SERTIR .ai
EXECUTION SOVEREIGNTY · PATENT PENDING

The model dies
with the chip.

Sertir binds any AI — today's models, autonomous agents, and the AGI systems on the horizon — to the silicon you already own, and watches the binding continuously. Drift in the chip-AI relationship — from ageing, firmware change, agent boundary slippage, or active tamper — is detected, classified, and acted on in real time.

Cloud, edge, or device. NVIDIA across every generation, Google TPU, Azure Maia, Apple M-series, AMD, ARM, Intel. No special SKU, no vendor cooperation, no cloud lock-in.

All silicon NVIDIA · Google · Azure · Apple · AMD · ARM · Intel
Continuous drift analysis · alerts · automatic policy enforcement
Zero·vendor No PKI, no manufacturer keys, no cloud lock-in
DRIFT MONITOR · LIVE
SERTIR DRIFT v0.4
BOUND CHIP nvidia.h100.C1D5
MODEL llm.frontier-7b
UPTIME 14d 06:42:18
DRIFT SCORE ▸ NORMAL
0.018 σ from baseline
CRITICAL ELEVATED NORMAL
RECENT EVENTS
01 / THESIS

Verifiable AI today proves the box was sealed.
It does not prove it was your box.

Modern verifiable AI rests on chip vendor attestation — NVIDIA Confidential Computing, Intel TDX, AMD SEV-SNP, and their equivalents. These are excellent foundations, and Sertir builds alongside them, not against them. The hard part is what comes next: every trust chain that ends at a vendor's signing key inherits that vendor's lifecycle, jurisdiction, and product roadmap.

For most customers, that is a reasonable arrangement. For some — sovereign defence programmes, frontier labs, regulated medical devices, model risk in financial services, telecom critical infrastructure — the obligations are stricter. A regulator's audit, a sovereignty mandate, a fiduciary responsibility: these duties cannot be delegated to a third party, however reputable.

Sertir gives those customers a second, independent layer of proof — rooted in physical silicon they already operate. It works in your cloud tenancy, on your edge device, on your laptop, or across all three at once. Vendor attestation continues to do its job. Sertir adds the layer that the customer's obligations require.

02 / THREATS WE SOLVE
i.

Model Exfiltration

A frontier model trained at hundreds of millions of dollars walks out as a 400 GB file. Once copied, it runs anywhere. The theft is silent and the loss is total.

Sertir-bound weights run only on enrolled silicon. A copy is dead weight on any other chip.
ii.

Shadow Inference

AI running on infrastructure no one authorised — a contractor's GPU, an unattested cloud node, a development laptop, an agent spinning up rented compute on its own. Compliance officers cannot prove a negative.

Every inference produces a hardware-rooted attestation tied to a specific physical machine — held by the operator, verifiable independently.
iii.

Non-Delegable Trust

Some duties — sovereignty mandates, fiduciary responsibilities, regulator audits, recall-liability defence — cannot be satisfied by a third party's certificate, however well-issued. The customer must hold the proof themselves.

Sertir issues a hardware-rooted identity the customer controls end-to-end — independent of any vendor lifecycle.
iv.

Silent Drift

A bound AI looks healthy — until the silicon ages, the firmware is patched, an autonomous agent slips its operational boundaries, or an attacker tampers below the OS. Static attestation captures none of it.

Sertir Drift continuously analyses how the binding evolves. Severity-tiered alerts and policy-based blocks engage automatically; heartbeat locks halt operation when authorisation lapses.
03 / HOW IT WORKS

The Sertir protocol.
Four steps. Any silicon. Continuous.

  1. SERTIR
    PROBE
    The Sertir Probe runs locally on the host chip — NVIDIA (every generation, including H100 and standalone), Google TPU, Microsoft Azure Maia, Apple M-series, AMD, ARM, or Intel. Using a proprietary, patent-pending sequence, it elicits a characteristic trace of the chip's physical manufacturing variance — a signal the manufacturer never put there and cannot reproduce. The Sertir Core receives the trace and stores a chip-bound fingerprint.
  2. SERTIR
    BIND
    Model weights are sealed against the chip's fingerprint by the Sertir Bind operation. Loading the weights triggers a fresh Sertir Probe. If the probe trace fails to match the enrolled fingerprint within statistical bounds, the model refuses to load.
  3. SERTIR
    ATTEST
    Each inference emits a Sertir Attestation containing the live probe trace, the model identifier, and a signed hash of the inputs and outputs. Any third party — auditor, regulator, customer — can verify it independently, against the customer's own enrolment record.
  4. SERTIR
    DRIFT
    From enrolment forward, Sertir continuously analyses how the chip-AI binding evolves over time. Drift signatures classify normal hardware ageing apart from firmware modification, workload anomaly, or active tamper. Severity-tiered alerts and policy-based blocks engage automatically; cryptographic heartbeat locks halt operation when authorisation lapses. Patent-pending drift analysis · Provisional 4
σ PROBE FINGERPRINT SILICON ATTESTATION
04 / TWO LAYERS · COMPLEMENTARY

Two layers of trust.
The vendor's. And the one only you can hold.

Vendor attestation answers the question was the code sealed in a TEE. Sertir answers the question is this AI bound to the silicon I authorised. They are complementary. Most customers benefit from both.

