Governance Trust Envelope (GTE) Open Infrastructure
The problem the GTE solves
Every AI governance framework runs into the same operational vulnerability: the governance controls execute in unprotected software that the deployer controls. The deployer can modify the controls. The deployer can weaken the controls. The deployer can disable the controls. The evidence those controls produce is only as trustworthy as the deployer’s honesty.
This vulnerability applies to every framework. HEART Standard governance wrappers, EU AI Act conformity controls, ISO 42001 management system components, NIST AI RMF risk management practices — none of them specify where governance controls execute or why anyone should trust the evidence they produce. The GTE specifies the where.
The five trust properties
| Property | Vulnerability addressed | What the GTE guarantees |
|---|---|---|
| Isolation | A governance wrapper sharing memory with the AI system can be read, modified, or bypassed | The wrapper executes in a memory-isolated boundary inaccessible to the AI model, the OS, or other applications |
| Authenticity | A deployer could swap in a modified wrapper that produces favorable evidence | A cryptographic hash of the wrapper code is measured at load time and verified against the certified reference |
| Integrity | Wrapper configuration could be modified between assessments to weaken governance silently | Configuration is sealed to the trust root; any change is visible and attributable in attestation |
| Confidentiality | Governance monitoring could expose user interaction content as a surveillance byproduct | Raw interaction content stays inside the envelope; only aggregate governance metrics leave |
| Attestation | A remote verifier has no way to confirm the certified wrapper is genuine and running | The GTE responds to remote attestation challenges with a signed proof of code hash, configuration state, mechanism status, and trust tier |
Each property addresses a specific vulnerability that exists in every unprotected governance execution environment.
Three implementation tiers
The GTE is implementable at three trust levels using existing production-grade technology. Each tier provides all five trust properties at graduated strength. The trust tier is honestly disclosed in every attestation response — verifiers always know what they are trusting.
Tier 1 — Hardware TEE. The governance wrapper executes inside a hardware Trusted Execution Environment (Intel TDX, AMD SEV-SNP, ARM TrustZone, or NVIDIA H100 Confidential Computing). Memory encryption and access controls are enforced by the processor. Remote attestation is signed by hardware-embedded keys backed by the manufacturer’s PKI chain. Tamper-proof against software attacks including root-level access. Best for cloud-deployed AI systems and high-value server-side governance.
Tier 2 — WebAssembly Sandbox + TPM Attestation. The wrapper compiles to WebAssembly and runs inside a Wasm runtime (WAMR, Wasmtime, or WaVe) that enforces memory, filesystem, and network isolation. A TPM 2.0 measures the runtime and the wrapper module, sealing the signing key to the certified configuration. If the wrapper or its configuration changes, the TPM cannot release the key and valid attestation cannot be produced. Strong trust on consumer hardware: TPM 2.0 is present on virtually all PCs manufactured since 2016.
Tier 3 — Software-Only. Pure software isolation with software-rooted signing keys. No hardware trust root. The weakest tier — and the most honest about it. Available on any platform. Suitable for development, testing, and low-stakes deployments where the verifier accepts software-only assurance.
The two-contribution identity
The Heart AI Foundation publishes two open contributions to AI governance.
The HEART Standard is the governance framework: constitutional architecture (the Seven Axioms), the certification scoring formula (BGF), the evidence protocol (MAP-States), the trust layer (Behavioral Oracle), the professional class (Guardians), and the domain-specific Divisions.
The Governance Trust Envelope is the execution trust boundary: framework-agnostic infrastructure that protects whatever governance logic runs inside it. It does not define governance dimensions. It does not score AI systems. It does not certify anything. It guarantees that whatever certified controls were supposed to be running are, in fact, running — in their certified configuration — and that the evidence they produce has not been tampered with.
The HEART Standard uses the GTE for its governance wrappers. The GTE does not require the HEART Standard. The two contributions are independently adoptable. A regulator implementing EU AI Act conformity assessment under Article 41 common specifications can use the GTE to provide trusted execution for whatever conformity controls the Commission specifies, with no reference to HEART. An organization implementing ISO 42001 management system controls can use the GTE to make those controls remotely verifiable, with no reference to HEART. The GTE is open infrastructure for AI governance generally — not infrastructure for HEART specifically.
Where the GTE fits
The GTE sits underneath the governance wrapper and above the host operating system. It is invisible to the AI model (the model only sees its own input and output). It is invisible to end users (governance happens inside the trust boundary, not in the user-facing surface). It is visible to verifiers — Guardians, regulators, insurers, the Behavioral Oracle — through remote attestation responses.
The ownership boundary is precise. The deployer owns the governance wrapper: what controls to implement, how to express them as executable logic, how to compile them into a GTE-compatible module. The Heart AI Foundation owns the GTE specification and reference infrastructure: the trust boundary, the sandbox, the attestation protocol. The framework’s designated assessor — ISO auditor, EU notified body, internal committee, HEART Guardian — certifies that the wrapper’s controls meet the framework’s requirements. The GTE certifies that the certified wrapper is still the wrapper actually running.
Specification status
Version 1.1, April 3, 2026. The GTE specification text is copyright the Heart AI Foundation; the reference implementation code is published under MIT license. The Cross-Framework Integration Guide v1.1 (April 3, 2026) documents adoption pathways for the EU AI Act, ISO 42001, and NIST AI RMF. The GTE’s open-infrastructure status — that the envelope is available to any governance framework, not exclusive to HEART — is unamendable in the Foundation Charter v2.2.
For full specification text and reference implementation use the Contact page.