HATS v1.0 — H33 AI Trust Standard | AI Certification Framework

1 Purpose and Scope

1.1 Purpose

HATS defines what it means for an AI system to be certified as trustworthy. It provides a machine-verifiable, cryptographically grounded specification that enables organizations to demonstrate -- and third parties to independently confirm -- that an AI system meets defined trustworthiness requirements on a continuous basis.

HATS certifies trustworthiness across three layers:

Governance Proof. Every inference executed by the AI system is governed by a valid, versioned, cryptographically signed policy, and every decision is recorded with a zero-knowledge proof binding the policy, the decision, and the time of execution.
Data Separation. Sensitive data is cryptographically protected before it reaches the AI model. The system can prove, via zero-knowledge attestation, that no plaintext sensitive data was accessible to the model at inference time.
Audit Permanence. The evidentiary record of the system's behavior is cryptographically signed, Merkle-compressed, and retained for a period sufficient to satisfy legal and regulatory requirements, including under post-quantum cryptographic assumptions where required.

1.2 Scope

This standard applies to any AI system that satisfies one or more of the following conditions:

Processes personally identifiable information (PII), protected health information (PHI), financial data, or legally privileged information.
Makes or materially contributes to decisions affecting individuals' rights, access to services, employment, credit, insurance, healthcare, or legal standing.
Operates in an industry subject to regulatory oversight, including healthcare, financial services, insurance, legal services, government, defense, and critical infrastructure.
Is deployed as a component in a multi-agent or agentic AI workflow where intermediate reasoning steps are not directly observable by a human operator.

This standard does not certify model accuracy, output quality, fairness, or bias. HATS certifies the operational trustworthiness of the system in which a model operates -- the governance, privacy, and evidentiary integrity of the system's behavior over time.

1.3 Relationship to Existing Standards

Standard	Relationship to HATS
NIST AI RMF 1.0	HATS implements the GOVERN, MAP, MEASURE, and MANAGE functions with concrete cryptographic requirements.
ISO/IEC 42001:2023	HATS provides auditable evidence artifacts that satisfy ISO 42001 Annex A controls.
EU AI Act (2024/1689)	HATS Tier 2+ satisfies transparency, data governance, and record-keeping obligations for high-risk AI systems.
SOC 2 TSC	HATS evidence artifacts map to CC6 (Logical and Physical Access), CC7 (System Operations), CC8 (Change Management), and the Privacy criteria.
HIPAA	HATS Tier 2+ satisfies the technical safeguard requirements of 45 CFR 164.312.

1.4 Normative Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

2 Normative References

NIST AI 100-1: Artificial Intelligence Risk Management Framework (AI RMF 1.0), January 2023
NIST FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM), August 2024
NIST FIPS 204: Module-Lattice-Based Digital Signature Standard (ML-DSA), August 2024
NIST FIPS 202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, August 2015
ISO/IEC 42001:2023: Information technology -- Artificial intelligence -- Management system
Regulation (EU) 2024/1689: Artificial Intelligence Act
RFC 2119: Key words for use in RFCs to Indicate Requirement Levels
AICPA SOC 2 Trust Services Criteria (2017, updated 2022)
Fan, J. and Vercauteren, F.: Somewhat Practical Fully Homomorphic Encryption, IACR ePrint 2012/144
Ben-Sasson, E. et al.: Scalable, transparent, and post-quantum secure computational integrity (STARKs), IACR ePrint 2018/046

