ALCOA+ AGENTGUARD · Live since 2026-05-08

Every clinical-trial event becomes an FDA-grade receipt — ALCOA+ compliant, signed twice, valid the day a regulator asks.

$200B+ global clinical-trial spend in 2026. Veeva Vault, Medidata Rave, Pfizer, Roche, and Novartis already have eTMF, EDC, and validation systems — none give them a post-quantum durability layer that survives a 15-year FDA inspection in 2041 when classical Ed25519 is broken. AgentGuard sits underneath them — every protocol amendment, every consent capture, every adverse-event report, every CRO data transfer, every database lock — captured as a dual-signed (Ed25519 + ML-DSA-65) receipt anchored to Base 8453, ALCOA+ compliant by construction.

Reach Steve See a verification

protocol→consent→screening→enrollment→dosing→adverse_event→ePRO_capture→CRO_transfer→query_close→database_lock→submission

The ROI on a single Phase III oncology trial

AgentGuard ingests events from any eTMF, EDC, CTMS, IRT, ePRO, or CRO data-transfer pipeline already in place. Every state transition becomes a dual-signed receipt with a chain pointer to its predecessor and the full ALCOA+ attribute set encoded as named fields. The numbers a Head of Data Integrity, a VP of Regulatory Affairs, or a CRO QA Director presents to the steering committee are these.

Global trial spend

$200B+

Global clinical-trial spend in 2026 per industry tracking from the IQVIA Institute. The receipt rail underneath that spend is the unit that survives a 2041 inspection.

FDA retention

15 yr

21 CFR 312.62 requires investigators to retain trial records for two years after marketing approval — in practice 15+ years from first dose. Ed25519 alone will not last that long; ML-DSA-65 will.

Cost to FDA approval

$2.6B

Average capitalized cost to bring a new drug to FDA approval per the Tufts Center for the Study of Drug Development. A receipt-anchored data integrity layer is rounding error against that number and the only thing standing between it and a CRL.

Single Form 483 cost

$10M+

Average sponsor cost of a single Form 483 finding when remediation, re-monitoring, re-submission, and approval delay are priced in. AgentGuard prevents the data-integrity findings that drive the bulk of 483s in clinical trials.

PQ horizon

2041

Year a 2026-issued ML-DSA-65 (NIST FIPS 204) signature still verifies on a laptop with no internet — in front of an FDA inspector pulling records from a closed-out trial. Ed25519 alone does not make that bet.

ALCOA+ coverage

9 of 9

All nine ALCOA+ attributes — Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, Available — encoded as named fields in every receipt envelope per the FDA data integrity guidance and EMA Annex 11.

A sponsor running ten active Phase II/III programs with roughly 50,000 evaluable subjects spends on the order of $500K–$2M / year on AgentGuard receipts at the Sponsor tier — against a single Form 483 data-integrity finding that already costs an eight-figure remediation cycle and a six-month delay to approval. The unit math defends itself.

Contents

Receipt rail, not an EDC
A 2031 Form 483 averted in 90 seconds
Live verification — what an inspector sees
Standards — what AgentGuard adds
3-step integration path
The 11 MCP tools
The trial-event envelope
What this is not
Pricing
Field map

For sponsor data integrity, regulatory affairs, CRO QA, and FDA inspection-readiness

For sponsor data integrity teams, regulatory affairs, CRO QA leads, and FDA inspection-readiness officers. AgentGuard does not replace Veeva Vault or Medidata Rave. It runs as a horizontal receipt layer underneath them — every state transition becomes ALCOA+ evidence the FDA can self-verify under 21 CFR Part 11 without trusting the sponsor’s word.

Receipt rail, not an EDC

EDC vendors hold the case-report-form data and validate against the protocol. eTMF vendors hold the trial master file documents. CTMS vendors hold the operational state. AgentGuard does none of those. It produces the cryptographically-anchored ALCOA+ receipt that proves a recorded clinical-trial event happened the way the sponsor says it did — from the protocol amendment that authorized it, through every consent, screening, dosing, adverse-event report, ePRO capture, and CRO transfer that touched it, to the database lock and FDA submission. That separation is the point.

