An independent, third-party signed-record and machine-readable provenance layer that comes alongside Cisco AI Defense, Cloud Control and AgenticOps, Zero Trust for agents, the Secure AI Factory with NVIDIA, AI-Aware SASE, and Splunk. Cisco builds, inspects, decides, and enforces; Hive turns selected inspection and enforcement events into a signed, portable proof object that survives outside the runtime — searchable and exportable in the Hive Ledger, groupable into a case-level proof vector, and independently verifiable offline. Hive comes alongside as the independent third party, so the proof carries the weight that only an outside signature can.
ML-DSA-65 · NIST FIPS 204 · machine-readable provenance · Hive Ledger · R3Pv case vectors · signing overhead measured separately from enforcement latency
Cisco Cloud Control, AgenticOps, the Deep Network Model, AI Defense, and Zero Trust for agents are a complete operating stack for running and defending agents. Hive slots in underneath it as the neutral, third-party layer that signs what each agent saw and decided — so the proof a regulator, a court, or a counterparty will accept comes from an independent source. It is the same principle behind every audited business: the strongest evidence is issued by a party that does not build, host, or profit from the decision it attests. That independence is exactly what Hive brings, and it is what lets Cisco hand a customer a clean, verifiable record without changing a line of its own stack.
Hive sits outside Cisco's stack with no stake in any verdict. We sign what the agent saw and decided, and our signature carries weight precisely because it comes from a separate party. That independence is something Cisco can offer its customers through us — a receipt that counts as evidence because the layer issuing it has nothing to gain from the answer. Cisco keeps the agent, the platform, and the customer; Hive supplies the impartial proof alongside it.
The same ML-DSA-65 receipt covers Cisco's Deep Network Model, a frontier model from OpenAI or Anthropic, or any third-party tool reached through the Cloud Control Marketplace. The receipt does not care who built the model — it binds the decision to its inputs and is verifiable offline against one published key. One independent layer, every vendor in the marketplace.
Cisco's own customers say they will give autonomous agents control only as they see consistent, verifiable results over time — not telemetry they have to take on faith. An independent, post-quantum receipt on every agent decision is what turns "trust it slowly" into "verify it instantly." Hive supplies that independent proof so Cisco can move customers off faith and onto evidence, faster.
The receipt layer is modality-agnostic. As Cisco's agents move from chat into documents, voice, video, and the network itself, the same independent attestation comes alongside — proving what happened, signed by a party with nothing to gain from the answer.
Every model response — provably from this model, unaltered.
Every extracted field, bound to its source, tamper-evident.
Every call signed as it streams, verifiable end to end.
Every frame-level inference, attributable and untampered.
Every policy and access decision on the fabric, independently attested.
Every third-party tool call through Cloud Control, signed on one receipt.
Certified third-party receipts
When an agent's work is signed by Hive, that work carries an independent, third-party certification of its receipts, verifiable offline against one published key. Cisco can expose a verification mark where it chooses — a visible signal the proof came from outside the stack, the same way an audited-financials seal tells the market the books were checked by an outside party.
Cisco keeps the control plane and the customer relationship: inspection, enforcement, AI Defense, identity and Duo, AI-Aware SASE, Splunk and the customer console and workflow. Nothing about how Cisco inspects, decides, or enforces has to change. Hive only signs the independent evidence boundary around what Cisco sees, decides, and enforces — so a selected event becomes a portable proof object. Cisco/Splunk logs stay the operational record; Hive receipts make selected events portable proof.
Cisco is rolling full-stack PQC onto its routing stack to protect the transport. Hive signs every AI inference with ML-DSA-65 — the same NIST FIPS 204 post-quantum signature standard — today. Cisco protects the packet. Hive protects the decision. Together that is end-to-end post-quantum: the wire and the judgment, both provable against a quantum adversary.
Industry-first full-stack post-quantum cryptography protecting the transport layer across the network — the packets agents send and receive.
Every model decision signed with ML-DSA-65 before the agent acts — the exact state the model saw, captured and sealed.
