# Overview As AI becomes embedded in critical business workflows, organizations need more than runtime security controls. They need the ability to demonstrate what AI systems decided, why, and under what policies — to internal auditors, compliance teams, regulators, and leadership. Highflame's Governance & Reporting capabilities are built on a single principle: every decision the system makes should be explainable, provable, and auditable without manual log collection. This is possible because governance evidence is a by-product of how Highflame enforces policy — not a separate reporting layer bolted on afterwards. *** ## What this section covers | Page | What it covers | | ----------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | | [Audit Archive & Reporting](/governance-and-reporting/audit-archive.md) | Immutable traffic records, data warehouse export, usage reports, access controls, and how to configure them | | [Agent Identity & Audit Trail](/governance-and-reporting/agent-identity-audit.md) | Cryptographic agent identity via ZeroID — who acted, under what delegation, with what authorization; how identity claims propagate into every audit record | | [Compliance Framework Coverage](/governance-and-reporting/compliance-frameworks.md) | How Highflame's detectors and Cedar policies map to OWASP, MITRE, NIST, and regulatory frameworks; exporting evidence | *** ## Governance capabilities ### Audit Archive For regulated environments, Highflame can capture a complete, immutable record of every AI interaction routed through the Gateway. Archiving is enabled at the route level — teams can selectively preserve traffic for sensitive applications without capturing everything. Each archive record includes model inputs, outputs, guardrail evaluation results, and policy decisions. Archive data can be exported automatically to Snowflake or Redshift, enabling AI audit records to flow into existing compliance pipelines and data retention systems. ### Reporting Highflame transforms raw observability and audit data into structured summaries of AI usage, security posture, and compliance status. Reports are designed for both technical teams and non-technical stakeholders — covering which applications generate the most traffic, where policies are being enforced, how frequently violations occur, and how risk is trending over time. ### Access Controls Governance is reinforced through role-based access controls that determine who can modify routes, policies, or providers. Provider credentials (API keys, tokens) are stored in the Secrets Vault and never exposed to applications. Routing controls allow administrators to restrict which models and capabilities are available to specific applications or users, scoping high-risk capabilities to authorized workloads. ### Cryptographic Agent Identity Audit records are only as strong as the identity claims behind them. Highflame uses [ZeroID](/agent-identity-zeroid/introduction.md) to issue short-lived, RS256-signed JWTs to every agent, service, and application. Each token carries a SPIFFE URI identifying the agent, its operational role and trust level, the scopes it was granted, and — for delegated deployments — the full chain of principals that authorized it (`act.sub`, `delegation_depth`). Every request through the Gateway carries this token. Claims are validated cryptographically at request time and propagated into every Observatory trace, threat event, and Audit Archive record. The result is an audit trail where "which agent did this, and who authorized it?" is answerable from the event record itself — not from cross-referencing application logs. For multi-agent systems, the delegation chain is preserved end-to-end: a tool call is traceable back through orchestrator to the human session that initiated it. See [Agent Identity & Audit Trail](/governance-and-reporting/agent-identity-audit.md) for the full details on token claims, delegation chains, cryptographic verification, and ZeroID's Continuous Access Evaluation signals. ### Policy-Backed Governance Governance controls in Highflame are expressed as Cedar policies rather than configuration flags. Policies are versioned, scoped to projects, and validated against service-specific schemas in Highflame Studio before deployment. Because policies are enforced against rich runtime context — tool type, environment, detector scores, trust level, session history — rules can encode nuanced access decisions that static role checks cannot capture. Changes to policies are reviewed and deployed explicitly, creating an auditable change history for every enforcement rule in production. *** ## Governance evidence Governance is only useful if you can prove what the system decided. Highflame captures that evidence automatically: * **ZeroID tokens** cryptographically bind every action to a specific agent identity — `sub` (the acting agent), `act.sub` (the delegating principal), `trust_level`, and `delegation_depth` are verified at request time and embedded in every downstream record * **Shield** returns the determining policies and policy reasons for every enforcement decision — the specific Cedar policy IDs and their `@reject_message` annotations * **Observatory events** retain the agent identity claims, detector signals, and policy metadata that contributed to each decision * **Traces** preserve the surrounding execution context — what the agent was doing before and after a block — for later review, with full identity attribution in every span * **Sessions** surface cumulative risk signals and lifecycle metrics across multi-turn conversations * **ZeroID CAE signals** record trust events (revocation, anomalous behavior, policy violation, credential rotation) as a durable audit timeline against each agent identity This gives security, platform, and compliance teams a concrete path from a policy definition to the runtime event it produced — without screenshots, manual log queries, or reconstruction after the fact. *** ## Compliance framework coverage Highflame's detectors and Cedar policy profiles are mapped to the major AI security threat frameworks: OWASP LLM Top 10, OWASP AI Security Initiative, OWASP MCP Security, MITRE ATLAS, MITRE ATT\&CK, NIST AI RMF, NIST SP 800-53, and key regulatory requirements (GDPR, HIPAA, PCI-DSS, SOC 2, EU AI Act). Each Cedar policy in the built-in library carries `@tags` annotations referencing the framework controls it addresses. These are surfaced in Observatory and available for export in audit reports. See [Compliance Framework Coverage](/governance-and-reporting/compliance-frameworks.md) for the full mapping tables and evidence export instructions. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.highflame.ai/governance-and-reporting/governance-and-reporting.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.