Cyber Assurance: Current Achievements, Limitations, and the Breakthrough of ADIC

Moving from Technical Defense to Replayable and Verifiable Decisions

Introduction: The Era of “Verifiability” in Cyber Assurance

The paradigm of cybersecurity is undergoing a massive tectonic shift. Traditionally, the industry’s focus has been concentrated on technical defense — how to protect the perimeter and block attacks. Today, however, our attention has clearly shifted toward cyber assurance: how an organization can objectively prove, report, and verify to third parties that its security measures are appropriate and functioning as intended.

Driven by rising global geopolitical risks, increasingly sophisticated supply chain attacks, and the rapid, widespread adoption of AI, governments and regulatory bodies worldwide increasingly demand transparency, traceability, incident reporting, and clear accountability beyond traditional technical defense.

In this modern governance landscape, a critical distinction has emerged: stakeholders are no longer satisfied with subjective “explainability.” What modern compliance and governance increasingly point toward is objective verifiability; ADIC extends this direction into replayability.

This article meticulously outlines the state of cyber assurance in 2026, analyzing its current achievements through global regulations and technical standards, while exposing the persistent “assurance gaps” (limitations). Finally, we introduce a new trust layer designed to break through these limitations: ADIC (Advanced Data Integrity by Ledger of Computation), and explore the paradigm shift it brings to modern governance.

1. Achievements in Cyber Assurance: Advanced Controls, Regulations, and Machine-Readable Evidence

The existing domain of cyber assurance has moved far beyond static paper audits and checklist compliance. It has reached an unprecedented level of maturity, driven by a triad of legal regulations, industry standards, and automation technologies.

① Global Regulations Enforcing Management Accountability and Resilience

Global security frameworks and regulations have decisively shifted from technical checklists to organizational governance and operational resilience.

• NIST CSF 2.0: The framework introduced “Govern” as a sixth core function alongside Identify, Protect, Detect, Respond, and Recover. This explicitly places the responsibility on senior leadership to establish, communicate, and monitor the organization’s cybersecurity risk management strategy, expectations, and policies.

• EU NIS2 Directive: Targeting 18 critical and highly critical sectors, NIS2 mandates strict risk-management measures and incident reporting timelines. Crucially, it strengthens management-body responsibility for approving and overseeing cybersecurity risk-management measures.

• EU DORA (Digital Operational Resilience Act): This regulation requires financial entities and their critical third-party ICT providers to establish robust ICT risk management frameworks, report major incidents, conduct digital operational resilience testing (such as Threat-Led Penetration Testing: TLPT), and manage third-party risk systematically.

• EU CRA (Cyber Resilience Act): Officially enacted as Regulation (EU) 2024/2847, the CRA mandates that products with digital elements must adhere to cybersecurity requirements throughout their entire lifecycle, from design and development to vulnerability handling. Under this horizontal framework, active reporting obligations take effect on September 11, 2026, followed by the enforcement of core compliance and CE marking obligations on December 11, 2027.

② “Assurance” in Supply Chain Procurement and Transactions

Proving cybersecurity posture has rapidly become a prerequisite for B2B transactions and government procurement.

• U.S. CMMC 2.0 (Cybersecurity Maturity Model Certification): For the defense industrial base, self-assessments, third-party assessments, and formal affirmations of compliance with standards like NIST SP 800–171 are being phased in as mandatory conditions for awarding federal contracts.

• Japan’s SCS Evaluation System (Supply Chain Cybersecurity Evaluation System): Developed under METI and the National Cybersecurity Office, and operated by IPA, this framework is being actively developed. Currently positioned as a voluntary evaluation system, with launch targeted around the end of FY2026, it is intended to support supply-chain transactions by helping purchasers indicate appropriate cybersecurity assurance levels to suppliers.

③ Machine-Readable Compliance and Supply Chain Provenance

The technical infrastructure for automating audits and verifying product provenance is rapidly maturing.

• NIST OSCAL (Open Security Controls Assessment Language): This standard represents security controls and assessment information in machine-readable formats (XML/JSON/YAML). When integrated with modern GRC (Governance, Risk, and Compliance) and continuous authorization tools, such as Vanta or ServiceNow GRC/CAM, OSCAL can serve as a foundational layer enabling continuous compliance automation.

• IETF SCITT (Supporting trustworthy Contents and Integrity of Things): This emerging architecture uses a transparency service to register signed statements on an append-only ledger. Third parties can then verify the integrity and authenticity of supply chain artifacts using cryptographic receipts.