3 Definitions

Term	Definition
AI System	A machine-based system that infers from input how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments (EU AI Act Article 3(1)).
AI Trustworthiness	The property whereby an AI system's governance, data handling, and evidentiary record can be independently verified by a third party using cryptographic proofs.
Behavioral Fingerprint	A statistical characterization of an AI model's behavior (response length, latency, semantic consistency, edge case behavior), hashed using SHA3-256, used as a baseline for drift detection.
Bypass	Any event where plaintext sensitive data reaches the AI model's input layer without required encryption/redaction/enclave processing. Immediate compliance violation.
Certificate	A digitally signed attestation that a specific AI system satisfies the requirements of a specified HATS tier, subject to continuous monitoring.
Compliance Oracle	A cryptographic attestation service evaluating each step in agentic AI workflows against governing policy, producing a ZKP of compliance per step. Required for Tier 3.
Compliance Score	Numerical value (0-100) computed from governance proof completeness, data separation coverage, monitoring continuity, and remediation timeliness.
Data Blindness	The property whereby the AI model never has access to plaintext sensitive data, achieved through FHE, proxy redaction, or TEE processing.
Decision Record	A structured evidence artifact documenting a single AI inference: input hash, output hash, governing policy hash, timestamp, and zero-knowledge proof.
Drift Score	Numerical value (0.0-1.0) computed as a weighted combination of statistical divergences across behavioral fingerprint dimensions.
Evidence Artifact	Any cryptographic proof, signature, hash, Merkle root, or structured data record produced by the monitoring system to attest to a compliance property.
Governance Proof	A zero-knowledge proof demonstrating that a specific AI decision was executed under authority of a specific, versioned, signed policy.
Post-Quantum	Resistant to cryptanalysis by both classical and quantum computers. Limited to NIST-standardized algorithms: ML-DSA (FIPS 204) and ML-KEM (FIPS 203).
Proof Bundle	A structured data object containing all evidence artifacts for a defined time period, formatted per Appendix A schema.
Proof Chain	Ordered sequence of ZKPs for multi-step AI workflows, aggregated into a Merkle tree signed with ML-DSA.
Sensitive Data	SSN, email, phone, DOB, medical codes, financial account numbers, legal privilege markers, biometric identifiers, or operator-designated sensitive fields.

4.1 Tier 1 -- Governed AI

4.1.1 Policy Binding

REQ-1.1

Every AI inference MUST be governed by a valid, versioned, cryptographically signed policy. The policy MUST be signed by an authorized policy administrator using a digital signature algorithm with a minimum security level of 128 bits.

REQ-1.2

The policy version and policy hash MUST be bound to each decision record at inference time. The binding MUST be performed before the inference result is returned to the caller.

REQ-1.3

Policy versions MUST be monotonically increasing. A policy with a lower version number MUST NOT be applied after a policy with a higher version number has been activated.

REQ-1.4

Policy updates MUST be logged as distinct evidence artifacts, including the old policy hash, the new policy hash, the update timestamp, and the authorizing administrator's signature.

4.1.2 Decision Records

REQ-1.5

A decision record MUST be created for every production inference. Statistical sampling is not permitted. Each record must contain: unique decision ID, SHA3-256 hash of input, SHA3-256 hash of output, SHA3-256 hash of governing policy, millisecond-precision timestamp (NTP stratum 2+), and a zero-knowledge proof.

REQ-1.6

Each decision record MUST include a zero-knowledge proof: ZKP = STARK_prove(H(policy_hash || decision_hash || timestamp)) where H is SHA3-256. The proof MUST be verifiable by any party possessing the public verification parameters.

REQ-1.7

Decision records MUST be compressed into a SHA3-256 Merkle tree, recomputed at intervals not exceeding 60 seconds. The Merkle root MUST be signed by the monitoring system.

4.1.3 Monitoring and Detection

REQ-1.8 through REQ-1.10

100% of production inferences MUST be processed. Maximum detection gap: 60 seconds. Alert generation within 5 minutes of any governance violation.

4.1.4 Evidence Retention

REQ-1.11 / REQ-1.12

All evidence artifacts MUST be retained for a minimum of 7 years, integrity-protected using SHA3-256 hash chains. Any tampering MUST be detectable.

4.1.5 Remediation

REQ-1.13 through REQ-1.16

Policy gaps MUST be remediated within 72 hours. Active violations within 24 hours. All remediation actions recorded as evidence artifacts. Certificate suspended if compliance score < 70 for 48+ continuous hours.

