Platform Demonstration

Governed agent workflow,
step by step

This walkthrough uses ThetaZero's own governance infrastructure to show exactly what happens when an AI agent runs under compliance monitoring — from first execution to auditor-ready evidence package.

Real platform, real artifacts
Evidence pack available to download
Scenario: KYC exception review
KYC Exception Review Agent
EU AI Act  SOC 2  GDPR
Cryptographic ZIP export
1
Step 1 of 4
Compliance monitor configured
Before the agent runs, a compliance monitor is attached. It defines which frameworks to map, what evidence to capture, and whether human-in-the-loop approval is required.
🛡️
KYC Exception Review — Compliance Monitor
monitor_id: TZ-MON-20260411-001
ACTIVE
Agent type High-risk (EU AI Act Annex III)
Frameworks EU AI Act  SOC 2  GDPR
Evidence capture Input · Output · Token count · Model version · Duration · Compute source
Human oversight HITL enabled — Art. 14 EU AI Act
Execution isolation TEE attestation (HMAC-SHA256) · Worker thread sandbox
PII handling Redaction layer active — names, IDs, account numbers stripped from logs
Evidence export Signed ZIP · SHA-256 Merkle root · RSA-4096 signature on manifest
2
Step 2 of 4
Agent executes — every event captured
The agent runs inside an isolated sandbox. ThetaZero records every step: tool calls, data access events, policy checks, and the final decision — all with timestamps and cryptographic hashes.
ThetaZero Execution Log — TZ-EXEC-20260411-004821
10:48:21.002[INIT]Execution context created · sandbox: worker_thread · policy: enforce
10:48:21.118[TEE]Attestation issued · att_id: tee_att_20260411_004821_a1b2c3d4
10:48:21.201[POLICY]Pre-flight check passed · frameworks: EU_AI_ACT, SOC2, GDPR
10:48:21.334[INPUT]Prompt received · hash: a3f8b2d1… · tokens: 847 · PII: redacted
 
10:48:21.450[AUDIT]DATA_ACCESS · source: kyc_database · purpose: sanctions_screening
10:48:22.103[AUDIT]DATA_ACCESS · source: watchlist_api · fields: name, dob, nationality · consent_basis: legal_obligation
10:48:23.871[AUDIT]RISK_ASSESSMENT · method: rules_engine · score: 0.23 · threshold: 0.35 · outcome: below_threshold
10:48:24.102[HITL]Human oversight notification sent · reviewer: [email protected] · ttl: 15min
10:48:38.445[HITL]Reviewer approval received · reviewer_id: usr_9f2k · decision: APPROVE_WITH_CONDITIONS
 
