Pre-Audit Compliance Documentation
AI Governance
Compliance Evidence Pack
Formal proofs, WORM audit trail evidence, 2173 automated test assertions, CCVS v1.2 evidence chain, EU AI Act Annex IV mapping, and ISO 42001 control references — structured for pre-audit submission to your board, compliance team, or procurement review.
certificationClaim = false · independentAuditClaim = false · For pre-audit internal use only
What's Inside
Six sections of verifiable evidence
Every claim references a specific source file and test. Nothing is hand-wavy.
Formal Verification
8 Z3 theorems proved UNSAT (5 core policy + 3 DeFi constraints) — policy invariants, revenue model, and billing logic. Every theorem verified by asserting its negation: UNSAT means no counterexample exists for any possible input.
WORM Audit Trail
Write-Once SHA-256 hash chain: requestHash → decisionHash → recordHash → bundleHash. Optional HMAC-SHA256 signing. Tamper-evident — any field change cascades to all downstream hashes.
Automated Test Evidence
2173 tests across 229 files covering gateway invariants, WORM idempotency, evidence bundle signing, approval lifecycle, security primitives, and provider dispatch. Mutation score 72.08% (191/265 killed) verified by Stryker.
EU AI Act Mapping
Art. 9 (Risk Management), Art. 12 (Record Keeping), Art. 14 (Human Oversight), Annex IV (9-item technical documentation checklist) — each mapped to DSG ONE controls with test evidence. Live at GET /api/compliance-evidence-pack/annex4.
ISO/IEC 42001 Controls
AI Management System alignment: A.6.1.1 (AI Policy), A.6.2.2 (Risk Assessment), A.6.2.3 (High-Risk Approval), A.9.1 (Monitoring), A.9.3 (Audit Logging), A.10.1 (Continual Improvement).
Evidence Boundary
certificationClaim = false · independentAuditClaim = false. This pack is for internal pre-audit preparation only. All source code and tests are reproducible from the public repository.
Use Cases
Who uses this pack
Procurement Teams
Download and share with your InfoSec or compliance reviewers when evaluating AI governance tooling. Pack answers: "How is policy enforced?" and "How is audit evidence produced?"
Compliance Officers
Map DSG ONE controls against your EU AI Act Article 12/14 obligations or ISO 42001 implementation. Pack provides pre-mapped control references with test evidence citations.
Board / Audit Committee
One-page executive summary format: formal proofs, test pass rate, hash-chain architecture, and regulatory mapping — without requiring technical expertise to interpret.
Methodology
Why "formally verified" is specific here
Most tools use "formally verified" loosely. DSG ONE is specific:
SMT-LIB 2 / Z3 — structural policy invariants
Gateway policy is encoded as a satisfiability problem in SMT-LIB 2 format and checked by the Z3 solver. Each of the 8 policy theorems is proved by asserting its negation — if Z3 returns UNSAT, no input combination can violate the invariant. This is not testing; it is exhaustive over all possible inputs.
2173 automated tests · 72.08% mutation score
Tests cover the gap between what Z3 proves (structural properties) and what runs in production (database interactions, authentication, HTTP routing, hash chain construction). Every WORM transition, approval lifecycle step, and security primitive has explicit assertions. Stryker mutation testing verified 191/265 mutants killed (72.08%) — gate at ≥70%.
WORM hash chain — tamper-evident by construction
requestHash → decisionHash → recordHash is not a database flag — it is a cryptographic chain. Altering any input field changes the hash, which changes all downstream hashes, which invalidates the bundleHash. This structure satisfies EU AI Act Art. 12 logging requirements by construction, not by policy.
Academic publication
Zenodo DOI
10.5281/zenodo.18225586
DSG ONE methodology is published on Zenodo (CERN/OpenAIRE open-access repository) and citable as peer-referenced research. The cryptographic evidence chain design, CCVS evidence severity levels, and policy theorem approach are documented with DOI — independently referenceable by auditors.
View on Zenodo (doi.org) →DSG MCP Server
Gate AI actions before they run — inside Claude or Cursor
DSG ONE exposes a Model Context Protocol (MCP) server. Any MCP-compatible AI tool (Claude, Cursor) can route commands through the policy gate before execution. Every call produces an evidence envelope — auditable, hash-chained, and exportable. This is governance applied before the AI acts, not after.
Ready to generate your evidence pack?
Opens a printable HTML report with all six sections. Use browser "Print → Save as PDF" or click the PDF button.
certificationClaim = false · independentAuditClaim = false