Audit & evidence layer for AI agents

The flight recorder for AI agents.

Your organisation is deploying AI that makes decisions and takes actions on your behalf. When an auditor, regulator, or client asks what it decided and why, right now, you cannot answer that. aoax records every agent action and turns it into evidence packs built for auditors, not developers.

Become a founding partner Get a readiness Snapshot: £495

no infrastructure to provision · evidence packs on demand · UK/EU hosted or self-host

audit_events: tenant:demo REC

The questionnaire is already in the post

Three questions every regulated client will ask about your AI.

The pressure is coming from three directions at once. Sector regulators are already asking: FCA SYSC, the SRA and ISO 42001 certification audits all expect AI decision logs in 2026, not 2027. Enterprise procurement is moving faster than regulation: AI audit trail requirements are appearing in supplier questionnaires right now. And every new AI deployment adds surface area: ten agents means ten places where accountability breaks.

DD-Q14

"What did your AI system actually do, step by step?"

DD-Q15

"Who reviewed and approved its consequential actions?"

DD-Q16

"How do we know those records haven't been altered?"

If you sell AI into law, financial services or accountancy, these arrive in vendor due-diligence questionnaires, driven by the FCA, the SRA, the ICO and your clients' own customers. Screenshots and application logs don't answer them. A chained audit trail with control-mapped evidence does.

Start here

Understand your gaps before you fix them.

The AI Readiness Snapshot: answer 20 questions about your current AI deployments. We return a scored gap analysis and a prioritised 30/60/90-day action list, in 48 hours. No infrastructure. No commitment. £495 fixed.

Book a Snapshot: £495

async · report in 48 hours · assessed by a practitioner, not a bot

How it works

One endpoint in. Evidence out.

aoax sits beside whatever agent framework you already run. It never touches your agent logic: it just witnesses it.

stage 1: ingest

Log every action

One POST per agent event: tool calls, LLM calls, decisions, human checkpoints, data access, errors. The Node SDK is ~300 lines and takes about an hour to wire in.

aoax.log({ event_type: "hitl_checkpoint", agent_id:
                "drafting-agent", payload: { approved_by: "j.smith" } })

stage 2: chain

Seal the record

Each event is written append-only and hash-chained to the one before it. Chain heads are independently timestamped daily with a third-party authority, so integrity is verifiable, including against us.

hash = sha256(prev_hash + canonical(payload) + ts) → RFC 3161
                anchor

stage 3: evidence

Answer the auditor

Pick a date range. Get a pack, PDF and JSON, with every event mapped to named controls drawn from ISO 42001, NIST AI RMF and UK GDPR obligations. Built for the person auditing you, not the person debugging you.

GET /packs?from=2026-05-01 → evidence-pack.pdf →
                evidence-pack.json

Integrity, stated precisely

Append-only. Hash-chained. Independently verifiable.

Compliance products live or die on the precision of their claims. Here are ours, in the same words our documentation uses.

Why we don't say "tamper-proof" Nothing is. What we provide is tamper-evidence: any alteration to a sealed record, by anyone, including us, breaks a hash chain that is anchored daily with an independent timestamping authority. You can verify it yourself with the open-source SDK.

[✓]
Append-only by constructionThe application can insert and read audit events. It cannot update or delete them.
[✓]
Hash-chained per tenantEvery event carries the fingerprint of the one before it. Verification replays the chain.
[✓]
Externally anchored dailyChain heads are timestamped via RFC 3161 with an independent authority: integrity holds even against the operator.
[✓]
Your data, your jurisdictionHosted in the UK/EU with full export on demand, or run the self-host edition and your audit data never leaves your infrastructure.
[✓]
Retention without contradictionGDPR retention deletes payloads via tombstoning: the chain stays intact and the deletion is itself an audited event.

UK GDPRISO/IEC 42001-alignedNIST AI RMFEU AI Act principlesOWASP Agentic Top 10

Two ways in

Founding rates, while they last.

For teams building agents

Founding partner

£750 / first year · then £1,800/yr

→Hosted aoax for one tenant: ingest, chain, dashboard
→Evidence packs mapped to named controls, included
→A direct line to the builder and a real vote on the v1 roadmap
→Founding rate honoured at renewal

Claim a founding slot

3 slots · pre-launch

For firms adopting AI

AI Readiness Snapshot

£495 fixed · report in 48 hours

→Structured questionnaire: 45–60 minutes, fully async
→Scored against ISO 42001, NIST AI RMF and UK GDPR obligations
→Your top 5 gaps, prioritised, with a 30/60/90-day plan
→Assessed by a practitioner, not a checklist bot

Book a Snapshot

Who's behind it

Built by the person who'd otherwise be your consultant.

aoax is built by Dave, a fractional CTO and AI-governance practitioner who has spent years on both sides of this problem: shipping production systems, and writing the ISO 42001, UK GDPR and EU AI Act documentation that regulated firms run on. The product is that judgment, packaged.

It's deliberately a small company, which is why the self-host edition exists, why exports are one click, and why a written continuity commitment is published rather than promised. Your audit trail shouldn't depend on anyone's headcount, including ours.