AI-Governance Evidence Pack

Cryptographic proof of who signed what about your AI model

Auditors, customers, and regulators are asking the same question: who attested what about this AI system, and can you prove it wasn't changed? An AI-Governance Evidence Pack answers it with a signed, independently-verifiable artifact — your own AI Bill of Materials, evaluation, execution trace, and signed policy, cross-bound to one model. You sign your legs; TRELYAN cryptographically verifies their signatures and packages them into a pack anyone can re-derive offline.

Not sure where you stand yet? Take the free AI-governance readiness check first — it stays in your browser and shows which signed evidence you're missing.

AI Bill of Materials (MAP)

Your signed inventory of the model + training data (CycloneDX 1.6 ML-BOM), with a Declaration-Assurance grade.

Evaluation attestation (MEASURE)

Your signed evaluation, bound to the AIBOM's model, with a posture grade earned from a registry-validated suite.

Execution trace (MANAGE)

Your runner-attested, hash-chained provenance log, committing the model + inventory.

Signed policy (GOVERN)

Your compliance owner's signed, versioned admission policy — the criteria themselves become verifiable evidence.

Governance-record binding

MAP ∧ MEASURE ∧ MANAGE ∧ GOVERN cross-bound to ONE model by distinct signers; the admission is re-derived, never asserted.

Offline verification kit

REPORT.md + VERIFY.md: the buyer re-derives ADMIT/BLOCK offline under the parties' public-key pins with the MIT @trelyan/verify-pqc toolkit.

Sign-in required. Payment settles through a hosted NOWPayments invoice (BTC, ETH, SOL, ALGO + 300 more). You provide your signed governance legs (AIBOM, evaluation, trace, policy); we cryptographically verify their signatures and package them.

Enterprise / portfolio, fiat invoicing & procurement terms, or an annual re-attestation cadence? Contact sales.

What this is — and is not

A self-verifiable AI-Governance Evidence Pack. It cryptographically proves WHO signed WHAT — your declarant, evaluator, runner, and compliance owner over ONE identified model — and that the packaged artifacts re-derive to a consistent verdict under your parties' public-key pins. It does NOT assert that the model is safe, accurate, unbiased, adequate, or compliant. TRELYAN cryptographically verifies the SIGNATURES on your own governance legs and packages them — TRELYAN does not sign them and does not validate the truth of the claims they contain. This is not a certification, not an audit opinion, not a conformity assessment, and not legal or regulatory advice. It supports NIST AI RMF and EU AI Act preparation only — consult your compliance officer.

Also migrating cryptography? The PQC-migration Evidence Pack proves where your stack stands on post-quantum readiness — the two together are a full-stack evidence posture.