{"ns":"a11oy","surface":"ai-assurance","description":"CDAO/DoD AI Assurance Requirements → a11oy artifact mapping. Honest status per row. ROADMAP items labeled explicitly. a11oy is the governance overlay — NOT accredited (ATO/IL5/FedRAMP are ROADMAP).","requirements":[{"req_id":"MC-1","requirement":"Model Card","req_detail":"AI systems shall have a model card describing model purpose, training data, performance, and known limitations.","source":"DoDM 5000.101 (DoD AI Acquisition Policy)","source_url":"https://dodcio.defense.gov/Portals/0/Documents/Library/DoDM-5000-101.pdf","a11oy_artifact":"a11oy model card endpoint: GET /api/a11oy/v1/honest (model id, training data label, performance honesty, limitation disclosures). Served-model id embedded in every signed Khipu receipt.","artifact_url":"/api/a11oy/v1/honest","status":"LIVE","status_detail":"Model card data is live at /api/a11oy/v1/honest. Training data labeled SAMPLE/SIMULATED unless MEASURED — doctrine-enforced. Served-model id is embedded in every signed DSSE receipt.","honest_caveats":"Performance metrics are SAMPLE/ADVISORY. Λ=Conjecture 1 (advisory; NOT a theorem). 8 kernel-proven formulas only; never '183 proven'."},{"req_id":"DC-1","requirement":"Data Card / Honest Data Labels","req_detail":"AI systems shall document data provenance, quality, and representativeness to support risk management and authorization.","source":"DoD AI Cyber RMF Tailoring Guide (CDAO/dodcio.defense.gov)","source_url":"https://dodcio.defense.gov/Portals/0/Documents/Library/AI-Cyber-RMF-Tailoring-Guide.pdf","a11oy_artifact":"a11oy honest data labels: every data reference is tagged LIVE / MEASURED / SAMPLE / MODELED / ROADMAP — no unlabeled assertions. Labels are embedded in signed Khipu receipts and surfaced in the assurance matrix.","artifact_url":"/api/a11oy/v1/assurance/matrix","status":"LIVE","status_detail":"Honest-label schema is enforced in doctrine v11/v12. Every data claim carries a machine-readable status label. Labels are baked into signed receipts.","honest_caveats":"Demo data is SAMPLE/SIMULATED unless explicitly labeled MEASURED. Production measured data requires deployment in a live environment."},{"req_id":"SBOM-1","requirement":"SBOM / Software Bill of Materials","req_detail":"Federal agencies and DoD programs shall produce a Software Bill of Materials for all AI/software systems to support supply-chain risk management.","source":"OMB Memo M-22-18 (Enhancing the Security of the Software Supply Chain)","source_url":"https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf","a11oy_artifact":"SLSA Level 1 attestation: szl_dsse.py and all Python modules are open-source (Apache-2.0), committed to szl-holdings/a11oy with full commit SHAs. SLSA L2 (hermetic build) and L3 (full provenance) are ROADMAP items.","artifact_url":"https://github.com/szl-holdings/a11oy","status":"ROADMAP","status_detail":"L1: Source is public (Apache-2.0) — honest. L2 (attested hermetic build): ROADMAP. L3 (full SLSA provenance): ROADMAP. Full SBOM in CycloneDX/SPDX format: ROADMAP.","honest_caveats":"Honest: L1 only today. L2/L3 are explicit ROADMAP items. No fabricated compliance claim."},{"req_id":"SI7-1","requirement":"Model / Data Integrity Check (SI-7)","req_detail":"NIST SP 800-53 SI-7 (Software, Firmware, and Information Integrity): AI systems shall employ integrity verification tools to detect unauthorized changes to software, firmware, and information.","source":"NIST SP 800-53 Rev 5 — SI-7 (via DoD AI RMF Tailoring Guide)","source_url":"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final","a11oy_artifact":"SHA3-256 hash-chained signed Khipu receipts (F4/F22): every inference decision is hash-chained (prev→digest) and DSSE-signed (ECDSA-P256 over SHA-256). Buyer can re-verify integrity offline with public key + WebCrypto. F4 (Khipu chain determinism) and F22 (monotone sequence) are kernel-proven @ c7c0ba17.","artifact_url":"/api/a11oy/v1/govern/infer","status":"LIVE","status_detail":"Hash-chain: LIVE — every receipt carries prev_digest + digest (SHA-256). DSSE signing: LIVE when SZL_COSIGN_PRIVATE_KEY_PEM secret is present. Buyer-verifiable: LIVE via /verify page (WebCrypto, zero server round-trip for verify). F4 + F22 kernel-proven @ c7c0ba17.","honest_caveats":"Hash function is SHA-256 (via Python 'hashlib'), not SHA3-256 in the current receipt chain. DSSE uses ECDSA-P256-SHA256. Offline verify: WebCrypto in browser or cosign verify-blob CLI."