Patent Pending

HAIEC Compliance Twin™

Prove Your AI Was Compliant — At Any Point in Time

Continuous, versioned, tamper-evident AI compliance history built specifically for regulated AI systems. Not a report. Not a checklist. A permanent compliance record.

Cryptographically signed evidence
23+ rules across 4 jurisdictions
Independent verification endpoints
Operational in under 5 minutes

The Problem Most AI Companies Cannot See

AI systems change constantly. Regulators do not audit intentions. They audit evidence.

The sources of that change include:

  • Model updates and retraining
  • Threshold and confidence adjustments
  • Feature engineering changes
  • Vendor model swaps
  • Data distribution shifts
  • Configuration drift over time

When a regulator asks:

“Show your AI system's compliance posture on March 3rd.”

Most organizations cannot.

They have reports. They do not have continuity. They have snapshots from audit day. They do not have a verifiable record of what their system looked like on any arbitrary date.

AI Compliance Control Plane

What Makes Compliance Twin Different

Compliance Twin creates a time-indexed, cryptographically verifiable compliance record for every monitored AI system. Every change is tracked. Every state is provable.

Versioned State Snapshots

SHA-256 hashed, parent-chained snapshots capture your AI system configuration at every point in time. Four snapshot types: Full, Config, Metrics, Compliance.

Jurisdiction-Specific Rules

23 compliance rules across NYC LL144, Colorado AI Act, EU AI Act, and SOC 2. Each rule pack is versioned with effective dates and enforcement tracking.

Cross-Framework Normalization

13 normalized control categories mapping 68 controls across 9 frameworks: SOC 2, ISO 27001, ISO 42001, NIST CSF, EU AI Act, GDPR, HIPAA, NYC LL144, Colorado AI Act.

Compliance Delta Engine

Recursive deep-diff identifies exactly when your compliance posture changed and which rule was impacted. 9 auto-classified change categories with dot-notation paths.

Provenance Anchoring

HMAC-SHA256 signed, append-only provenance log. Every snapshot is auto-anchored on capture. Key rotation support with multi-key verification.
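As an added illustration of the parent-chained SHA-256 snapshots and the HMAC-SHA256 provenance log described above (example code written from the page's description, not HAIEC's own code; the record layout, function names and key-id scheme are assumptions):

```python
import hashlib
import hmac
import json

# Added illustration of chained snapshots plus an append-only HMAC provenance
# log; not HAIEC's code. Record fields and function names are assumptions.
GENESIS = "0" * 64  # the first snapshot has no parent

def canonical(obj) -> bytes:
    # Stable serialization: the same state must always hash the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def snapshot_hash(kind: str, state: dict, parent: str) -> str:
    # Parent-chained: the hash commits to the previous hash, so editing any
    # earlier snapshot invalidates every later one.
    return hashlib.sha256(canonical({"type": kind, "parent": parent, "state": state})).hexdigest()

def capture(chain: list, kind: str, state: dict) -> dict:
    # kind is one of the page's snapshot types: Full, Config, Metrics, Compliance.
    parent = chain[-1]["hash"] if chain else GENESIS
    snap = {"version": len(chain) + 1, "type": kind, "parent": parent,
            "state": state, "hash": snapshot_hash(kind, state, parent)}
    chain.append(snap)
    return snap

def verify_chain(chain: list) -> bool:
    # Recompute every hash and check each parent link; any tampering breaks it.
    parent = GENESIS
    for snap in chain:
        if snap["parent"] != parent or snapshot_hash(snap["type"], snap["state"], parent) != snap["hash"]:
            return False
        parent = snap["hash"]
    return True

def anchor(log: list, snap: dict, key_id: str, key: bytes) -> dict:
    # Append-only provenance entry: HMAC-SHA256 over the snapshot hash, tagged
    # with the key id so entries signed before a key rotation stay verifiable.
    mac = hmac.new(key, snap["hash"].encode(), "sha256").hexdigest()
    entry = {"seq": len(log), "snapshot": snap["hash"], "key_id": key_id, "mac": mac}
    log.append(entry)
    return entry

def verify_anchor(entry: dict, keys: dict) -> bool:
    # Multi-key verification: look the MAC key up by id (current or retired).
    key = keys.get(entry["key_id"])
    if key is None:
        return False
    expected = hmac.new(key, entry["snapshot"].encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, entry["mac"])
```

Mutating any stored state after capture makes `verify_chain` fail, while entries anchored under a retired key still verify as long as that key remains in the verification key set.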

Signed Evidence Bundles

Merkle tree integrity over snapshots, rule executions, compliance checks, drift detections, and config changes. Inclusion proofs for any item in a bundle.

Independent Verification

Public API endpoints for verifying snapshot signatures, bundle integrity, provenance anchors, and Merkle inclusion proofs. No HAIEC account required to verify.
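As an added illustration of the Merkle-tree evidence bundles and inclusion proofs that the two sections above describe (example code written from the page's description, not HAIEC's code or API; the leaf encoding, domain-separation prefixes and odd-node duplication rule are assumptions):

```python
import hashlib
import json

# Added illustration of an evidence bundle with Merkle inclusion proofs;
# not HAIEC's code. Leaf/node encoding and function names are assumptions.

def leaf_hash(item: dict) -> bytes:
    # Each bundle item (snapshot, rule execution, drift detection, ...) is a leaf.
    data = json.dumps(item, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(b"\x00" + data).digest()  # 0x00 prefix: leaf

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # 0x01 prefix: inner node

def merkle_root(leaves: list) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate the last node on odd levels
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def inclusion_proof(leaves: list, index: int) -> list:
    # Sibling path from leaf to root as (sibling_hash, sibling_is_right) pairs.
    level, proof = list(leaves), []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return proof

def verify_inclusion(item: dict, proof: list, root_hex: str) -> bool:
    # Independent check: needs only the item, its proof and the published root,
    # so a third party can verify without access to the rest of the bundle.
    node = leaf_hash(item)
    for sibling, is_right in proof:
        node = node_hash(node, sibling) if is_right else node_hash(sibling, node)
    return node.hex() == root_hex

def build_bundle(items: list) -> dict:
    leaves = [leaf_hash(it) for it in items]
    return {"root": merkle_root(leaves).hex(),
            "proofs": [inclusion_proof(leaves, i) for i in range(len(items))]}
```

In a real deployment the root would additionally be signed (for example with the HMAC anchoring the page describes) so that the published root itself cannot be swapped.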

Risk Score Engine

5-dimension weighted composite score: Health (20%), Compliance (30%), Drift (15%), Alerts (15%), Provenance (20%). Levels: Excellent, Good, Fair, Critical.

Zero Prior Knowledge Required

Guided onboarding wizard auto-selects rule packs based on your system type and jurisdiction. Compliance officers and legal teams can operate without engineering support.

Compliance Regression Detection

Automatically detects when your compliance posture degrades. Compares rule executions over time, identifies PASS-to-FAIL regressions, and generates severity-weighted regression reports.

Deterministic Root Cause Analysis

When something fails, know exactly why. Deterministic cause trees trace failures to their root, map cross-framework impact, and generate prioritized remediation steps with regulatory clause references.

Cross-Framework Remediation

Fix one control, satisfy multiple frameworks simultaneously. 66 remediation entries map across 9 frameworks with effort estimates, deadlines, and specific regulatory clause references.

Custom Rule Pack Builder

Build compliance packs tailored to your regulatory mix. Select rules across NYC LL144, Colorado AI Act, EU AI Act, and SOC 2 to create jurisdiction-specific audit configurations.

Built for AI — Not Retro-Fitted GRC

Most compliance platforms were built for policy documents, vendor questionnaires, and access reviews. They are not built for model behavior, drift detection, or AI-specific regulatory requirements.

Capabilities compared (Compliance Twin vs. Traditional GRC):

  • AI system state versioning
  • Jurisdiction-specific rule execution
  • Technical drift detection
  • Compliance delta tracking
  • Cryptographic evidence bundles
  • Merkle proof verification
  • Cross-framework control normalization
  • Independent verification endpoints
  • Compliance regression detection
  • Deterministic root cause analysis
  • Cross-framework remediation mapping
  • Custom rule pack builder
  • Policy document management
  • Vendor questionnaires
  • Access review workflows

Compliance Twin is AI compliance infrastructure. It complements — not replaces — your existing GRC tools by adding the technical compliance layer they cannot provide.

How It Works

Six steps from system registration to tamper-evident compliance proof. No prior compliance knowledge required.

STEP 01

Register Your AI System

Guided onboarding wizard. Select your system type, jurisdiction, and environment. No coding required. Rule packs are auto-selected based on your regulatory obligations.

STEP 02

Connect Your Data

Send runtime metrics from your AI system via REST API (POST to /api/compliance-twin/metrics). Include latency, success/fail, confidence scores, and model version. Health monitoring and anomaly detection start automatically. Complementary HAIEC tools (@haiec/openai, @haiec/anthropic, haiec-isaf-logger, GitHub Action) can feed additional data.

STEP 03

Capture Versioned State

Every monitored system is versioned and SHA-256 hashed on configuration change and on schedule. Full, config, metrics, and compliance snapshots are linked via parent references for tamper detection.

STEP 04

Execute Regulatory Rule Packs

23 rules across 4 jurisdiction-specific packs. Each rule is versioned, tracked by jurisdiction and framework, and executed against your system state. Results are persisted with evidence.

STEP 05

Detect Compliance Shifts

Delta engine computes recursive JSON deep-diff between snapshots. Changes are auto-classified into 9 categories: config, threshold, baseline, health, compliance, metric, alert, drift, and other.
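As an added illustration of the delta engine described here and under "Compliance Delta Engine" above (example code written from the page's description, not HAIEC's code; the keyword-based category mapping, the change-record layout and the rule-to-path mapping are assumptions):

```python
# Added illustration of a recursive deep-diff with dot-notation paths,
# classification into the page's 9 categories, and a lookup of which rules read
# the changed paths; not HAIEC's code. Keyword mapping is an assumption.
_MISSING = object()

CATEGORY_KEYWORDS = [  # first match wins; "other" is the fallback category
    ("threshold", "threshold"), ("baseline", "baseline"), ("health", "health"),
    ("compliance", "compliance"), ("metric", "metric"), ("alert", "alert"),
    ("drift", "drift"), ("config", "config"),
]

def classify(path: str) -> str:
    lowered = path.lower()
    for keyword, category in CATEGORY_KEYWORDS:
        if keyword in lowered:
            return category
    return "other"

def deep_diff(old, new, path: str = "") -> list:
    # Recurse through nested dicts and lists and emit one record per leaf whose
    # value differs, addressed by a dot-notation path such as "config.thresholds.min".
    changes = []
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            sub = f"{path}.{key}" if path else str(key)
            changes.extend(deep_diff(old.get(key, _MISSING), new.get(key, _MISSING), sub))
    elif isinstance(old, list) and isinstance(new, list):
        for i in range(max(len(old), len(new))):
            o = old[i] if i < len(old) else _MISSING
            n = new[i] if i < len(new) else _MISSING
            changes.extend(deep_diff(o, n, f"{path}[{i}]"))
    elif old != new:
        op = "added" if old is _MISSING else "removed" if new is _MISSING else "changed"
        changes.append({"path": path, "op": op,
                        "old": None if old is _MISSING else old,
                        "new": None if new is _MISSING else new,
                        "category": classify(path)})
    return changes

def impacted_rules(changes: list, rule_inputs: dict) -> dict:
    # rule_inputs maps a rule id to the path prefixes it reads (assumed layout);
    # returns, per rule, the changed paths that fall under those prefixes.
    hits = {}
    for rule, prefixes in rule_inputs.items():
        paths = [c["path"] for c in changes if any(c["path"].startswith(p) for p in prefixes)]
        if paths:
            hits[rule] = paths
    return hits
```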

STEP 06

Generate Tamper-Evident Proof

Signed evidence bundles with Merkle tree integrity. HMAC-SHA256 provenance anchoring with key rotation support. Every bundle can be independently verified through public verification endpoints.

System Architecture

How Compliance Twin Is Built

Five layers from input to tamper-evident output. Each layer is independently verifiable.

Input → Capture → Analysis → Integrity → Output
End-User Process Flow

Your Journey to Provable Compliance

11 steps from system registration to regulator-ready evidence. Most steps are fully automated.

STEP 1 OF 11: SETUP

Register AI System

Time: < 5 min. User action.

What You Do

Use the Onboarding Wizard to name your system, select type (Hiring, Lending, Insurance, etc.), and choose environment (Production/Staging/Development).

What the System Does

Creates MonitoredSystem record. Auto-selects jurisdiction-specific rule packs based on system type. Captures first FULL snapshot immediately. Schedules daily auto-audits.

Output

System ID + first versioned snapshot (v1) with SHA-256 hash + daily audit schedule

Designed for Non-Technical Users

No Prior Compliance Knowledge Required

We built Compliance Twin so that compliance officers, legal teams, and business leaders can operate it without engineering support.

  • Guided onboarding: 3-step wizard: pick your system type, name it, and you are monitoring.
  • Auto-selected rule packs: rules are chosen based on your jurisdiction. No manual configuration.
  • Plain-language results: compliance checks report pass/fail with human-readable evidence.
  • One-click evidence export: download signed audit bundles ready for regulator submission.

Onboarding Flow

  1. Select system type: Hiring, Lending, Insurance, Healthcare, Customer Service, or General
  2. Name and environment: Production, Staging, or Development
  3. Monitoring begins: first snapshot captured automatically

Time to first compliance snapshot: < 5 minutes

Jurisdiction-Specific Rule Packs

23 compliance rules across 4 jurisdictions. Each rule pack is versioned, tracked by effective date, and executed against your system state.

NYC Local Law 144 (5 rules)

  • Bias audit recency (365-day validation)
  • Public disclosure of audit results
  • Candidate notice requirements
  • System logging and monitoring
  • Continuous monitoring controls
NYC Local Law 144

NYC Hiring AI Compliance

If you use an Automated Employment Decision Tool in New York City, you are required to conduct annual bias audits, publish results, and provide candidate notices. Compliance Twin provides:

  • Versioned bias audit evidence tracking
  • Proof of audit recency (365-day validation)
  • Rule execution mapped to NYC Admin Code §20-871
  • Historical compliance record for regulator inquiries
  • Signed audit bundle export

If the Department of Consumer and Worker Protection asks tomorrow — you are prepared.

Colorado AI Act (SB 24-205)

Colorado High-Risk AI Compliance

Colorado introduces obligations for high-risk AI systems including risk management documentation, impact assessments, ongoing monitoring, and consumer rights compliance. Compliance Twin enables:

  • Versioned high-risk AI documentation
  • Monitoring continuity evidence
  • Rule pack tracking aligned to SB 24-205
  • Control gap detection over time
  • Signed compliance history

Colorado requires ongoing oversight — not static reports. Compliance Twin provides the continuous evidence trail.

Who This Is For

If enterprise procurement or regulatory compliance is part of your revenue model, Compliance Twin matters.

AI Companies Selling Into Enterprise

Prove compliance posture to procurement teams with signed evidence bundles.

Regulated Industries Deploying AI

Healthcare, finance, insurance, and government AI systems with compliance obligations.

HR Teams Subject to NYC LL144

Automated employment decision tools requiring bias audits and candidate notices.

AI Providers Operating in Colorado

High-risk AI systems subject to SB 24-205 deployer obligations.

Organizations Preparing for EU AI Act

High-risk AI systems requiring conformity assessments and ongoing monitoring.

Compliance Officers and Legal Teams

Non-technical users who need to manage AI compliance without engineering support.

Enterprise AI Assurance

Compliance Twin is enterprise infrastructure. Pricing reflects the value of permanent, verifiable compliance history.

Professional

$24,000/year

Includes onboarding, rule pack configuration, and compliance baseline setup.

  • Up to 5 monitored AI systems
  • 4 jurisdiction rule packs included
  • Versioned state snapshots
  • Signed evidence bundles
  • Compliance delta tracking
  • Risk score dashboard
  • Email support

Enterprise (Recommended)

Custom

Multi-system support, advanced jurisdiction packs, and dedicated compliance advisory.

  • Unlimited monitored AI systems
  • All jurisdiction rule packs
  • Custom rule pack development
  • Dedicated compliance advisor
  • SSO and access control
  • Webhook and Slack alerting
  • Priority support with SLA
  • On-premise deployment option


Can you prove what your AI looked like last quarter?

If not, you are relying on memory.

HAIEC Compliance Twin™ gives you permanent, verifiable AI compliance history.

HAIEC Compliance Twin™ is protected by five patent-pending innovations covering precision drift detection, deterministic root cause analysis, cross-framework compliance mapping, modular audit engine composition, and cryptographic evidence fingerprinting.