Audit-grade AI infrastructure

The PROVE Stack

Five layers anchored in the standards regulators already trust, organising AI verifiability into one coherent framework.

The wave
A category is forming this quarter.
Binding 2 August 2026, high-risk AI
EU AI Act Article 12 (Record-keeping)
"High-risk AI systems shall technically allow for the automatic recording of events (logs) over the lifetime of the system."
Art. 12(1) · Regulation (EU) 2024/1689. Applies to systems classified as high-risk under Annex III, including credit scoring, fraud detection, recruitment, and migration management.
Q1 2026, released
NIST IR 8596 Cyber AI Profile
First federal bridge between NIST CSF 2.0 and the NIST AI RMF. Cyber teams and AI teams finally use the same vocabulary.
In force since 17 January 2025
DORA, Digital Operational Resilience Act
Regulation (EU) 2022/2554. Every EU financial entity must manage ICT risk and document each ICT third-party arrangement. ZeroH meets the definition of ICT third-party service provider under Article 3(19).
1 May 2026, issued
CISA + NSA + Five Eyes
Joint guidance on secure adoption of agentic AI, first time six governments coordinate on AI risk. Specific recommendations on agent identity, signed action logs, and runtime authorisation.
The gap
Every AI vendor proves what the model said. None prove what it saw.
Today's AI infrastructure
Proves the output
AI gateways, DLP tools, vault providers, content-safety filters, all log prompts, responses, and detections. They tell you the model responded. None prove what data it was actually shown.
What a regulator asks
Prove the disclosure
What fields did the AI see? What was withheld, and why? Who authorised it? Can the workflow be reconstructed independently, without exposing the underlying data?
What ZeroH was designed to fill
Prove the disclosure cryptographically
Field-level, role-aware disclosure decisions, signed and chained. Verifiable by an external party using a public key, without ever seeing the underlying record.
Why these five letters
Each layer maps to one regulatory pressure point.
Layer Anchored in Regulatory pressure
P Policy enforcement DORA Art. 6 · ISO/IEC 42001 · CSA AICM v1.0.3 EU AI Act Art. 9, risk management
R Role-aware disclosure ISO 27701 · GDPR Art. 25 · W3C VC 2.0 GDPR Art. 5(1)(c), data minimisation
O Origin chain EU AI Act Art. 12 · DORA Art. 17 · ISO/IEC 42001 Binding 2 August 2026, high-risk AI
V Verifiable evidence EU AI Act Art. 13 · GDPR Art. 5(2) · DORA Art. 28(3) · W3C VC 2.0 + DataIntegrityProof Demonstrability to a third party
E Externally replayable ISO 42001 · EU AI Act Art. 12 · W3C VC 2.0 Supervisory reconstructability
A note on what this is
PROVE is not a new standard. It organizes EU AI Act Article 12, DORA, ISO/IEC 42001, ISO/IEC 27701, GDPR and CSA AICM v1.0.3 into one coherent framework, and aligns with the Zero Trust principles in NIST SP 800-207. Every layer below is anchored in the standards it narrates. PROVE makes no eIDAS-compatibility claim today.
Zero Trust × PROVE
Zero Trust says
"Never trust. Always verify."
The gap
Verification without proof is just a claim.
PROVE delivers
Cryptographic proof the verification actually happened.
Zero Trust without proof is still trust. PROVE turns Zero Trust from a principle into a practice.
Click any layer to expand
P
Policy enforcement
Anchored in
EU AI Act Art. 9 · risk management DORA Art. 6 · ICT risk management · in force ISO/IEC 42001 CSA AICM v1.0.3
Aligned with the Zero Trust principles in NIST SP 800-207.
Every operation passes through machine-checked gates. Rule violations are caught at every integration boundary, blocked before they enter the system. The Policy Engine enforces field-level disclosure rules on every operation, anchored to version-controlled policy bundles. At the AI gateway, every model request is authorised pre-execution against field-level rules.
R
Role-aware disclosure
Anchored in
ISO/IEC 27701 GDPR Art. 5(1)(c) · data minimisation GDPR Art. 25 W3C VC 2.0
Each user, and the AI itself, sees only the slice of a record their role permits. Field-level. Deterministic. Worked example: one ISO 20022 payment record, three projections, Branch Teller, Sanctions Analyst, Marketing Analyst, each seeing only their authorised fields. Per-role render decisions are produced as W3C Verifiable Credentials 2.0 with DataIntegrityProof, signed by the customer's KMS and verifiable offline by anyone with the customer's public key.
O
Origin chain
Anchored in
EU AI Act Art. 12 · binding 2026-08-02 (high-risk) DORA Art. 17 · ICT incident management · in force ISO/IEC 42001
Every operation gets a tamper-detectable fingerprint and an immutable audit anchor. Edit it after the fact, the system sees it instantly. SHA-256 fingerprints on every operation. Cryptographically chained signed event log on append-only Object Lock storage (S3 / GCS / Azure / MinIO). Retention enforced against root.
V
Verifiable evidence
Anchored in
EU AI Act Art. 13 · Transparency GDPR Art. 5(2) · Accountability DORA Art. 28(3) · third-party register · in force W3C VC 2.0 + DataIntegrityProof
