Compliance Quickstart

Set up AI agent governance for your organization. No engineering degree required.

For: Compliance Officers, Risk Managers, CISOs

This guide is for you if your title includes words like Compliance, Risk, Audit, or Governance and someone just told you the company is deploying AI agents. You need to know what LockStock does, how to set it up, and what to tell the regulators.

You do not need to write code. You do need a web browser and about 30 minutes.

What You're Setting Up

LockStock creates an immutable, cryptographic audit trail for every action your AI agents take. Think of it as a tamper-evident flight recorder: every prompt sent, every response received, every tool invoked — all logged in a hash chain that cannot be rewritten after the fact.

When a regulator asks "how do you know what your AI did on Tuesday at 3pm?", the answer is: "We have a mathematically verifiable record. Here's the proof."

Setup

1Create Your Account 5 min You

  1. Go to d3cipher.ai/dashboard
  2. Click Sign Up
  3. Enter your work email and create a password
  4. You'll receive an API Key — save this somewhere secure (your password manager, not a sticky note)

What just happened: You created a tenant account. All agents you register will belong to this account, and all audit logs will be scoped to you. No one else can see your data.

2Register Your Agents 5 min per agent You

For each AI agent your organization runs, you'll create a registration in the dashboard:

  1. In the dashboard, click Provision Agent Card
  2. Give the agent a name that your team will recognize (e.g., customer-support-bot, document-classifier)
  3. Select which task types this agent is authorized to perform
  4. Click Create
  5. Copy the Genesis Token that appears

Important:

The genesis token expires in 24 hours and can only be used once. If it expires before your engineering team uses it, simply delete the agent and create a new one. This is a security feature, not a bug.

Send the genesis token and agent name to whoever manages the AI agent's infrastructure. They will use it in Step 4. You do not need to do Step 4 yourself (but you can if you want to).

3Hand Off to Engineering You → Engineering

Send your engineering team this message (copy and paste is fine): 

We need to add LockStock audit logging to [AGENT NAME].

Here's what you need:
- Gateway Key: [I'll send separately via secure channel]
- Account Key: [I'll send separately via secure channel]

Run one Docker container:
  docker run -d --name d3cipher-gateway \
    -e D3CIPHER_API_KEY=[gateway key] \
    -e UPSTREAM_URL=https://api.openai.com \
    -e ACCOUNT_KEY=[account key] \
    -p 4000:4000 \
    registry.gitlab.com/d3cipher/lockstock-images/gateway:v3.1.0

Then change one env var on each agent:
  OPENAI_BASE_URL=http://gateway-host:4000

Full guide: https://d3cipher.ai/docs-gateway-quickstart.html

No code changes. Should take about 20 minutes.

That's it. The engineering work is a configuration change, not a rewrite.

4What Engineers Do (For Your Awareness) 15 min Engineering

You don't have to do this step. This is what happens on the engineering side, so you know what to expect:

  1. Run the d3cipher Gateway Docker container (one command)
  2. Change one environment variable on each agent: 
    # Point agents at the gateway instead of directly at OpenAI
OPENAI_BASE_URL=http://gateway-host:4000
  3. Add an agent identity header: X-D3cipher-Agent: agent-name
  4. Every API call the agent makes is now stamped, encrypted, and logged

Zero code changes to the agent itself. The d3cipher Gateway sits between the agent and the AI provider (OpenAI, Anthropic, etc.) as a reverse proxy. The agent doesn't know it's being audited.

5Verify It's Working 5 min You

Once engineering confirms the agent is running with LockStock:

  1. Go back to your dashboard
  2. Click on the agent's card
  3. You should see:
    • Sequence number incrementing (each action advances the count)
    • Audit log entries appearing with timestamps and task types
    • Hash chain intact (green checkmark, no breaks)

If you see entries appearing, congratulations: you have a working audit trail.

6Prepare for Your First Audit 10 min You

Set up your Account Key for encrypted transcript access:

  1. In the dashboard, go to Settings
  2. Generate or enter your Account Key (64-character hex string)
  3. Save this key in your password manager. It never leaves your browser. We do not have it. If you lose it, encrypted transcripts cannot be recovered.
  4. Go to the Auditor tab in the dashboard
  5. Enter your Account Key
  6. You can now read the full content of every prompt and response your agents have processed

Why this matters: Transcripts are encrypted end-to-end. The LockStock server stores the ciphertext but cannot read it. Only someone with your Account Key can decrypt agent transcripts. This is how you prove to auditors that even your vendor cannot access your AI conversations.

What to Tell Regulators

When regulators ask about your AI governance framework, here's what you have:

Immutable Audit Trail

Every AI agent action is logged in a cryptographic hash chain. Each entry is linked to the previous one. Tampering with any entry breaks the chain and is immediately detectable. This is not a database log that someone with admin access can edit — it's a mathematical proof of sequence.

End-to-End Encryption

Full transcripts (prompts and responses) are encrypted before they leave your infrastructure. The audit service stores ciphertext it cannot decrypt. Decryption requires your Account Key, which only your team possesses. Your vendor cannot read your AI conversations.

Anomaly Detection

LockStock monitors agent behavior for anomalies: unusual request velocity, unexpected task types, sequence gaps. A circuit breaker can automatically halt an agent that exceeds defined thresholds. You can enable or disable ML-based anomaly scoring per tenant from the dashboard Settings.

Agent Identity and Authorization

Each agent has a unique cryptographic identity derived from its hash chain. Agents are authorized for specific task types only. An agent authorized for "customer support" cannot suddenly start executing "financial trades" — the system will reject the action and log the attempt.

What LockStock Does NOT Do

Transparency matters. Here's what falls outside LockStock's scope:

If Something Goes Wrong at 2 AM

Incident Response Checklist

  • Agent misbehaving? The circuit breaker may have already stopped it. Check the dashboard for "CIRCUIT_BREAKER_TRIPPED" entries in the audit log.
  • Need to stop an agent immediately? Click Lock on the agent in the dashboard. The gateway blocks all subsequent requests instantly. No restart needed.
  • Need to prove what happened? Open the Auditor tab, enter your Account Key, and export the decrypted transcript for the time range in question. The hash chain proves the transcript hasn't been modified.
  • Regulator requesting records? Export the audit log (JSON) from the dashboard. For encrypted transcripts, use the Auditor tab with your Account Key. Both are self-service.
  • Suspect the audit trail was tampered with? Run chain verification from the dashboard. Any break in the hash chain will be flagged. A verified chain is mathematical proof of integrity.

Glossary

Next Steps