4.2 Tier 2 -- Privacy-Protected AI

4.2.1 Data Encryption

REQ-2.1 / REQ-2.2

ALL sensitive data fields MUST be encrypted or redacted before reaching the AI model. Acceptable mechanisms: (a) Fully Homomorphic Encryption (BFV, N≥4096, t≡1 mod 2N, Q≥2^56), (b) Proxy Redaction with Dilithium-signed attestation, (c) Trusted Execution Environment with hardware attestation renewed every 24 hours.

4.2.2 FHE Wrapper Integrity

REQ-2.4 / REQ-2.5

FHE wrapper MUST be continuously monitored for integrity. Any detected or suspected bypass triggers immediate certificate suspension. Suspension is automatic; no manual intervention required.

4.2.3 Data Blindness Attestation

REQ-2.6 through REQ-2.8

A data blindness attestation MUST be produced for every inference, signed using ML-DSA-65 or higher. Must include: inference identifier, encryption mechanism, hash of encrypted input, ZKP of data separation, timestamp, and signing key ID.

4.2.4 Sensitive Field Detection

REQ-2.9 / REQ-2.10

Automated detection of SSN, email, phone, DOB, medical codes, financial account numbers, and legal privilege markers. Minimum 99.5% detection rate per category, tested every 30 days.

4.2.5 Differential Privacy

REQ-2.11 through REQ-2.13

Systems performing aggregate analytics MUST establish an (epsilon, delta) privacy budget. When exhausted, further queries MUST be blocked at the data access layer, not just the application layer.

4.3 Tier 3 -- Quantum-Secured AI

4.3.1 Post-Quantum Cryptography

REQ-3.1 through REQ-3.3

ALL signatures MUST use ML-DSA (FIPS 204), minimum ML-DSA-65 (Level 3). ALL key encapsulation MUST use ML-KEM (FIPS 203), minimum ML-KEM-768. Classical-only algorithms (RSA, ECDSA, ECDH, X25519) MUST NOT be used as sole protection. Hybrid schemes permitted during 24-month transition period.

4.3.2 Evidentiary Validity

REQ-3.4 / REQ-3.5

All evidence artifacts MUST provide minimum 30-year evidentiary validity. Evidence for legal proceedings MUST include complete proof bundle, signing algorithm, public key, timestamp, and sufficient context for independent verification.

4.3.3 Model Behavioral Fingerprinting

REQ-3.6 through REQ-3.9

Behavioral fingerprint MUST be captured at certification time. Drift score computed hourly. Thresholds: 0.00-0.14 (normal), 0.15-0.29 (warning), 0.30-0.49 (suspended), 0.50-1.00 (revoked). Any model change without re-certification triggers immediate suspension.

Drift Score	Action
`0.00 - 0.14`	No action required. Normal operational variance.
`0.15 - 0.29`	Warning state. Investigation required within 72 hours.
`0.30 - 0.49`	Suspended. Immediate investigation required.
`0.50 - 1.00`	Revoked. Re-certification required.

4.3.4 Compliance Oracle for Agentic Workflows

REQ-3.10 through REQ-3.13

Multi-step/agentic AI workflows MUST deploy a Compliance Oracle. Each step evaluated against policy with ZKP of compliance before proceeding. Per-step proofs aggregated into a Proof Chain (Merkle tree signed with ML-DSA). Failed steps halt the workflow.

4.3.5 On-Chain Audit Trail

REQ-3.14 through REQ-3.16

Merkle roots MUST be anchored to a public Layer 1 blockchain (Solana recommended) at intervals not exceeding 1 hour. Records must be independently verifiable by any party with blockchain access and the H33 public verification key.

5 Monitoring Requirements

5.1 Sampling Rate

100% of production inferences across all tiers. Statistical sampling is prohibited. If the monitoring system is unable to process an inference, the event must be flagged. Unmonitored inferences exceeding 0.1% in any 24-hour period reduce compliance score by at least 10 points.

