General Availability · SpanForge SDK v1.0.4

Ship AI that passes audits. Signed evidence in 5 minutes.

SpanForge is an AI audit SDK. It gives compliance teams a signed, ready-to-submit evidence bundle for every AI decision — without slowing the engineers who build them.

Most teams spend weeks assembling evidence after an AI incident. SpanForge captures proof continuously at the SDK layer — so your compliance team always has a signed bundle ready for auditors, from day one.

✓ EU AI Act-ready · ✓ HIPAA-aligned · ✓ SOC 2 framework · ✓ MIT licensed

Trusted by compliance teams at financial services, healthcare, and regulated tech · Free to start · No contract required

Launch path

From install to regulator-ready evidence in five steps.

  1. Install

     Add SpanForge to any Python project with zero runtime dependencies.

  2. Instrument

     Wrap AI actions with @spanforge.trace to capture every decision event.

  3. Enforce

     Apply PII redaction, secrets scanning, and drift policies before output persists.

  4. Sign

     Every event is cryptographically chained — giving regulators verifiable, tamper-proof evidence of every decision.

  5. Export

     Hand your compliance team a signed evidence bundle they can give directly to auditors — no spreadsheets, no chasing engineers.

Independently verifiable

Open source · MIT licensed
pip install spanforge · Available on PyPI
Zero runtime deps · No heavy platform required
Python 3.9+ · Broad version support
v1.0.4 GA · Generally Available release

Trusted by compliance teams shipping regulated AI — built for the standards your auditors require

EU AI Act · GDPR · HIPAA · SOC 2 · ISO 42001 · NIST AI RMF
EU AI Act-Ready · HIPAA-Aligned · GDPR-Ready · SOC 2 Framework · ISO 42001

SpanForge gave our compliance team the audit trail they needed without slowing down engineering at all. We handed the evidence bundle directly to regulators.

Head of AI Governance, Global Financial Services Firm

SDK v1.0.4 Generally Available · Launched May 2026 · 6 compliance frameworks mapped on day one · 0 hours assembling evidence before your next audit

Why SpanForge?

Regulatory risk is live

EU AI Act enforcement began August 2025. HIPAA and GDPR apply to every AI system handling personal data. Compliance is no longer optional.

Auditors want evidence chains

Regulators expect machine-readable records with framework mappings — not screenshots and manually assembled spreadsheets. SpanForge generates them automatically.

Prevention costs less than recovery

Unlike custom logging or manual evidence assembly, SpanForge captures cryptographically signed proof at the SDK layer from day one — before a regulator ever asks.

Our mission: make AI compliance infrastructure as automatic as security scanning.

After years leading enterprise AI programs, I kept seeing the same gap: teams built capable AI but couldn’t prove it was safe, compliant, or auditable. SpanForge closes that gap — at the SDK layer, before production.

Founder, SpanForge (est. 2024) · 5+ years enterprise AI program leadership

A cleaner path from experimentation to accountable production.

Instrument every AI action, enforce policy automatically, and generate evidence your auditors can verify — all from a single SDK surface with zero required dependencies.

01

Instrument every model interaction

Trace prompts, outputs, latency, token cost, retrieval behavior, and human review events in one event model built for agentic systems.

02

Enforce policy before risk lands

Block secrets, redact sensitive data, catch drift, and route low-confidence decisions to humans before records are persisted.

03

Prove compliance with evidence

Generate signed bundles with framework mappings, chain verification, and auditor-friendly artifacts without manual spreadsheet work.

Explore the full SDK surface →

Every LLM call, policy event, and review decision is signed and stored.

SpanForge turns AI operations into a traceable ledger of actions. That means better incident response, cleaner reviews with compliance stakeholders, and fewer blind spots when a model starts behaving differently in production.

Why it matters

Operations teams need proof, not screenshots and institutional memory.

What changes

Telemetry, redaction, secrets policy, and human escalation live in the same chain of record.

spanforge audit-chain — live
[14:32:07.114] SIGNED   llm.trace.started     chain:4821 prev:4820 hmac:a3f7c2d1… ✓
[14:32:07.441] SIGNED   llm.cost.recorded     gpt-4o · $0.0043 · 1,720 tokens · proj:loan-v2
[14:32:07.891] BLOCKED  llm.secrets.detected  STRIPE_LIVE_KEY · entropy:5.1bits/char · auto-blocked ✕
[14:32:08.203] REDACT   llm.pii.detected      EMAIL → [REDACTED:pii] · GDPR Art.5(1)(f) ✓
[14:32:08.550] SIGNED   llm.guard.evaluated   confidence:0.41 < threshold:0.70 → HITL queue
[14:32:08.890] SIGNED   llm.trace.completed   chain:4822 hmac:c8e2f1a3… latency:778ms ✓
[14:32:09.110] VERIFY   chain verified        4,822 events · 0 gaps · 0 tampering · EU AI Act Art.12 ✓

One core job: an unbroken, signed audit chain for every AI decision.

sf_audit and sf_cec are the foundation — instrument one action and your compliance team gets a signed, auditor-ready bundle. Nine supporting services extend from there.

Explore supporting services (9 more) →

Examples of the kinds of failures the platform is meant to intercept.

SpanForge intercepts real failure modes before they reach storage, downstream systems, or your audit record — with full context preserved for incident response.

Blocked secret exposure

sk_live_4xK9mR2p8vB3nQ...

A live Stripe key appeared in model output and was blocked before persistence, audit insertion, or downstream storage.

Entropy score: 5.1 bits/char | Confidence: 0.97

PII redaction applied

user@company.com -> [REDACTED:email]

Email content was detected in a response and rewritten before the event entered the evidence chain.

GDPR Article 5(1)(f) aligned | Metadata recorded

Behavioral drift escalated

drift_score: 0.31 (threshold: 0.20)

A distribution shift crossed the policy threshold, triggered an incident workflow, and paused the affected agent.

3.1 sigma from baseline | PagerDuty fired in 847ms

Built for regulated AI programs, security reviews, and enterprise buying conversations.

Map your AI operations to article-level obligations across six regulatory frameworks. Signed evidence packages ready for auditor hand-off — no manual spreadsheet work.

View framework coverage table →
Framework   | Coverage focus                                                                                                   | Relevant SDK surface
EU AI Act   | Risk management, data governance, record-keeping, transparency, human oversight, and accuracy monitoring.        | sf_gate / sf_audit / sf_cec
GDPR        | Data minimization, right to erasure, records of processing, and processor accountability support.               | sf_pii / sf_audit / sf_cec
HIPAA       | Safe Harbor redaction patterns, access logging, and audit trail support for regulated workloads.                 | sf_pii / sf_audit / sf_identity
SOC 2       | Logical access, system operations monitoring, and risk mitigation controls tied to evidence artifacts.           | sf_audit / sf_gate / sf_cec
ISO 42001   | Risk assessment, impact assessment, monitoring, and continuous improvement controls for AI systems.              | sf_cec / sf_trust
NIST AI RMF | Govern, map, measure, and manage workflows backed by telemetry, policy, and trace evidence.                      | sf_gate / sf_cec / sf_trust
sf_cec.build_bundle(project_id, date_range, frameworks=["eu_ai_act", "iso_42001", "soc2"])

Generate a signed evidence bundle with chain proof, framework mappings, and attestation artifacts. View the SDK documentation.

Objections we hear — and the direct answers.

If you have a question not answered here, reach out directly.

Do I need to change my AI provider or LLM setup?

No. SpanForge wraps your existing model calls at the SDK layer. You keep your current provider, prompts, and infrastructure. Nothing changes in production except every decision now has a signed record.

How is SpanForge different from standard application logging?

Standard logs are mutable and context-free. SpanForge creates HMAC-SHA256 chained records with framework mappings, PII redaction, and cryptographic signatures — the format auditors and regulators actually accept.
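The chained-record idea behind that answer, and behind the "0 gaps · 0 tampering" verify line in the audit-chain output above, can be shown in a few lines. This is an added illustration, not SpanForge's own code or API: each record's HMAC-SHA256 covers its sequence number, the previous record's HMAC and the event body, so editing a record or removing one from the middle is detectable. The key, event shapes and field names are assumptions constructed for the demo.

```python
import hashlib
import hmac
import json
from copy import deepcopy

GENESIS = "0" * 64  # 'prev' value carried by the first record of a chain

def _mac(key: bytes, prev: str, seq: int, event: dict) -> str:
    # Canonical JSON so an identical event always yields the same MAC
    payload = json.dumps({"seq": seq, "prev": prev, "event": event},
                         sort_keys=True, separators=(",", ":"))
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def append_event(key: bytes, chain: list, event: dict) -> dict:
    """Append a record whose HMAC binds its index, the prior HMAC and its body."""
    seq = len(chain)
    prev = chain[-1]["hmac"] if chain else GENESIS
    rec = {"seq": seq, "prev": prev, "event": event, "hmac": _mac(key, prev, seq, event)}
    chain.append(rec)
    return rec

def verify_chain(key: bytes, chain: list) -> dict:
    """Count gaps (removed/inserted/reordered records) and tampered records (bad MACs)."""
    gaps = tampered = 0
    want_seq, want_prev = 0, GENESIS
    for rec in chain:
        if rec["seq"] != want_seq or rec["prev"] != want_prev:
            gaps += 1                      # link to the previous record is broken
        if not hmac.compare_digest(_mac(key, rec["prev"], rec["seq"], rec["event"]), rec["hmac"]):
            tampered += 1                  # body, seq or prev was edited after signing
        want_seq, want_prev = rec["seq"] + 1, rec["hmac"]
    return {"events": len(chain), "gaps": gaps, "tampered": tampered,
            "ok": gaps == 0 and tampered == 0}

def demo() -> dict:
    key = b"constructed-demo-key"  # real deployments hold this in a KMS/HSM, never a literal
    chain = []
    for ev in (  # constructed sample events, mirroring the kinds shown on this page
        {"type": "llm.trace.started", "proj": "loan-v2"},
        {"type": "llm.cost.recorded", "model": "gpt-4o", "cost_usd": 0.0043},
        {"type": "llm.trace.completed", "latency_ms": 778},
    ):
        append_event(key, chain, ev)
    edited = deepcopy(chain)
    edited[1]["event"]["cost_usd"] = 0.0  # rewrite an already-signed record in place
    truncated = chain[:1] + chain[2:]     # drop the middle record from the store
    return {"intact": verify_chain(key, chain), "edited": verify_chain(key, edited),
            "truncated": verify_chain(key, truncated)}
```

Verification localizes the fault: the edited record alone fails its MAC (later records still point at its stored HMAC), while the deleted record shows up as exactly one gap at the next record.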

We are not yet subject to regulation. Do we still need this?

EU AI Act enforcement began August 2025. HIPAA and GDPR already cover most AI systems processing personal data. Instrumenting from day one costs a fraction of the retroactive compliance work that follows an audit notice.

Does SpanForge add latency to production workloads?

SpanForge has zero required runtime dependencies and is built for production. Actions are wrapped asynchronously where possible — no external call sits on your critical path.

Can I try it without involving procurement?

Yes. SpanForge is MIT licensed and on PyPI. Run pip install spanforge and generate your first signed evidence bundle in under five minutes — no contract, no credit card required.

New

AI Governance Kit

Everything your team needs to implement AI governance from day one — master policies, risk assessments, model cards, incident response plans, inventory registers, and a 30-day roadmap. Ready-to-use documents built for compliance teams, legal, and AI program leads.

Explore AI Governance Kit →
SpanForge Newsletter

Stay ahead on AI compliance.

Analysis, framework updates, SDK release notes, and practical guidance on shipping production AI that meets real regulatory expectations. No filler.

Delivered via Substack. Unsubscribe any time. By subscribing, you agree to our Privacy Policy.

Open source · MIT licensed · pip install spanforge · GA v1.0.4 · Released May 2026

Get signed AI evidence in under five minutes.

Install the SDK, instrument an AI action, and generate a signed evidence bundle — before you involve procurement. Community support on GitHub. Enterprise teams get priority response.

Questions? hello@getspanforge.com · Docs · View pricing