LAYER 3

Sponsor and CRO operations — Veeva Vault eTMF, Medidata Rave EDC, Oracle InForm, IQVIA, Parexel, ICON, Labcorp, Pfizer, Roche, Novartis, Merck, AstraZeneca. Protocol design, site management, monitoring, statistical programming, submission.

LAYER 2

AgentGuard receipt rail. Dual-signed lifecycle receipts — protocol, consent, screening, enrollment, dosing, adverse_event, ePRO_capture, CRO_transfer, query_close, database_lock, submission — aligned to ALCOA+, 21 CFR Part 11, ICH E6(R3) GCP, ICH E2B(R3), CDISC SDTM / ADaM, HL7 FHIR R5, EU AI Act Article 26.

LAYER 1

Base 8453 anchoring · Ed25519 (RFC 8032) + ML-DSA-65 (NIST FIPS 204) · USDC settlement via x402 · CBOR-canonical envelopes.

Every sponsor, CRO, and academic medical center produces the same kind of evidence under different vendor names. The evidence is platform-neutral — that is what makes it defensible to an FDA inspector under 21 CFR Part 11, to an EMA inspector under Annex 11, or to an MHRA inspector with no network access in 2041.

How a Form 483 finding gets prevented in a 2031 FDA inspection

A specific, narrated example. A 2026 Phase III oncology trial enrolls patient #847 at a community oncology site. Five years later, in 2031, the FDA arrives for a pre-approval inspection. The inspector picks one subject at random and asks: prove this patient consented to the v3.2 protocol amendment that was active on the day of consent. The clock is the only thing that matters now.

2026 enrollment. A 2026 Phase III oncology trial enrolls patient #847 at a community oncology site. The site is using an AI-assisted eligibility-screening agent integrated into the EDC.

Consent captured by AI agent at the site. The agent walks the patient through the v3.2 protocol consent form. Patient signs the e-consent. agentguard_consent_attest fires with the patient DID, IRB version hash, AI agent DID, and the site investigator DID. Dual signatures applied. Anchor on Base 8453.

AgentGuard records the consent_attest. Receipt binds patient DID + IRB version hash (v3.2) + IRB approval date + AI agent DID + investigator DID + protocol_amendment_effective_date. ALCOA+ envelope is fully populated. chain_length threads to the screening event.

2031 FDA inspection. Inspector picks subject #847 at random and asks the sponsor to prove the patient consented to the v3.2 protocol on the day of consent. The sponsor opens AgentGuard.

Inspector pulls chain_verify. AgentGuard returns the consent receipt and the full chain back to the protocol amendment receipt. ML-DSA-65 still verifies in 2031 against the issuer’s archived public key. ALCOA+ envelope shows Attributable (patient + investigator + AI agent DID), Contemporaneous (Base 8453 anchor block timestamp matching the day-of-consent), Original (no rewrite history on the chain), Accurate (IRB version hash matches v3.2), Complete (all 9 attributes present), Consistent (schema version locked), Enduring (PQ signature still valid), Available (endpoint live).

Form 483 averted. Inspector accepts the receipt as primary evidence under 21 CFR Part 11. No data-integrity finding. No Form 483. No remediation cycle. $10M+ cost avoided. Same chain answers a future EMA inspection, MHRA inspection, or product-liability discovery without re-collection — the receipt is the evidence.

Live verification — what an inspector sees

The envelope is CBOR-canonical and verifies offline against the issuer’s published public keys — no Hive call required at verification time. The panel below is the same shape every FDA, EMA, MHRA, or PMDA inspector renders, with the full ALCOA+ attribute grid encoded as named fields.

agentguard_chain_verify · trial_id = NCT0X-2026-ONC-PIII · subject = 847 VERIFIED

