Build on Apeiris.

Apeiris is an open, signed, machine-readable evidence substrate12 verification domains, 605 controls, a knowledge graph, and a verifiable manifest. Use it as the control-and-evidence layer under whatever you are building. You don't have to invent the ontology, curate the controls, or maintain the framework mappings — that part is public, and it's done.

Build on Apeiris if you are building…

Any product that needs a defensible, open control-and-evidence foundation instead of a proprietary one it has to invent and defend alone.

Governance & GRC

AI governance and GRC tools

Map your customers' controls to a public, versioned control set with framework provenance already attached — NIST AI RMF, ISO 42001, the EU AI Act, and more.

Runtime

Runtime assurance and agent security

Turn detections into control semantics: each Apeiris control carries a blocking effect and the evidence it requires, so a runtime signal maps to a governed decision.

Audit

Audit and continuous compliance

Build on the Evidence Proof Map and the attestation ontology — obligations resolve to addressing controls, required evidence, and an honest coverage verdict.

Procurement

Procurement and third-party review

Assess a vendor's AI system against the same open domains and evidence requirements every party can read, cite, and recompute — no black-box scoring.

Agents

Agent platforms and registries

Query the corpus from your agents over a single governed MCP server, with provenance on every response and a signed manifest behind it.

Tooling

IDE plugins, MCP servers, and dev tools

Pull controls, obligations, and the graph straight into the developer's workflow. The API is the data; the schemas are stable and public.

What you get.

An open substrate, published free under CC BY 4.0 — free to use, cite, redistribute, and build commercial products on.

  • The full control corpus

    Every domain matrix as normalized JSON: controls, validation objectives, required evidence, blocking effects, and framework mappings with fit and citation basis.

  • A public conformance contract

    The identifier grammar, every controlled vocabulary, the evidence ontology, and the consumer invariants — the ATT&CK-style data dictionary, derived live from the data.

  • MCP servers for agents

    One governed, read-only server exposes the corpus, graph, evidence, obligations, and a deterministic reasoning layer — checksum-verified on load.

  • A knowledge graph

    Typed nodes and provenance-carrying edges — control → threat → framework clause → normative source — deep-linkable and queryable.

  • The Evidence Proof Map

    Per-obligation proof chains for the anchored coverage frameworks: obligation → addressing controls → evidence → verdict and gap.

  • A signed, verifiable manifest

    Ed25519 over the JCS-canonical bytes, with a per-artifact SHA-256. Don't trust us — recompute every hash yourself, in the browser.

The pattern: fetch → verify → use.

Three steps, no login, nothing to install. Everything is static JSON behind a signed manifest.

Fetch

Pull the manifest.json and the artifacts you need — the domain matrices, the graph, the proof map — straight over HTTPS.

Verify

Check each artifact's SHA-256 against the manifest, and the manifest's Ed25519 signature against the published trust anchor. Trust the bytes, then use them.

Use

Read controls, obligations, evidence, and relationships — in your app, your pipeline, or your agent over MCP. mapped ≠ satisfied stays explicit.

Building something on Apeiris?

We are building this as shared infrastructure, and it is free during beta. If you're building a governance, runtime, procurement, audit, or agent-security product on the corpus, we'd like to hear about it — and help.