Verifiable does not mean "we checked it ourselves." Verifiable means any independent party, using independent tools, on independent infrastructure, can reproduce the identical governance verdict. No vendor trust. No platform access. No API keys. The mathematics either confirms or it does not.
The word "verifiable" has been diluted by the AI industry to the point of meaninglessness. Platforms claim their AI actions are "verifiable" because they maintain audit logs. Governance tools claim "verifiable compliance" because they produce reports. Model providers claim "verifiable safety" because they run internal evaluations. None of these uses of "verifiable" meet the basic standard that the word implies.
Verifiable means independently reproducible. A verifiable AI action is one where any third party -- without trusting the platform operator, without accessing the original system, without special credentials or API keys, without network connectivity to any H33 server -- can cryptographically confirm that the action occurred as recorded, under the governance constraints claimed, within the scope boundaries documented, at the time stated. Verification is a mathematical operation that produces a deterministic boolean result: the attestation either verifies or it does not.
This is a strict definition. It excludes any system where the verifier must trust the entity being verified. It excludes any system where the evidence is stored in infrastructure controlled by the entity being evaluated. It excludes any system where verification requires connectivity to the original platform. It excludes any system where the verification result depends on which tool performs the check.
H33 adopts this strict definition because the use cases that demand verifiable AI actions -- regulatory compliance, insurance underwriting, litigation support, inter-organizational trust -- require evidence that survives adversarial scrutiny. When a regulator evaluates whether an AI system complied with the EU AI Act, when an insurer adjudicates a claim involving AI decision-making, when opposing counsel demands evidence of AI governance -- the evidence must be verifiable in the strong sense. Self-reported compliance is insufficient. Platform-controlled logs are insufficient. Only independently reproducible cryptographic verification meets the standard.
Every major AI platform today verifies its own actions. OpenAI evaluates OpenAI models. Google assesses Google AI safety. Anthropic audits Anthropic systems. This is not a criticism of these organizations. It is a structural observation about the trust model. When the entity producing AI actions is the same entity verifying those actions, the verification has zero probative value for any party that does not already trust the operator.
Consider the scenario concretely. An enterprise deploys an AI agent that processes insurance claims. The agent makes 100,000 decisions per month. When a disputed decision arises, the enterprise produces its internal logs showing the agent operated within policy. The insurer asks: how do we know these logs are complete? How do we know they have not been modified? How do we know the governance constraints you describe were actually active? The enterprise has no answer except "trust us." The logs are stored in the enterprise's database. The verification tools are the enterprise's tools. The evidence is entirely within the enterprise's control.
This vendor trust problem is not solved by third-party audits. An auditor who examines platform-controlled logs is verifying what the platform chose to show them. The auditor cannot independently confirm that the logs are complete, unmodified, and authentic. The audit is an assessment of claimed compliance, not a verification of actual compliance. For the cryptographic guardrails approach to this problem, the evidence must be structurally independent of the entity being evaluated.
H33 verification is governed by the HATS protocol (H33 Attestation and Trust Standard), a publicly available technical conformance standard that defines the complete verification semantics for AI governance attestations. HATS specifies field ordering, transcript construction, hash derivation, signature verification, replay logic, and expected outputs for every attestation type. The specification is sufficient for any developer to build a complete, independent verifier implementation from scratch.
The H33 reference verifier is implemented in Rust, but HATS is language-neutral. A verifier implemented in Go, Python, TypeScript, Java, or any other language that correctly implements the specification will produce identical results for the same attestation input. This is not a claim. It is a machine-testable property. The conformance testing framework provides 26 canonical test vectors with byte-identical expected outputs. Any implementation that passes all 26 vectors is provably equivalent to the reference implementation.
H33 verification requires no network connectivity. No API calls. No authentication tokens. No access to H33 infrastructure. An air-gapped machine running a HATS-conformant verifier can validate any attestation chain given two files: the attestation chain and the governance graph snapshot. These files contain all information necessary for complete verification -- every signature, every hash chain link, every scope boundary, every policy hash, every signer set.
This offline capability is not an edge case. It is the design constraint that forces genuine independence. If verification required platform access, the platform operator could deny access, rate-limit queries, or serve manipulated responses. Offline verification eliminates every dependency on the entity being verified.
The strongest form of verification is not just checking signatures and hash chains. It is deterministic replay -- taking the governance graph state referenced by an attestation, feeding the recorded action through the governance evaluation logic, and confirming that the replay produces the identical verdict. This is what the HATS protocol enables. Given the same governance graph, the same action parameters, and the same policy hash, any conformant verifier produces the identical governance decision. If the replay verdict differs from the recorded attestation, either the attestation was fabricated or the governance state was tampered with. Both cases are detectable, and the exact point of divergence is identifiable.
