How to Prove Compliance in AI-Generated Code
Every security tool tells you what's wrong. None prove what's right. Here's how compliance evidence maps change the audit conversation.
The Problem: AI Writes Code. Auditors Ask Questions.
84% of developers now use AI coding tools (Stack Overflow 2025). Claude Code, Cursor, and Copilot generate thousands of lines of code per week. That code ships to production, handles patient data, processes payments, and runs critical infrastructure.
Then the auditor arrives.
"Show me where you implement encryption at rest."
"Show me your audit logging for ePHI access."
"Show me evidence that your access controls meet SOC 2 CC6.1."
And the engineering team scrambles. Someone opens git blame. Someone searches Confluence. Someone opens a spreadsheet that was last updated three months ago. Six weeks later, the evidence package is assembled — manually, expensively, and probably incomplete.
This is broken. Not because the code is non-compliant, but because there's no automated way to prove it is.
Why Traditional Security Tools Don't Solve This
SAST tools like SonarQube, Semgrep, and Snyk find violations. They tell you "line 45 has an SQL injection vulnerability" or "this function uses MD5 hashing." That's valuable — but it's only half the picture.
When an auditor asks "show me where you implement audit logging," no existing tool can answer that question. They can tell you where audit logging is missing, but they can't point to the file and line where it's implemented.
This gap is the difference between:
| Approach | What it tells you |
|---|---|
| Violation scanning | "You have 7 critical findings" (every tool does this) |
| Compliance evidence | "Your code satisfies 124 of 130 applicable requirements, with evidence at these locations" (nobody does this) |
Introducing the Compliance Evidence Map
A compliance evidence map inverts the traditional scanner model. Instead of only finding what's wrong, it also identifies where your code satisfies each regulatory requirement — with the exact file, line number, and matched pattern.
For each rule in a compliance framework, the evidence map reports one of four statuses:
- ✅ Met — code evidence found that satisfies the requirement
- ❌ Violated — violations detected by the scanner
- 🔍 Manual Review — documentation obligation with no matching docs found
- ➖ Not Applicable — no files match the rule's scope
The coverage percentage tells you how many applicable requirements have verified implementations. An auditor can look at "87.2% coverage — 156 requirements met" and immediately understand your compliance posture.
How Evidence Collection Works
Different rule types generate evidence in different ways.
Required patterns become proof of implementation
Many compliance frameworks require specific capabilities to exist in your code. HIPAA requires audit logging. IEC 62304 requires configuration management. SOC 2 requires access controls.
When a required pattern rule finds the pattern in your code, that's evidence:

```text
HIPAA-164.312-b (required_pattern): MET
  → middleware/audit.py:14 — Implements audit-logging-required: import logging
  → api/patients.py:3 — Implements audit-logging-required: import logging
```
The auditor sees exactly where audit logging is implemented, in which files, on which lines.
Violation rules prove clean code
For rules that check for vulnerabilities — SQL injection, hardcoded secrets, weak crypto — a clean scan across all files is evidence of compliance:

```text
OWASP-A01-001 (regex): MET
  → (project-wide) — No violations of no-permissive-cors across 43 file(s)
```
Documentation detection satisfies process requirements
Many regulatory frameworks require documentation — risk management plans, data governance policies, security procedures. Sentrik searches your `.md`, `.adoc`, `.rst`, and `.txt` files for relevant keywords and links them to the requirement:

```text
HIPAA-164.308-a1 (documentation_obligation): MET
  → docs/risk-analysis.adoc:14 — Documentation found matching: risk, analysis, vulnerabilities
```
If you write your risk management documentation in AsciiDoc and keep it in the repo, Sentrik finds it and links it to HIPAA §164.308(a)(1) automatically.
What This Looks Like in Practice
Here's a real example from a medical device API project scanned against HIPAA, OWASP, SOC 2, and IEC 62304 simultaneously:

```text
$ sentrik compliance-map
Compliance Evidence Map
Coverage: 87.2%
Met: 156
Violated: 18
Manual: 0
N/A: 33
```
Out of 207 applicable requirements across four frameworks:
- 156 have verified code or documentation evidence
- 18 have violations that need fixing
- 0 require manual review — all documentation obligations were satisfied by files in the repo
The HTML report groups results by framework, so the HIPAA auditor sees only HIPAA controls, and the SOC 2 auditor sees only Trust Services Criteria.
Smart Rules: Only Fire When Relevant
Not every rule applies to every project. HIPAA rules shouldn't fire on a fintech app. EU AI Act rules shouldn't fire on a project with no ML code.
Sentrik uses `applies_when` conditions to make rules contextual:
- HIPAA rules only fire when code contains patient/health/medical/PHI keywords
- EU AI Act rules only fire when PyTorch, TensorFlow, or other ML libraries are imported
- PCI-DSS rules only fire when payment/credit card/merchant keywords are present
This eliminates false positives from irrelevant frameworks and keeps the evidence map focused on what actually applies to your project.
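To make the three evidence types above and the `applies_when` gating concrete, here is an added example (not Sentrik's code; the rule ids, patterns and the in-memory repository are constructed to mirror the post's samples) that evaluates a handful of rules and reports MET, VIOLATED, MANUAL or N/A per rule. Coverage is computed as MET over applicable rules, i.e. everything not marked N/A, which is how the post describes the coverage figure.

```python
import re
from dataclasses import dataclass

# Constructed in-memory repository (path -> contents), standing in for a checkout.
REPO = {
    "middleware/audit.py": "import logging\nlog = logging.getLogger('audit')\n",
    "api/patients.py": "import logging\n# handlers for patient PHI records\n",
    "api/cors.py": "app.add_middleware(CORSMiddleware, allow_origins=['*'])\n",
    "docs/risk-analysis.adoc": "= Risk Analysis\nKnown vulnerabilities ranked by risk.\n",
}
DOCS = r"\.(md|adoc|rst|txt)$"   # documentation files the doc-obligation rules search

@dataclass(frozen=True)
class Rule:
    rule_id: str
    kind: str               # required_pattern | regex | documentation_obligation
    pattern: str            # per-line regex: the proof, the violation, or doc keywords
    scope: str = r"\.py$"   # file-path regex selecting the files the rule covers
    applies_when: str = ""  # repo-wide keyword regex; empty = rule always applies

def evaluate(rule, repo):
    """Return (status, evidence) for one rule: MET, VIOLATED, MANUAL or N/A."""
    # applies_when: contextual rules stay silent unless their trigger keywords exist.
    if rule.applies_when and not any(re.search(rule.applies_when, t, re.I) for t in repo.values()):
        return "N/A", []
    files = {p: t for p, t in repo.items() if re.search(rule.scope, p)}
    if not files:                                 # nothing in scope -> not applicable
        return "N/A", []
    hits = [(p, n) for p, t in files.items()
            for n, line in enumerate(t.splitlines(), 1) if re.search(rule.pattern, line, re.I)]
    if rule.kind == "required_pattern":           # a hit is proof; absence is a violation
        return ("MET", hits) if hits else ("VIOLATED", [])
    if rule.kind == "regex":                      # a hit is a violation; a clean scan is evidence
        return ("VIOLATED", hits) if hits else ("MET", [("(project-wide)", len(files))])
    return ("MET", hits) if hits else ("MANUAL", [])   # documentation_obligation

def evidence_map(rules, repo):
    """Evaluate every rule; coverage = MET / applicable, where N/A rules are not applicable."""
    results = {r.rule_id: evaluate(r, repo) for r in rules}
    counts = {s: sum(st == s for st, _ in results.values()) for s in ("MET", "VIOLATED", "MANUAL", "N/A")}
    applicable = len(rules) - counts["N/A"]
    return results, counts, round(100 * counts["MET"] / applicable, 1) if applicable else 0.0

RULES = [  # hypothetical rules mirroring the post's examples; ids other than the post's are placeholders
    Rule("HIPAA-164.312-b", "required_pattern", r"^import logging", applies_when=r"patient|health|medical|PHI"),
    Rule("OWASP-A01-001", "regex", r"allow_origins=\[['\"]\*['\"]\]"),
    Rule("HIPAA-164.308-a1", "documentation_obligation", r"risk|vulnerabilit", DOCS, r"patient|health|medical|PHI"),
    Rule("IEC62304-config-mgmt", "documentation_obligation", r"configuration management", DOCS),
    Rule("PCI-card-data", "regex", r"card_number\s*=", applies_when=r"payment|credit card|merchant"),
]
```

Running `evidence_map(RULES, REPO)` on this repository yields two MET, one VIOLATED, one MANUAL and one N/A rule, so coverage is 50.0%; the PCI rule is suppressed entirely because no payment keywords exist in the repository.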
From Evidence Map to Audit Evidence
The evidence map is the foundation. On top of it, you can generate:
| Output | Description |
|---|---|
| Per-framework compliance reports | Clause-by-clause status for a specific standard |
| Trust center page | Public-safe HTML showing compliance scores without code paths |
| Signed attestation | HMAC-SHA256 cryptographic proof of compliance state at a point in time |
| Auditor portal | Read-only access with time-limited tokens, no codebase access needed |
| Evidence export | ZIP bundle with findings, reports, and attestation for audit submission |
```shell
sentrik trust-center --org "Your Company"
sentrik attest
sentrik auditor create --name "Jane Smith" --email jane@auditor.com
```
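The signed attestation row describes an HMAC-SHA256 proof of the compliance state at a point in time. The following added example (not Sentrik's own format or code; the key, scan reference and evidence bytes are placeholders) shows how such an attestation can be built over a canonical JSON body that also binds the SHA-256 of the exported evidence bundle, and how a verifier checks it. Because HMAC is a shared-secret MAC, the verifier must hold the same key: it proves the state was not altered by anyone without the key, but unlike a public-key signature it gives an outside auditor no non-repudiation against the key holder.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

def canonical(obj):
    """Deterministic JSON (sorted keys, fixed separators) so the MAC is reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def attest(state, key, scan_ref, issued_at, evidence_zip):
    """Bind the evidence-map summary, a scan reference, a UTC timestamp and the
    SHA-256 of the exported evidence bundle together, then MAC the canonical body."""
    body = {
        "state": state,
        "scan": scan_ref,
        "issued_at": issued_at.isoformat(),
        "evidence_sha256": hashlib.sha256(evidence_zip).hexdigest(),
    }
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"alg": "HMAC-SHA256", "attestation": body, "mac": mac}

def verify(att, key):
    """Recompute the MAC over the canonical body and compare in constant time."""
    if att.get("alg") != "HMAC-SHA256":
        return False
    expected = hmac.new(key, canonical(att["attestation"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att["mac"])

# Constructed inputs: the summary figures come from the post's sample run; the key,
# scan reference and evidence bytes are placeholders (load the real key from a secret store).
STATE = {"coverage": 87.2, "met": 156, "violated": 18, "manual": 0, "n_a": 33,
         "frameworks": ["HIPAA", "OWASP", "SOC 2", "IEC 62304"]}
KEY = b"placeholder-attestation-key"
ISSUED = datetime(2025, 1, 1, tzinfo=timezone.utc)
EVIDENCE_ZIP = b"PK\x03\x04 constructed stand-in for the exported evidence bundle"

def demo():
    """Return (valid, tampered_valid, wrong_key_valid) for one attestation."""
    att = attest(STATE, KEY, "scan-placeholder-0001", ISSUED, EVIDENCE_ZIP)
    tampered = json.loads(json.dumps(att))          # deep copy of the issued attestation
    tampered["attestation"]["state"]["met"] = 174    # quietly inflating the MET count
    return verify(att, KEY), verify(tampered, KEY), verify(att, b"another-key")
```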
Getting Started
Sentrik's free tier includes SOC 2 and OWASP Top 10 — 99 rules with evidence mapping, no credit card required.
```shell
npm install -g sentrik
sentrik scan
sentrik compliance-map
```
The evidence map generates in seconds from your last scan. For HIPAA, IEC 62304, PCI-DSS, and other regulated frameworks, upgrade to the Team tier at $29/month.
Originally published at sentrik.dev