Operational integrity is not uptime. It is not availability. It is the ability to cryptographically prove that every organizational control exists, is configured as claimed, and was active at the moment in question. Not asserted. Proven. Independently verifiable by any third party with a public key.
Every organization claims to have security controls. Firewalls are configured. MFA is enforced. Data is encrypted at rest. Keys are rotated on schedule. Access reviews happen quarterly. These claims appear in compliance reports, insurance applications, vendor security questionnaires, and board presentations.
The problem is not that these claims are false. The problem is that they are unverifiable. When a bank tells its regulator that encryption at rest is enforced across all production databases, the regulator has no mechanism to independently verify this claim. When a healthcare organization tells its insurer that PHI access is restricted by role-based access controls, the insurer has no way to confirm that those controls were active at the time of the breach. When a government contractor tells an auditor that key rotation occurs every 90 days, the auditor relies on the contractor's own logs to validate the claim.
Operational integrity replaces unverifiable claims with cryptographic proof. Every control state change is attested with a post-quantum signed receipt. Every governance decision is recorded in a tamper-evident chain. Every compliance posture is independently verifiable at any historical timestamp. The organization does not claim that controls are in place. The organization proves it.
This is an important distinction. An organization can have excellent operational security and zero operational integrity. The controls work. The firewalls block traffic. The encryption protects data. But there is no independent evidence that any of these controls exist, that they are configured as described, or that they were active at the time that matters. Security is the mechanism. Integrity is the evidence. Without integrity, security claims are assertions. With integrity, they are proofs.
The integrity gap is the distance between what an organization claims about its control posture and what it can prove. This gap exists in every organization, and it widens with scale, complexity, and time.
Controls are configured by humans. Humans make mistakes, respond to operational pressure, and create exceptions. A firewall rule is modified to resolve a production incident and never reverted. An MFA bypass is granted to an executive and forgotten. An encryption configuration is downgraded during a migration and left in the degraded state. These are not security failures in the traditional sense. They are integrity failures: the organization's actual control state has diverged from its documented control state, and no mechanism exists to detect the divergence.
Traditional compliance processes attempt to close this gap through periodic verification: annual audits, quarterly reviews, monthly scans. But periodic verification only proves control state at the moment of verification. The 364 days between annual audits are a black box. An insurer evaluating a claim cannot determine whether controls were active during the 11 months between the last audit and the breach. A regulator investigating a violation cannot reconstruct the control state at the time of the incident. A board evaluating cyber risk cannot distinguish between a well-controlled organization and one that passes audits while operating in a degraded state between them.
The integrity gap has concrete financial consequences. Insurance claims are disputed because neither party can prove control state at the time of loss. Regulatory fines are assessed because organizations cannot demonstrate continuous compliance. M&A due diligence fails because acquirers cannot verify the target's security posture. Vendor assessments consume thousands of hours annually because every questionnaire answer is an assertion rather than a proof.
H33 closes the integrity gap by making control state continuously provable. Not periodically checked. Not self-reported. Cryptographically proven, at every moment, for every control, with evidence that any third party can verify independently.
H33 constructs operational integrity from three foundational capabilities: a governance graph that models every organizational control and its relationships, post-quantum attestation that produces signed receipts for every state transition, and deterministic replay that reconstructs exact organizational state at any historical timestamp.
Traditional compliance treats controls as independent items on a checklist. H33 models controls as nodes in a governance graph where relationships between controls are explicit and attested. An MFA policy is connected to the identity provider configuration that enforces it, which is connected to the access policies that depend on it, which are connected to the data classification rules that determine what those access policies protect. When any node in the graph changes state, the change is attested and the downstream implications are computed and recorded.
This graph structure is what makes operational integrity provable rather than claimed. An organization does not merely assert that MFA is enforced. The governance graph proves that the MFA policy exists, that it is bound to the identity provider, that the identity provider is configured to enforce it, that the enforcement was active at the time in question, and that no downstream control was in a state that would have bypassed the enforcement.
Every state transition in the governance graph generates an H33-74 attestation receipt: 74 bytes of post-quantum signed proof. The receipt is signed with three independent signature families backed by three independent hardness assumptions. An adversary attempting to forge an attestation would need to simultaneously break lattice problems, NTRU structures, and stateless hash functions. The receipts are designed to remain valid for decades, long past the anticipated arrival of cryptographically relevant quantum computers.
Governance replay reads the attested governance chain and reconstructs the exact organizational state at any historical timestamp. The reconstruction is deterministic: any independent party who replays the same chain to the same timestamp will produce identical outputs. This property is what makes operational integrity independently verifiable. The organization does not present a report claiming its control state. It presents a governance chain that any verifier can replay to confirm the claim.
They are not the same. Security is the mechanism. Integrity is the proof that the mechanism is in place.
| Dimension | Operational Security | Operational Integrity (H33) |
|---|---|---|
| Core Question | Are our systems protected? | Can we prove our systems are protected? |
| Evidence Type | Logs, configs, scan results | PQ-signed cryptographic receipts |
| Verification Model | Trust the organization | Independent verification by any party |
| Temporal Coverage | Point-in-time snapshots | Continuous, every state change |
| Tamper Resistance | Logs can be modified | Governance chain is tamper-evident |
| Historical Reconstruction | Depends on retention policies | Deterministic replay to any timestamp |
| Quantum Resistance | Classical signatures only | Three independent hardness assumptions |
| Control Relationships | Flat checklist model | Governance graph with attested edges |
| Compliance Evidence | Self-reported assertions | Machine-verifiable proofs |
| Insurance Claims | Forensic reconstruction | Replay the governance chain |
Operational integrity is built from four layers, each independently verifiable, each post-quantum secured.
