📄 Published Research — Peer-reviewed paper published on arXiv.
Full paper: arxiv.org/abs/2604.04749
The accelerating adoption of large language models, retrieval-augmented generation pipelines, and multi-agent AI workflows has created a structural governance crisis. Organisations cannot govern what they cannot see — and existing compliance methodologies, built for deterministic web applications, provide no mechanism for discovering or continuously validating AI systems that emerge across engineering teams without formal oversight.
The Core Problem: Point-in-Time Compliance Doesn't Work for AI
Traditional compliance frameworks were designed for static, deterministic systems. An AI system is neither. A large language model deployment changes behaviour with every model update, every prompt change, every new retrieval corpus. A point-in-time audit that captures one configuration snapshot tells regulators almost nothing about how the system behaved across the other 364 days of the year.
The paper argues that telemetry-first AI governance represents a categorical architectural shift — from organisational self-report to empirical machine observation.
Four Principles of AI Trust OS
- Proactive discovery — AI systems are found through observability signals, not organisational self-declaration. If a team deploys a model without registering it, the system finds it anyway.
- Telemetry evidence over manual attestation — Control assertions are collected by automated probes, not human-completed questionnaires. Evidence is machine-generated, timestamped, and cryptographically verifiable (a minimal sketch of such an evidence record follows this list).
- Continuous posture over point-in-time audit — Compliance is an always-on operating layer, not an annual event. The trust posture of every AI system is known at all times.
- Architecture-backed proof over policy-document trust — Regulators receive structural evidence derived from the system itself, not policy documents that assert what the system should do.
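The paper does not prescribe a concrete evidence format, so the following is only a minimal sketch of what a machine-generated, timestamped, verifiable control assertion could look like. The field names, the HMAC-based signing, and the probe identifier are assumptions made for illustration, not the schema described in the paper.

```python
# Illustrative sketch only: the paper does not specify an evidence schema.
# Field names, the HMAC construction, and the probe identifier are assumptions.
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone


@dataclass
class ControlEvidence:
    """One machine-generated control assertion emitted by an automated probe."""
    system_id: str        # AI system the assertion applies to
    control_id: str       # e.g. an internal control reference
    observed_value: str   # what the probe actually measured
    probe_id: str         # which probe produced the evidence
    collected_at: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat()
    )

    def canonical_bytes(self) -> bytes:
        # Canonical JSON so the digest is stable regardless of which probe wrote it.
        return json.dumps(asdict(self), sort_keys=True).encode()

    def sign(self, key: bytes) -> str:
        # HMAC-SHA256 stands in for whatever signing scheme a real deployment
        # would use (e.g. asymmetric signatures plus a key registry).
        return hmac.new(key, self.canonical_bytes(), hashlib.sha256).hexdigest()


evidence = ControlEvidence(
    system_id="payments-rag-assistant",
    control_id="llm-trace-retention",
    observed_value="prompt/response traces retained 90 days",
    probe_id="probe-telemetry-retention",
)
signature = evidence.sign(key=b"demo-signing-key")
print(evidence.collected_at, signature[:16], "...")
```

The design point the sketch is meant to convey is simply that each assertion carries its own timestamp and an integrity check, so an auditor can verify when and by what it was produced without trusting a human-edited spreadsheet.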
The Zero-Trust Telemetry Boundary
The framework operates through a zero-trust telemetry boundary in which ephemeral, read-only probes validate structural metadata without ingesting source code or payload-level PII. This means AI Trust OS can validate AI system governance without itself becoming a data privacy risk — critical for healthcare, financial services, and government deployments.
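As a rough illustration of that constraint (not the paper's implementation), the sketch below shows a probe that keeps only structural metadata from a trace and drops payload fields before anything crosses the boundary. Every field name here is an assumption.

```python
# Hypothetical sketch of the metadata-only constraint at the telemetry boundary.
# The field names below are assumptions, not the paper's schema.
STRUCTURAL_FIELDS = {
    "trace_id", "model", "model_version", "latency_ms",
    "prompt_tokens", "completion_tokens", "retrieval_corpus",
}


def extract_structural_metadata(raw_trace: dict) -> dict:
    """Keep only structural fields; prompt/response payloads never leave the
    source environment, so the probe cannot ingest payload-level PII."""
    return {k: v for k, v in raw_trace.items() if k in STRUCTURAL_FIELDS}


trace = {
    "trace_id": "abc-123",
    "model": "gpt-4o",
    "latency_ms": 412,
    "prompt": "Summarise this patient record ...",   # payload: dropped
    "response": "The patient ...",                   # payload: dropped
}
print(extract_structural_metadata(trace))
```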
The AI Observability Extractor Agent
A core component is the AI Observability Extractor Agent, which scans LangSmith and Datadog LLM telemetry streams to automatically register undocumented AI systems. This shifts governance from organisational self-report — where systems go dark if teams forget to register them — to empirical machine observation.
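The paper does not publish the agent's code, and the sketch below deliberately avoids any real LangSmith or Datadog API: `fetch_recent_llm_traces` is a hypothetical stand-in for a vendor telemetry query, and the in-memory registry is illustrative only. The point is the discovery loop, which registers any service emitting LLM traces that the governance layer has never seen.

```python
# Sketch of the discovery loop only. fetch_recent_llm_traces stands in for a
# real LangSmith / Datadog LLM Observability query; the registry is an
# in-memory dict here, and all names are illustrative assumptions.
from collections import defaultdict

registry: dict[str, dict] = {}   # system_id -> governance record


def fetch_recent_llm_traces() -> list[dict]:
    # Placeholder for a vendor telemetry query (e.g. traces from the last 24h).
    return [
        {"service": "claims-triage-bot", "model": "claude-3-5-sonnet", "env": "prod"},
        {"service": "claims-triage-bot", "model": "claude-3-5-sonnet", "env": "prod"},
        {"service": "internal-sql-copilot", "model": "gpt-4o-mini", "env": "staging"},
    ]


def discover_undocumented_systems() -> list[str]:
    """Group traces by service and register anything not already governed."""
    seen = defaultdict(set)
    for trace in fetch_recent_llm_traces():
        seen[trace["service"]].add((trace["model"], trace["env"]))
    newly_registered = []
    for service, variants in seen.items():
        if service not in registry:
            registry[service] = {"variants": sorted(variants), "status": "unreviewed"}
            newly_registered.append(service)
    return newly_registered


print(discover_undocumented_systems())
```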
Framework Coverage
The paper evaluates AI Trust OS against five major regulatory frameworks: ISO 42001, EU AI Act, SOC 2, GDPR, and HIPAA. The governance architecture is designed to produce audit-ready evidence across all five simultaneously — eliminating the traditional compliance silo problem where teams maintain separate evidence programmes for each framework.
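As a toy illustration of that shared-evidence idea, a single control assertion can be mapped to clauses in several frameworks at once, so one probe result contributes to all of them. The specific clause references below are illustrative examples, not the paper's mapping.

```python
# One control assertion reused across frameworks. The clause references below
# are illustrative examples, not a claim about the paper's exact mappings.
CONTROL_TO_FRAMEWORKS = {
    "llm-access-logging": {
        "ISO 42001": "Annex A (AI system life cycle controls)",
        "EU AI Act": "Art. 12 (record-keeping)",
        "SOC 2": "CC7.x (system monitoring)",
        "GDPR": "Art. 30 (records of processing activities)",
        "HIPAA": "§164.312(b) (audit controls)",
    },
}


def evidence_coverage(control_id: str) -> list[str]:
    """Which frameworks a single piece of probe evidence contributes to."""
    return sorted(CONTROL_TO_FRAMEWORKS.get(control_id, {}))


print(evidence_coverage("llm-access-logging"))
```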
Why This Matters Now
The EU AI Act's GPAI obligations take effect in August 2025. ISO 42001 certification is becoming a procurement requirement for enterprise AI vendors. The governance gap is not theoretical — it is a live regulatory and commercial risk for any organisation that has deployed AI systems without a formal governance layer.
Read the full paper: arxiv.org/abs/2604.04749