Regulated Industry Blueprints
MeshGuard blueprints are deployment and evidence packages for regulated AI agent governance. They are not certification claims by themselves. Customers still need environment validation, legal review, auditor review, contractual artifacts, and operating evidence before making compliance claims.
| Blueprint | Primary evidence |
|---|---|
| HIPAA | ePHI policy guardrails, access logs, audit controls, BAA workflow inputs, breach-investigation evidence. |
| FedRAMP Moderate | Rev. 5 control-family evidence, FIPS deployment posture, SSP boundary insert, continuous-monitoring package. |
| FINRA and SEC 17a-4 | Supervisory approval, immutable retention export, customer-communication surveillance, WORM-compatible archive receipts. |
| SOC 2 | Security, availability, processing integrity, confidentiality, privacy evidence. |
| PCI-DSS | Card-data exfiltration controls and audit export. |
| ISO 27001 | Logging, access, incident, and supplier controls. |
| GDPR / EU AI Act / DORA | Data residency, lineage, subject export, operational resilience. |
Production Blueprint Contents
Each production blueprint contains:
- Reference deployment topology across MeshGuard control plane, gateway, guardian sidecar, egress proxy, identity provider, key management, SIEM, and evidence archive.
- Terraform bootstrap for MeshGuard agents, policy resources, and compliance alert channels.
- Policy pack with default-deny behavior for regulated workloads.
- Control-to-evidence map naming event types, required fields, owners, retention posture, and review cadence.
- Runbook for preflight, daily operations, evidence export, exception handling, incident response, and quarterly review.
HIPAA Blueprint
The HIPAA package is scoped to agents that may process electronic protected health information.
| Control area | MeshGuard implementation | Evidence |
|---|---|---|
| Access control | Dedicated production tenant, SSO/MFA, SCIM roles, agent trust tiers, explicit ePHI policy bindings. | identity.assignment, agent.lifecycle, policy.decision, access review attestation. |
| Audit controls | Append-only audit for every agent decision, policy change, operator action, alert, and evidence export. | Signed quarterly evidence bundle with root hash and witness proof. |
| Integrity | Signed policy bundles, Terraform-managed changes, audit hash-chain verification. | policy.change, policy digest, offline verification transcript. |
| Person or entity authentication | Human SSO/MFA and agent workload identity through SPIFFE/JWT claims. | Login events, workload identity samples, trust-tier review. |
| Transmission security | mTLS, encrypted SIEM/archive export, egress allowlist, customer-managed key option. | TLS attestation, egress decisions, key rotation records. |
Production traffic should use metadata-only or redacted payload logging for ePHI. External model and tool destinations are denied unless BAA status, region, retention, and redaction controls are documented.
FedRAMP Moderate Blueprint
The FedRAMP Moderate package is scoped to customer-operated or dedicated deployments in an approved federal authorization boundary.
| Family | MeshGuard implementation | Evidence |
|---|---|---|
| AC | Tenant isolation, RBAC, trust tiers, policy bindings, break-glass approvals. | Access review, identity.assignment, agent.lifecycle, policy.decision. |
| AU | Unified audit schema, signed export, SIEM egress, audit failure alerts. | agent.decision, operator.action, system.alert, evidence manifest. |
| CM | Terraform-managed configuration, policy-as-code review, signed bundles, rollback metadata. | Terraform plan/apply logs, policy.change, bundle digest. |
| IA | SSO/MFA, SCIM lifecycle, workload identity, token rotation. | Login events, SCIM records, SPIFFE/JWT samples, key rotation evidence. |
| SC | FIPS cryptographic path where required, encrypted transport, CMK option, egress proxy, region pinning. | FIPS/TLS attestation, egress decisions, key records. |
| SI | Streaming inspection, sidecar heartbeat, bypass detection, anomaly alerting. | inspection.result, sidecar.heartbeat, alert disposition. |
The monthly continuous-monitoring package should include policy changes, access deltas, vulnerability/configuration drift findings, SIEM delivery reports, POA&M linkage, and offline evidence verification.
FINRA and SEC 17a-4 Blueprint
The FINRA package is scoped to broker-dealer and capital-markets agents involved in research, recommendations, customer communications, orders, and account operations.
| Control area | MeshGuard implementation | Evidence |
|---|---|---|
| Books and records | Audit every governed agent action, approval, policy change, and evidence export. | agent.decision, approval.action, policy.change, evidence.export. |
| Retention posture | Export signed bundles to a WORM-compatible firm archive with indexing and retrieval proof. | Evidence manifest, archive receipt, witness proof, retrieval test transcript. |
| Supervision | Human approval for restricted customer communications, recommendations, order staging, cancellation, execution, and account actions. | Approval event with approver role, supervision ticket, trace ID, and disposition. |
| Communications surveillance | Export customer-facing communication metadata and content according to firm policy. | Surveillance delivery report and alert disposition. |
| Change control | Terraform-managed policies with compliance and platform-security approval. | Terraform plan/apply logs, change ticket, policy digest. |
Agents may draft recommendations or customer messages, but execution and delivery paths should fail closed unless supervision, archive, and surveillance IDs are present.
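
The fail-closed rule above can be sketched as a gate function. This is an added example, not MeshGuard code: the action names, the `supervision_id`, `archive_id` and `surveillance_id` field names, and the `gate` function are all assumptions made for illustration.

```python
# Assumed action names; the restricted set follows the Supervision row above.
DRAFT_ACTIONS = {"draft_recommendation", "draft_customer_message"}
RESTRICTED_ACTIONS = {"deliver_customer_message", "deliver_recommendation",
                      "stage_order", "cancel_order", "execute_order",
                      "account_action"}
# Assumed field names for the three IDs the text requires.
REQUIRED_IDS = ("supervision_id", "archive_id", "surveillance_id")


def gate(action, context):
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    try:
        if action in DRAFT_ACTIONS:
            return True, "draft permitted"
        if action not in RESTRICTED_ACTIONS:
            # Default deny: an action the gate does not know is never passed on.
            return False, "unknown action"
        missing = [k for k in REQUIRED_IDS
                   if not isinstance(context.get(k), str) or not context[k].strip()]
        if missing:
            return False, "missing " + ",".join(missing)
        return True, "supervision, archive and surveillance IDs present"
    except Exception as exc:
        # A malformed request must close the path, not open it.
        return False, f"gate error: {type(exc).__name__}"
```

Blank or non-string IDs count as absent, and an error inside the gate yields a deny rather than an unhandled exception that a caller might treat as success.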
Evidence Bundle Requirements
Every regulated bundle should include:
- Period, tenant, blueprint, deployment mode, and evidence profile.
- Agent decisions, policy changes, identity events, operator actions, alerts, approvals, and evidence exports.
- Policy digests, rule IDs, trace IDs, destination trust, data classification, and redaction mode.
- Root hash, detached signature, witness proof, and offline verification transcript.
- Control owner attestation and exception register.
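
An offline check of the root hash and audit hash chain named in the bundle requirements and in the HIPAA Integrity row could look like the following. This is an added example, not MeshGuard's bundle format or verifier: the manifest field names, the chaining rule (SHA-256 over the previous hash plus canonical JSON) and the sample records are assumptions. Detached-signature and witness-proof verification are left out.

```python
import hashlib
import json

# Assumed manifest field names, following the first and fourth list items above.
REQUIRED_MANIFEST = ("period", "tenant", "blueprint", "deployment_mode",
                     "evidence_profile", "root_hash")
GENESIS = "00" * 32  # assumed chain start value

def entry_hash(prev_hex, record):
    """SHA-256 over the previous hash plus canonical JSON of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(bytes.fromhex(prev_hex) + body).hexdigest()

def build_chain(records):
    """Producer side: attach the running chain hash to each audit record."""
    prev, out = GENESIS, []
    for rec in records:
        prev = entry_hash(prev, rec)
        out.append({"record": rec, "hash": prev})
    return out

def verify_bundle(manifest, entries):
    """Offline check. Returns transcript rows of (check, passed, detail)."""
    missing = [f for f in REQUIRED_MANIFEST if not manifest.get(f)]
    rows = [("manifest_fields", not missing, ",".join(missing))]
    prev, broken_at = GENESIS, None
    for i, ent in enumerate(entries):
        prev = entry_hash(prev, ent["record"])
        if prev != ent["hash"]:
            broken_at = i
            break
    detail = "" if broken_at is None else f"first mismatch at entry {broken_at}"
    rows.append(("hash_chain", broken_at is None, detail))
    # An empty or truncated export must not pass: the last hash has to equal the root.
    root_ok = (broken_at is None and bool(entries)
               and prev == manifest.get("root_hash"))
    rows.append(("root_hash", root_ok, ""))
    return rows

# Constructed sample records; event type names are the ones used in the tables above.
SAMPLE = build_chain([
    {"type": "agent.decision", "trace_id": "t-001", "rule_id": "r-7", "decision": "deny"},
    {"type": "policy.change", "trace_id": "t-002", "policy_digest": "sha256:placeholder"},
    {"type": "evidence.export", "trace_id": "t-003"},
])
MANIFEST = {"period": "2025-Q1", "tenant": "example-tenant", "blueprint": "hipaa",
            "deployment_mode": "dedicated", "evidence_profile": "example",
            "root_hash": SAMPLE[-1]["hash"]}
```

The rows returned by `verify_bundle` can be stored as the verification transcript; an edited record fails `hash_chain`, while a truncated export passes the chain check but fails `root_hash`.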
Reference Links
- HIPAA Security Rule: https://www.hhs.gov/hipaa/for-professionals/security/index.html
- FedRAMP baselines: https://www.fedramp.gov/baselines/
- SEC 17 CFR 240.17a-4: https://www.ecfr.gov/current/title-17/section-240.17a-4
- FINRA Rule 4511: https://www.finra.org/rules-guidance/rulebooks/finra-rules/4511
