← LearnAI governance

Verifiable AI governance: the four signed legs auditors actually accept

Map the four NIST AI RMF functions to four signed artifacts anyone can re-check — and know exactly where the proof stops.

“Governed” is a claim. Evidence is checkable.

Every AI vendor says its models are governed. In a questionnaire, that is a sentence. In an audit, a customer security review, or an EU AI Act technical-documentation request, a sentence is not evidence — someone has to be able to check that the inventory is real, the evaluation happened, the runtime behaved, and a named owner signed off. Screenshots and spreadsheets can all be edited after the fact, so they answer none of these.

Verifiable governance closes that gap the same way a verified AI answer does: not by asking you to trust the vendor, but by attaching cryptographic evidence that anyone can re-check independently. The unit of evidence is a small set of signed artifacts you can hand to an auditor with the public keys — and they re-derive the result themselves, offline.

The four questions every AI auditor asks

The NIST AI Risk Management Framework organizes AI governance into four functions, and each maps to one concrete, signable artifact. MAP — what is in this system? — is answered by a signed AI Bill of Materials: your model and training-data inventory, pinned to content hashes so a swapped component is detectable. MEASURE — how was it evaluated? — is a signed evaluation attestation, bound to that exact model version and earned from a named, registry-referenced suite rather than an ad-hoc one.

MANAGE — what did it actually do at runtime? — is a runner-attested, hash-chained execution trace whose first step commits the model and inventory it ran, so a deleted or edited entry breaks the chain. GOVERN — who signed off, and against what criteria? — is a compliance owner’s signed, versioned admission policy, so the criteria themselves become verifiable evidence rather than an unwritten understanding. Four questions, four signed legs.

What a signed governance pack proves — and what it does not

Bundled together, the four legs let anyone re-derive a single decision — ADMIT or BLOCK — from the signed artifacts under the parties’ public keys. That decision proves WHO signed WHAT: your declarant, evaluator, runner, and compliance owner each attested a specific thing about one identified model, and the policy’s own criteria admitted it. Change any leg, the policy, or the cross-binding, and a signature fails and it blocks.

It is just as important to say what this does not prove. Like a signature on an AI answer, it attests origin and integrity, not truth. It verifies the cryptography and the policy logic of the chain — it does not independently check the factual claims inside each leg (that the evaluation was really run, that the declared inventory is complete); those are trusted on their signers’ signatures. It is self-attested, not a certification, not a conformity assessment, and not an audit opinion. It supports EU AI Act and NIST AI RMF preparation; it does not make anyone “compliant.”

Why it must bind to one model, by distinct signers

The value is in the cross-binding. A signed evaluation is worth little if it can be silently re-pointed at a different model than the one in the inventory, and a policy is worth little if it can be applied to a system it never reviewed. A sound governance record binds MAP, MEASURE, MANAGE, and GOVERN to one identified model, and can require that the four legs be signed by distinct parties — so no single key can fabricate the whole chain.

That is also the honest limit of the mechanism: it proves the parties attested what they attested and that nobody altered it afterward. Whether the criteria the owner signed are strong enough is a separate, human judgment — but because the policy is authenticated, versioned, and bound into the decision, a weak policy is at least auditable rather than invisible.

How to check it yourself, today

The fastest way to understand this is to verify a real one. A demo AI-Governance Evidence Pack — signed over a deliberately fictional model — can be re-derived to ADMIT with an open-source command line in your own terminal; change a single byte and it blocks. No account, no upload, no trust in the vendor’s word: the math runs on your machine against published keys.

To see where your own systems stand, a short in-browser readiness check maps your answers to the four signed legs and shows which ones you can produce today — the gaps are the work. None of that leaves your browser. When you are ready to turn your signed legs into one verifiable deliverable an auditor can re-check, that is what an AI-Governance Evidence Pack is.

Check your AI-governance readiness — free

In-browser, no sign-in — see which of the four signed legs you can produce today.

Verification attests an answer’s origin and integrity, not its factual accuracy. Algorithm names denote the public standards the primitives are based on (ML-DSA-87 / FIPS 204, ML-KEM-1024 / FIPS 203; Falcon / FN-DSA, FIPS 206 forthcoming), not a FIPS-140 / CMVP validation.