Frequently Asked Questions

General

What is GLACIS?

GLACIS (Governance, Logic, Attestation, Compliance Infrastructure Service) is an AI compliance attestation platform that provides cryptographic proof-of-compliance for AI systems. It enables organizations to demonstrate that their AI governance policies are actually enforced at runtime.

Who is GLACIS for?

GLACIS is designed for:

  • Enterprises deploying AI systems that need to demonstrate compliance
  • Compliance teams managing ISO 42001, EU AI Act, or other AI regulations
  • Engineering teams building AI applications that require audit trails
  • Auditors verifying AI governance controls

What compliance frameworks does GLACIS support?

Primary support:

  • ISO/IEC 42001:2023 — Full support with 184 controls
  • EU AI Act — High-risk AI requirements
  • SOC 2 — Trust service criteria for AI

Additional frameworks:

  • NIST AI RMF
  • GDPR (Article 22)
  • HIPAA

Technical

How does zero-egress work?

In GLACIS’s zero-egress design, sensitive evidence (AI requests and responses) never leaves your infrastructure. Instead:

  1. Your sidecar generates a cryptographic commitment (SHA-256 hash) of the evidence
  2. Only the commitment is sent to GLACIS services
  3. GLACIS cannot reverse the hash to get the original data
  4. Auditors can verify the commitment matches without seeing the data

Your Infrastructure     │     GLACIS Services
Evidence (sensitive) ───┼─X─  Never transmitted
        │               │
        ▼               │
Commitment (hash) ──────┼───▶ Stored & verified
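
The four steps above as an added example (not GLACIS code): a sidecar-side commitment and the auditor's check, written with Node's built-in crypto module. The function names, the canonical JSON encoding and the random nonce mixed into the hash are assumptions; the nonce is there so that short or guessable evidence cannot be confirmed by hashing candidate values.

```javascript
// Added example; function names, encoding and nonce are assumptions, not the GLACIS API.
const { createHash, randomBytes, timingSafeEqual } = require('node:crypto');

// Serialize with sorted keys so sidecar and auditor hash identical bytes.
function canonicalize(value) {
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// Sidecar: SHA-256 over nonce || canonical evidence. Evidence and nonce stay local.
function commit(evidence, nonce = randomBytes(32)) {
  const commitment = createHash('sha256')
    .update(nonce).update(canonicalize(evidence)).digest('hex');
  return { commitment, local: { evidence, nonce } };
}

// Auditor, inside your infrastructure: recompute from local data and compare.
function verifyCommitment(commitmentHex, evidence, nonce) {
  const expected = Buffer.from(commit(evidence, nonce).commitment, 'hex');
  const received = Buffer.from(String(commitmentHex), 'hex');
  return received.length === expected.length && timingSafeEqual(received, expected);
}

// Constructed sample evidence (not real traffic).
const sample = {
  request: { model: 'gpt-4', prompt: 'Summarize the Q3 report' },
  response: { text: 'Revenue rose 4%.' },
};
const { commitment, local } = commit(sample);
const outbound = JSON.stringify({ commitment }); // the only bytes sent upstream
console.log(outbound, verifyCommitment(commitment, local.evidence, local.nonce));
```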

What are L0 and L2 attestations?

L0 (Metadata): Generated for every request

  • Contains only metadata and commitment hashes
  • ~200 bytes per attestation
  • Proves request occurred without revealing content

L2 (Evidence): Generated for sampled requests

  • Contains full evidence including policy scores
  • ~2-10 KB per attestation
  • Configurable sampling rate (default: 1 in 100)

How does sampling work?

GLACIS uses configurable sampling to balance coverage with storage:

// Default: 1 in 100 requests get L2 attestation
sampling: {
  rate: 100,
  // Override for specific conditions
  rules: [
    { condition: { field: 'model', operator: 'eq', value: 'gpt-4' }, rate: 1 },
  ]
}

All requests get L0 attestations (metadata only).

Can I verify attestations independently?

Yes. All GLACIS attestations include:

  • Ed25519 signatures you can verify
  • Merkle proofs you can validate
  • Commitment hashes you can compare

import { verifyAttestation } from '@glacis/core';
const valid = verifyAttestation(attestation, publicKey);

What AI providers are supported?

Currently supported:

  • OpenAI (GPT-4, GPT-3.5, etc.)
  • Anthropic (Claude)
  • Azure OpenAI
  • Google Vertex AI (Gemini)
  • Custom endpoints

Adding a new provider requires minimal configuration.

Deployment

Where can I deploy sidecars?

GLACIS sidecars support:

  • Cloudflare Workers (recommended) — Global edge, sub-1ms cold start
  • Google Cloud Run — Container-native
  • AWS Lambda — Event-driven
  • Kubernetes — On-prem or cloud

Does GLACIS add latency?

Minimal. Typical overhead:

  • Cloudflare Workers: under 5ms
  • Cloud Run/Lambda: under 20ms
  • Kubernetes: under 10ms

Attestations are generated asynchronously when possible, so they don’t block the AI response.

Can I use GLACIS with existing AI infrastructure?

Yes. The sidecar acts as a proxy:

Before: App → OpenAI
After: App → Sidecar → OpenAI

No changes to your AI application code are required; just change the endpoint URL.

Compliance

Does GLACIS help with ISO 42001 certification?

Yes. GLACIS provides:

  • Control library: All 184 ISO 42001 controls pre-loaded
  • Auto-evidence: 4 controls receive automatic attestation evidence
  • Gap analysis: AI-powered gap identification
  • Certification Wizard: 20-minute interview to bootstrap compliance
  • SOA export: ISO 42001-formatted Statement of Applicability

How does the Certification Wizard work?

The wizard is an AI-powered interview that:

  1. Discovers your AI systems through conversation
  2. Assesses your current compliance state
  3. Generates policies, assessments, and documentation
  4. Maps your responses to ISO 42001 controls

It takes approximately 20 minutes and bootstraps your compliance program.

What evidence does GLACIS automatically generate?

For these ISO 42001 controls, sidecars generate automatic evidence:

Control    Evidence Type
A.6.2.6    Request/response attestations
A.6.2.8    Latency and error metrics
A.7.5      Input validation scores
A.9.4      Usage pattern analysis

Can auditors verify GLACIS attestations?

Yes. Auditors can:

  1. Export attestations and Merkle proofs
  2. Verify signatures independently
  3. Validate Merkle tree inclusion
  4. Confirm sampling coverage
  5. Review policy score distributions

All verification can be done without GLACIS involvement.
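
The independent checks named under "Can I verify attestations independently?" and in the auditor steps above (signature verification and Merkle tree inclusion), as an added example using Node's built-in crypto module rather than @glacis/core. This is not GLACIS code: the attestation layout, the proof format and the choice to sign the Merkle root are assumptions made for illustration.

```javascript
// Added example; attestation layout, proof format and names are assumptions.
const { createHash, generateKeyPairSync, sign, verify } = require('node:crypto');

const sha256 = (...parts) =>
  parts.reduce((h, p) => h.update(p), createHash('sha256')).digest();
// Separate leaf and interior-node hashes with a prefix byte, as RFC 6962 does.
const leafHash = (data) => sha256(Buffer.from([0]), data);
const nodeHash = (left, right) => sha256(Buffer.from([1]), left, right);

// Exporter side: Merkle root over all leaves plus the sibling path for one index.
function buildProof(leaves, index) {
  let level = leaves.map(leafHash);
  const proof = [];
  while (level.length > 1) {
    const next = [];
    for (let i = 0; i < level.length; i += 2) {
      const [l, r] = [level[i], level[i + 1]];
      if (r && i === index - (index % 2)) proof.push(index % 2 ? { left: l } : { right: r });
      next.push(r ? nodeHash(l, r) : l); // a lone last node is promoted unchanged
    }
    index = Math.floor(index / 2);
    level = next;
  }
  return { root: level[0], proof };
}

// Auditor side: fold the sibling path back up to the root.
function verifyInclusion(leaf, proof, root) {
  const computed = proof.reduce(
    (acc, s) => (s.left ? nodeHash(s.left, acc) : nodeHash(acc, s.right)),
    leafHash(leaf));
  return computed.equals(root);
}

// Auditor side: Ed25519 signature over the root, then inclusion of the attestation.
function verifyExport({ leaf, proof, root, signature }, publicKey) {
  return verify(null, root, publicKey, signature) && verifyInclusion(leaf, proof, root);
}

// Constructed sample: three L0-style records and a throwaway signing key.
const { publicKey, privateKey } = generateKeyPairSync('ed25519');
const leaves = [1, 2, 3].map((n) => Buffer.from(JSON.stringify({ id: `att-${n}`, level: 'L0' })));
const { root, proof } = buildProof(leaves, 2);
const exported = { leaf: leaves[2], proof, root, signature: sign(null, root, privateKey) };
console.log(verifyExport(exported, publicKey));
```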

Security

Is my data safe with GLACIS?

Yes. Key protections:

  • Zero-egress: Evidence never leaves your infrastructure
  • Encryption: TLS 1.3 in transit, AES-256/XChaCha20 at rest
  • Authentication: API keys and bearer tokens
  • Audit logging: All operations logged
  • SOC 2 certified: Annual third-party audits

What data does GLACIS see?

GLACIS services only receive:

  • Commitment hashes (cannot be reversed)
  • Attestation metadata
  • Organization configuration
  • Dashboard interactions

GLACIS never sees your actual AI requests, responses, or user data.

How are API keys protected?

  • API keys are hashed with Argon2id before storage
  • Keys can be scoped to specific permissions
  • Keys can be rotated at any time
  • Usage is logged and rate-limited

Is GLACIS HIPAA compliant?

Yes. For healthcare customers:

  • BAA (Business Associate Agreement) available
  • PHI never transmitted due to zero-egress design
  • Attestation commitments contain no PHI
  • HIPAA-specific deployment guidance available

Pricing

How is GLACIS priced?

GLACIS pricing is based on:

  • Number of attestations per month
  • Number of AI systems monitored
  • Support tier (Standard, Premium, Enterprise)

Contact sales@glacis.io for specific pricing.

Is there a free tier?

Yes. The free tier includes:

  • Up to 10,000 attestations/month
  • 1 AI system
  • Community support
  • Core features

What’s included in Enterprise?

Enterprise includes:

  • Unlimited attestations
  • Unlimited AI systems
  • SLA guarantees
  • Dedicated support
  • Custom integrations
  • On-prem deployment option

Support

How do I get help?

Are professional services available?

Yes. We offer:

  • Implementation assistance
  • Compliance consulting
  • Custom integration development
  • Training and workshops

Contact sales@glacis.io for details.

Where can I report bugs?

Report bugs via:

For security vulnerabilities, email security@glacis.io.

Troubleshooting

Attestations not appearing in dashboard

  1. Verify API key is correct
  2. Check sidecar logs for errors
  3. Verify network connectivity to receipts.glacis.io
  4. Ensure organization ID matches

High latency on AI requests

  1. Use Cloudflare Workers for lowest latency
  2. Enable token caching in sidecar
  3. Check if batching is appropriate for your use case
  4. Review sidecar CPU/memory allocation

Invalid signature errors

  1. Ensure system clock is synchronized (NTP)
  2. Verify you’re using the latest sidecar version
  3. Check that epoch hasn’t expired
  4. Confirm sidecar key hasn’t been rotated