5.2 Evidence Artifact Types

Artifact Type	Description	Tier
Decision Record	Structured record of a single inference	1+
Governance ZKP	ZKP binding policy, decision, and timestamp	1+
Merkle Root	SHA3-256 root of decision record tree	1+
Policy Record	Signed record of policy version, hash, activation	1+
Alert Record	Detected violation, severity, and timestamp	1+
Remediation Record	Corrective action taken	1+
Data Blindness Attestation	ML-DSA-signed attestation of data separation	2+
Data Separation ZKP	ZKP that model input has no plaintext sensitive data	2+
FHE Integrity Record	Monitoring record of FHE wrapper status	2+
Privacy Budget Record	Cumulative differential privacy budget consumption	2+
Behavioral Fingerprint	Baseline and periodic model behavior characterization	3
Drift Score Record	Periodic drift measurement result	3
Proof Chain	Merkle tree of per-step ZKPs for agentic workflows	3
On-Chain Anchor	Transaction hash and block reference for anchoring	3

5.3 Detection Latency

Tier	Max Detection Gap	Max Alert Latency
Tier 1	60 seconds	5 minutes
Tier 2	30 seconds	2 minutes
Tier 3	15 seconds	1 minute

5.5 Compliance Score Computation

Score = w_g * G + w_d * D + w_m * M + w_r * R

Where G = governance completeness (0-100), D = data separation coverage (0-100), M = monitoring continuity (0-100), R = remediation timeliness (0-100).

Tier	w_g	w_d	w_m	w_r
Tier 1	0.50	0.00	0.30	0.20
Tier 2	0.30	0.30	0.25	0.15
Tier 3	0.25	0.25	0.30	0.20

6 Data Blindness Technical Specification

6.1 FHE Parameter Requirements

Parameter	Minimum	Recommended
Scheme	BFV	BFV
Polynomial degree (N)	4,096	4,096 or 8,192
Plaintext modulus (t)	t ≡ 1 (mod 2N)	t = 65537 (for N = 4096)
Ciphertext modulus (Q)	≥ 2^56 (single)	CRT, product ≥ 2^110
Security level	≥ 128 bits (classical)	≥ 128 bits classical + quantum (Tier 3)

6.2 ZKP Requirements for Data Separation

REQ-6.3 / REQ-6.4

Acceptable constructions: (a) STARK proofs using SHA3-256 (recommended for Tier 3), (b) SNARK proofs (Groth16, PLONK) with MPC ceremony of 100+ participants (acceptable for Tier 1/2). ZKP MUST be verifiable in under 10 milliseconds on commodity hardware.

6.3 Proxy Redaction Requirements

Synthetic tokens must be same data type and approximate length as originals, not derivable from originals, consistent within a single inference, and reversible only by the redaction service. Mapping stored in encrypted key-value store inaccessible to the AI model.

6.4 TEE Requirements

Acceptable technologies: Intel SGX with DCAP, AWS Nitro Enclaves, ARM TrustZone. Enclave measurement verified against known-good reference at startup and every 24 hours. Attestation documents included in evidence bundle.

7 Model Integrity Specification

7.1 Behavioral Fingerprint Components

Dimension	Description	Weight	Saturation
Response Length Distribution	Statistical distribution of output token counts over reference input set	0.15	0.5
Latency Profile	Distribution of inference latency over reference input set	0.10	0.5
Semantic Consistency	Cosine similarity of outputs at certification time vs. measurement time	0.50	0.2
Edge Case Behavior	Behavior on curated edge case inputs probing boundary conditions	0.25	0.3

7.2 Fingerprint Hash Construction

                    fingerprint_hash = SHA3-256(
  normalize(dim1_stats) ||
  normalize(dim2_stats) ||
  normalize(dim3_stats) ||
  normalize(dim4_stats)
)
                

7.3 Drift Measurement

drift_score = sum(w_i * sigmoid(d_i / s_i)) for i in {1,2,3,4}

Where d_i is the raw divergence for dimension i, s_i is the saturation parameter, w_i is the weight, and sigmoid(x) = 1 / (1 + exp(-x)). Drift score normalized to [0.0, 1.0].

