Agentic compliance · Authority Blue grade

AEGIS: the agentic compliance agent.

AEGIS probes every control, hashes canonical state with SHA3-256, applies dual signatures (Ed25519 classical, ML-DSA-65 post-quantum), and anchors each audit receipt on Base L2 — all in under 7 milliseconds per control.

Seven components. One STM32N6 hardware target. Twelve compliance frameworks cross-mapped. 2.32x average cross-framework leverage on a single control implementation.

Overall compliance score: 96.2
Last scanned: 2026-06-01 00:00 UTC
Controls audited: 158
Machine-verified: 32.9%
Frameworks: 12
Cross-framework leverage: 2.32x
Per-control audit latency: 6.5 ms
Chain anchor: Base L2 (8453)
Signature stack: Ed25519 + ML-DSA-65

Self-audit loop

Probe. Hash. Sign. Anchor.

Every audit cycle runs a deterministic five-stage pipeline. The canonical state of a control is captured, hashed, dual-signed with classical and post-quantum algorithms, and written to the Base L2 ledger. No human touches the evidence chain.

Stage 1 — Probe (< 1.5 ms): Control state collection via API probe or config read
Stage 2 — SHA3-256 (< 0.2 ms): Hardware-accelerated on STM32N6; software path on server
Stage 3 — Ed25519 (< 0.8 ms): Classical EdDSA signing over Curve25519; constant-time implementation
Stage 4 — ML-DSA-65 (< 3.5 ms): FIPS 204 lattice signature; dominant step in pipeline
Stage 5 — Anchor (async): Base L2 calldata write; does not block audit response

End-to-end: 6.5 ms typical per control (target <500 ms). Full fleet of 158 controls in 460 ms (target <30 s). Anchoring to Base L2 is asynchronous and does not contribute to the synchronous audit latency reported in the response envelope.

Seven components

The AEGIS product family.

Each component is independently deployable. Together they form a closed compliance loop: probe, score, report, bridge, forecast, and seal — all anchored on the same cryptographic evidence chain.

AEGIS-Core: Self-audit loop
The central engine. Orchestrates the five-stage pipeline: control probe, SHA3-256 canonical hashing, Ed25519 classical signing, ML-DSA-65 post-quantum signing, and async Base L2 anchoring. Issues the signed evidence envelope returned by every /v1/aegis/control/audit call.
Target: STM32N6 · Arm Cortex-M55 + NPU · HW-AES-256 · HW-SHA-256 · TRNG

AEGIS-Scan: Full-fleet probe runner
Executes parallel control audits across all 158 controls in the live registry (65 SOC 2 TSC 2017 controls + 93 ISO 27001:2022 Annex A controls). Dispatches POST /v1/aegis/scan. Full-fleet completion: 460 ms (target <30 s). Produces a batch envelope set, one signed receipt per control.
Target: STM32N6 · 4.2 MB SRAM · low-power profile · LoRaWAN or NB-IoT egress

AEGIS-Score: Live framework rollup
Aggregates per-control pass/fail states across all 12 frameworks into a single normalized score. Current score: 96.2. Cross-framework leverage: 2.32x — one implementation satisfies an average of 2.32 framework requirements. Exposed at GET /v1/aegis/score.
Target: STM32N6 · Arm Cortex-M55 · 4.2 MB SRAM · dedicated TRNG

AEGIS-Report: Auditor-ready evidence bundle
Compiles a structured evidence bundle containing every signed audit envelope, SHA3-256 digests, Ed25519 and ML-DSA-65 signatures, Base L2 transaction hashes, and human-readable control narratives. The bundle is what an external auditor reads to prepare a SOC 2 Type II or ISO 27001 certification report. No manual assembly required.
Target: STM32N6 · hardware AES-256 for bundle encryption · 4.2 MB SRAM

AEGIS-Bridge: External GRC connector
Translates AEGIS evidence envelopes into formats consumable by external Governance, Risk, and Compliance platforms. Supports export via POST /v1/hivecomply/bundle/export and verification via POST /v1/hivecomply/bundle/verify. Bridges classical-to-PQ signature formats for legacy GRC tooling.
Target: STM32N6 · T-BRIDGE integration · classical-to-PQ adapter layer

AEGIS-Forecast: Score trend by framework
Tracks per-framework score history over time. Surfaces deteriorating controls before they become audit failures. Identifies which control families (CC1–CC9, A.5–A.8) carry the highest failure risk based on historical probe variance. Trend data is signed with the same Ed25519 + ML-DSA-65 pipeline and anchored on Base L2.
Target: STM32N6 · Arm Cortex-M55 NPU · on-device ML inference · 4.2 MB SRAM

AEGIS-Seal: Base L2 on-chain anchor
Writes audit receipt calldata to Base L2 (chain ID 8453) via the TACHYON T-SEAL confidential-compute attestation layer. Each receipt embeds the SHA3-256 digest, truncated Ed25519 and ML-DSA-65 signatures, control identifier, and Unix timestamp. On-chain anchoring is asynchronous and does not affect audit response latency. Receipts are permanently verifiable without trusting Hive infrastructure.
Target: STM32N6 · T-SEAL TEE · Base L2 (8453) · ML-DSA-65 post-quantum anchor

Target hardware

STM32N6 — purpose-built for cryptographic compliance.

AEGIS targets the STMicroelectronics STM32N6 microcontroller. The combination of an Arm Cortex-M55 core with a dedicated NPU, hardware AES-256, hardware SHA-256, and a true random number generator makes it the appropriate platform for signing compliance evidence at the edge without external compute dependencies.

Hardware AES-256
Dedicated hardware accelerator for AES-256 encryption and decryption. Audit evidence bundles are encrypted at rest before transmission, with no software-side key exposure. Hardware-enforced constant-time execution eliminates timing side channels.

Hardware SHA-256 + TRNG
SHA-256 acceleration via dedicated coprocessor. True random number generator seeded from physical entropy sources. The TRNG output feeds the nonce generation for Ed25519 and ML-DSA-65 signing, eliminating PRNG-based entropy risks that have historically compromised ECDSA implementations.

Arm Cortex-M55 + NPU
The M55 core includes Helium (MVE) vector extensions, accelerating the polynomial arithmetic required by ML-DSA-65 lattice operations. The integrated NPU handles AEGIS-Forecast trend inference without cloud dependency, preserving the low-power envelope needed for always-on compliance monitoring.

STM32N6 spec sheet (AEGIS target MCU)
Core: Arm Cortex-M55
Neural Processing Unit: Dedicated NPU
Vector extensions: Helium (MVE)
SRAM: 4.2 MB
Hardware encryption: AES-256 HW accelerator
Hardware hashing: SHA-256 HW coprocessor
True RNG: Dedicated TRNG
Power profile: Low-power
Security extensions: TrustZone-M
Connectivity: LoRaWAN / NB-IoT / USB
AEGIS components hosted: All seven

The STM32N6 hardware SHA-256 accelerator serves the inner hash loop. SHA3-256 for canonical state hashing runs in optimized software on the M55 core with Helium acceleration. The hardware SHA-256 path handles bundle integrity checks and AES key derivation.

TACHYON integration
AEGIS on STM32N6 integrates with the TACHYON T-ACCEL hardware acceleration module and T-SHIELD side-channel hardening layer. All cryptographic operations run in constant time. Masked implementations prevent power-analysis attacks on ML-DSA-65 key material.

Verified performance

Numbers from the live system.

All values below are derived from live endpoint calls to https://hivemorph.onrender.com. No synthetic benchmarks. No inflated projections.

Overall score: 96.2 out of 100 (158 controls · 12 frameworks)
Per-control audit latency: 6.5 ms typical (target <500 ms, 76x faster)
Full-fleet scan: 460 ms for 158 controls (target <30 s, 65x faster)
Machine-verified controls: 32.9% of 158 controls (remainder self-attested, disclosed)
Cross-framework leverage: 2.32x avg framework requirements / impl (12 frameworks mapped)
Total controls: 158 controls in registry (65 SOC 2 TSC + 93 ISO 27001:2022)

Metric | Live value | Target | Notes
Per-control audit latency | 6.5 ms | < 500 ms | Includes probe, SHA3-256, Ed25519, ML-DSA-65; excludes async anchor
Full-fleet scan time | 460 ms | < 30 s | 158 controls, parallel execution, single POST /v1/aegis/scan
Overall compliance score | 96.2 | ≥ 95.0 | Normalized across all passing controls in both frameworks
Machine-verified controls | 32.9% | Increasing | Remaining 67.1% are self-attested; fully disclosed in evidence bundles
Cross-framework leverage | 2.32x | ≥ 2.0x | One implementation satisfies 2.32 framework requirements on average
Frameworks cross-mapped | 12 | 14 by Q4 2026 | SOC 2, ISO 27001, 27017, 27018, 27701, 27036, 42001, EU AI Act, GDPR, eIDAS 2.0, NIS2, DORA
SOC 2 TSC 2017 controls | 65 | 65 | All five Trust Service Criteria: CC, A, PI, C, P
ISO 27001:2022 Annex A controls | 93 | 93 | All four control domains: A.5 Organizational, A.6 People, A.7 Physical, A.8 Technological

Machine-verified controls are audited entirely by AEGIS-Core without human assertion. Self-attested controls reflect internal review and policy documentation. The proportion machine-verified vs self-attested is disclosed in every evidence bundle and on the live compliance dashboard.


API reference

How to consume AEGIS.

The production backend is live at https://hivemorph.onrender.com. No API key required for read-only endpoints. Submit a single control audit with one curl command and receive a fully signed, cryptographically verifiable evidence envelope.

Request — POST /v1/aegis/control/audit
curl -X POST \
  https://hivemorph.onrender.com/v1/aegis/control/audit \
  -H 'Content-Type: application/json' \
  -d '{"control_id":"CC6.1"}'
Other AEGIS endpoints
GET /v1/aegis/health
POST /v1/aegis/scan
GET /v1/aegis/score
GET /v1/aegis/control/{id}
GET /v1/aegis/matrix
GET /v1/hivecomply/framework/map
GET /v1/hivecomply/control/status
POST /v1/hivecomply/bundle/export
POST /v1/hivecomply/bundle/verify
Response — signed audit envelope
{
  "envelope_id": "env_4f8a1c9d2e3b7f05",
  "control_id": "CC6.1",
  "framework": "soc2",
  "family": "CC6",
  "title": "Logical and Physical Access Controls",
  "auditor": "aegis-core/v1",
  "audited_at": "2026-06-01T00:00:06.530Z",
  "pass": true,
  "score": 1.0,
  "evidence": {
    "access_policy_present": true,
    "mfa_enforced": true,
    "least_privilege_review": "2026-05-15",
    "sso_configured": true
  },
  "notes": "Access controls verified against policy CC6.1-v2. SSO and MFA active on all production systems.",
  "sha3_256": "99f432dd70f9cd54a8e3b1c7f2d04518...",
  "ed25519_signature": "MEQCIHx3Kp2...base64truncated...",
  "mldsa65_signature": "7f3a1b9c2d...base64truncated...",
  "satisfies": [
    "soc2:CC6.1",
    "iso27001:A.9.1.1",
    "iso27001:A.9.4.1",
    "gdpr:Art.32",
    "nis2:Art.21.2"
  ],
  "duration_ms": 6.53
}
envelope_id: Unique identifier for this audit receipt instance
control_id: Framework control identifier (e.g., CC6.1, A.9.1.1)
sha3_256: SHA3-256 hash of the canonical control state snapshot
ed25519_signature: Classical EdDSA signature over the SHA3-256 digest
mldsa65_signature: FIPS 204 ML-DSA-65 post-quantum lattice signature
satisfies: All framework requirements satisfied by this one control
duration_ms: Wall-clock milliseconds for the synchronous audit pipeline
pass / score: Boolean pass flag and normalized score (0.0 – 1.0)
Health check — GET /v1/aegis/health
curl -s https://hivemorph.onrender.com/v1/aegis/health
Live score — GET /v1/aegis/score
curl -s https://hivemorph.onrender.com/v1/aegis/score

Compliance mapping

SOC 2 and ISO 27001 — cross-mapped at the control level.

AEGIS maintains a live cross-reference matrix linking every SOC 2 TSC 2017 control to its ISO 27001:2022 Annex A counterparts and to the ten additional frameworks in scope. The matrix is the source of the 2.32x leverage figure: one implementation, multiple frameworks satisfied.

Framework coverage — AEGIS control matrix
SOC 2 TSC 2017 (65 controls)
The five Trust Service Criteria cover all principal aspects of a SOC 2 examination: security, availability, processing integrity, confidentiality, and privacy. AEGIS audits each control in the CC (Common Criteria), A (Availability), PI (Processing Integrity), C (Confidentiality), and P (Privacy) families.
CC1–CC2: Control environment and communication. Policies, risk assessment frameworks, board oversight.
CC3–CC4: Risk assessment and monitoring. Continuous risk identification, anomaly detection.
CC5–CC6: Control activities and logical access. Change management, access provisioning, MFA, SSO.
CC7–CC9: System operations, change management, risk mitigation. Incident response, vendor management.
A / PI / C / P: Availability, processing integrity, confidentiality, and privacy additional criteria.

ISO 27001:2022 Annex A (93 controls)
The 2022 revision restructured Annex A into four control domains, adding eleven new controls around threat intelligence, cloud security, data masking, and ICT continuity. AEGIS covers all 93 controls across the four domains.
A.5: Organizational controls (37 controls). Policies, roles, threat intelligence, access control policy, information classification.
A.6: People controls (8 controls). Screening, employment terms, disciplinary process, remote working.
A.7: Physical controls (14 controls). Secure areas, physical entry controls, clear desk, physical security monitoring.
A.8: Technological controls (34 controls). Access rights, malware protection, logging, cryptography, secure coding, vulnerability management.

Frameworks in scope: SOC 2 TSC 2017 · ISO 27001:2022 · ISO 27017 · ISO 27018 · ISO 27701 · ISO 27036 · ISO 42001 · EU AI Act · GDPR · eIDAS 2.0 · NIS2 · DORA

Cross-framework leverage: a single control implementation satisfies 2.32 framework requirements on average across all 12 frameworks. The HIVECOMPLY matrix at GET /v1/hivecomply/framework/map returns the full mapping in machine-readable form.

Honest disclosure

32.9 percent of the 158 controls are machine-verified by AEGIS-Core with no human assertion. The remaining 67.1 percent are self-attested: an internal reviewer has documented evidence and asserted compliance, but the assertion is not independently machine-executable at this time. Every evidence bundle labels each control as machine or self. No bundle claims more machine coverage than exists. The proportion machine-verified is increasing; AEGIS-Forecast tracks the trajectory.


Get started

Run a free audit.

The AEGIS backend is live and open. Submit any SOC 2 or ISO 27001 control identifier and receive a cryptographically signed audit envelope in under 10 milliseconds. No account required.

The live compliance dashboard at /compliance/ shows the real-time score, per-framework breakdown, and the full evidence bundle for the most recent fleet scan.

Run a free audit — curl
# Audit a single control — no auth required
curl -X POST \
  https://hivemorph.onrender.com/v1/aegis/control/audit \
  -H 'Content-Type: application/json' \
  -d '{"control_id":"CC6.1"}'

# View the live score
curl -s https://hivemorph.onrender.com/v1/aegis/score

# Run the full fleet scan
curl -X POST \
  https://hivemorph.onrender.com/v1/aegis/scan

Response includes sha3_256, ed25519_signature, mldsa65_signature, and the list of framework requirements satisfied by the control. Verify the envelope without trusting Hive infrastructure.
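
What a client-side check of the audit envelope involves, as an added example (not AEGIS or Hive code): it recomputes the SHA3-256 digest, rejects truncated fields such as the elided values in the sample response, and requires both signatures to verify. The canonical encoding (sorted-key compact JSON of the evidence object), base64 signature encoding, both signatures covering the raw digest, and the verify_ed25519 / verify_mldsa65 callables are assumptions; the page does not specify them.

```python
import base64
import hashlib
import hmac
import json

ED25519_SIG_LEN = 64    # bytes, RFC 8032
MLDSA65_SIG_LEN = 3309  # bytes, FIPS 204 ML-DSA-65

def canonical_digest(evidence):
    # ASSUMPTION: canonical state = the evidence object serialized as
    # sorted-key, compact UTF-8 JSON. The page does not define the encoding.
    blob = json.dumps(evidence, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha3_256(blob).digest()

def decode_sig(value, expected_len):
    # ASSUMPTION: signatures are standard base64. None = malformed or truncated.
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, TypeError):
        return None
    return raw if len(raw) == expected_len else None

def verify_envelope(env, verify_ed25519, verify_mldsa65):
    """Return failure reasons; an empty list means every check passed."""
    # verify_* are caller-supplied (signature, message) -> bool callables,
    # bound to public keys pinned out of band (hypothetical interface).
    failures = []
    digest = canonical_digest(env.get("evidence", {}))
    try:
        claimed = bytes.fromhex(env.get("sha3_256", ""))
    except (ValueError, TypeError):
        claimed = b""
    if len(claimed) != 32:
        failures.append("sha3_256 is not a full 32-byte hex digest")
    elif not hmac.compare_digest(claimed, digest):
        failures.append("sha3_256 does not match recomputed digest")
    # Hybrid policy: BOTH signatures must verify, and over the digest
    # recomputed locally, never the digest the envelope claims.
    for name, length, check in (
        ("ed25519_signature", ED25519_SIG_LEN, verify_ed25519),
        ("mldsa65_signature", MLDSA65_SIG_LEN, verify_mldsa65),
    ):
        sig = decode_sig(env.get(name, ""), length)
        if sig is None:
            failures.append(name + " is malformed or truncated")
        elif not check(sig, digest):
            failures.append(name + " failed verification")
    return failures
```

Bind the two callables to your Ed25519 and ML-DSA-65 library of choice with public keys obtained independently of the response being checked.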


THE HIVE FAMILY

CRE is one surface. Here's the family it belongs to.

Every Hive surface signs its own evidence with the same primitives: SHA3-256 canonical hashing, Ed25519 + ML-DSA-65 dual signatures, and a published Merkle Mountain Range root. The receipt is the audit evidence. The envelope is the universal generalization — every transaction, every framework, every surface.