Frequently Asked Questions

Everything you need to know about ByteVerity's deterministic AI governance platform.

Platform

What is ByteVerity?

ByteVerity is deterministic trust infrastructure for AI systems. It governs what AI can do, what AI can see, and what AI can act upon — with cryptographic proof produced as a byproduct of operation. It is not a scanner, not a dashboard, and not AI governing AI. It is a live control plane.

What does 'deterministic' mean in this context?

Governance decisions are made by structured rules in configuration, not by AI models evaluating AI output. When a file is blocked, you can read exactly why — the zone, the constraint, the policy reference. No confidence scores. No probabilistic interpretation. An auditor can trace every decision.

What is 'compliance by construction'?

Compliance evidence is generated at the moment of enforcement, not assembled retrospectively. Every governance decision produces a signed attestation bundle mapped to specific compliance controls (SOC 2 CC-6.1, NIST AC-3, GDPR Art. 44, etc.). No screenshots. No interview-based evidence. Structured, machine-verifiable proof.

What are the four products?

Avarion governs what AI can do (capability governance — zone-based policy enforcement at pre-commit). Vault governs what AI can see (visibility governance — progressive disclosure from metadata to full access). Meridian governs what AI can act on (execution governance — jurisdiction-aware data access). Governor governs what AI can do over time (temporal governance — cooldowns, prerequisites, approval gates).

Integration

What SCM platforms are supported?

GitHub, GitLab, Bitbucket Cloud, and Azure DevOps. Each has native integration for commit statuses, PR reviews, and webhook-based feedback.

What programming languages does it support?

Go, TypeScript, JavaScript, Python, Rust, Java, C, C++, C#, Ruby, PHP, and Swift. Language-specific module detection is available for Go (go.mod) and npm (package.json) ecosystems.

How does it integrate with CI/CD?

The thin hook binary (avarion-hook) runs at pre-commit and as a CI/CD gate. Results are posted back to your SCM platform as commit statuses, check runs, or PR comments. It also works as a standalone CLI in any pipeline.

Can it work offline?

Yes. Policy bundles can be downloaded and cached locally. The hook evaluates governance rules against the cached policy without requiring API connectivity. When connectivity is restored, results sync to the control plane.

Does ByteVerity see my source code?

Source code analysis happens on your machine or in your CI runner. The thin hook binary analyzes staged files locally. Only governance decisions and structured evidence (not source code) are sent to the control plane. If you need zero data to leave your network, you can run fully self-hosted.

Governance

How fast is enforcement?

Under 50 milliseconds per 100-file commit at P99. Governance evaluation is deterministic and does not depend on model inference. It runs in the path of git commit without meaningfully slowing developer workflow.

How do teams handle exceptions?

Time-boxed exceptions with approval workflows. Exception scope is bounded by zone type — sandbox zones allow 7-day exceptions with auto-approval, while critical zones require dual approval (security + platform owner) with a 2-hour maximum. All exceptions auto-expire. Usage is tracked (commits, files, lines changed under exception).

What compliance frameworks does it map to?

SOC 2 Type II, ISO 27001, NIST 800-53, HIPAA, PCI DSS, FedRAMP, EU AI Act, and SLSA. Compliance mappings are embedded in attestation bundles — each governance decision references the specific control it satisfies.

Deployment

How is ByteVerity deployed?

Three options. SaaS: thin hook binary on your machines connects to the ByteVerity control plane. Hybrid: your own API server with fallback to the cloud control plane. Self-hosted: everything runs in your network. The thin hook binary is under 5 MB and has zero heavy dependencies.

How are policy bundles secured?

Policy bundles are signed and versioned. In production, you can require signed bundles only — the system will reject unsigned local configuration. Bundle integrity is verified before every enforcement decision.