FREQUENTLY ASKED
Questions, answered plainly.
If your question isn't here, book a 30-minute working session and we'll show you the proof on your own machine.
- What is ByteVerity?
- ByteVerity is accountability infrastructure for AI agents. It sits at the agent boundary and turns every action into a signed receipt you can re-verify offline — answering who acted, what data it touched, under what rule, and where it failed. Governance that proves itself.
- What does "verify offline, without trusting you" mean?
- Hand an auditor the exported bundle and a public key. They recompute a SHA-256 over the record's content and compare it to the signed manifest root — entirely on their own machine, with the ByteVerity engine absent and zero network calls. If one byte was tampered, the recomputed hash diverges and the verdict turns RED, naming the break. The proof depends on cryptography, not on trusting the vendor.
- What is the difference between "proven" and "asserted"?
- A proven plane is content-addressed and cryptographically verifiable — it re-derives from signed bytes and counts toward the verdict. An asserted plane is uncounted context that the record carries but does not vouch for. ByteVerity renders the two differently and never lets an asserted claim masquerade as proven. That honesty boundary is the point: forged blame never renders 'proven'.
- How does ByteVerity ride Okta, SPIFFE, and SPIRE?
- It doesn't stand up a parallel identity system. Your IdP already issues the grants — Okta ID-JAG, SPIFFE/SPIRE — and ByteVerity binds every agent action to the identity your IdP already issued, then proves what that identity did. Revoke the grant in Okta and every past action under it turns RED, re-derived offline from a signed status list, with no call back to the issuer. Demonstrated on a live Okta dev tenant.
- What happens when I revoke a compromised agent?
- Its next action fails closed, and every past action under the revoked grant re-derives RED offline — with the issuer and the engine absent. Revocation binds to proof, not to a live policy lookup, so it holds even when the IdP is unreachable.
- Which compliance frameworks does it cover?
- EU AI Act (Art. 12 record-keeping and traceability, plus Art. 9, 10, 11, 14), AI-BOM (CycloneDX 1.6 ML-BOM + SPDX 3.0 AI Profile), NIST (SP 800-207 Zero Trust and SP 800-218A Secure SDLC for AI), SOC 2 (CC-6.1, CC-7.1, CC-8.1), and GDPR (Art. 25, 32, 44–49). Each mapping derives from the signed record, so the answers are evidence, not estimates.
- Is ByteVerity an SPA, an observability tool, or a dashboard?
- No. It is a technical control, not a dashboard. Observability tools collect mutable, unsigned logs that are believable only to those who already trust them. ByteVerity produces tamper-evident, offline-verifiable evidence as a byproduct of governing the action — the same receipt that governs the action is the audit evidence.
- Do I have to rewrite my agent or change my model?
- No. ByteVerity sits at the boundary — no rewrite, no model change. Governance runs at agent speed and produces proof as a byproduct. You adopt one product, then the next; the proof carries over because every product emits the same Kernel-shape receipts and one verifier checks them all.
- Does ByteVerity see or store the data inside a record?
- The browser verifier runs entirely in your tab — we never see the record you paste. A record cites the upstream receipts it composes, so it can carry the data it attests to; secrets are masked on display, but an exported bundle should be classified and shared under the same controls as the data it describes. ByteVerity adds no secrets of its own, but it does not strip what an upstream system already signed.
- Is this real today, or a roadmap?
- It's built and it runs today. Each scenario is a shipped binary over real signed artifacts, and every 'tamper → RED' is a genuine cryptographic failure. You can verify a sample record in your browser right now from the verify portal.