Audit trails that can't lie.
Faramesh writes a tamper-evident record for every tool call. The verdict, the policy, the rule, the input, the output, the latency. Hash-chained, replayable, and durable. The trail your security team and auditors will actually want to see.
What you see when you tail the trail.
Real output from faramesh audit tail. Every verdict streams in the moment Faramesh decides. Permit, deny, defer. Color-coded so you can scan it.
Four fields. Every action. No exceptions.
Faramesh records the same four pieces of evidence for every tool call. No partial entries, no skipped fields, no quiet failures.
Permit, deny, or defer.
Every tool call resolves to one of three outcomes. The verdict is recorded with a timestamp accurate to the millisecond.
The exact rule that fired.
Which policy version was active. Which rule matched. Why this rule and not another. Auditors can reconstruct the decision.
What the agent tried to do.
Tool name, arguments, and outputs are captured in their canonical form. PII redaction rules apply where you configure them.
How long the engine took.
Engine evaluation time and full pipeline latency, recorded per decision. Useful for SLA monitoring and incident forensics.
Records that prove themselves.
The audit chain is structurally tamper-evident. You can verify integrity from any point in time without trusting the storage layer.
Each record stores the hash of the record before it. Any modification to record #001 changes its hash, which breaks the linkage to #002, which breaks #003, and so on. Verifying the chain takes one pass.
Every record links to the last.
Each entry's hash includes the previous entry's hash. Modify any record and every record after it breaks the chain.
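The one-pass check described above, as an added Python example. This is not Faramesh's code or record format: the field names, the SHA-256 choice, the all-zero genesis value, and the sample records are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first record

def record_hash(prev_hash, body):
    # Canonical JSON (sorted keys, fixed separators): equal bodies hash equally.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()

def append(chain, body):
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev_hash, "body": body,
                  "hash": record_hash(prev_hash, body)})

def verify(chain, expected_head=None):
    """One pass. Returns (ok, index of first bad record).
    An index equal to len(chain) means the head hash did not match."""
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev_hash:
            return False, i
        if rec["hash"] != record_hash(prev_hash, rec["body"]):
            return False, i
        prev_hash = rec["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(chain)
    return True, None

def build_sample():
    # Constructed sample records; field names are illustrative only.
    chain = []
    for verdict, tool in [("permit", "search"), ("deny", "shell"), ("defer", "payment")]:
        append(chain, {"verdict": verdict, "tool": tool,
                       "policy_version": "v-example", "rule": "rule-example"})
    return chain

if __name__ == "__main__":
    chain = build_sample()
    head = chain[-1]["hash"]                  # keep a copy outside the log store
    print(verify(chain, head))
    chain[1]["body"]["verdict"] = "permit"    # edit in place, hash left stale
    print(verify(chain, head))
```

A chain on its own cannot detect someone who rewrites every record from the modified one onward, or who drops records from the end. Comparing the final hash with a copy kept outside the storage layer (the expected_head argument here) catches both.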
Durable before the action runs.
Decisions are written to a write-ahead log before execution. The log is the source of truth.
No log, no execution.
If the audit write fails for any reason, the verdict converts to deny. There is no path to action without a durable record.
Pull any decision back. See exactly why.
Every action gets an ID. Six months later when an auditor asks why, run faramesh explain against the ID. The same policy version that was active when the call happened replays the same verdict. Deterministic by design.
Probabilistic governance can't replay decisions. The same input run twice produces different outputs. There is no defensible answer to "why did this happen." Faramesh's evaluation is a pure function of policy and input.
faramesh audit tail streams every verdict as it fires. Combine with the explain command to drill into anything that catches your attention.
Evidence in the formats auditors recognize.
Compliance teams are asked the same questions during every audit. Faramesh records the evidence that answers them.
Logical access control
Every tool call recorded with the verdict, the policy version active at decision time, and the specific rule that fired. Hash-chained and replayable on demand.
Authentication & authorization audit trails
Every credential issuance is logged with the policy that authorized it. Vault-brokered with TTL. Agent never holds raw credentials.
Change management records
Policy changes are versioned. Decisions are tied to specific policy versions. Replay any decision against the exact policy active when it ran.
Tamper-evident logging
Hash-chained WAL-backed records. Modifying any record breaks the chain. Failed write converts the verdict to deny. No execution without durable evidence.
Faramesh produces evidence formats commonly accepted by auditors during SOC 2, ISO 27001, and HIPAA audits. Faramesh does not provide certification or attestation services. Your organization's controls, policies, and processes determine compliance outcomes.
Plugs into the tools you already run.
Faramesh exposes Prometheus-compatible metrics on a standard endpoint. Build dashboards, set alerts, correlate with the rest of your stack.
Prometheus
Native metrics on /metrics. Scrape with your existing stack.
Grafana
Build dashboards from Faramesh metrics. Alert on verdict patterns and latency.
Datadog & New Relic
OpenMetrics scraping. Correlate verdicts with the rest of your application telemetry.
Three pillars of agent governance.
Runtime Enforcement
Pre-execution control of every tool call. Non-bypassable across 13 frameworks.
Policy Engine
Deterministic verdicts in microseconds. FPL, YAML, or Python annotations.
Integrations
Vault, AWS, GCP, Azure for credentials. Prometheus for metrics. SPIFFE for identity.
Ship your agents to production.
Every agent you deploy deserves a policy, an audit log, and a human in the loop.
Open source. Self-hosted or cloud. No credit card required.