AI Compliance Evidence

Cryptographic records for EU AI Act, NIST AI RMF, federal AI executive orders, and state-level AI laws.

AI regulatory compliance is shifting from policy promises to verifiable evidence. Regulators no longer accept "we have controls" as proof; they require evidence that controls were applied to specific decisions. H33 produces cryptographically signed compliance evidence for every AI decision in scope: tamper-evident, replayable, and verifiable by regulators without contacting the regulated entity.

What AI compliance evidence is now required

The regulatory landscape for AI is converging on a small set of evidentiary requirements.

EU AI Act (in force 2024) classifies AI by risk and imposes record-keeping, transparency, conformity-assessment, and post-market-monitoring requirements. Article 12 specifically requires automatic logging sufficient to enable traceability. Article 13 requires transparency. Article 17 requires risk management documentation.

NIST AI Risk Management Framework defines four functions and emphasizes documented evidence of risk management throughout the AI lifecycle.

Federal AI Executive Order 14110 requires federal agencies to document AI usage, conduct impact assessments, and provide evidence of safety and rights protections.

State-level laws impose sector-specific AI documentation.

The common pattern: compliance is no longer "we have an AI policy." Compliance is "we have evidence that our AI policy was applied to this specific decision, and the evidence is verifiable by someone who does not trust our internal records."

How H33 maps to AI compliance frameworks

Each evidence control object in an H33 bundle maps to specific compliance requirements.

PolicyBind documents the policy in force (EU AI Act Article 17, NIST AI RMF Govern).
ModelFingerprint documents the model identity (EU AI Act Article 12, NIST AI RMF Map).
AuthorityBind documents the principal authorized (governance requirements).
CalibratedAbstention documents confidence and abstention (EU AI Act Article 14, NIST AI RMF Measure).
PipelineDag documents execution stages (traceability).
CorpusBind documents the data corpus (EU AI Act Article 10).
EvidenceAttestation documents the evidence rows (traceability).
ResultCitationBind documents answer-citation binding (transparency).

Why compliance evidence is harder than compliance policy

Most compliance programs produce policies, procedures, and control matrices. Those are necessary but no longer sufficient. The shift in regulatory expectation is from "show us your policy" to "show us evidence the policy was applied to this decision." Standard logging systems struggle here. H33 evidence satisfies the new standard. Each bundle is a specific decision's record. The bundle is verifiable by the regulator offline, without trusting the entity.

Use cases

EU AI Act high-risk system compliance.
An AI system in a high-risk category produces H33 evidence bundles for every decision. The conformity-assessment body verifies the bundles as part of conformity assessment.

NIST AI RMF profile compliance.
A federal agency implements the AI RMF Profile. The H33 bundles provide the evidence base for each of the four RMF functions.

Federal AI usage reporting.
A federal agency's AI inventory and reporting under EO 14110 is supported by H33 bundles that document each AI use case.

State insurance regulator review.
A state insurance department investigates a carrier's use of AI in coverage decisions. The carrier provides H33 bundles. The regulator verifies them offline.

Healthcare AI compliance.
A clinical decision support AI must satisfy state medical board oversight and federal CMS requirements. The H33 bundles produce the evidence base for both.

Common questions

Does H33 produce a compliance certificate?
No. H33 produces the evidence. Compliance determinations are made by regulators, auditors, or conformity assessment bodies.

Is H33 a substitute for our compliance program?
No. Compliance programs remain necessary. H33 provides the evidence that the program was applied to specific decisions.

Will regulators accept H33 evidence?
The bundles are open canonical JSON with an open-source verifier. Any regulator can verify them.

What about evolving frameworks?
The bundle's schema is versioned. New evidence control (EC) objects can be added as compliance requirements evolve.

What about international regulators with different requirements?
The bundles are interpretable by any party with the open-source verifier.
