Sentinel · v3.4.3 · Trace-to-Trust kernel for regulated AI

The evidence infrastructure for regulated AI.

Sentinel is the Trace-to-Trust kernel that turns EU AI Act compliance from a blocker into a baseline. Every agent decision is traced, attested, and sealed at runtime — so your teams stop fighting audits and keep shipping.

Key benefits
  • Pre-execution, not post-mortem. Evidence is produced the moment each agent acts — not reconstructed when auditors arrive.
  • Cryptographically bound, legally durable. Ed25519 signatures, RFC-3161 timestamps, and PAdES-sealed packs provide long-term verifiable proof, designed for 10+ year retention.
  • One baseline for every stakeholder. Product, Risk, Security and Legal work from the same Trace-to-Trust layer — no more reconciling conflicting audit trails.
Apache 2.0
923 tests passing
100% branch coverage
Ed25519 attestations
RFC-3161 timestamping
Air-gapped deployable
BSI IT-Grundschutz preparation
EU AI Act Annex III enforcement — 2 August 2026
High-risk AI systems must produce automatic tamper-resistant evidence. Penalties up to €15M or 3% of global annual turnover.
Sentinel customers are already shipping production AI through the same governed path they'll run on August 3rd.
102 days until enforcement
Trace · Runtime capture
  • Wrap any agent call with a single decorator
  • Bind input, policy, output, and jurisdiction
  • Instrument LangChain, CrewAI, AutoGen
Attest · Cryptographic signing
  • Ed25519 signature on every attestation by default
  • Hash-chain each record to its namespace predecessor
  • Verify independently — no vendor required
Audit · Evidence retrieval
  • Query decisions by agent, policy, or outcome
  • Retrieve full attestation packages on demand
  • Stream events to SIEM, GRC, or custom systems
Comply · Regulatory delivery
  • Package evidence into PAdES-signed PDF bundles
  • Map to EU AI Act, BAIT, MaRisk, DORA
  • Deliver what a regulator can verify as a whole
credit_agent.py · capturing
# Your existing agent. Unchanged.
# `agent` and `Decision` are your own objects; Sentinel only wraps the call.
from sentinel import Sentinel

sentinel = Sentinel()

@sentinel.trace(policy="credit_v2")
def assess_credit(applicant: dict) -> Decision:
    return agent.evaluate(applicant)

$ python credit_agent.py
trace captured      trc_8f2a1b3c
input hash          sha256:3c7f..a91e
policy version      credit_v2@rev.a47
signature           Ed25519 · 64-byte
attestation ready   1.8ms
att_9f2e8b1a.json · hash-verified
// Tamper-evident attestation · Ed25519 + SHA-256
{
  "attestation_id": "att_9f2e8b1a4c7d",
  "timestamp": "2026-04-20T14:03:22.847Z",
  "chain_namespace": "sentinel-ns:v1:credit_agent:EU-DE:credit",
  "previous_hash": "sha256:7a4e..dfc3",
  "decision": {
    "agent": "credit_agent@v2.1.4",
    "policy": "credit_v2@rev.a47",
    "input_hash": "sha256:3c7f..a91e",
    "output_hash": "sha256:8b2d..4f6c",
    "result": "APPROVED"
  },
  "signature": "Ed25519:oz0PLc..SG5yZE"
}
hash verified · independently recomputable
$ sentinel chain verify att_9f2e
Sentinel Control Plane · LIVE · last 24h
47,283 Decisions · 47,283 Attestations · 312 Denied · 1.8ms Median latency

Time      Agent             Policy          Outcome           Evidence
14:03:22  credit_agent      credit_v2@a47   Approved · 0.94   att_9f2e
14:03:24  kyc_verification  kyc_v1@c02      Approved · 0.89   att_3a7b
14:03:26  claims_processor  claims_v3@f12   Review · 0.47     att_5e9f
14:03:29  credit_agent      credit_v2@a47   Denied · 0.12     att_7c2d
14:03:31  aml_monitor       aml_v4@b21      Approved · 0.91   att_1b4a
14:03:35  fraud_scorer      fraud_v2@d33    Review · 0.58     att_8d2c
audit_package_att_9f2e8b1a.pdf · PAdES-signed
Audit Package · att_9f2e8b1a · credit_agent@v2.1.4
Generated 2026-04-20 · Retention until 2036-04-20
Decision: APPROVED · confidence 0.94 · 2026-04-20T14:03:22.847Z
Policy Context: credit_scoring_v2@rev.a47 · signed by compliance@swentures
Input Integrity: sha256:3c7f..a91e · 1,284 bytes
Output Integrity: sha256:8b2d..4f6c · 412 bytes
Jurisdiction: EU-DE · on-premise · no cross-border egress
Regulatory Mapping: EU AI Act Art. 12+17 · MaRisk AT 4.3.1 · BAIT §6.3
Attestation hash independently verified · Ed25519 + SHA-256
$ sentinel comply verify pack.pdf
The Consequence

Pilots become production. Scale is no longer blocked by audit reconstruction. The next agent is a decision, not a debate.

With evidence running at runtime, compliance moves from blocker to companion — and new AI use-cases ship through the same governed path as every other agent.

Your stack already has most of this.

In most regulated organisations the AI stack is already assembled from third-party tools from different vendors: governance tools, observability platforms, LLM providers, identity systems. Each layer comes with its own vendor.

What is missing is the layer that turns this heterogeneous stack into a whole a regulator can use — the knot-resolver that produces the single audit package a regulator can verify, without replacing any of your existing investments.

Regulatory Frame · Defines what must be auditable
  EU AI Act · BAIT · MaRisk · DORA · NIS2 · BSI IT-Grundschutz · GDPR
Layer 1 · Identity & Access · Agent authorization
  SPIFFE · Keycloak · Entra
Layer 2 · Governance · Policy enforcement
  Microsoft AGT · OPA · Cedar
Layer 3 · Evidence Runtime · Signed audit packages
  Sentinel
Layer 4 · Observability · Trace & telemetry
  Langfuse · OpenTelemetry
Layer 5 · LLM & Agent · Execution layer
  Anthropic · Mistral · LangChain
Layers 1, 2, 4, 5 are typically third-party in most enterprises. Layer 3 is the gap. Sentinel is not a new bottleneck — it is the knot-resolver that holds the heterogeneous third-party stack together, regulatorily.
What Sentinel is

The cryptographic evidence layer for regulated AI.

Every agent decision becomes a signed, hash-linked attestation. Every evidence pack PDF carries a PAdES signature with EU-sovereign RFC-3161 timestamp. Every chain of decisions can be verified independently by your auditor — air-gapped, offline, no vendor lock-in.

Sentinel maps directly to EU AI Act Art. 12 (record-keeping) and Art. 17 (quality management). It supports BSI IT-Grundschutz preparation, BaFin and MaRisk requirements, and any regulator who asks the fundamental question: “Can you prove what your AI did, and when?”

Where Sentinel fits in your stack

Sentinel is the cryptographic evidence layer that observability and governance tools don’t produce.

Not observability

Langfuse, Datadog, Arize, and LangSmith give you performance, cost, and drift signals. Sentinel gives you legally durable evidence of what each agent decided.

Not governance enforcement

Microsoft AGT, OPA, Cedar, and Bedrock Guardrails enforce policies at runtime. Sentinel seals the cryptographic proof that those policies were applied.

When an auditor asks for courtroom-defensible proof, that is the question Sentinel answers — and the question no observability or governance tool was designed to solve.

Start in 2 minutes

Four commands. Zero accounts. Zero network.

Scaffold a local pilot, run ten decisions through @sentinel.trace, write a signed PDF evidence pack, score yourself against EU AI Act Art. 12.

Install

shell
# Core — @sentinel.trace, Ed25519 signing, hash chain, RFC-3161
$ pip install sentinel-kernel

# With PDF evidence packs
$ pip install 'sentinel-kernel[pdf]'

# With PAdES PDF signing only (lighter than [pdf])
$ pip install 'sentinel-kernel[pades]'

# With post-quantum signing (ML-DSA-65)
$ pip install 'sentinel-kernel[pqc]'

# Or everything at once
$ pip install 'sentinel-kernel[pdf,pades,pqc]'
The core install produces a fully working Sentinel with Ed25519 default signing, RFC-3161 EU-sovereign timestamping, hash-chain attestations, and SQLite / PostgreSQL / filesystem storage. Extras opt in to heavier or optional capabilities: [pdf] pulls reportlab + pyhanko for evidence-pack PDFs; [pades] is [pdf] without reportlab; [pqc] adds ML-DSA-65 post-quantum signing via oqs-python.

Wrap one function

hello_sentinel.py
from sentinel import Sentinel

sentinel = Sentinel()

@sentinel.trace
async def approve(request: dict) -> dict:
    return await your_agent.run(request)

# Every call is now a signed, verifiable attestation.
One decorator. One line. Your LLM, ML classifier, rule engine, or robot control loop — Sentinel does not care what the function does, only that its decisions can be recomputed and verified later.
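To make the Attest pillar concrete (an Ed25519 signature on every record, each record hash-chained to its predecessor, verification by anyone holding the public key) together with the one-decorator pattern just shown, here is an added example. It is not Sentinel's own code: `MiniSentinel`, `trace`, `verify_chain`, `canonical`, `sha256_hex`, the `demo-ns` namespace and the toy credit rule are hypothetical stand-ins written for this page, and the record layout follows the attestation JSON shown above. It assumes the `cryptography` package is installed.

```python
# Added example, not Sentinel's own code: a minimal trace decorator that emits
# hash-chained, Ed25519-signed attestations in the record layout shown on the
# page, plus an independent verifier that needs only the signer's public key.
# Assumes `cryptography` is installed; every name here is a hypothetical stand-in.
import hashlib
import json
from datetime import datetime, timezone
from functools import wraps

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat


def canonical(obj) -> bytes:
    # Deterministic encoding so anyone recomputes the same hash or signature.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sha256_hex(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


class MiniSentinel:
    def __init__(self, agent: str, jurisdiction: str, key=None):
        self.key = key or Ed25519PrivateKey.generate()
        self.agent = agent
        self.namespace = f"demo-ns:v1:{agent}:{jurisdiction}"
        self.chain = []  # attestations in emission order

    def public_key_bytes(self) -> bytes:
        # The 32 bytes a verifier needs besides the records themselves.
        return self.key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)

    def trace(self, policy: str):
        def decorator(fn):
            @wraps(fn)
            def wrapper(payload: dict) -> dict:
                result = fn(payload)
                self._attest(policy, payload, result)  # seal before returning
                return result
            return wrapper
        return decorator

    def _attest(self, policy: str, payload: dict, result: dict) -> None:
        # Store only hashes of input/output (hash-only privacy); previous_hash
        # links this record to its predecessor in the namespace.
        prev = sha256_hex(canonical(self.chain[-1])) if self.chain else None
        body = {
            "attestation_id": f"att_{len(self.chain):08d}",
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "chain_namespace": self.namespace,
            "previous_hash": prev,
            "decision": {
                "agent": self.agent,
                "policy": policy,
                "input_hash": sha256_hex(canonical(payload)),
                "output_hash": sha256_hex(canonical(result)),
                "result": result["result"],
            },
        }
        # The signature covers every field above, including previous_hash.
        record = {**body, "signature": "Ed25519:" + self.key.sign(canonical(body)).hex()}
        self.chain.append(record)


def verify_chain(chain: list, public_key: bytes):
    """Independent check: recompute every link and signature from the records."""
    pub = Ed25519PublicKey.from_public_bytes(public_key)
    expected_prev = None
    for i, rec in enumerate(chain):
        if rec["previous_hash"] != expected_prev:
            return False, f"record {i}: previous_hash does not match predecessor"
        body = {k: v for k, v in rec.items() if k != "signature"}
        sig = bytes.fromhex(rec["signature"].split(":", 1)[1])
        try:
            pub.verify(sig, canonical(body))
        except InvalidSignature:
            return False, f"record {i}: Ed25519 signature invalid"
        expected_prev = sha256_hex(canonical(rec))
    return True, f"{len(chain)} records verified"


def demo() -> dict:
    s = MiniSentinel(agent="credit_agent@v2.1.4", jurisdiction="EU-DE")

    @s.trace(policy="credit_v2@rev.a47")
    def assess_credit(applicant: dict) -> dict:
        # Constructed toy rule standing in for a real scoring model.
        ratio = min(applicant["income"] / applicant["debt"], 5.0) / 5.0
        return {"result": "APPROVED" if ratio >= 0.5 else "DENIED", "confidence": round(ratio, 2)}

    for applicant in ({"income": 60000, "debt": 15000},   # constructed sample input
                      {"income": 20000, "debt": 40000},
                      {"income": 30000, "debt": 10000}):
        assess_credit(applicant)
    pub = s.public_key_bytes()
    tampered = json.loads(json.dumps(s.chain))  # copy, then alter one verdict
    tampered[1]["decision"]["result"] = "APPROVED"
    deleted = s.chain[:1] + s.chain[2:]          # drop a middle record
    return {
        "results": [r["decision"]["result"] for r in s.chain],
        "valid": verify_chain(s.chain, pub),
        "tampered": verify_chain(tampered, pub),
        "deleted": verify_chain(deleted, pub),
    }
```

Calling `demo()` runs three decisions through the decorator and then checks three copies of the chain: the untouched one verifies, the copy with an edited verdict fails on that record's signature, and the copy with a record removed fails on the next record's `previous_hash` link. The verifier imports nothing from the emitting side except the public key, which is the property that lets an auditor recompute the chain offline.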
EU AI Act Coverage

What Sentinel covers. What it does not.

Sentinel automates EU AI Act Art. 12/13/14/17 — the logging, transparency, oversight, and quality-management obligations. Other articles require organisational action. We mark the split honestly.

Article   Requirement                           Sentinel
Art. 12   Automatic tamper-resistant logging    Full
Art. 13   Transparency to deployer / user       Full
Art. 14   Human oversight (kill switch)         Full
Art. 17   Quality-management traceability       Full
Art. 9    Risk management                       Partial
Art. 16   Provider obligations                  Partial
Art. 26   Deployer obligations                  Partial
Art. 72   GPAI post-market monitoring           Conditional
Art. 11   Technical documentation (Annex IV)    Human action
Art. 10   Data governance                       Human action
Art. 15   Accuracy & robustness                 Human action
Sentinel never overclaims. Articles requiring human action are clearly marked. Partial articles are those where Sentinel produces the evidence but an organisational deliverable must still be written. Run sentinel audit-gap to see the exact split for your setup.
Where procurement is already active

Where the deadline bites first.

EU AI Act enforcement applies to decisions that touch rights, access to services, safety, or meaningful financial outcomes. The architecture is technology-agnostic; the sectors below are where procurement is already active.

Banking & Financial Services

A German bank runs credit decisioning, fraud scoring, AML, and transaction approval through Sentinel. When BaFin requests evidence on model drift under BAIT §6.3, the bank delivers signed evidence packs in minutes — not weeks of log reconstruction.

EU AI Act · DORA · BaFin BAIT · MaRisk

Defence & Aerospace

Procurement, logistics, dual-use assessment. Air-gapped and classified deployments with VS-NfD path. Cryptographic evidence that survives supply-chain scrutiny and export-control audits.

EU AI Act · BSI IT-Grundschutz · VS-NfD

Enterprise Software & AI Platform Providers

Enterprise software firms embed AI into products sold to regulated customers. Sentinel gives their customers the evidence packs needed to deploy those products under the EU AI Act — without reinventing compliance infrastructure per vendor.

EU AI Act · ISO 42001 · Customer conformity assessments

Public Sector & KRITIS

Benefit eligibility, permit approval, critical-infrastructure AI. Statutory transparency under NIS2 and sector law. Evidence packs that regulators, courts, and citizens can independently verify.

EU AI Act · NIS2 · E-Government law

Industrial Manufacturing

Quality control, predictive maintenance, robotic decisioning. Standards-aligned retention across plant lifetimes — 15+ year evidence archival in formats that outlive every vendor swap.

EU AI Act · ISO 42001 · IEC 62443
Runtime

Evidence at runtime, not after the fact

Sentinel wraps each agent decision as it happens. Input, policy, output, and jurisdiction are bound into a signed attestation before the next call begins. No log collection, no post-hoc reconstruction, no manual mapping under audit pressure.

  • Capture input hash, output hash, policy version, jurisdiction at the moment of decision
  • Bind every decision to a reproducible attestation with Ed25519 integrity
  • Decorate existing agents — LangChain, CrewAI, AutoGen — with one line
  • Sub-millisecond overhead per attestation on commodity hardware
Independent

Verifiable without operator trust

An auditor can only trust evidence as far as they trust whoever produced it. Sentinel runs as an independent layer — not owned by the operator, not owned by the LLM vendor, not owned by the cloud provider. The signature chain holds whether anyone trusts you or not.

  • Vendor-neutral — structurally independent of governance, observability, and LLM layers
  • EU-jurisdiction native — on-premise deployment, no CLOUD-Act exposure
  • Audit integrity — evidence operated and evaluated by different parties, no structural conflict of interest
  • Apache 2.0, hash-verified — inspect the kernel, recompute any attestation, own your evidence
Integration

Built for your existing stack

Sentinel does not replace your governance tools, observability platform, or LLM provider. It sits between them — receiving policy results, enriching with traces, emitting signed evidence. Bidirectional by design: allow signals feed innovation, kill signals gate risk.

  • Python-native kernel with OpenTelemetry-compatible span export
  • Langfuse, OpenTelemetry, Prometheus — trace ingestion hooks ready today
  • Microsoft AGT, OPA, Cedar — governance bridges for bidirectional flow
  • SIEM, GRC, SOAR — stream events to existing enterprise infrastructure
Lifecycle

Stable across LLM generations

Regulatory retention runs ten years or longer. Your LLMs and agents will not. The evidence layer must outlive every model, every framework, every vendor swap — stable signature format, stable storage interface, stable regulatory mapping.

  • 10-year retention by default — EU AI Act Article 17 compliant
  • Storage-agnostic — SQLite, PostgreSQL, S3-compatible, filesystem
  • Air-gapped deployment — evidence stays inside your security boundary
  • BSI IT-Grundschutz preparation and VS-NfD-capable deployment path
Roadmap

Primitives today. Ecosystem with the community.

We are building Sentinel the way HashiCorp built Terraform: primitive hooks in the kernel, the ecosystem grows through the community. Three stages, honestly labelled.

Currently shipping in v3.4.3

Kernel primitives

Production-ready, Apache 2.0, 923 tests passing. Install with pip install sentinel-kernel.

  • @sentinel.trace decorator
  • Ed25519 attestations (default, out of the box)
  • Hash-chain attestation linkage
  • RFC-3161 EU-sovereign timestamping (default)
  • SHA-256 content hashing (hash-only privacy default)
  • Kill switch (EU AI Act Art. 14)
  • PAdES PDF signing ([pdf] extra)
  • Optional ML-DSA-65 post-quantum signing ([pqc] extra)
  • LangChain · CrewAI · AutoGen · Haystack · FastAPI · Django integrations
  • SQLite · PostgreSQL · Filesystem storage backends
  • OpenTelemetry span export
  • Air-gapped / VS-NfD / EU-sovereign deployment paths
  • BSI IT-Grundschutz preparation scaffolding
In development (v3.5+)

Architecture bridges for enterprise stacks

Four architectural items raised by design partners. All four have committed design docs under docs/architecture/. Each item re-ships to production only after passing our fresh-venv E2E verification harness — discipline over shipping speed.

  • OpenTelemetry causal-context bridge · when OTEL spans exist, read context and preserve parent-child linkage in cryptographic attestations
  • JSON-LD + PROV-O semantic export · 10-15 year retention format, W3C-standard ontology, offline-verifiable evidence packs
  • Fine-grained retention policies · YAML rules per agent / jurisdiction / policy family, with field-level redaction
  • Write-once storage backends · application-layer tamper prevention (filesystem, S3 Object Lock, Azure Immutable Blob)

Further ecosystem bridges · community-driven
  • MCP gateway integration
  • Microsoft AGT bridge
  • Langfuse ingestion hooks
  • OPA native decision-log export format
  • Cedar policy binding
  • Redis · Legal-hold APIs
With the community

Enterprise ecosystem

The devil is in the details of complex enterprise landscapes. These integrations we build with the community, not for it.

  • SAP agents
  • Salesforce Agentforce
  • Azure AI Foundry
  • Google ADK
  • AWS Bedrock Agents
  • ServiceNow GRC · OneTrust · Archer
  • your use-case
Enterprise AI infrastructure is complex. Sentinel solves one layer — the regulatory evidence layer. The other layers need other tools, and those tools work best when integrated. We build the hooks for the ecosystem. The community fills them.
Get Started

Ready to use Sentinel?

Sentinel is in design partnership with a select group of regulated enterprises building production-grade agentic AI under the EU AI Act. Request a working session with our team, or explore the code on GitHub.