air shipped on hn - open-source black box for ai agents, tamper-evident audit trails, 22 mapped controls across soc2, iso 27001, and eu ai act article 12. it's a careful build.
here's the part i keep telling founders shipping audit tooling.
tamper-evident logs are the easy half
merkle trees, hash chains, append-only s3 buckets - the literature is settled. shipping the engineering is a 2-week sprint for a competent team.
translation is the hard half
an auditor doesn't read merkle roots. a procurement team doesn't read soc2 control language. they read a one-page summary that says 'this system meets cc7.2 because the audit log is tamper-evident, retained 6 months, and exportable in case of incident'.
that translation - from control id to plain-english evidence - is what gets the po signed.
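an added example (not code from air or bizsuite, and not the author's) of the split described above: `verify_chain` is the query against the log, `cc72_evidence` is the paragraph you send back. the record schema, the 180-day reading of '6 months', the json export and every sample record are assumptions constructed for illustration.

```python
import hashlib, json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64
NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)  # constructed "today" so the run is repeatable

def entry_hash(prev, ts, event):
    # each hash covers the previous one, so editing a record breaks every later link
    body = json.dumps({"prev": prev, "ts": ts, "event": event}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def sample_log():
    """constructed agent audit records (hypothetical schema: prev, ts, event, hash)."""
    log = []
    for ts, event in [("2024-12-01T00:00:00+00:00", "agent.start"),
                      ("2025-03-10T09:30:00+00:00", "tool.call:search"),
                      ("2025-06-30T17:45:00+00:00", "agent.stop")]:
        prev = log[-1]["hash"] if log else GENESIS
        log.append({"prev": prev, "ts": ts, "event": event,
                    "hash": entry_hash(prev, ts, event)})
    return log

def verify_chain(log):
    """the engineering: index of the first broken link, or None if the chain is intact."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["ts"], e["event"]):
            return i
        prev = e["hash"]
    return None

def cc72_evidence(log, now=NOW, retention_days=180):
    """the deliverable: one paragraph, or a refusal that names the failed check."""
    if not log:
        return "cc7.2: NOT SUPPORTED - the log is empty."
    broken = verify_chain(log)
    if broken is not None:
        return f"cc7.2: NOT SUPPORTED - hash chain breaks at record {broken}."
    oldest = datetime.fromisoformat(log[0]["ts"])
    held = (now - oldest).days
    if now - oldest < timedelta(days=retention_days):
        return f"cc7.2: NOT SUPPORTED - only {held} days retained, need {retention_days}."
    export = json.dumps(log)  # exportable: the whole log serialises to one json document
    return (f"cc7.2: supported. {len(log)} records form an intact sha-256 hash chain "
            f"(head {log[-1]['hash'][:12]}), {held} days are retained since "
            f"{oldest.date()}, and the log exports as {len(export)} bytes of json.")

if __name__ == "__main__":
    print(cc72_evidence(sample_log()))
```

the paragraph is only ever generated from a log that passes verification, so the summary cannot outlive the evidence behind it.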
the bizsuite layer on top
for any open-source audit log (air, langfuse, traceloop, custom), bizsuite ships the translation:
- map your log schema to the 22 (or 47, or 113) controls the buyer asks about
- generate a procurement-ready pdf with the evidence inline
- update it as your system changes - because controls drift faster than docs
4 hours. $997 per agent. delivered.
the test
ask any audit tool - 'when the buyer's gc emails me asking how we comply with cc7.2, what do i send back'. if the answer is 'a query against the log', that's the engineering. if the answer is 'this paragraph from the procurement-ready pdf', that's the deliverable.
air ships the engineering. bizsuite ships the deliverable.