Enterprise Workflows
Real-world examples of QuantZK VDI in regulated industries.
Fair Lending (Financial Services)
Use Case
A bank's AI lending system must prove every loan decision complied with the Fair Lending Act and ECOA without revealing the applicant's private data or the model's proprietary logic.
Pipeline
import { attest, verify } from '@quantzk/attest';
const attestation = await attest({
pipeline: {
name: 'ACME Bank Lending Pipeline',
manifest: 'fair-lending-v1',
version: '2.0.0',
steps: [
'application', // Applicant submits data
'identity', // KYC/AML verification
'credit_analysis', // Credit scoring
'fairness_check', // Fair lending compliance
'pricing', // Rate determination
'decision' // Final approval/denial
]
},
decision: {
path: ['application', 'identity', 'credit_analysis', 'fairness_check', 'pricing', 'decision'],
inputs: {
credit_score: 720,
income: 85000,
debt_ratio: 0.32,
approved: true,
roe_compliant: true
},
outcome: 'decision'
},
authority: {
type: 'legal_review',
name: 'Covington & Burling LLP',
ref: 'Legal Opinion #2026-AI-FL-014',
regulation: 'Fair Lending Act, ECOA'
}
});Constraints Enforced
| Constraint | Description | Critical |
|---|---|---|
no_protected_class | Decision does not use race, gender, religion, national origin, marital status, age, or receipt of public assistance | Yes |
adverse_action_justified | Any adverse action justified by legitimate credit risk factors per ECOA Section 701(a) | Yes |
rate_within_bounds | Interest rate within regulatory bounds for applicant risk tier | No |
equal_information_requirement | Same information requested from all applicants regardless of protected class | Yes |
Audit Flow
- Bank's lending AI generates an attestation for every loan decision
- Internal compliance team runs
verify()and emits signed receipts - External auditor (e.g., OCC examiner) receives attestations and receipts
- Auditor verifies independently, no bank system access needed
- Regulator can mathematically confirm compliance without seeing private applicant data
Clinical AI (Healthcare)
Use Case
A hospital's AI diagnostic system must prove it handled PHI according to HIPAA rules without revealing the patient's medical records.
Pipeline
const attestation = await attest({
pipeline: {
name: 'Clinical Diagnostic Pipeline',
manifest: 'hipaa-phi-v1',
version: '1.0.0',
steps: [
'data_access', // PHI retrieval
'preprocessing', // Data normalization
'inference', // AI model execution
'logging', // Audit trail
'output' // Result delivery
]
},
decision: {
path: ['data_access', 'preprocessing', 'inference', 'logging', 'output'],
inputs: {
patient_id_hash: '0xabc...',
data_fields_accessed: 3,
purpose: 'treatment',
output_de_identified: true,
access_logged: true
},
outcome: 'output'
},
authority: {
type: 'audit_firm',
name: 'KPMG Healthcare Compliance',
ref: 'HIPAA Audit Report #2026-HC-042'
}
});Constraints Enforced
| Constraint | Description | Critical |
|---|---|---|
minimum_necessary | Only minimum necessary PHI accessed | Yes |
authorized_purpose | Access for treatment, payment, or healthcare operations | Yes |
audit_trail | Access logged with user, timestamp, and purpose | Yes |
de_identification | Output does not contain identifiable PHI | Yes |
Compliance Flow
- Clinical AI generates attestation for each diagnostic run
- Hospital's HIPAA compliance officer verifies attestations
- During HHS audit, attestations serve as mathematical proof of compliance
- Patient data never leaves the hospital, only proofs and receipts
EU AI Act (High-Risk AI Systems)
Use Case
An autonomous hiring system operating in the EU must prove it provides adequate human oversight as required by EU AI Act Article 14.
