Technical Deep-Dive

Runtime Attestation
for AI Compliance

Cryptographic proof that your AI safety controls executed—
not just that they were configured.

Ed25519 Signatures

RFC 6962 Merkle Tree

DPRF Sampling

The Problem

Configuration State ≠ Runtime State

What GRC Platforms Prove

✓ Controls are documented

✓ Policies are configured

✓ Changes are tracked

✓ Assessments completed

What AI Systems Need to Prove

◆ PHI redaction ran on request_id:0x4a3

◆ Consent verified before recording

◆ Bias check completed on inference

◆ Guardrail executed at t=1702456789

The gap: Logs show you have a guardrail. They don't prove it ran on a specific inference. When an AI prescribes a treatment, you need cryptographic proof—not log assertions.

Architecture

Zero-Egress Attestation Layer

AI Request

→

GLACIS Sidecar

Your VPC / Customer Boundary

→

AI Model

↓ Attestation only (no payload)

Witness Network

Third-Party Verification

→

Transparency Log

RFC 6962 Merkle Tree

→

GRC Platform

OSCAL Evidence Import

0

PHI/PII Egress

<5ms

Latency Overhead

100%

Verifiable

Cryptographic Foundations

Production-Grade Primitives

Ed

Ed25519 Signatures

Each attestation signed with customer-held private key. Non-repudiable proof of execution.

pub fn ed25519_sign(
    signing_key: &SigningKey,
    message: &[u8]
) -> [u8; 64]
                            

Σ

DPRF Sampling

Deterministic Pseudo-Random Function for auditable sampling. Prove decisions weren't manipulated.

// HMAC-SHA256 based
pub fn run_sampling(
    dprf_key: &DprfKey,
    request_hash: &[u8],
    threshold: u64
) -> SamplingDecision
                            

⊕

RFC 6962 Merkle Tree

Certificate Transparency-style append-only log. Tamper-evident with inclusion proofs.

// Leaf: 0x00 || SHA256(data)
// Node: 0x01 || SHA256(L||R)
export function verifyInclusionProof(
    leafHash, proof, expectedRoot
): boolean
                            

Chain-of-custody guarantee: Every attestation is signed at creation, witnessed by independent network, anchored to append-only log. Mathematical proof of "what happened when"—analogous to NNSA material tracking.

Data Structures

Attestation Anatomy

// Attestation generated per-request
struct AttestationResult {
    // Unique identifier
    attestation_id: String,    // UUID v4
    
    // What was checked
    path_type: PathType,       // Passthrough|Transformed
    
    // Sampling decision (DPRF output)
    sampling_decision: SamplingDecision,
    
    // PII/PHI scan result (0-100)
    nonconformity_score: Option<u8>,
    
    // Request fingerprint (no payload)
    request_hash: [u8; 32],
    
    // Ed25519 signature over above
    signature: String,          // Base64
}
                            

What Gets Transmitted

Hash of request—not the request itself
Boolean results—did checks pass/fail
Timestamps—when execution occurred
Signature—cryptographic proof of origin

What Never Leaves

Request/response payloads
PHI/PII content
Model inputs/outputs
Any identifiable patient data

No BAA Required with GLACIS

Audit Innovation

DPRF: Verifiable Sampling

Auditing 100% of AI inferences is impractical. But random sampling creates trust gaps: "How do we know you didn't cherry-pick?"

Deterministic Pseudo-Random Function

// Key held jointly: auditor + org
let tag = hmac_sha256(dprf_key, request_hash);
let value = u64::from_be_bytes(tag[0..8]);

// Deterministic: same input → same decision
if value < threshold {
    SamplingDecision::Sampled
} else {
    SamplingDecision::NotSampled
}
                            

Key insight: Given the DPRF key, anyone can independently verify that sampling decisions were mathematically correct—without accessing underlying data.

Audit Properties

Verifiable

Auditor can re-run DPRF on any request hash to confirm sampling decision was correct.

