agent, map findings to your framework, and hand back a verifiable evidence pack. 20 minutes to scope it.
Book a free audit →