Raptor as a Compliance-Evidence Substrate for OMB M-25-21
Agencies are in continuous compliance posture: high-impact AI use cases must demonstrate minimum risk management practices when reviewed, inventoried, or challenged. This paper maps Raptor's architecture to each of the seven practices — what it produces, what it partially addresses, and what remains your organization's responsibility.
The compliance evidence gap is architectural, not procedural.
OMB M-25-21 establishes seven minimum risk management practices for high-impact AI. The practices presume a governance layer — something that produces evidence that the process was controlled, the output was classified, and the action was authorized. Probabilistic-everywhere AI architectures do not provide this layer.
Raptor is not a compliance product. It is a compliance-evidence substrate. Its architecture separates the AI's proposal (probabilistic, upstream, unrestricted) from the system's commit (deterministic, downstream, governed). This separation produces the artifacts M-25-21 requires as a byproduct of every governed execution, not as a separate compliance workflow.
Four of the seven practices, addressed at the substrate.
01 Pre-deployment testing
The cross-model evaluation harness produces immutable, replayable test results across providers. Testing evidence is recoverable on demand, not reconstructed.
Status: Implemented
02 AI impact assessment
Trust-boundary classification and provenance chains supply the structural inputs an impact assessment is built from — intent lineage, evidential basis per segment, decision-time risk records.
Status: Implemented
03 Ongoing monitoring
Every governed response stored immutably with trust-boundary tags. The execution history is the monitoring record — queryable by time, trust distribution, or correlation ID.
Status: Implemented (dashboards in development)
05 Human oversight
The confirmation gate halts every action with side effects until an authorized human approves. Each decision recorded immutably with actor, reason, and a policy snapshot.
Status: Implemented
Nine sections. Audit-grade throughout.
| Section | What it covers |
|---|---|
| 1. The compliance evidence gap | What M-25-21 requires, what probabilistic architectures can't produce, why observability and evals don't close the gap |
| 2. Raptor's architecture | Proposes/disposes model, execution events, trust boundaries, confirmation gate, multi-provider substrate |
| 3. Practice-by-practice mapping | All seven M-25-21 practices mapped to architecture, evidence produced, and gaps stated |
| 4. M-25-22 & M-26-04 | Vendor lock-in, data rights, US-produced AI, unbiased AI principles |
| 5. What Raptor does not solve | Probabilistic proposal layer, organizational practices, replay vs. re-inference, what's not built yet |
| 6. Verification matrix | Claim-by-claim status: implemented, validated, queryable, roadmap, requires agency process |
| 7. Buyer risk assessment | FedRAMP, data exposure, integration completeness, single-founder continuity — with mitigations |
| 8. Evidence artifacts | Named deliverables agencies receive from governed execution |
| 9. Action layer | Specific next steps for CAIOs, contracting officers, and prime compliance leads |
Also addresses M-25-22 and M-26-04.
Raptor's multi-provider substrate and open-weight bridge address M-25-22 vendor lock-in protections. Execution data stays in agency-controlled infrastructure, addressing government data-rights requirements. The platform is US-built and SDVOSB-certified.
For M-26-04, Raptor does not certify neutrality. It provides provenance, replay, and audit evidence that can support neutrality reviews.
Start with the paper. Then start a conversation.
The full paper is 18 pages — 5 minutes for the thesis, 30 minutes for the complete mapping with verification matrix and risk assessment. The first conversation is technical, not sales — you'll talk to Paul James III, a 20-year DISA veteran who built the substrate.
SDVOSB · CAGE 9M2N1 · UEI UJ5VCLDTKK87 · NAICS 541512 / 541511 / 511210