Certification programme · KYE Conformant · KYE Certified

Conformance you can replay with public keys alone.

Five tiers, 41 black-box fixtures, 266 control mappings across 13 frameworks. Every claim at every tier is a signed artefact a regulator or auditor can verify offline. The protocol is Apache 2.0; certification is the only commercial layer.

flag Why certify stairs The ladder science 40 fixtures rule 266 mappings verified_user Audit firms refresh Maintain play_arrow Start
Why certify

Three pressures, one artefact.

gavelRegulatoryEU AI Act, DORA, PSD3, NIS2, FedRAMP and 9 more frameworks ask for evidence the protocol already produces. Certification is the bridge.
business_centerProcurementRegulated buyers' procurement teams ask: "show us a signed conformance report you didn't write yourself." L3 / L4 are exactly that.
verifiedTrustPublic-key-verifiable claims defeat the "trust us" failure mode. Anyone can replay a certification artefact end-to-end.
The ladder

Five tiers, each one a public claim.

  • L0Declared — you publish a profile statement. No verification, no listing. The honest baseline; useful for early-stage integrations and roadmaps.
  • L1KYE Self-Tested — run the 41-fixture conformance pack locally and self-declare. Available today.
  • L2KYE Self-Attested — signed self-attestation (Ed25519, JWS) bundled with fixture results. Available today; programme verifies the signature.
  • L3KYE Conformant — programme review of schema + endpoint + behaviour + evidence shape + error codes + edge cases. Programme in development; opens with v1.1.
  • L4KYE Certified — third-party-audited certification by an approved audit firm; annual revalidation. Programme in development; first audit firms onboarding with v1.1.

Capability-scoped Conformance badges

Within each tier, an implementation can carry capability-scoped marks. Each badge attests to a defined slice of the conformance pack — not the whole thing — so an implementation can grow its claims one capability at a time.

KYE Core Conformant Core authority, delegation, scope, state, audit, decision-code conformance against the Core fixture set. Programme in development
KYE Authority Conformant Authority Finality binding — actor · on-behalf-of · capability · scope · state · audit — tested end-to-end. Programme in development
KYE Capability Conformant Capability registry, grant, invocation, quarantine and cascade fixtures all pass. Programme in development
KYE Evidence Conformant Evidence Pack generation, signing, replay and OSCAL projection conformance. Programme in development
Capability-scoped badges are still in development. They become live once the public conformance programme opens registration and the per-capability fixture pack is frozen. Until then, only the five tiers above are issued. Capability badges, when issued, will be versioned, time-limited, and link to a public verification record at /badges/{badge_id}/verify showing implementation, profile version, test-suite version, issued / expires dates, and revocation status.
126 conformance fixtures

Black-box, deterministic, replayable.

The conformance pack is 41 black-box fixtures grouped into seven families. Each fixture takes a signed input, expects a deterministic output, and is replayable offline using the published key set. No fixture depends on hosted infrastructure; conformance is reproducible on a laptop.

  • Identity & URN — entity creation, URN parsing, class taxonomy, alias resolution, trust-domain assertions.
  • Delegation chain — chain construction, attenuation rules, parent ⊇ child enforcement, SCA-at-the-edge propagation.
  • Authority grants — capability binding, scope predicate evaluation, revocation, time-bound expiry.
  • State & lifecycle — state transitions, quarantine, suspension, replay, recovery.
  • Decision & runtime/v1/runtime/authorize contract, decision codes, constraint emission, latency envelope.
  • Evidence & audit — append-only chain integrity, evidence-pack composition, OSCAL projection, public-key replay.
  • Cascade & recovery — cascade propagation properties (timing assertions only; mechanism is in the patent track).
266 control mappings

13 frameworks, one rail.

Conformance projects through the KYE Compliance Mapping Rail into 266 named controls across 13 frameworks. The same evidence pack satisfies multiple frameworks; you do not run separate audits for the same artefact.

  • SOC 2 (TSC 2017) · ISO 27001:2022 · ISO 42001 · PCI DSS 4.0
  • PSD2 / PSD3 · DORA · NIS2 · EU AI Act
  • NIST AI RMF · NIST CSF 2.0 · NIST 800-207 (Zero Trust)
  • GDPR · FedRAMP Moderate / High · HIPAA · MiCA · IEC 62443 · 42 CFR Part 2
fact_check Per-framework reference → integration_instructions OSCAL projection badge AI System Compliance Card
Approved audit firms

L4 audits, by firms a regulator already accepts.

L4 audits are run by independent firms approved by the KYE Protocol programme. Approval criteria: SOC 2 / ISO 27001 / EU AI Act-notified-body credentials, prior regulated-sector audit experience, and a signed audit-firm agreement that aligns scope, evidence handling, and report format. Audit firms do not pay to be listed; partners and end customers select from the published list.

The approved-audit-firm roster opens with the v1.1 release. Firms interested in joining should contact the programme via the link below.

verified_user Audit firm enquiry → fact_check Auditor view of the protocol
Maintaining certification

Cadence + change-notification.

  1. M1L1 / L2 self-tiers. Re-run fixtures whenever your integration changes; resubmit signed report. No fixed cadence.
  2. M2L3 KYE Conformant. Notify the programme on any breaking change. Programme spot-checks 10% of L3 partners per quarter. Listing flagged if checks fail.
  3. M3L4 KYE Certified. Annual revalidation by your audit firm. Listing carries the last-revalidation date. Lapsed certifications drop to L3 status until refreshed.
  4. M4Spec version bumps. Major-version bumps (v1 → v2) require re-certification within 12 months. Minor bumps are additive; no re-cert.
Start

Begin certification.

For most teams, the path is L1 first (run fixtures, find gaps), then L2 (sign + submit), then L3 (programme review). L4 is the destination, not the starting point.

code Get the conformance pack → forum Talk to the programme handshake Partner programme checklist Readiness self-test first
Adjacent reading

Where to go next.

rule Conformance & mappings → fact_check Per-framework school Training groups Working groups

Ready to see your AI agents flagged?

Start in shadow mode. We’ll deliver your first Evidence Pack in 4–8 weeks.

rocket_launch Apply for pilot → science Try the sandbox →