Compliance · conformance · certification

From runtime decision to framework control — one rail.

KYE Compliance Mapping Rail binds every runtime control to the obligations frameworks impose. 173+ mappings across 13 frameworks, signed evidence packs an auditor verifies with public keys alone, and a 5-tier KYE Conformant / KYE Certified badge ladder.

Compliance frameworks

From AI governance to sector-grade authority control.

KYE Protocol provides a protocol-level evidence layer for regulated AI and automation. Use KYE Compliance Mapping Rail profiles to bind runtime controls and signed evidence packs to the specific obligations every framework imposes. KYE does not replace these frameworks — it produces the evidence they consume.

EU AI Act

KYE EU AI Act Profile

Maps KYE entity, authority, capability, state, human oversight, and audit controls to EU AI Act obligations (Art. 9–18, 26, 50, 72, 73, 79).

  • KYE-EUAIACT-001 Entity accountability mapping
  • KYE-EUAIACT-002 AI system & AI agent registry
  • KYE-EUAIACT-003 Capability manifest + risk classification
  • KYE-EUAIACT-004 Human oversight decision gates
  • KYE-EUAIACT-005 Runtime authority decision logs
  • KYE-EUAIACT-006 Technical documentation evidence pack
  • KYE-EUAIACT-007 Corrective action & revocation trail
  • KYE-EUAIACT-008 Provider / deployer / operator role mapping
  • KYE-EUAIACT-009 High-risk workflow profile
  • KYE-EUAIACT-010 Post-market monitoring evidence hooks

Horizontal frameworks

10 frameworks. One evidence model.

  • ISO/IEC 42001 — AI management system inventory, responsibility mapping, risk/impact, lifecycle controls, oversight logs.
  • NIST AI RMF — Govern / Map / Measure / Manage evidence around actors, risks, controls, decisions, lifecycle.
  • ISO 27001:2022 — Access control, asset/entity inventory, privileged access, logging, incident evidence.
  • SOC 2 — Security, availability, confidentiality, change management, access reviews, audit evidence.
  • GDPR / UK GDPR — Role mapping, lawful authority trail, data access, automated decision governance, audit.
  • DORA — ICT third-party authority, operational resilience, incident response, auditability.
  • NIS2 — Cybersecurity governance, incident traceability, supply-chain controls, access authority.
  • PCI DSS 4.0 — Payment capability restrictions, credential state, wallet/payment authority, audit logs.
  • HIPAA — Healthcare entity access, minimum-necessary, emergency/break-glass, audit trails.
  • NIST 800-207 — Zero-Trust Architecture: identity, device, network, application, data telemetry.

All ten exposed via the KYE Compliance Mapping Rail schema (schemas/compliance-mapping.json) — one document binds a control to the KYE runtime events that produce its evidence.

KYE produces evidence; certifications remain the customer’s. KYE does not replace legal counsel, regulatory filings, conformity assessments, or notified-body involvement.

Conformance & Certification

Trust, but verify.

KYE implementations can be tested against open conformance suites and verified through the public KYE Certification Registry. Earn badges that prove protocol alignment across entity authority, state, delegation, decisions, audit trails, and evidence packs — with annual renewal, signed records, and public-key verification.

KYE Self-Tested

Run the open conformance pack locally.

Free, vendor-published. Backed by a passing run of conformance-run.json.

KYE Self-Attested

Sign + publish a declaration of conformance.

Self-audit + signed self-attestation.json. Quarterly renewal. Not equivalent to certified.

KYE Conformant

Programme-verified test run.

Variants: Core / Authority / Capability / Evidence / Recovery / Payments / Healthcare / EU AI Act. Annual renewal.

KYE Certified

Reviewed by KYE programme + listed in registry.

Signed certification-record.json · public verification URL · revocation tracking · 12-month renewal.

Govern the governance layer. KYE Self-Audit & Attestation Profile lets implementations continuously verify their own engines, decisions, audit trails, evidence packs, and Decision Maps — via Engine Health, Decision Replay, Audit-Trail Integrity Check, Evidence Completeness Check, and Policy Coverage Report.

Trust & assurance

Built to be handed to your audit team on day one.

Open spec. Reference implementation. Conformance fixture pack. Cryptographic proof bundles. Nine-framework control mapping. RFC 7807 error envelope. Quantitative SLA tiers. The artefacts a Tier-1 bank’s GRC team needs are in the repo, not in a sales deck.

Endpoints: 87

Routed in the reference Gateway. Every state-changing endpoint accepts Idempotency-Key and emits an audit event with a shared correlation_id.

Profiles · normative: 15

Core, Gateway, Federation, Credentials, Attestation, Signals, Transparency, Conformance, Treasury, Custody, Healthcare, Telemetry, Capability, Recovery, Payments — plus 3 payment overlays.

Conformance fixtures: 37

Each fixture is a deterministic black-box test the auditor replays against any conformant Gateway. conformance-report.json emits machine-readable evidence.

Control mappings: 173

SOC 2 · ISO 27001:2022 · PCI DSS 4.0 · PSD2/PSD3 · DORA · NIS2 · EU AI Act · NIST 800-207 · HIPAA. Each row cites the KYE artefact + the Gateway endpoint that produces it.

SLA tiers: 3

Tier-1 Bank (p99 ≤ 50 ms, 1k rps), Tier-2 Mid-market, Tier-3 Reference. Quantitative claims backed by signed conformance reports.

Tests · all green: 220+

Reference Gateway · ePDP · PEP · TS / Python / Go SDKs · webhook vectors · schema validations · 22 OPA Rego + Cerbos policy fixtures at parity.

Mapped to SOC 2 · ISO 27001:2022 · PCI DSS 4.0 · PSD2/PSD3 · DORA · NIS2 · EU AI Act · NIST 800-207 · HIPAA

KYE produces evidence; certifications are the customer’s. The repo ships a complete control-mapping document showing which KYE artefact — entity record, delegation, scope, credential, attestation, audit event, proof bundle, signal, transparency receipt, capability grant, recovery proof, break-glass grant, compromise report, state transition — satisfies which control, with the exact endpoint to extract it.

Banking-grade

Production posture

  • Append-only audit chain with point-in-time replay (POST /v1/audit/point-in-time)
  • Ed25519-signed proof bundles — verifiable with public keys alone
  • Cascading stop signals (entity → delegations → payment authorities → access rights → capability grants — in milliseconds)
  • Break-glass authority with mandatory post-hoc review and time-cap
  • Key rotation gated by break-glass grant (POST /v1/keys:rotate)
  • Idempotency keys + signed webhooks + replay window + dead-letter
  • Fail-closed PEP: high-risk actions are denied when the PDP is unreachable
  • Reference Rego sPDPs (22/22 passing)

Open governance

What ships open

  • Vocabulary, ID format, schemas, OpenAPI — Apache 2.0
  • Reference Gateway, three SDKs, conformance fixtures — Apache 2.0
  • Reason-codes registry, control mappings, threat model — in the repo
  • Patent track is separate — the open contract is and will remain royalty-free for any conformant implementation
  • Trademark policy lets you say “KYE Protocol-compatible” once you pass the conformance pack
  • Discussions repo for RFCs, profile proposals, integration patterns