SOX-for-AI — Sarbanes-Oxley Controls for AI-Mediated Financial Actions
This mapping adapts the Sarbanes-Oxley ITGC (IT General Controls) expectations to AI-mediated financial actions. It covers signing authority, change management, audit-trail completeness, non-repudiation, segregation of duties via human-in-the-loop overrides, and ongoing monitoring. Ledgix's cryptographic ledger plus the policy lifecycle cover every control.
Status: Full — every control resolves to an artifact Ledgix produces today. Pair with the SOX Extended mapping for the §302/§906 officer attestation coverage.
Scope
SOX applies to public companies subject to SEC jurisdiction. This mapping translates the ITGC expectations (access controls, change management, operations, monitoring) into AI-specific controls suitable for financial-action-mediating agents. Coverage spans access controls over AI signing authority, change management of decision policies, completeness and non-repudiation of the audit trail, segregation-of-duties via HITL, and ongoing monitoring.
Controls covered
| Control ID | Evidence types | Control | Description |
|---|---|---|---|
| SOX-AI-ITGC-01 | key_history / events_jsonl | Access Controls — AI Signing Authority | Full signing-key history plus per-event receipt metadata tying each action to an authorised key. |
| SOX-AI-ITGC-02 | policy_snapshots | Change Management — Policy Version Control | Versioned policy snapshots with content hashes, immutably referenced by governed events. |
| SOX-AI-AC-01 | events_jsonl / checkpoint_chain / proof_index | Audit Trail Completeness | Complete record of all AI tool calls, Merkle chain for gap analysis, per-event leaf index. |
| SOX-AI-AC-02 | events_jsonl / signatures | Non-Repudiation | Ed25519 receipt signature per event plus export-level signature over manifest and Merkle root. |
| SOX-AI-AC-03 | events_jsonl | Segregation of Duties — Human-in-the-Loop Override | Denied events and low-confidence approvals surface cases where human review was required. |
| SOX-AI-MON-01 | events_jsonl / framework_mapping | Ongoing Monitoring of AI Controls | Time-series operational data plus the mapping document for management review. |
Evidence types referenced
- key_history — full key version history including algorithm, active_from, retired_at.
- events_jsonl — complete record of AI tool calls with receipt metadata.
- policy_snapshots — versioned policy snapshots with content hashes.
- checkpoint_chain — Merkle checkpoint chain for gap analysis via tree_size progression.
- proof_index — per-event Merkle leaf index for spot-check verification.
- signatures — export-level Ed25519 signature over manifest hash and Merkle root.
- framework_mapping — mapping document demonstrating control-to-evidence traceability.
Known gaps (if any)
None — every control resolves to an artifact Ledgix produces today.
Audit pack workflow
Export an evidence ZIP for this framework from the admin console's Evidence Exports panel by selecting SOX-for-AI — Sarbanes-Oxley Controls for AI-Mediated Financial Actions and a time window. Each control's evidence_locators[] in the included framework_mapping.json points to the corresponding file in the ZIP.
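As an added illustration (not Ledgix's own code) of the gap analysis an auditor could run over an exported pack using the checkpoint_chain and proof_index evidence types above: the JSONL field names, the checkpoint layout and the SHA-256 tree construction are assumptions, since the page does not specify the export format.

```python
import hashlib
import json

# ASSUMED hashing scheme (RFC 6962-style SHA-256 tree); Ledgix's real export
# format may differ. Ed25519 receipt/export signature checks are out of scope.
def leaf_hash(line: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + line).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle_root(leaves: list) -> bytes:
    """Tree head over already-hashed leaves (split at largest power of two)."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaves[0]
    k = 1 << ((n - 1).bit_length() - 1)
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def gap_analysis(events_jsonl: str, checkpoints: list) -> list:
    """Findings list; empty means the checkpoint chain accounts for every event."""
    lines = [ln for ln in events_jsonl.encode().split(b"\n") if ln]
    leaves = [leaf_hash(ln) for ln in lines]
    findings = []
    for i, line in enumerate(lines):  # proof_index must equal the leaf position
        if json.loads(line).get("proof_index") != i:
            findings.append(f"event {i}: proof_index does not match position")
    prev = 0
    for cp in checkpoints:  # tree_size must grow; each root must re-derive
        size, root = cp["tree_size"], bytes.fromhex(cp["root"])
        if size <= prev:
            findings.append(f"checkpoint {size}: tree_size not increasing")
        if size > len(leaves):
            findings.append(f"checkpoint {size}: covers more events than exported")
        elif merkle_root(leaves[:size]) != root:
            findings.append(f"checkpoint {size}: root mismatch (tampered/reordered)")
        prev = size
    if prev != len(leaves):
        findings.append(f"{len(leaves) - prev} event(s) after last checkpoint")
    return findings

def build_checkpoints(events_jsonl: str, sizes: list) -> list:
    """Helper to mint sample checkpoints from the constructed events below."""
    leaves = [leaf_hash(ln) for ln in events_jsonl.encode().split(b"\n") if ln]
    return [{"tree_size": s, "root": merkle_root(leaves[:s]).hex()} for s in sizes]

SAMPLE_EVENTS = "\n".join(json.dumps(e, sort_keys=True) for e in [  # constructed
    {"proof_index": 0, "tool": "ledger.post", "decision": "allow"},
    {"proof_index": 1, "tool": "ledger.post", "decision": "deny"},
    {"proof_index": 2, "tool": "payment.send", "decision": "allow"}])
```

Run `gap_analysis(SAMPLE_EVENTS, build_checkpoints(SAMPLE_EVENTS, [2, 3]))` for a clean chain; editing any event line or dropping the final checkpoint produces a finding.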
References
- Framework mapping JSON: vault/internal/compliance/frameworks/sox_ai.json
- Canonical source: Sarbanes-Oxley Act of 2002 — sec.gov