Methodology · v1.1.0 · May 2026

The Evidence Fabric — turning AI governance claims into verifiable artifacts.

Most AI governance tools tell you which controls to claim. The Evidence Fabric is the layer underneath: it produces signed receipts and an offline verifier that your auditor runs without having to trust Vertical Edge AI in the loop. A per-session hash-linked event chain ships today; a cross-session transparency log is on the engagement roadmap.

Vertical Edge AI LLC, Austin, TX. Reviewed 2026-05-18. Next quarterly revision August 2026.

What this methodology is

The methodology has one buyer-facing promise: the artifacts your auditor needs can be produced, exported, and verified — without a vendor in the loop.

Three operational consequences of that promise:

  1. Audit-grade receipts. Each governed AI workflow produces a structured, cryptographically signed receipt summarizing the inputs, classification, policy decision, provider routing, and outputs. The receipt is portable; auditors do not need a vendor portal.
  2. Offline verification. An external auditor runs a standalone command-line verifier on their working-papers laptop. No vendor API. No phone-home. No version-pinned SDK dependency. See the sample evidence package for a buyer-runnable demonstration.
  3. Time-stamped policy history. Policy changes, key rotations, and AI provider roster updates are designed to be recorded in an append-only transparency log. Today a per-session hash-linked event chain is shipped; the cross-session transparency log is on the engagement-scoped roadmap.

If a governance vendor cannot show you any one of these three, they have delivered a checkbox.

Why this matters in 2026

Two facts define the 2026 AI governance environment:

  • The gap between AI pilots and audit-ready AI production is large. Cisco's RSA 2026 research reports that 85% of organizations are experimenting with, piloting, or deploying agentic AI, yet only 5% have agents in broad production. Gravitee's State of AI Agent Security 2026 Report (n=900+ executives and practitioners) reports that only 14.4% of organizations have full IT and security approval for their entire agent fleet.
  • Buyers increasingly start vendor research in AI chatbots (ChatGPT, Claude, Gemini), per G2's 2025 Buyer Behavior Report. Vendors whose claims can be retrieved, cited, and verified by an auditor have a structural advantage.

These two facts compose a single problem: AI is being deployed faster than it can be governed, and the buyers who would govern it are themselves discovering governance vendors through AI. Evidence-readiness infrastructure closes the gap.

What auditors can verify (and what they cannot)

Auditor can verify

The receipt is unmodified since signing | Standalone verifier CLI; signature check
The chain of receipts is internally consistent | Hash-chained event log; offline replay of the per-session chain (signed-checkpoint anchoring is roadmap)
The policy version in force at request time | Versioned policy engine; recorded in the per-session event chain (immutable cross-session transparency-log entries are roadmap)
The provider routing decision and AI provider used | Receipt field; provider attestation reference
Whether redaction or tokenization applied per the policy in force | Receipt field; policy version cross-reference
Whether the per-session event chain was internally consistent | Hash-chain replay of the per-session chain (cross-session transparency-log inclusion proofs are roadmap)
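
The offline replay of a per-session hash-linked chain listed above, as an added sketch that is not Vertical Edge AI's verifier or receipt format: the field names `seq`, `prev_hash`, `payload` and `hash`, the canonical-JSON encoding and the all-zero genesis value are assumptions. It covers chain replay only (no signature check) and shows why a head value anchored outside the chain matters: replay alone cannot notice that trailing events were removed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash of the first event in a session


def event_hash(seq, prev_hash, payload):
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace)."""
    body = json.dumps({"seq": seq, "prev_hash": prev_hash, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append_event(chain, payload):
    """Producer side: link a new event to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    chain.append({"seq": seq, "prev_hash": prev, "payload": payload,
                  "hash": event_hash(seq, prev, payload)})


def replay(chain, expected_head=None):
    """Auditor side: recompute every link offline and return (ok, reason).

    expected_head is a head hash obtained out of band (for example from a
    signed checkpoint); without it, removal of trailing events is invisible.
    """
    prev = GENESIS
    for i, ev in enumerate(chain):
        if ev["seq"] != i:
            return False, f"event {i}: sequence gap or reordering"
        if ev["prev_hash"] != prev:
            return False, f"event {i}: prev_hash does not match predecessor"
        if event_hash(ev["seq"], ev["prev_hash"], ev["payload"]) != ev["hash"]:
            return False, f"event {i}: content does not match recorded hash"
        prev = ev["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "head does not match anchored checkpoint"
    return True, "chain consistent"


def sample_chain():
    """Constructed sample session: classification, policy decision, routing."""
    chain = []
    append_event(chain, {"type": "classification", "label": "PHI"})
    append_event(chain, {"type": "policy_decision", "policy_version": "v7",
                         "action": "redact"})
    append_event(chain, {"type": "provider_routing", "provider": "provider-a"})
    return chain
```
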

Auditor cannot verify from this evidence alone

Whether the AI provider retained data despite zero-data-retention claims | Receipt records the assertion; vendor-side verification still requires the AI provider's own attestation
Whether the operator's policy was correct for their compliance framework | Policy-correctness is a framework + legal interpretation; evidence shows what was in force, not what should have been
Whether the AI's output was substantively correct | Evidence Fabric is the audit trail underneath substantive evaluations (bias testing, red-teaming, output filtering); it does not replace them


What Vertical Edge AI is, and is not

Vertical Edge AI is: an AI governance implementation boutique. We build evidence-readiness infrastructure — signed receipts, offline verifiers, and per-session audit-export packages — with a cross-session transparency log on the engagement roadmap, and we map them to whichever frameworks your auditors recognize.

Vertical Edge AI is not:

  • An audit firm. We do not issue independent audit opinions, attestations, or certifications. Your AIUC-1 / ISO 42001 / SOC 2 / HIPAA auditor remains the opinion issuer.
  • A legal opinion source. Mapping evidence to a framework is not legal advice. Your counsel interprets compliance.
  • A substitute for substantive AI evaluation. Red-teaming, bias testing, and output filtering are separate disciplines.

This separation is intentional and load-bearing. Auditor independence rules (AICPA + ISO 17021) prohibit firms from auditing systems they remediated. We sit before or after the audit — never inside it.

What remains your responsibility

The Evidence Fabric produces evidence. Acting on that evidence remains your responsibility:

  • Choosing the right policy for your framework. We help operationalize the framework; the framework itself is your legal and compliance choice.
  • Selecting AI providers that meet your BAA, DPA, and data-residency requirements. We record the routing decision; we do not pick providers for you.
  • Interpreting evidence as proof. Evidence is what a system did. Your auditor and counsel interpret what it means.
  • Maintaining the policies and key material over time. We supply versioning; you supply the operational discipline to update.
  • Verifying receipts during audits. The verifier runs on the auditor's machine; the auditor uses it.

Frameworks we map to

The Evidence Fabric is framework-agnostic at the primitive level. Engagements map our outputs to whichever standard your auditor recognizes. The Trust Center page contains full per-framework control coverage; this list is a high-altitude summary.

Framework | What the Evidence Fabric maps to
AIUC-1 v1.0 | A003 (agent identity), B006 (MCP security), B008 (caller auth + encrypted transit), E009 (third-party access monitoring), D-domain auditor evidence-packaging controls
NIST AI RMF 1.0 + AI 600-1 (GenAI Profile) | Govern, Map, Measure, Manage functions; particularly Me 4.2 (provenance + traceability) and Ma 2.2 (incident response evidence)
ISO/IEC 42001 | AI management system audit evidence (Clauses 7-10); Annex A controls A.4.5, A.6.2, A.8.2
EU AI Act (Regulation 2024/1689) | Article 50 transparency obligations enter application 2 August 2026 per the EC implementation timeline; Annex III high-risk rules also enter application 2 August 2026 on the published timeline; a Digital Omnibus simplification proposal is active that may revise some high-risk deadlines and is not yet codified
HIPAA Security Rule (45 CFR 164) | Audit controls 164.312(b), integrity 164.312(c), transmission security 164.312(e)
SOC 2 Trust Services Criteria | CC4 (monitoring), CC5 (control activities), CC7 (system operations)
Reg S-P (SEC, 17 CFR 248) | Customer information protection rules apply to SEC-registered investment advisers; signed receipts and the per-session event chain surface the protection trail (cross-session transparency log on the roadmap)


The mappings describe coverage areas. The substantive audit opinion is the auditor's, not Vertical Edge AI's.

Anti-patterns we refuse

Practices we see in the AI governance market and explicitly reject:

  1. "Trust us, we redact PII." Without a receipt, a hash-linked event chain, and an offline verifier, that is a claim, not evidence.
  2. "Look at our nice dashboard." A vendor UI check-mark is not auditor-grade evidence. A signed receipt with an offline verifier is.
  3. Audit theater via demo trust. Shipping cryptographic evidence to prospects in a sales demo creates the trust-theater pattern the methodology is built to solve. Demo trust and forensic trust are distinct modes and must not be conflated.
  4. Single-vendor verification lock-in. If the auditor needs the vendor's SDK to verify the vendor's receipts, the verification is not auditor-independent.
  5. Quantitative claims without first-party data. "Reduces audit time by X%" with no customer measurement is a hypothesis. We label hypotheses as such and remove them from external copy until measured.

How to engage with Vertical Edge AI

We work with regulated mid-market organizations (typically 50–1000 employees) in healthcare, financial services, insurance, legal, technology, and education. Three engagement paths:

  1. AI Exposure Map (AEM) diagnostic. A scoped assessment of where AI touches your data, your customers, and your regulatory perimeter. Output: a portable map identifying control gaps and a prioritized remediation path. Typical scope: a four-week engagement.
  2. Governed workflow to production. One compliance-blocked workflow taken from regulatory audit to a governed, audit-evidenced production deployment. Typical scope: a six-week engagement across three phases.
  3. Framework readiness module (AIUC-1 / ISO 42001 / NIST AI RMF). A diagnostic-and-routing engagement that maps your governance posture to the framework your auditor recognizes and produces auditor-ready evidence across multiple workflows. Typical scope: a 60–90 day engagement.

Vertical-specific implementations — for example a HIPAA-aligned clinical AI workflow, a Reg S-P-compliant adviser workflow, or NAIC-aligned insurer AI vendor onboarding — are scoped the same way. Durations are typical scopes, sized against your exposure map after the regulatory audit.

The sample evidence package and a one-page framework map are publicly downloadable. The verifier CLI runs against the package on any auditor's laptop with Python 3 plus the cryptography library.

For how these engagements run end to end — the six-week, three-phase timeline, what we need from you, and where each path begins — see how we work.

Sources

This methodology was last reviewed 2026-05-18 against:

Vertical Edge AI is an Austin-based AI governance firm. We publish methodology and frameworks under the principle that auditor-grade trust requires auditor-grade transparency. We are not an audit firm. Next quarterly revision August 2026.