10:48:38.501[OUTPUT]Decision: APPROVED WITH CONDITIONS · hash: 9c4e1a7f… · tokens: 312
10:48:38.612[AUDIT]NOTIFICATION_SENT · channel: compliance_system · recipient: case_management
10:48:38.701[INTEGRITY]Hash chain updated · block: 847 · Merkle root: d4e9f1a2b3c0…
10:48:38.803[COMPLETE]Execution finished · duration: 17.3s · violations: 0 · evidence: generatingCLEAN
3
Step 3 of 4
Evidence package auto-generated
Immediately after execution, ThetaZero assembles a cryptographically signed evidence package. Six files, all ready for your auditor, legal team, or regulator — no manual documentation required.
📋
execution_logs.json
Full execution record: input hash, output, model version, token counts, duration, compute source, and HITL approval chain.
~4.2 KB · JSON
🗺️
control_mapping.json
Maps this run to EU AI Act Art. 9, 10, 13, 14, 17 + SOC 2 CC6/CC7 + GDPR Art. 5/22. Each control: status, evidence artifact, deadline.
~3.8 KB · JSON
🔗
audit_trail.json
Timestamped, SHA-256 hashed event log. Every data access, risk assessment, HITL interaction, and decision — immutable and tamper-evident.
~5.1 KB · JSON
🔐
tee_attestation.json
TEE isolation record: attestation ID, HMAC-SHA256 signature, hardware platform, compute source, and per-record coverage verification instructions.
~2.9 KB · JSON
manifest.json
SHA-256 checksums and byte sizes for every file in the package. Your auditor can verify file integrity without contacting ThetaZero.
~0.9 KB · JSON
📄
README.txt
Human-readable walkthrough: scenario overview, file descriptions, step-by-step verification instructions for auditors and legal reviewers.
~1.4 KB · TXT
audit_trail.json — excerpt SHA-256: 9c4e1a7f… 
// Audit record 3 of 6 — RISK_ASSESSMENT event
{
  "record_id": "tz_audit_20260411_004821_003",
  "execution_id": "TZ-EXEC-20260411-004821",
  "timestamp": "2026-04-11T10:48:23.871Z",
  "event_type": "RISK_ASSESSMENT",
  "actor": "kyc_exception_review_agent",
  "details": {
    "method": "rules_engine",
    "risk_score": 0.23,
    "threshold": 0.35,
    "outcome": "below_threshold",
    "escalated": false,
    "human_review_required": true  // Art. 14 policy override
  },
  "integrity": {
    "input_hash": "sha256:a3f8b2d1e4c9f7a2b6d8e1c3f5a7b9d2e4f6a8c0b2d4f6a8c0b2d4f6a8c0b2",
    "output_hash": "sha256:9c4e1a7fb3d2e8f1c4a6b8d0e2f4a6b8d0e2f4a6b8d0e2f4a6b8d0e2f4a6b8",
    "tee_att_id": "tee_att_20260411_004821_a1b2c3d4"
  }
}
4
Step 4 of 4
Reviewer downloads and verifies
The auditor, legal team, or regulator downloads the signed ZIP. Verification requires no ThetaZero account — just the public key and the files.
ℹ️
Platform demonstration. The evidence pack below uses the same real production format, with sample data. Every field, hash structure, and verification step reflects exactly what a real execution produces. The scenario data is illustrative, not from a live customer.
Verify step 1
Confirm manifest integrity
Run SHA-256 on each file in the ZIP. Compare against manifest.json. Any mismatch means the file was altered after signing.
sha256sum execution_logs.json
Verify step 2
Check the hash chain
The audit trail's Merkle root links every event. Recompute it from the individual record hashes to confirm no events were deleted or reordered.
node verify-hash-chain.js audit_trail.json
Verify step 3
Confirm TEE attestation
Each audit record includes a TEE attestation ID. The tee_attestation.json file contains HMAC-SHA256 verification instructions for independent confirmation.
See: tee_attestation.json → verification_instructions
Verify step 4
Confirm EU AI Act control mapping
The control_mapping.json maps each run to specific articles. Review the linked evidence artifacts for each control to confirm compliance coverage.
See: control_mapping.json → controls[*].evidence_artifacts
Download the evidence pack
Real format, real structure — the exact same ZIP your auditor would receive from a live ThetaZero execution. No signup required.
↓ Download Evidence ZIP
What was covered
11 controls mapped across 3 frameworks
From a single 17-second agent run.
EU AI Act
Art. 9 — Risk management system
Art. 10 — Data governance
Art. 13 — Transparency
Art. 14 — Human oversight
Art. 17 — Quality management
Art. 26 — Deployer obligations
SOC 2
CC6.1 — Logical access controls
CC6.7 — Transmission of data
CC7.2 — System monitoring
A1.1 — System availability
PI1.1 — Processing integrity
GDPR
Art. 5 — Principles for processing
Art. 22 — Automated decision-making
Art. 30 — Records of processing
Art. 35 — Data protection impact
What's real in this demonstration
Evidence package format is identical to production output
SHA-256 hash chain structure and verification steps are real
EU AI Act article mapping covers the same real articles
TEE attestation format and HMAC-SHA256 signing are production-grade
HITL approval flow mirrors the live dashboard approval queue
All 11 control mappings reflect active platform capabilities
The agent scenario (KYC exception review) and all data values are illustrative. No customer data is used or represented.
Ready to govern your agents?
See this running on your
actual agents

We'll walk through your specific AI use cases, map them to your compliance obligations, and show you what your evidence packages look like — before you sign anything.

Book a scoping call → ↓ Download evidence pack