Early Access

Stop auditing AI code by hand

Sentrik scans every commit against 22 regulatory frameworks, blocks non-compliant code in CI, and generates audit evidence automatically. Works in VS Code, Cursor, and CI/CD pipelines — one tool, zero config.

The Problem

AI writes code faster than humans can review it. Compliance can't keep up.

$3B

fine for TD Bank in 2024 — 70,000 unreviewed compliance alerts. Manual review doesn’t scale [Reuters]

$40B/yr

spent on compliance labor in the US alone — 400,000 workers — and outcomes are still failing [a16z]

36%

of AI-generated code contains security vulnerabilities [Stanford]

526

rules across 22 regulatory frameworks, ready out of the box

The assumption that broke compliance

Every compliance framework, every audit process, every security review was designed around one thing: a human touched every line of code.

That assumption is now false for most teams. AI coding assistants write an ever-growing share of production code — on some teams the majority. Developers review at high speed under pressure to merge fast. A developer staring at 400 lines of AI-generated code doesn’t know whether it violates HIPAA clause 164.312 or IEC 62304 section 5.5.3 — and doesn’t have time to find out.

The result: organizations are running compliance risk they can’t see. Not because they’re negligent, but because the tools they have weren’t designed for this world. Semgrep, Snyk, SonarQube — they scan for issues. They don’t govern AI agents. They don’t know that Claude Code wrote the code, that the agent declared a scope of app/db/**, that it actually touched app/auth/login.py, and that this is a scope violation that should be surfaced immediately and logged permanently.

Sentrik is the governance layer built for this world. The AI writes the code. Sentrik enforces the rules, catches violations in real time, and generates the cryptographically signed audit evidence — automatically, at every commit, without slowing anyone down.

“For the first time, the risk of an enterprise not modernizing its compliance stack outweighs the risk of change.” — Andreessen Horowitz, Everything, Everywhere is Compliance (May 2026)

Three Commands. Full Compliance.

1

Scan

sentrik scan

526 rules check your code against IEC 62304, HIPAA, SOC2, OWASP, GDPR, EU AI Act, NIST 800-53, and 15 more frameworks. Findings map to specific regulatory clauses.

2

Gate

sentrik gate

Block non-compliant code in CI. PR comments show exactly which regulation you're violating.

- name: Compliance Gate
  run: sentrik gate
    --git-range origin/main...HEAD
    --decorate-pr

3

Ship

sentrik attest

Generate cryptographically signed attestations, per-framework compliance reports, and audit-ready evidence bundles. No more 6-week evidence sprints.

Two agents. One project. One that stays in bounds.

This is what AI governance looks like in practice — not a policy document, but a live enforcement layer that catches problems before they reach main.

Gate Passed

Agent 1 — Fix SQL Injection

sentrik task-bind "Fix SQL injection in patient endpoint" --path "app/routes/patients.py" "app/db/**"

Agent declares its intent and authorized file scope. Works within app/db/**. Query parameterized. Gate passes. A signed attestation is generated: “IEC 62304 §5.5.3 evaluated. SQL injection finding remediated at commit c28a5d.”

Gate Blocked

Agent 2 — Patch Logging Module

sentrik task-bind "Patch logging module" --path "app/logging/**"

Agent declares scope: app/logging/**. Actually touches app/auth/login.py, app/billing/invoice.py, app/secrets/keys.py, and six more files. Sentrik catches it the moment it writes outside its declared scope.

Anomaly score: 0.92  •  Status: VIOLATED
9 unauthorized files  •  New zones: auth, billing, crypto, secrets
Gate blocked  •  Rollback available  •  Signed incident record created
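An illustrative implementation of the scope check the two scenarios above describe, added here as an example and not Sentrik's own code. The file lists, the "zone" rule (first directory below the top-level package) and the anomaly heuristic are constructed assumptions; only the declared globs and a few touched paths come from the page.

```python
"""Illustrative scope check: declared file globs vs. files an agent actually touched.
Constructed example, not Sentrik's code; the zone rule and score heuristic are assumptions."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from pathlib import PurePosixPath

@dataclass
class ScopeReport:
    declared: list[str]
    unauthorized: list[str] = field(default_factory=list)
    new_zones: list[str] = field(default_factory=list)
    anomaly_score: float = 0.0

    @property
    def status(self) -> str:
        return "VIOLATED" if self.unauthorized else "OK"

def zone_of(path: str) -> str:
    """Zone = first directory below the top-level package: app/auth/login.py -> auth (assumed rule)."""
    parts = PurePosixPath(path).parts
    return parts[1] if len(parts) > 2 else parts[0]

def in_scope(path: str, declared: list[str]) -> bool:
    # fnmatchcase lets '*' match '/' as well, so 'app/db/**' covers the whole subtree.
    return any(fnmatchcase(path, pattern) for pattern in declared)

def check_scope(declared: list[str], touched: list[str]) -> ScopeReport:
    files = sorted(set(touched))
    report = ScopeReport(declared=list(declared))
    declared_zones = {zone_of(p) for p in declared}
    report.unauthorized = [f for f in files if not in_scope(f, declared)]
    report.new_zones = sorted({zone_of(f) for f in report.unauthorized} - declared_zones)
    # Illustrative heuristic only: share of touched files that lie outside the declared scope.
    report.anomaly_score = round(len(report.unauthorized) / len(files), 2) if files else 0.0
    return report

# Constructed inputs mirroring the two agents on the page (most file names are invented).
AGENT1_SCOPE = ["app/routes/patients.py", "app/db/**"]
AGENT1_TOUCHED = ["app/routes/patients.py", "app/db/queries.py"]
AGENT2_SCOPE = ["app/logging/**"]
AGENT2_TOUCHED = ["app/logging/handlers.py", "app/auth/login.py", "app/auth/session.py",
                  "app/auth/mfa.py", "app/billing/invoice.py", "app/billing/tax.py",
                  "app/crypto/sign.py", "app/crypto/kdf.py", "app/secrets/keys.py",
                  "app/secrets/vault.py"]

if __name__ == "__main__":
    for scope, touched in ((AGENT1_SCOPE, AGENT1_TOUCHED), (AGENT2_SCOPE, AGENT2_TOUCHED)):
        r = check_scope(scope, touched)
        print(f"{r.status}: {len(r.unauthorized)} unauthorized, zones={r.new_zones}, score={r.anomaly_score}")
```

The second agent yields nine unauthorized files and the four new zones from the page; the score differs from the page's 0.92 because the heuristic here is an assumption.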

See It In Action

Your AI Agents Fly. You Stay in Command.

AI coding agents write the code. Sentrik monitors every move, enforces your compliance boundaries, and produces the signed audit record — without slowing the agents down.

Monitor

Every file touched, every rule evaluated, every agent action logged in a tamper-evident audit trail — in real time.

Enforce

Gate boundaries are set by your team, not the AI. Non-compliant code is blocked before it reaches main — automatically.

Certify

Cryptographically signed attestations and per-framework evidence bundles, generated at every commit. Audit-ready on demand.

One platform. Every stakeholder.

Different people. Different problems. One governance layer that connects them all.

Developer

Compliance as a fast feedback loop, not a blocker

Findings appear inline in VS Code before you push. AI agents check compliance during code generation via MCP — so generated code passes the gate on the first try. The gate rarely blocks because it already ran during development.

“My first commit is already compliant.”

Engineering Manager

Structural guarantees instead of manual oversight

Non-compliant code structurally cannot merge without a human decision. Scope violations are caught the moment they happen — not in a post-mortem. Work item traceability maps findings to sprints so compliance has a home in your process.

“The gate is always on. I don’t have to remember to check.”

CISO / Security Lead

A signed audit trail for every AI action

Cryptographically signed attestations at every commit. Human-in-the-loop approvals for every gated action. Every agent session tracked — what it intended, what it touched, whether it stayed in scope, and what happened when it didn’t.

“When the auditor asks, I have the evidence ready.”

Compliance Officer / Auditor

Positive evidence of compliance — not just a list of violations

The Evidence Map shows where in the code each regulatory requirement is satisfied — with file, line, and matched pattern. Per-framework compliance reports generated in seconds. Audit prep is a download, not a sprint.

“Six weeks of evidence gathering became a five-minute export.”

The regulatory window is closing

Regulators are catching up to AI development. Organizations that establish governance now will have processes and evidence in place before enforcement begins — those that don’t will scramble to reconstruct it.

Enforcement Active

EU AI Act

High-risk AI systems require human oversight documentation, audit trails, and risk management evidence. AI that assists in developing safety-critical software qualifies. Non-compliance carries fines up to 3% of global revenue.

Active & Escalating

HIPAA Enforcement

Healthcare compliance frameworks are increasingly scrutinizing how AI-generated code is governed in systems that handle ePHI. “We review it manually” is not a scalable answer when AI generates thousands of lines daily.

FDA Guidance Issued

FDA / IEC 62304

21 CFR Part 11 and IEC 62304 compliance must be demonstrated across the full development lifecycle — including AI-assisted code generation. The evidence requirement doesn’t stop at the output.

Questions Now Standard

SOC 2 & NIST AI RMF

SOC 2 auditors are adding AI governance questions to standard assessments. NIST AI RMF requires organizations to demonstrate governance of AI systems. “How do you govern AI-generated code?” needs a real answer.

A Compliance Dashboard That Actually Helps

Real-time compliance scores, findings browser, AI-powered fixes, and one-click audit evidence — all in the browser.

Compliance Overview

See your compliance score, finding counts by severity, gate status, and scan duration at a glance. Governance banners flag when human review is required before merge.

AI Agent Governance

Sentrik auto-detects AI agents (Claude Code, Cursor, Copilot) and enforces declared task scope. When an agent touches files outside its declared intent, the violation is flagged immediately — with the full list of unauthorized files, rollback controls, and a pending approval that blocks the gate until a human signs off.

Compliance Evidence Map

Most tools only show what's wrong. Sentrik also shows what's right. The Evidence Map pinpoints exactly where your code satisfies each regulatory requirement — with file, line number, and matched pattern. Auditors see proof of compliance, not just a list of violations.

Findings with Code Context

Every finding shows the exact file, line number, regulatory clause, and code snippet. Filter by severity, rule, or framework. Export to CSV for auditors.

Requirement Drift Detection

Sentrik compares your code against documented requirements and flags when they diverge. When drift is detected, work items are automatically created in GitHub Issues, Azure DevOps, or Jira — assigned, labeled, and linked to the finding. No manual triage.

Fix with AI

Click any finding, chat with an LLM, and apply the fix — all from the browser. Compliance officers triage findings without touching an IDE.

STRIDE Threat Modeling

An LLM analyses your code for spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege threats. Filter by STRIDE category or severity, discuss mitigations with AI, and track remediation status.

AI-Assisted Code Generation

Claude Code, Cursor, and VS Code call Sentrik via MCP. The AI checks compliance rules before writing code — so generated code passes the gate on the first try. The VS Code extension scans on every save with inline diagnostics.

Code Intelligence

Sentrik understands your codebase — it scores quality, profiles your stack, and knows who should review what.

Quality Gradient Scoring

A 0–100 quality score across six dimensions: compliance, complexity, test coverage, documentation, consistency, and dependency health. Track trends over time and set minimum thresholds in your gate.

Project Profile & Expertise Tracking

Auto-detects languages, frameworks, architecture patterns, and conventions. Builds developer expertise profiles from git history. When a PR touches code outside someone's expertise, it flags it for senior review.

One Tool. Full Compliance Lifecycle.

Scan in Seconds

526 rules across 22 frameworks. SQL injection, hardcoded secrets, AI model security, supply chain risks — mapped to specific regulatory clauses.

Gate Every PR

Block non-compliant code in CI/CD. GitHub Actions, Azure Pipelines, GitLab CI. PR comments show exactly which rule was violated.

Audit Evidence

Per-framework compliance reports, trust center pages, signed attestations, and audit-ready ZIP bundles. Generated in seconds.

Supply Chain Security

SBOM generation, CVE scanning against OSV.dev, license compliance, and secrets detection. Auto-fix vulnerable deps and create PRs.

Code Intelligence

Quality scoring, project profiling, expertise-gap detection, and design decision auditing with AI-powered review.

Full Traceability

Requirements → code → tests → work items → audit evidence. Detect requirement drift automatically and create work items in GitHub, Azure DevOps, or Jira.

Works With Your Stack

CI/CD: GitHub Actions, Azure Pipelines, GitLab CI
Work Items: GitHub Issues, Azure DevOps, Jira
AI Agents (MCP): Claude Code, Cursor, Cline
Editors: VS Code, Cursor, LSP (any editor)
Distribution: npm, Docker, pip
Output: SARIF, JUnit XML, CycloneDX

Built for Regulated Industries

From medical devices to aviation software — Sentrik is designed for teams where compliance isn't optional.

Air-Gapped Ready

Offline license validation via HMAC. No phone-home, no cloud dependency. Works in classified and air-gapped environments.

Auditor Portal

Dedicated read-only portal for compliance auditors. Generate access tokens, share evidence bundles, and export audit-ready ZIPs.

Governance Profiles

Three profiles — strict, standard, permissive — control human review gates, auto-patching, and gate thresholds per software safety class.

Signed Attestations

Cryptographic HMAC-SHA256 signatures on every compliance attestation. Tamper-evident audit trails with per-entry integrity verification.
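The tamper-evident trail described here and under "Monitor" above, shown as an added example that is not Sentrik's attestation format or code: each entry carries an HMAC-SHA256 over its canonical content plus the previous entry's MAC, so editing, deleting or reordering an entry fails verification. The key, the helper names and all commit ids except c28a5d are constructed.

```python
"""Illustrative tamper-evident attestation trail: HMAC-SHA256 per entry, chained by MAC.
Constructed example; not Sentrik's attestation format or code. Key and most commit ids are demo values."""
import hashlib
import hmac
import json

DEMO_KEY = b"sentrik-demo-key-do-not-use"  # constructed; a real key lives in a secrets manager, never in the repo
GENESIS = "0" * 64  # prev-MAC of the first entry

def canonical(entry: dict) -> bytes:
    """Stable serialisation (sorted keys, no whitespace) so identical content always yields the same MAC."""
    body = {k: v for k, v in entry.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_entry(key: bytes, prev_mac: str, **fields) -> dict:
    entry = {"prev": prev_mac, **fields}
    entry["mac"] = hmac.new(key, canonical(entry), hashlib.sha256).hexdigest()
    return entry

def build_trail(key: bytes, events: list[dict]) -> list[dict]:
    trail, prev = [], GENESIS
    for ev in events:
        entry = sign_entry(key, prev, **ev)
        trail.append(entry)
        prev = entry["mac"]  # chain link: the next entry commits to this MAC
    return trail

def verify_trail(key: bytes, trail: list[dict]) -> int:
    """Return -1 if every entry verifies and chains correctly, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        expected = hmac.new(key, canonical(entry), hashlib.sha256).hexdigest()
        if entry.get("prev") != prev or not hmac.compare_digest(expected, entry.get("mac", "")):
            return i
        prev = entry["mac"]
    return -1

def tampered(trail: list[dict], index: int, **changes) -> list[dict]:
    """Copy of the trail with one entry's content edited after signing (simulates an attacker's edit)."""
    copy = [dict(e) for e in trail]
    copy[index].update(changes)
    return copy

EVENTS = [  # constructed events; the first mirrors the attestation text on the page
    {"commit": "c28a5d", "clause": "IEC 62304 §5.5.3", "note": "SQL injection finding remediated"},
    {"commit": "demo-2", "clause": "HIPAA 164.312", "note": "access control check evaluated"},
    {"commit": "demo-3", "clause": "OWASP A03", "note": "parameterized query verified"},
]
```

verify_trail returns -1 for an intact trail; editing entry 1 reports index 1, while deleting entry 0 or verifying with the wrong key reports index 0 because the chain or MAC breaks right at the start.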

22 Regulatory Frameworks. Built In.

Medical devices, fintech, healthcare, automotive, aviation, embedded systems.

OWASP Top 10: Web application security
SOC 2: Trust services criteria
HIPAA: Healthcare data protection
PCI DSS: Payment card security
ISO 27001: Information security
GDPR: Data protection & privacy
IEC 62304: Medical device software
EU AI Act: AI system governance
NIST 800-53: Federal security controls
CMMC 2.0: Defense contractor security
Supply Chain: SLSA, SBOM, dependency integrity
NIST AI RMF: AI risk management

Plus DO-178C, ISO 26262, MISRA C/C++, ISO 14971, IEC 81001-5-1, 21 CFR Part 11, and language-specific packs for Python, Go, PHP, and Kotlin

Choose Your Plan

Start free. Upgrade when you need more frameworks or enterprise features.

Free

Free

  • 5 standards packs (158 rules)
  • OWASP Top 10, SOC 2, Python, Go, Supply Chain
  • CLI scanning & gate
  • Dashboard & Evidence Map
  • VS Code extension
  • GitHub Action
  • Risk scoring on findings
  • SBOM, CVE scanning, secrets detection

Organization

Contact us

  • Everything in Team
  • 22 standards packs (526 rules)
  • MISRA-C, DO-178C, ISO 26262
  • ISO 14971, IEC 81001-5-1, 21 CFR Part 11
  • Parallel scanning
  • Custom rule packs
  • Governance profiles & audit log

Enterprise

Contact us

  • Everything in Organization
  • Seat management & SSO
  • Async approval workflows
  • Auditor portal with token access
  • GRC platform integration
  • Dedicated support
  • Custom SLA

Get Free Access

Request access and we'll be in touch. 5 packs, 158 rules, free forever.