// CBOR-canonical clinical-trial consent_attest envelope, JSON-rendered { "receipt_id": "01J5K-AG-CONSENT-847C2A", "trial_id": "NCT0X-2026-ONC-PIII", "event_kind": "consent_attest", "subject": { "usubji_d": "NCT0X-2026-ONC-PIII-847", "did": "did:hive:subject:0xa19c…7d41" }, "investigator_did": "did:hive:investigator:0x88f3…c104", "ai_agent_did": "did:hive:agent:eligibility:0x4e21…b8c0", "protocol_version": "v3.2", "irb_version_hash": "sha256:9b2f7c…a14d", "alcoa": { "attributable_did": "did:hive:subject:0xa19c…7d41", "legible_format": "cbor-canonical/json-rendered", "contemporaneous_anchor_ts": "2026-05-08T14:11:42Z", "original_payload_hash": "sha256:71d3ea…ff04", "accurate_validation": "irb_version_hash == v3.2", "complete_required_fields": 9, "consistent_schema": "agentguard.consent.v1", "enduring_signature": "ml-dsa-65 + ed25519", "available_endpoint": "https://hivemorph.onrender.com/v1/alcoa-agentguard/chain_verify" }, "prior_attestation_id": "01J5K-AG-PROTOCOL-v3.2", "chain_length": 3, "anchor_chain": "base-8453", "anchor_txid": "0xb7e1…9c40", "sig_ed25519": "4c7d…e211", // RFC 8032 "sig_mldsa65": "f9a1…3d04" // NIST FIPS 204 }

[ok] Ed25519 signature valid · issuer key fingerprint k1:8c2a…

[ok] ML-DSA-65 signature valid · issuer key fingerprint kq:b71d…

[ok] Chain reconciled · protocol → consent verified offline · ALCOA+ 9 / 9 attributes present

[ok] VERIFIED · OFFLINE · ALCOA+ COMPLETE · 21 CFR Part 11 evidentiary record

That panel is the entire product surface an FDA inspector or a 21 CFR Part 11 compliance officer needs. No demo. No login. The evidence is its own proof, and the proof works in fifteen years on a laptop with no internet.

Standards — what AgentGuard adds

Every existing clinical-trial standard answers a different question. AgentGuard does not replace any of them — it adds the cryptographic binding that makes each one defensible after the fact, including against quantum-capable adversaries in 2041.

Standard	Coverage	What AgentGuard adds
21 CFR Part 11	FDA electronic records and electronic signatures	Cryptographic non-repudiation per record, not per system login
ALCOA+ (FDA + EMA + MHRA)	Data integrity attributes — Attributable, Legible, Contemporaneous, Original, Accurate + Complete, Consistent, Enduring, Available	All 9 attributes encoded as named fields in the receipt envelope
ICH E6(R3) GCP	Good Clinical Practice — sponsor, investigator, IRB, monitoring obligations	Per-event consent and amendment receipts with effective-date clock-start
ICH E2B(R3)	Adverse event reporting transmission standard	Native receipt for SUSAR / SAE / IRB notification
21 CFR 312.62	Investigator records retention — two years post-approval, in practice 15+ years	15-year durability via ML-DSA-65 anchor on Base 8453
CDISC SDTM / ADaM	FDA submission data tabulation and analysis dataset standards	Receipt-anchored audit trail per dataset, per domain, per row hash
HL7 FHIR R5	Healthcare data exchange resources, including clinical-trial extensions	Native FHIR Provenance + AuditEvent mapping for every receipt
EU AI Act Article 26	High-risk AI system obligations, including AI in medical devices	Decision-level provenance for AI-assisted enrollment, eligibility, and AE coding

3-step integration path

Send the webhook. Send Veeva Vault, Medidata Rave, or Oracle InForm webhook to https://hivemorph.onrender.com/v1/alcoa-agentguard/[event]_attest. One sidecar per environment. No protocol amendments, no SDV changes, no monitor-visit changes.

Store the returned receipt_id in the eTMF as a 21 CFR Part 11 audit record. Veeva Vault, Florence eBinders, MasterControl, or any eTMF that already accepts a Part 11 audit field. The receipt id round-trips with the source event without changing the source schema.

Verify any time via https://hivemorph.onrender.com/v1/alcoa-agentguard/chain_verify?trial_id=… — FDA inspectors, EMA inspectors, MHRA inspectors, sponsor QA, and CRO QA all run the same call. Both signatures verify offline against the issuer’s published public keys. ALCOA+ obligations resolve from the same chain without re-collection.