},{"req_id":"TEVV-1","requirement":"TEVV Results in Security Authorization Package","req_detail":"Test, Evaluation, Verification, and Validation (TEVV) results shall be documented and included in the AI system's security authorization package, providing auditable evidence of system behavior.","source":"CDAO AI Assurance Framework / DoDI 5000.89 (T&E for AI)","source_url":"https://dodcio.defense.gov/Portals/0/Documents/Library/AI-Assurance.pdf","a11oy_artifact":"Signed DSSE receipt per governed decision: every allow/review/deny verdict produces a cryptographically-signed Khipu receipt (szl_dsse.sign_khipu_receipt). The receipt encodes: decision, Λ score (advisory), gates fired/passed, chain hash, timestamp — a machine-verifiable TEVV artifact per inference call.","artifact_url":"/verify","status":"LIVE","status_detail":"Signed receipt per decision: LIVE. Each receipt is DSSE-signed and hash-chained. Buyer can paste the receipt into /verify and get WebCrypto VERIFIED result. Λ advisory score included in receipt (Conjecture 1 label).","honest_caveats":"TEVV in a11oy covers governed-inference decisions. Full model-level T&E (accuracy, adversarial robustness benchmarks) requires additional tooling: ROADMAP. Λ is Conjecture 1 (advisory; NOT a theorem)."},{"req_id":"RA-1","requirement":"Runtime Assurance / Continuous Monitoring","req_detail":"AI systems in operational use shall have runtime monitoring to detect anomalous behavior, performance drift, and policy violations.","source":"CDAO AI Assurance Framework / NIST AI RMF 1.0 (GOVERN + MONITOR)","source_url":"https://airc.nist.gov/RMF_Overview","a11oy_artifact":"Λ-gate per call (advisory, Conjecture 1): every inference call passes through the Λ gate (floor 0.90 advisory). Gates: threat-signature-scan, pii-egress-guard. OTel-GenAI spans for runtime observability: partial (ROADMAP for full OTel). Signed refusal receipts for every denied call — continuous audit trail.","artifact_url":"/api/a11oy/v1/gates","status":"LIVE","status_detail":"Λ gate per call: LIVE (advisory floor, Conjecture 1). Threat/PII gates: LIVE. Signed denial receipts: LIVE. Full OTel-GenAI span export: ROADMAP.","honest_caveats":"Λ = Conjecture 1 (advisory; NOT a theorem). Gate coverage is advisory, not a certified classifier. Full OTel instrumentation is ROADMAP. Never claim 100% detection coverage."},{"req_id":"IV-1","requirement":"Independent Verifiability","req_detail":"Governance artifacts (receipts, audit logs) shall be independently verifiable by an auditor or buyer without relying solely on the provider's assertion.","source":"CDAO AI Assurance Framework / DoD AI Ethical Principles (Traceable)","source_url":"https://dodcio.defense.gov/Portals/0/Documents/Library/AI-Principles-Recommendations-Final.pdf","a11oy_artifact":"Buyer re-verifies signature offline via WebCrypto (/verify page) or cosign verify-blob CLI. Public key at /cosign.pub (also: github.com/szl-holdings/.github/cosign.pub). No server round-trip required for verification — the math is the receipt.","artifact_url":"/verify","status":"LIVE","status_detail":"WebCrypto verify: LIVE — buyer pastes DSSE envelope, browser verifies ECDSA-P256. cosign verify-blob CLI: LIVE — byte-for-byte equivalent (proven round-trip). Public key is published and never rotated without notice. UNIQUE vs Foundry/Unity Catalog: lineage is viewable but NOT cryptographically buyer-verifiable. a11oy gives you a signature you can verify offline.","honest_caveats":"Independent verifiability applies to signed receipts only. Unsigned receipts (when private key is absent from runtime) carry an explicit UNSIGNED label — no fabricated signature ever. The hash chain is still valid and verifiable even without the ECDSA signature."},{"req_id":"ATO-1","requirement":"ATO / IL5 / FedRAMP-High Accreditation","req_detail":"AI systems handling sensitive DoD data require an Authority to Operate (ATO), IL5 (Impact Level 5) cloud authorization, and/or FedRAMP-High equivalent security authorization.","source":"DoD CC SRG / FedRAMP / DISA IL5 Cloud Computing SRG","source_url":"https://public.cyber.mil/dccs/","a11oy_artifact":"a11oy is NOT accredited. No ATO, no IL5, no FedRAMP-High authorization exists. Pursuing ATO/FedRAMP-High is a ROADMAP item contingent on a DoD program sponsor.","artifact_url":null,"status":"ROADMAP","status_detail":"ATO: NOT obtained — ROADMAP. IL5: NOT obtained — ROADMAP. FedRAMP-High: NOT obtained — ROADMAP. This is stated plainly. The honesty IS the sell to an auditor audience.","honest_caveats":"Any claim of ATO/IL5/FedRAMP would be false. a11oy is a governance overlay that can be DEPLOYED within an accredited environment (e.g., Advana/WDP) and contribute to the evidence package — but a11oy itself is not accredited. Do NOT misrepresent this."}],"honest_note":"Status values: LIVE=operational today; MEASURED=operational with real data; SAMPLE=demo/sample data only; MODELED=model-derived; ROADMAP=planned not delivered. Λ=Conjecture 1 (advisory; NOT a theorem). 8 kernel-proven formulas only; never '183 proven'. ATO/IL5/FedRAMP-High: NOT accredited — ROADMAP.","lambda_kind":"Conjecture 1 (advisory; NOT a theorem)","locked_proven":8,"kernel_commit":"c7c0ba17"}