This level of verification is unique to cryptographic governance infrastructure. No logging system, no dashboard, no audit report can provide deterministic replay of governance decisions. Only a system that captures the complete governance context at execution time -- and compresses it into an independently verifiable attestation -- can support this form of verification. The governance replay demo demonstrates this capability in action.
H33 maintains an open standing challenge to the security research community, the AI governance community, and any interested party: implement the HATS specification, reproduce the canonical test vectors, and demonstrate that your independent verifier produces identical results to the H33 reference implementation.
This challenge serves multiple purposes. First, it proves that H33 verification is genuinely deterministic -- if independent implementations produce identical results, the verification semantics are unambiguous. Second, it creates a network of independent verifiers, ensuring that no single implementation is a gatekeeper for verification. Third, it demonstrates that the guarantees H33 makes about independent verification are testable, not theoretical.
The canonical test vectors are publicly available. The HATS specification is published. The reference verifier is open for inspection. The challenge is not to break the cryptography. It is to build an independent implementation that produces identical results. If you can, you have proven that H33 verification is independently reproducible. If you cannot, the specification needs to be improved, and we want to know about it.
$ hats-verify conformance path/to/canonical-vectors/
Vector 01 (basic_attestation): PASS
Vector 02 (chain_integrity): PASS
Vector 03 (scope_boundary): PASS
Vector 04 (negative_authority): PASS
Vector 05 (policy_transition): PASS
...
Vector 26 (full_governance_replay): PASS
Result: 26/26 vectors passing
Status: CONFORMANT
Contact standard@h33.ai to register your independent implementation.
A structural comparison of self-verification models versus independently reproducible cryptographic verification.
| Dimension | Vendor-Verified (Current Standard) | Independently Verifiable (H33/HATS) |
|---|---|---|
| Who performs verification | The platform operator or their appointed auditor | Any party, using any HATS-conformant verifier |
| Evidence custody | Platform-controlled databases and logging infrastructure | Attestation chain files, portable, self-contained |
| Network requirement | Requires platform access, API keys, or auditor credentials | Fully offline -- air-gapped verification supported |
| Determinism | Non-deterministic -- depends on audit methodology | Deterministic -- same input always produces same verdict |
| Tamper detection | Administrative controls (bypassable by privileged users) | Hash chain + PQ signatures (mathematically unforgeable) |
| Replay capability | Log review -- subjective interpretation of records | Deterministic replay -- identical outputs from identical inputs |
| Trust model | Trust the operator, trust the auditor, trust the tools | Trust only mathematics -- no entity trust required |
| Multi-party disputes | Competing interpretations of the same logs | Single deterministic verdict from any conformant verifier |
| Regulatory value | Compliance claim supported by audit opinion | Machine-verifiable conformance evidence |
| Long-term validity | Degrades as audit methodologies change | Mathematically valid indefinitely (PQ-resistant) |
A HATS-conformant verifier performs four operations in sequence: signature verification, hash chain validation, scope consistency checking, and deterministic replay. Each operation is specified with byte-level precision in the HATS protocol.
Signature verification validates the three post-quantum signatures (ML-DSA, FALCON, SLH-DSA) on each attestation. The verifier must confirm that all three signatures are valid, that they were produced by the claimed signer set, and that the signed content matches the attestation body.
Hash chain validation confirms that each attestation's previous-hash field matches the SHA3-256 hash of the preceding attestation. Any break in the chain indicates tampering or deletion.
Scope consistency checking verifies that the action recorded in each attestation falls within the scope boundaries defined by the governance graph for the agent that performed it. This requires traversing the governance graph from root to the agent's node and computing the intersection of all delegations.
Deterministic replay re-evaluates the governance decision using the recorded governance graph state and action parameters, confirming that the replay produces the same verdict as the recorded attestation.
The EU AI Act, NIST AI Risk Management Framework, and emerging corporate AI mandates all require demonstrable governance. Independently verifiable attestations provide regulators with evidence they can check using their own tools, on their own infrastructure, without relying on the regulated entity's cooperation or infrastructure. The compliance infrastructure documentation maps specific regulatory requirements to H33 verification capabilities.
Cyber insurance for AI systems requires evidence that governance was in place during the policy period. Independently verifiable attestation chains give insurers the ability to adjudicate claims using mathematical verification rather than forensic investigation of platform-controlled logs. See the AI guardrails documentation for the insurance evidence model.
Organizations deploying third-party AI systems need assurance that governance constraints are enforced as claimed. Vendor assertions are insufficient for high-stakes deployments. Independent verification lets enterprise buyers validate AI governance without trusting the vendor's self-reported compliance. The operational integrity framework provides continuous verification for enterprise AI deployments.
When AI decisions become the subject of legal disputes, the evidence must survive adversarial examination. Attestation chains verified by independent tools provide evidence that no party controls, that any expert witness can reproduce, and that produces the same result regardless of which side performs the verification.
Download the canonical test vectors. Build your own verifier. Or use ours. The point is that you do not have to trust anyone -- the mathematics is the proof.