Frequently Asked Questions

Common questions about IOA Core, its governance framework, and its compliance features.

General

What is IOA Core?

IOA Core is an open-source governance kernel for AI that enforces seven immutable System Laws at runtime and produces signed, auditor-ready evidence. It provides the foundational infrastructure for responsible AI deployment.

When will IOA Core be available?

IOA Core v2.5.0 is available now as open source. The website v1 launches on October 5, 2025, with evidence bundles publishing October 3-8, 2025.

What's the difference between IOA Cloud and IOA Core?

IOA Core is the open-source governance kernel (v2.x). IOA Cloud is the managed SaaS offering with hosted enforcement, evidence storage, and compliance cartridges. Learn more about IOA Cloud →

What are QIX Frameworks?

QIX (Quorum Integrity eXchange) frameworks are sector-specific governance packs for healthcare, pharma, legal, finance, and 30+ other industries. 3 are production-ready today. Explore all 35 frameworks →

System Laws & Scoring

What are the Seven System Laws?

The Seven System Laws are IOA's universal governance dimensions: Compliance Supremacy, Security & Safety, Privacy & Data Minimization, Fairness & Non-Discrimination, Reliability & Resilience, Auditability & Traceability, and Sustainability. They guide policy design and runtime enforcement across all workflows. See System Laws.

How are Law sub-scores calculated?

Sub-scores are computed from weighted runtime signals (policy pass rates, redaction efficacy, fairness checks, reliability health, audit completeness, sustainability metrics) and validated via 1M simulations. The overall score is a weighted aggregation. Evidence is signed and published in /evidence/latest/. See Methodology.

Do compliance cartridges replace the Laws?

No. Cartridges map specific regulations (e.g., GDPR, HIPAA, SOC 2) to runtime controls under Law 1 (Compliance Supremacy). All other Laws remain active and contribute to posture. See Compliance.

Where can I download evidence?

Download individual bundles or the complete package from /evidence/latest/ (e.g., evidence-ioa-complete.tar.gz). Each bundle includes checksums and signatures (cosign).

Compliance & Cartridges

Which compliance frameworks are supported?

Ready Now: EU AI Act and GDPR. Roadmap Q4 2025: HIPAA, SOC 2, ISO 27001, and ISO/IEC 42001. All statuses are linked to STATUS_REPORTs for verification.

How do cartridges work?

Cartridges run on the unified Cartridge Framework V1 with Mapping Manifests that map regulatory clauses to System Laws to implementation hooks to evidence. Each cartridge can run in Shadow (observe), Graduated (warn), or Strict (enforce) modes.

Can IOA replace Vanta or Drata?

IOA can coexist with Vanta/Drata today and consolidate as auditors accept runtime evidence. We provide adapter notes for integration with existing GRC tools.

Technical

How does the Assurance Score work?

The Assurance Score evaluates six dimensions (Transparency, Security, Compliance, Reliability, Ethics, Sustainability) with weighted scoring. It's calculated in real time and published with signed evidence bundles.

What evidence does IOA produce?

IOA produces signed evidence bundles in JSON, HTML, and signature formats. Each bundle includes audit trails, compliance checks, and governance decisions with cryptographic verification via Sigstore.

Can IOA integrate with my existing CI/CD pipeline?

Yes. IOA provides GitHub Actions, GitLab CI templates, and generic webhooks. Run governance checks in CI before deployment. Integration guides →

What LLM providers does IOA support?

All of them. IOA is provider-agnostic (BYO-LLM): OpenAI, Anthropic, Google, Azure, AWS Bedrock, Cohere, or self-hosted. You control keys and routing. Consensus Pack docs →

Quorum & Consensus

Does Quorum introduce delay?

Only in Consensus mode, typically 2-5 seconds for 3-model evaluation. Models run in parallel, so latency equals the slowest model, not the sum of all models. Enterprises can configure quorum depth (1-5 models) and latency budgets (default: 10s timeout). Most deployments enable Quorum only for high-risk operations (PHI access, financial disclosure, legal citations). Learn more →

Who audits the models?

Each model's behavior is continuously assessed using Aletheia-aligned ethics scoring. IOA tracks bias metrics (demographic parity, equal opportunity), consistency (same prompt → same vote), and integrity (no hallucinations or policy violations). Models with declining performance are automatically downweighted or removed from quorum pools. Learn about Aletheia alignment →

How costly is Quorum?

About 3× the cost of a single LLM call for the same token count (e.g., $0.06 vs $0.02 for 1k tokens with GPT-4). Most enterprises enable Quorum only for high-risk operations (PHI, financial disclosure, legal citations), production deployments (disable in dev/staging), or specific user roles (admins, auditors, compliance officers). IOA's Consensus Pack add-on ($299/mo for 10k consensus requests) provides predictable pricing. View pricing →

What if models disagree?

IOA applies configurable consensus logic: Majority (2/3 or 3/5 votes determine result), Unanimous (all models must agree), Weighted (higher weight for internal policy engines or domain models), and Tie-breaking (DENY always wins ties as fail-safe). Disagreements are logged as high-priority evidence for human review. Learn more →
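
The consensus modes described above, sketched as an added Python example (not IOA's own code). The function name `resolve_quorum`, the `ALLOW` label, and treating an empty or non-unanimous vote as `DENY` are assumptions for illustration; the page itself specifies only that DENY wins ties and that disagreements are flagged for human review.

```python
from collections import defaultdict

ALLOW, DENY = "ALLOW", "DENY"  # "ALLOW" is an assumed label; the page names only DENY


def resolve_quorum(votes, mode="majority", weights=None):
    """Resolve per-model votes into one decision.

    votes:   {model_name: "ALLOW" | "DENY"}
    mode:    "majority", "unanimous", or "weighted"
    weights: {model_name: float}, used only in weighted mode (default 1.0)
    Returns (decision, needs_review); needs_review is True on any disagreement.
    """
    if mode not in ("majority", "unanimous", "weighted"):
        raise ValueError(f"unknown consensus mode: {mode!r}")
    bad = {m: v for m, v in votes.items() if v not in (ALLOW, DENY)}
    if bad:
        raise ValueError(f"invalid votes: {bad}")
    if not votes:
        return DENY, True  # assumption: no votes at all fails closed

    needs_review = len(set(votes.values())) > 1

    if mode == "unanimous":
        # Assumption: anything short of unanimous ALLOW is treated as DENY.
        decision = ALLOW if not needs_review and ALLOW in votes.values() else DENY
        return decision, needs_review

    tally = defaultdict(float)
    for model, vote in votes.items():
        weight = (weights or {}).get(model, 1.0) if mode == "weighted" else 1.0
        tally[vote] += weight
    # Strict inequality: an exact tie falls through to DENY (fail-safe).
    decision = ALLOW if tally[ALLOW] > tally[DENY] else DENY
    return decision, needs_review


# Constructed sample votes (not real IOA evidence).
SAMPLE = {"model_a": ALLOW, "model_b": ALLOW, "policy_engine": DENY}
if __name__ == "__main__":
    print(resolve_quorum(SAMPLE))
    print(resolve_quorum(SAMPLE, "unanimous"))
    print(resolve_quorum(SAMPLE, "weighted", {"policy_engine": 2.0}))
```

With the sample votes, plain majority allows the request, while giving the policy engine a weight of 2.0 produces an exact 2.0 to 2.0 tie, which resolves to DENY.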

Can I see examples of Quorum evidence?

Yes! We provide sample evidence bundles for HIPAA PHI redaction, financial audit anomalies, and legal citation validation. Each bundle shows the complete quorum vote (all models, reasoning, timing) with cryptographic signatures. View evidence samples → | Technical documentation →

Enterprise

What enterprise features are available?

Enterprise features include advanced cartridges, priority support, custom integrations, and early access to new features. Contact us for specific enterprise requirements and pricing.

How do I become a design partner?

Design partners are typically finance or healthcare organizations with active compliance programs. The program involves 6-9 month engagements with co-development of cartridges and case studies. Apply through our contact form.

What is the regulatory sandbox program?

Regulatory sandboxes are controlled environments where innovative financial services can be tested under regulatory supervision. We are preparing applications for multiple regulatory sandboxes in 2025, which will include comprehensive regulator packs with evidence bundles and rollback plans.