Log-based compliance is a liability. Logs are claims, not evidence. H33 replaces log entries with post-quantum signed receipts that are tamper-evident, independently verifiable, and deterministically replayable. Every event becomes a cryptographic proof.
Every major compliance framework -- SOC 2, ISO 27001, HIPAA, GDPR, PCI DSS -- requires audit trails. The implicit assumption is that logs provide this capability. They do not.
A log entry is a claim made by the system about itself. When a server writes "User X accessed file Y at time Z" to a log file, it is the server making that assertion. If the server is compromised, it can write any log entry it wants. If a database administrator has SIEM access, they can modify entries after the fact. If a backup process fails silently, log entries are lost forever. The fundamental problem is that logs have no cryptographic binding to the events they describe. They are self-reported data from unverified sources.
This creates three failure modes that every compliance officer has encountered. First, tamper vulnerability: a sophisticated attacker who compromises a system also compromises its logs, meaning the logs of the attack are controlled by the attacker. Second, reconstruction gaps: when an auditor asks for evidence of a specific event, the organization must reconstruct the event from distributed logs, often across multiple systems with different time sources, different retention policies, and different access controls. Third, the inability to prove negatives: a HIPAA auditor asks "was this patient's PHI accessed by unauthorized personnel?" and the only honest answer from a log-based system is "our logs do not show unauthorized access" -- which is categorically different from "unauthorized access did not occur."
SOC 2 Trust Services Criteria require that organizations monitor system components and evaluate the design and operating effectiveness of controls. CC6 (logical and physical access controls) requires evidence that access was authorized. CC7 (system operations) requires evidence that changes were authorized and tested. CC8 (change management) requires evidence of the change control process. In each case, the requirement is evidence -- not logs, not screenshots, not narrative descriptions. Cryptographic audit trails produce this evidence automatically at the moment of each event.
ISO 27001 Annex A specifies controls for information security management. A.12.4 (logging and monitoring) requires that event logs are produced, protected, and regularly reviewed. A.16.1 (management of information security incidents) requires that incidents are responded to and evidence is preserved. A.18.1 (compliance with legal and contractual requirements) requires evidence of compliance with applicable requirements. H33's cryptographic receipts satisfy all three controls with receipts that are cryptographically protected (not just access-controlled), permanently bound to the events they describe, and independently verifiable by external auditors.
HIPAA 45 CFR 164.312 requires audit controls (record and examine activity in information systems containing PHI), access controls (restrict access to authorized personnel), and integrity controls (protect ePHI from improper alteration or destruction). The critical gap in HIPAA compliance is the "minimum necessary" standard: organizations must ensure that workforce members access only the minimum necessary PHI for their role. Proving this with logs requires proving a negative. Proving it with cryptographic governance requires a scope enforcement receipt showing that access was bounded and a negative authority proof showing the boundary was not exceeded.
GDPR Articles 5 (principles of processing), 25 (data protection by design), 30 (records of processing activities), and 32 (security of processing) all require evidence that personal data was processed lawfully, with appropriate safeguards, and with documented processing activities. Cryptographic audit trails provide this evidence at the individual processing operation level. Every access to personal data produces a PQ-signed receipt. Every data subject request (access, erasure, portability) produces verifiable evidence of fulfillment. Every cross-border transfer produces an attestation binding the transfer to the legal basis and safeguards in effect.
H33's continuous control monitoring system produces a cryptographic receipt for every event that has compliance significance. The receipt structure is consistent across all event types: event identifier, event type, actor identity (post-quantum key commitment), timestamp (trusted clock), data hash (SHA3-256 of the relevant data, never the plaintext), scope boundary in effect, governance version, and a post-quantum signature over the entire structure using three independent hardness assumptions.
These receipts are not stored in a traditional log store. They are organized into receipt chains -- ordered sequences where each receipt references the hash of the previous receipt, creating a tamper-evident chain. Modifying any receipt in the chain breaks the hash linkage, making tampering detectable by any party with access to the chain. The chains are periodically anchored to public blockchains through H33-74 attestations, providing an independent temporal proof that the chain existed at a specific point in time.
The most powerful property of cryptographic audit trails is deterministic replay. Given the complete sequence of attestation receipts for a system, an auditor can independently reconstruct the exact governance state at any historical point. The same receipts, processed in the same order, produce byte-identical outputs -- regardless of when or where the replay is performed.
This capability transforms the audit process. Instead of requesting log exports, scheduling walkthrough meetings, and accepting narrative explanations of control effectiveness, an auditor can perform governance replay: process the receipt chain and verify that every control produced the expected evidence at every point in time. The replay is deterministic, meaning two auditors performing the same replay will reach the same conclusion. There is no interpretation gap, no sampling risk, and no reliance on the organization's representation of its own compliance state.
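To make the chain and replay properties concrete, here is an added Python example (not H33's own code): it builds receipts with the fields listed above, links each one to the SHA3-256 hash of its predecessor, verifies the chain, and replays it to a byte-identical state digest. It assumes an HMAC-SHA3 stand-in for the post-quantum signature and uses constructed sample events.

```python
import hashlib
import hmac
import json

# Constructed demo key: HMAC-SHA3 stands in for H33's PQ signature (not implemented here).
SIGNING_KEY = b"constructed-demo-signing-key"

def canonical(obj) -> bytes:
    # Canonical JSON so that signing, hashing and replay are byte-deterministic.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def chash(obj) -> str:
    return hashlib.sha3_256(canonical(obj)).hexdigest()

def sign(body) -> str:
    return hmac.new(SIGNING_KEY, canonical(body), "sha3_256").hexdigest()

def make_receipt(prev_hash, event_id, event_type, actor, ts, data, scope, gov):
    body = {"event_id": event_id, "event_type": event_type, "actor": actor,
            "timestamp": ts, "data_hash": hashlib.sha3_256(data).hexdigest(),  # never plaintext
            "scope": scope, "governance_version": gov, "prev": prev_hash}  # None = first receipt
    return {"body": body, "sig": sign(body)}

def verify_chain(chain):
    """Return (True, None), or (False, index) for the first receipt that fails."""
    prev = None
    for i, r in enumerate(chain):
        if r["body"]["prev"] != prev or not hmac.compare_digest(sign(r["body"]), r["sig"]):
            return False, i
        prev = chash(r)  # the next receipt must reference this hash
    return True, None

def replay(chain):
    """Deterministic replay: rebuild governance state and return its digest."""
    if not verify_chain(chain)[0]:
        raise ValueError("chain fails verification; refusing to replay")
    state = {"governance_version": None, "scope": None, "accesses": {}}
    for b in (r["body"] for r in chain):
        state["governance_version"], state["scope"] = b["governance_version"], b["scope"]
        state["accesses"][b["actor"]] = state["accesses"].get(b["actor"], 0) + 1
    return chash(state)

def build_sample_chain():
    events = [  # constructed sample events, not real data
        ("ev-1", "phi_access", "actor-a", 1700000000, b"record-42", "unit-7", "gov-v3"),
        ("ev-2", "scope_change", "actor-b", 1700000120, b"unit-8", "unit-8", "gov-v4")]
    chain = []
    for ev in events:
        chain.append(make_receipt(chash(chain[-1]) if chain else None, *ev))
    return chain
```

Replacing a receipt with a freshly signed one still fails verification, because the following receipt's `prev` no longer matches the new hash.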
HATS is a publicly available technical conformance standard for continuous AI trustworthiness; certification under HATS provides independently verifiable evidence that a system satisfies the standard's defined controls. For compliance, HATS defines mappings between regulatory requirements and cryptographic evidence types.
Each HATS control specifies the evidence artifact it requires (receipt type, required fields, signature scheme), the verification procedure (how to check the receipt), and the regulatory mapping (which SOC 2 criteria, ISO clauses, or HIPAA safeguards the control satisfies). This creates a machine-verifiable compliance framework: instead of auditor judgment about whether a control is "effective," compliance is a binary -- either the cryptographic evidence exists and verifies, or it does not.
| Property | Traditional Audit Trails | H33 Cryptographic Evidence |
|---|---|---|
| Evidence type | Log entries, screenshots, narrative reports | Post-quantum signed receipts |
| Tamper resistance | Access controls on SIEM (bypassable) | Cryptographic (detectable by any verifier) |
| Timestamp integrity | System clock (manipulable) | Trusted clock + blockchain anchor |
| Negative proofs | Not possible ("logs don't show...") | Structured rejection semantics ("did not happen") |
| Audit methodology | Sampling, walkthroughs, inquiry | Deterministic replay (100% coverage) |
| Auditor independence | Relies on org's representations | Verifiable from receipts alone |
| Quantum durability | None (classical signatures) | Three hardness assumptions |
| Compliance coverage | Point-in-time (annual audit) | Continuous (every operation attested) |
| Cross-framework | Separate evidence per framework | One receipt chain, multiple compliance mappings |
| Cost of audit | $50K-$500K per engagement | Machine verification (automated) |
The shift from log-based to cryptographic audit trails is not incremental. It is a category change: from claims to evidence, from sampling to complete coverage, from trust to verification.
Logs are claims made by the system about itself. A compromised system writes false logs. Insiders with SIEM access can modify entries. Logs cannot prove negatives. Regulatory standards increasingly require evidence that systems operated within authorized boundaries, which logs cannot provide.
Every event produces a post-quantum signed receipt containing event details, a data hash (never plaintext), and a signature from three independent mathematical families. Receipts are tamper-evident, independently verifiable, and deterministically replayable.
An auditor reconstructs the exact system state at any historical point using only attestation receipts. Same receipts, same order, byte-identical outputs. This eliminates the reconstruction gap in which auditors must trust that the system accurately represents its own historical state.
Cryptographic audit trails map to SOC 2 Trust Services Criteria, ISO 27001 Annex A controls, HIPAA audit/access/integrity controls, and GDPR processing evidence requirements. Each control produces machine-verifiable evidence rather than narrative documentation.
HATS is a publicly available technical conformance standard that maps regulatory requirements to cryptographic evidence types. Each HATS control specifies the evidence artifact required, the verification procedure, and the regulatory mapping -- making compliance a binary verification, not an auditor judgment.
See cryptographic audit trails in action. Every event produces a PQ-signed receipt. Every receipt is independently verifiable. Every audit is deterministically replayable.