
Compliance Documentation

Lucid provides a comprehensive compliance platform for AI systems, helping organizations meet regulatory requirements across 36+ frameworks worldwide. This section provides guidance for compliance officers and regulated industries on how to configure Lucid for specific regulatory obligations.

How Lucid Supports Compliance

Lucid's compliance approach is built on three pillars:

  1. Auditor-Based Controls - Each auditor implements specific security and compliance controls that map directly to regulatory requirements
  2. Cryptographic Evidence - Each auditor decision is signed inside a hardware-secured enclave (TEE), producing tamper-evident compliance records: any change to a record after signing invalidates its signature
  3. AI Passports - Every AI inference generates a verifiable certificate proving which controls were enforced

Supported Compliance Frameworks

Lucid's official auditors map to control requirements in the following regulatory frameworks:

United States

| Framework | Description | Key Auditors |
|---|---|---|
| SOC 2 | Service Organization Control 2 | Observability, PII Compliance, Guardrails |
| SOX | Sarbanes-Oxley Act | Observability, Eval, PII Compliance |
| CCPA | California Consumer Privacy Act | PII Compliance, Observability |
| HIPAA | Health Insurance Portability and Accountability Act | PII Compliance, Observability, Guardrails |
| PCI-DSS | Payment Card Industry Data Security Standard | Guardrails, PII Compliance, Secrets, Observability |
| GLBA | Gramm-Leach-Bliley Act | PII Compliance, Observability |
| FERPA | Family Educational Rights and Privacy Act | PII Compliance, Observability |
| FedRAMP | Federal Risk and Authorization Management Program | All auditors |
| CMMC | Cybersecurity Maturity Model Certification | Guardrails, Eval, PII Compliance, Observability |
| Colorado AI Act | Algorithmic discrimination prevention | Fairness, Guardrails, Observability |
| NIST AI RMF | AI Risk Management Framework | All auditors |

European Union

| Framework | Description | Key Auditors |
|---|---|---|
| GDPR | General Data Protection Regulation | PII Compliance, Observability, Sovereignty, Fairness |
| EU AI Act | European AI Act | Red Team, Guardrails, Observability, Watermark |
| DORA | Digital Operational Resilience Act | Observability, Guardrails, Eval, PII Compliance |
| NIS2 | Network and Information Security Directive | Guardrails, Observability, PII Compliance |
| ISO 27001 | Information Security Management | Guardrails, Observability, PII Compliance, Eval |
| ISO 42001 | AI Management System | Eval, Observability, Watermark |
| C5 | German Cloud Security Standard | Guardrails, Observability, PII Compliance, Eval |

India

| Framework | Description | Key Auditors |
|---|---|---|
| DPDP | Digital Personal Data Protection Act | PII Compliance, Observability, Sovereignty, Fairness |
| RBI FREE | RBI Framework for Responsible AI | All auditors |
| RBI IT | RBI IT Framework | Guardrails, Observability, PII Compliance, Eval |
| SEBI | SEBI Cybersecurity Framework | Guardrails, Observability, PII Compliance |
| CERT-In | CERT-In Directions | Guardrails, Observability, PII Compliance |
| IRDAI | IRDAI IT Guidelines | Guardrails, Observability, PII Compliance |
| India AI | India AI Ethics Guidelines | All auditors |

Asia-Pacific and Latin America

| Framework | Description | Key Auditors |
|---|---|---|
| LGPD | Brazil - Lei Geral de Proteção de Dados | PII Compliance, Observability, Sovereignty, Fairness |
| PIPL | China - Personal Information Protection Law | PII Compliance, Observability, Sovereignty, Fairness |
| APPI | Japan - Act on Protection of Personal Information | PII Compliance, Observability, Fairness |
| PDPA SG | Singapore - Personal Data Protection Act | PII Compliance, Observability, Sovereignty |
| PDPA TH | Thailand - Personal Data Protection Act | PII Compliance, Observability, Sovereignty |

Industry Standards

| Framework | Description | Key Auditors |
|---|---|---|
| CSA STAR | Cloud Security Alliance STAR | PII Compliance, Observability, Sovereignty |
| HITRUST | Healthcare Information Security | Guardrails, Observability, PII Compliance, Eval |
| CIS Controls | Critical Security Controls | Guardrails, Observability, PII Compliance, Eval |
| COBIT | IT Governance Framework | Observability, PII Compliance |
| OECD AI | OECD AI Principles | All auditors |
| AIUC-1 | AI Use Case Standard | All auditors |

Quick Start: Compliance Profiles

Lucid provides pre-configured compliance profiles that bundle the appropriate auditors for common regulatory scenarios:

# Deploy with GDPR compliance profile
lucid apply --app open-webui --model llama-3.1-8b --profile gdpr

# Deploy with HIPAA compliance profile
lucid apply --app open-webui --model llama-3.1-8b --profile hipaa

# Deploy with SOC 2 compliance profile
lucid apply --app open-webui --model llama-3.1-8b --profile soc2

# Deploy with EU AI Act compliance profile
lucid apply --app open-webui --model llama-3.1-8b --profile eu-ai-act

The Official Auditors

Lucid provides the following official auditors that cover the compliance control areas:

| Auditor | Control Area | Primary Regulations |
|---|---|---|
| Guardrails Auditor | Prompt injection, jailbreak defense, toxicity detection | SOC 2, HIPAA, PCI-DSS, EU AI Act, FedRAMP |
| Eval Auditor | Model safety benchmarks, explainability | EU AI Act, NIST AI, ISO 42001 |
| Red Team Auditor | Adversarial testing and vulnerability assessment | EU AI Act, NIST AI, Colorado AI Act |
| Fairness Auditor | Bias detection and fairness evaluation | Colorado AI Act, NIST AI, DPDP, RBI FREE |
| Observability Auditor | Audit logging and activity monitoring | All frameworks requiring audit trails |
| PII Compliance Auditor | PII detection and access control | SOC 2, GDPR, HIPAA, PCI-DSS, all privacy laws |
| Secrets Auditor | Credential scanning and secret detection | SOC 2, HIPAA, PCI-DSS, FedRAMP |
| Model Security Auditor | Model integrity and security verification | EU AI Act, HIPAA, SOC 2 |
| Policy Auditor | Policy enforcement and compliance rules | All frameworks |
| RAG Quality Auditor | RAG pipeline quality and accuracy | NIST AI, ISO 42001 |
| Sovereignty Auditor | Data residency and localization | GDPR, DPDP, PIPL, LGPD, PDPA |
| Watermark Auditor | AI content provenance | EU AI Act, NIST AI, ISO 42001, India AI |

Compliance-Specific Guides

Select your regulatory framework for detailed guidance:

Detailed Control Mappings

For the complete matrix showing which auditors map to which specific regulatory controls (article numbers, section references, etc.), see the Auditor Catalog. The catalog includes:

  • Specific control citations for each framework
  • Tooltips explaining why each auditor addresses each control
  • Framework reference tables with descriptions

Working with Your Compliance Team

For Compliance Officers

  1. Identify applicable frameworks - Determine which regulations apply to your organization based on industry, geography, and data types
  2. Select the appropriate profile - Use the compliance profile that best matches your primary regulatory obligation
  3. Review the AI Passport - Every inference generates a cryptographic certificate documenting which controls were enforced
  4. Export audit evidence - Use lucid passport list and lucid passport export to generate compliance reports

For Auditors and Assessors

Lucid provides verifiable evidence for control assessments:

  • Hardware attestation - Cryptographic proof that controls executed in a secure enclave
  • Immutable audit logs - TEE-signed traces of all AI system activities
  • Policy documentation - Machine-readable policies that map to specific control requirements
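As an added example of the check an assessor should run on exported evidence (this is illustrative code written for this page, not Lucid's own code, and it does not use Lucid's passport schema): each exported record is verified against the enclave's public key before it is relied on, and the set of auditors it records is compared with the set the profile requires. The field names, the Ed25519 key, and the sample record are all assumptions made for the example. In a real assessment the public key is taken from the TEE attestation, never from the export itself, because an export that carries its own key proves nothing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"sort"
)

// Passport is a hypothetical, simplified shape for one exported AI Passport.
// The field names are assumptions made for this example, not Lucid's schema.
type Passport struct {
	InferenceID string   `json:"inference_id"`
	Model       string   `json:"model"`
	Profile     string   `json:"profile"`
	Auditors    []string `json:"auditors"`
	IssuedAt    string   `json:"issued_at"`
}

// SignedPassport pairs a passport with the enclave's signature over it.
type SignedPassport struct {
	Passport  Passport `json:"passport"`
	Signature []byte   `json:"signature"`
}

// canonical produces the exact bytes that are signed and verified. Sorting the
// auditor list and relying on Go's fixed struct field order makes the encoding
// deterministic, so signer and verifier agree byte-for-byte.
func canonical(p Passport) ([]byte, error) {
	c := p
	c.Auditors = append([]string(nil), p.Auditors...)
	sort.Strings(c.Auditors)
	return json.Marshal(c)
}

// Sign stands in for the enclave-side signing step.
func Sign(priv ed25519.PrivateKey, p Passport) (SignedPassport, error) {
	msg, err := canonical(p)
	if err != nil {
		return SignedPassport{}, err
	}
	return SignedPassport{Passport: p, Signature: ed25519.Sign(priv, msg)}, nil
}

// Verify is the assessor-side check: recompute the canonical bytes from the
// record as received and verify the signature with the attested public key.
// Any edit to the record after signing makes this return false.
func Verify(pub ed25519.PublicKey, sp SignedPassport) bool {
	msg, err := canonical(sp.Passport)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sp.Signature)
}

// MissingAuditors reports which of the auditors a profile requires are absent
// from the passport, so a record that verifies but was produced with too few
// controls is still flagged.
func MissingAuditors(p Passport, required []string) []string {
	have := make(map[string]bool, len(p.Auditors))
	for _, a := range p.Auditors {
		have[a] = true
	}
	var missing []string
	for _, r := range required {
		if !have[r] {
			missing = append(missing, r)
		}
	}
	return missing
}

func main() {
	// Locally generated key: a stand-in for the enclave key an assessor would
	// obtain from the TEE attestation, never from the export itself.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample record for the example, not real Lucid output.
	p := Passport{
		InferenceID: "inf-0001",
		Model:       "llama-3.1-8b",
		Profile:     "hipaa",
		Auditors:    []string{"pii-compliance", "observability", "guardrails"},
		IssuedAt:    "2024-01-15T10:00:00Z",
	}
	sp, err := Sign(priv, p)
	if err != nil {
		panic(err)
	}
	fmt.Println("untouched record verifies:", Verify(pub, sp))

	// Simulate evidence edited after export: one control dropped from the list.
	tampered := sp
	tampered.Passport.Auditors = []string{"observability"}
	fmt.Println("tampered record verifies:", Verify(pub, tampered))
	fmt.Println("controls missing from tampered record:",
		MissingAuditors(tampered.Passport, []string{"pii-compliance", "observability", "guardrails"}))
}
```

The two checks are deliberately separate: a valid signature says only that the enclave produced this exact record, not that the record shows the controls the profile demands, so an assessor needs both before accepting a passport as evidence.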

Continuous Compliance Monitoring

# View recent AI Passports (compliance certificates)
lucid passport list

# Export compliance evidence for a date range
lucid passport export --from 2024-01-01 --to 2024-01-31 --format json

# Check current compliance status
lucid status --compliance

Need Help?

  • Review the Auditor Catalog for detailed control mappings
  • See Policy as Code for custom compliance rules
  • Contact your Lucid representative for compliance assessment support