Wire plus decision, both post-quantum. A quantum-resilient record of not just what moved across the network, but what the AI actually decided.
Each item below is a published, measured fact. Together they make Cisco AI provable, faster, cheaper, and post-quantum native — without changing how Cisco builds or sells.
Every inference call cryptographically signed with ML-DSA-65 — the exact state the model saw, sealed before it acted. An audit-ready, portable evidence artifact, verifiable years later.
A lighter tier: sign the decision envelope and critical fields only, for ultra-high-volume paths where full-payload signing is overkill. A cost and coverage dial Cisco controls.
Signed first token at 112ms median, 145ms p90. Perceived first byte 59ms. Signing adds only 7ms.
Approximately $0.0000732 per signed call — roughly 8× cheaper than Together for the equivalent signed path. At Cisco scale the cost reads as noise.
Hive is designed to run beside the critical path, so signing overhead is measured separately from enforcement and runtime latency. On Hive's own benchmark the signing step adds about 7ms (see the canonical numbers) — provenance the end user or agent is not meant to feel.
ML-DSA-65 (NIST FIPS 204) for signatures, ML-KEM-768 (NIST FIPS 203) for key exchange — the NIST post-quantum standards behind Cisco's full-stack PQC, running on every Hive signature today.
AFiR-ARSC is the adaptive settlement controller on top of AFiR-S. It signs the high-risk evidence inline and settles everything else off the critical path, so provenance costs the user nothing they can feel. For Cisco it is two things at once: every regulated customer governing agents now has a forensic artifact they can take to court, and Cisco gets a usage-metered provable-citation tier to sell above the base signed path. Measured on the live ML-DSA-65 signer.
On a 9-fragment RAG query, only the grounding evidence signs inline. The rest settles off-path. Critical-path signing falls 77.8% — from 67.1ms to 14.9ms.
Off-path fragments aggregate under a Merkle root and anchor once per super-batch instead of once per query. On-chain anchor cost drops 99.8% at batch 500. Aggregation pays for itself.
Every retrieval→claim binding is signed before the answer ships, and load can never demote it. When a regulated customer is challenged, the citation guarantee already exists as an audit-ready, portable evidence artifact — no weeks-long reconstruction.
High-risk grounding and actions. Signed on the critical path before the model acts. $0.00008 per binding — the sue-proofing artifact.
Mid-risk fragments commit inline, sign off the critical path, anchor in the batch. $0.00002 per fragment — below the base AFiR-S rate.
Low-risk context and absence-of-evidence. Hash committed, anchor deferred to the next super-batch. Same $0.00002 aggregated rate — adoption no-brainer.
When we first walked through Cisco × Hive, the story was a single ML-DSA-65 receipt on each AI decision. In the weeks since, we extended the same signing core to the surfaces Cisco actually defends: real-time voice and call centers, document extraction, royalty and content provenance, and a pre-attestation gate that refuses an uncleared call before the model fires. Each of these is built, deployed, and signs live in a browser today. Each one attaches to a stated Cisco strategy.
Microsecond-class Ed25519 receipts off the hot path, PQ-finalized with ML-DSA-65 on session close. 11.59us measured control overhead against a 100us SLO — provenance the caller never hears. Built for HIPAA voice and PCI call centers, where PCI and PHI never land in the receipt. This is the missing record for Cisco's AI-aware SASE and contact-center estate.
Sign each extracted document field to its source region, model, and confidence. Wraps any OCR engine — Mistral OCR, AWS Textract. Move a bounding box one pixel and verification fails. One ML-DSA-65 receipt per document, redaction-compatible. For Cisco's regulated customers, the document-extraction step in any agentic workflow becomes audit-ready by default.
Signed Royalty-Provenance Receipt. Bind a fraud or AI-origin determination to its pro-rata pool effect before a royalty dollar moves. Independent, post-quantum, cross-platform — mint a live receipt in a browser. For Cisco's media and platform customers, this is the content-authenticity record their auditors and partners can verify offline.
