The AI compliance platform for agentic systems.
spanforge is compliance infrastructure — not a monitoring add-on. It gives every AI action in your stack a cryptographically signed, privacy-safe, regulator-ready record. Built on RFC-0001, the open event-schema standard for AI governance.
The problem we are solving.
You are building AI applications in a world where regulators are catching up fast. The EU AI Act is in force. GDPR applies to every LLM that touches personal data. SOC 2 auditors want evidence that your AI systems are governed. And your team is stitching together ad-hoc logs, hoping they will hold up in an audit.
spanforge solves this. It is a compliance-first platform that gives every AI action a cryptographically signed, tamper-evident record — from the first pip install to the auditor hand-off.
We build for teams that have shipped a working model and are now asking the hard questions: How do we prove compliance? How do we audit this? How do we detect drift? What happens when it fails?
spanforge answers those questions with 11 SDK services, 33 CLI commands, and article-level mapping to 6 regulatory frameworks — all available today via pip install spanforge.
What spanforge is — and is not.
spanforge IS
A compliance-first SDK for agentic AI systems
HMAC-signed audit chain infrastructure (sf_audit)
PII redaction and privacy enforcement (sf_pii)
Secrets scanning with SARIF output (sf_secrets)
Regulatory evidence bundles for auditors (sf_cec)
A 6-gate CI/CD compliance pipeline (sf_gate)
A T.R.U.S.T. scorecard with SVG badge + trend API (sf_trust)
Observability to any OTLP-compatible backend (sf_observe)
RAG tracing with LlamaIndex and LangChain auto-instrumentation (sf_rag)
An open standard — RFC-0001, MIT-licensed, zero call-home
spanforge IS NOT
An MLOps platform (no model serving infrastructure)
A model provider or AI model builder
A cloud infrastructure platform
An agent framework or orchestration engine
A replacement for legal or compliance teams
A replacement for cloud billing or FinOps tools
A detached consulting business that sits outside the product
A replacement for existing CI/CD tooling — sf_gate extends it
Three things spanforge guarantees.
Compliance by default.
Every event your app emits is HMAC-signed, PII-redacted, and stored — with zero per-call boilerplate. spanforge.configure() and you are compliant.
Regulator-ready evidence.
sf_cec generates HMAC-signed ZIP bundles mapping telemetry to EU AI Act, GDPR, SOC 2, HIPAA, ISO 42001, and NIST AI RMF at the article level — ready for auditor hand-off.
Zero required dependencies.
Pure Python 3.9+ stdlib. Local fallback mode. Sandbox mode. mock_all_services() for testing. Works in air-gapped environments with no egress.
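What "HMAC-signed, tamper-evident" means in practice, as an added illustration written in plain Python stdlib for this page; it is not spanforge's own sf_audit or sf_pii code and does not use the RFC-0001 schema. Each record is redacted, then linked to the previous record's HMAC before it is signed, so editing, deleting or reordering any record fails verification at that point. The key, the simplified e-mail regex and the sample events are constructed for the demo.

```python
import hashlib
import hmac
import json
import re

GENESIS = "0" * 64  # prev-link of the first record (assumption of this demo)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")  # simplified, demo only


def redact(event: dict) -> dict:
    """Mask e-mail addresses in string fields before anything is signed or stored."""
    return {k: EMAIL_RE.sub("[REDACTED_EMAIL]", v) if isinstance(v, str) else v
            for k, v in event.items()}


def canonical(obj: dict) -> bytes:
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list, event: dict, key: bytes) -> str:
    """Redact, link to the previous record's signature, HMAC the result, append."""
    body = {"event": redact(event), "prev": chain[-1]["sig"] if chain else GENESIS}
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    chain.append({**body, "sig": sig})
    return sig


def verify_chain(chain: list, key: bytes) -> int:
    """Return -1 if the chain is intact, else the index of the first failing record."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec.get("prev") != prev:  # a deleted or reordered record breaks the link
            return i
        body = {"event": rec["event"], "prev": rec["prev"]}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("sig", "")):  # edited content
            return i
        prev = rec["sig"]
    return -1


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice: a managed secret, never hard-coded
    chain = []
    for ev in [{"type": "llm.call", "model": "demo-model", "user": "ana@example.com"},
               {"type": "tool.call", "tool": "search", "query": "q1"}]:
        append_event(chain, ev, key)
    print(verify_chain(chain, key))       # -1: intact
    chain[0]["event"]["user"] = "bob@example.com"
    print(verify_chain(chain, key))       # 0: first record was edited after signing
```

Because verification needs the same key, an auditor who receives the chain and the key can check it offline; signing with a different key, or rotating it, must itself be recorded or earlier records stop verifying.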
Four principles. Non-negotiable.
Build in the open.
The standard is public. The schema is public. The SDK is MIT-licensed. AI needs more transparency, not less.
Opinionated by design.
spanforge has a clear position on how AI should be governed. We would rather be useful and direct than vague and universally palatable.
Production is the point.
A model in a notebook is not AI. We build for teams shipping to real users in regulated environments — not for the demo.
Standards before shortcuts.
Every SDK service exists because we have seen what happens when it is absent. Compliance infrastructure is not overhead — it is the foundation.
Ready to make your AI production-ready?
One pip install. Zero required dependencies. Start instrumenting your AI for compliance in under five minutes.