Audit Guide

For auditors, compliance officers, and GRC teams evaluating Primust Evidence Packs.

The Fundamental Claim

When an organization presents a Primust Evidence Pack, it is making a specific, bounded claim:

  1. Defined governance checks ran on their systems.
  2. The checks ran at the stated proof level.
  3. The evidence was committed cryptographically before this audit occurred.
  4. Nothing in the evidence chain has been altered since it was committed.

These are mathematical claims. You verify them with math, not trust.

Critical disclosure — read before proceeding
Primust proves what was declared should run, not that everything was declared. An organization could omit pipeline stages from their governance declaration. Primust's Gap Taxonomy identifies and labels known omission categories, but the declaration boundary is set by the organization. Auditors must independently assess declaration completeness.

Five-Minute Verification

Install the open-source verifier. No account. No login. Free forever.

pip install primust-verify
# Verify a single VPEC
primust verify vpec.json

# Verify an Evidence Pack
primust pack verify evidence_pack.json

# Fully offline verification: fetch the trust root once, then there is no network dependency
curl https://primust.com/.well-known/primust-pubkey.pem > key.pem
primust verify vpec.json --trust-root key.pem

# Example output
✓ Signature valid     (Ed25519, key_id: primust-signing-key-2026-01)
✓ Chain intact        (12 check records, hash chain unbroken)
✓ ZK proofs valid     (3 mathematical claims verified)
✓ Timestamp authentic (existed before 2026-03-17T14:30:00Z, DigiCert RFC 3161)
✓ No governance gaps  (0 unresolved)
✓ Profile consistent  (primust/distilbert-class/v1.2.0 · A10G)  ← Bounded Inference VPECs only

proof_level_floor:   operator_bound
provable_surface:    0.87
  mathematical:      0.52
  bounded_inference: 0.18
  execution:         0.12
  witnessed:         0.05

VPEC: vpec_abc123
Environment: production

What the Verification Checks Prove

Signature valid
  What it proves: Credential was issued by the declared key and has not been modified since issuance
  Failure means:  Tampering or unrecognized key

Chain intact
  What it proves: Every record links to the previous via cryptographic hash — none inserted, removed, or reordered
  Failure means:  Records altered after the fact

ZK proofs valid
  What it proves: For Mathematical and Verifiable Inference claims, the zero-knowledge proof is mathematically valid
  Failure means:  Claimed computation did not occur as described

Timestamp authentic
  What it proves: Evidence existed before the claimed anchor time, confirmed by DigiCert RFC 3161 — an external third party, not Primust
  Failure means:  Timeline manipulated

No governance gaps
  What it proves: No unresolved failures — all check failures were remediated or waived with a signed, time-limited waiver
  Failure means:  Undisclosed or unresolved governance failures

Profile consistent (Bounded Inference only)
  What it proves: Committed Merkle root is physically consistent with running the declared model on the declared GPU class, as measured by the Primust-signed drift profile
  Failure means:  INVALID — PROFILE MISMATCH — trace inconsistent with declared model

Six Proof Levels — What Each Means for Audit

Mathematical (enum: mathematical)
  Mechanism: ZK circuit (Noir/UltraHonk)
  Audit guidance: Strongest evidence. Cite as "mathematically proven." Appropriate for: regex, threshold, OPA/Cedar/Drools rules, decision tree classifiers (XGBoost, RandomForest), statistical tests, Ed25519 verification.

Verifiable Inference (enum: verifiable_inference)
  Mechanism: ONNX-to-circuit (EZKL), Modal GPU
  Audit guidance: Strong evidence. ZK circuit proves ML output. Currently limited to small MLP heads (<263K params) — full transformers use Bounded Inference. Cite as "verifiably proven with auditable model weights." Confirm onnx_model_hash is present.

Bounded Inference (enum: operator_bound)
  Mechanism: Per-operator Merkle commitment + Primust-signed drift profile
  Audit guidance: Moderate-strong evidence. Stronger than Execution because primust verify checks the committed trace against the signed profile — not just the signature. The profile is offline-verifiable against Primust's public key. Cite as "bounded-inference proven — trace verified against Primust-signed model profile." Confirm profile_id and gpu_class are present and the verification output shows VALID (BOUNDED INFERENCE).

Execution (enum: execution)
  Mechanism: Model-hash-binding circuit
  Audit guidance: Moderate evidence. Named version committed. primust verify confirms signature, timestamp, schema — but cannot verify output came from the declared model. Cite as "execution-level proof with committed model version."

Witnessed (enum: witnessed)
  Mechanism: Two RFC 3161 timestamps + Ed25519 sig (or OAuth identity + single RFC 3161 for acknowledged)
  Audit guidance: Equivalent to a witnessed signature. Cite as "witnessed review with cryptographic evidence." Verify reviewer credentials in org JWKS. Check min_review_seconds delta between the two RFC 3161 timestamps. For acknowledged stage type: OAuth identity hash is present, single RFC 3161.

Attestation (enum: attestation)
  Mechanism: Invocation-binding circuit
  Audit guidance: Weakest evidence. Equivalent to a log entry. Supporting evidence only. Do not accept as sole evidence of a governance control for regulated operations.

Reading a Provable Surface Report

provable_surface: 0.87
provable_surface_breakdown:
  mathematical:         0.52    ← OPA rules, regex, decision trees, threshold checks
  bounded_inference:    0.18    ← HuggingFace transformer trace verified against profile
  verifiable_inference: 0.00    ← ZK circuit ML (Tier 2, if triggered)
  execution:            0.12    ← Hash-bound model/tool calls
  witnessed:            0.05    ← Human review with Ed25519
  attestation:          0.00

proof_level_floor: operator_bound   ← weakest-link scalar across all records
Coverage Basis: P2 — Primust Baseline-Aligned (EU AI Act Art 12 v1.0)

Coverage basis labels:

P1 is not audit-acceptable
Require P2 or P3. A P1 Evidence Pack means the organization self-declared their scope without independent baseline alignment.

Red Flags

P1 coverage basis
  Self-declared scope. Insufficient for compliance. Reject.

All records at Attestation level
  Equivalent to logs only. No cryptographic proof of execution.

Unresolved Critical gaps
  Governance failures not remediated or waived.

Gaps with expired waivers
  Max 90 days. Expired = gap re-opened and unresolved. Check expires_at.

Waivers without risk_treatment field
  Pre-schema waivers. Request updated waiver with declared risk treatment (accept | mitigate | transfer | avoid).

provable_surface < 0.70 with P2/P3 basis
  Low coverage against declared policy. Request explanation.

activity_log_present: false
  AI domain pack not instrumented. Activity chain unavailable for Tier 2 audit.

environment: "sandbox" on any VPEC
  Sandbox credential. Not audit-acceptable.

archetype: custom_check with compliance_mapping_status: pending_review
  Check not yet classified by compliance officer. Governance claim at Attestation floor until mapped.

actor_id: null on records requiring ALCOA attribution
  Attribution gap. May be pre-existing (pre-schema) or active compliance gap.

Bounded Inference VPEC with INVALID — PROFILE MISMATCH
  Committed trace inconsistent with declared model class. Serious integrity concern.

model_profile_missing gap open
  HuggingFace model check issuing at Execution rather than Bounded Inference — profile not yet calibrated. Lower assurance than possible.

operator_bound floor with no profile_id field
  Data integrity concern — Bounded Inference VPEC missing required field.
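The red-flag conditions above, together with the weakest-link proof_level_floor from the Provable Surface section, as a screening routine. This is an added example, not Primust's verifier or its schema: the dict layout of the pack summary (records, gaps, waiver fields) is assumed, and the sample pack is constructed.

```python
from datetime import datetime, timedelta, timezone

# Proof levels ordered strongest -> weakest, using the enum names from the guide.
PROOF_LEVELS = ["mathematical", "verifiable_inference", "operator_bound",
                "execution", "witnessed", "attestation"]

def proof_level_floor(records):
    """Weakest-link scalar: the weakest proof level found in any record."""
    return max((r["proof_level"] for r in records), key=PROOF_LEVELS.index)

def screen_pack(pack, now):
    """Red flags for an Evidence Pack summary (assumed shape; "gaps" holds only non-remediated gaps)."""
    flags, records = [], pack["records"]
    if pack["coverage_basis"] == "P1":
        flags.append("P1 coverage basis: self-declared scope, reject")
    elif pack["provable_surface"] < 0.70:
        flags.append("provable_surface below 0.70 with P2/P3 basis: request explanation")
    if all(r["proof_level"] == "attestation" for r in records):
        flags.append("all records at Attestation level: equivalent to logs only")
    for r in records:
        if r["environment"] == "sandbox":
            flags.append(f"{r['vpec_id']}: sandbox credential, not audit-acceptable")
        if r.get("bounded_inference_valid") is False:   # None means not a Bounded Inference VPEC
            flags.append(f"{r['vpec_id']}: INVALID - PROFILE MISMATCH")
    for g in pack["gaps"]:
        w = g.get("waiver")
        if w is None:                                   # neither remediated nor waived
            if g["severity"] == "critical":
                flags.append(f"gap {g['gap_id']}: unresolved Critical gap")
            continue
        issued, expires = (datetime.fromisoformat(w[k]) for k in ("issued_at", "expires_at"))
        if expires <= now or expires - issued > timedelta(days=90):   # waivers run at most 90 days
            flags.append(f"gap {g['gap_id']}: waiver expired or over 90 days, gap re-opened")
        if "risk_treatment" not in w:
            flags.append(f"gap {g['gap_id']}: pre-schema waiver, no risk_treatment")
    return flags

SAMPLE_PACK = {  # constructed sample, not real Primust data: one sandbox VPEC, one expired waiver
    "coverage_basis": "P2", "provable_surface": 0.87,
    "records": [
        {"vpec_id": "vpec_001", "proof_level": "mathematical", "environment": "production"},
        {"vpec_id": "vpec_002", "proof_level": "operator_bound", "environment": "production",
         "profile_id": "primust/distilbert-class/v1.2.0", "bounded_inference_valid": True},
        {"vpec_id": "vpec_003", "proof_level": "execution", "environment": "sandbox"}],
    "gaps": [
        {"gap_id": "gap_1", "severity": "critical", "waiver": {
            "issued_at": "2026-01-01T00:00:00+00:00", "expires_at": "2026-03-01T00:00:00+00:00",
            "risk_treatment": "mitigate"}},
        {"gap_id": "gap_2", "severity": "high", "waiver": None}]}
NOW = datetime(2026, 3, 17, 14, 30, tzinfo=timezone.utc)   # audit time used for waiver expiry
```

Running `screen_pack(SAMPLE_PACK, NOW)` flags the sandbox VPEC and the expired waiver on gap_1; `proof_level_floor` reports execution, the weakest level present.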

Incident Packages

Organizations can assemble a pre-packaged incident response artifact for any specific run:

# Organization assembles — Primust signs and timestamps
primust pack incident --run-id <run_id>

# You verify offline
primust verify-package incident_package.zip

The package contains: VPEC, pre-run verification output, config epoch at time of run (derived from credential chain — not mutable audit logs), all gaps for this run, signed waiver artifacts, exact CLI verification commands, plain-language README.

The package is signed by Ed25519 and RFC 3161 timestamped. Config epoch is derived from the VPEC credential chain itself — proving exactly what governance configuration was active at the time of the run without relying on audit logs that could be modified.

The package does NOT contain: raw inputs/outputs, individual AgentActivityRecords, reviewer rationale text, PII or matched content values.

Tier 2 Audit — Activity Verification

# Organization exports their activity store — Primust has zero access
primust export-activity <run_id> --store <their-connection-string> --output export.json

# You verify — recomputes chain_root and compares against VPEC
primust verify-activity vpec.json export.json
# Mismatch → tampering detected
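The two checks that depend on the hash chain, "Chain intact" in the verification table and the chain_root recomputation in the Tier 2 procedure above, rest on the same mechanism. This added example (not Primust's code; the record layout, the SHA-256 link construction and the genesis sentinel are assumptions) links a constructed set of check records, then recomputes the chain as a verifier would and reports which kind of tampering broke it.

```python
import hashlib
import json

GENESIS = "0" * 64   # assumed sentinel used as prev_hash of the first record

def canonical(record):
    """Deterministic serialization so every verifier hashes identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def record_hash(record, prev_hash):
    """Hash of the record bound to its predecessor: the link in the chain."""
    return hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()

def build_chain(records):
    """Producer side: link the records and return (chained_records, chain_root)."""
    chained, prev = [], GENESIS
    for seq, rec in enumerate(records):
        h = record_hash(rec, prev)
        chained.append({**rec, "seq": seq, "prev_hash": prev, "hash": h})
        prev = h
    return chained, prev          # the final hash is the chain_root committed in the VPEC

def verify_chain(chained, expected_root):
    """Verifier side: recompute every link from the exported records; return (ok, reason)."""
    prev = GENESIS
    for seq, entry in enumerate(chained):
        body = {k: v for k, v in entry.items() if k not in ("seq", "prev_hash", "hash")}
        if entry["seq"] != seq or entry["prev_hash"] != prev:
            return False, f"record {seq}: link broken (inserted, removed or reordered)"
        if entry["hash"] != record_hash(body, prev):
            return False, f"record {seq}: content altered after commitment"
        prev = entry["hash"]
    if prev != expected_root:
        return False, "chain_root mismatch against committed VPEC value"
    return True, "chain intact"

# Constructed sample check records (not real Primust data)
SAMPLE_RECORDS = [
    {"check": "pii_regex", "result": "pass", "proof_level": "mathematical"},
    {"check": "toxicity_head", "result": "pass", "proof_level": "operator_bound"},
    {"check": "human_review", "result": "pass", "proof_level": "witnessed"},
]
```

Editing a record's content, dropping a record, or swapping two records all fail verification, each with a distinct reason, and a forged root fails the final comparison even when the links are self-consistent.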

EU AI Act

Articles 9, 12, and 17 require risk management documentation, logging of automatic decisions, and quality management systems. Look for:

HIPAA

Security Rule §164.312 requires audit controls and integrity controls. Look for:

Primust never transits PHI. ZK proofs and Bounded Inference traces confirm computation integrity without exposing underlying health data.

SOC 2

Trust Services Criteria CC7.1 and CC8.1. Look for:

AIUC-1

Primust implements the AIUC-1 schema natively. Fields to check:

Enterprise BYOK

At Enterprise tier, VPECs are signed with the organization's own key:

curl https://customer.com/.well-known/primust-pubkey.pem > org-pubkey.pem
primust verify vpec.json --trust-root org-pubkey.pem

Zero Primust dependency for verification. Model Profile Registry profiles for Bounded Inference VPECs are also verifiable offline against Primust's public key.

Standard Audit Procedure

from primust_verify import verify_vpec, verify_pack
import json


class AuditFailure(Exception):
    """Raised when the Evidence Pack or a sampled VPEC fails an audit criterion."""


def require(condition, message):
    # Explicit exception rather than assert: assert statements are stripped under
    # `python -O`, which would silently turn every failed criterion into a PASS.
    if not condition:
        raise AuditFailure(message)


def audit_evidence_pack(org_id, evidence_pack_path, sample_vpecs):
    with open(evidence_pack_path) as f:
        pack = json.load(f)

    # Pack-level criteria: cryptographic validity, coverage basis, open Critical gaps
    pack_result = verify_pack(pack)
    require(pack_result.valid, f"Pack verification failed: {pack_result.error}")
    require(pack_result.coverage_basis in ["P2", "P3"],
            f"Coverage basis is {pack_result.coverage_basis} — P1 not audit-acceptable")
    require(pack_result.unresolved_critical_gaps == 0,
            f"{pack_result.unresolved_critical_gaps} unresolved Critical gaps")

    # Sampled VPECs: each must verify, and the fields below feed the audit report
    sample_results = []
    for vpec_path in sample_vpecs:
        with open(vpec_path) as f:
            vpec = json.load(f)
        result = verify_vpec(vpec)
        require(result.valid, f"VPEC {vpec['vpec_id']} failed verification")
        sample_results.append({
            "vpec_id": vpec["vpec_id"],
            "valid": result.valid,
            "proof_level_floor": result.proof_level_floor,
            "provable_surface": result.provable_surface,
            "environment": result.environment,
            "bounded_inference_valid": result.bounded_inference_valid  # None if not applicable
        })

    # Sandbox credentials are never audit-acceptable
    require(all(r["environment"] == "production" for r in sample_results),
            "Sandbox VPECs found — not audit-acceptable")

    # False (as opposed to None) means the verifier reported a profile mismatch
    bi_invalid = [r for r in sample_results if r["bounded_inference_valid"] is False]
    require(len(bi_invalid) == 0,
            f"{len(bi_invalid)} Bounded Inference VPECs failed profile consistency check")

    return {
        "org_id": org_id,
        "pack_valid": pack_result.valid,
        "provable_surface_aggregate": pack_result.provable_surface_aggregate,
        "proof_level_floor_minimum": pack_result.proof_level_floor_minimum,
        "coverage_basis": pack_result.coverage_basis,
        "sample_results": sample_results,
        "result": "PASS"
    }

Audit Reports — Signed PDF

primust verify-report audit_report.pdf
# Exit 0: valid — PDF unmodified since signing
# Exit 1: invalid
# Exit 2: derived from sandbox Evidence Pack — not audit-acceptable
# Exit 3: signing key revoked

The report contains: governance summary, six-level proof distribution, per-VPEC verification results (including Bounded Inference profile check), framework control mapping, gaps and waivers table, verification CLI instructions.

The report does NOT contain: raw inputs/outputs, reviewer rationale text, matched PII, individual AgentActivityRecords, per-operator ML outputs (for Bounded Inference — only merkle_root in VPEC).