AI Governance Readiness

What your auditor will ask about your AI — and how you'll prove it

The same four questions keep coming up from auditors, customers, and regulators: what's in this AI system, how was it evaluated, what did it do at runtime, and who signed off? Run the free readiness self-check below — it stays in your browser, no sign-in — to see where you stand against the four NIST AI RMF functions and which signed evidence you're missing. Then download a real, DEMO-signed AI-Governance Evidence Pack and verify it yourself, so you can see exactly what a provable answer looks like.

Readiness indicator, not a legal determination. This self-check reflects your own self-reported readiness — it is not a certification, not a conformity assessment, not an audit opinion, and not legal advice, and it says nothing about whether your AI is safe, accurate, or compliant. Which obligations actually apply, and to whom, is for you and qualified counsel to determine; it supports NIST AI RMF and EU AI Act preparation only.
MAP — do you know what's in the system?
Satisfied by a signed AI Bill of Materials.
  • Do you have a written inventory of every model and dataset in this AI system?
  • Is that inventory pinned to content hashes, so a swapped model or dataset is detectable?
  • Is the inventory signed by a named declarant who is accountable for it?
MEASURE — can you show how it was evaluated?
Satisfied by a signed evaluation attestation.
  • Have you run a documented evaluation (capability + safety) on this exact model?
  • Are the eval results signed and bound to the specific model version they measured?
  • Was the evaluation run against a named, registry-referenced suite rather than an ad-hoc one?
MANAGE — can you prove what it did at runtime?
Satisfied by a signed execution trace.
  • Do you keep a tamper-evident log of this system's runtime decisions?
  • Is that log cryptographically chained, so a deleted or edited entry is detectable?
  • Does the log commit which model + inventory version actually ran?
GOVERN — is there a signed policy that admitted it?
Satisfied by a signed signed admission policy.
  • Is there a written policy defining the criteria this AI must meet before release?
  • Is that policy signed by an accountable compliance owner and versioned?
  • Is release gated on the policy re-deriving a pass over the signed MAP/MEASURE/MANAGE legs?
0/12 answered · stays in your browser
See a provable answer: verify a real signed pack yourself

This is a real, cryptographically DEMO-signed AI-Governance Evidence Pack over a fictional model ("SAMPLE — TRELYAN DEMO, not a real client"). Download the four files, then re-derive the verdict offline with the open-source tools. Its ADMIT verdict is about the demo record only — it says nothing about your AI.

node pqgovern-cli.mjs evidence-pack.json config.json

Exit 0 = ADMIT. Now flip a single byte in evidence-pack.jsonand run it again — a signature breaks and it exits 1 = BLOCK. That is the whole point: the grade can't be altered without breaking the signature. The govern tools ship in the MIT repo github.com/brandonjsellam-Releone/verify-pqc (clone it — these modules aren't in the published npm tarball yet). See VERIFY.md for the pin-confirmation step. ML-DSA-87 ∧ Ed25519 via the @noble libraries (not independently audited); names denote the public standards the primitives are based on, not a CMVP/FIPS-140 validation.

Close the gaps — get a signed AI-Governance Evidence Pack

You sign your governance legs; TRELYAN cryptographically verifies their signatures and packages them into a self-verifiable Evidence Pack bound to one model, with a Declaration-Assurance grade — the same shape as the demo above, over your own system. Self-attested; supports NIST AI RMF / EU AI Act preparation; not a certification.

Close the gaps — get a signed AI-Governance Evidence Pack
What this is — and is not

A self-verifiable AI-Governance Evidence Pack. It cryptographically proves WHO signed WHAT — your declarant, evaluator, runner, and compliance owner over ONE identified model — and that the packaged artifacts re-derive to a consistent verdict under your parties' public-key pins. It does NOT assert that the model is safe, accurate, unbiased, adequate, or compliant. TRELYAN cryptographically verifies the SIGNATURES on your own governance legs and packages them — TRELYAN does not sign them and does not validate the truth of the claims they contain. This is not a certification, not an audit opinion, not a conformity assessment, and not legal or regulatory advice. It supports NIST AI RMF and EU AI Act preparation only — consult your compliance officer.

Ready to turn your signed legs into one verifiable deliverable? The AI-Governance Evidence Pack packages your own AI Bill of Materials, evaluation, trace, and signed policy — bound to one model — into a pack anyone can re-derive offline. Also migrating cryptography? See the PQC-migration Evidence Pack.