Skip to content

Enterprise Workflows

Real-world examples of QuantZK VDI in regulated industries.

Fair Lending (Financial Services)

Use Case

A bank's AI lending system must prove every loan decision complied with the Fair Lending Act and ECOA without revealing the applicant's private data or the model's proprietary logic.

Pipeline

javascript
import { attest, verify } from '@quantzk/attest';

const attestation = await attest({
  pipeline: {
    name: 'ACME Bank Lending Pipeline',
    manifest: 'fair-lending-v1',
    version: '2.0.0',
    steps: [
      'application',       // Applicant submits data
      'identity',          // KYC/AML verification
      'credit_analysis',   // Credit scoring
      'fairness_check',    // Fair lending compliance
      'pricing',           // Rate determination
      'decision'           // Final approval/denial
    ]
  },
  decision: {
    path: ['application', 'identity', 'credit_analysis', 'fairness_check', 'pricing', 'decision'],
    inputs: {
      credit_score: 720,
      income: 85000,
      debt_ratio: 0.32,
      approved: true,
      roe_compliant: true
    },
    outcome: 'decision'
  },
  authority: {
    type: 'legal_review',
    name: 'Covington & Burling LLP',
    ref: 'Legal Opinion #2026-AI-FL-014',
    regulation: 'Fair Lending Act, ECOA'
  }
});

Constraints Enforced

ConstraintDescriptionCritical
no_protected_classDecision does not use race, gender, religion, national origin, marital status, age, or receipt of public assistanceYes
adverse_action_justifiedAny adverse action justified by legitimate credit risk factors per ECOA Section 701(a)Yes
rate_within_boundsInterest rate within regulatory bounds for applicant risk tierNo
equal_information_requirementSame information requested from all applicants regardless of protected classYes

Audit Flow

  1. Bank's lending AI generates an attestation for every loan decision
  2. Internal compliance team runs verify() and emits signed receipts
  3. External auditor (e.g., OCC examiner) receives attestations and receipts
  4. Auditor verifies independently, no bank system access needed
  5. Regulator can mathematically confirm compliance without seeing private applicant data

Clinical AI (Healthcare)

Use Case

A hospital's AI diagnostic system must prove it handled PHI according to HIPAA rules without revealing the patient's medical records.

Pipeline

javascript
const attestation = await attest({
  pipeline: {
    name: 'Clinical Diagnostic Pipeline',
    manifest: 'hipaa-phi-v1',
    version: '1.0.0',
    steps: [
      'data_access',      // PHI retrieval
      'preprocessing',    // Data normalization
      'inference',        // AI model execution
      'logging',          // Audit trail
      'output'            // Result delivery
    ]
  },
  decision: {
    path: ['data_access', 'preprocessing', 'inference', 'logging', 'output'],
    inputs: {
      patient_id_hash: '0xabc...',
      data_fields_accessed: 3,
      purpose: 'treatment',
      output_de_identified: true,
      access_logged: true
    },
    outcome: 'output'
  },
  authority: {
    type: 'audit_firm',
    name: 'KPMG Healthcare Compliance',
    ref: 'HIPAA Audit Report #2026-HC-042'
  }
});

Constraints Enforced

ConstraintDescriptionCritical
minimum_necessaryOnly minimum necessary PHI accessedYes
authorized_purposeAccess for treatment, payment, or healthcare operationsYes
audit_trailAccess logged with user, timestamp, and purposeYes
de_identificationOutput does not contain identifiable PHIYes

Compliance Flow

  1. Clinical AI generates attestation for each diagnostic run
  2. Hospital's HIPAA compliance officer verifies attestations
  3. During HHS audit, attestations serve as mathematical proof of compliance
  4. Patient data never leaves the hospital, only proofs and receipts

EU AI Act (High-Risk AI Systems)

Use Case

An autonomous hiring system operating in the EU must prove it provides adequate human oversight as required by EU AI Act Article 14.

Pipeline

javascript
const attestation = await attest({
  pipeline: {
    name: 'EU Compliant Hiring System',
    manifest: 'eu-ai-act-art14-v1',
    version: '1.0.0',
    steps: [
      'intake',            // Application received
      'screening',         // Initial AI screening
      'oversight_check',   // Human oversight verification
      'monitoring',        // Anomaly detection
      'decision'           // Hire/reject
    ]
  },
  decision: {
    path: ['intake', 'screening', 'oversight_check', 'monitoring', 'decision'],
    inputs: {
      human_reviewer_present: true,
      reviewer_certified: true,
      anomaly_check_passed: true,
      intervention_available: true,
      bias_mitigation_active: true
    },
    outcome: 'decision'
  },
  authority: {
    type: 'standards_body',
    name: 'CEN-CENELEC JTC 21',
    ref: 'EN XXXXX:2026, AI Conformity Assessment'
  }
});

