HATS records which surrogate models were selected, why they were selected, which attacks transferred, what risk estimate was produced, and whether the result can be independently verified years later. Stronger than "AI security testing" — audit-grade adversarial resilience evidence.
adversarial_resilience). The full eight-layer schema, field-by-field invariants, and verification protocol are documented in HATS Record v1.
The methodology HATS implements is the CKA-based surrogate selection framework proposed by Cox & Bunzel (OWASP AI Exchange / Fraunhofer SIT / ATHENE, 2025). The paper observes that exhaustive coverage of adversarial subspaces is computationally infeasible (NP-complete; high-dimensional input spaces), so resilience testing must instead deliberately span the space of surrogate models. The framework selects surrogates at both high and low Centered Kernel Alignment similarity to the target model, then evaluates transferred attack success rates across that bounded but representative set.
The framework is sound. What it does not address: how the regulator, auditor, or downstream consumer of the result independently verifies that the testing was done as claimed.
HATS produces a cryptographically signed record of every decision the framework requires, plus the inputs, the outputs, and the verifier configuration. The record is anchored to one or more public chains for independent notarization, and the entire testing decision is reproducible by anyone with the open-source HATS verifier.
A regulator, auditor, or downstream consumer with only the HATS record and the open-source verifier can independently reproduce the testing decision. The replay does not require H33's infrastructure, the original testing vendor, or the AI provider's continued cooperation.
Pull the HATS record from any of the chain anchors or from the customer's preservation store. Verify the three post-quantum signatures.
Recompute CKA similarity between each surrogate and the target model using the recorded weight hashes. Confirm each surrogate met its threshold (M_1 ≥ r_1, M_2 ≤ r_2).
Using the recorded RNG seed, attack parameters, and surrogate weights, deterministically regenerate the AutoAttack corpus. Confirm the attack set matches what was evaluated.
Run the recorded regression model with the recorded prior on the recorded transfer outcomes. Confirm the produced risk estimate (0.196 ± 0.041) is reproducible.
Verify the chain anchors on Polygon, Bitcoin, and Ethereum reference the same record hash. Independent notarization confirms the record existed by the recorded block timestamps.
The testing decision is cryptographically reproducible. The surrogate selection was sound under the framework. The risk estimate is defensible. Replay succeeds without operator infrastructure.
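The surrogate-threshold step of the replay above (M_1 ≥ r_1, M_2 ≤ r_2) can be sketched as follows. This is an added example, not the HATS verifier or its record schema. The field names, the thresholds and the activation matrices are constructed assumptions. It uses linear CKA and assumes the activations were already produced from the hash-pinned models on a shared probe set.

```python
import math

def center(m):
    """Subtract each column's mean (rows = probe inputs, columns = features)."""
    means = [sum(c) / len(c) for c in zip(*m)]
    return [[v - mu for v, mu in zip(row, means)] for row in m]

def cross_fro2(a, b):
    """Squared Frobenius norm of A^T B for matrices with the same row count."""
    return sum(sum(x * y for x, y in zip(ca, cb)) ** 2
               for ca in zip(*a) for cb in zip(*b))

def linear_cka(x, y):
    """Linear CKA in [0, 1]; returns 0.0 when either side has no variance."""
    x, y = center(x), center(y)
    denom = math.sqrt(cross_fro2(x, x) * cross_fro2(y, y))
    return cross_fro2(x, y) / denom if denom else 0.0

def replay_selection(record, activations, tol=1e-6):
    """Recompute each surrogate's CKA and re-check its threshold.
    Returns failure strings; an empty list means the step replays."""
    failures = []
    target = activations[record["target"]]
    for s in record["surrogates"]:
        score = linear_cka(target, activations[s["name"]])
        if abs(score - s["recorded_cka"]) > tol:
            failures.append(f"{s['name']}: recomputed {score:.4f} != recorded")
        # High-similarity surrogate: M_1 >= r_1. Low-similarity: M_2 <= r_2.
        ok = score >= s["r"] if s["role"] == "high" else score <= s["r"]
        if not ok:
            failures.append(f"{s['name']}: {score:.4f} fails {s['role']} threshold")
    return failures

# Constructed sample data: activations on a shared 4-input probe set.
ACTS = {
    "target": [[1, 0], [0, 1], [-1, 0], [0, -1]],
    "near":   [[2, 0], [0, 2], [-2, 0], [0, -2]],  # rescaled copy of target
    "far":    [[1], [-1], [1], [-1]],               # orthogonal to target
}
# Hypothetical record fragments; field names and thresholds are assumptions.
GOOD = {"target": "target", "surrogates": [
    {"name": "near", "role": "high", "r": 0.8, "recorded_cka": 1.0},
    {"name": "far",  "role": "low",  "r": 0.3, "recorded_cka": 0.0}]}
# Same record, but the low-similarity slot is filled by a near-duplicate model.
BAD = {"target": "target", "surrogates": [
    {"name": "near", "role": "high", "r": 0.8, "recorded_cka": 1.0},
    {"name": "near", "role": "low",  "r": 0.3, "recorded_cka": 0.0}]}

if __name__ == "__main__":
    print(replay_selection(GOOD, ACTS), replay_selection(BAD, ACTS))
```

The second record fails on two counts: the recomputed score does not match the recorded one, and the surrogate in the low-similarity slot does not meet its ceiling, so the claimed coverage of the surrogate space is not what was tested.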
Article 15 requires high-risk AI systems to be designed and developed with appropriate levels of accuracy, robustness, and cybersecurity, including resilience to attempts by unauthorized third parties to alter the use or performance through exploiting system vulnerabilities. HATS records demonstrate the robustness testing methodology, the surrogate coverage, and the produced risk estimate to the national competent authority and the AI Office.
Article 12 requires automatic logging of AI system activity. HATS records each adversarial test event as one log entry with structural metadata. Logging compliance becomes cryptographically verifiable. See the EU AI Act crosswalk.
The NIST AI RMF (AI 100-1) emphasizes test, evaluation, validation, and verification (TEVV) as a continuous lifecycle activity. HATS records make TEVV provable rather than asserted, supporting the Measure and Manage functions of the framework.
The OWASP AI Exchange community advocates for measurable AI security controls. HATS records implement the Cox & Bunzel framework as a cryptographically verifiable layer that the broader community can adopt as the audit-grade extension of the methodology.
Wrap the testing pipeline with the HATS recorder. Every surrogate selection decision, every attack run, and every regression step emits a structured field that composes into the final record. This adds milliseconds to the testing pipeline. The output is one cryptographically signed record per pre-production model evaluation.
Request HATS records as part of vendor due diligence. Run the open-source HATS verifier to confirm the testing claims independently. Anchor the records to your own preservation chain so the evidence does not depend on the vendor's continued operation.
Verify any HATS record directly using the open-source verifier. The record reproduces the testing decision deterministically. The verification does not require the AI provider, the testing vendor, or H33 to be operational.
The Cox & Bunzel methodology gives you bounded coverage. HATS makes the result cryptographically replayable.