AGTS transforms governance from periodic reporting into a cryptographic audit trail. Every gate decision is a normative evidence record. Every audit is a query against an append-only log.
Each authorized governance decision produces a canonical leaf that cryptographically binds:
- What evidence justified the decision: five gate results with supporting data, four evidence hashes, system state snapshots, replay seed.
- Who evaluated it: three or more of four independent validators voted ACCEPT with ECDSA P-256 signatures over a canonical representation of the proof bundle.
- Who bears accountability: the Sovereign Authority key (hardware-backed, biometric-gated) signed the Governance Envelope.
- Where the record lives: the canonical leaf hash, Merkle inclusion proof, and Signed Tree Head, independently verifiable by any party with the log_id.
The AGTS compliance report covers six claims (RTR-C001 through RTR-C006). Each claim maps to specific regulatory articles and is satisfied by specific gate evidence.
Gate: G1 — Semantic Validity (H ≥ 0.40)
Regulatory articles: EU AI Act Art. 15 (accuracy and robustness); ISO/IEC 42001 §6.1.2 (AI risk assessment)
What the gate proves: Decision entropy (H) meets the declared threshold. Scattered, uncertain, or incoherent reasoning is detected and blocked before execution.
Gate: G2 — C (coherence) ≥ 0.40
Regulatory articles: EU AI Act Art. 13 (transparency); DORA Art. 8 (ICT risk management framework)
What the gate proves: The coherence observable meets the declared threshold. The IEED observable framework captures entropy (H), coherence (C), and energy (E) — three orthogonal measures of system governance posture.
Architectural guarantee: Validator quorum with 3-of-4 threshold
Regulatory articles: EU AI Act Art. 14 (human oversight); DORA Art. 11 (ICT business continuity)
What this proves: No single validator can authorize a governance action. A single Byzantine node cannot forge a quorum certificate.
Gate: G3 — E (energy) ≤ 0.60
Regulatory articles: EU AI Act Art. 9 (risk management system); ISO/IEC 42001 §8.4 (AI system operation)
What the gate proves: Execution energy stays within the declared bound. No protected metric degraded beyond its threshold.
Architectural guarantee: Lifecycle controller — ACTIVE / QUARANTINE / LOCKBOX state management
Regulatory articles: EU AI Act Art. 15 (robustness); DORA Art. 25 (testing of ICT tools)
What this proves: Three consecutive BREACH classifications trigger QUARANTINE — autonomous authorization suspended until remediation.
Gate: G4 — Policy Admission with evidence classification and four-hash integrity proof
Regulatory articles: EU AI Act Art. 12 (record-keeping); Basel III Pillar 2 (governance of model risk)
What the gate proves: The evidence used to justify the decision was produced by an independent harness (HOOKED), an attested enclave (ATTESTED), or instrumented internal audit (INSTRUMENTED) — not self-reported.
Clearinghouse running, proof bundles generated. EU AI Act Art. 12 basic record-keeping.
Validator network with quorum. RTR-C003 and RTR-C005 satisfied. Insurance-relevant.
Transparency log, STH, inclusion proofs. Regulators can run their own monitor node.
Witness quorum, external monitor network, cross-institution mesh. No trust assumption on operator.
ENISA's "Cybersecurity of AI and Standardisation" (2021) identifies five gaps that existing frameworks cannot close. AGTS closes all five.
"The traceability of data and AI components throughout their life cycles remains largely unaddressed."
Every governance cycle commits dataset_provenance_hash and parent_bundle_hash. The hash chain is structural — the Merkle tree enforces it.
"No AI-specific standard defines what a governance log must contain."
Append-only Merkle tree with defined leaf format, Signed Tree Head, witness countersignatures, and consistency proofs.
"Existing standards lack conformity assessment methods with technical metrics."
Six-claim compliance report with explicit, machine-readable metrics per gate. One format covers all seven EU AI Act trustworthiness dimensions.
"Documentation alone doesn't make a decision replayable."
Every governance envelope contains a payload_uri. Replaying that evidence through the same gate logic produces the same verdicts. Deterministic and independent.
"No existing standard specifies how human oversight is recorded and made verifiable."
G5 is structurally mandatory — no leaf admitted without passing G5. The operator_id and ECDSA signature are committed into the proof bundle.
| Audit Question | Where to Look | Verification Method |
|---|---|---|
| Was this governance decision made? | Canonical leaf in transparency log | Inclusion proof from /agts/v1/log/proof/{leaf_index} |
| Was the log root honest? | STH covering the leaf | Consistency proof from /agts/v1/log/sth/consistency |
| Did witnesses agree? | witness_signatures on the STH | ECDSA P-256 / Ed25519 verification against published witness public keys |
| What evidence was used? | payload_uri in governance envelope | Fetch payload, replay through G1–G5 gate logic |
| Who authorised it? | gate_g5_authorization.operator_id | Identity committed in proof bundle, signed by Sovereign Authority |
| Was the model healthy? | gate_g2_drift.{h_score, c_score, e_score} | Compare against admission thresholds in Verification Policy Bundle |
| Was the training data clean? | gate_g4_evidence.classification | HOOKED or ATTESTED = passing; UNCLASSIFIED blocks admission |
| Was execution within bounds? | Leaf 3 variance record | omega_breach field; delta.{h,c,e} per observable |
All verification operations use SHA-256 and standard ECDSA/Ed25519 — no proprietary cryptographic libraries required.
If your organisation is standing up an EU AI Act regulatory sandbox under Articles 57–63, the AGTS clearinghouse provides the evidence layer that sandbox participants use to demonstrate governance during the sandbox period.
The governance chain produced during the sandbox period is cryptographically continuous with the chain after the sandbox concludes. Regulators running a monitor node can verify any leaf independently, without accessing the participant's systems.
Contact for sandbox pilot engagements: ops@obligationsign.com
See the evidence, verify the signatures, replay the decision.