This document maps HATS (H33 Attestation and Trustworthiness Standard) capabilities to nine regulatory and compliance frameworks. The mapping identifies which HATS features produce evidence relevant to each framework's control objectives.
This matrix is a technical compatibility reference. It does not constitute legal advice, certification, or a compliance guarantee. Organizations should evaluate the applicability of HATS-generated evidence within their specific regulatory context and jurisdictional requirements.
HATS is a publicly available technical conformance standard for continuous AI trustworthiness; certification under HATS provides independently verifiable evidence that a system satisfies the standard's defined controls.
The following HATS capabilities are evaluated against each compliance framework; each cell rates the coverage as Full, Partial, or Indirect:
| Framework | Continuous Attestation | Governance Replay | Evidence Chains | Independent Verification | Encrypted Computation | Agent Attestation |
|---|---|---|---|---|---|---|
| SOC 2 Type II | Full | Full | Full | Full | Partial | Full |
| ISO 27001:2022 | Full | Full | Full | Full | Partial | Partial |
| HIPAA Security Rule | Full | Partial | Full | Full | Full | Partial |
| GDPR | Partial | Full | Full | Full | Full | Indirect |
| PCI DSS 4.0 | Full | Partial | Full | Full | Full | Indirect |
| NIST CSF 2.0 | Full | Full | Full | Full | Partial | Full |
| EU AI Act | Full | Full | Full | Full | Indirect | Full |
| DORA | Full | Full | Full | Full | Partial | Partial |
| FedRAMP | Full | Partial | Full | Full | Partial | Indirect |
HATS attestation receipts map to SOC 2 Trust Service Criteria across all five categories (Security, Availability, Processing Integrity, Confidentiality, Privacy). Continuous attestation directly addresses the "operating effectiveness over a period of time" requirement that distinguishes Type II from Type I. Evidence chains provide the continuous monitoring artifacts that SOC 2 auditors evaluate. See the HATS-SOC 2 Crosswalk for per-criterion mappings.
HATS capabilities align with Annex A controls in the areas of cryptography (A.8.24), logging and monitoring (A.8.15, A.8.16), and information security event management (A.5.25). Governance replay supports the management review and continual improvement processes specified in Clauses 9 and 10. Agent attestation coverage is partial because ISO 27001 does not yet include AI-specific controls in the 2022 revision.
Encrypted computation via FHE directly addresses the HIPAA requirement that ePHI be rendered unusable and unreadable during processing (45 CFR 164.312(a)(2)(iv)). Evidence chains satisfy audit control requirements (45 CFR 164.312(b)). HATS attestation receipts serve as the access log artifacts required by the Security Rule's audit provisions.
HATS governance replay provides the decision traceability required by GDPR Articles 13-15 (right to information about automated decision-making). Encrypted computation supports Article 25 (data protection by design) and Article 32 (security of processing). HATS does not address organizational obligations such as data subject access request (DSAR) workflows or data protection officer (DPO) appointment.
HATS evidence chains satisfy PCI DSS Requirement 10 (log and monitor all access). Encrypted computation addresses Requirement 3 (protect stored account data) when cardholder data is processed under FHE. Continuous attestation supports Requirement 12.4 (formal security awareness program) by providing continuous evidence of control effectiveness.
HATS provides coverage across all six NIST CSF functions (Govern, Identify, Protect, Detect, Respond, Recover). See the HATS-NIST CSF 2.0 Crosswalk for per-category mappings.
Agent attestation directly addresses Article 14 (human oversight), Article 12 (record-keeping), and Article 13 (transparency) requirements for high-risk AI systems. Governance replay provides the decision auditability required by Article 9(8). Continuous attestation supports the post-market monitoring obligations in Article 72.
HATS evidence chains address DORA Article 12 (ICT-related incident management) by providing tamper-evident records of all system operations. Continuous attestation supports Article 8 (digital operational resilience testing). Governance replay supports Article 6 (ICT risk management framework) by enabling deterministic reconstruction of risk-relevant decisions. See the HATS-DORA Crosswalk.
HATS capabilities map to NIST SP 800-53 controls referenced by FedRAMP, particularly AU (Audit and Accountability), SC (System and Communications Protection), and SI (System and Information Integrity) control families. FedRAMP authorization requires additional organizational and operational controls beyond the scope of HATS technical capabilities.