EVI v2 · Updated 2026-04-29

The open methodology behind every Trustmark.

EVI v2 is the open methodology Elephant Accountability uses to score B2B websites on agent-readiness. Six axes, 100 points, Bronze / Silver / Gold thresholds. Open-spec on GitHub under CC-BY-4.0.

Why this exists

The agent-protocol stack — A2A, MCP, ANP, OASF — gives agents a way to talk to each other. None of them score whether a business is reachable at the front door at all. EVI fills that gap. We publish the methodology open because trust auditors live or die on transparency: buyers and Trustmark recipients should see exactly what we score, how we weight it, and what triggers each tier. Opaque scoring makes us a vendor; published methodology makes us the auditor.

The six axes

Agents do four things in sequence — find a business, understand what it offers, act through its APIs, transact when commerce is involved — supported by trust and operational freshness. Six axes map onto that arc and sum to 100 points:

Axis	Weight	What it measures
A Discoverability primitives	24	Can an agent find the business?
B API surface	22	Can an agent act against published APIs?
C Commerce / transaction	18	Can an agent buy from you?
D Identity / trust	14	Can an agent verify what's published?
E Schema / semantic markup	14	Can an agent understand what's offered?
F Operational signals	8	Are the surfaces above kept current?
Plus a bonus pool of up to 5 points for forward-leaning signals (e.g. OASF skill-id taxonomy adoption). Bonus is additive on top of 100.

Surfaces scored

Twenty-seven detectable surfaces. Each row gives the canonical detection rule. Full per-rule detail lives in the open-spec repo.

Surface	Path / detection	Spec	Pts
Axis A — Discoverability primitives (24 pts)
A2A Agent Card	`/.well-known/agent-card.json` (legacy `/.well-known/agent.json`)	A2A	9
llms.txt	`/llms.txt`	llms.txt	6
robots.txt AI directives + Cloudflare Content-Signals	`/robots.txt`	Cloudflare	4
Sitemap freshness	`/sitemap.xml` + `<lastmod>` < 90d	sitemaps.org	3
Anthropic Agent Skills index	`/.well-known/agent-skills/index.json`	Skills	2
Axis B — API surface (22 pts)
OpenAPI / Swagger	`/openapi.json`, `/swagger.json`, `/v3/api-docs`	OpenAPI 3.1	8
MCP Server Card + registry	`/.well-known/mcp/server-card.json`	MCP	7
OAuth / OIDC metadata	`/.well-known/oauth-authorization-server`	RFC 8414	4
RFC 9727 api-catalog	`/.well-known/api-catalog`	RFC 9727	2
AsyncAPI / GraphQL / OData	Any one detected (bonus)	AsyncAPI	1
Axis C — Commerce / transaction (18 pts)
schema.org BuyAction + OfferCatalog + EntryPoint	JSON-LD parse with all three; `EntryPoint.urlTemplate`	schema.org	6
ACP conformance OR EUC manifest	Partner registry presence OR `/.well-known/euc.json`	ACP	5
schema.org Product + Offer + numeric price	JSON-LD `Offer` with `price` + `priceCurrency`	schema.org	4
x402 / pay-per-call signal	Paid endpoint returns 402 + `crawler-price` header	x402	2
AP2 mandate types referenced	Intent / Cart / Payment Mandate in MCP / A2A skills	AP2	1
Axis D — Identity / trust (14 pts)
W3C DID document	`/.well-known/did.json` (`did:web` / `did:wba`)	W3C DID	5
security.txt	`/.well-known/security.txt` with `Expires:` in future	RFC 9116	3
Web Bot Auth / Cloudflare Verified-Bot	`/.well-known/http-message-signatures-directory`	Web Bot Auth	3
Verifiable Credentials issuer	DID `service` array typed as VC issuer	W3C VC	2
ERC-8004 on-chain registration	Identity Registry query by domain	ERC-8004	1
Axis E — Schema / semantic markup (14 pts)
schema.org Organization	JSON-LD with `name` + `url` + `sameAs` ≥ 2	schema.org	4
Schema breadth	1 type → 1pt; 3 → 2; 5+ → 3; 8+ → 4	schema.org	4
schema.org Service / WebAPI	JSON-LD typed entries present	schema.org	3
Microformats / RDFa / hreflang / canonical	Cluster check	microformats	2
OpenGraph + Twitter Card	Both `og:title` and `twitter:card` present	OG	1
Axis F — Operational signals (8 pts)
RSS / Atom feed	Valid feed + `<updated>` < 60d	RFC 4287	2
Status page	`status.<domain>` OR `/api/v2/status.json`	—	2
Sitemap freshness cadence	Re-scored from `<lastmod>` velocity	—	2
apple-app-site-association + assetlinks.json	Both present (apps only)	Apple	1
humans.txt + PWA manifest + favicon	≥ 2 of 3	humans.txt	1