A flight recorder proves what crashed. A clearance stops the takeoff. Four pre-conditions are checked and Ed25519-signed before the inference runs; an uncleared call is refused. Every other Hive primitive is a receipt after the fact — this is the control before it. It asserts policy, never legality. For Cisco AI Defense, this is the enforcement point its guardrails already want: not a verdict logged, a call that never ran.
Content-aware signed audio routing. Classify each segment, route silence and noise away from the frontier model, and sign the routing decision into the segment receipt. 60% of audio routed away from the expensive path — and provable that the compliant model handled every sensitive segment. This is the receipt Cisco's SASE inspection layer can attach to every routed tool call.
The same signing core drops onto Cisco's own access fabric: every DLP verdict, MCP tool call, and policy decision at the edge signed with ML-DSA-65 in 7ms — no added stack, audit-ready and offline-verifiable. Cisco's AI-aware SASE permits and routes the traffic; Hive turns each of those edge decisions into a signed, tamper-evident record native to the access layer.
Cisco inspects, decides, and enforces. Hive turns selected inspection and enforcement events into a signed, portable proof object — then makes it searchable, groupable into a case, and independently verifiable outside the runtime.
Every receipt lands in the Hive Ledger — a searchable, exportable, independently verifiable record of the Cisco AI and security events you choose to receipt. Cisco and Splunk stay the operational log; the Ledger is the portable proof of the events that matter.
Each receipt carries structured provenance: prompt, model, MCP tool, policy, decision, reason, response, identity, evidence pointer, and proof boundary. Not a screenshot of a log line — a machine-readable object your auditors, downstream tools, and customers can parse and verify.
Related inspection and enforcement events roll up into an R3Pv case-level proof vector — one bundle for incident response, audit, customer evidence, or regulated review. It carries verification depth, the weakest proof boundary in the case, healing state, and permitted next actions.
For enforcement events, Protected Flow emits a signed decision bound to the policy that produced it, the permitted next actions, and an evidence bundle. It quotes, it never settles — overrides can only be stricter, and it never reverses a finalized chain.
Where an AI or security event touches a payment, a tool call, or a cross-party handoff, Receipt Relay carries the receipt across boundaries with its proof-state intact — self-attested, relay-observed, or chain-verified.
Logs are the operational record inside Cisco. Receipts make selected events portable proof objects that survive outside the runtime — verifiable by a party who never had access to your Cisco console. Read the distinction →
A user, agent, or MCP tool call enters the Cisco-governed path.
→AI Defense, SASE, and identity inspect the request and reach a decision.
→The decision, the reason, and the policy that produced it are captured.
→Cisco permits, blocks, reroutes, or holds — the control plane stays Cisco's.
→Hive signs the inspection, decision, and proof boundary into one ML-DSA-65 receipt.
→The receipt lands in the Hive Ledger and rolls up into a case-level proof vector.
A receipt never over-claims. Each one carries an explicit proof-state, and a case carries forward the weakest proof boundary inside it — so a reviewer sees the true floor, not the best link. Why proof-state matters →
The event is signed where it happened. Authentic and tamper-evident, but attested by the party that produced it — the honest floor.
Cisco's inspection or relay path observed the event independently of the actor — a stronger boundary than self-attestation alone.
The receipt verifies offline against the signed record — a party who never had Cisco access can confirm it. The strongest boundary.
Each is a single, scoped path that produces a buyer-verifiable proof artifact. None requires a finalized integration or a change to Cisco's control plane.
Pick one inspection decision and emit a signed receipt with full machine-readable provenance for every verdict on that path.
Receipt a single MCP tool call — prompt, tool, policy, decision, reason, and response — as a portable proof object.
Export the receipts for one incident as an R3Pv case bundle that a reviewer can verify alongside the Splunk record.
Hand a customer or auditor a single receipt they can verify offline, without access to your Cisco console — proof that the whole model works end to end. See the sidecar control loop in AFiR as a sidecar →
The receipt is not paperwork — it is infrastructure. Once every high-risk decision carries independent proof, that proof-state becomes a surface Cisco can package, price, and sell: a premium trust tier, a compliance export, an insurer-grade evidence layer, and a machine-readable substrate other systems can query. This is where the primitive turns into revenue and a durable audit/trust moat.
