Glacis generates signed runtime receipts for consequential AI events, then assembles those receipts into evidence packs your team, auditors, customers, and regulators can inspect.
Receipts are generated at runtime. Evidence packs are assembled from receipts.
A signed runtime receipt, captured when a consequential AI decision executes. Every field is immutable once signed.
OVERT 1.1.0 · signed with Ed25519 · countersigned by an independent witness
{
"receipt_version": "2.0",
"overt_version": "1.1.0",
"id": "glc_receipt_019765f0-3a1c-7d42-9e08-c2b4d6a8f135",
"timestamp": "2026-06-11T09:14:02.317Z",
"methodology_version": "1.0.0",
"demonstration_note": "Demonstration workflow data. The cryptography is real: every signature and hash in this receipt verifies in your browser.",
"subject": {
"organization_id": "org_example_health",
"deployment_id": "dep_clinical_scribe_prod",
"workflow": "ambient-scribe-draft-note",
"model": "claude-sonnet-4-6",
"provider": "anthropic"
},
"evidence": {
"input_hash": "31ee69bf5bd68b21a89872cbd319f4d71860c23d31da5aa75b39cf77ae248981",
"output_hash": "157cf56f011961904304e359a0f9779152de75d97eaf540f4cd4c8e6beb3a161"
},
"signals": {
"binary_hash": "8445ef214d71984f41f6fad9199b2dc41d036804df5fe75bbc1e94e0fb32913f",
"network_state_hash": "02d0770849f806acc045ab5ce99c81938c3ca276c779bed0f2977416f4a5be42",
"epoch_token": "1781082842317",
"context_window_hash": "ed1f4f976b6013e321979922351ee454c6dfb077019981b6bb022acbfdbe9d7e",
"composite_hash": "64a74d744d8af6fe0805a438556209eeaa3b62c31810f52a538f4ccc98ee2626"
},
"controls": {
"guardrail_action": "allow",
"nonconformity_score": 0,
"rules_evaluated": 14,
"rules_triggered": 0,
"policy_mode": "enforce",
"phi_egress_check": "pass"
},
"attestation": {
"operator_signature": "10caced1f9ca157495eacdc5fd018ab0369c20e543c10c0403e9a80532531931b6e58c450555327eecef7f8dc683300c0d6dafd115a103efbe0932fef4f3150b",
"operator_public_key": "9c8eb1b83a59662ff76b84075dcb7f8c6b391e2e018666675211d93fc94723d8",
"witness_signature": "999464e4c04c22744519cd01e3f7b14cb876954d8765bcc2c579c20aad0acee4d8a29d97316c689ac026419c3379bd9021f5b40317dfbb770302486998354901",
"witness_public_key": "7c038b40b8c6183c749c92079709a32e19b0d4572befcc23e0a348e7e4df39a5",
"previous_receipt_hash": "genesis",
"chain_position": 1
}
}
Verify this receipt yourself. The workflow data is a demonstration; the cryptography is real, and the checks run in your browser.
Verify a receiptEvery field in the receipt exists for a reason. Here’s what your compliance team and auditors care about.
“Did the AI follow the rules?” The guardrail action, the policy mode it ran under, and every rule evaluated before the output was allowed through.
“What guardrails were active?” Rules evaluated and triggered, the PHI egress check, and a nonconformity score: proof each control executed, not just that it was configured.
“Which AI made this decision?” Exact model version, provider, and configuration — captured at the moment of inference, not reconstructed from logs.
“Can anyone tamper with this?” Signed with Ed25519. Hashed. Countersigned by an independent witness. Chained to the receipt before it, so history can’t be rewritten.
“Did any plaintext leave?” By design, only HMAC’d commitments and signatures cross the trust boundary: prompts, responses, and PHI stay inside your environment. The receipt records that the egress check executed, and what it returned.
“When exactly?” Millisecond precision. Bound to system state at the time of the decision. Not a log entry written after the fact — a commitment sealed at runtime.
Individual receipts aggregate into a single, structured deliverable your auditors and regulators can consume without calling a meeting.
X decisions attested across Y AI systems over Z days. One number that tells the board how much of your AI estate is covered.
Every safety control, every execution, pass/fail rates. Not a policy document saying controls exist — proof they ran.
How receipts map to ISO 42001, NIST AI RMF, and EU AI Act controls. One evidence base, multiple frameworks; the mapping is informational for reviewer reference, not a certification claim.
Queryable log of every decision — searchable by date, system, outcome, or control. Your auditors don’t wait for you to pull reports.
Machine-readable format for auditors and downstream compliance tools. No more spreadsheets — structured data that feeds directly into GRC platforms.
Full visibility for your team inside your environment. Zero sensitive-data exposure to us. That’s what zero sensitive-data egress actually means.
Logging this costs less than your current observability stack. Every receipt is structured, queryable, and stored in your environment.
Walk through a live Evidence Pack with our team. We’ll show you exactly how receipts map to your frameworks, your audit requirements, and your procurement checklist.
Get runtime coverage