An auditor walks in and asks for evidence that your AI agents are governed. You have signing data scattered across API responses, CSVs from different time ranges, and a vague explanation of how your Merkle verification works. Good luck putting that together under time pressure.
This is the compliance evidence problem. You have the data, but packaging it into something an auditor can actually verify takes hours of manual work.
Compliance bundles in asqav 0.2.11
The new export_bundle function takes a list of signatures and a compliance framework identifier, then returns a self-contained JSON document with a Merkle root. One file. Everything an auditor needs.
```python
import asqav

asqav.init(api_key="sk_...")
agent = asqav.Agent.create("compliance-demo")

# Collect signatures from your agent pipeline
signatures = []
signatures.append(agent.sign("sql-read", {"query": "SELECT * FROM users"}))
signatures.append(agent.sign("http-external", {"endpoint": "api.openai.com"}))
signatures.append(agent.sign("file-write", {"path": "/reports/q1.pdf"}))

# Package into a compliance bundle
bundle = asqav.export_bundle(signatures, "eu_ai_act_art12")
bundle.to_file("audit-q1-2026.json")
```
The output JSON contains the framework metadata, every signature receipt, individual receipt hashes, and a Merkle root computed over all of them. An auditor can independently verify the root by re-hashing the receipts.
Four supported frameworks
The framework parameter accepts four values out of the box:
- eu_ai_act_art12 - EU AI Act Article 12 record-keeping requirements
- eu_ai_act_art14 - EU AI Act Article 14 human oversight requirements
- dora_ict - Digital Operational Resilience Act (DORA) for financial services
- soc2 - SOC 2 Type II audit evidence
Each framework maps to specific metadata that gets embedded in the bundle, so the auditor knows exactly which standard the evidence targets.
What is in the bundle
The ComplianceBundle dataclass gives you several ways to work with the data:
```python
# Inspect before saving
print(bundle.merkle_root)   # SHA-256 Merkle root
print(bundle.receipt_count) # Number of signatures included
print(bundle.framework)     # "eu_ai_act_art12"

# Export options
bundle.to_file("audit.json") # Write to disk
json_str = bundle.to_json()  # Get JSON string
data = bundle.to_dict()      # Get plain dict
```
The verification section of the JSON includes the Merkle root, the hash algorithm (SHA-256), and individual receipt hashes so anyone can rebuild the tree and confirm nothing was tampered with.
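As an added example (not asqav's own code), here is an auditor-side verifier that rebuilds the Merkle root from a bundle's receipts and flags any receipt whose hash no longer matches. The bundle field names and the tree construction (SHA-256 over each receipt's canonical JSON as leaves, digest bytes concatenated pairwise, an odd trailing node paired with itself) are assumptions, since the post does not specify them.

```python
import hashlib
import json

# Assumed Merkle construction (not asqav's documented algorithm): leaf = SHA-256 of the
# receipt's canonical JSON; inner = SHA-256(left || right); odd trailing node is duplicated.

def receipt_hash(receipt: dict) -> str:
    canonical = json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

def merkle_root(leaf_hashes: list[str]) -> str:
    if not leaf_hashes:
        raise ValueError("cannot build a Merkle root over zero receipts")
    level = [bytes.fromhex(h) for h in leaf_hashes]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest() for i in range(0, len(level), 2)]
    return level[0].hex()

def verify_bundle(bundle: dict) -> tuple[bool, list[str]]:
    """Auditor-side check: recompute every receipt hash and the root, report what differs."""
    verification = bundle["verification"]
    problems = []
    if verification["hash_algorithm"] != "sha256":
        problems.append("unexpected hash algorithm")
    recomputed = [receipt_hash(r) for r in bundle["receipts"]]
    if len(recomputed) != len(verification["receipt_hashes"]):
        problems.append("receipt count does not match receipt_hashes")
    for i, (got, claimed) in enumerate(zip(recomputed, verification["receipt_hashes"])):
        if got != claimed:
            problems.append(f"receipt {i} hash mismatch")
    if merkle_root(recomputed) != verification["merkle_root"]:
        problems.append("merkle root mismatch")
    return (not problems, problems)

# Constructed sample bundle; field names are assumptions modelled on the post's description.
RECEIPTS = [
    {"agent": "compliance-demo", "action": "sql-read", "payload": {"query": "SELECT * FROM users"}},
    {"agent": "compliance-demo", "action": "http-external", "payload": {"endpoint": "api.openai.com"}},
    {"agent": "compliance-demo", "action": "file-write", "payload": {"path": "/reports/q1.pdf"}},
]
LEAVES = [receipt_hash(r) for r in RECEIPTS]
SAMPLE_BUNDLE = {"framework": "eu_ai_act_art12", "receipts": RECEIPTS, "verification": {
    "hash_algorithm": "sha256", "receipt_hashes": LEAVES, "merkle_root": merkle_root(LEAVES)}}

def tampered_copy(bundle: dict) -> dict:
    """Alter one receipt after the fact, leaving the stored hashes and root untouched."""
    copy = json.loads(json.dumps(bundle))
    copy["receipts"][0]["payload"]["query"] = "SELECT id FROM users"
    return copy
```

Because the stored hashes and root are not recomputed by the tampering, both the per-receipt check and the root check fail, which is the property the auditor relies on.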
How it fits into a real workflow
You probably already have signatures from your agent pipeline. The typical flow looks like this:
- Your agents run and sign actions through asqav (LangChain, CrewAI, whatever framework you use)
- At the end of an audit period, pull signatures via asqav.export_audit_json()
- Feed them into asqav.export_bundle(signatures, "eu_ai_act_art12")
- Hand the auditor one JSON file
No more exporting CSVs. No more explaining your signing pipeline. The bundle is self-describing and independently verifiable.
Getting started
```shell
pip install asqav==0.2.11
```
The compliance module works entirely client-side. Merkle root computation happens locally using SHA-256, so no extra API calls are needed beyond the signatures you already have.