Evidence isn't just stored, it's queryable, structured, and shaped for an auditor. Each time-window of audit events is packaged as a W3C Verifiable Credential 2.0 wrapping the Merkle root of the audit chain, signed by the customer's own KMS with a DataIntegrityProof. An auditor verifies the signature offline against the customer's public key, no live dependency on ZeroH. Auditor-reviewable on request, anchored to schema and policy bundle signatures.
E
Externally replayable
Anchored in
ISO/IEC 42001 · lifecycle EU AI Act Art. 12 W3C VC 2.0 · KMS public-key verification
Same input, same output, every time. Yesterday's decision can be reproduced today. Deterministic operations. Trace IDs that let an investigator follow any decision step by step. On request by request_id or date, the system returns an inclusion proof, the signed Merkle root, and the W3C VC 2.0 attestation. An auditor verifies offline against the customer's KMS public key, no vendor in the loop, no data leaves the bank.
PROVE × CSA AI Controls Matrix (AICM)
AICM is the controls catalogue. PROVE answers it with signed evidence.
CSA AICM v1.0.3 sets the AI-controls bar. PROVE produces audit events that map to specific AICM control questions, so a Proof Pack is the answer to the control, not a narrative about it.
The controls catalogue
CSA AI Controls Matrix v1.0.3
AI-specific controls, organised by family
"What does a regulator or auditor expect to see for an AI system?"
What it defines, control families
  • DSP, data security and privacy (classification, masking, transfer)
  • AIS, AI system security (input/output validation, sandboxing, prompt differentiation)
  • IAM, identity and access management (unique IDs, least privilege, agent boundaries)
  • LOG, logging (audit records, protection, output monitoring)
  • GRC, A&A, SEF, CEK, STA, governance, audit, incident, key management, third-party
What it asks
For each control, AICM poses a CAIQ question, "Are processes, procedures and technical measures in place to ...", that an auditor expects the AI provider to answer with evidence.
AICM names the controls and asks the questions. It is silent on how the evidence is produced or carried, that is the provider's job.
The signed-evidence answer
PROVE Stack
Each layer answers a control with a signed audit event
"How do we hand the auditor evidence that stands on its own?"
Layer → AICM family
  • P, policy enforced at every operation → DSP / AIS / GRC
  • R, role-aware, field-level disclosure → DSP / IAM
  • O, tamper-evident origin chain → LOG / CEK
  • V, VC-2.0 attestation per time window → LOG / CEK / A&A
  • E, auditor-verifiable offline against KMS → A&A / LOG
Anchored in
EU AI Act Art. 12 · DORA · ISO/IEC 42001 · ISO/IEC 27701 · GDPR · CSA AICM v1.0.3. Aligned with the Zero Trust principles in NIST SP 800-207.
Every layer's deliverable is a signed audit event, packaged for the auditor as a Proof Pack mapped to specific AICM controls, signed by the customer's KMS and verifiable offline. The pack is the answer; no parallel narrative needed.
AICM asks the controls. PROVE produces the signed evidence that answers them, independently verifiable, no vendor in the loop.
"ZeroH proves what your AI saw, what it was permitted to do, and what it actually did, to any auditor, without ever seeing your data."
ZeroH · Blade Labs · Audit-grade AI infrastructure · 2026
A morning at the bank
PROVE in one user journey.
The persona
Sara · Branch Teller at a Gulf bank
A customer is at her counter, asking about a recent international payment that landed in their account. Sara turns to her AI-assisted CRM and types her question.
"What was the source and amount of customer M's last incoming international payment?"
Behind the answer Sara sees in 200 milliseconds, five things happen inside the gateway.
1
P Policy enforcement
Should this happen?
The system checks Sara's role. Branch Tellers are authorised to look up customer payments. The request proceeds.
2
R Role-aware disclosure
What does the AI actually get to see?
The payment record has dozens of fields. The system shows the AI only four, counterparty name, amount, purpose code, date. Routing details, screening flags, and counterparty address stay withheld.
3
O Origin chain
What gets recorded?
Every disclosure is signed and appended to an unchangeable log. "Sara, Branch Teller, queried customer M's payment at 10:42. Four fields shown, eleven withheld." Edit the record later, the chain breaks visibly.
4
V Verifiable evidence
Can someone check?
Compliance can query: "All Branch Teller queries on customer M's records this month." Structured, signed evidence in seconds. No spreadsheets, no audit-season panic.
5
E Externally replayable
Can we reproduce it months later?
Six months on, an auditor asks: "Replay what Sara saw at 10:42 AM on 12 May." Same input + same policy = same masked output + same proof. Deterministic. Reproducible.
"Sara gets her answer. The customer is served. The bank holds a cryptographic receipt of exactly what was disclosed, when, to whom, and why."