One signed decision — inspection, verdict, or tool call — with full machine-readable provenance. The indivisible unit.
Related receipts grouped into a queryable vector — verification depth, weakest proof boundary, healing state, permitted next actions carried together. R3Pv →
A whole workflow held as a signed, policy-bound proof-state object — decision, permitted next actions, evidence bundle. Protected Flow →
Protected flows organized at estate scale — by geography, branch, jurisdiction, business unit, product line, site, agent class, SASE domain, payment rail, or regulatory perimeter.
Offer independent proof-state as a paid trust tier on top of enterprise security products — the customers who need to prove, not just log, opt in. Cisco keeps the control plane; the receipt layer is the upsell.
Group the receipts for an incident into an R3Pv bundle a SOC analyst — or an outside reviewer — can verify offline. The incident record stops being "our logs show" and becomes portable, independent evidence.
Receipt agent and MCP tool calls, SASE/network-policy decisions, and cloud-workflow verdicts. Every governed surface Cisco already inspects can emit a signed, portable proof object without changing enforcement.
Export a fleet's proof-state as an audit-ready bundle for cyber-insurers, regulators, or a customer's own auditors — verifiable without trusting Cisco's console. A recurring compliance-export surface, not a one-off report.
Expose a ledger-backed verification API so partners and downstream systems can check proof-state programmatically. The Hive Ledger becomes a trust substrate other agents and platforms query — a defensible position self-attested logs cannot hold.
Organize fleets by customer, geography, policy domain, agent class, or protected workflow — each a unit you can meter, govern, and attach a trust tier to. The organizing model is the packaging model.
A protected flow records the recovery path the system can genuinely offer, given the rail and where the event sits: a pre-broadcast stop or revoke; an escrow or quarantine hold; an issuer or custodian freeze where that integration exists; a counter-transfer; or evidence-only once settlement is final. It never implies a finalized public-chain transaction can always be reversed — the proof-state says exactly what is and is not recoverable.
Model your own fleet in the Proof-State Fleet calculator — enter scale and vertical, see receipt volume, R3Pv coverage, and the evidence bundles you can export. See also the independent record layer in Hive Ledger, cross-boundary carriage in Receipt Relay, and the reasoning in Proof-state for AI systems and Logs vs receipts.
This one is not a new signature — it is an orchestration enhancement that composes primitives Cisco already has on the page. While a governed call waits in queue, AFiR-Hayes runs that call's own Imprimatur clearance, finds its structural-reuse match, and pre-warms its route. When the scheduler legitimately re-orders — a batch boundary, a routing decision, a fault window — the calls that are already ready take the open lane. The gain scales with congestion: it helps Cisco's estate most exactly when it is most stressed, and every advancement is signed and attributable to that call's own productive wait. It never delays or alters another call.
At-gate latency drops ~6% at low load and up to ~76% under heavy congestion (measured over 5,000 calls, ~86% pre-clear hit rate). The win comes from cleared calls no longer waiting in line — not from touching the model or the compute. We come alongside Cisco's serving layer and remove governance latency from the critical path.
A call advances because it was ready — never because another was held back. The variance touches only a call's own readiness, and the wasted-speculation cost is reported in the receipt so it is provable, not hidden. Good actors get speed, provably, which composes with Imprimatur's reputation asset. This keeps Hive a provenance provider, not a scheduler exploit.
AFiR-Hayes adds nothing to the signed-primitive family. It is an orchestration layer over Imprimatur (pre-run clearance), Structural Lateration (pre-found match), Stream-Route (pre-warmed path), and AFiR-RCm (legitimate re-order). Hive does not make electrons faster or own the compute — it removes waiting from the critical path, alongside Cisco's stack.
Cisco's agentic security stack will govern billions of AI agent decisions across thousands of enterprise customers. When one goes wrong, reconstruction takes weeks and can carry seven-to-nine-figure liability. Hive makes each decision provable at the moment it happened. Model it below.
