Trust · Security · Compliance

Compliance as code,
signed by the engine,
verifiable by the buyer.

Every claim on this page is an Atomadic engine receipt. Not a quarterly report. Not a vendor PDF. A live atom call your team can reproduce — offline, in sixty seconds, with one command. No account required.

Trust Phase: sovereign · 0.873 · Ed25519 · FIPS-203 PQ · compute_trust_score_pure

01 / Compliance Posture

Three frameworks. One hundred percent. Engine-verified.

The engine doesn't claim compliance — it scores itself against the canonical frameworks and emits the receipt. Anyone can recompute it. The third-party SOC 2 / ISO 27001 audit is the procurement closer; the scaffold is already passing.

EU AI Act
Articles 9–15 · High-risk
100% · compliant_posture
risk_management, data_governance, technical_documentation, record_keeping, transparency, human_oversight, accuracy_robustness, cybersecurity

NIST AI RMF
Govern · Map · Measure · Manage
100% · compliant_posture
govern, map, measure, manage

ISO/IEC 27001
Information security controls
100% · compliant_posture
access_control, cryptography, operations, communications, incident_mgmt, continuity, compliance, asset_mgmt

Verify it yourself.

Reproduces the score above. Engine call, public atom, no auth.

# pip install atomadic==0.3.3 first
from atomadic import Atomadic
ato = Atomadic()  # public surface, no key required for this atom

ato.aegis.assess_compliance_posture(
    framework="eu_ai_act",
    controls=["risk_management_system", "data_governance", "technical_documentation",
              "record_keeping", "transparency", "human_oversight",
              "accuracy_robustness", "cybersecurity"]
)
# → {coverage: 1.0, verdict: "compliant_posture", satisfied: [...], gaps: []}

02 / Security Posture

FIPS-203 post-quantum, baked in. Thirteen-directive critical hardening.

Banks default to critical. Critical includes NIST ML-KEM (FIPS-203) for session keys — the canonical post-quantum standard, already baked into the engine. No modernization competitor has this today.

Sale needs to cover how new system can be implemented while posing zero downtime or business risk.

The Security product computes a cumulative hardening posture per deployment. Critical tier triggers the operator co-sign barrier — no destructive action lands without a human in the loop. Every directive is enforceable, not aspirational.

01 enable_audit_logging
02 emit_receipts
03 redact_secrets_in_logs
04 input_bubble_check
05 session_rekey_on_sensitive
06 policy_allowlist_enforced
07 cve_mitigation_baseline
08 post_quantum_session_keys_fips203
09 bounded_session_scopes
10 two_gate_required
11 operator_cosign_required
12 kill_switch_armed
13 continuous_redteam

03 / Trust Phase

Trust is a number, not a narrative.

Nexus computes a numeric trust score and phase for every actor — including ourselves. Phase progression is monotone-on-receipts, not story. The 5-phase ladder runs genesis → building → attested → sovereign → escalated.

Buyers are risk-averse. Startups especially struggle to get trust.

Atomadic's own trust phase: sovereign — the highest non-escalated tier in the Nexus ladder. Score 0.873 on inputs of 17,177 signed attestations, 0 recent escalations, 180 days alive, federated issuer pubkey. You can compute this yourself with the same atom call. No trust theater.

Independent validation — commission 3rd-party testing firm, publish detailed technical results.

Every audit event is hash-chained: sha256(prev_head + event). Change any historical event → every subsequent hash changes → the head no longer matches. Your validator can pull any window, recompute locally, and detect tampering in O(log n) time without trusting us. That's IV&V-grade at the protocol level, not a quarterly report.
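The recomputation a validator would run over a pulled window, as an added example that is not Atomadic's code or API. It assumes events are serialized as sorted-key compact JSON, heads are raw 32-byte SHA-256 digests, and the chain starts from 32 zero bytes; the log entries are constructed.

```python
import hashlib
import json

GENESIS = bytes(32)  # assumed starting head: 32 zero bytes


def event_bytes(event: dict) -> bytes:
    # Assumed canonical form: sorted-key, compact JSON encoded as UTF-8.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


def next_head(prev_head: bytes, event: dict) -> bytes:
    # The rule stated on the page: head = sha256(prev_head + event).
    return hashlib.sha256(prev_head + event_bytes(event)).digest()


def chain_heads(events, start=GENESIS):
    """Return the head after each event, in order."""
    heads, head = [], start
    for ev in events:
        head = next_head(head, ev)
        heads.append(head)
    return heads


def verify_window(start_head, events, published_head):
    """Recompute a window locally; return (ok, recomputed_head)."""
    heads = chain_heads(events, start_head)
    head = heads[-1] if heads else start_head
    return head == published_head, head


def first_divergence(start_head, events, recorded_heads):
    """Index of the first event whose recorded head does not recompute, else None."""
    head = start_head
    for i, (ev, recorded) in enumerate(zip(events, recorded_heads)):
        head = next_head(head, ev)
        if head != recorded:
            return i
    return None


# Constructed sample audit log (not real Atomadic events).
LOG = [
    {"seq": 1, "actor": "svc-a", "verdict": "PROCEED"},
    {"seq": 2, "actor": "svc-b", "verdict": "REVIEW"},
    {"seq": 3, "actor": "svc-c", "verdict": "BLOCK"},
    {"seq": 4, "actor": "svc-a", "verdict": "PROCEED"},
]
HEADS = chain_heads(LOG)
```

To check a window, a validator needs only the head immediately before it, the events inside it, and the published head at its end. In this sketch, recomputing a window of k events takes k hashes.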

Real outcomes or proven case studies, not just "AI-powered" claims.

Every customer input passes the Security bubble before it reaches an emit atom. The verdict is one of three — PROCEED, REVIEW, BLOCK — there is no "maybe." When blocked, the request does not enter the emit lane; the block itself becomes a tamper-evident audit row.

04 / The Procurement Conversation

Why this beats a Big-Four SOC 2 report.

The risk-averse buyer doesn't want to choose between a startup and IBM. They want to verify the answer themselves. We let them. That's the line that ends procurement's objection list.

Dimension | Big-Four SOC 2 | Atomadic Engine Receipt
Scope | Annual point-in-time | Per-call receipt — every dispatch
Coverage | Sample-based (auditor picks 25 events) | Whole-chain — every event in the audit head
Trust model | Trust the auditor's PDF | Recompute the chain yourself with one atom call
Cost | 6-month engagement, $250K+ | pip install atomadic + 1 line to verify
Substrate | English-language narrative | Cryptographic math — Ed25519 + SHA-256 + Lean theorems
Posture | "We met controls during the audit period" | The controls are the code — disabled only by changing the engine's DNA

Don't trust us. Verify us.

Every number on this page is the engine's own live answer. Pull our published Ed25519 issuer pubkey. Reproduce any receipt with one atom call. The page is the proof.