VeriCore: Deterministic Compliance Layer for AI Systems

A cryptographic audit infrastructure that makes every AI decision traceable, verifiable, and EU AI Act defensible.

1. System Overview

VeriCore is a deterministic governance engine that intercepts AI decisions in real-time, evaluates them against configurable compliance rules, and seals every verdict into a tamper-evident cryptographic chain. Unlike probabilistic LLM guardrails, VeriCore uses a mathematical scoring model with hard binary gates — no AI is used in the decision loop itself.

Key Differentiator: The LLM serves as advisor only. The rule engine is the sole authority. This architectural wall (enforced via Pydantic extra="forbid") satisfies EU AI Act Article 14 human oversight requirements by design.

2. Architecture

Input → [PII Scanner] → [Risk Classifier] → [Hard Gates] → [5-Axis Sigma] → [Verdict] → [Witness Seal] │ │ │ │ │ └ TCKN/SSN/IBAN └ Keyword-based └ Binary └ Weighted └ SHA-256 Email/Phone/MRN risk level pass/fail composite chain append ICD-10 codes (σ < τ → REJECT) score (0-1) (WORM)

3. Core Components

🔒 GOVERNOR Kernel

Deterministic rule engine with configurable thresholds per risk class (LOW → CRITICAL). Computes a composite Sigma score from 5 ethical-operational axes.

⛔ Hard-Gate Interceptor

Binary safety checks (PII detection, malicious patterns, contract violations) that override Sigma scoring. If any gate fires, the decision is REJECTED regardless of score.

🔐 Witness Chain

SHA-256 cryptographic ledger. Each block references the previous block's hash, creating a tamper-evident, append-only chain. Independently verifiable via /api/v1/verify.

🛡️ PII Masking Layer

Isolated endpoint that detects and redacts 8 PII/PHI pattern categories before data enters any third-party context window.

4. Sigma Scoring Engine — 5-Axis Model

Axis	Weight	EU AI Act Reference	Description
Benefit (fayda)	28%	Art. 9 — Risk Mgmt	Value delivered to user/system
Transparency (şeffaflık)	22%	Art. 13 — Transparency	Decision explainability
Compliance (sözleşme)	20%	Art. 9 — RM System	Contract/legal adherence
Resilience (mücbir sebep)	18%	Art. 15 — Robustness	Safe execution capacity
Waste (israf)	12%	—	Resource waste (inverted)

Decision Bands (risk-class dependent)

Risk Class	APPROVED (σ ≥)	ESCALATE (σ ≥)	REJECTED (σ <)
LOW	0.60	0.35	< 0.35
MEDIUM	0.68	0.42	< 0.42
HIGH	0.75	0.50	< 0.50
CRITICAL	0.82	0.60	< 0.60

5. Witness Chain — Cryptographic Structure

Genesis Block (index: 0) hash: 1f04a680a1bd9448c5d9a488fe26e56ce21eb934217f9e8539b5299304603039 prev: 0000000000000000000000000000000000000000000000000000000000000000 data: {"engine":"FEAM GOVERNOR v1.2.1","patent":"TR 2024 121973"} Block N hash = SHA-256( JSON.stringify({ index, timestamp, event, data, prev_hash }) ) prev = Block[N-1].hash event = "AUDIT:APPROVED" | "AUDIT:REJECTED" | "AUDIT:ESCALATE" | "MASK_SCAN"

Verification: The /api/v1/verify endpoint recomputes every hash from Genesis to HEAD without requiring any internal system access. Any single-bit tampering breaks the chain — result: "integrity": "COMPROMISED".

6. Live API Endpoints (Frankfurt EU Region)

Method	Path	Purpose	Latency
GET	`/`	Service status + genesis hash	<5ms
GET	`/api/v1/genesis`	Constitutional genesis block	<5ms
POST	`/api/v1/audit`	Full audit pipeline (PII → Sigma → Seal)	<10ms
POST	`/api/v1/mask`	PII/PHI detection and masking	<5ms
GET	`/api/v1/chain`	Full audit chain (last 100 blocks)	<10ms
GET	`/api/v1/verify`	Independent chain integrity check	<50ms
GET	`/docs`	Interactive Swagger UI	—

Live endpoint: https://feam-audit-api-final.onrender.com — Source: github.com/feam-co/audit-api (public)

7. EU AI Act Compliance Mapping

EU AI Act Article	Requirement	VeriCore Implementation
Art. 9	Risk Management	5-axis Sigma with risk-class thresholds
Art. 12	Record-Keeping	SHA-256 WORM chain — append-only
Art. 13	Transparency	Full decision breakdown in every response
Art. 14	Human Oversight	ESCALATE verdict → human review queue
Art. 15	Accuracy & Robustness	Deterministic rules, no probabilistic drift
GDPR/KVKK	Data Protection	Zero PII storage — only hashes retained

8. Fraunhofer AISEC — Collaboration Opportunity

We have built the TRL 4 foundation. We seek Fraunhofer AISEC's expertise to elevate this to TRL 6/7 through:

Area	Current State	AISEC Contribution (WP3)
Hash Algorithm	SHA-256	Post-quantum migration (CRYSTALS-Dilithium)
Chain Verification	Single-node, in-memory	Multi-party validation, distributed witnessing
Adversarial Testing	Functional tests only	Red-team attack simulation, formal verification
Storage	In-memory (volatile)	Persistent WORM with cryptographic attestation

Proposed Role: Fraunhofer AISEC as WP3 Lead — Cryptographic Security & Verification in a Horizon Europe CL4-2026 consortium. Full technical ownership of the Witness Chain hardening and formal verification workpackage.

Contact: Erdem Özcan — erdem@feam.co | Patent: TR 2024 121973 (Class 42)