Compliance evidence is not a
spreadsheet you fill before an audit.
Incomplete AI inventory. Basic evidence trail. Ten engineering teams running AI in production. Mima scans your codebase, maps every AI call site to four frameworks, and gives you a readiness score to show your CISO in minutes.
For your GRC team: no terminal required.
For your engineers: a CI test they already understand.
You walked in on day one to gaps.
Incomplete AI inventory. Basic evidence trail. You opened a spreadsheet and started asking engineering managers to fill in columns. Two weeks later you still don't know how many AI systems are in production or what any of them do with user data.
There is no screenshot that proves oversight happened.
For human oversight decisions, pre-approval gates, prompt version changes — there is no screenshot you could take of those. Code-native evidence is the only kind possible. An email thread doesn't satisfy Article 13. A meeting note doesn't satisfy ISO 42001 A.6.2.
The right answer: a number, a gate, and a chain of custody.
With Mima, you say: EU AI Act 67%, gates passing, last evidence record 2 hours ago. Here is the signed audit pack. The chain is cryptographically verifiable. The auditor can dispute the findings; they cannot dispute the maths.
High-risk AI system obligations: December 2027.
Article 5 prohibited practices — enforceable since February 2025. Articles 9–15 for high-risk AI systems — December 2027 (extended 16 months from the original August 2026 date). Annex III full scope also December 2027. The right time to build the evidence chain is before the auditor arrives.
Three steps. No configuration.
Connect GitHub. We scan. You get a readiness score to show your CISO in 30 minutes.
Connect
GitHub OAuth. Two clicks. Read-only access — nothing written to your repo.
Scan
Every AI library call mapped to compliance controls across EU AI Act, ISO 42001, SOC 2, and NIST AI RMF. Time scales with repo size.
Score
Readiness percentage. Real data from your codebase. Share the link with your CISO.
For human oversight decisions —
there is no screenshot you could take.
Code-native evidence is the only kind possible for those controls. An email thread doesn't satisfy Article 13. A meeting note doesn't satisfy ISO 42001 A.6.2.
"Hi team, we reviewed the model on June 15 and it looked fine. No issues found."
{
record_type: "human_oversight",
system_name: "inference-service",
payload: {
reviewer: "alice@company.com",
decision: "approved",
reviewed_at: "2026-06-21T14:32:07Z"
},
mapped_controls: [
"EUAIA_ART13", "EUAIA_ART14",
"ISO42001_A6_2"
],
merkle_hash: "0x7fa3b...d2c1",
signed: true
}One is evidence. One is a screenshot.
Works with the tools you already use.
Fills the gaps they can't.
process exists.
actually followed it.
Three kinds of coverage.
Clearly labelled.
The dashboard never conflates what an auditor will accept with what's indicative. That distinction is the product's integrity.
Evidence from code
Produced by your instrumentation. Earns controls. Highest compliance weight. This is what an auditor signs off on.
Estate scan signal
Derived from AST discovery. Gives you day-1 visibility. Labelled "indicative only" — upgrade with SDK calls to earn the control.
Out of scope
Access reviews, HR training, physical security controls. These belong in your existing GRC tool. Mima works alongside it — doesn't replace it.
Why this matters: Most compliance tools silently treat all three categories as equivalent. A GRC manager who submits an inferred score as if it were attested evidence is exposed the moment an auditor asks for the underlying records. Mima's three-way split makes that distinction visible and unavoidable.
One evidence record.
Multiple frameworks satisfied.
Every record maps across whichever frameworks it's relevant to, automatically. No manual framework-by-framework work.
| RECORD TYPE | EU AI ACT | ISO 42001 | SOC 2 | NIST AI RMF |
|---|---|---|---|---|
| ai_risk_assessment | ART9ART11 | A.6.1A.9.1 | CC3.1CC3.2 | GOV.1MAP.1 |
| human_oversight | ART13ART14 | A.6.2A.6.6 | — | GOV.1 |
| model_evaluation | ART9ART15 | A.6.3A.9.2 | CC3.2 | MEA.1 |
| training_data_governance | ART10 | A.5.4A.6.5 | — | MAP.1 |
| incident_report | ART73 | A.3.2 | CC7.3CC7.4 | MNG.1 |
| model_drift_event | ART9ART72 | A.6.4 | CC4.1CC4.2 | MEA.2 |
Governance becomes a green/red test.
Your trust lead sent you here. Here's what they need from you — and why it's not overhead.
from mima_governance import MimaGovernance from mima_governance.integrations import LangfuseAdapter mima = MimaGovernance(api_key="mima_ext_...") # One decorator = one evidence record @mima.attest("human_oversight", system_name="inference-service") def run_inference(prompt: str): return client.chat.completions.create(...) # Langfuse/DeepEval traces → compliance evidence adapter = LangfuseAdapter(mima_client=mima) # Every eval run maps to controls automatically
Same mechanic as a failing test.
7 days free to try
Starter covers evidence writes and CI gates for small teams. Pro adds questionnaire automation (DDQ, SIG, CAIQ, ISO 42001), gap reports, pre-approvals, and signed audit packs — everything a compliance team needs to close the loop.
Evidence writes and CI gates for small teams. Up to 3 AI systems, 10 repos.
Evidence ledger, required CI gates, pre-approvals, and audit automation. Everything to close the loop.
Dedicated tenant. SAML. Custom frameworks. SLA.
A compliance consultant charges €350/hour. Mima Pro is €299/month. Cancel anytime.
Compliance evidence as a log line.
Not a spreadsheet you fill before an audit.
Articles 9–15 high-risk obligations: December 2027. Build the evidence chain now, before the auditor arrives.
Get my readiness score →