The hero number. For a trivial signing cost, Cisco makes enterprise-scale agent exposure provable.
Framing: for the signing cost on the right, Cisco makes the full annual exposure provable at the moment each decision happens.
Provable AI becomes a premium SKU Cisco attaches to AI Defense, Secure AI Factory, and Duo. A new revenue stream, not a cost line.
Honest split: Cisco keeps the lion's share. Hive's cut is small by design — we win when Cisco wins.
On Hive's own benchmark the signing step adds a fixed ~7ms, measured separately from enforcement and runtime latency. Set a model inference time and watch signing's share of total latency shrink.
Signing runs beside the critical path. On Hive's benchmark it is a fixed ~7ms regardless of model time.
For each Cisco initiative: the stated goal, the gap Hive fills, exactly how Hive ties in, and which value-stack items apply. Cisco is genuinely strong here — Hive completes the chain.
Cisco Cloud Control + AgenticOps
Humans and trusted agents act on the same evidence. Hive makes that evidence provable.
Cloud Control is the unified platform where humans and trusted AI agents manage, monitor, and defend critical infrastructure — the foundation of the AgenticOps operating model. Trusted agents spot trouble, diagnose, fix, test, and confirm recovery autonomously, working from the same live evidence in AI Canvas.
When a trusted agent acts on critical infrastructure, the record of what it saw and decided lives in Cisco's own telemetry. Hive comes alongside to add an independent, signed proof on top of that telemetry — the outside attestation an auditor or court accepts as evidence.
Hive signs each trusted-agent decision with an independent, post-quantum receipt — the exact state the agent saw, its action, and the policy applied. Cisco runs the agent; Hive issues the third-party receipt. The same evidence AgenticOps acts on becomes provable by an outside party.
Cisco AI Defense
Turn a runtime decision into a legal artifact.
Bring AI supply chain governance and runtime protections to agentic tool use. AI BOM and the MCP Catalog secure the supply chain; real-time agentic guardrails inspect every interaction; runtime protections integrate NVIDIA NeMo Guardrails.
When a real-time agentic guardrail allows or blocks, the verdict lives in telemetry — not in a cryptographic record that holds up later.
Hive signs every guarded decision: the exact input the model saw, the verdict, and the policy applied. A runtime allow or block becomes a signed legal artifact, reconstructable on demand.
Agentic Identity — Cisco Identity Intelligence, Duo, Astrix
Identity proves who. Hive proves what.
Secure non-human identities (NHIs). Cisco's intent to acquire Astrix Security folds NHI governance into Cisco Identity Intelligence, Secure Access, and Duo IAM, with Active Directory Defense extending Duo to on-prem identity.
Knowing the identity does not capture what that identity decided and did — the actions remain unsigned.
Astrix secures the non-human identity inside Cisco; Hive signs that identity's actions. Identity plus provenance equals a complete, non-repudiable chain of custody from who to what.
Cisco Secure AI Factory with NVIDIA
Standardized blueprint, standardized provenance.
Run AI at scale from central data centers to the factory floor. Cisco AI Defense secures NVIDIA's OpenShell runtimes in the NVIDIA Agent Toolkit, integrates NVIDIA NeMo Guardrails, and the Cisco Hybrid Mesh Firewall enforces policy on NVIDIA BlueField DPUs.
Tokens leave the factory at scale with no portable, signed proof of what produced them.
Hive drops into the Secure AI Factory blueprint as the provenance layer: every guardrail verdict and token carries a signed, post-quantum receipt. NVIDIA is the substrate; Hive makes the output provable by default.
AI-Aware Secure Access Service Edge (SASE)
Provenance becomes part of the access fabric.
AI-aware SASE with AI traffic optimization, MCP visibility, logging, and policy control, intent-aware inspection of interactions and tool requests, and unified policy enforcement across SD-WAN and SSE.
Each tool call and policy decision at the edge is permitted but not signed — no evidence trail at the access layer.
Hive signs each MCP tool call and policy decision at the edge as agents move through SASE. Provenance becomes a native property of access, not an afterthought.
