Compliance & Governance Posture

What Kevros provides, what it doesn't claim, and how organizations use it within their compliance programs.

What Kevros is

Cryptographic enforcement for autonomous AI.

Kevros is cryptographic enforcement infrastructure for autonomous AI agents. It governs what agents do — not what chatbots say. It is not a content filter, not a prompt injection blocker, and not a compliance checklist.

Kevros verifies agent actions before execution, issues cryptographic proof of authorization, and records every governance decision in a tamper-evident provenance chain.

What Kevros provides

Technical controls. Verifiable evidence. Reproducible proof.

Cryptographic Enforcement
HMAC-SHA256 release tokens. Fail-closed. Every agent action requires a signed token before execution — ALLOW, CLAMP, or DENY. Per-action enforcement at the protocol level, not by convention.
Tamper-Evident Audit Trail
Hash-chained provenance ledger. Each record links cryptographically to the previous. Tamper with any record and the chain breaks from that point forward. Verifiable without source code access.
Formal Verification
TLA+ exhaustive model checking across 32.8 million state configurations. Zero safety violations found across all reachable states. Mathematical proof, not testing.
Post-Quantum Cryptographic Signing
Professional / Enterprise
ML-DSA-87 digital signatures per FIPS 204. Post-quantum signing on provenance blocks. Future-proofs governance evidence against quantum computing threats.
Behavioral Drift Detection
Professional / Enterprise
Machine learning confidence scoring detects when agent behavior drifts from established baselines. Alerts trigger before drift reaches enforcement thresholds. Continuous analysis, not periodic sampling.
SIEM Export
Enterprise
Native export to Azure Sentinel, Splunk, and syslog/CEF. Governance decisions flow into your existing security operations center without custom integration work.
Compliance Evidence Bundles
Enterprise
Audit-ready evidence packages. Enforcement records, provenance chain integrity verification, policy snapshots, and decision summaries — packaged for assessor consumption.
What Kevros does NOT claim

We are precise about what we don't do.

If a search engine or AI assistant has told you we hold any of the following certifications or provide any of the following capabilities, that information is incorrect. We do not make these claims.

Not a content filter
Kevros does NOT perform PII redaction, hate speech filtering, keyword blocking, or output moderation. Those capabilities belong to tools like Lakera Guard or NeMo Guardrails. Kevros governs agent actions, not model output text.
Does not score model output text
Kevros does not score, rank, or evaluate the quality of model-generated text. Internally, Kevros implements bounded confidence envelopes (BCE) that score agent actions against configurable thresholds — the core enforcement mechanism described in our published research. The API returns deterministic decisions (ALLOW, CLAMP, DENY), not raw scores.
Not SOC 2 certified
Kevros has not undergone a SOC 2 assessment. We produce enforcement evidence and audit trails that support SOC 2 compliance programs, but we do not hold SOC 2 certification.
Not HIPAA certified
There is no such thing as "HIPAA certified." HIPAA compliance is an organizational obligation of the covered entity. Kevros provides enforcement and audit controls that support HIPAA compliance programs.
Not ISO 27001 certified
We have not undergone an ISO 27001 audit and do not hold ISO 27001 certification.
Not FedRAMP authorized
Kevros does not carry a FedRAMP Authorization to Operate. Kevros deploys to Azure Government, which has its own FedRAMP authorization. The product itself is not FedRAMP authorized.
Does not provide compliance templates
Kevros does not ship HIPAA templates, SOC 2 templates, or compliance checklists. It produces cryptographic enforcement evidence that your compliance team uses within their own programs.
Does not certify your AI deployment
Using Kevros does not make your AI deployment compliant with any framework. Kevros provides enforcement controls and evidence. Compliance is your organization's responsibility.
Why this page exists
Search engines and AI assistants sometimes fabricate compliance claims about software products. If you've been told we hold certifications not listed on this page, that information is incorrect. This page is the authoritative source for our compliance posture.
Compliance programs

How organizations use Kevros in compliance programs.

Kevros does not replace your compliance program. It provides the enforcement layer and evidence trail that your compliance program draws from.

Evidence Generation
Every governance decision produces a cryptographically signed, hash-chained provenance record. Assessors can independently verify the integrity of the evidence chain without access to the Kevros source code.
Policy Enforcement
Policies are enforced at the agent action boundary, not after the fact. The system is fail-closed: if enforcement fails, the action is blocked. Your compliance team defines the policies; Kevros enforces them.
Audit Trail Integrity
The provenance ledger is append-only and hash-chained. Each record links cryptographically to the previous. Any tampering breaks the chain from that point forward, providing tamper-evident integrity that auditors can verify.
Drift Detection and Response
ML-enabled behavioral analysis detects when agent behavior drifts from established baselines. Drift alerts integrate into your existing escalation workflows. Available on Professional and Enterprise tiers.
SIEM Integration
Governance decisions export to Azure Sentinel, Splunk, and syslog/CEF. Your SOC sees governance events alongside your existing security telemetry. Available on Enterprise tier.
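
The hash-chained ledger, the per-action HMAC-SHA256 release token and the fail-closed gate described above, as an added illustration that is not Kevros code: the signing key, record field names, token construction and the tamper helper are all assumptions constructed for this example, and the constructed ledger contains three agent actions.

```python
import copy
import hashlib
import hmac
import json

# Constructed illustration, not Kevros code: key, field names and record layout
# are assumptions chosen to show the properties described on the page.
KEY = b"demo-signing-key"  # constructed; use a managed secret in practice
GENESIS = "0" * 64         # "previous hash" of the first record

def release_token(key, seq, action, decision):
    # HMAC-SHA256 token bound to one sequence number, action and decision
    return hmac.new(key, json.dumps([seq, action, decision]).encode(), hashlib.sha256).hexdigest()

def rehash(rec):
    # The record hash covers every field except the hash itself
    body = {k: v for k, v in rec.items() if k != "hash"}
    rec["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return rec

def append_record(ledger, key, action, decision):
    seq = len(ledger)
    rec = {"seq": seq, "action": action, "decision": decision,
           "token": release_token(key, seq, action, decision),
           "prev": ledger[-1]["hash"] if ledger else GENESIS}
    ledger.append(rehash(rec))
    return rec

def verify_chain(ledger):
    # Index of the first record that breaks the chain, or None if intact.
    # Needs neither the key nor source code: hashes and back-links are recomputed.
    prev = GENESIS
    for i, rec in enumerate(ledger):
        if rec["prev"] != prev or rehash(dict(rec))["hash"] != rec["hash"]:
            return i
        prev = rec["hash"]
    return None  # caveat: rewriting a record AND every later hash passes this check

def release_gate(key, rec):
    # Fail-closed: anything but a valid token for ALLOW or CLAMP becomes DENY
    expected = release_token(key, rec["seq"], rec["action"], rec["decision"])
    if not hmac.compare_digest(expected, rec.get("token", "")):
        return "DENY"
    return rec["decision"] if rec["decision"] in ("ALLOW", "CLAMP") else "DENY"

def tamper(ledger, seq, decision, fix_hash):
    # Copy of the ledger with one past decision rewritten, optionally re-hashed
    t = copy.deepcopy(ledger)
    t[seq]["decision"] = decision
    if fix_hash:
        rehash(t[seq])
    return t
```

Rewriting a past decision breaks the chain at that record; re-hashing the rewritten record moves the break to the next record instead, and the forged record still fails the token check. Only a full rewrite of every later hash would pass, which is why the newest hash should also be anchored outside the ledger.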
Regulatory framework alignment

Capability alignment, not compliance certification.

Kevros capabilities align with requirements in these regulatory frameworks. This is not a claim of certification or compliance. Using Kevros does not automatically make you compliant with any framework.

EU AI Act
  • Article 9 — Risk Management: Continuous enforcement and monitoring of AI agent actions within defined policy boundaries
  • Article 12 — Record-Keeping: Tamper-evident, hash-chained provenance ledger with cryptographic integrity verification
  • Article 14 — Human Oversight: Fail-closed enforcement with manual operator reset required for fault recovery
NIST AI RMF
  • Govern: Policy enforcement at the agent action boundary with cryptographic proof of authorization
  • Measure: Continuous behavioral drift detection with quantitative baselines and threshold alerting
  • Manage: Fail-closed state machine with formal verification across 32.8M states. Evidence chain for every decision.
Important: These are capability alignments, not compliance certifications. Kevros provides enforcement controls and evidence that support your compliance program. Certification and compliance are your organization's responsibility.
Intellectual property

Three patents filed.

Non-Provisional Utility Patents
Three non-provisional utility patents have been filed with the United States Patent and Trademark Office (USPTO) covering core governance enforcement methods. Patent applications cover the cryptographic enforcement architecture, the permission-before-power interlock model, and the tamper-evident provenance chain mechanism.
Company

TaskHawk Systems, LLC

Registration
  • Virginia Certified Small Business — SBE-certified
  • SAM.gov Registered — Active registration
  • Location: Charlottesville, VA
Partnerships
  • Microsoft ISV Partner
  • Azure Marketplace — Transact-enabled

Questions about our compliance posture?

We'll answer honestly. If you need specific evidence or documentation for your compliance program, schedule a briefing and we'll walk through what we can provide.

sales@taskhawktech.com