Trustmark thresholds

Tiers gate on score floors plus per-axis minimums plus required surfaces. Tiers are additive — Gold implies Silver implies Bronze. A failed gate returns the highest tier the site qualifies for plus the reasons a higher tier was not awarded — that list is the upgrade roadmap.

≥ 50

Bronze

Axis A ≥ 12 / 24
security.txt present

≥ 70

Silver

Axis A ≥ 16 / 24
Axis B ≥ 12 / 22
No AI-bot blanket-block
Schema.org Organization complete

≥ 85

Gold

Axis A ≥ 20 / 24
Axis B ≥ 16 / 22
Axis D ≥ 8 / 14
≥ 1 of: ACP, EUC, BuyAction + OfferCatalog

Auto-fail conditions

Two conditions block tier issuance regardless of score. The audit still produces a raw_score for diagnostic visibility; the published evi_score is zeroed.

1. robots.txt blanket-blocks all AI bots. A User-agent: * block with Disallow: / and no offsetting allow is treated as an explicit "agents not welcome" signal. Targeted blocking (e.g. Disallow: /private) is fine; blanket-blocking is not.

2. Cloaking detected. A homepage that serves materially different content to AI-bot User-Agents than to anonymous fetches (body-size delta > 50%) is auto-failed. Cloaking is the inverse of transparency.

What we don't score (and why)

A methodology is more credible for what it excludes than for what it includes. Surfaces evaluated and not scored in v2:

AITP — pre-v1.0; near-zero adoption outside NEAR.
OASF on-domain — lives in OCI registries / AGNTCY Directory, not at the brand domain. No .well-known/oasf.json convention exists.
WebMCP — W3C draft, Chrome 146 Canary in early 2026. Not yet stable cross-browser.
W3C Web of Things Thing Description — IoT-specific; not applicable to B2B SaaS.
WebFinger / host-meta — federation signals; irrelevant unless the site is identity- or social-platform-shaped.

Full exclusion list with rationale: see the spec repo.

Versioning

EVI is versioned. v1 is deprecated; v2 is current. Audits issued before 2026-04-29 used v1. Old scores remain valid as EVI-v1; new scores ship as EVI-v2. The audit engine carries both for one release before v1 is removed. Reports stay scored on the methodology version they were issued under — we do not retroactively rewrite scores.

ISO 42001 alignment

Disclaimer. This crosswalk does not claim ISO/IEC 42001 certification. ISO 42001 certification is issued only by accredited certification bodies. Trustmark is an independent agent-readiness audit and is not a substitute for formal ISO 42001 certification.

That said — the EVI surfaces produce artifacts that map onto specific ISO 42001 Annex A controls. Strongest mappings:

EVI surface / axis	ISO 42001 control	Strength
Axis A — Discoverability (full axis)	A.6.2 Transparency to interested parties	strong
robots.txt AI-bot directives	A.10 Third-party AI relationships	strong
Cloudflare Content-Signals	A.10 Third-party AI relationships	strong
Cloaking detection (auto-fail)	A.6.2 Transparency	strong
llms.txt + Agent Card	A.4.6 Documentation of the AI system	medium
Axis B — API surface	A.7 Resources for AI systems	medium
DID document	A.6.1 Roles and responsibilities	medium
security.txt	A.7.4 Accountability + A.9	medium

Read the full crosswalk → (14 mappings, sources, self-positioning paragraph)

Open methodology

The full spec lives at github.com/Chris-Eaccountability/Chris-Eaccountability-orchestrator-marketing under CC-BY-4.0. Use it, fork it, build a competing scorer, cite it in research. Attribution back to the methodology repo is required.

Surface proposals and weight revisions go through GitHub issues — see CONTRIBUTING.md. New surfaces ship as minor-version bumps; weight changes ship as major-version bumps.

For per-audit cohort details (e.g. the F100 baseline run) see our transparency page. For the production scorer that implements this methodology see the free scan.