Verifiable AI Provenance
Assessment Test

Measure your AI system's Auditability, Verifiability, and Regulatory Readiness with a standardized, score-based framework.

📊

Score-Based Assessment

10 criteria × 0-2 points = 20-point scale with continuous improvement tracking

🔒

Regulatory Alignment

Mapped to EU AI Act, MiFID II, SEC 17a-4, GDPR, and DORA requirements

📋

Evidence Pack

Generate downloadable assessment reports and structured evidence packages

🎯

Threshold Designations

Optional interpretive labels for procurement and regulatory reporting

"Verify, Don't Trust"

Evaluating whether audit trails for AI systems exist in a mathematically verifiable form.

Self-Assessment

Evaluate your AI system across 10 auditability criteria

Threshold Designations

  • EU AI Act Art.12/19 aligned (16+)
  • MiFID II RTS 25 aligned (14+)
  • Baseline Auditability (11+)

⚠️ Disclaimer: This is VAP-AT Level 1 (Self-Assessment Tool). Results are preliminary and not independently verified. Threshold Designations are interpretive labels, not legal compliance guarantees. This result is an assessment score and does not constitute regulatory approval or conformity determination.

Public Registry

Assessed entities with VAP-AT evaluations

Organization | System | Grade | Level | CAB | Valid Until | Status
Acme AI Corp | CreditScore AI v2.1 | Strong | Verified | TrustAudit GmbH | 2026-03-15 | Active
FinTech Solutions | RiskEngine Pro | Moderate | Verified | SecureCert Ltd | 2025-11-30 | Active
HealthAI Inc | DiagAssist ML | Strong | Continuous | MedAudit SA | 2026-06-01 | Active

🚀 Registry launching Q3 2026

Be among the first assessed organizations

📋 Note: Public Registry displays assessment-conducted status and grade only. Detailed scores (0-20) and Evidence Packs are available to NDA viewers and regulators respectively.

VAP-AT Overview

VAP-AT (Verifiable AI Provenance – Assessment Test) is a measurement-based scoring framework that evaluates AI systems for Auditability, Verifiability, and Regulatory Readiness.

Core Design Principle

VAP-AT is fundamentally a score-based assessment framework. Threshold Designations are optional interpretive labels provided to accommodate practical needs such as procurement requirements and regulatory reporting.

What VAP-AT Measures

Property | Definition
Auditability | Can third parties independently verify audit trails?
Verifiability | Are records complete with proper observability?
Regulatory Readiness | Is evidence packaged for audit submission?

What VAP-AT Does NOT Do

  • ❌ Evaluate AI model accuracy or performance
  • ❌ Assess business logic validity
  • ❌ Conduct security vulnerability testing
  • ❌ Guarantee AI decision correctness or legality

Critical Distinction

VAP-AT does not assess the correctness or legality of AI decisions, only the verifiability and auditability of the decision process.

Scoring Criteria

VAP-AT uses 10 criteria, each scored 0-2 points, for a maximum of 20 points.

Score Meanings

Score | Meaning
0 | Not implemented or fundamentally inadequate
1 | Partially implemented with gaps
2 | Fully implemented, required outcomes achieved

Grade Thresholds

Score Range | Grade | Interpretation
16-20 | Strong | Demonstrates robust auditability
11-15 | Moderate | Auditable but room for improvement
6-10 | Limited | Significant auditability deficiencies
0-5 | Inadequate | Fundamentally insufficient

The 10 Criteria

  1. Third-Party Verifiability – Can external parties verify audit trails?
  2. Tamper Evidence – Can unauthorized modifications be detected?
  3. Sequence Fixation – Is chronological order immutably recorded?
  4. Decision Provenance – Can decision inputs/rationale be traced?
  5. Responsibility Boundaries – Are approvers/overriders clear?
  6. Documentation Completeness – Is documentation complete and current?
  7. Retention & Availability – Is evidence retained for required periods?
  8. Time Synchronization – Is system time synchronized?
  9. Failure & Recovery Logging – Are failures logged?
  10. Right to Erasure Compatibility – Can GDPR erasure be supported?

Assessment Levels

VAP-AT offers three assessment levels with increasing rigor and cost.

Level 1: Self-Assessment Tool

Free – $5K
  • Self-assessment using this tool
  • Target: Low-risk AI
  • Preliminary status
  • Evidence Pack v1.0 output

Level 2: Verified

$15K – $150K
  • VSO-accredited CAB assessment
  • Target: Medium-risk AI
  • CAB-signed Score Report
  • 1-year validity

Level 3: Continuous

$100K+
  • Ongoing monitoring
  • Target: High-risk AI
  • Automated verification
  • Real-time status updates

Threshold Designations

Optional interpretive labels for procurement and regulatory reporting convenience.

Min Score | Designation
16+ | VAP-AT Auditability Threshold – EU AI Act Art.12/19 aligned
14+ | VAP-AT Auditability Threshold – MiFID II RTS 25 aligned
11+ | VAP-AT Baseline Auditability Threshold

⚠️ Critical Disclaimer

Threshold Designations are interpretive labels within the VAP-AT scheme and are NOT guarantees of legal compliance.

  • "EU AI Act Art.12/19 aligned" indicates a VAP-AT score aligned with auditability levels sought by those articles
  • Legal compliance determination is the assessed entity's responsibility
  • Final interpretation depends on regulatory authorities

Governance Structure

VAP-AT employs a 4-layer separation model to ensure independence and credibility.

4-Layer Structure

  0. National Accreditation Bodies: UKAS, DAkkS, ANAB, JAB – ISO accreditation of CABs (Phase 2+)
  1. Standard-Setting (VSO): Maintains criteria, accredits CABs, does NOT perform assessments
  2. Advisory Board: Technical advisory, regulatory monitoring, conflict oversight
  3. Assessment Execution (CABs): Independent CABs conduct assessments and issue reports

Key Principle

VSO does not perform assessments. This separation prevents "Pay-to-Pass" conflicts and maintains scheme credibility.

Frequently Asked Questions

What is the difference between VAP-AT and ISO 27001?

ISO 27001 certifies organizational information security management systems (ISMS). VAP-AT specifically evaluates AI system auditability and verifiability – whether audit trails are cryptographically sound and regulatory-ready. They are complementary, not competing.

Is VAP-AT Level 1 (Self) legally valid?

Level 1 produces a "Preliminary" status suitable for internal gap analysis and improvement planning. For regulatory submissions or procurement requirements, Level 2 (Verified) with CAB assessment is typically required.

How long does a Level 2 assessment take?

Typically 4-8 weeks depending on system complexity. Type I (point-in-time) is faster; Type II (period audit) requires 6-12 months of operational evidence.

What if my score decreases after initial assessment?

For Level 3 (Continuous), scores are monitored. If thresholds are breached, you receive 24-hour notification and 30 days to remediate before status changes to "Suspended."

Can I use VAP-AT for EU AI Act compliance?

VAP-AT helps demonstrate auditability aligned with Art.12/19 requirements. However, Threshold Designations are interpretive labels, not legal compliance certifications. Consult legal counsel for compliance determinations.