Compliance · Evidence outputs · Control alignment
Evidence outputs mapped to controls.
CEYO provides deterministic, integrity-sealed artifacts that support verification and audit workflows under explicit policy scope. This page describes functional correspondence only. It does not certify compliance or provide legal advice.
Summary
- Operators define capture scope and disclosure tiers before artifacts are generated.
- Artifacts are canonicalized and sealed to make tampering detectable and provenance verifiable.
- Auditors verify integrity mechanically through canonicalization, hashing, signature validation, and policy alignment review.
Compliance matrix
The mappings below describe how CEYO artifacts can support common integrity-oriented control expectations. Sufficiency is determined by the deploying institution and relevant authority.
| Control expectation | CEYO output | Verification method | Notes / boundary |
|---|---|---|---|
| Record-keeping | Canonical artifact with policy ID/version and timestamp. | Recompute canonical bytes and hash; validate signature. | Integrity of record, not correctness of decision. |
| Integrity | Digest + signature over canonical payload. | PASS / FAIL outcome from deterministic procedure. | Tamper-evidence from seal time forward. |
| Provenance | Public key reference / KMS key ID and signature metadata. | Signature validation using referenced public key chain. | Key custody is operator responsibility in the non-custodial model. |
| Scope discipline | Policy identifier and version embedded in artifact, with policy hash where used. | Policy alignment check against expected ID / version / hash. | Confirms declared scope, not whether scope was appropriate. |
| Constrained disclosure | Disclosure tier designation such as public, redacted, or controlled review. | Review within tier boundaries without default exposure of proprietary internals. | Tier sufficiency is proceeding-specific. |
| Auditability | Stable schema and canonicalization version for repeatable validation. | Re-run verification across environments with the same artifact and declared policy scope. | Does not guarantee inference reproducibility beyond scope. |
| Availability | Fail-open posture with seal failures logged or flagged. | Operational log review plus artifact sealing status review. | Availability posture is operator-configured. |
Boundary
CEYO produces integrity-sealed records. It does not certify compliance, legality, or decision correctness. Verification confirms integrity and provenance under declared policy scope — not correctness of model output.
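The verification order the matrix describes (recompute canonical bytes and hash, validate the signature, then check policy alignment) is sketched below as an added example; it is not CEYO code. The artifact layout, field names, sorted-key JSON canonical form, demo key and policy values are all assumptions, and HMAC-SHA256 stands in for the public-key signature so the sketch runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed values for illustration; not CEYO's schema, keys or policy IDs.
# HMAC-SHA256 is a stand-in for a public-key signature checked against a key reference.
DEMO_KEY = b"constructed-demo-key"
EXPECTED_POLICY = {"policy_id": "POL-EXAMPLE", "policy_version": "1.0"}

def canonical_bytes(payload):
    """Assumed canonical form: sorted keys, no insignificant whitespace, UTF-8."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def seal(payload, key=DEMO_KEY):
    """Build an artifact: payload plus digest and signature over its canonical bytes."""
    data = canonical_bytes(payload)
    return {"payload": payload,
            "digest": hashlib.sha256(data).hexdigest(),
            "signature": hmac.new(key, data, hashlib.sha256).hexdigest()}

def verify(artifact, expected_policy=EXPECTED_POLICY, key=DEMO_KEY):
    """Return ("PASS", None) or ("FAIL", reason); checks run in a fixed order."""
    try:
        payload = artifact["payload"]
        if not isinstance(payload, dict):
            raise TypeError("payload must be an object")
        digest = str(artifact["digest"]).encode()
        signature = str(artifact["signature"]).encode()
        data = canonical_bytes(payload)
    except (KeyError, TypeError, ValueError):
        return ("FAIL", "malformed artifact")
    if not hmac.compare_digest(hashlib.sha256(data).hexdigest().encode(), digest):
        return ("FAIL", "digest mismatch")
    if not hmac.compare_digest(hmac.new(key, data, hashlib.sha256).hexdigest().encode(), signature):
        return ("FAIL", "signature invalid")
    for field, want in expected_policy.items():  # policy alignment comes last
        if payload.get(field) != want:
            return ("FAIL", "policy mismatch: " + field)
    return ("PASS", None)

SAMPLE = seal({"policy_id": "POL-EXAMPLE", "policy_version": "1.0",
               "timestamp": "2024-01-01T00:00:00Z", "disclosure_tier": "redacted",
               "record": {"decision": "approve"}})

if __name__ == "__main__":
    print(verify(SAMPLE))
```

A PASS here says only that the sealed bytes are unchanged and the declared policy matches the expected one; it says nothing about whether the recorded decision was correct.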