How to Prove Compliance in AI-Generated Code

Max Gerhardson — Sat, 11 Apr 2026 01:45:56 +0000

How to Prove Compliance in AI-Generated Code

Every security tool tells you what's wrong. None prove what's right. Here's how compliance evidence maps change the audit conversation.

The Problem: AI Writes Code. Auditors Ask Questions.

84% of developers now use AI coding tools (Stack Overflow 2025). Claude Code, Cursor, and Copilot generate thousands of lines of code per week. That code ships to production, handles patient data, processes payments, and runs critical infrastructure.

Then the auditor arrives.

"Show me where you implement encryption at rest."

"Show me your audit logging for ePHI access."

"Show me evidence that your access controls meet SOC 2 CC6.1."

And the engineering team scrambles. Someone opens git blame. Someone searches Confluence. Someone opens a spreadsheet that was last updated three months ago. Six weeks later, the evidence package is assembled — manually, expensively, and probably incomplete.

This is broken. Not because the code is non-compliant, but because there's no automated way to prove it is.

Why Traditional Security Tools Don't Solve This

SAST tools like SonarQube, Semgrep, and Snyk find violations. They tell you "line 45 has an SQL injection vulnerability" or "this function uses MD5 hashing." That's valuable — but it's only half the picture.

When an auditor asks "show me where you implement audit logging," no existing tool can answer that question. They can tell you where audit logging is missing, but they can't point to the file and line where it's implemented.

This gap is the difference between:

Approach	What it tells you
Violation scanning	"You have 7 critical findings" (every tool does this)
Compliance evidence	"Your code satisfies 124 of 130 applicable requirements, with evidence at these locations" (nobody does this)

Introducing the Compliance Evidence Map

A compliance evidence map inverts the traditional scanner model. Instead of only finding what's wrong, it also identifies where your code satisfies each regulatory requirement — with the exact file, line number, and matched pattern.

For each rule in a compliance framework, the evidence map reports one of four statuses:

✅ Met — code evidence found that satisfies the requirement
❌ Violated — violations detected by the scanner
🔍 Manual Review — documentation obligation with no matching docs found
➖ Not Applicable — no files match the rule's scope

The coverage percentage tells you how many applicable requirements have verified implementations. An auditor can look at "87.2% coverage — 156 requirements met" and immediately understand your compliance posture.

How Evidence Collection Works

Different rule types generate evidence in different ways.

Required patterns become proof of implementation

Many compliance frameworks require specific capabilities to exist in your code. HIPAA requires audit logging. IEC 62304 requires configuration management. SOC 2 requires access controls.

When a required pattern rule finds the pattern in your code, that's evidence:

HIPAA-164.312-b (required_pattern): MET
  → middleware/audit.py:14 — Implements audit-logging-required: import logging
  → api/patients.py:3    — Implements audit-logging-required: import logging

The auditor sees exactly where audit logging is implemented, in which files, on which lines.

Violation rules prove clean code

For rules that check for vulnerabilities — SQL injection, hardcoded secrets, weak crypto — a clean scan across all files is evidence of compliance:

OWASP-A01-001 (regex): MET
  → (project-wide) — No violations of no-permissive-cors across 43 file(s)

Documentation detection satisfies process requirements

Many regulatory frameworks require documentation — risk management plans, data governance policies, security procedures. Sentrik searches your .md, .adoc, .rst, and .txt files for relevant keywords and links them to the requirement:

HIPAA-164.308-a1 (documentation_obligation): MET
  → docs/risk-analysis.adoc:14 — Documentation found matching: risk, analysis, vulnerabilities

If you write your risk management documentation in AsciiDoc and keep it in the repo, Sentrik finds it and links it to HIPAA §164.308(a)(1) automatically.

What This Looks Like in Practice

Here's a real example from a medical device API project scanned against HIPAA, OWASP, SOC 2, and IEC 62304 simultaneously:

$ sentrik compliance-map

Compliance Evidence Map
  Coverage:  87.2%
  Met:       156
  Violated:   18
  Manual:      0
  N/A:        33

Out of 207 applicable requirements across four frameworks:

156 have verified code or documentation evidence
18 have violations that need fixing
0 require manual review — all documentation obligations were satisfied by files in the repo

The HTML report groups results by framework, so the HIPAA auditor sees only HIPAA controls, and the SOC 2 auditor sees only Trust Services Criteria.

Smart Rules: Only Fire When Relevant

Not every rule applies to every project. HIPAA rules shouldn't fire on a fintech app. EU AI Act rules shouldn't fire on a project with no ML code.

Sentrik uses applies_when conditions to make rules contextual:

HIPAA rules only fire when code contains patient / health / medical / PHI keywords
EU AI Act rules only fire when PyTorch, TensorFlow, or other ML libraries are imported
PCI-DSS rules only fire when payment / credit card / merchant keywords are present

This eliminates false positives from irrelevant frameworks and keeps the evidence map focused on what actually applies to your project.

From Evidence Map to Audit Evidence

The evidence map is the foundation. On top of it, you can generate:

Output	Description
Per-framework compliance reports	Clause-by-clause status for a specific standard
Trust center page	Public-safe HTML showing compliance scores without code paths
Signed attestation	HMAC-SHA256 cryptographic proof of compliance state at a point in time
Auditor portal	Read-only access with time-limited tokens, no codebase access needed
Evidence export	ZIP bundle with findings, reports, and attestation for audit submission

sentrik trust-center --org "Your Company"
sentrik attest
sentrik auditor create --name "Jane Smith" --email jane@auditor.com

Getting Started

Sentrik's free tier includes SOC 2 and OWASP Top 10 — 99 rules with evidence mapping, no credit card required.

npm install -g sentrik
sentrik scan
sentrik compliance-map

The evidence map generates in seconds from your last scan. For HIPAA, IEC 62304, PCI-DSS, and other regulated frameworks, upgrade to the Team tier at $29/month.

Originally published at sentrik.dev

DEV Community: Max Gerhardson

How to Prove Compliance in AI-Generated Code

How to Prove Compliance in AI-Generated Code

The Problem: AI Writes Code. Auditors Ask Questions.

Why Traditional Security Tools Don't Solve This

Introducing the Compliance Evidence Map

How Evidence Collection Works

Required patterns become proof of implementation

Violation rules prove clean code

Documentation detection satisfies process requirements

What This Looks Like in Practice

Smart Rules: Only Fire When Relevant

From Evidence Map to Audit Evidence

Getting Started