The AEGIS autonomous audit engine ran across all 158 active controls and 12 regulatory frameworks, producing cryptographically signed evidence envelopes in 460 ms. The number above is a live rollup, not a marketing estimate.
Each row reflects the live AEGIS rollup for that framework. Scores are weighted by control criticality. Machine column = controls verified by automated auditor. Self column = operator-attested controls. Color coding: green 95 or above, gold 90–94, amber below 90.
| Framework | Total | Passing | Machine | Self-attested | Score |
|---|---|---|---|---|---|
| SOC 2 (TSC 2017) | 158 | 152 | 52 | 106 | 96.2 |
| ISO 27001:2022 | 136 | 130 | 51 | 85 | 95.6 |
| ISO 27017:2015 | 2 | 2 | 2 | 0 | 100.0 |
| ISO 27018:2019 | 2 | 2 | 1 | 1 | 100.0 |
| ISO 27701:2019 | 25 | 23 | 3 | 22 | 92.0 |
| ISO 27036:2023 | 5 | 5 | 5 | 0 | 100.0 |
| ISO 42001:2023 | 1 | 1 | 1 | 0 | 100.0 |
| EU AI Act | — | — | — | — | pending mapping |
| GDPR | 26 | 23 | 4 | 22 | 88.5 |
| eIDAS 2.0 | 1 | 1 | 1 | 0 | 100.0 |
| NIS2 | 5 | 5 | 5 | 0 | 100.0 |
| DORA | 6 | 6 | 5 | 1 | 100.0 |
Score is a passing-control ratio weighted by control family. EU AI Act controls are mapped in HIVECOMPLY but scoring is pending framework-level guidance on quantitative metrics. All other frameworks are fully scored. Machine = automated; Self = operator-attested.
Horizontal bars represent the ratio of passing controls within each family. SOC 2 common-criteria families CC1 through CC9. ISO 27001 Annex A clauses A.5 through A.8.
SOC 2 — Common Criteria families
SOC 2 TSC 2017 common-criteria families. CC6 gap: one logical-access control is in-progress and recorded as partially implemented in the HIVECOMPLY attestation log.
ISO 27001:2022 — Annex A clauses
ISO 27001:2022 Annex A has 93 controls across 4 clauses. A.6 and A.8 account for the 6 failing controls, primarily around formal third-party assessment procedures and cryptographic key lifecycle documentation. These are on the roadmap for Q3 2026.
ISO 27701:2019 — Privacy extension
GDPR
GDPR and ISO 27701 share substantial overlap. Three GDPR articles (data subject rights automation, cross-border transfer documentation, and DPO formal designation) remain partially attested at the operator-self-attestation level.
Every control audit produces a signed envelope. The envelope contains the raw evidence, a SHA3-256 fingerprint, an Ed25519 signature, and a parallel ML-DSA-65 post-quantum signature. The example below is a real envelope for control CC6.1 from the 2026-05-08 scan.
Envelopes are retrievable via the AEGIS API. The Ed25519 signature provides classical cryptographic proof. The ML-DSA-65 signature provides post-quantum assurance under NIST FIPS 204. Both signatures cover the same SHA3-256 digest of the evidence payload. See TACHYON for the full cryptographic architecture.
The AEGIS API is publicly accessible. You do not need an account to read the live score or to trigger a per-control audit. The responses are signed — you can verify them with the public Ed25519 key published at /security/.
```bash
# Retrieve the current aggregate compliance score across all frameworks
curl -s https://hivemorph.onrender.com/v1/aegis/score | jq

# Run a live audit for control CC6.1 and receive a signed evidence envelope
curl -X POST https://hivemorph.onrender.com/v1/aegis/control/audit \
  -H 'Content-Type: application/json' \
  -d '{"control_id":"CC6.1"}'

# Retrieve the full cross-framework control mapping matrix
curl -s https://hivemorph.onrender.com/v1/aegis/matrix | jq '.frameworks'

# Verify a HIVECOMPLY evidence bundle (supply your bundle JSON as input)
curl -X POST https://hivemorph.onrender.com/v1/hivecomply/bundle/verify \
  -H 'Content-Type: application/json' \
  -d @bundle.json
```
All API responses include a signed envelope. Verify the Ed25519 signature against the public key at hivemorph.onrender.com/v1/aegis/health. The production base URL is https://hivemorph.onrender.com. Rate limits apply: 60 requests per minute per IP for the audit endpoint, 600 per minute for read endpoints.
Machine-audited and operator-attested controls are not the same thing, and it matters that you understand the difference.
Of the 158 active controls, 52 are verified by the AEGIS automated audit engine on every scan. The auditor reads a live signal — a TLS handshake grade, a header inspection, a cryptographic primitive check, an API health response — and issues a pass or fail against a binary criterion. These controls are machine-verified in the strict sense: no human judgment is involved in the pass/fail decision.
The remaining 106 controls are operator-attested. That means a human at Hive Civilization reviewed the control requirement, documented the implementation, and self-certified compliance. AEGIS signs the attestation and timestamps it cryptographically, but it does not independently verify the claim. The signature proves the attestation was made at a specific time and has not been altered. It does not prove the underlying fact is true.
This is a standard constraint for any compliance program at this stage. Vanta, Drata, and Secureframe also rely on operator attestation for the majority of SOC 2 controls. What distinguishes HIVECOMPLY is that the attestations are post-quantum signed, timestamped, and cryptographically anchored — so they cannot be retroactively altered. The fraction of machine-verified controls is expected to grow as additional automated auditors are deployed.
The table below shows the breakdown by framework, so you can see where automated verification is densest and where attestation carries more weight.
| Framework | Machine | Attested |
|---|---|---|
| SOC 2 | 52 | 106 |
| ISO 27001 | 51 | 85 |
| ISO 27017 | 2 | 0 |
| ISO 27018 | 1 | 1 |
| ISO 27701 | 3 | 22 |
| ISO 27036 | 5 | 0 |
| ISO 42001 | 1 | 0 |
| GDPR | 4 | 22 |
| eIDAS 2.0 | 1 | 0 |
| NIS2 | 5 | 0 |
| DORA | 5 | 1 |
| EU AI Act | pending | pending |
Frameworks where all controls are machine-verified (ISO 27017, ISO 27036, ISO 42001, eIDAS 2.0, NIS2) tend to be narrower in scope, covering controls that map directly to technical signals the AEGIS auditors can evaluate autonomously. Privacy and governance frameworks (ISO 27701, GDPR) rely more heavily on operator attestation because the underlying facts — such as whether a DPO has been formally designated — are organizational, not technical.
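The machine/attested split can be cross-checked against the published scores. The following is an added example, not AEGIS or HIVECOMPLY code: it takes the rows of the framework table on this page and computes, per framework, whether the counts are internally consistent, whether a plain passing/total ratio reproduces the published score, and how much of that score machine evidence alone could support. The function names and result keys are hypothetical.

```python
# Rows copied from the framework table on this page (EU AI Act omitted: unscored).
# (framework, total, passing, machine, self_attested, published_score)
ROWS = [
    ("SOC 2 (TSC 2017)", 158, 152, 52, 106, 96.2),
    ("ISO 27001:2022", 136, 130, 51, 85, 95.6),
    ("ISO 27017:2015", 2, 2, 2, 0, 100.0),
    ("ISO 27018:2019", 2, 2, 1, 1, 100.0),
    ("ISO 27701:2019", 25, 23, 3, 22, 92.0),
    ("ISO 27036:2023", 5, 5, 5, 0, 100.0),
    ("ISO 42001:2023", 1, 1, 1, 0, 100.0),
    ("GDPR", 26, 23, 4, 22, 88.5),
    ("eIDAS 2.0", 1, 1, 1, 0, 100.0),
    ("NIS2", 5, 5, 5, 0, 100.0),
    ("DORA", 6, 6, 5, 1, 100.0),
]


def band(score):
    # Page's color coding: green 95 or above, gold 90-94, amber below 90.
    # Assumption: a score between 94 and 95 is treated as gold.
    return "green" if score >= 95 else "gold" if score >= 90 else "amber"


def analyze(rows=ROWS):
    report = {}
    for name, total, passing, machine, attested, published in rows:
        findings = []
        if machine + attested != total:
            findings.append("machine + self-attested != total")
        if passing > total:
            findings.append("passing > total")
        unweighted = 100 * passing / total
        report[name] = {
            "findings": findings,
            "band": band(published),
            # Does a plain passing/total ratio reproduce the published score?
            "matches_unweighted": abs(unweighted - published) < 0.051,
            # Highest score that machine-verified controls alone could support,
            # reached only if every machine-verified control passes.
            "machine_ceiling": round(100 * machine / total, 1),
            # Fewest passing controls that rest on operator attestation only.
            "attested_floor": max(0, passing - machine),
        }
    return report


if __name__ == "__main__":
    for name, r in analyze().items():
        print(f"{name:18} {r['band']:6} machine<={r['machine_ceiling']:5} "
              f"attested>={r['attested_floor']:3} {r['findings'] or 'consistent'}")
```

On these rows every count is consistent and the plain passing/total ratio matches each published score to one decimal place. For SOC 2, at least 100 of the 152 passing controls rest on attestation alone.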
The compliance score is one output of a larger architecture. These pages explain the system that produces it.
TACHYON is the multi-assumption post-quantum foundation that signs every compliance envelope. Lattice, hash, and physics assumptions in parallel. Secure unless all three break simultaneously.
TACHYON ›
Audit engine
AEGIS is the seven-component autonomous compliance agent that produced every number on this page. Probe, hash, sign, anchor. Per-control audit: 6.5 ms typical. Full-fleet scan: 460 ms.
AEGIS ›
Context
Agentic compliance means the system audits itself, signs its own evidence, and produces the bundle the auditor reads. This page explains how it compares to continuous-monitoring tools.
Agentic Compliance ›
Every Hive surface signs its own evidence with the same primitives: SHA3-256 canonical hashing, Ed25519 + ML-DSA-65 dual signatures, and a published Merkle Mountain Range root. The receipt is the audit evidence. The envelope is the universal generalization — every transaction, every framework, every surface.