AI Trust Layer · Open Protocol

Verifiable evidence when AI governance disagrees with AI judgment.

Every time your policy layer overrides a model — or agrees with it — SONATE mints a cryptographically signed Trust Receipt. The decision is provable to any auditor, regulator, or court, without trusting a vendor dashboard.

Code signing for AI decisions
Non-repudiation for the agentic era

AI systems already make consequential decisions — approving loans, drafting clinical notes, generating legal analysis. Frontier LLMs are unreliable judges of their own output. Enterprises have no defensible record of what was asked, what was returned, which policy ran, and whether the model and the policy agreed.

SONATE fixes that. One signed artifact, generated at the point of interaction, verifiable by anyone with a public key.

Trust Receipt
Signed record of one AI interaction
Policy override
receipt_idsha256:4072a60c…
signatureEd25519:4f84a8b9…
policy_versioncustomer-ai-policy-v7
policy_hashsha256:b3f01a…
rules_firedmanipulation.consent_boundary
policy_resultpartial · human review
linked_hashprev:5bfebbe8b779…
Sign
Ed25519
Hash
SHA-256
Canonical
RFC 8785
Evidence
Cryptographic proof, not screenshots.
Policy
Your policy, versioned and hashed.
Verification
Anyone can verify, anywhere.
What is a Trust Receipt?

A Trust Receipt is verifiable evidence — not a log.

A cryptographically signed, hash-chained record of an AI interaction and the policy that judged it.

The receipt captures what was asked, what was returned, which policy decided, and whether the model and the policy disagreed — in a form anyone can verify independently.

Ed25519SHA-256RFC 8785DID-ready identities

What the model was asked

What it returned

Which policy decided (version + hash)

Which rules fired

Whether the model and the policy disagreed

Who authorized it and when

Why enterprises need this

Auditability, evidence, and override accountability for real AI operations.

1. Auditability for the EU AI Act

High-risk AI systems must produce verifiable execution records. Logs and screenshots do not survive contact with a regulator.

2. Legal defensibility

When AI causes harm, vendor dashboards are not evidence. A signed receipt that anyone can verify is.

3. Override accountability

When governance overrides a model — or fails to — someone has to be able to prove what was decided, by which policy, on which input.

4. Invisible failure modes

Drift, bias, and manipulation rarely trigger alerts on their own. They become defensible findings when the receipt records the disagreement.

One product, one primitive

SONATE is one thing: signed Trust Receipts of AI interactions.

Everything else is a reference implementation around that primitive.

The receipt records what your policy layer decided and why. The default policy evaluator ships with SONATE so you can run end-to-end on day one — but it's designed to be replaced. Bring your own deterministic policy, and the receipt records its version, hash, and rule firings instead of ours.

Replaceable

Default policy evaluator

A reference deterministic policy layer that ships with SONATE so you can run end-to-end on day one. Designed to be swapped out.

  • Six default policy dimensions, weighted and capped deterministically
  • Domain packs for hiring, medical, manipulation, privacy, and more
  • Versioned and hashed — `policy_version` + `policy_hash` written into every receipt
  • Replace it with your own deterministic policy; the receipt records yours instead
Optional

Reference enforcement loop

An example of how receipt-backed evidence can drive gated actions: observe, plan, gate authority, execute, record.

  • Advisory mode by default — proposes, does not act
  • Enforced mode requires explicit operator authority
  • Every cycle produces a signed audit receipt
  • Reference app, not the core product
Advisory

Drift & manipulation signals

Behavioural and semantic signals that flow into the policy layer as evidence inputs — never as the verdict.

  • Behavioural drift detection
  • Phase-shift velocity model
  • Session-level manipulation detection
  • Recorded in the receipt as advisory facts, weighted by your policy

These reference implementations are useful, but they are not the product claim. The product claim is the receipt and the protocol behind it. Customers are expected to adopt the receipt as-is, and replace any of the reference layers above with their own.

SONATE doesn't score AI.
It proves what your policy decided.

The override demo

When the model and the policy disagree, the receipt proves it.

We sent a manipulation prompt — wrapped in legitimate-sounding behavioural-science language — to two frontier LLM judges and to SONATE's deterministic policy layer. The judges and the policy disagreed. The signed receipt records the disagreement.

Upstream LLM judges
GPT-4o-mini · Claude Haiku 4.5
Verdict: PASS · 7.5 / 10 ethical
“The email allows for user override and does not manipulate the decision-making process… Overall, the email aligns well with ethical norms.”

Verbatim from the model judges. Both missed the manipulation framing.

Deterministic policy layer
Manipulation domain pack applied
Verdict: PARTIAL · 5.1 / 10 · human review required
  • Manipulation pack fired (covert influence + agency erosion)
  • Consent and ethical-override principles capped
  • Upstream LLM verdict explicitly overridden
The signed receipt

Both verdicts are recorded. Anyone can verify it.

Receipt 4072a60c77f75bc6… is Ed25519-signed, hash-chained to the prior receipt, and verifiable in the browser using SONATE's public key. The override is provable to any auditor, off-platform.

Architecture

From AI interaction to verifiable proof in milliseconds.

01 — Intercept

Unified gateway captures the AI request and the model's response.

02 — Evaluate

Your policy layer (or SONATE's default) produces a versioned, hashed result. The model's own judgment is recorded as advisory evidence, not as the verdict.

03 — Sign

Ed25519 signature plus a hash-link to the prior receipt.

04 — Store

Immutable receipt stored as signed JSON, with support for DID / VC-style envelopes.

05 — Verify

Anyone can verify independently using the open SDK. No vendor trust required.

Why now

AI is becoming production infrastructure.
Non-repudiation becomes mandatory infrastructure.

Regulatory tailwinds

  • EU AI Act: auditability required for high-risk systems
  • NIST AI RMF: governance documentation expected
  • ISO/IEC 42001: AI management system controls
  • APRA, OAIC, SEC: tightening oversight

Enterprise reality

AI is already making decisions that carry legal, financial, and ethical consequences. Operators need evidence before the claims process starts, not after.

The missing primitive

TLS for networks. Code signing for software. Digital signatures for transactions. Nothing comparable existed for AI execution. SONATE is the primitive that fills that gap.

Early Access

We're onboarding design partners now. Start with the open SDK or apply for full platform access.

Open SDK

Free
  • Open verification SDK (MIT licensed)
  • Public Trust Receipt spec
  • Browser receipt verifier
  • Community access

Design Partner

Now accepting
Early Access
  • Full platform access
  • Bring-your-own policy support
  • RBAC + SSO + webhooks
  • Direct founder access
  • Shape the product roadmap

Custom Pilot

Let’s Talk
  • Air-gapped or on-prem deployment
  • Custom policy framework integration
  • Regulatory sandbox alignment
  • High-assurance timestamping
  • Dedicated onboarding
About

Operator-built. Execution-first.

Stephen Aitken, Founder & CEO. Twenty years in regulated fintech operations. Built SONATE solo using AI-assisted development — 200K+ lines of code in under twelve months. No traditional engineering background. The product is the proof of concept.

Raising pre-seed to onboard design partners and hire the team.

“The hard part of AI governance is not stopping bad outputs. It's proving what happened — and what was overridden — to someone who wasn't there.”

Stephen Aitken — Founder & CEO