Verify that systems operate within their declared boundaries. Continuously.
Not whether your code is secure. That is what HICS does. OIS measures whether the running system's operational behavior matches its governance declarations.
Configuration drift. Policy enforcement continuity. Access control adherence. AI agent behavioral bounds. Key rotation compliance. The gap between what your governance policy says and what your infrastructure actually does — measured continuously, backed by cryptographic attestation.
Logs record what the system claims happened. They are self-reported, mutable, and trivially forgeable. A compromised system writes compromised logs.
OIS verifies what actually happened by consuming attestation records from HICS, H33-74, and runtime signals. The evidence is external, cryptographically sealed, and post-quantum signed. You don't trust the system to report on itself. You verify it from the outside.
Policies enforced as declared. Declared governance controls verified against runtime behavior through attested operational evidence.
No unauthorized drift. Infrastructure configuration continuously compared against attested baselines. Deviations detected and scored.
Permissions match policy. Access grants, role assignments, and privilege escalations verified against declared access control matrices.
AI agents operating within declared scope. Autonomous actions, tool usage, and decision boundaries verified against governance declarations.
Cryptographic hygiene maintained. Key rotation schedules, certificate renewals, and credential lifecycle events verified on cadence.
Recovery procedures attested. Runbooks tested, backup integrity verified, and failover capabilities proven through cryptographic evidence.
Application integrity feeds operational verification. HICS scores the code. OIS scores the operation. Together they close the gap between what was built and how it runs.
Operational integrity posture drives continuous risk scoring for cyber insurance and regulatory compliance. OIS provides the attested operational evidence that CRV consumes to produce insurability scores.