SERTIR LAYER
VENDOR ATTESTATION LAYER
Question answered
Is this AI bound to my silicon?
Was the code sealed in a TEE?
Identity rooted in
Physical silicon, customer-held
Manufacturer PKI, vendor-held
Hardware footprint
Any architecture, any generation
Confidential-compute SKUs
Deployment shape
Cloud, edge, device, or hybrid
Cloud or on-prem TEE host
Survives weight exfiltration
Yes — copy is inert off-chip
No — weights run on any attested host
Independent of vendor lifecycle
Yes
No — tied to vendor PKI
Best suited for
Non-delegable obligations
General-purpose confidential compute

Sertir is the σ-bound trust layer
between any AI and the silicon that runs it.

SERTIR · EXECUTION SOVEREIGNTY
05 / WHO BUYS THIS

Built for the buyers whose obligations
cannot be delegated.

DEFENCE & SOVEREIGN AI

Air-gapped models that cannot be exfiltrated.

Stolen weights run as dead silicon on any chip outside the enrolled fleet. National AI programmes that need a layer of trust they hold themselves — independent of any third party — gain a sovereignty primitive that lives entirely on their own hardware, whatever architecture that hardware happens to be.

MoD · national AI programs · classified inference
FRONTIER LABS

Model IP that is physically married to your fleet.

A nine-figure training run produces a file that, today, is one exfiltration event away from a competitor. Sertir makes the weights worthless on any silicon you did not enrol — including the silicon your former employees take with them when they leave.

frontier labs · proprietary fine-tunes · model-as-IP
MEDICAL · FDA 524B

Hardware-rooted identity for AI/ML medical devices.

The 524B framework requires demonstrable lineage and version control of any AI/ML component reaching a clinician. Sertir provides cryptographic, hardware-rooted proof that the deployed model is the cleared model, on the cleared device, in the cleared site — across whatever heterogeneous silicon the hospital fleet runs.

SaMD · radiology AI · surgical robotics · hospital deployments
FINANCE · MODEL RISK

Model-chip provenance for trading and risk systems.

SR 11-7 and the EU AI Act demand documented model lineage and execution control. Sertir produces tamper-evident proof — for an internal auditor, the OCC, or the ECB — that an inference came from the validated model on the validated host, not a shadow copy on an unmanaged GPU.

quant trading · credit models · regulatory model inventory
TELECOM · EDGE AI

AI bound to the carrier silicon it runs on.

5G core networks, RAN intelligence, and edge inference at the cell site increasingly rely on AI that must be auditable to regulators and traceable across vendor handoffs. Sertir attests that the AI running on a base station, MEC node, or core function is the version certified by the operator — not a sideloaded copy on grey-market hardware.

5G core · RAN intelligence · MEC nodes · network sovereignty
06 / TECHNOLOGY
All silicon
Validated across NVIDIA (every generation, including H100 and standalone deployments), Google TPU, Microsoft Azure Maia, Apple M-series, with AMD, ARM, and Intel architectures supported.
Trillion·σ
Inter-chip separation between same-SKU units. Dead-easy classification, no gray zone.
4 USPTO filings
Provisional patents covering probe, bind, attestation, drift analysis, agent identity, and cluster silicon discovery. UPC filings in preparation.
130+ patents
Founder portfolio across two prior CTO exits to Fortune 500 acquirers. Domain experience across defence, telecommunications, healthcare, and retail.
07 / ROADMAP

Where Sertir is going.
What ships when.

Honest separation between what is operational today, what is in active engineering against alpha-customer milestones, and the vision the underlying patents support. Investors and partners deserve the long view; customers deserve to know what they can deploy now.

SHIPPING NOW
  • Sertir Probe validated across NVIDIA, Google TPU, Azure Maia, Apple M-series, AMD, ARM, and Intel.
  • Sertir Bind for AI model weights — chip-bound load enforcement.
  • Sertir Attestation per inference, with auditor-readable logs.
  • Sertir Drift — continuous binding analysis with severity classification, configurable alerts, and heartbeat-bound operational lock.
  • Cross-architecture integration for cloud, edge, and device deployments.
IN ENGINEERING · 2026
  • Predictive Drift Modelling — proprietary AI model trained on cross-customer drift signatures, anticipating binding degradation before alerts trigger.
  • Per-tool-call attestation for autonomous agents, with policy-bound revocation by chip-ID at single-device granularity.
  • Fleet-scale Sertir Core — enrolment, rotation, and revocation for thousands of bound chips.
  • Native integrations for major LLM serving frameworks and agent runtimes.
VISION · WHAT THE IP SUPPORTS
  • Cluster Silicon Identity — multi-chip cluster fingerprinting via DBSCAN, for hyperscale training and inference fleets.
  • Hardware-level operational lock for environments where software heartbeat is insufficient.
  • AGI binding primitives — extending the silicon-bound trust layer to systems whose autonomy and tool access exceed today's agents.
  • Chipmaker partnerships for embedded probe primitives at fabrication time.
PATENT FOUNDATION

Four USPTO provisionals filed, 2026. Coverage spans probe, bind, attestation, drift analysis, agent identity architecture, and cluster silicon discovery. UPC filings in preparation.

08 / PRIVATE ALPHA

Access is by invitation.
Defence, regulated industries, and frontier labs are prioritised.

Responses within five working days. Sertir does not host customer inference.

Request received.

Your message has been delivered to contact@sertir.ai. We will reach out from a sertir.ai address within five working days. If your matter is time-sensitive, mark the subject line accordingly.