# Regulated-industry posture, stated carefully
The regulated-industry tier is the agent-governance layer for teams that need cryptographic evidence, policy-gated execution, operator sign-off, residency proof, and reproducible audit bundles.
It is not a certification claim. Do not say LumenFlow is SOC 2 Type II certified, HIPAA certified, or procurement-ready for SAML/SCIM until the corresponding live controls and external evidence exist.
## Live or shipped substrate
| Area | Current posture |
|---|---|
| Control map | The initiative carries explicit guardrails on public claims; SAML/SCIM are not procurement-ready until the enterprise-auth phase lands |
| Cryptographic evidence | Evidence receipts are anchored with a Merkle-style chain so historical tampering can be detected |
| Compliance gates | GDPR, HIPAA, and finserv packs can fail closed through the gate-resolver path with auditable decline events |
| Operator sign-off | Mid-execution pause/resume/reject flows compose with dispatch leases and checkpoint events |
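To make the "Cryptographic evidence" row concrete, here is an added example (not LumenFlow's own code; its real receipt format is not shown on this page) of the simplest Merkle-style construction: a linear hash chain in which every evidence receipt commits to the previous receipt's hash, so editing a historical receipt breaks verification even if the attacker rehashes the edited entry. The `seq`, `prev_hash`, `event` and `receipt_hash` field names and the sample decline/approve events are assumptions.

```python
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first receipt (assumed convention)


def _digest(payload: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) keeps the hash stable.
    data = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode()).hexdigest()


def append_receipt(chain: List[dict], event: dict) -> dict:
    # Each receipt binds its position and the previous receipt's hash.
    prev = chain[-1]["receipt_hash"] if chain else GENESIS
    body = {"seq": len(chain), "prev_hash": prev, "event": event}
    receipt = dict(body, receipt_hash=_digest(body))
    chain.append(receipt)
    return receipt


def verify_chain(chain: List[dict]) -> Tuple[bool, Optional[int]]:
    # Returns (ok, index of first bad receipt). A receipt is bad if its
    # sequence number, back-link, or self-hash does not check out.
    prev = GENESIS
    for i, r in enumerate(chain):
        body = {k: v for k, v in r.items() if k != "receipt_hash"}
        if r["seq"] != i or r["prev_hash"] != prev or _digest(body) != r["receipt_hash"]:
            return False, i
        prev = r["receipt_hash"]
    return True, None


def build_sample_chain() -> List[dict]:
    # Constructed sample events: a gate decline, an operator approval, a run.
    events = [
        {"gate": "hipaa", "decision": "decline", "reason": "phi_in_prompt"},
        {"operator": "alice", "action": "approve", "run": "run-01"},
        {"run": "run-01", "status": "completed"},
    ]
    chain: List[dict] = []
    for ev in events:
        append_receipt(chain, ev)
    return chain
```

Recomputing a tampered receipt's own hash is not enough: the next receipt still carries the original `prev_hash`, so verification fails one entry later.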
## In progress or planned
| Area | Boundary |
|---|---|
| Audit bundles | Scheduled bundle generation is in progress; generated bundles are evidence packages, not attestations |
| Data residency | Key-region, storage-region, and evidence-bound routing controls are in progress; labels alone are not enforcement |
| Enterprise auth | RBAC/action audit foundation is in progress; real SAML IdP flow, SCIM bearer-token provisioning, MFA/admin policy, and procurement readiness remain planned |
| SOC 2 drill | The SOC 2 Type II external audit drill is planned after P1-P7 evidence exists; public claims require security/legal approval |
## Public wording
Use "regulated-industry agent governance tier" or "regulated trust posture." Avoid "certified", "attested", or "procurement-ready" unless a specific live control and evidence package supports that sentence.