Third-party AI safety certification

How a Forge Certified Audit works

Every Forge Certified Audit produces a cryptographic artifact that any third party can verify — offline, in any language, without trusting Forge NC at all. This page explains what that means, how we do it, and why it matters for your compliance team, your board, and your customers.

Same protocol behind every paid audit, regardless of tier. The difference between Startup, Enterprise, and Deployment Assessment is what gets audited and how the delivery is packaged — not the cryptographic rigor.

161

scenarios

Which audit do I need?

Three paid products. All three use the same underlying Forge Crucible Assurance Protocol (161 scenarios across 16 categories). The difference is what they audit and how the delivery is packaged.

Forge Certified Audit — Startup $7,500 per model

You built an LLM. You want a credentialed third-party certification you can show to buyers, investors, regulators, or insurers. One model, full Parallax dual attestation, Origin-signed, transparency-logged. Choose between forge-hosted (we run it on our RunPod infrastructure) or self-hosted (you run it in your own Forge install so your model weights never leave your network).

Forge Certified Audit — Enterprise $30,000 · up to 5 models

Same certification, designed for larger LLM creators with multiple model variants or fine-tunes. Priority turnaround. Same cryptographic guarantees as Startup — Enterprise differs only in scope and SLA, not in rigor.

Deployment Assessment $3,000

You are not the LLM creator — you are building a product on top of someone else’s LLM (OpenAI, Anthropic, or an open-source model you fine-tuned or wrapped). You want to know if your specific deployment, with your system prompt, your tool bindings, and your compliance obligations, actually behaves the way you claim. Choose forge-hosted (we hit your public endpoint) or in-VPC (our Docker runner inside your network audits your internal endpoint without ever exposing credentials externally).

Continuous Monitoring $1,500 / month

For organizations already running AI in production. Automated periodic audits against your live endpoints with alerts when scores drop or certification tiers change. Pairs naturally with a one-time Deployment Assessment as the baseline.

The six trust pillars

These are the mechanisms that make a Forge Certified Audit different from a PDF any audit firm can email you. Every one of these is implemented in public code you can inspect.

1Origin Root Key & Child Keys. Every audit is signed with an Ed25519 keypair derived from our root seed via HKDF-SHA512. Each job gets a unique child key scoped to that one audit. A leaked child key compromises only that one audit; root key integrity is unaffected.

2Sealed Bundles. For self-hosted and in-VPC audits we deliver the job’s signing material encrypted to your one-time X25519 public key. Only your runner can open it. Bundles are single-use; replay is rejected server-side.

3Merkle Transparency Log. Every certified audit is appended to a public append-only Merkle tree and the root hash is signed by Origin. We cannot silently alter or hide a report without breaking the tree — anyone monitoring the log notices immediately.

4Offline Verifiability. Any third party with the Origin public key can verify your report in Python, JavaScript, Go, Rust, anything with Ed25519. No call home. No proprietary tool. No subscription to a verifier service.

5Open-Source Runner. The Docker container that executes in-VPC assessments lives in a public GitHub repo. The image is Sigstore keyless-signed. Your security team can audit every line before running it.

6Standards Compatibility. Attestation envelopes use the same DSSE + in-toto shape as Sigstore, SCITT, SLSA, and GitHub Artifact Attestations. If your team already uses cosign, your existing tooling reads our reports.

For your security team

Not running a security review? Skip this section. The short version: every report is cryptographically signed and anyone can verify it offline, with no trust in Forge required. The detail below is for teams who want to check exactly how.

Cryptographic primitives

Ed25519 for all signatures (Origin root, per-job child keys, report signing, tree-head signing).
HKDF-SHA512 (RFC 5869) for deriving per-job child keys from the Origin seed.
X25519 sealed box (libsodium crypto_box_seal) for bundle encryption.
SHA-512 for scenario hash chains, target-hash bindings, and Merkle tree nodes.
SHA-512 HMAC for runner-to-server upload authentication.

What the attestation envelope binds

Every signed report carries an envelope that makes the following cryptographically provable:

Who authorized the job (Origin signature over the envelope)
What customer it was for (order_id, passport_id)
What was being audited (target_hash = SHA-512 of endpoint + model)
Which scenario pack ran (scenario_pack_version, scenario_pack_hash)
How long the key was valid (issued_at, expires_at)
What runner kind (self-hosted FCA or in-VPC Deployment Assessment)

Spec

Full technical specification with signature payloads, canonical JSON rules, golden test vectors, and verification order: Forge Protocol Specification. Reference implementations in Python and PHP.

