The signed report
One object your buyer can check, not a PDF they have to trust.
When a deal stalls in security review, the buyer's group will not take your word, or a slide. A kolm report is a single canonical (one fixed byte ordering) object: a scope, content hashes, an Ed25519 signature over the exact bytes, and an append-only inclusion proof. A canonical object is written one fixed way - keys sorted, no stray whitespace - so the same report always produces the same exact bytes and the signature can cover them. Here is the object, line by line, then a real one you can verify in this browser.
One object, fully self-describing.
The report carries its own scope, its own content hashes, its own signature, and the public key needed to check it. Nothing about verifying it depends on kolm being online, or even existing.
01 · payload
Canonical payload
Key-sorted, whitespace-free JSON in a fixed field order. The signature covers these exact bytes, so a downgraded finding or an inflated score is self-evident the moment a reviewer re-checks.
02 · signature
Ed25519 signature, embedded key
The signature and the public key it was made with travel together. Your buyer needs nothing from us: the verifier runs offline against the key inside the report.
03 · inclusion
Append-only inclusion proof
A Merkle inclusion proof from an RFC 6962 style log confirms the report was recorded when it claims and was never quietly replaced. Not a chain, an append-only transparency log.
Sealed · verifies offline
Every line above is part of the signed bytes. Edit one character and the signature, and the seal, stop matching. The byte-level format is public in the signed report spec.
Every finding maps to a control they already cite.
A reviewer should not have to learn our vocabulary. Each control on the report points to the framework clause their questionnaire already references, so they trace a result to a standard in one step.
| Control | What it checks | Maps to |
|---|---|---|
| ASR-1 Least privilege | Scopes the agent holds versus the scopes it uses | SOC 2 CC6 · OWASP ASI03 · NIST MANAGE-1 |
| ASR-2 Audit trail | Append-only, hash-chained, retained activity log | EU AI Act Art.12 · SOC 2 CC7 |
| ASR-3 Data egress | Destinations, approved sub-processors, redaction | OWASP LLM02 · EU AI Act Art.10 |
| ASR-4 Injection | Instruction hijack, indirect injection, guardrail bypass | OWASP LLM01 · MITRE ATLAS |
| ASR-5 Provenance | Model and dependency provenance | ISO 42001 · NIST MAP-1 |
| ASR-6 Evidence | Signed, logged, offline-verifiable report | SOC 2 CC7 · ISO 42001 |
Scope is contractual. Permission posture, redaction and audit-trail integrity are assessed. Injection is tested and reported, not warranted.
Do not take the diagram's word for it.
Below is a real, signed report produced by the same signing core, verified entirely in this browser. Inflate the score or forge a rogue key, and the seal reads VOID, every time. The check needs only the report file and the key inside it.
Load the file
The reviewer drops the one report file into the verifier. No account, no upload to us.
1 file, self-contained
Rebuild the bytes
The verifier re-derives the canonical bytes from the report, the same way every time.
SHA-256 content digest
Test the signature
Ed25519 confirms the bytes match the signature, using the public key inside the report.
WebCrypto in the browser
VALID or VOID
A clean match reads VALID. One altered byte reads VOID, in front of the reviewer.
VALID or VOID, no grey
What you are seeing
The full signed report, sealed by the signing core
This is the complete sample report: canonicalized, signed with Ed25519, and verified against the pinned issuer keyring right here. Verify it in place, or open the dedicated verifier to paste your own.
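The check described in the steps above, as an added example that is not kolm's verifier or its wire format: the field names (`payload`, `public_key`, `signature`), the base64 SPKI key encoding and the sample report are assumptions, and Node's built-in crypto stands in for browser WebCrypto. It signs the canonical bytes directly and accepts the embedded key only when it also appears in a pinned keyring, which is what makes a report re-signed with a rogue key read VOID.

```javascript
const { generateKeyPairSync, sign, verify, createPublicKey } = require("node:crypto");

// Key-sorted, whitespace-free JSON: equal objects always yield equal bytes.
function canonicalize(value) {
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  if (value !== null && typeof value === "object") {
    return "{" + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalize(value[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

// Export a public key as base64 SPKI DER so it can travel inside the report.
const exportKey = (pub) => pub.export({ type: "spki", format: "der" }).toString("base64");

// Issuer side (constructed for the demo): sign the canonical payload bytes.
function signReport(payload, { privateKey, publicKey }) {
  const bytes = Buffer.from(canonicalize(payload), "utf8");
  return { payload, public_key: exportKey(publicKey),
           signature: sign(null, bytes, privateKey).toString("base64") };
}

// Verifier side: VALID only if the embedded key is pinned AND the signature
// matches the re-derived canonical bytes. Anything else, including a
// malformed report, is VOID.
function verifyReport(report, pinnedKeys) {
  try {
    if (!pinnedKeys.includes(report.public_key)) return "VOID";
    const key = createPublicKey({ key: Buffer.from(report.public_key, "base64"),
                                  format: "der", type: "spki" });
    const bytes = Buffer.from(canonicalize(report.payload), "utf8");
    const ok = verify(null, bytes, key, Buffer.from(report.signature, "base64"));
    return ok ? "VALID" : "VOID";
  } catch { return "VOID"; }
}

// Constructed sample data: one issuer, one rogue signer, one report.
const issuer = generateKeyPairSync("ed25519");
const rogue = generateKeyPairSync("ed25519");
const pinned = [exportKey(issuer.publicKey)];
const genuine = signReport({ scope: "demo-app", score: 71, findings: ["ASR-1"] }, issuer);
const inflated = { ...genuine, payload: { ...genuine.payload, score: 99 } };
const resigned = signReport(inflated.payload, rogue); // valid signature, unpinned key
const reordered = { ...genuine, payload: { score: 71, findings: ["ASR-1"], scope: "demo-app" } };

console.log(verifyReport(genuine, pinned), verifyReport(inflated, pinned),
            verifyReport(resigned, pinned), verifyReport(reordered, pinned));
```

The `reordered` case shows why canonicalization matters: the same payload with its keys in a different order still verifies, because the verifier rebuilds the bytes rather than trusting the file's layout.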
Get a report like this for your application.
A scoped audit that ends in one signed object your buyer verifies in their own browser. The four to eight week review compresses to days.
kolm.ai/verify · drop report.json · seal: VALID