7.4 Re-certification After Model Update

After any model change, re-certification requires submission of a new behavioral fingerprint. If drift score exceeds 0.50: full re-certification. Between 0.15 and 0.50: expedited re-certification. Below 0.15: administrative update only.

8 Evidence Format and Retention

8.1 Proof Bundle Format

All evidence packaged in Proof Bundles conforming to the JSON schema (Appendix A). Contains: HATS version, bundle ID (UUID v4), certificate ID, tier, time range, Merkle root (hex SHA3-256), signature (algorithm + key ID + base64 value), artifacts array, and optional on-chain anchor.

8.2 Retention Periods

Tier	Minimum Retention
Tier 1	7 years
Tier 2	10 years
Tier 3	30 years

8.3 Export Formats

JSON Proof Bundle: Canonical format as specified in Section 8.1.
Signed PDF: Human-readable report with embedded digital signature, Merkle root, certificate status, and independent verification instructions. Tier 3 uses PQ-signed hash reference.
SIEM-Compatible Event Stream: Structured events in CEF, LEEF, or JSON over syslog RFC 5424 format.

REQ-8.1 through REQ-8.3

For Tier 3, all retained evidence MUST be protected with post-quantum signatures. Evidence MUST be stored in at least two geographically distinct locations with integrity verification at the storage layer.

9 Certificate Lifecycle

9.1 Certificate States

State	Description
Active	All requirements satisfied. Certificate valid and presentable to third parties.
Warning	One or more warning conditions triggered. Certificate remains valid but warning state visible to verifiers.
Suspended	One or more suspension conditions triggered. Certificate NOT valid. System must not represent itself as HATS-certified.
Revoked	Certificate permanently invalidated. Re-certification from the beginning required.

9.2 Key State Transitions

Active to Warning: Compliance score 70-80 for 24+ hours, single policy gap detected, drift score >0.15 (Tier 3), or monitoring gap exceeding threshold.

Warning to Active: All warning conditions resolved, compliance score above 80 for 24+ hours, all remediation records filed.

To Suspended: Compliance score <70 for 48+ hours, FHE bypass detected (Tier 2+), drift score >0.30 (Tier 3), model change without re-certification, unresolved violation >72 hours, or privacy budget exhaustion failure.

Suspended to Active: Root cause analysis, evidence of remediation, 30-day observation period (score >80), Issuing Authority approval.

To Revoked: Compliance score <50 for 7+ days, confirmed data exposure, or certificate fraud.

9.3 Expiration and Renewal

REQ-9.1 through REQ-9.3

Certificates expire 90 days from issuance or last renewal. Automatic renewal if: Active state, score never below 80 in preceding 90 days, all monitoring operational, no unresolved violations. Otherwise, renewal application required (expedited re-certification).

9.4 Appeals Process

System operators may appeal suspension/revocation within 15 business days. Independent review panel (3+ members not involved in original decision) issues a binding decision within 30 business days. Certificate remains in current state during appeal.

10 Verification Protocol

REQ-10.1

Any third party MUST be able to verify a HATS certificate without access to the Issuing Authority's internal systems, without an account or API key, and without the cooperation of the certificate holder.

Verification Inputs

The certificate identifier (unique string assigned at issuance)
The H33 public verification key (published at well-known URL and on blockchain registry)
Access to the on-chain registry (Tier 3) or public verification API (all tiers)

Verification Procedure

Retrieve certificate record from public verification API or on-chain registry
Verify ML-DSA signature using H33 public verification key
Check expiration against current date
Check revocation via revocation registry
Verify on-chain state (Tier 3): confirm Merkle root anchor on blockchain

Verification API

Unauthenticated, rate-limited (100 req/min per IP), 99.9% uptime SLA, JSON response format. Response includes: certificate ID, status, tier, system name, holder, issue/expiry dates, frameworks covered, last audit event, compliance score, on-chain hash (Tier 3), and ML-DSA signature.

