Federal & public sector

Built for missions that can’t afford blind spots.

GRIFF AI gives mission and program teams a clear, verifiable record of what every AI agent did, under what authority, and who signed off — built to hold up under a procurement security review, not just a sales call.

Section 889 screenedNIST-aligned controlsTamper-evident audit trailNo public listener on production

Why mission teams choose GRIFF AI

Posture that answers the security questionnaire before it’s asked.

Supply chain

Covered-vendor screening on every release

Every release is checked against the NDAA Section 889 / FAR 52.204-25 covered-vendor list before it ships — the same class of check a procurement review will ask for on day one.

Audit

A record nobody can quietly edit

Every consequential action an agent takes is written to a tamper-evident, hash-chained log — actor, action, target, and timestamp — aligned to NIST AU-2, AU-3, and AU-12.

Access

Credentials that expire on their own

Production access credentials rotate automatically on a 30-day cycle, aligned to NIST AC-2(3) — a compromised credential has a short shelf life, not a year-long one.

Edge

No direct line to production

Production systems sit behind a zero-trust edge with no public listener. Every request is authenticated before it ever reaches application logic.

Chain of custody

A record built to survive a dispute, not just a demo.

The audit trail is the evidence behind everything else on this page. It is designed so that a reviewer can verify integrity directly, rather than trust a dashboard that says everything is fine.

01

Every action is fingerprinted

Each recorded event carries a cryptographic fingerprint of exactly what happened and where it came from, sealed at the moment it occurs.

02

Each record links to the one before it

Records chain together in sequence, so altering or removing any single entry breaks the chain forward of that point — not just at the edge.

03

The chain is checkable, not just trusted

Integrity can be independently verified at any time — a reviewer does not have to take our word for it.

Compliance posture

Where we stand today, and what’s next.

We would rather a procurement reviewer read this on our own page than discover it midway through a questionnaire. Here is the honest split between what’s shipped and what’s ahead.

In place today

  • Automated Section 889 covered-vendor screening on every release
  • Tamper-evident, hash-chained audit logging for consequential actions
  • 30-day rotation on credentials with access to production systems
  • Zero-trust edge with no direct public listener on production

On the roadmap

  • Formal FedRAMP authorization (Low or Moderate baseline)
  • CMMC certification, pursued alongside a funded federal engagement
  • Published software bill of materials (SBOM) per release
  • Third-party assessment and Authorization to Operate (ATO) on a customer system boundary

These move forward alongside a qualified pilot or federal engagement, not on a generic timeline.

Talk to us

Security questionnaire pre-fill, NDA review, and a live walkthrough.

Email reaches the team directly, with a reply typically within one business day. Under NDA we can share deeper evidence behind the posture on this page and on /security.