Vs. traditional AI audit firms

Control	Traditional AI audit firm	Forge Certified Audit
Report is a signed cryptographic artifact	No (PDF)	Yes (Ed25519 + DSSE)
Third party can verify offline without vendor	No	Yes (open protocol)
Public transparency log	No	Yes (append-only Merkle tree)
Runner source code public	No	Yes (GitHub + Sigstore-signed)
Model weights / API key never leave your network	Varies	Yes (self-hosted / in-VPC)
Compliance framework mapping (EU AI Act, NIST, ISO 42001)	Yes	Yes
Artifact remains verifiable after vendor ceases	No	Planned (perpetuity reserves)

Compliance mappings

Every scenario in the 161-scenario Forge Crucible Assurance Protocol is tagged with the regulatory framework controls it exercises:

EU AI Act — Articles 5, 9, 10, 13, 14, 15
NIST AI RMF — GOVERN, MAP, MEASURE, MANAGE functions
ISO/IEC 42001 (AI Management Systems) — clauses 6, 7, 8
SOC 2 — Security, Availability, Processing Integrity, Confidentiality, Privacy
HIPAA — Security Rule §164.308 administrative safeguards, §164.312 technical safeguards (Power-tier scenarios)
NIST 800-53, CMMC 2.0, FedRAMP — federal + defense mappings (in progress)

The mapping is embedded in code at forge/assurance.py — not a marketing claim, it’s a per-scenario attribute that appears in the signed report.

Verify a report yourself

Two paths. Pick the one that matches your trust model:

On Forge (convenient): paste a signed report into the in-browser verifier. Forge runs Ed25519 verification on its server using libsodium and returns the result — so this path requires trusting Forge to verify honestly. For zero-trust verification, use the offline option below instead.
Off Forge (trustless): run the verification recipes locally. Copy-pasteable code in Python (cryptography), Node.js (built-in crypto), and OpenSSL CLI is published at /verify — the same page hosts both the online verifier and the offline recipes side-by-side. Pull the Origin public key once from /.well-known/forge-origin.json, archive it, and you can verify any Forge-signed report forever without contacting us again.

Want to see this in action on a real report? Open the sample audit — both halves of the pair are Origin-certified and ready to verify.

FAQ

What happens if Forge NC ceases operations?

Every Forge Certified Audit report remains verifiable indefinitely, because: (a) verification needs only the Origin public key + an Ed25519 library — no Forge-specific infrastructure; (b) we pin the Origin public key, protocol spec, transparency log archive, and reference verification scripts to a decentralized permanent-storage layer (Arweave). Artifacts from our transparency log survive us.

Can a customer revoke a certification later?

Yes — two kinds of revocation exist. Pre-publish revocation kills a job’s child key before a report is uploaded (if a bundle leaks or the audit is cancelled mid-flight). Post-publish revocation flags an existing certified report as no longer valid (if fraud is later proven, or the model is materially changed after the audit). Both go through a two-person approval process: an admin requests, Origin approves. Both are recorded in an Origin-signed public revocation feed at /.well-known/forge-revocations.json.

How often is the Origin key rotated?

Origin key rotation is announced explicitly at /.well-known/forge-origin.json with cross-signing during the grace window. Rotations are rare by design — the entire point of deriving per-job child keys is that the root key doesn’t need to move.

Is there a license for the Forge Crucible Assurance Protocol?

The 161-scenario protocol and associated tooling are proprietary. The verifier scripts and the open-source runner are published under a source-available license that allows security review and offline verification but restricts commercial redistribution. See the LICENSE file in each repo.

How does Forge differ from CredoAI, HiddenLayer, Robust Intelligence?

Those firms deliver valuable audit work, but their reports are dashboards or PDFs that require trusting their platform. A Forge Certified Audit artifact is a cryptographic object anyone can verify without our involvement. In the event of a dispute — in front of a regulator, an insurer, or a court — the Forge report is mathematically checkable. Their reports are not.

Request an audit → See a sample audit Try the live verifier Read the protocol spec