One signed package. Generated, not written.
# Legation Audit Package 1. Live attestation — the sealed bag verifies against its key (YES/NO) 2. Frameworks covered — controls in-scope / satisfied, all 31 frameworks at once 3. Technology & cryptography disclosure 4. Lethal-trifecta structural defense — the four hard boundaries 5. Insurance readiness — the underwriter checklist + liability attestation 6. Verifiable AIBOM — the AI bill of materials, bound to the seal 7. Control implementation — every control → the exact mechanism
Because the controls live in the envelope (fixed, disclosed) and not the application (variable), this package is the same every deployment. One dial — Bolt-on → Regulated → Sovereign — sets the bar: a commercial Bolt-on/Regulated node inherits the same core envelope controls as a Sovereign node (CNSA 2.0 SHA-384 seal, in-VPC treaty enforcement, dual Recall, metadata-only audit); the Sovereign tier additionally adds TEE-backed confidentiality and post-quantum cryptography. Your assessment is a review of evidence, not an investigation.
It ingests where you already work.
OSCAL
NIST OSCAL component-definition — continuous, machine-readable controls for your GRC platform.legation oscal --bag
AIBOM
Verifiable AI Bill of Materials — every component bound to the sealed Merkle root.legation aibom --bag
Decision replay
Every agent decision — including the ones it blocked. The Art. 11/12 explainability requirement.
Insurance readiness
The underwriter checklist, addressed item by item, with a liability-allocation attestation.legation insurance --bag
Every claim is independently checkable, offline.
| Claim | How you verify it (no operator trust required) |
|---|---|
| Integrity — nothing was altered | Recompute the SHA-384 Merkle root from the landed artifacts; compare to the bag. |
| Authenticity — it's from the operator | Verify the Ed25519 signature against the published accreditation key. |
| Identity — each agent is scoped | Verify each agent's SPIFFE-aligned credential: signature, expiry, scope, revocation, and per-call proof-of-possession — a leaked credential alone is not identity. |
| Confidentiality — the hub can't read | The routing hub holds no key; sealed-box decryption is mathematically impossible for it. |
| Behavior — what the agents did | Replay the metadata audit chain — every approved and every blocked action, hash-chained. |
The strongest evidence is the kind you don't have to take on faith. Recompute the hashes; check the signatures. It holds — or it doesn't.
What Legation covers — stated plainly.
Credibility means drawing the line precisely. Legation makes the deployment's data boundary, control enforcement, and auditability tightly defined and machine-verifiable and bounds the blast radius. It does not claim more than it delivers, and it states what remains the customer's under the shared-responsibility model:
✓ What it enforces
Data-flow control (only governed projections cross) · enforced treaty · dual kill switch · tamper-evident metadata audit · per-agent scoped identity · cryptographic integrity + authenticity. The operator and the routing hub cannot read the data, at every tier. This is the in-scope technical control set Legation carries: AC, AU, IA, SC, SI.
⚠ Stated limits & POA&M
Host visibility: protection of the operator's IP from a malicious host is cryptographic only at the TEE (Sovereign) tier; below it, obfuscation + contract. Containment ≠ correctness: within the treaty, a flawed agent can still err (covered by the insurance layer). POA&M items: where a control requires a FIPS 140-3 validated cryptographic module or operator PIV/CAC-backed MFA, Legation surfaces it as an open POA&M item rather than asserting it satisfied. Customer-owned: physical and personnel controls at the customer boundary remain the customer's.
One evidence set, mapped to 31 frameworks — flip the framework, the same evidence re-maps.
CMMC Level 2 is the 110 controls of NIST SP 800-171 Rev 2, assessed by a C3PAO; FedRAMP maps to NIST SP 800-53. Legation enforces the in-scope technical control families it owns — Access Control, Audit & Accountability, Identification & Authentication, System & Communications Protection, and System & Information Integrity (AC, AU, IA, SC, SI) — and legation evidence emits the assessment artifacts directly: SSP, SPRS score, POA&M, STIG checklist (CKL), and SBOM/AIBOM. It does not make you compliant wholesale; it carries its share of the shared-responsibility split with machine-checkable evidence and names what remains yours.