• SLSA / in-toto: SLSA (Supply-chain Levels for Software Artifacts) ensures the integrity of software artifacts by securing build provenance, while in-toto provides a framework to define and verify the integrity of the entire software supply chain step-by-step.

2. Transitioning from Provenance to the Era of AI Agents (Increasing Verification Complexity)

While existing cyber assurance frameworks have reached high maturity, the operating entities within systems are rapidly shifting from humans to AI, exponentially increasing the difficulty of verification.

① Proliferation of Agentic AI and the Five Key Risks

As outlined in joint guidance from CISA, the NSA, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the UK NCSC (Careful Adoption of Agentic AI Services), autonomous AI agents capable of operating IT environments with delegated tools, data, and credentials introduce unprecedented risks:

1. Privilege Risk: The risk of AI agents abusing excessive privileges to perform unauthorized actions.

2. Design and Configuration Risk: The risk of flawed logic in agent orchestration, inadequate fallback controls, or compromised third-party integrations.

3. Behaviour Risk: The risk of agents executing unexpected system modifications during dynamic, non-linear reasoning.

4. Structural Risk: The risk introduced by cascading dependencies across third-party plugins and APIs.

5. Accountability Risk: The inability to trace or explain the exact decision path of an agent when a failure or security incident occurs.

Without a verifiable evidence structure that allows third parties to retrospectively trace and reconstruct thousands of autonomous decision points, practical governance over agentic systems remains impossible.

② The Impact of “Machine-Speed Execution” via Claude Mythos

The public evaluations of Anthropic’s “Claude Mythos Preview” and independent verification by the UK AI Security Institute (UK AISI) highlight the urgency of this challenge.

UK AISI reported that Claude Mythos Preview became the first model to complete its 32-step corporate network attack simulation (“The Last Ones”) end-to-end, succeeding in 3 out of 10 attempts. The task is estimated to require approximately 20 hours for a human expert. In a world where AI-driven vulnerability discovery, exploitation, and automated defenses operate at machine speed, traditional audit approaches, such as sampling logs or manual reviews over weeks, face clear limitations and may become insufficient for machine-speed operations.

3. The Limitations of Cyber Assurance: The “Assurance Gap” in Decision Executions

Despite these advanced frameworks, a critical “assurance gap” persists in dynamic system operations and business decision-making.

Existing standards and tools (OSCAL, SCITT, SLSA, SBOM, etc.) are highly effective at proving static states: “What existed (conformity),” “How it was built (build provenance),” and “What components it contains (software inventory).” However, they are not designed to answer the following dynamic question:

The Blind Spots of Existing Cyber Assurance

1. The Gap Between “Fact Provenance” and “Logic Re-verification”: While existing frameworks secure artifacts and log entries, they do not verify the logic behind a decision. Proving that an event log was signed (via SCITT) guarantees that the log was not tampered with, but it does not prove that the internal logic that generated the decision was mathematically correct and compliant with policies active at that exact moment.

2. The Risk of Post-Hoc Rationalization: When an incident or system failure occurs, operators or automated systems can reconstruct and interpret ambiguous, unstructured logs in their favor. Without a system that cryptographically freezes the decision logic and thresholds at the time of execution, preventing post-hoc rationalization remains a persistent challenge.

4. The Breakthrough: “ADIC” Transforming Decision Execution into a Replayable Ledger of Computation

To bridge this assurance gap, GhostDrift introduces ADIC (Advanced Data Integrity by Ledger of Computation).

ADIC is not a replacement for firewalls, WAFs, EDRs, or GRC tools. Instead, it serves as a specialized assurance layer. It ingests the events and facts captured by existing defenses (or verified by SCITT) and packages the subsequent decision-making process into a replayable, mathematically verifiable ledger.

[ADIC's Position in the Cyber Assurance Stack]

 ┌────────────────────────────────────────────────────────┐ │  Compliance & Governance Automation (Vanta, ServiceNow)│ └──────────────────────────┬─────────────────────────────┘                            │ (Control Policies & Evidence Demands) ┌──────────────────────────▼─────────────────────────────┐ │  Defense, Detection & Supply Chain Security (Wiz, SCITT)│ └──────────────────────────┬─────────────────────────────┘                            │ (Event Data & Provenance Facts) ┌──────────────────────────▼─────────────────────────────┐ │ ★ ADIC (Decision Replay & Verification Layer)           │ │  ⇒ Proves "Rules + Inputs + Auth + Outputs" as Replayable│ └────────────────────────────────────────────────────────┘

