Certification programme · KYE Conformant · KYE Certified

Conformance you can replay with public keys alone.

Five tiers, 38 black-box fixtures, 266 control mappings across 13 frameworks. Every claim at every tier is a signed artefact a regulator or auditor can verify offline. The protocol is Apache 2.0; certification is the only commercial layer.

Why certify

Three pressures, one artefact.

  • Regulatory: EU AI Act, DORA, PSD3, NIS2, FedRAMP and 9 more frameworks ask for evidence the protocol already produces. Certification is the bridge.
  • Procurement: Regulated buyers' procurement teams ask: "show us a signed conformance report you didn't write yourself." L3 / L4 are exactly that.
  • Trust: Public-key-verifiable claims defeat the "trust us" failure mode. Anyone can replay a certification artefact end-to-end.
The ladder

Five tiers, each one a public claim.

  • L0 Declared — you publish a profile statement. No verification, no listing. The honest baseline; useful for early-stage integrations and roadmaps.
  • L1 KYE Self-Tested — you run the 38-fixture conformance pack locally and self-declare results. Listed in the registry as “self-tested” with a link to your fixture report.
  • L2 KYE Self-Attested — signed self-attestation (Ed25519, JWS) bundled with fixture results. Programme verifies the signature; the claim itself is yours.
  • L3 KYE Conformant — full programme review of schema + endpoint + behaviour + evidence shape + error codes + edge cases. Badge issued; registry listing upgraded; co-marketing eligible.
  • L4 KYE Certified — third-party-audited certification by an approved audit firm. Annual revalidation. The mark a regulated buyer can put in front of their supervisor.
38 conformance fixtures

Black-box, deterministic, replayable.

The conformance pack is 38 black-box fixtures grouped into seven families. Each fixture takes a signed input, expects a deterministic output, and is replayable offline using the published key set. No fixture depends on hosted infrastructure; conformance is reproducible on a laptop.

  • Identity & URN — entity creation, URN parsing, class taxonomy, alias resolution, trust-domain assertions.
  • Delegation chain — chain construction, attenuation rules, parent ⊇ child enforcement, SCA-at-the-edge propagation.
  • Authority grants — capability binding, scope predicate evaluation, revocation, time-bound expiry.
  • State & lifecycle — state transitions, quarantine, suspension, replay, recovery.
  • Decision & runtime — /v1/runtime/authorize contract, decision codes, constraint emission, latency envelope.
  • Evidence & audit — append-only chain integrity, evidence-pack composition, OSCAL projection, public-key replay.
  • Cascade & recovery — cascade propagation properties (timing assertions only; mechanism is in the patent track).
266 control mappings

13 frameworks, one rail.

Conformance projects through the KYE Compliance Mapping Rail into 266 named controls across 13 frameworks. The same evidence pack satisfies multiple frameworks; you do not run separate audits for the same artefact.

  • SOC 2 (TSC 2017) · ISO 27001:2022 · ISO 42001 · PCI DSS 4.0
  • PSD2 / PSD3 · DORA · NIS2 · EU AI Act
  • NIST AI RMF · NIST CSF 2.0 · NIST 800-207 (Zero Trust)
  • GDPR · FedRAMP Moderate / High · HIPAA · MiCA · IEC 62443 · 42 CFR Part 2
Approved audit firms

L4 audits, by firms a regulator already accepts.

L4 audits are run by independent firms approved by the KYE Protocol programme. Approval criteria: SOC 2 / ISO 27001 / EU AI Act-notified-body credentials, prior regulated-sector audit experience, and a signed audit-firm agreement that aligns scope, evidence handling, and report format. Audit firms do not pay to be listed; partners and end customers select from the published list.

The approved-audit-firm roster opens with the v1.1 release. Firms interested in joining should contact the programme via the link below.

Maintaining certification

Cadence + change-notification.

  1. M1: L1 / L2 self-tiers. Re-run fixtures whenever your integration changes; resubmit signed report. No fixed cadence.
  2. M2: L3 KYE Conformant. Notify the programme on any breaking change. Programme spot-checks 10% of L3 partners per quarter. Listing flagged if checks fail.
  3. M3: L4 KYE Certified. Annual revalidation by your audit firm. Listing carries the last-revalidation date. Lapsed certifications drop to L3 status until refreshed.
  4. M4: Spec version bumps. Major-version bumps (v1 → v2) require re-certification within 12 months. Minor bumps are additive; no re-cert.
Start

Begin certification.

For most teams, the path is L1 first (run fixtures, find gaps), then L2 (sign + submit), then L3 (programme review). L4 is the destination, not the starting point.
