You can’t govern what you can’t see.
SpanForge is the compliance and governance platform for agentic AI systems. Structured RFC-0001 events, HMAC-signed audit chains, PII redaction, and regulatory evidence packages — provable compliance before auditors or incidents find the problem first.
See it in action.
Three scenarios. Three ways SpanForge generates compliance evidence that your dashboards miss. Switch between tabs to explore — consent records, audit chain verification, and PII redaction events.
These are representative examples. Real output varies by agent configuration and playbook definitions.
Everything production AI needs.
Structured compliance events
Every LLM call, tool invocation, decision, and guardrail check is recorded as a typed RFC-0001 event — a structured envelope with required fields, audit metadata, and schema-validated payloads.
HMAC-SHA256 audit chains
Every emitted event is cryptographically signed with HMAC-SHA256 and chained to its predecessor via prev_id. Verifying the chain proves the event stream has not been modified, reordered, or truncated.
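An added example (not SpanForge's own code) of the chained HMAC-SHA256 signing described here, which also illustrates the "Sign" step further down: each event is signed over its canonical JSON including its own id and prev_id, and the verifier reports whether it detected modification, reordering/gaps, or tail truncation. The envelope field names other than prev_id, the event type names and the demo key are assumptions.

```python
import hashlib
import hmac
import json
import uuid
from typing import Iterable, Optional

KEY = b"constructed-demo-key"  # constructed; a production key lives in a KMS

def _canonical(event: dict) -> bytes:
    # Sign a canonical JSON form so key order cannot alter the signature.
    body = {k: v for k, v in event.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_event(event: dict, prev_id: Optional[str], key: bytes = KEY) -> dict:
    # id and prev_id sit inside the signed body, so linkage cannot be rewritten unnoticed.
    signed = dict(event, id=str(uuid.uuid4()), prev_id=prev_id)
    signed["sig"] = hmac.new(key, _canonical(signed), hashlib.sha256).hexdigest()
    return signed

def build_chain(events: Iterable[dict], key: bytes = KEY) -> list:
    chain, prev_id = [], None
    for ev in events:
        signed = sign_event(ev, prev_id, key)
        chain.append(signed)
        prev_id = signed["id"]
    return chain

def verify_chain(chain: list, key: bytes = KEY, expected_len: Optional[int] = None) -> tuple:
    """Return (ok, reason). Per-event signatures catch modification, prev_id linkage
    catches reordering and gaps; a tail truncation leaves a valid prefix, so the
    event count recorded out of band (expected_len) is what catches that case."""
    prev_id = None
    for i, ev in enumerate(chain):
        expected = hmac.new(key, _canonical(ev), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, ev.get("sig", "")):
            return False, f"event {i}: signature mismatch (modified or wrong key)"
        if ev.get("prev_id") != prev_id:
            return False, f"event {i}: prev_id breaks the chain (reordered or gap)"
        prev_id = ev.get("id")
    if expected_len is not None and len(chain) != expected_len:
        return False, f"{len(chain)} events, expected {expected_len} (truncated)"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample events; the type names are assumed, not taken from RFC-0001.
    chain = build_chain([{"type": "llm.call", "model": "demo"},
                         {"type": "tool.invocation", "tool": "search"},
                         {"type": "guardrail.check", "result": "pass"}])
    print(verify_chain(chain, expected_len=3))
    print(verify_chain([chain[0], chain[2], chain[1]], expected_len=3))
    print(verify_chain(chain[:2], expected_len=3))
```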
PII redaction & secrets scanning
First-class PII detection and redaction including a Presidio NLP backend covering 15 entity types with ≥ 95% true-positive rate. Secrets scanning with a 20-pattern registry detects API keys, tokens, and private keys before they leave your app.
Regulatory framework mapping
ComplianceMappingEngine maps events to obligations under EU AI Act, GDPR, SOC 2, ISO 42001, HIPAA, and NIST AI RMF. HMAC-signed evidence packages with remediation guidance and Markdown reports generated on demand for auditors.
Runtime governance control plane
Five runtime policy actions — allow, allow+log, redact, block, human_review — enforced by sf_policy, sf_scope, sf_rbac, sf_rag, and sf_lineage. Every decision is signed and attached to explainability evidence for operator review.
Compliance Evidence Chain (sf-cec)
Signed ZIP compliance bundles with five-framework clause mapping, DPA generation, RFC 3161 timestamps, and verifiable HMAC signing — ready for auditor hand-off.
T.R.U.S.T. Scorecard (sf-trust)
Five-pillar trust dimensions — Transparency, Reliability, UserTrust, Security, Traceability — with configurable weights, SVG badge output, history time-series, and HallucCheck pipeline integrations.
CI/CD Gate Pipeline (sf-gate)
YAML-driven quality gate pipeline with six gate executors covering schema, secrets, performance, PRRI, and trust. Blocking trust gate prevents unsafe releases from reaching production.
Enterprise hardening (sf-enterprise)
Multi-tenancy with project-level isolation, data residency enforcement (EU/US/AP/IN), AES-256-GCM encryption at rest, envelope encryption via cloud KMS, mTLS, FIPS 140-2 mode, and air-gap offline deployment.
SSO & Identity (sf-identity)
SFIdentityClient with SAML 2.0, SCIM 2.0 User/Group CRUD, OIDC PKCE relying party, API key management, TOTP, magic links, and SSO session delegation.
Alert routing (sf-alert)
Topic-based publish with deduplication, rate limiting, escalation policy, and maintenance windows. Sinks for Slack, Teams, PagerDuty, OpsGenie, VictorOps, Incident.io, SMS, and Webhook.
Export to any backend
OTLP, Webhook, JSONL, Datadog, Grafana Loki, Splunk, Elastic, SIEM (CEF/Syslog), OpenInference, and WORM-compliant S3/GCS backends. EventStream multiplexer with Apache Kafka support.
Security Review (sf-security)
OWASP API Security Top 10 audit, STRIDE threat modelling, dependency vulnerability scanning, static analysis, and secrets-in-logs detection — integrated into the compliance evidence workflow.
Up and running in an afternoon.
Instrument
Run pip install spanforge and emit RFC-0001 events from every LLM call, tool invocation, and decision point. Zero required dependencies. One-line setup with spanforge.configure().
Sign
Every event carries an HMAC-SHA256 signature chained to the previous event — a tamper-evident audit trail by design, not by configuration.
Govern
Runtime policy actions (allow, block, redact, human_review) enforced by sf_policy, sf_scope, sf_rbac, sf_rag, and sf_lineage — coordinated through one signed control plane.
Prove
ComplianceMappingEngine generates HMAC-signed evidence packages mapped to EU AI Act, GDPR, SOC 2, HIPAA, ISO 42001, and NIST AI RMF. Export operator packages and enterprise bundles for auditors.
Built for regulated, high-stakes AI.
Financial services
Credit decisions, fraud detection, customer communication agents, AML monitoring.
Healthcare
Clinical decision support, triage routing, patient-facing assistants, prior authorisation agents.
Legal & compliance
Contract analysis, regulatory monitoring, compliance automation, document review agents.
Operations & Automation
Procurement automation, HR decision support, internal knowledge agents, IT service automation.
The complete SpanForge stack.
From the open standard to the production SDK and developer tooling — every layer of the compliance stack is documented and ready to use.
RFC-0001 SPANFORGE
The schema specification at the core of the ecosystem. Defines the event envelope, 15 compliance & governance namespaces, HMAC audit chains, and four conformance profiles. Open and vendor-neutral.
Read the standard →
SpanForge SDK
pip install spanforge
The reference implementation. pip-installable, zero required dependencies, covers all 15 namespaces with quickstart, integrations, and a full CLI.
Explore the SDK →
Developer Tool
SpanForge Debug
Inspect, replay, and visualise SpanForge traces. Timeline views, span trees, tool-call analysis, cost attribution, and trace diffing for debugging production behaviour.
Explore SpanForge Debug →
Compliance Tool
SpanForge Validate
Reference validation CLI and Python SDK. Validate JSON/JSONL event streams against the SPANFORGE schema, verify HMAC chains, and integrate into CI pipelines for compliance gating.
Explore SpanForge Validate →
Know what your AI is doing. Always.
SpanForge is the compliance and governance platform for agentic AI systems. Instrument, sign, validate, and prove compliance from day one.