HATS is a publicly available technical conformance standard for continuous AI trustworthiness; certification under HATS provides independently verifiable evidence that a system satisfies the standard's defined controls. HATS defines the encoding rules, verification procedures, error semantics, and conformance vectors that make attestations independently reproducible. 147 requirements. 26 canonical test vectors. Frozen semantics. Any independent implementation that passes the conformance vectors produces identical attestation outputs.
Every control state change produces a 74-byte attestation receipt signed with three independent post-quantum signature families. The receipt contains hash commitments to the prior and new state, the authority chain, the governing policy reference, and the chain position. 74 bytes. Any computation. Post-quantum attested. The distillation is irreversible: receipts can be verified but not reverse-engineered.
The governance chain is an append-only sequence of attested records. Deterministic replay reads the chain forward and reconstructs exact organizational state at any historical timestamp. Replay is independent: any party can perform it. Replay is deterministic: identical inputs produce identical outputs. Replay is the mechanism that transforms a collection of attestation receipts into provable organizational history.
The H33 public verifier allows any party to independently validate attestation receipts, replay governance chains, and confirm organizational state without trusting H33 infrastructure. The verifier is open for independent reimplementation. Any conformant implementation that passes the HATS test vectors can serve as an independent verifier. Trust is in the mathematics, not in the vendor.
Regulators examine banks on a cyclical basis. Between examinations, the bank's control state is self-reported. Operational integrity gives examiners the ability to independently verify control state at any moment, not just during the examination window. Key rotation compliance, access control enforcement, encryption state, and transaction authorization policies become continuously provable. OCC, FDIC, and Federal Reserve examination processes can shift from trust-based to evidence-based.
HIPAA requires covered entities to maintain safeguards for protected health information. When a breach occurs, the organization must demonstrate that safeguards were in place. Without operational integrity, this demonstration depends on log analysis and forensic reconstruction. With operational integrity, every access control change, every encryption configuration modification, and every PHI handling event is attested and replayable. The governance chain is the evidence that HIPAA requires.
Federal agencies operating under FedRAMP must maintain continuous authorization. Operational integrity provides the evidentiary infrastructure for continuous authorization: machine-verifiable proof that security controls are active at every moment, not just during the annual assessment. For agencies managing classified or controlled unclassified information, operational integrity provides cryptographic proof of data handling compliance that survives quantum threats through three independent hardness assumptions.
Cyber insurers underwrite risk based on policyholder assertions. Claim verification is adversarial because neither party can independently confirm control state at the time of loss. Operational integrity transforms underwriting from assertion-based to evidence-based. Policyholders provide governance chains that underwriters verify independently. Claims are resolved by replaying the chain to the incident timestamp. The evidence is mathematical, not testimonial.
The EU AI Act and NIST AI RMF require AI operators to demonstrate that their systems operate within defined boundaries. Continuous AI governance extends operational integrity to AI agent actions, model deployments, and scope changes. Every agent action is attested. Every authority boundary is provable. Every governance decision is replayable. AI companies that deploy operational integrity satisfy regulatory requirements with cryptographic evidence rather than compliance documentation.
Operational integrity is the ability to cryptographically prove the state of every organizational control, every governance decision, and every policy enforcement action at any point in time. It is not uptime or availability. It is provable organizational state: the mathematical certainty that controls exist, that they are configured as claimed, and that they were active at the moment in question.
Operational security focuses on preventing unauthorized access and protecting systems from threats. Operational integrity focuses on proving that security controls are actually in place. An organization can have strong operational security and zero operational integrity: the controls work, but there is no independent evidence that they exist. Integrity is the evidentiary layer that makes security claims verifiable.
The integrity gap is the difference between the controls an organization claims to have and the controls it can prove exist at any given moment. Every organization has security policies. Few can prove those policies are actively enforced. Fewer still can prove enforcement at a specific historical timestamp. This gap is what makes self-reported compliance unreliable and what drives disputes in insurance claims, regulatory investigations, and breach litigation.
H33 constructs a governance graph of every organizational control and its state transitions. Every change to any control generates a post-quantum signed attestation receipt. These receipts are ordered in a tamper-evident governance chain. Deterministic replay can reconstruct the exact organizational state at any historical timestamp. Independent verifiers can validate the entire chain without trusting H33 infrastructure.
HATS is a publicly available technical conformance standard for continuous AI trustworthiness; certification under HATS provides independently verifiable evidence that a system satisfies the standard's defined controls. HATS defines the encoding rules, verification procedures, error semantics, and conformance vectors for operational integrity attestation. It is the protocol layer that makes H33 attestations independently reproducible.
Any industry where the claim "our controls are in place" must be independently verifiable benefits from operational integrity. Banking and financial services need it for regulatory examinations. Healthcare needs it for HIPAA and patient data governance. Government agencies need it for FedRAMP and continuous authorization. Insurance companies need it to verify policyholder control postures. AI companies need it to satisfy EU AI Act and NIST AI RMF requirements.
Stop claiming controls are in place. Start proving it. Cryptographically attested. Independently verifiable. Replay-grade evidence for every control, every moment.