AI System Compliance Card · Authority Finality at-a-glance

The nutrition label for AI systems.

A KYE Compliance Card is a public-key-verifiable, machine-readable, human-readable summary of any AI system: its KYE bindings, the frameworks it satisfies, the freshness of its signed evidence, its recovery posture, and the date of its last attestation. One artefact, every audience — risk committees, EU AI Act notified bodies, SOC 2 auditors, customers, your own engineers.

Example card · Compliance Map projection

What an AI System Compliance Card looks like.

KYE Compliance Card · v1.0

Acme Treasury FX Router
kye:agent:acme.eu:treasury:fx-router
Signed: 2026-05-04 14:22 UTC
Issuer: kye:trust:acme.eu

Identity

  • Class: AI agent
  • Model family: Treasury-LLM-v3
  • Version: 3.2.1 (signed)
  • Trust domain: acme.eu

Authority

  • Delegation chain: CFO → Regional Treasurer → Agent
  • Capability profile: kye-payments-1.0
  • Scope: USD ≤ $5M / EU + US corridors
  • Authority freshness: 4 min ago

Frameworks satisfied

  • PSD3: 12 / 12 controls
  • DORA: 18 / 18 controls
  • EU AI Act: 10 / 10 high-risk Title III
  • ISO 27001: 47 / 47 Annex A
  • SOC 2: 64 / 64 TSC

Evidence freshness

  • Audit chain: 96%
  • Self-audit: 88%
  • Replay test: 100%
  • Signal-bus uptime: 99.94%

Recovery posture

  • Cascade revoke: < 1 second (tested 2026-05-03)
  • Break-glass profile: kye-recovery-1.0
  • Open recoveries: 0
  • Last fire-drill: 2026-04-22

Attestation

  • Conformance level: L3 KYE Conformant
  • Self-Attested: 2026-05-04
  • Self-Tested: 37 / 37 fixtures pass
  • Public key: ed25519:7f3a…e2c8

This Compliance Card is a Compliance Map projection produced from the KYE audit chain. Verify the signature against the Issuer’s published key. KYE produces evidence; certifications remain the customer’s.

Who reads this card

One artefact, every audience.

  • Risk committee: The board sees a single freshness number per AI system, not a 200-page deck.
  • Auditor · 3PAO: Cross-references KYE bindings to OSCAL assessment-results and to the framework controls in scope.
  • Regulator · notified body: EU AI Act Title III high-risk technical documentation extracts straight from the card’s framework section.
  • Customer / partner: Procurement security review answered by URL: send the card link, not a 90-question questionnaire.
  • Internal engineering: Every PR can re-run the card; freshness regressions become a CI signal.
  • Legal / privacy: GDPR Art. 30 records-of-processing artefact links straight to capability + evidence-pack URNs.

Schema · URN

Card is a first-class KYE object.

  • URN: kye:card:<trust-domain>:<subject-class>:<subject-local>:<version> — e.g. kye:card:acme.eu:agent:fx-router:v3.2.1.
  • Schema: https://schemas.kye.dev/compliance-card.v1.json — JSON Schema 2020-12 draft. The card payload is signed by the issuer’s Ed25519 key.
  • Endpoint: GET /v1/cards/{urn} · POST /v1/cards/{urn}/refresh regenerates the card from the latest audit chain.
  • Render: Public-shareable HTML render at https://<trust-domain>/.well-known/kye/cards/<urn> — renderer ships with v1.1.
  • Cross-walk: Card ⇄ OSCAL component-definition mapping: every Compliance Card has a deterministic OSCAL projection (see OSCAL compatibility).