11 Regulatory Framework Mapping

HATS maps to 8 regulatory frameworks. The following consolidated cross-reference shows coverage per tier.

Regulatory Framework	Provision	HATS Coverage	Min. Tier
NIST AI RMF	GOVERN (Policies, Accountability)	REQ-1.1 through REQ-1.4: cryptographically signed, versioned policies bound to every inference	Tier 1
NIST AI RMF	MEASURE (Metrics, Evaluation)	REQ-3.6 through REQ-3.8, REQ-7.1: behavioral fingerprinting with continuous drift monitoring	Tier 3
EU AI Act	Art. 9 (Risk management)	Tiers 1-3: continuous risk monitoring with defined thresholds and escalation	Tier 1
EU AI Act	Art. 10 (Data governance)	Tier 2+: data blindness with cryptographic attestation	Tier 2
EU AI Act	Art. 13 (Transparency)	Public, unauthenticated certificate verification (REQ-10.1 through REQ-10.3)	Tier 1
HIPAA	164.312(a) Access Control	FHE/redaction/TEE prevents model access to PHI	Tier 2
HIPAA	164.312(b) Audit Controls	100% inference monitoring, decision records, Merkle-compressed audit trail	Tier 1
HIPAA	164.312(e) Transmission Security	ML-KEM key encapsulation for all key exchange operations	Tier 3
SOX 404	Internal controls, evidence	Every AI decision governance-bound, continuous compliance scoring, defined retention	Tier 1
GDPR	Art. 22 (Automated decisions)	Decision records provide evidentiary basis for explaining/contesting automated decisions	Tier 1
GDPR	Art. 25 (Data protection by design)	Data blindness as architectural requirement, not policy overlay	Tier 2
CCPA/CPRA	Right to know, automated decisions	Decision records, governance proofs support opt-out and access rights for profiling	Tier 1
FDA 21 CFR 11	Audit trail, signature linking	SHA3-256 Merkle trees with digital signatures, 100% coverage, signer ID + timestamp	Tier 1
FCA UK	Principles 3, 6, 11; Consumer Duty	Policy governance, data blindness, public verification, auditable decision records	Tier 1

12 Conformance and Auditing

Assessment Methods by Tier

Tier	Self-Assessment	Independent Verification
Tier 1	Permitted	Recommended
Tier 2	Permitted with restrictions	Recommended
Tier 3	Not permitted	Required

REQ-12.2

Tier 3 independent verification MUST be performed by an auditor with no financial interest in the system operator, demonstrated competence in cryptographic verification (including PQ signature verification and ZKP validation), and approval by the Issuing Authority or recognized audit body.

Evidence Exportability

REQ-12.3 through REQ-12.5

All evidence artifacts exportable at any time without cooperation from the Issuing Authority. Exported evidence MUST be self-contained: verifiable using only the exported data, the H33 public verification key, and (for Tier 3) blockchain access.

Continuous Monitoring Obligation

HATS certification is continuous, not point-in-time. Maximum permissible monitoring maintenance window: 4 hours. All inferences during maintenance logged locally and retroactively processed. Exceeding 4 hours transitions certificate to Warning state.

13 Version History and Amendment Process

Version History

Version	Effective Date	Description
`1.0`	2026-03-17	Initial publication

Amendment Process

Proposed amendments require a minimum 60-day public comment period, review by a 5-member expert board (AI governance, cryptography, regulatory compliance, enterprise security), and 90-day implementation notice before taking effect.

Backwards Compatibility

Existing certificates maintain validity for 180 calendar days after a new version takes effect. Extensions of up to 12 months may be granted case-by-case for technically infeasible requirements.