The 11 MCP tools

Tool	Purpose
`agentguard_protocol_attest`	Attest a protocol or protocol-amendment event with sponsor DID and IRB version hash.
`agentguard_consent_attest`	Attest an e-consent event with subject DID, investigator DID, and IRB version hash.
`agentguard_enrollment_attest`	Attest enrollment / randomization with eligibility-class hash and AI agent DID if applicable.
`agentguard_dosing_attest`	Attest a dosing event with kit id, lot id, and administration timestamp.
`agentguard_adverse_event_attest`	Attest a SAE / SUSAR / AE per ICH E2B(R3) with MedDRA preferred-term binding.
`agentguard_data_transfer_attest`	Attest a CRO ↔ sponsor data transfer with payload hash and recipient DID.
`agentguard_database_lock_attest`	Attest a database-lock event with full SDTM dataset hash set.
`agentguard_chain_verify`	Verify the full lifecycle chain for a trial / subject — protocol through submission.
`agentguard_alcoa_audit`	Return the 9-attribute ALCOA+ audit grid for any receipt.
`agentguard_pricing`	Read live pricing surface.
`agentguard_health`	Health probe.

Eleven tools, all live in production. Contact for MCP integration credentials and the full well-known manifest.

The trial-event envelope

Every agentguard_*_attest call returns an envelope containing receipt id, trial id, event kind, subject (USUBJID + DID), investigator DID, AI agent DID where applicable, protocol version, IRB version hash, the full nine-field ALCOA+ attribute grid, prior-attestation id, Base 8453 anchor txid, and dual signatures (Ed25519 + ML-DSA-65). The signatures bind every field. Any tamper attempt invalidates verification.

The envelope is CBOR-canonical. Verification works offline against the issuer’s published public keys. ML-DSA-65 (NIST FIPS 204) is the post-quantum signature; Ed25519 (RFC 8032) provides classical assurance. Both must verify for the receipt to be valid. Receipts remain valid through key rotation via signed key history, so a 2026 consent is still defensible in a 2041 FDA inspection.

What this is not

Calibrated expectations are part of the product. AgentGuard is narrow on purpose.

NOT

An EDC. Case-report-form data and protocol validation belong to Medidata Rave, Oracle InForm, Veeva CDMS, Castor, and Clinical Conductor.

NOT

An eTMF. Trial master file documents and Part 11 e-signature workflow belong to Veeva Vault, Florence eBinders, and MasterControl.

NOT

A CTMS. Site management, enrollment forecasting, monitoring visit tracking, and budget reconciliation belong to Veeva CTMS, Medidata, and Oracle Siebel CTMS.

NOT

An IRB system. Ethics review, expedited review, and continuing review belong to Advarra, WCG, and academic IRB-of-record systems.

NOT

Medical advice. AgentGuard is data integrity infrastructure. Clinical decisions belong to the investigator and the medical monitor.

NOT

A regulatory filing service. eCTD assembly, gateway submission, and Module 2 / 5 authoring belong to the regulatory operations team.

The horizontal ALCOA+ receipt rail underneath the entire clinical-trial data graph. Sponsors, CROs, sites, IRBs, eTMF, EDC, CTMS, IRT, ePRO, and AI-assisted clinical-operations agents all run cleaner with a dual-signed receipt under each lifecycle transition.

Pricing

Tier	Unit	Annual band	Fit
Per-event	$0.50 / receipt	metered	Pilot trials and adaptive Phase I
Site	$25,000 / yr / site	flat	Unlimited receipts, dedicated sub-account
Sponsor	$500,000 / yr	flat	Multi-trial, multi-site, dedicated FDA liaison
Big Pharma	$5,000,000 / yr	flat	Global portfolio, 21 CFR Part 11 inspection-readiness affidavit on file

Per-event pricing fits adaptive Phase I and pilot programs. The $25K Site tier fits academic medical centers and community oncology networks. The $500K Sponsor tier fits mid-cap biotech and regional pharma. The $5M Big Pharma tier fits Pfizer, Roche, Novartis, Merck, AstraZeneca, J&J, Sanofi, GSK, and AbbVie portfolio scope and includes a 21 CFR Part 11 inspection-readiness affidavit on file. Settlement: USDC on Base 8453 via x402. Treasury 0x15184Bf50B3d3F52b60434f8942b7D52F2eB436E exists. Receipts settle in seconds; invoicing is monthly net-30 by default.