Constraints Enforced

ConstraintDescriptionCritical
human_oversight_mechanismSystem has human oversight appropriate to riskYes
system_understandingHuman overseers understand system capacities and limitationsYes
anomaly_detectionSystem supports detection of anomalies and dysfunctionsYes
intervention_capabilityHuman can intervene or interrupt system operationYes
automation_bias_awarenessMeasures to guard against automation biasNo

Autonomous Agent Networks

Use Case

A fleet of autonomous trading agents needs to verify each other's decisions without a central authority and without revealing proprietary strategies.

Three-Agent Trust Propagation

javascript
import { attest, verify, verifyAndReceipt, verifyReceipt } from '@quantzk/attest';
import { randomBytes } from 'crypto';

// Agent A: Trading Bot, makes a trade decision
const attestation = await attest({
  pipeline: {
    name: 'Algo Trading Pipeline',
    steps: ['market_data', 'signal_generation', 'risk_check', 'position_sizing', 'execution'],
    constraints: [
      { id: 'max_position_size', vertex: 'position_sizing', critical: true },
      { id: 'risk_limit', vertex: 'risk_check', critical: true },
      { id: 'market_hours', vertex: 'execution', critical: true }
    ]
  },
  decision: {
    path: ['market_data', 'signal_generation', 'risk_check', 'position_sizing', 'execution'],
    inputs: { signal_strength: 0.87, risk_score: 0.23, position_pct: 0.02 },
    outcome: 'execution'
  },
  authority: { type: 'self_attested' }
});

// Agent B: Risk Monitor, verifies and emits receipt
const { verification, receipt } = await verifyAndReceipt(attestation, {
  signingKey: randomBytes(32).toString('hex'),
  verifierId: 'vdi:verifier:risk-monitor-001'
});

// Agent C: Portfolio Manager, trusts Agent B's receipt
const receiptOk = await verifyReceipt(receipt, {
  attestation,
  trustedVerifiers: ['vdi:verifier:risk-monitor-001']
});
// receiptOk.valid === true, no ZK re-verification needed

Scaling Trust in Agent Networks

OperationTimeNetwork Scale (1000 agents)
Full ZK verification~27ms27 seconds
Receipt verification~2ms2 seconds
Receipt propagation~0.1ms100ms

With verification receipts, trust scales linearly rather than exponentially. One full verification produces a receipt that 999 agents can trust without re-verifying.


NIST AI Risk Management Framework

Use Case

A government agency deploying AI must demonstrate compliance with NIST AI RMF (AI 100-1) for risk governance, context mapping, performance measurement, and risk management.

Pipeline

javascript
const attestation = await attest({
  pipeline: {
    name: 'Federal AI Deployment Pipeline',
    manifest: 'nist-ai-rmf-v1',
    version: '1.0.0',
    steps: [
      'governance',        // Risk management policies
      'documentation',     // System context and capabilities
      'evaluation',        // Performance measurement
      'risk_management',   // Risk prioritization
      'deployment'         // Go/no-go
    ]
  },
  decision: {
    path: ['governance', 'documentation', 'evaluation', 'risk_management', 'deployment'],
    inputs: {
      policies_in_place: true,
      capabilities_documented: true,
      metrics_measured: true,
      risks_managed: true
    },
    outcome: 'deployment'
  },
  authority: {
    type: 'standards_body',
    name: 'NIST',
    ref: 'AI 100-1 (January 2023)'
  }
});

Custom Constraints

You can define your own constraints for any industry or use case:

javascript
const attestation = await attest({
  pipeline: {
    name: 'Custom Content Moderation',
    steps: ['intake', 'classification', 'policy_check', 'action'],
    constraints: [
      { id: 'no_false_positives_on_news', vertex: 'classification', critical: true,
        description: 'News content must not be classified as misinformation without high confidence' },
      { id: 'human_review_threshold', vertex: 'policy_check', critical: true,
        description: 'Content with borderline scores must be routed to human review' },
      { id: 'appeal_mechanism', vertex: 'action', critical: false,
        description: 'User must be notified and provided an appeal mechanism' }
    ]
  },
  decision: {
    path: ['intake', 'classification', 'policy_check', 'action'],
    inputs: { content_hash: '0x...', confidence: 0.95, routed_to_human: false },
    outcome: 'action'
  },
  authority: { type: 'self_attested' }
});

Verification keys are embedded in attestations. The verifier is open source.