The Four Core Components of ADIC

ADIC structures any operational decision or security execution into four distinct elements, securing them using cryptography and formal verification:

1. Policies / Rules as Code: The formalized, machine-readable rules that must be satisfied.

2. Context / Attested Facts: The recorded or externally attested state data referenced during the decision.

3. Authorizations / Clearances: Cryptographic signatures of authorized human operators or AI agents.

4. Calculated Verification Result: The deterministic, logical outcome of the execution (e.g., Permit or Deny).

Instead of saving these elements as flat text logs, ADIC packages them into a Replay Certificate. Any third party running the same verification logic over the same certificate can reproduce the same deterministic verification result, within the stated formal assumptions.

Connecting to Mathematical Assurance via Formal Methods (Lean 4)

ADIC’s architecture is rooted in formal methods, a discipline famously demonstrated by DARPA’s HACMS (High-Assurance Cyber Military Systems) project to build systems that mathematically satisfy security specifications. Following this paradigm, ADIC leverages Lean 4, a functional programming language and theorem prover, to formalize and mechanically check the core soundness argument of its replay-verification layer.

The core soundness theorem, published in the open-source proofs by GhostDrift数理研究所, is formalized as:

-- Conceptual representation of ADIC's core soundness theorem in Lean 4theorem verifierBool_sound (cert : Certificate) (spec : Specification) :  verifierBool cert spec = true → semantic_validity cert spec

This theorem mathematically guarantees the soundness of the verifier: if the Replay Verifier accepts a certificate under a given specification, it logically implies the certificate holds semantic_validity under the formalized rules.

⚠️ Technical Boundaries: What ADIC Guarantees and Does Not Guarantee

To maintain technical integrity and avoid industry hype, the boundaries of ADIC’s guarantees must be strictly defined:

• What ADIC Guarantees (Formally Verified Safety Properties):

• Machine-Verifiability Within Scope: Within the boundaries of the formalized policies (specifications) and assumptions, the acceptance of a certificate by the Replay Verifier mathematically guarantees the semantic validity of the execution decision.

• Reduction and Detection of Post-Hoc Rationalization: Because the policy rules, thresholds, and input parameters are cryptographically locked at the exact moment of execution, operators cannot retroactively alter or manipulate the decision logic to justify a past action.

• What ADIC Does NOT Guarantee (Out-of-Scope Challenges):

• The Physical Truth of Input Data: ADIC verifies logical derivation, but it cannot guarantee if the input sensors or external data feeds were physically spoofed, broken, or inaccurate in the real world.

• The Real-World Appropriateness of Policies: ADIC cannot evaluate whether the chosen organizational policies or thresholds are legally, ethically, or operationally optimal; that remains a human design responsibility.

• System-External Operational Integrity: ADIC cannot prevent physical, out-of-band actions where an insider bypasses the digital system entirely to compromise an asset.

5. Non-Replaceable Domains: How ADIC Coexists with Existing Security Solutions

To understand ADIC’s unique value, it must be positioned alongside — rather than in competition with — the existing cybersecurity ecosystem.

Domain

Existing Approaches (e.g., Wiz, GRC, SCITT)

What ADIC Handles

Defense, Detection & Static Audits

Firewalls, WAFs, EDRs block attacks. SBOM and SCITT secure product provenance. GRC platforms automate evidence collection for policy adherence.

No Replacement: ADIC relies on these tools, ingesting their detections, logs, and provenance proofs as trusted “Facts.”

Dynamic Decision Re-Verification

Human auditors manually review, interpret, and sample static documents and text logs. High risk of post-hoc rationalization.

Unique Domain: Cryptographically binds rules, inputs, signatures, and outcomes, allowing a deterministic program to run and “replay” the decision.

Agentic Governance

Flat text logs of agent actions, combined with static API access controls.

Unique Domain: Captures the rapid, dynamic decisions of autonomous AI agents, producing millisecond-level replayable ledgers of why an action was permitted.

Conclusion: The Future of Assurance

Supported by frameworks like NIST CSF 2.0, NIS2, DORA, and CRA, alongside technical standards like OSCAL, SCITT, and SLSA, modern cyber assurance has successfully automated evidence collection and provenance.

Yet, a critical black box has remained: the ability to mathematically prove and replay the logic behind dynamic, real-time decisions. As autonomous agents and high-speed models like Claude Mythos become deeply integrated into IT operations, this gap becomes a critical vulnerability.

