SOX-Ready Audit Infrastructure for AI Agents
AI agents making financial decisions create audit obligations. Sigmodx provides the evidence layer.
SOX was written for humans. AI agents don't fit.
Section 404 of the Sarbanes-Oxley Act requires management to assess and document internal controls over financial reporting. When those controls involve AI agents — approving transactions, flagging anomalies, generating forecasts — auditors have no established standard for what evidence is required or how to evaluate it.
The result: most companies using AI agents in financial workflows are either (a) excluding them from SOX scope, which creates risk, or (b) improvising audit evidence, which creates a different risk.
An audit trail built for the regulator, not the product roadmap
Immutable Decision Log
Every agent decision is recorded in an append-only structure. No UPDATE or DELETE operations are permitted after insertion. Enforced at the database layer.
Cryptographic Fingerprinting
Every attestation carries a SHA-256 report hash. A human-readable verification string can be included in regulatory filings. Any auditor can independently confirm the record matches the hash.
State Change Audit Trail
Every change to an agent's reliability state (ALLOW → LIMIT → BLOCK) is logged with a timestamp and immutable reason. The causal chain from performance deterioration to execution restriction is fully traceable.
Human Approval Gates
Material decisions can require human approval before execution. Approval actions are logged in the append-only record. The requires_approval flag is enforceable at the policy layer.
How Sigmodx maps to Section 404 requirements
| SOX 404 Requirement | Sigmodx Capability |
|---|---|
| Document internal controls over financial reporting | Institutional Mode: org dashboard, governance summary, role-based controls |
| Provide evidence controls are operating effectively | Append-only audit log with root hash; reproducibility verification endpoint |
| Restrict access to authorized personnel | Tenant isolation, RBAC (admin / member / auditor / read-only), org API keys |
| Detect and prevent unauthorized changes | HMAC-signed attestations; append-only enforcement at DB layer; access log root hash |
| Enable independent verification | Public verification API; reproduction endpoint; verification string |
| Control AI agent decisions touching financial data | ALLOW / LIMIT / BLOCK state via cinmon-control integration; fleet capital caps via EmbiPay |
One string. Anyone can check it.
Every Sigmodx attestation produces a verification string — a compact, human-readable fingerprint derived from a SHA-256 hash of the complete attestation record. It looks like this:
[SIGMODX]-[SNAPSHOT_ID]-[HASH]
Include it in a regulatory filing. Send it to your auditor. Post it publicly. Anyone can submit it to Sigmodx's public verification endpoint and confirm that the underlying record matches — without needing system access, credentials, or trust.
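As an added illustration (not Sigmodx's own code or API), the following sketches how such a fingerprint can be produced and independently checked: decisions and state changes go into an append-only log, each entry's SHA-256 covers the previous entry's hash, and the verification string in the SIGMODX-SNAPSHOT_ID-HASH shape carries the chain's root. The canonical-JSON encoding, the hash-chain layout and the truncation to 16 hex characters are assumptions.

```python
"""Added example, not Sigmodx code: append-only decision log with SHA-256
fingerprints and a verification string an auditor can recompute offline.
Assumed: canonical JSON encoding, hash chaining, 16-hex-char short hash."""
import hashlib
import json

ZERO = "0" * 64  # chain anchor for the first entry (assumption)


def canonical(record: dict) -> bytes:
    # Deterministic serialisation so every party recomputes the same digest.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class DecisionLog:
    """Append-only: records can be added, never updated or deleted."""

    def __init__(self) -> None:
        self._entries: list[dict] = []

    def append(self, record: dict) -> str:
        # Each entry commits to its predecessor, so a later UPDATE or DELETE
        # of any earlier record changes every hash after it.
        prev = self._entries[-1]["hash"] if self._entries else ZERO
        body = dict(record, prev_hash=prev)
        digest = hashlib.sha256(canonical(body)).hexdigest()
        self._entries.append({"body": body, "hash": digest})
        return digest

    def root_hash(self) -> str:
        return self._entries[-1]["hash"] if self._entries else ZERO

    def export(self) -> list[dict]:
        # Copies only: a caller cannot mutate the log through this view.
        return [dict(e["body"]) for e in self._entries]

    def verification_string(self, snapshot_id: str) -> str:
        return f"SIGMODX-{snapshot_id}-{self.root_hash()[:16]}"


def verify(exported: list[dict], verification_string: str) -> bool:
    """Auditor side: rebuild the chain from exported records alone and
    compare its root with the hash carried in the verification string."""
    prev = ZERO
    for body in exported:
        if body.get("prev_hash") != prev:
            return False  # chain broken: record edited, removed or reordered
        prev = hashlib.sha256(canonical(body)).hexdigest()
    return verification_string.rsplit("-", 1)[-1] == prev[:16]
```

The auditor needs only the exported records and the published string; any edit, deletion or reordering of an earlier record breaks the chain and the check fails.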
Enterprise and pilot access
Sigmodx institutional mode is available to organizations that need private tenant isolation, compliance evidence export, and SOC 2 controls mapping. Pilot access is available now.
Email support@sigmodx.com to request pilot access.