The artifact

From runtime controls to customer-ready proof.

Glacis generates signed receipts when controls execute. Those receipts can be assembled into evidence packs for enterprise security reviews, audits, customer trust, insurance, regulatory evidence, and internal assurance.

Receipts are generated at runtime. Evidence packs are assembled from receipts. Receipts prove control execution without exposing the underlying sensitive content.

Workflow
Workflow: Clinical summary, agent action, or model update
Control: PHI boundary, tool permission, drift rule
Decision: Allowed, blocked, escalated, redacted, sent for review
Receipt (signed): policy hash, model version, timestamp, OVERT-compatible verification metadata
Evidence pack: Customer security review, regulatory evidence, audit trail, internal incident review

Runtime

Receipts prove what ran.

Each consequential event can carry control-execution evidence, policy hash, model version, decision, timestamp, and signature metadata.

Assembly

Packs answer the buyer question.

Signed runtime receipts are grouped into regulator, customer security, audit, incident-response, and internal review artifacts.

Verification

Zero sensitive-data egress.

Sensitive payloads stay local while OVERT-compatible verification metadata, hashes, signatures, receipts, and evidence artifacts can be inspected externally.

Sample receipt anatomy

Receipts prove the moment.

A receipt proves the workflow, control, decision, timestamp, and verification metadata that ran — without exposing the underlying sensitive content.

Workflow
The named AI workflow, model call, tool call, agent step, or control evaluation.
Control
PHI boundary, tool permission, jailbreak guard, drift rule, escalation policy, or review gate.
Decision
Allowed, blocked, escalated, redacted, or sent for review.
Receipt (signed)
Policy hash, model version, timestamp, signature, receipt ID, and OVERT-compatible verification metadata.
Evidence pack
Customer security review artifact, regulatory evidence, audit trail, or internal incident review.

Evidence pack anatomy

Evidence packs tell the defensible story.

An evidence pack assembles many receipts into one review-ready artifact: what was assessed, what controls exist, what ran, what was blocked or escalated, and what remains to improve.

What was assessed
The named AI workflow, agent boundary, tool surface, and delegated authority.
What controls exist
The control inventory wired into the workflow at runtime.
What ran
Sampled receipts, run counts, and verification metadata for the assessed window.
What was blocked or escalated
Blocked events, escalations, redactions, and review decisions with their receipts.
What remains to improve
Open control gaps, evidence gaps, and the next improvements queued for the workflow.

Verification metadata

Anyone can verify the receipt without seeing the payload.

Each receipt carries OVERT-compatible verification metadata so a third party — an enterprise customer, an auditor, an insurer, a regulator — can confirm the receipt is genuine, the policy version is current, and the control actually executed at the moment claimed.

  • Policy hash & version — pins the rule that was in force.
  • Model or tool version — pins what the agent was at that moment.
  • Timestamp & epoch — pins when the decision was sealed.
  • Signature & receipt ID — pins authorship and identity.
  • OVERT verification — an open standard a third party can check.

Zero sensitive-data egress

Sensitive content stays inside your infrastructure.

Glacis runs inside your infrastructure. Local runtime controls evaluate the workflow, the receipt is signed locally, and only the receipt is shared with reviewers — never the prompt, output, PHI, customer data, code, or proprietary context.

  • Local runtime controls — evaluation happens in your environment.
  • Signed evidence receipts — produced where the workflow runs.
  • Hashed commitments only — payloads stay where they belong.
  • Reviewer-ready proof — receipts are inspectable; sensitive content is not.
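The verification and zero-egress properties above, shown as an added example that is not Glacis code and does not use the OVERT schema: the receipt commits to the sensitive payload by hash, is signed over its canonical fields, and a reviewer checks authenticity and policy version from the receipt alone. It assumes illustrative field names and uses HMAC-SHA256 with a shared verification key as a stand-in for the asymmetric signature a real deployment would use.

```python
# Added example, not Glacis or OVERT code. ASSUMPTION: HMAC-SHA256 stands in
# for an asymmetric signature; field names are illustrative, not a real schema.
import hashlib
import hmac
import json


def canonical(fields: dict) -> bytes:
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_receipt(key: bytes, receipt_id: str, workflow: str, control: str,
                 decision: str, policy_hash: str, model_version: str,
                 timestamp: str, payload: bytes) -> dict:
    # Produced where the workflow runs; the payload itself is never included.
    fields = {
        "receipt_id": receipt_id,
        "workflow": workflow,
        "control": control,
        "decision": decision,
        "policy_hash": policy_hash,
        "model_version": model_version,
        "timestamp": timestamp,
        # Hash commitment to the sensitive content (prompt, output, PHI, ...).
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
    }
    sig = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "signature": sig}


def verify_receipt(key: bytes, receipt: dict, expected_policy_hash: str) -> bool:
    # Reviewer-side check: genuine signature and the expected policy version,
    # using nothing but the receipt. Any tampered field breaks the signature.
    fields = {k: v for k, v in receipt.items() if k != "signature"}
    expected = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    sig_ok = hmac.compare_digest(expected, receipt.get("signature", ""))
    return sig_ok and receipt.get("policy_hash") == expected_policy_hash


def payload_matches(receipt: dict, payload: bytes) -> bool:
    # Optional: a party that does hold the payload can open the commitment.
    digest = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(receipt.get("payload_sha256", ""), digest)


if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed, not a real key
    phi = b"Patient: Jane Doe, MRN 000000"   # constructed sample PHI
    r = make_receipt(key, "rcpt-0001", "clinical-summary", "phi-boundary",
                     "redacted", "sha256:policy-v3", "summarizer-2.1",
                     "2024-01-01T00:00:00Z", phi)
    print(verify_receipt(key, r, "sha256:policy-v3"), "Jane" in str(r))
```

The printed result is `True False`: the receipt verifies, and the PHI string does not appear anywhere in it.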

Where evidence packs are used

One evidence base. Six review surfaces.

The same receipts assemble into the artifact each reviewer expects.

Customer security review

Answer the procurement questionnaire.

Hand the enterprise security team a signed evidence pack that proves the AI workflow ran inside boundary, with which controls, on which model versions — without shipping prompts or outputs.

Audit

Show controls executed, not just configured.

Receipts give SOC 2, ISO 42001, and HITRUST auditors run-level evidence: which controls fired, on which decisions, against which policy version.

Regulatory evidence

Defensible proof for AI regulators.

Map signed receipts to EU AI Act, Colorado AI Act, FDA, and state-level AI rules — one evidence base, multiple regulatory surfaces.

Insurance

Underwriter-grade AI evidence.

Carriers and brokers see attested controls and run-level receipts — the basis for insurable AI risk instead of self-attested checklists.

Internal assurance

Brief your board on real coverage.

Coverage summaries, blocked events, and escalation rates — the AI evidence the audit committee, the CISO, and the board actually want to see.

Internal incident review

Rebuild what happened, with proof.

When an AI incident is investigated, signed receipts pin the workflow, the controls, the decision, and the model version at the moment of the event.

The artifact, in one line

Receipts prove the moment. Evidence packs tell the defensible story.

Glacis runs inside your infrastructure. Receipts are produced when controls execute. Evidence packs are assembled from those receipts — review-ready, signed, OVERT-verifiable, with zero sensitive-data egress.