Field map

AgentGuard binds every clinical-trial lifecycle transition to a dual-signed receipt that drops cleanly into existing CDISC SDTM, HL7 FHIR R5, Veeva Vault API, and Medidata Rave API pipelines. Each call accepts the correlation fields below; the envelope round-trips through standard JSON / CBOR transports via the Hive Receipt primitive.

Source field	Source standard	Maps to AgentGuard receipt field
`USUBJID`	CDISC SDTM DM domain	`receipt.subject.usubji_d` + `receipt.subject.did`
`STUDYID`	CDISC SDTM TS domain	`receipt.trial_id`
`IECAT`	CDISC SDTM IE domain	`receipt.eligibility_class`
`AEDECOD`	CDISC SDTM AE domain	`receipt.event.meddra_pt`
`EXTRT` + `EXDOSE` + `EXSTDTC`	CDISC SDTM EX domain	`receipt.dosing.{kit_id, dose, administered_at}`
`Provenance.recorded`	HL7 FHIR R5 Provenance	`receipt.alcoa.contemporaneous_anchor_ts`
`AuditEvent.agent.who`	HL7 FHIR R5 AuditEvent	`receipt.alcoa.attributable_did`
`Consent.policyRule`	HL7 FHIR R5 Consent	`receipt.irb_version_hash`
`vault__v.api.binder.id`	Veeva Vault Clinical API	`receipt.etmf_binder_id`
`rave.api.subject.audit_uuid`	Medidata Rave Web Services	`receipt.edc_audit_uuid`
`inform.api.transaction_id`	Oracle InForm RWS	`receipt.edc_audit_uuid`
`prior_attestation_id`	AgentGuard chain primitive	`receipt.prior_attestation_id`

Cross with HiveComply when SOC 2, HIPAA, GxP, or EU AI Act audits are in scope — HiveComply ingests AgentGuard receipts natively. Cross with Atticus when a product-liability or DOJ False Claims Act case escalates to litigation.

A real conversation, not a demo black hole

If you are a Head of Data Integrity, VP of Regulatory Affairs, CRO QA Director, or FDA Inspection-Readiness Officer who has already done the math on the cost of a single Form 483 finding and the 15-year retention horizon, the fastest path is a direct note. No qualification gate, no SDR. Steve reads them.

Reach Steve See a verification

Live since 2026-05-08 · 11 MCP tools · ALCOA+ / 21 CFR Part 11 / ICH E6(R3) / ICH E2B(R3) / CDISC / FHIR R5 / FIPS 204 compatible · Dual-signed (Ed25519 + ML-DSA-65) · Settles USDC on Base 8453

Frequently asked

Questions buyers actually ask

What does AgentGuard attest?

Every clinical-trial state — protocol, consent, screening, enrollment, dosing, adverse_event, ePRO_capture, CRO_transfer, query_close, database_lock, submission — is bound to a dual-signed (Ed25519 + ML-DSA-65) post-quantum-ready receipt that an FDA inspector can verify offline.

What is ALCOA+ compliance?

ALCOA+ is the FDA's data integrity standard: Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, Available. AgentGuard receipts are designed so that every attestation satisfies all nine attributes by construction.

Does AgentGuard replace Veeva Vault or Medidata Rave?

No. AgentGuard is the post-quantum durability layer underneath Veeva Vault, Medidata Rave, and Oracle InForm. Existing eTMF and EDC workflows continue unchanged; every state transition is additionally bound to a dual-signed receipt.

Is AgentGuard 21 CFR Part 11 ready?

Yes. 21 CFR Part 11 requires electronic records and signatures to be trustworthy, reliable, and equivalent to paper records. Dual-signed (Ed25519 + ML-DSA-65) AgentGuard receipts are designed to meet that standard with explicit chain-of-custody enforcement.

How long are signatures valid?

ML-DSA-65 (NIST FIPS 204) is the post-quantum signature; Ed25519 (RFC 8032) provides classical assurance. Both must verify for the receipt to be valid. Receipts remain verifiable for the regulatory retention life of the trial record.

What does AgentGuard cost?

Per-event pricing for ALCOA+-grade clinical trial receipts. Annual contract pricing for sponsors and CROs. Settlement is in USDC on Base 8453 via x402.

Hive runs the receipt rail underneath the broader A2A · agent-to-agent commerce category.