Determinism & forensic traceability.
Reproducibility is the institutional property that makes governance possible. The forensic chain is how the property is preserved across years, audits, and operational changes.
01 Why determinism matters
Three institutional consumers are served directly by determinism, each for the same underlying reason: a non-deterministic decision cannot be reviewed; a deterministic one can.
- Auditors. A non-deterministic system cannot be audited in any meaningful sense — the auditor cannot reproduce the result. With determinism, the auditor receives the inputs and the policy version and re-derives the same output. Audit is a property of the architecture, not a process performed on top of it.
- Regulators. Regulatory frameworks for high-stakes AI (the EU AI Act being the most cited but not the only relevant frame) require explainability, traceability, and human oversight. Determinism subsumes traceability and reproducibility cleanly; explainability becomes "show the inputs, show the policy, derive the output."
- Insurers. Insurance pricing depends on reproducible loss estimation. A reproducible governance layer makes the loss model tractable. A probabilistic governance layer makes the loss model speculative. Determinism is what allows insurance to underwrite the layer.
02 The hash-chained audit trail
Each decision produces a record. Each record carries its inputs, the policy version, the output, and the provenance of all three. Each record is signed with an ECDSA P-256 key. Each record's header includes the hash of the previous record. Two architectural properties follow.
First, tampering is detectable in O(1) per record: an adversary that modifies any field of any record changes that record's content hash, which invalidates the next record's predecessor hash, which invalidates the chain from that point forward. The verifier walks the chain and finds the break.
Second, the chain is append-only. There is no operation that overwrites a prior record under any circumstance — including authorized correction. A correction is a new record that references the corrected prior record by hash, signed and timestamped, and the chain accumulates rather than replaces.
03 ECDSA P-256 signatures
Each record is signed with an ECDSA P-256 key bound to the issuing layer (the AGL, in production). P-256 is a well-understood, widely supported curve — it is the same primitive used by TLS, by the major government PKI systems, and by the audit-grade signature ecosystem. Choosing it is a deliberate institutional posture: novel cryptography in an audit context introduces review friction. P-256 introduces none.
04 Replay capability
Any prior decision can be reconstructed from the chain. The replay procedure is mechanical:
- Locate the record by its decision identifier in the chain.
- Verify the signature and the link to the predecessor record.
- Read the typed inputs and the named policy version.
- Apply the policy version to the typed inputs.
- Compare the recomputed output to the recorded output. They are equal — by construction.
The procedure is the same whether the decision is replayed by the operations team during incident response, by an auditor during a compliance review, or by a regulator during a formal inquiry. It is also the same whether the replay happens an hour after the decision or a decade.
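The hash chain from section 02 and the replay procedure above, as an added sketch in Python; it is not the platform's own code. The record layout, the policy functions and `trusted_head` (an out-of-band copy of the latest record hash) are assumptions, the sample records are constructed, and the ECDSA P-256 signature check is left out so the block needs only the standard library.

```python
import hashlib
import json

GENESIS = "0" * 64
# Hypothetical policy registry: each named version is a pure function of typed inputs.
POLICIES = {
    "policy-v1": lambda i: "allow" if i["risk_score"] < 50 else "deny",
    "policy-v2": lambda i: "allow" if i["risk_score"] < 30 else "deny",
}

def record_hash(rec):
    """SHA-256 over a canonical JSON encoding (sorted keys, fixed separators)."""
    blob = json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def append(chain, decision_id, policy, inputs, corrects=None):
    """Append-only write; a correction is a new record naming the old one by hash."""
    rec = {"prev": record_hash(chain[-1]) if chain else GENESIS,
           "decision_id": decision_id, "policy": policy, "inputs": inputs,
           "output": POLICIES[policy](inputs), "corrects": corrects}
    chain.append(rec)
    return rec

def first_break(chain, trusted_head):
    """Index where verification fails, or None. len(chain) means the head does
    not match the out-of-band anchor (newest record altered, or chain truncated)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev:
            return i
        prev = record_hash(rec)
    return None if prev == trusted_head else len(chain)

def replay(chain, decision_id, trusted_head):
    """Locate the record, verify the links, re-apply the named policy, compare."""
    if first_break(chain, trusted_head) is not None:
        raise ValueError("chain does not verify; replay refused")
    rec = next(r for r in chain if r["decision_id"] == decision_id)
    return POLICIES[rec["policy"]](rec["inputs"]) == rec["output"]

def build_sample_chain():
    """Constructed sample data: two decisions and one correction."""
    chain = []
    append(chain, "d-001", "policy-v1", {"risk_score": 20})
    old = append(chain, "d-002", "policy-v1", {"risk_score": 70})
    append(chain, "d-003", "policy-v2", {"risk_score": 40}, corrects=record_hash(old))
    return chain
```

Link checks alone cannot expose a change to the newest record, since no successor commits to it; the example covers that case by comparing against the anchored head hash.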
05 OpenTimestamps proof
The forensic chain is bound to wall-clock time using OpenTimestamps. The current sealed-core proof carries the public ID SOV-2026-02-26. OpenTimestamps anchors the proof in the Bitcoin blockchain — not for any cryptocurrency-related reason, but because the Bitcoin blockchain provides a public, durable, third-party-independent timeline that cannot be unilaterally rewritten by the platform's operators.
The OpenTimestamps proof asserts that the sealed core, as a content-addressed artifact, existed at or before the timestamped moment. It does not assert any property of the content; that is the job of the chain itself and of the institutional review processes that attach to the platform.
06 Probabilistic AI safety vs. deterministic governance
Probabilistic AI safety techniques — output filters, content moderation classifiers, alignment training — are valuable, but they share an architectural limitation: their guarantees are statistical. They are good for the median case; they are weak in the tail; and they cannot be relied upon to be reproducible from a regulator's review desk.
Deterministic governance is a different kind of guarantee. It does not say "this output is unlikely to be harmful." It says "given these inputs and this policy, this is the output, every time, and here is the chain that proves it." The two approaches compose: a probabilistic safety layer can be one of the inputs that the deterministic kernel evaluates. But they are not substitutes.
| Property | Probabilistic safety | Deterministic governance |
|---|---|---|
| Reproducibility | Statistical (varies by run) | Exact (same input → same output) |
| Auditability | By inspection, partial | By replay, complete |
| Tail behaviour | Unknown by construction | Specified by policy |
| Insurability | Hard — loss model speculative | Tractable — loss model derivable |
| Regulator review | Requires sampling and trust | Requires inputs, policy, replay |
| Composes with the other | Yes — as evidence | Yes — as the governing layer |