ArcaKey Continuous Defensibility Monitoring
Cryptographically-signed monthly reports showing whether your AI stack still holds up against Title 21, PHIPA, Reg S-P, and the AI-specific signals no compliance dashboard watches. Reviewed by a credentialed verifier. Backed by our regulator-acceptance commitment.
Launch August 2026. Audit customers receive 90 days of Monitoring Pro at no additional charge, auto-converting to paid Pro on day 91 unless cancelled.
Why monitoring
A Defensibility Audit answers the question “is my AI defensible today?” The answer is good for 30 days, maybe 90 if nothing changes.
But these things change all the time:
- A new Zero Data Retention contract amendment lands with your model provider.
- Your TEE image digest rolls forward.
- A sub-processor's Business Associate Agreement quietly lapses.
- Your team starts routing more dictations through cloud LLM instead of TEE.
- The FDA publishes a draft AI guidance amendment.
- A new sanctions list ships.
- A regulatory framework you depend on adds a new requirement.
- Your audit chain skips an entry due to a deployment race.
Most of these never reach the desk of the person who would notice. Monitoring is the layer that watches.
What you receive
A cryptographically-signed report — monthly (Lite), weekly (Pro), or daily (Enterprise) — covering:
- AI-stack posture: TEE attestation digest, sub-processor Business Associate Agreement status, ZDR contract validity, model provider changes, and key rotation events.
- Audit-chain integrity: every signed entry verified against the chain head; gaps or signature failures flagged.
- Framework-specific monitoring: updates to your selected frameworks (Title 21, PHIPA, Reg S-P, etc.) with named impact: “21 CFR Part 11 amendment X affects workflow Y in your audit memo.”
- Usage anomalies: unusual patterns in your ArcaKey usage (sudden cloud-LLM spike, sudden TEE drop, off-hours bulk transcription).
- Drug Formulary delta: for clinical customers, drugs added, removed, or relabeled in the Health Canada DPD that affect your prescribing patterns.
- Verifier flags: anything the credentialed verifier raised during their quarterly methodology check.
Each report is signed by an ML-DSA-65 (FIPS 204) post-quantum signature over the report contents, your customer-context hash, and the timestamp. The signature is verifiable against ArcaKey's published public key. If anyone modifies the report, the signature fails verification.
You keep every signed report permanently. Cancel and you retain every report ever generated for you, regardless of subscription state.
Every signed monitoring report is generated inside the same TEE-attested infrastructure (Intel TDX with NVIDIA Confidential Computing, on Phala) that powers the rest of the ArcaKey stack. The Vercel-side guardrail INFERENCE_RELAY_EXPECTED_MEASUREMENT is compared against the live image digest returned by the relay's Confidential Space attestation token. Open the viewer to verify the live attestation against the expected measurement, see the TEE stack identifiers, and (if you want) copy the raw token to verify externally against Google's JWKs.
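As an added example (not ArcaKey's code), the audit-chain integrity check described above: each entry carries its predecessor's hash and a signature, and the final hash must equal the chain head published in the report, so a skipped entry (the deployment race mentioned earlier), a tampered entry, or a truncated chain each surfaces as a distinct finding. The field layout, the constructed signing key, and the HMAC-SHA256 stand-in for the page's Ed25519/ML-DSA-65 signatures are assumptions made so the example runs with the standard library.

```python
import hashlib
import hmac
import json

# Constructed stand-in signing key. ArcaKey's chain uses Ed25519 + ML-DSA-65
# signatures; HMAC-SHA256 stands in here only so the example runs on the stdlib.
SIGNING_KEY = b"constructed-demo-signing-key"
GENESIS = "0" * 64
BODY_FIELDS = ("seq", "prev", "payload", "ts")

def canonical(body: dict) -> bytes:
    """Deterministic encoding so hashes and signatures are reproducible."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def body_hash(body: dict) -> str:
    return hashlib.sha256(canonical(body)).hexdigest()

def sign(body: dict) -> str:
    return hmac.new(SIGNING_KEY, canonical(body), hashlib.sha256).hexdigest()

def make_entry(seq: int, prev: str, payload: str, ts: str) -> dict:
    body = {"seq": seq, "prev": prev, "payload": payload, "ts": ts}
    return {**body, "sig": sign(body)}

def build_sample_chain():
    """Constructed four-entry chain; returns (entries, chain_head)."""
    entries, prev = [], GENESIS
    for seq, payload in enumerate(["enc-a", "enc-b", "enc-c", "enc-d"]):
        e = make_entry(seq, prev, payload, f"2026-08-0{seq + 1}T09:00:00Z")
        entries.append(e)
        prev = body_hash({k: e[k] for k in BODY_FIELDS})
    return entries, prev

def verify_chain(entries: list, chain_head: str) -> list:
    """Walk every entry; return findings (an empty list means the chain verifies)."""
    findings, expected_seq, prev = [], 0, GENESIS
    for e in entries:
        body = {k: e[k] for k in BODY_FIELDS}
        if e["seq"] != expected_seq:                       # skipped entry (e.g. deployment race)
            findings.append(f"gap: expected seq {expected_seq}, found {e['seq']}")
        if e["prev"] != prev:                              # link does not point at its predecessor
            findings.append(f"link mismatch at seq {e['seq']}")
        if not hmac.compare_digest(e["sig"], sign(body)):  # tampered or forged entry
            findings.append(f"signature failure at seq {e['seq']}")
        prev = body_hash(body)
        expected_seq = e["seq"] + 1
    if prev != chain_head:                                 # head as published in the signed report
        findings.append("chain head mismatch")
    return findings
```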
How it works
Five working steps from application to active monitoring. Onboarding completes inside one business week.
- Day 0 (Onboarding): Apply via the form. We respond within 3 business days with a Subscription Agreement and a kickoff scheduling link.
- Days 1–3 (Baseline): 45-minute working call. We confirm which frameworks apply to you, which workflows are in scope, and which signals matter most. If you've had a Defensibility Audit, the baseline is pre-populated from the memo.
- Day 4+ (Monitoring active): Reports arrive on your selected cadence. Alerts (Pro and Enterprise) fire to email, Slack, webhook, or PagerDuty when monitored signals cross your configured thresholds.
- Quarterly (Verifier methodology check): A credentialed external verifier (named on your Subscription Agreement) reviews ArcaKey's monitoring methodology against current standards and signs the next quarter's reports.
- Annually (Renewal review): 30-minute review of what was caught, what was missed, what to change. Subscription renews automatically.
What's monitored (the long list)
Three signal groups across every tier. Customer-usage signals are Pro and Enterprise only.
- TEE attestation: relay measurement matches the Vercel-side guardrail (INFERENCE_RELAY_EXPECTED_MEASUREMENT).
- Audit chain integrity: continuous Ed25519 + ML-DSA-65 verification against the chain head.
- Per-encounter signature validation: spot-check 1% of recent encounters per period.
- Sub-processor inventory: BAA status, ZDR contract validity, image digest provenance.
- Model provider events: deprecations, training-data policy changes, BAA renewals.
- Title 21: 21 CFR amendments, FDA AI guidance updates, ICH E6(R3) revisions.
- PHIPA: Office of the IPC orders, Ontario Health updates, hospital-sector circulars.
- Reg S-P: SEC rule updates, examination priority changes, FINRA notices.
- HIPAA: HHS OCR enforcement actions and guidance (forthcoming).
- Bill 25: CAI updates, Quebec data-residency announcements (forthcoming).
- Cloud-vs-TEE LLM ratio: unexpected shifts trigger a note.
- Off-hours bulk usage: pattern detection (could indicate credential compromise).
- Drug verifier outputs: rising fraction of “unknown” tokens for clinical customers.
- Voice transcription word-rate distribution and hallucination-guard refusal rate.
- ArcaVoice correction memory growth: pattern shifts in physician-specific corrections.
Methodology
Our methodology is published. Monitoring uses the same named external standards as the Defensibility Audit:
- FDA 21 CFR Part 312 (IND), Part 314 (NDA), Part 11 (Electronic records and signatures).
- ICH E6(R3) Good Clinical Practice.
- FDA 2024 guidance: Considerations for the Use of Artificial Intelligence to Support Regulatory Decision-Making for Drug and Biological Products.
- NIST FIPS 203 (ML-KEM-768) — post-quantum key encapsulation.
- NIST FIPS 204 (ML-DSA) — post-quantum digital signature.
- NIST SP 800-204D — strategies for the integration of software supply chain security.
- NIST AI Risk Management Framework (AI RMF 1.0) and the Generative AI Profile (NIST AI 600-1).
- PHIPA and IPC Ontario guidance documents.
- SEC Reg S-P and Investment Advisers Act guidance (where applicable).
We do not invent proprietary scoring rubrics. Reports map your current state against the named external standards above and report what we find.
Independent verifier
Every report carries an ML-DSA-65 signature. Quarterly, a credentialed external verifier reviews our monitoring methodology and signs off on the next quarter's reports. Verifiers are credentialed in post-quantum cryptography or regulatory law, are paid per quarter out of subscription revenue, hold no equity in ArcaKey, and have full authority to require methodology corrections before signing.
Your verifier is named on your Subscription Agreement. You may decline a specific verifier and request an alternative.
Objectivity disclosure
ArcaKey AI sells an encrypted private-AI workspace as a commercial product. Monitoring is intentionally usable by customers who do not run on ArcaKey infrastructure — for non-ArcaKey customers, we monitor what we can see (BAA status, regulatory deltas, framework signals) and explicitly mark which signals require an ArcaKey deployment. We are prepared to issue reports recommending non-ArcaKey remediation paths when those are appropriate, and we publish those at our discretion as part of our objectivity record.
Three commitments
- Coverage commitment: Every signal listed in your Subscription Agreement is monitored on the cadence specified. If we miss a covered signal during a reporting period, we issue a corrected report at no charge.
- Verifier commitment: Every quarter, a credentialed external verifier reviews the methodology and signs off on the next quarter's reports. If the verifier identifies methodology errors, those are corrected before the next report ships.
- Regulator-acceptance commitment: If you submit a Monitoring report to FDA, SEC, HHS OCR, FINRA, or the Office of the Privacy Commissioner of Canada as part of your AI governance documentation, and the regulator finds the report insufficient, we will revise it at no charge until the regulator accepts it. Customer must provide ArcaKey with the regulator's written feedback to invoke this commitment.
Bundle with the Defensibility Audit
Every ArcaKey Defensibility Audit includes 90 days of Continuous Defensibility Monitoring Pro at no charge, beginning on the day the audit memo is delivered. On day 91, the subscription auto-converts to paid Monitoring Pro at $1,499/mo unless cancelled. Customers who cancel during the 90-day window keep every report generated during that window.
This is the engineered conversion path: the audit produces a baseline, and Monitoring shows that baseline holding (or not) every week for the next three months. By the time the customer makes the renewal decision, they have empirical data on how often the monitoring would have caught a real change.
Pricing
Three tiers. Flat monthly fees. Annual billing 15% off (Lite and Pro). Enterprise is quoted.
About
ArcaKey AI builds the encrypted private-AI workspace for regulated professional work. Anthropic and OpenAI Zero Data Retention contracts active since April 2026. Tinfoil and Phala Business Associate Agreements in flight. Operator-blind by design. Founded by Randall Ausenhus, who built the platform, runs the audits, signs the monitoring reports, and answers the phone.
Apply
Onboarding takes 5–8 minutes. We respond within 3 business days. Monitoring begins within 1 week of acceptance.
Start monitoring
Confidential by default. Mutual non-disclosure agreement available before application.
ArcaKey Continuous Defensibility Monitoring is a recurring technical and regulatory assessment service. It is not legal counsel and does not constitute a legal opinion. ArcaKey AI is not a law firm and does not practice law. Where a finding requires legal interpretation, monitoring reports explicitly recommend the customer engage independent legal counsel. The Regulator-Acceptance Commitment covers revision of monitoring reports at no additional fee in the event a regulator finds a report insufficient as documentation; it does not warrant any specific regulatory outcome. Monitoring is not real-time intrusion detection or breach response — it operates on the cadence specified in your Subscription Agreement.