Done-for-you offer · Fractional CMO with AI Swarm · audit-trail 4-skill bundle · audit-trail agent
Cross-agent routing audit trail for multi-unit franchise, multi-location retail, multi-location service brand, DTC ecommerce, B2B SaaS, and PE-sponsored portfolio operators — Capture + Sign + Preserve + Attest 4-skill bundle on the audit-trail agent, under a 5-anchor compliance overlay anchored on NIST AI RMF + ISO 42001 + EU AI Act Article 12 record-keeping + Article 13/14/17/26/50/72 + ISO 27001 + 27017 + 27018 + SOC 2 Type II, SOX 404 + SEC Item 1.05 + Item 106 + FDA 21 CFR Part 11 + GMLP + SaMD + CDS, attorney-client privilege (Upjohn + work-product + ABA Model Rules + SOX 307), per-vertical (HIPAA 45 CFR 164.312 + 164.530(j)(2) + FCRA + GLBA + Washington MHMDA + PCI DSS Requirement 10 + DTSA), and privacy + CCPA + GDPR Article 22/28/30 + DSA + Colorado AI Act + NYC LL144 + EEOC + COPPA + AADC
Your AI swarm makes continuous cross-agent routing decisions across 10-100 per-agent + per-skill model variants. Every decision must be captured + cryptographically signed + preserved on tamper-evident WORM storage with operator-counsel-approved per-record classification (PHI + PCI + consumer-report + financial + privileged + work-product + trade-secret + MNPI + ordinary-class). NIST AI RMF (NIST AI 100-1) Map + Measure + Manage + ISO/IEC 42001 Clause 8 + EU AI Act (Regulation 2024/1689) Article 12 record-keeping for high-risk AI + Article 13 + Article 14 + Article 17 + Article 26 + Article 50 + Article 72 + ISO/IEC 27001 + ISO/IEC 27017 + ISO/IEC 27018 + SOC 2 Type II impose audit-trail integrity + access-control + retention requirements. SOX Section 404 + SEC Reg S-K Item 1.05 Material Cybersecurity Incidents (effective December 18, 2023) + Item 106 annual cybersecurity disclosure require audit-trail evidence + materiality assessment routing. FDA 21 CFR Part 11 electronic records and signatures + FDA Good Machine Learning Practice (GMLP) + FDA Software as a Medical Device (SaMD) + FDA Clinical Decision Support (CDS) apply when AI operates in regulated computerized systems. Attorney-client privilege under Upjohn v United States (449 U.S. 383, 1981) + work-product doctrine under Hickman v Taylor (329 U.S. 495, 1947) + Federal Rule of Civil Procedure 26(b)(3) + ABA Model Rules 1.6 + 1.13 + 2.1 + SOX Section 307 require privilege-class tagging + segregated privilege-protected audit-class records. Per-vertical HIPAA 45 CFR 164.312 technical safeguards audit controls + 45 CFR 164.530(j)(2) 6-year audit-log retention + FCRA + GLBA + Washington MHMDA + PCI DSS 4.0 Requirement 10 + DTSA apply. CCPA + GDPR Article 22/28/30 + DSA + Colorado AI Act + NYC LL144 + EEOC + Mobley v Workday + COPPA + AADC apply broadly. The WORM storage, audit logging, SIEM, distributed tracing, LLM observability, and eventing vendors below ship strong primitives.
The orchestration above them is operator-side architecture. You keep all subscriptions, posture libraries, cryptographic keys, and audit trail. You keep the ability to in-house at any time.
Published September 24, 2026
The real ecosystem this sits above
WORM storage + audit logging + SIEM
WORM storage: AWS S3 Object Lock, GCS retention policy, Azure Blob immutable storage, Snowflake Time Travel. Audit logging: Splunk, Datadog, AWS CloudTrail, Azure Monitor, Google Cloud Audit Logs, Elastic, LogRhythm, IBM QRadar, Sumo Logic. SIEM: Splunk, IBM QRadar, LogRhythm, Exabeam, Sumo Logic, Microsoft Sentinel, Chronicle. Each ships strong primitives. Per-record classification + cryptographic signing + per-statute retention class library above them is operator-side architecture.
Distributed tracing + LLM observability + eventing + KMS
Distributed tracing: Jaeger, Zipkin, Grafana Tempo, DataDog, Honeycomb, Lightstep, Splunk Observability. LLM observability: LangSmith, LangFuse, Helicone, Arize Phoenix, Weights & Biases Weave, Datadog LLM Observability. Eventing: Apache Kafka, Confluent, AWS Kinesis, Google Pub/Sub, Azure Event Hubs, Apache Pulsar. KMS: AWS KMS, Google Cloud KMS, Azure Key Vault, HashiCorp Vault. Each ships strong primitives. Operator-counsel-and-regulatory-affairs-approved attorney-client privilege + work-product + FDA Part 11 + per-vertical regulator posture above them is operator-side architecture.
Policy-as-code + legal research
Policy-as-code: OPA Rego, AWS Cedar, Casbin, Cerbos, Oso. Legal: Westlaw, Lexis+, Bloomberg Law, Practical Law. Each ships strong primitives. The 5-anchor compliance gate is operator-side architecture.
Frequently asked
What does cross-agent routing audit trail deliver, and how does the 4-skill bundle decompose?
An orchestration layer above the operator WORM storage + audit logging + SIEM + distributed tracing + LLM observability + eventing + policy-as-code stack that captures every cross-agent routing decision across the operator AI swarm + signs each record + preserves them on tamper-evident WORM storage + attests record integrity under operator-counsel-approved NIST AI RMF + ISO 42001 + EU AI Act Article 12 record-keeping + Article 13/14/17/26/72 + SOX 404 + SEC Item 1.05 + Item 106 + FDA 21 CFR Part 11 + attorney-client privilege preservation + per-vertical regulator + DTSA + privacy + Colorado AI Act + NYC LL144 + EEOC gates. Skill 1 — Capture: capture every routing event across operator distributed tracing (Jaeger + Zipkin + Grafana Tempo + DataDog + Honeycomb + Lightstep + Splunk Observability — operator chooses), LLM observability (LangSmith + LangFuse + Helicone + Arize Phoenix + Weights & Biases Weave + Datadog LLM Observability — operator chooses), eventing (Apache Kafka + Confluent + AWS Kinesis + Google Pub/Sub + Azure Event Hubs + Apache Pulsar — operator chooses), audit logging (Splunk + Datadog + AWS CloudTrail + Azure Monitor + Google Cloud Audit Logs + Elastic + LogRhythm + IBM QRadar + Sumo Logic — operator chooses), and SIEM (Splunk + IBM QRadar + LogRhythm + Exabeam + Sumo Logic + Microsoft Sentinel + Chronicle — operator chooses) with operator-counsel-approved per-record classification (PHI + PCI + consumer-report + financial + privileged + work-product + trade-secret + MNPI + ordinary-class) and per-record privilege-class tagging. Skill 2 — Sign: cryptographically sign each captured record with operator-controlled signing key + per-record timestamp + per-record hash chain + per-record content-hash (SHA-256 or SHA-3) + operator-counsel-approved per-record privilege marker + per-record DTSA trade-secret marker + per-record EU AI Act Article 12 record-keeping classification. 
Skill 3 — Preserve: write signed records to operator WORM storage (AWS S3 Object Lock with Governance or Compliance mode + GCS retention policy + Azure Blob immutable storage + Snowflake Time Travel — operator chooses) under operator-counsel-approved per-statute retention class (SOX 7 year + SEC Item 1.05 5 year + Item 106 5 year + HIPAA 6 year + 45 CFR 164.530(j)(2) audit-log retention requirements + FCRA 5 year + GLBA 6 year + PCI DSS 1 year minimum audit + 3 month immediately available + FDA Part 11 record retention per per-vertical + Colorado AI Act variable + NYC LL144 variable + GDPR 6 year + CCPA 3 year + COPPA 1 year + DTSA 3 year + IRS 7 year + EU AI Act 10 year + per-vertical regulator variable). Preserve enforces ISO/IEC 27001 + ISO/IEC 27017 (cloud security) + ISO/IEC 27018 (PII protection in cloud) + SOC 2 Type II availability + confidentiality controls + per-vendor sub-processor attestation under GDPR Article 28. Skill 4 — Attest: emit per-record per-class attestation (NIST AI RMF posture + EU AI Act Article 12 record-keeping classification + ISO 42001 posture + SOX 404 evidence + SEC Item 1.05 + Item 106 readiness + FDA Part 11 + per-vertical regulator + privilege-class tagging + DTSA marker + Colorado AI Act + NYC LL144 + EEOC posture + counsel-policy-version + key-rotation-log) to the operator WORM audit trail.
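The Skill 2 Sign record described above (content hash, hash chain, timestamp, classification and privilege marker under one signature), with a verifier that reports which check fails after an edit or a deletion. This is an added example, not Completions' or any vendor's code; HMAC-SHA256 stands in for the operator KMS signing call, and the field names, genesis value, demo key and agent names are assumptions.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_hash of the first record (assumed convention)
HEADER_FIELDS = ("seq", "timestamp", "classification", "privilege_class",
                 "content_hash", "prev_hash")


def _canonical(obj):
    """Deterministic JSON bytes so the same record always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def _sign(key, record_hash):
    # HMAC-SHA256 is a stdlib stand-in for a KMS/HSM signing call (assumption).
    return hmac.new(key, record_hash.encode(), hashlib.sha256).hexdigest()


def append_record(chain, key, timestamp, classification, privilege_class, payload):
    """Sign one routing event and link it to the previous record."""
    header = {
        "seq": len(chain),
        "timestamp": timestamp,
        "classification": classification,
        "privilege_class": privilege_class,
        "content_hash": _sha256(_canonical(payload)),
        "prev_hash": chain[-1]["record_hash"] if chain else GENESIS,
    }
    # The signature covers the header hash, so the markers are bound to the content.
    record_hash = _sha256(_canonical(header))
    record = dict(header, payload=payload, record_hash=record_hash,
                  signature=_sign(key, record_hash))
    chain.append(record)
    return record


def verify_chain(chain, key):
    """Return a list of (index, failed_check) pairs; an empty list means intact."""
    problems = []
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i:
            problems.append((i, "seq"))            # record removed or reordered
        if rec["prev_hash"] != prev:
            problems.append((i, "prev_hash"))      # link to predecessor broken
        if _sha256(_canonical(rec["payload"])) != rec["content_hash"]:
            problems.append((i, "content_hash"))   # payload edited
        expected = _sha256(_canonical({f: rec[f] for f in HEADER_FIELDS}))
        if expected != rec["record_hash"]:
            problems.append((i, "record_hash"))    # marker or timestamp edited
        if not hmac.compare_digest(_sign(key, expected), rec["signature"]):
            problems.append((i, "signature"))      # not signed with this key
        prev = expected  # chain on the recomputed hash, not the stored one
    return problems


def build_sample_chain(key):
    """Three constructed routing events; agent names are hypothetical."""
    chain = []
    append_record(chain, key, "2026-09-24T10:00:00Z", "ordinary-class",
                  "not privileged", {"from": "planner", "to": "copywriter"})
    append_record(chain, key, "2026-09-24T10:00:05Z", "PHI",
                  "privileged-work-product",
                  {"from": "copywriter", "to": "legal-review"})
    append_record(chain, key, "2026-09-24T10:00:09Z", "ordinary-class",
                  "not privileged", {"from": "legal-review", "to": "publisher"})
    return chain


DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

if __name__ == "__main__":
    chain = build_sample_chain(DEMO_KEY)
    print("intact:", verify_chain(chain, DEMO_KEY))
    chain[1]["privilege_class"] = "not privileged"  # marker changed after signing
    print("after edit:", verify_chain(chain, DEMO_KEY))
```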
Where does single-vendor WORM storage stop compounding for cross-agent routing audit trail at AI-swarm scale?
Single-vendor WORM storage is solved. AWS S3 Object Lock + GCS retention policy + Azure Blob immutable storage + Snowflake Time Travel ship strong WORM primitives. Splunk + Datadog + AWS CloudTrail + Azure Monitor + Google Cloud Audit Logs + Elastic + LogRhythm + IBM QRadar + Sumo Logic ship strong audit logging. Splunk + IBM QRadar + LogRhythm + Exabeam + Sumo Logic + Microsoft Sentinel + Chronicle ship strong SIEM. Jaeger + Zipkin + Grafana Tempo + DataDog + Honeycomb + Lightstep + Splunk Observability ship strong distributed tracing. LangSmith + LangFuse + Helicone + Arize Phoenix + Weights & Biases Weave + Datadog LLM Observability ship strong LLM observability. Apache Kafka + Confluent + AWS Kinesis + Google Pub/Sub + Azure Event Hubs + Apache Pulsar ship strong eventing. The compound case the audit-trail agent has to handle is the one where (a) operator runs an AI swarm with 10-100 per-agent + per-skill model variants concurrently in production making continuous cross-agent routing decisions with operator-counsel-approved per-record classification needs (PHI + PCI + consumer-report + financial + privileged + work-product + trade-secret + MNPI + ordinary-class), (b) NIST AI RMF (NIST AI 100-1) Map + Measure + Manage functions impose continuous record-keeping obligations + EU AI Act (Regulation 2024/1689) Article 12 record-keeping for high-risk AI + Article 13 transparency + Article 14 human oversight + Article 17 quality management system + Article 26 deployer + Article 72 post-market monitoring + Article 50 generative-content marking, (c) ISO/IEC 42001 Clause 8 + Clause 9 Performance evaluation + Clause 10 Improvement + ISO/IEC 27001 information security management + ISO/IEC 27017 cloud security + ISO/IEC 27018 PII protection in cloud + SOC 2 Type II availability + confidentiality controls impose audit-trail integrity + access-control + retention requirements, (d) SOX Section 404 internal controls over financial reporting + Section 302 CEO/CFO + Section 906 + 
Section 307 attorney reporting + SEC Reg S-K Item 1.05 Material Cybersecurity Incidents (effective December 18, 2023) four-business-day Form 8-K + Item 106 annual cybersecurity disclosure require audit-trail evidence + materiality assessment routing, (e) FDA 21 CFR Part 11 electronic records and signatures (audit trail integrity + access control + computer-system validation + electronic signature + time stamping requirements) + FDA Good Machine Learning Practice (GMLP) + FDA Software as a Medical Device (SaMD) + FDA Clinical Decision Support (CDS) apply when AI swarm operates in regulated computerized systems, (f) attorney-client privilege preservation under Upjohn v United States (449 U.S. 383, 1981) + work-product doctrine under Hickman v Taylor (329 U.S. 495, 1947) + Federal Rule of Civil Procedure 26(b)(3) + ABA Model Rules 1.6 + 1.13 + 2.1 + SOX Section 307 attorney reporting up-the-ladder require privilege-class tagging + segregated privilege-protected audit-class records to prevent privilege waiver under subject-matter test + selective-waiver doctrine, (g) per-vertical regulator — HIPAA 45 CFR 164.312 technical safeguards audit controls require recording and examining activity in information systems that contain PHI + HIPAA Security Rule audit-trail requirements + 45 CFR 164.530(j)(2) audit-log retention 6 years; HITECH Act expanded business-associate liability; FCRA 15 USC 1681 audit trail when consumer-report data processed; GLBA Safeguards Rule audit trail when financial data; Washington MHMDA audit trail when consumer health data; per-vertical FDA OPDP + DEA + DISCUS + per--regulator + FDA CTP + state insurance + state medical-board, (h) DTSA 18 USC 1836 + state Uniform Trade Secrets Act when audit-trail records contain operator trade-secret or could expose operator to vendor trade-secret claims, (i) privacy + per-vendor sub-processor + CCPA + GDPR Article 22 + Article 28 + Article 30 records of processing + Article 32 security + Article 35 DPIA + DSA + 
COPPA + AADC + Colorado AI Act SB 24-205 (effective February 1, 2026) + NYC Local Law 144 (effective July 5, 2023) + EEOC algorithmic discrimination guidance + Mobley v Workday class certification 2024. Without an orchestration layer above the WORM + audit logging + SIEM + distributed tracing + LLM observability + eventing vendors, NIST AI RMF + EU AI Act Article 12 record-keeping fragments, ISO/IEC 27001 + 27017 + 27018 + SOC 2 evidence breaks, SOX 404 internal-controls evidence breaks, SEC Item 1.05 materiality assessment + Item 106 disclosure preparedness fragments, FDA Part 11 + GMLP + SaMD + CDS posture fragments when regulated AI applies, attorney-client privilege fragments when AI-generated content circulates without privilege markers + work-product markers, per-vertical regulator audit-trail requirements (HIPAA 164.312 + FCRA + GLBA + Washington MHMDA) fragment, DTSA exposure compounds, Colorado AI Act + NYC LL144 + EEOC posture goes unmaintained. The orchestration above the vendors is what holds the cross-agent + cross-skill + cross-vertical + cross-jurisdiction invariants.
How does Skill 3 Preserve handle FDA 21 CFR Part 11 electronic records and signatures + audit trail integrity + access control + computer-system validation?
FDA Part 11 posture is operator-counsel-and-regulatory-affairs-approved per-system-class. FDA 21 CFR Part 11 (Electronic Records; Electronic Signatures) imposes integrity + authenticity + security + audit-trail + access-control requirements on electronic records used to meet predicate-rule recordkeeping requirements. Subpart B closed-system controls require validation of systems to ensure accuracy + reliability + consistent intended performance + ability to discern invalid or altered records + ability to generate accurate + complete copies of records in human-readable and electronic form + protection of records to enable accurate + ready retrieval throughout the records retention period + access limited to authorized individuals + secure computer-generated time-stamped audit trails to independently record date and time of operator entries and actions that create, modify, or delete electronic records (without obscuring previously recorded information) + use of operational system checks to enforce permitted sequencing of steps and events as appropriate + authority checks to ensure that only authorized individuals can use the system + electronically sign + access the operation or computer system input or output device + alter a record + perform the operation at hand + use of device checks + persons who develop maintain or use electronic record/electronic signature systems have the education training and experience to perform their assigned tasks + establishment of and adherence to written policies that hold individuals accountable + appropriate controls over systems documentation. Subpart C electronic signatures require unique identification + non-repudiation. FDA Good Machine Learning Practice (GMLP) guidance applies when AI/ML used in medical devices. FDA Software as a Medical Device (SaMD) guidance applies when software meets device definition. FDA Clinical Decision Support (CDS) guidance applies when software supports clinical decisions. 
Per-vertical FDA OPDP + DEA + DISCUS + per--regulator + FDA CTP + state insurance + state medical-board impose additional per-vertical requirements. Preserve enforces operator-counsel-and-regulatory-affairs-approved Part 11 posture per system class (not Part-11-subject + Part-11-subject with full subpart B + subpart C compliance + Part-11-subject with paper-equivalent equivalence + paused pending review + prohibited). Per-system-class Part 11 + GMLP + SaMD + CDS + per-vertical regulator attestation writes to operator WORM audit trail with rule-citation evidence + counsel-policy-version + regulatory-affairs-policy-version.
How does the orchestration preserve attorney-client privilege + work-product doctrine + ABA Model Rules + SOX 307 across AI-generated routing records?
Privilege posture is operator-counsel-approved per-record-class. Upjohn v United States (449 U.S. 383, 1981) established the subject-matter test for corporate attorney-client privilege — communications between counsel and employees within the scope of their employment for the purpose of obtaining legal advice are privileged when made with the intent of confidentiality and not waived. Work-product doctrine under Hickman v Taylor (329 U.S. 495, 1947) and Federal Rule of Civil Procedure 26(b)(3) protects materials prepared in anticipation of litigation. Privilege can be waived through (a) disclosure to non-privileged parties, (b) subject-matter waiver when partial disclosure on a subject is made, (c) selective-waiver doctrine (varies by circuit — some circuits do not recognize selective waiver to government agencies). AI-generated records circulating without privilege markers risk waiver. ABA Model Rules 1.6 (confidentiality of information) + 1.13 (organization as client) + 2.1 (lawyer as adviser) impose attorney professional responsibility for protecting privileged communications. SOX Section 307 (attorney conduct) requires attorney reporting up-the-ladder when there is credible evidence of material violations + breaches of fiduciary duty. The orchestration assigns each routing record an operator-counsel-approved privilege-class tag (not privileged + privileged-attorney-client-communication + privileged-work-product + dual-purpose-privileged-and-business + selective-waiver-class + waived-but-segregated + paused pending counsel review + prohibited from routing without privilege review). Preserve segregates privilege-protected audit-class records from ordinary-class records with separate retention class + separate access control + separate cryptographic signing key + separate WORM container. 
Per-record privilege-class tagging + Upjohn subject-matter analysis + work-product analysis + selective-waiver-class analysis + ABA Model Rules 1.6 + 1.13 + 2.1 + SOX Section 307 attestation writes to operator WORM audit trail with case-law-citation evidence + counsel-policy-version + privilege-counsel-stamp.
What compliance does the orchestration enforce, and how does it map to NIST AI RMF + ISO 42001 + EU AI Act Article 12 + SOX 404 + SEC + FDA Part 11 + privilege + per-vertical + DTSA + privacy?
Five anchors. Anchor 1 — NIST AI RMF + ISO 42001 + EU AI Act Article 12 + Article 13/14/17/26/72 + ISO 27001 + ISO 27017 + ISO 27018 + SOC 2. NIST AI RMF (NIST AI 100-1) Map + Measure + Manage. ISO/IEC 42001 Clause 8 Operation + Clause 9 Performance evaluation + Clause 10 Improvement. EU AI Act (Regulation 2024/1689) Article 12 record-keeping for high-risk AI + Article 13 transparency + Article 14 human oversight + Article 17 quality management system + Article 26 deployer obligations + Article 50 generative-content marking + Article 72 post-market monitoring. ISO/IEC 27001 information security management. ISO/IEC 27017 cloud security. ISO/IEC 27018 PII protection in cloud. SOC 2 Type II availability + confidentiality controls. Anchor 2 — SOX 404 + SEC Item 1.05 + Item 106 + FDA Part 11 + GMLP + SaMD + CDS + per-vertical regulator. SOX Section 404 internal controls over financial reporting + Section 302 CEO/CFO + Section 906 + Section 307 attorney reporting + SEC Reg S-K Item 1.05 Material Cybersecurity Incidents (effective December 18, 2023) + Item 106 annual cybersecurity disclosure + FDA 21 CFR Part 11 electronic records and signatures + Subpart B closed-system controls + Subpart C electronic signature requirements + FDA Good Machine Learning Practice (GMLP) + FDA Software as a Medical Device (SaMD) + FDA Clinical Decision Support (CDS) + per-vertical FDA OPDP + DEA + DISCUS + per--regulator + FDA CTP + state insurance + state medical-board. Anchor 3 — Attorney-client privilege + work-product + ABA Model Rules + SOX 307. Upjohn v United States (449 U.S. 383, 1981) + Hickman v Taylor (329 U.S. 495, 1947) + Federal Rule of Civil Procedure 26(b)(3) + ABA Model Rules 1.6 + 1.13 + 2.1 + SOX Section 307 attorney reporting up-the-ladder + privilege-class tagging + segregated privilege-protected audit-class records + selective-waiver doctrine + subject-matter waiver analysis. Anchor 4 — Per-vertical regulator + DTSA. 
HIPAA 45 CFR Parts 160 + 164 + 164.312 technical safeguards audit controls + 45 CFR 164.530(j)(2) 6-year audit-log retention + HIPAA Security Rule audit-trail requirements + HITECH Act + Office of Inspector General compliance program guidance + FCRA 15 USC 1681 + GLBA Safeguards Rule + Washington My Health My Data Act + PCI DSS 4.0 Requirement 10 logging and monitoring + per-vertical FDA OPDP + DEA + DISCUS + per--regulator + FDA CTP + state insurance + state medical-board + DTSA 18 USC 1836 + state Uniform Trade Secrets Act. Anchor 5 — Privacy + per-vendor sub-processor + DSA + Colorado AI Act + NYC LL144 + EEOC + COPPA + AADC. CCPA Section 1798.140(ae) cross-context + state-comprehensive-privacy + GDPR Articles 5 + 6 + 9 + 22 automated individual decision-making + 25 + 26 + 28 processor + 30 records of processing + 32 + 35 DPIA + ePrivacy + UK GDPR + UK PECR + EU DSA Article 16 + Article 28 + COPPA + AADC + Colorado AI Act SB 24-205 (effective February 1, 2026) + NYC Local Law 144 (effective July 5, 2023) + EEOC algorithmic discrimination guidance + Mobley v Workday class certification 2024 + EEOC 4/5ths rule. Broader gate enforced via policy-as-code. WORM audit trail with per-statute retention (SOX 7yr + SEC Item 1.05 5yr + Item 106 5yr + HIPAA 6yr per 45 CFR 164.530(j)(2) + FCRA 5yr + GLBA 6yr + PCI DSS 1yr minimum audit + 3 months immediately available + FDA Part 11 variable + Colorado AI Act variable + NYC LL144 variable + GDPR 6yr + CCPA 3yr + COPPA 1yr + DTSA 3yr + IRS 7yr + EU AI Act 10yr + privilege SOL variable) per operator counsel policy.
What does the engagement look like across Tier 1 → Tier 2 → Tier 3, and what does the Tier 3 reporting cycle commit to?
Tier 1 AI Readiness Assessment (2-3 weeks): audits the operator current cross-agent routing audit trail posture; gap-pack identifies which routing events lack per-record classification (PHI + PCI + consumer-report + financial + privileged + work-product + trade-secret + MNPI + ordinary-class), which lack cryptographic signing + per-record hash chain + per-record content-hash, which lack WORM preservation under operator-counsel-approved per-statute retention class, which lack NIST AI RMF + ISO 42001 + EU AI Act Article 12 record-keeping + Article 13/14/17/26/72 posture, which lack SOX 404 internal-controls + SEC Item 1.05 materiality + Item 106 disclosure preparedness, which lack FDA 21 CFR Part 11 + GMLP + SaMD + CDS + per-vertical regulator posture, which lack attorney-client privilege preservation + work-product + ABA Model Rules + SOX 307 + privilege-class tagging + segregated privilege-protected audit-class records, which lack per-vertical HIPAA 164.312 + 164.530(j)(2) + FCRA + GLBA + Washington MHMDA + PCI DSS audit-trail posture, which lack DTSA + state UTSA register, which lack CCPA + GDPR + DSA + Colorado AI Act + NYC LL144 + EEOC + COPPA + AADC posture. 
Tier 2 AI Swarm Setup Sprint (4-8 weeks): builds the 4-skill bundle on the audit-trail agent, wires WORM storage + audit logging + SIEM + distributed tracing + LLM observability + eventing + policy-as-code (operator-chosen subset), configures the operator-counsel-and-regulatory-affairs-and-AI-governance-team-approved per-record classification + cryptographic signing + WORM preservation + NIST AI RMF + ISO 42001 + EU AI Act Article 12/13/14/17/26/50/72 + ISO 27001/27017/27018 + SOC 2 + SOX 404 internal-controls + SEC Item 1.05 + Item 106 + FDA Part 11 + GMLP + SaMD + CDS + per-vertical regulator + attorney-client privilege + work-product + ABA Model Rules + SOX 307 + per-vertical HIPAA + FCRA + GLBA + DTSA register + CCPA + GDPR + DSA + Colorado AI Act + NYC LL144 + EEOC + COPPA + AADC, runs 30-day shadow + canary with Preserve in dry-run before flipping to enforce-mode. Tier 3 Fractional CMO with AI Swarm (6-month minimum): continues with continuous Capture + Sign + Preserve + Attest. Tier 3 reporting is a 6-workstream pre-engagement-baseline reporting cycle (per-record classification freshness + cryptographic signing + key-rotation log freshness + NIST AI RMF + EU AI Act Article 12 + ISO 42001 evidence + SOX 404 + SEC Item 1.05 + Item 106 routing freshness + FDA Part 11 + per-vertical regulator posture freshness + attorney-client privilege preservation + work-product evidence + per-vertical HIPAA + FCRA + GLBA audit-trail completeness + WORM audit-trail tamper-evidence completeness) measured against the operator’s pre-engagement baseline. 
Reporting carries explicit caveats: vendor SLA + NIST AI RMF version updates + ISO 42001 + ISO 27001 + ISO 27017 + ISO 27018 amendments + EU AI Act implementing acts + EU AI Office guidance + SOC 2 Type II framework updates + SOX 404 evolving guidance + SEC Item 1.05 + Item 106 interpretive guidance + FDA Part 11 + GMLP + SaMD + CDS guidance evolution + per-vertical regulator amendments + ABA Model Rules amendments + SOX 307 + privilege case-law evolution (Upjohn progeny + work-product progeny + selective-waiver doctrine evolution) + HIPAA + FCRA + GLBA + Washington MHMDA + PCI DSS amendments + DTSA + state UTSA case-law + Colorado AI Act progeny + NYC LL144 amendments + EEOC + Mobley v Workday progeny + DSA + CCPA + state-comprehensive-privacy implementing rules sit outside Completions' control. Attorney-client privilege preservation across operator-counsel-and-regulatory-affairs-approved rulesets.
Who owns the WORM storage, the SIEM, the privilege-class tagging register, the per-statute retention policy, and the audit trail?
Operator owns every artifact. WORM storage (AWS S3 Object Lock + GCS retention policy + Azure Blob immutable storage + Snowflake Time Travel — operator chooses) runs under operator cloud account. Audit logging (Splunk + Datadog + AWS CloudTrail + Azure Monitor + Google Cloud Audit Logs + Elastic + LogRhythm + IBM QRadar + Sumo Logic — operator chooses) runs under operator account. SIEM (Splunk + IBM QRadar + LogRhythm + Exabeam + Sumo Logic + Microsoft Sentinel + Chronicle — operator chooses) runs under operator account. Distributed tracing (Jaeger + Zipkin + Grafana Tempo + DataDog + Honeycomb + Lightstep + Splunk Observability — operator chooses) runs under operator account. LLM observability (LangSmith + LangFuse + Helicone + Arize Phoenix + Weights & Biases Weave + Datadog LLM Observability — operator chooses) runs under operator account. Eventing (Apache Kafka + Confluent + AWS Kinesis + Google Pub/Sub + Azure Event Hubs + Apache Pulsar — operator chooses) runs under operator account. Operator-controlled signing keys live in operator KMS (AWS KMS + Google Cloud KMS + Azure Key Vault + HashiCorp Vault + per-FIPS 140-2 + per-FIPS 140-3 + Common Criteria certified HSM — operator chooses). 
The operator-counsel-and-regulatory-affairs-and-AI-governance-team-approved per-record classification register + cryptographic signing + key-rotation policy + per-statute retention class library + NIST AI RMF + ISO 42001 + EU AI Act Article 12/13/14/17/26/50/72 documentation + ISO 27001/27017/27018 + SOC 2 evidence library + SOX 404 internal-controls documentation + SEC Item 1.05 materiality assessment library + Item 106 annual cybersecurity disclosure library + FDA Part 11 + GMLP + SaMD + CDS + per-vertical regulator library + attorney-client privilege + work-product + ABA Model Rules + SOX 307 + privilege-class tagging library + per-vertical HIPAA 164.312 + 164.530(j)(2) + FCRA + GLBA + Washington MHMDA + PCI DSS audit-trail library + DTSA register + CCPA + GDPR + DSA + Colorado AI Act + NYC LL144 + EEOC + COPPA + AADC records all live in operator counsel + regulatory affairs + CISO + AI-governance + CFO + audit-committee repo. The Capture + Sign + Preserve + Attest skill code lives in operator code repo. The policy-as-code policies live in operator code repo, counsel-aligned. The WORM audit trail lives on operator-controlled cloud storage. Completions owns the orchestration knowledge and transfers it under the Tier 3 transition path (30-60 days at engagement end). Completions credentials revoke on engagement-end.
Engage Completions
Start with the AI Readiness Assessment (Tier 1, 2-3 weeks). Hand off to Tier 2 AI Swarm Setup Sprint (4-8 weeks). Continue under Tier 3 Fractional CMO with AI Swarm (6-month minimum, 1-2 days/wk embedded).