A Appendix A: Proof Bundle Schema

The canonical Proof Bundle format is defined as a JSON Schema. Key fields:

                    {

  "hats_version": "1.0",

  "bundle_id": "<UUID v4>",

  "certificate_id": "<certificate identifier>",

  "tier": 1|2|3,

  "time_range": { "start": "<ISO 8601>", "end": "<ISO 8601>" },

  "merkle_root": "<hex SHA3-256>",

  "signature": {

    "algorithm": "ML-DSA-65|ML-DSA-87|Ed25519",

    "key_id": "<key identifier>",

    "value": "<base64 signature>"

  },

  "artifacts": [...],

  "on_chain": { "chain": "...", "tx_hash": "...", "block": "...", "timestamp": "..." }

}

The on_chain field is REQUIRED for Tier 3, OPTIONAL for Tiers 1 and 2. Artifact types enumerated: decision_record, governance_zkp, merkle_root, policy_record, alert_record, remediation_record, data_blindness_attestation, data_separation_zkp, fhe_integrity_record, privacy_budget_record, behavioral_fingerprint, drift_score_record, proof_chain, on_chain_anchor.

B Appendix B: Regulatory Mapping Tables

Consolidated cross-reference between HATS requirements and regulatory provisions. See Section 11 for detailed mapping by framework. Each cell indicates the HATS requirement(s) that address the regulatory provision.

Regulatory Provision	Tier 1 Requirements	Tier 2 Requirements	Tier 3 Requirements
NIST AI RMF GOVERN	REQ-1.1 to REQ-1.4	(inherits Tier 1)	(inherits Tier 2)
NIST AI RMF MEASURE	Section 5.5	(inherits Tier 1)	REQ-3.6 to REQ-3.8, REQ-7.1
EU AI Act Art. 9	REQ-1.8 to REQ-1.10	REQ-2.4, REQ-2.5	REQ-3.6 to REQ-3.9
EU AI Act Art. 10	--	REQ-2.1 to REQ-2.3	(inherits Tier 2)
EU AI Act Art. 12	REQ-1.5 to REQ-1.7	REQ-2.6 to REQ-2.8	REQ-3.14 to REQ-3.16
HIPAA 164.312(a)	--	REQ-2.1 to REQ-2.3	(inherits Tier 2)
HIPAA 164.312(b)	REQ-1.5, REQ-1.8	(inherits Tier 1)	(inherits Tier 2)
HIPAA 164.312(e)	--	--	REQ-3.1, REQ-3.2
SOX 404	REQ-1.1 to REQ-1.7, Sec 5.5	(inherits Tier 1)	(inherits Tier 2)
GDPR Art. 22	REQ-1.5	(inherits Tier 1)	(inherits Tier 2)
GDPR Art. 25	--	REQ-2.1	(inherits Tier 2)
FDA 21 CFR 11.10(e)	REQ-1.5 to REQ-1.7	(inherits Tier 1)	REQ-3.14 to REQ-3.16
CCPA 1798.100	REQ-1.5	REQ-2.1	(inherits Tier 2)

C Appendix C: Drift Score Computation

The drift score is computed as:

drift_score = sum(w_i * sigmoid(d_i / s_i)) for i in {1, 2, 3, 4}

Where:

d_i = raw divergence for dimension i (KL divergence for distributions, 1 - cosine similarity for semantic consistency, 1 - edge case pass rate for edge cases)
s_i = saturation parameter (prevents any single dimension from dominating)
w_i = weight for dimension i
sigmoid(x) = 1 / (1 + exp(-x))

Dimension	Weight (w_i)	Saturation (s_i)	Divergence Metric
Response Length	0.15	0.5	KL divergence
Latency	0.10	0.5	KL divergence
Semantic Consistency	0.50	0.2	1 - cosine similarity
Edge Case Behavior	0.25	0.3	1 - pass rate

The drift score is normalized to the range [0.0, 1.0]. Sigmoid saturation prevents outlier divergence in a single dimension from triggering false positives.

H33 AI Trust Standard (HATS) v1.0

Three Levels of AI Trustworthiness

Governed AI

Privacy-Protected AI

Quantum-Secured AI

Complete Specification