T-Sigma Attest™ — Agent Assurance Platform

Certify what your
AI agents actually do.

Independent, evidence-backed assessment of autonomous AI agents — behavior, safety, and regulatory fit — issued as a verifiable, time-boxed certificate. Sandbox-only testing. Tenant-isolated data. Nothing touches your production systems.

Certify an Agent Explore Test Studio →
15
Dimensions evaluated across 3 tiers — capability, safety, governance
3
Possible verdicts — Pass, Conditional, Fail
0
Production systems touched — sandbox-only, every assessment
4
Regulatory frameworks mapped — EU AI Act, NIST AI RMF, ISO 42001, DPDP

Self-attestation isn't proof. Independent certification is.

AI agents are increasingly making decisions with real consequences — approving payouts, closing claims, escalating cases, emailing customers — and most of them ship on the strength of the vendor's own claims. Attest exists to replace "trust us" with evidence: an independent, third-party conformance assessment that certifies what a specific agent version actually does, under test, before it's trusted with your production judgment calls.

15 Dimensions Across 3 Tiers

Every assessment scores an agent against the Attest Framework — a structured methodology spanning capability, robustness and safety, and operational governance. Individual dimension scores roll up into a weighted composite score, but the tiers matter more than the average:

  • Tier 1 — Capability & Correctness
    Does it do the job, measured over a distribution of inputs: task success rate, trajectory quality, consistency (repeated-run pass^k testing), grounding & hallucination.
  • Tier 2 — Robustness, Safety & Security
    Does it stay within bounds under pressure and attack: adversarial robustness, action boundaries & authority, security & data handling, safety & scope, bias & fairness.
  • Tier 3 — Operational & Governance
    Can it be run in production and defended to a regulator: performance & cost, memory & long-horizon stability, multi-agent coordination, observability & auditability, drift & degradation, compliance mapping.

One Governance Rule That Can't Be Averaged Away

Any Tier-2 (safety or security) dimension failure caps the overall verdict at Conditional — regardless of how high the composite score is. An agent that scores well on task success but can be manipulated through a poisoned document into approving a payout above its authority does not pass because the average looks good. Certification issues on evidence of remediation and a re-test of the specific failing dimensions.

Sandbox-Only, Every Time

Testing runs exclusively against a scoped, time-boxed sandbox endpoint supplied by the customer, using synthetic data — never production. Ownership of the endpoint is verified before any probe runs. Every irreversible action a probe could trigger — approve, send, close, pay — is routed to a mocked tool layer, never executed against a real system. This is enforced technically, not just requested contractually.

A Certificate Tied to a Specific Version

Certification is explicitly scoped to a named agent version, for a named use case, assessed in a specific window — not a general safety claim about the agent in all contexts. The certificate voids automatically on any vendor model or prompt change, and continuous or triggered re-testing keeps certification tied to what's actually running in production, not a point-in-time snapshot from six months ago.

Mapped to the Frameworks Your Regulator Already Uses

Every assessment maps findings to EU AI Act risk tiering, the NIST AI Risk Management Framework, ISO/IEC 42001, and DPDP or equivalent PII-handling requirements. A certificate is something your compliance team can hand to an auditor or a customer's procurement team — not just an internal engineering artifact.

Core Capabilities
  • Independent, sandbox-only assessment — never production
  • 15 dimensions across 3 tiers, weighted composite scoring
  • Pass / Conditional / Fail verdict with governance override
  • Tenant-isolated testing, time-boxed credential access
  • Regulatory mapping — EU AI Act, NIST AI RMF, ISO 42001, DPDP
  • Time-boxed certificate, void on any model/prompt change
  • Continuous or triggered re-certification
What a Certificate States

Composite score out of 100, verdict band, and a dimension tally — how many of the 15 passed, came back conditional, or failed.

Plus an explicit scope disclaimer: named agent version, named use case, assessed window only — and a re-certification date.

Domain-Agnostic, API-Based

Works against any autonomous agent your team builds or buys — single-agent or multi-agent, tool-using or not — via a scoped API connection to your sandbox. Not a source-code audit or pipeline integration.

Where Attest Delivers

Independent certification
in practice.

🎖
Pre-Production Agent Sign-Off

Independent certification before an autonomous agent touches real customers, claims, or transactions — a governance gate that doesn't rely on the team that built the agent grading its own homework.

🤝
Vendor AI Due Diligence

Certify a third-party AI agent or copilot before it's embedded in your workflow — evidence-backed assessment in place of a vendor's self-reported benchmark numbers.

🔄
Continuous Drift Monitoring

Re-certification triggered automatically when the underlying model or prompt changes — so a certificate reflects what's actually running in production, not what was true at launch.

Common Questions

Questions about
Attest.

What is T-Sigma Attest?
T-Sigma Attest is an independent certification and conformance assessment service for autonomous AI agents. It evaluates whether a deployed agent behaves as intended — across capability, robustness, safety, and operational governance — and issues a scored verdict (Pass, Conditional, or Fail) and a time-boxed, verifiable certificate.
How does Attest test an agent without touching our production systems?
Testing runs exclusively against a scoped, time-boxed sandbox endpoint using synthetic data — never production. Ownership of the endpoint is verified before any probe runs, and every irreversible action a probe could trigger, such as approving a payout or closing a case, is routed to a mocked tool layer rather than a real one.
What do the Pass, Conditional, and Fail verdicts mean?
Each of the 15 dimensions is scored individually and rolled into a weighted composite score, which maps to an overall verdict. A governance rule sits on top: any Tier-2 (safety or security) dimension failure caps the overall verdict at Conditional, no matter how high the composite score is.
Which regulatory frameworks does Attest map to?
Every assessment maps findings to the EU AI Act's risk tiering, the NIST AI Risk Management Framework, ISO/IEC 42001, and DPDP or equivalent PII-handling requirements — evidence a compliance team can present to a regulator, not just an internal engineering artifact.
How long is an Attest certificate valid?
A certificate is time-boxed to a specific agent version and use case, and it voids automatically if the underlying model or prompt changes. Continuous or triggered re-testing is available for subscription customers, so certification stays tied to what's actually running in production.
Does Attest require access to our source code?
No. Attest's assessment model is domain-agnostic and API-based — a scoped connection to a sandbox instance of the agent under test, not a source-code review or pipeline integration. It works against single-agent or multi-agent systems, tool-using or not.

An agent's word isn't evidence.
A certificate is.

Start with a scoped assessment of one agent — see the dimension-level findings before you commit further.

Book a Certification Assessment
The Rest of the Suite

Attest works
even better with…