From a Risky Action to Evidence an Auditor Trusts
A consequential action, a payment, an IAM change, a bank switch, an agent tool call, gets a SentriAI verdict and an Action Trust Score, is sealed to a hash-chained ledger, and is mapped to the SOC 2 controls it satisfies. Later, verify_chain() proves the record has not been touched.
Illustrative product view
The path from an action to a control it satisfies
In most companies, the moment a risky action happens and the moment you need evidence of it are months apart, and someone reconstructs the trail from logs and email when the audit lands. This flow closes that gap: the decision and the evidence are the same event. When a consequential action is proposed, it is scored, a verdict is attached, the whole thing is sealed to a tamper-evident ledger, and it is mapped to the compliance controls it satisfies, all at the time it happens.
The five governed steps
- 1
1 · Capture the action
The actor (human or agent), the scope, and the intended effect are captured before anything runs.
- 2
2 · Score and decide
SentriAI returns an Action Trust Score and a verdict, allow, challenge, or block, computed on deterministic, explainable inputs.
- 3
3 · Seal it
The action, its score, and its verdict are written to an append-only, hash-chained ledger, so the record cannot be altered after the fact.
- 4
4 · Map to controls
The sealed entry is tagged to the SOC 2 controls it provides evidence for (for example CC6 access, CC7 monitoring), so evidence collection is a by-product of doing the work.
- 5
5 · Verify on demand
verify_chain() recomputes the hash chain to prove the ledger is intact, so an auditor can trust the trail without trusting your word for it.
Decision and evidence, the same event
| Output | What it is | Why it matters |
|---|---|---|
| Verdict | Allow, challenge, or block with a score | A decision at the moment of the action |
| Sealed entry | Append-only, hash-chained record | Tamper-evident proof it happened as recorded |
| Control mapping | Tagged to SOC 2 CC6 / CC7 and more | Evidence collected as a by-product, not a project |
Decides, records, can gate, actuates only at the boundary
Frequently asked questions
What does this incident-to-evidence flow do?
It turns a consequential action into audit-ready evidence in one motion: the action is scored, a verdict is attached, the record is sealed to a hash-chained ledger, and it is mapped to the SOC 2 controls it satisfies, so the decision and the evidence are the same event.
What is the Action Trust Score?
A score attached to a consequential action, computed from deterministic, documented inputs such as the actor trust, the autonomy level, the sensitivity of the scope, and the exposure. It drives an allow, challenge, or block verdict and can always be explained.
What does verify_chain() prove?
It recomputes the hash chain over the sealed ledger to show that no entry has been altered or removed since it was written. That is what makes the trail tamper-evident and trustworthy to an auditor without taking your word for it.
Does SentriAI actually stop a risky action?
It decides, records, and can gate, and live actuation (actually stopping or performing an action) happens at the MCP boundary and is opt-in. Everywhere else it is decide-and-observe: the verdict is real and sealed, but hard enforcement in production is a choice you enable deliberately.
How does this help with SOC 2?
Each sealed action is tagged to the controls it provides evidence for, such as CC6 access and CC7 monitoring, so evidence accumulates as a by-product of normal work instead of being gathered in a scramble before the audit.
Stay in the loop
One practical finance briefing a week - new guides, checklists, and benchmarks.
See a whole flow run on one brain
Book a walkthrough and watch a lead, a hire, or a bill move end to end, governed and sealed at every step.
Talk to us