How you use Apeiris.
Apeiris isn't another tool to run — it's the open, machine-readable, signed evidence layer that sits upstream of the tools you already have. It gives your GRC, security, gateway, agent, and pipeline systems one shared, vendor-neutral vocabulary of controls and evidence. Here's where it fits, and what you can do with it tomorrow.
Where Apeiris fits
Ingest the obligations once → map to concrete, testable controls → your tools consume the same signed evidence. No lock-in to a vendor's version of what governance means.
GRC & compliance teams
You can use this to prove obligation coverage — and see the gaps.
- Pull the per-framework coverage maps + the Evidence Proof Map for EU AI Act, ISO 42001, NIST AI RMF, DORA, SR 26-2.
- For each obligation, get the addressing controls, the evidence each needs, and a coverage verdict.
- Mark what you hold and watch mapped ≠ satisfied resolve — your real gap, obligation by obligation.
Security & SOC teams
You can use this to turn AI threats into the controls your detections must produce.
- Start from a MITRE ATLAS technique (e.g. prompt injection) via the pinned ATLAS model.
- Follow the graph to the controls that address it and the evidence they require.
- Wire the required evidence into your SIEM/SOAR so detection and control coverage stay connected.
AI gateway / platform teams
You can use this to gate autonomous actions on machine-readable controls.
- Fetch the domain matrices; each control carries a
blocking_effectandevidence_required. - Enforce the blocking controls inline at your gateway — block-runtime-action, requires-review, advisory.
- Emit evidence in the shared schema so downstream verdicts compose across domains.
Agent builders (Copilot Studio, LangGraph, Agents SDK)
You can use this to let your agents reason over the corpus — and bind provenance to every action.
- Point an MCP client at the read-only graph + ATLAS servers; both verify their artifact on load.
- Query controls, threats, and evidence in-flow; resolve a control by its
apeiris://URI. - Attach the evidence ontology to each consequential action so it can be checked and reviewed later.
CI/CD & platform engineering
You can use this to fail the build on an integrity or coverage regression.
- Fetch the signed manifest; recompute each artifact's SHA-256 and reject on mismatch.
- Verify the Ed25519 signature over the JCS-canonical manifest against the public trust anchor.
- Assert obligation coverage for your target frameworks as a pipeline gate.
Auditors & assessors
You can use this to cite exactly what you reviewed — and let anyone recompute it.
- Cite a control by its stable cross-domain URI, e.g.
apeiris://security/controls/IA-01. - Pin the manifest version + signature key so a reader can reproduce the exact corpus you cited.
- Recompute every hash and the signature live — don't trust, verify.
Everything here is open (CC BY 4.0), signed, and machine-readable — no login, no SDK required, no lock-in. Start from the quickstart, or watch one real action carry proof end to end.