Inspiration
Enterprise AI systems are rapidly gaining access to sensitive data such as medical records, payroll, financial transactions, and internal documents, creating a dangerous tradeoff: organizations must either trust AI with that data and hope compliance policies hold, or limit AI adoption altogether.
The risks are real. Meta faced internal data exposure from unpredictable AI agents. Samsung employees leaked confidential semiconductor data through ChatGPT. And regulators are increasingly demanding proof that AI systems achieves compliance like SOC 2, HIPAA, GDPR, and internal governance policies. Traditional controls like access controls and audit logs fall short. They can't provide tamper-proof, privacy-preserving evidence of what AI systems actually did.
TrustTrace offers a third path, built on Midnight blockchain's zero-knowledge infrastructure. Organizations can now cryptographically prove that their AI agents followed approved policies and accessed only authorized data, without exposing the underlying sensitive information itself.
What it does
TrustTrace lets enterprises cryptographically verify that AI agents achieve compliance, data governance and privacy policies, without exposing sensitive data. When an AI system retrieves HR records, queries financial systems, or accesses healthcare data, TrustTrace:
- Captures execution events and generates privacy-preserving compliance attestations
- Keeps sensitive logs encrypted and off-chain via Midnight's zero-knowledge proofs
- Verifies predefined policies such as least-privilege access, approved tool usage, GDPR/HIPAA/ISO/SOC 2
Separate dashboards serve each stakeholder:
- Enterprise Administrators: define policies and monitor activity in real time
- Auditors: receive cryptographic proof of compliance, no sensitive data exposed
Why Midnight matters
A normal blockchain is not the right place to store enterprise AI logs because AI logs can contain sensitive data. Midnight gives TrustTrace the correct architecture:
- Sensitive data stays encrypted and off chain.
- Proofs are anchored on chain.
- Auditors can verify compliance.
- Employees can get transparency.
- Companies do not expose confidential data.
This is the main reason TrustTrace is not just an audit log tool. It is a privacy preserving compliance proof layer.
How we built it
TrustTrace was built by a three-person team. One product manager and two engineers, each owning a distinct layer of the stack.
Frontend: Built with React, TypeScript, and Tailwind CSS, the UI surfaces three separate views tailored to each stakeholder: end users, enterprise admins, and auditors. Each dashboard exposes only the information relevant to that role.
Backend: A Node.js/Express API handles compliance analysis, processing AI agent execution events and coordinating between the frontend and the blockchain layer.
Blockchain: We integrated Midnight Protocol to generate and verify zero-knowledge proofs. When an AI agent performs a sensitive action, our ZK proof system validates whether the agent followed predefined compliance requirements without exposing the underlying data. This creates verifiable trust for users while ensuring the organization's software remains provably compliant for auditors and regulators.
Challenges we ran into
- Steep learning curve across two unfamiliar domains: Our team came in with limited experience in both cryptography and compliance. Before writing a single line of code, we had to invest significant time understanding the fundamentals of zero-knowledge proofs and how real-world GRC (Governance, Risk, and Compliance) practices actually work in enterprise environments.
- Bridging theory and practice: Understanding ZKP concepts at a theoretical level was one thing; figuring out how to apply them meaningfully to real compliance scenarios was another. Translating abstract cryptographic primitives into something that maps cleanly onto HIPAA, GDPR, and enterprise data compliance requirements required a lot of iteration.
- Designing for a problem we were still learning: Because we were new to both domains simultaneously, our understanding of the problem evolved as we built. This meant revisiting earlier design decisions as we developed a clearer picture of what auditors and compliance teams actually need.
Accomplishments that we're proud of
A real and growing problem. Gartner projects 40% of enterprise apps will include AI agents by end of 2026, with the market growing from ~$9B to $139B by 2034. TrustTrace is built exactly for this moment.
Compliance that works for everyone. Organizations spend enormous time manually collecting audit evidence. TrustTrace makes this cryptographically verifiable — reducing overhead for companies and giving regulators stronger proof.
Solving what existing systems can't. Incidents at Meta, Amazon, and Samsung showed that access control and audit logs often aren't enough. TrustTrace closes the trust gap without ever exposing sensitive data.
What we learned
Building TrustTrace taught us that AI compliance is not only about restricting access to sensitive data, but also about proving that AI systems behaved compliantly at runtime. We learned that traditional security measures alone are insufficient for autonomous AI agents, and that zero-knowledge proofs can provide a practical way to verify compliance while keeping sensitive enterprise data private and off-chain.
What's next for TrustTrace
We believe AI will soon require a trust layer as essential as cybersecurity itself, and TrustTrace aims to become that foundation! Our next step is to expand beyond chatbot monitoring into full enterprise AI agent compliance, enabling real-time, zero-knowledge verification of autonomous AI actions across healthcare, finance, HR, and government systems. Long term, we envision TrustTrace becoming the universal compliance and verification layer for the agentic AI era.
Built With
- blockchain
- docker
- express.js
- node.js
- react.js
- recharts
- tailwind
- typescript
- vite
Log in or sign up for Devpost to join the conversation.