AIR
Proof Lab
StartEcosystem
Explore (579)Live Systems (52)Pricing
Log InGet API Key✓ Verify It Yourself
H33 H33-74 ← All one-pagers Screen-shot the card · Cmd+Shift+4 · paste to LinkedIn
H33
H33-74Chain-Portable Evidence
For CCOs

"Every audit cycle requires reconstructing controls from systems we no longer run."

Each control's evidence is a self-verifying cryptographic object the auditor verifies directly.

Related · tier-1 reading. For what a portable artifact actually is, see Portable Artifact.

01

Crosswalks to ten regulatory frameworks

SOX, DORA, EU AI Act, OSFI B-13, HIPAA, PCI-DSS, GDPR, NIS2, FedRAMP, CMMC 2.0. Each control's evidence maps to specific framework requirements.

02

Auditor verifies any control's evidence directly

Pull the receipt, verify the three PQ signatures, confirm the anchor. No reliance on the operator's current log integrity.

03

Evidence survives vendor and platform changes

The GRC platform replacement, the SIEM migration, the cloud transition — none of them create evidence gaps.

04

Regulator inquiry answered with original PQ-signed proofs

Four-year-old controls produce the original proof. No reconstruction. No operator cooperation required.

The asset may move.
The evidence remains.
h33.ai/h33-74
H33-74 · Post-Quantum Evidence

H33-74 in brief — for the CCO

H33-74 is the portable 74-byte post-quantum evidence primitive — a 32-byte on-chain commitment plus a 42-byte off-chain receipt, signed under three independent NIST post-quantum signature families (ML-DSA, FALCON, SLH-DSA) — that produces and anchors a self-contained proof for each control activity. For a CCO it turns compliance evidence into self-verifying objects an auditor checks directly, instead of records that must be reconstructed from systems you no longer run.

What it is not. H33-74 is a primitive, not a service. It is not continuous control monitoring (that is HATS), not the pass/fail verdict on a control (that is Verification), and not policy or agent governance (that is Agent-008). It supplies durable evidence; it is not itself a certification.

Why does a CCO care?

Control evidence stops depending on the platform that produced it. Audits and regulator inquiries are answered with the original PQ-signed proofs — no reconstruction, no operator cooperation required.

How is it different from a GRC evidence store?

A GRC store must still be running and trusted at audit time. H33-74 proofs are self-verifying against an independent verifier, so evidence survives a GRC, SIEM, or cloud change without gaps.

What proves it?

Every claim resolves to a reproducible artifact — byte-exact wire format at /schemas/h33-74/ and reproducible timings at /benchmarks/.

Which frameworks does it map to?

Each control's proof crosswalks to specific requirements across SOX, DORA, EU AI Act, OSFI B-13, HIPAA, PCI-DSS, GDPR, NIS2, FedRAMP, and CMMC 2.0.