Full-Stack Post-Quantum Cryptography on routing
Cisco protects the wire. Hive protects the decision. End to end.
IOS XE 26 on the Cisco 8000 Series Secure Routers and C9000 Series Smart Switches brings industry-first full-stack post-quantum cryptography (PQC) protections for the enterprise — protecting the transport against a quantum adversary.
PQC on the wire protects packets in motion, but the AI decision itself is not signed with a quantum-resilient scheme.
Hive already signs every inference with ML-DSA-65, the same NIST FIPS 204 standard. Cisco protects the transport; Hive protects the decision with identical post-quantum math. Wire plus decision, end-to-end post-quantum.
Digital Resilience + Splunk
Logs become court-grade evidence, not just telemetry.
Observe, log, and build digital resilience across the estate with Splunk — with Astrix agentic telemetry feeding Splunk for machine-speed detection and response.
Logs are observable but mutable — they are telemetry, not tamper-evident proof a regulator or court will accept.
Hive makes those logs cryptographically provable and tamper-evident. Signed receipts feed Splunk as court-grade evidence — the same data, now admissible.
Real-Time Voice, Contact Center, and AI-Aware SASE
Provenance the caller never hears — 11.59us off the hot path.
Cisco runs the enterprise voice and contact-center estate (Webex, contact center AI) and is building AI-aware SASE that inspects and routes agentic traffic in real time. Latency budgets here are microseconds, and the traffic carries PCI and PHI.
There is no signed record of a real-time voice decision or a routed segment — and any naive signing scheme adds latency a call cannot absorb, while risking PCI/PHI landing in the receipt.
AFiR-Stream signs voice and streaming with microsecond-class Ed25519 off the hot path (11.59us measured, 100us SLO), PQ-finalized on session close, with PCI and PHI structurally excluded from the receipt. AFiR-Stream-Route signs each routing decision and proves the compliant model handled every sensitive segment. Real-time provenance becomes native to the call.
Deep Network Model + Frontier Models
Cisco's model or anyone's model. The receipt is the same, and it is independent.
Cloud Control reasons with a mix of purpose-built and frontier models, led by Cisco's Deep Network Model grounded in 40 years of operational data, alongside frontier models from OpenAI and Anthropic and 50-plus third-party tools reachable through the Cloud Control Marketplace and MCP.
Across a mix of Cisco's own model, frontier models, and third-party tools, there is no single, model-agnostic record of what each one decided. Hive supplies one independent receipt that spans every model and vendor — the impartial source of proof that comes from outside the stack.
One ML-DSA-65 receipt format binds the decision to its inputs regardless of which model produced it — Deep Network Model, an OpenAI or Anthropic frontier model, or any Marketplace tool. Independent of every vendor, verifiable offline against one published key. The proof does not change when the model does.
The button below sends a Cisco-contextual decision to a live Hive signer and renders the real ML-DSA-65 envelope it returns. A working endpoint producing genuine NIST FIPS 204 signatures — watch the decision travel from agent to anchored, provable forever.
First call may take a few seconds to wake the endpoint from idle.
An honest read: Cisco genuinely owns identity and runtime protection. Hive completes the chain with the signed, post-quantum, audit-ready record.
| Agent identity | Runtime protection | Signed decision record | Audit-ready | Post-quantum decision layer | Provable years later | Signing overhead | |
|---|---|---|---|---|---|---|---|
| Cisco alone | Yes | Yes | — | — | — | — | — |
| Cisco + Hive | Yes | Yes | Yes | Yes | Yes | Yes | 7ms |
A Cisco-governed agent reaches a decision; Hive captures the exact state the model saw.
→Sealed with ML-DSA-65 in 7ms — the input, verdict, and policy, post-quantum.
→The receipt is anchored to Base Mainnet and settled in USDC. Tamper-evident.
→Reconstruct any decision in seconds — audit-ready years later, against a quantum adversary.
→I will bring the live signer, the canonical numbers, and a concrete map of where Hive drops into your roadmap. No deck theater — a working session on a real integration path.