Unpredictable

Organization cannot predict which requests will be sampled without the key.

Privacy-Preserving

Verification requires only request hashes—never the actual content.

Similar to Time Travel's chain-of-custody tracking, but applied at the individual inference level rather than configuration snapshots.

Integration Layer

Complementing GRC Platforms

Policy documentation

CONFIG

Policy execution proof

Control implementation status

CONFIG

Control runtime attestation

Point-in-time assessments

RUNTIME

Continuous execution evidence

Change tracking (Time Travel)

RUNTIME

Per-request chain-of-custody

OSCAL Export

Native OSCAL format for direct import into RegScale, Xacta, or any CCM platform.

{
  "assessment-results": {
    "results": [{
      "findings": [{
        "target": "AC-6(9)",
        "implementation-status": "implemented",
        "attestation-evidence": {
          "signature": "base64...",
          "merkle-proof": "..."
        }
      }]
    }]
  }
}
                            

Evidence Collection API

Real-time attestation feed for continuous controls monitoring integration.

GET /api/v1/attestations
  ?control_id=AC-6(9)
  &after=2025-12-19T00:00:00Z
  &include_proof=true

// Returns cryptographically verifiable
// evidence of control execution
                            

Market Timing

Regulatory Forcing Functions

Now

NIST AI RMF

voluntary

Jun 2026

Colorado AI Act

enforcement begins

Aug 2026

EU AI Act

general application

Jan 2027

California AI

regulations

New Control Requirements

AI-specific controls that don't exist in traditional frameworks:

Algorithmic impact assessments
Bias testing documentation
Human-in-loop verification
Automated decision explanations
Proof of safety measure execution

The Evidence Bar

What regulators and insurers will expect:

Third-party verification (not self-attestation)
Tamper-evident audit trails
Per-inference accountability
Mathematical proof over log assertions
Continuous evidence, not point-in-time

Standard of care precedes law. NIST AI RMF and ISO 42001 are becoming the de facto duty of care for AI systems—creating legal exposure even without formal regulation.

Defensibility

Patent Portfolio

70+

Patent Claims

4 patent families filed November 2025

4

Core Innovations

DPRF, Witness Protocol, Edge Attestation, Transparency Log

0

Blocking Prior Art

Novel combination of CT logs + AI compliance

Key Claims

Zero-egress attestation architecture
DPRF-based audit sampling
Edge-native policy enforcement

Witness network coordination protocol
OSCAL evidence generation from attestations
Multi-model governance abstraction

Fenwick & West IP counsel. Provisional filings convert to full applications Q1 2026.

Configuration + Execution
= Complete Compliance

GRC platforms prove you have controls. GLACIS proves they ran.
Together: continuous, cryptographic compliance evidence.

$1.25M

Pre-Seed Round

18mo

Regulatory Runway

AI2

Incubator Backed

witness.glacis.io • Production deployment live

Joe Braidwood • [email protected] • 415-215-3209

Runtime Attestationfor AI Compliance

The Problem

Configuration State ≠ Runtime State

What GRC Platforms Prove

What AI Systems Need to Prove

Architecture

Zero-Egress Attestation Layer

Cryptographic Foundations

Production-Grade Primitives

Ed25519 Signatures

DPRF Sampling

RFC 6962 Merkle Tree

Data Structures

Attestation Anatomy

What Gets Transmitted

What Never Leaves

Audit Innovation

DPRF: Verifiable Sampling

Deterministic Pseudo-Random Function

Audit Properties

Integration Layer

Complementing GRC Platforms

OSCAL Export

Evidence Collection API

Market Timing

Regulatory Forcing Functions

New Control Requirements

The Evidence Bar

Defensibility

Patent Portfolio

Key Claims

Configuration + Execution= Complete Compliance

Runtime Attestation
for AI Compliance

Configuration + Execution
= Complete Compliance