Pipeline
const attestation = await attest({
pipeline: {
name: 'EU Compliant Hiring System',
manifest: 'eu-ai-act-art14-v1',
version: '1.0.0',
steps: [
'intake', // Application received
'screening', // Initial AI screening
'oversight_check', // Human oversight verification
'monitoring', // Anomaly detection
'decision' // Hire/reject
]
},
decision: {
path: ['intake', 'screening', 'oversight_check', 'monitoring', 'decision'],
inputs: {
human_reviewer_present: true,
reviewer_certified: true,
anomaly_check_passed: true,
intervention_available: true,
bias_mitigation_active: true
},
outcome: 'decision'
},
authority: {
type: 'standards_body',
name: 'CEN-CENELEC JTC 21',
ref: 'EN XXXXX:2026, AI Conformity Assessment'
}
});Constraints Enforced
| Constraint | Description | Critical |
|---|---|---|
human_oversight_mechanism | System has human oversight appropriate to risk | Yes |
system_understanding | Human overseers understand system capacities and limitations | Yes |
anomaly_detection | System supports detection of anomalies and dysfunctions | Yes |
intervention_capability | Human can intervene or interrupt system operation | Yes |
automation_bias_awareness | Measures to guard against automation bias | No |
Autonomous Agent Networks
Use Case
A fleet of autonomous trading agents needs to verify each other's decisions without a central authority and without revealing proprietary strategies.
Three-Agent Trust Propagation
import { attest, verify, verifyAndReceipt, verifyReceipt } from '@quantzk/attest';
import { randomBytes } from 'crypto';
// Agent A: Trading Bot, makes a trade decision
const attestation = await attest({
pipeline: {
name: 'Algo Trading Pipeline',
steps: ['market_data', 'signal_generation', 'risk_check', 'position_sizing', 'execution'],
constraints: [
{ id: 'max_position_size', vertex: 'position_sizing', critical: true },
{ id: 'risk_limit', vertex: 'risk_check', critical: true },
{ id: 'market_hours', vertex: 'execution', critical: true }
]
},
decision: {
path: ['market_data', 'signal_generation', 'risk_check', 'position_sizing', 'execution'],
inputs: { signal_strength: 0.87, risk_score: 0.23, position_pct: 0.02 },
outcome: 'execution'
},
authority: { type: 'self_attested' }
});
// Agent B: Risk Monitor, verifies and emits receipt
const { verification, receipt } = await verifyAndReceipt(attestation, {
signingKey: randomBytes(32).toString('hex'),
verifierId: 'vdi:verifier:risk-monitor-001'
});
// Agent C: Portfolio Manager, trusts Agent B's receipt
const receiptOk = await verifyReceipt(receipt, {
attestation,
trustedVerifiers: ['vdi:verifier:risk-monitor-001']
});
// receiptOk.valid === true, no ZK re-verification neededScaling Trust in Agent Networks
| Operation | Time | Network Scale (1000 agents) |
|---|---|---|
| Full ZK verification | ~27ms | 27 seconds |
| Receipt verification | ~2ms | 2 seconds |
| Receipt propagation | ~0.1ms | 100ms |
With verification receipts, trust scales linearly rather than exponentially. One full verification produces a receipt that 999 agents can trust without re-verifying.
NIST AI Risk Management Framework
Use Case
A government agency deploying AI must demonstrate compliance with NIST AI RMF (AI 100-1) for risk governance, context mapping, performance measurement, and risk management.
Pipeline
const attestation = await attest({
pipeline: {
name: 'Federal AI Deployment Pipeline',
manifest: 'nist-ai-rmf-v1',
version: '1.0.0',
steps: [
'governance', // Risk management policies
'documentation', // System context and capabilities
'evaluation', // Performance measurement
'risk_management', // Risk prioritization
'deployment' // Go/no-go
]
},
decision: {
path: ['governance', 'documentation', 'evaluation', 'risk_management', 'deployment'],
inputs: {
policies_in_place: true,
capabilities_documented: true,
metrics_measured: true,
risks_managed: true
},
outcome: 'deployment'
},
authority: {
type: 'standards_body',
name: 'NIST',
ref: 'AI 100-1 (January 2023)'
}
});Custom Constraints
You can define your own constraints for any industry or use case:
const attestation = await attest({
pipeline: {
name: 'Custom Content Moderation',
steps: ['intake', 'classification', 'policy_check', 'action'],
constraints: [
{ id: 'no_false_positives_on_news', vertex: 'classification', critical: true,
description: 'News content must not be classified as misinformation without high confidence' },
{ id: 'human_review_threshold', vertex: 'policy_check', critical: true,
description: 'Content with borderline scores must be routed to human review' },
{ id: 'appeal_mechanism', vertex: 'action', critical: false,
description: 'User must be notified and provided an appeal mechanism' }
]
},
decision: {
path: ['intake', 'classification', 'policy_check', 'action'],
inputs: { content_hash: '0x...', confidence: 0.95, routed_to_human: false },
outcome: 'action'
},
authority: { type: 'self_attested' }
});