ADIC addresses this gap directly by structuring execution decisions into a replayable ledger of computation, backed by the mathematical rigor of Lean 4. By transforming cyber governance from “the collection of static evidence” to “the deterministic replayability of decisions,” ADIC emerges as the missing link that maximizes the value of an organization’s existing security and compliance investments.

References

NIST CSF 2.0:

• Title: The NIST Cybersecurity Framework (CSF) 2.0

• Publisher: National Institute of Standards and Technology (NIST)

• Publication Date: February 26, 2024

• URL: https://www.nist.gov/cyberframework (Accessed May 2026)

NIST OSCAL:

• Title: Open Security Controls Assessment Language (OSCAL)

• Publisher: National Institute of Standards and Technology (NIST)

• URL: https://pages.nist.gov/OSCAL/ (Accessed May 2026)

EU NIS2 Directive:

• Title: Directive (EU) 2022/2555 of the European Parliament and of the Council (NIS 2)

• Publisher: Official Journal of the European Union (EUR-Lex)

• Publication Date: December 27, 2022

• URL: https://eur-lex.europa.eu/eli/dir/2022/2555/oj (Accessed May 2026)

EU DORA:

• Title: Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA)

• Publisher: Official Journal of the European Union (EUR-Lex)

• Publication Date: December 14, 2022

• URL: https://eur-lex.europa.eu/eli/reg/2022/2554/oj (Accessed May 2026)

EU CRA:

• Title: Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act)

• Publisher: Official Journal of the European Union (EUR-Lex)

• Publication Date: November 20, 2024

• URL: https://eur-lex.europa.eu/eli/reg/2024/2847/oj (Accessed May 2026)

U.S. CMMC 2.0:

• Title: Cybersecurity Maturity Model Certification (CMMC) Program

• Publisher: Office of the Under Secretary of Defense for Acquisition & Sustainment / Department of Defense (DoD)

• URL: https://dodcio.defense.gov/CMMC/ (Accessed May 2026)

Japan’s SCS Evaluation System:

• Title: Basic Policy for Establishing the Supply Chain Cybersecurity (SCS) Evaluation System

• Publisher: Ministry of Economy, Trade and Industry (METI), National Center of Incident Readiness and Strategy for Cybersecurity (NISC), and Information-technology Promotion Agency (IPA)

• Publication Date: March 2026

• URL: https://www.ipa.go.jp/security/ (Accessed May 2026)

IETF SCITT:

• Title: Supporting trustworthy Contents and Integrity of Things (SCITT) Working Group

• Publisher: Internet Engineering Task Force (IETF)

• URL: https://datatracker.ietf.org/wg/scitt/about/ (Accessed May 2026)

SLSA / in-toto:

• Title: Supply-chain Levels for Software Artifacts (SLSA) / in-toto framework

• Publisher: OpenSSF (Open Source Security Foundation) / in-toto project

• URL: https://slsa.dev and https://in-toto.io (Accessed May 2026)

Five Eyes Joint Guidance on Agentic AI:

• Title: Careful Adoption of Agentic AI Services

• Publisher: Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NCSC-NZ), and UK National Cyber Security Centre (NCSC)

• Publication Date: May 1, 2026

• URL: https://www.cisa.gov/resources-tools/resources/careful-adoption-agentic-ai-services (Accessed May 2026)

Anthropic Claude Mythos & UK AISI:

• Title: Our evaluation of Claude Mythos Preview’s cyber capabilities / UK AI Security Institute (AISI) Research and Evaluations

• Publisher: Anthropic PBC / UK Government AI Security Institute

• Publication Date: April 13, 2026

• URL: https://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos-previews-cyber-capabilities (Accessed May 2026)

DARPA HACMS:

• Title: High-Assurance Cyber Military Systems (HACMS) Program Summary

• Publisher: Defense Advanced Research Projects Agency (DARPA)

• URL: https://www.darpa.mil/program/high-assurance-cyber-military-systems (Accessed May 2026)

Lean 4 Theorem Prover:

• Title: The Lean 4 Programming Language and Theorem Prover

• Publisher: Leonardo de Moura et al. / Lean community

• URL: https://lean-lang.org/ (Accessed May 2026)

ADIC GitHub Repository:

• Title: ADIC Replay Verification Lean 4 Proof Artifact (verifierBool_sound)

• Publisher: GhostDrift数理研究所

• URL: https://github.com/GhostDriftTheory/adic-lean-proof-replay (Accessed May 2026)