Roadmap

Built around a simple product truth: AI systems moving into regulated workflows need signed evidence, deterministic governance, and operational controls that can survive audit.

What We Are Building

A cryptographic audit and governance layer for AI systems: signed Trust Receipts, independent verification, deterministic policy decisions (yours or ours), and enterprise control-plane workflows.

What We Are Not Building

  • Not a foundation model company
  • Not another AI chat interface
  • Not a replacement for model providers
  • Not just an observability dashboard

Phase 1: Verifiable Trust Receipts

Cryptographic evidence for governed AI interactions, designed to verify independently of the platform operator.

Delivered (Complete)
Ed25519 Trust Receipt Signing
Receipts are signed with real cryptographic signatures, not just hashed and logged.
RFC 8785 Canonical JSON
Canonical receipt payloads ensure signing and verification operate over the same byte-level representation.
Hash-Chained Ledger Continuity
Each new receipt advances the chain so tampering becomes evident across receipt history.
Independent Verification Endpoints
Public key and proof endpoints allow third parties to verify receipts without authenticated backend access.
Canonical Receipt Minting Path
Receipt generation now flows through one canonical minting path instead of multiple drifting implementations.
Receipt Crypto Contract Tests
Architectural invariant tests enforce the signing and verification contract across the platform.
What This Enables
Portable, tamper-evident audit artifacts for regulated AI workflows.

Phase 2: Deterministic Policy Layer

A two-tier evaluation model where advisory LLM signals feed a deterministic policy layer that remains the final authority. The layer is replaceable by customer-authored policy.

Delivered (Complete)
Advisory Semantic Classification
Model-based classification detects domain, stakes, and risk signals and feeds them in as evidence — never as the verdict.
Deterministic Policy Evaluator
Domain packs, rule caps, thresholds, and decision composition remain deterministic and inspectable. Replaceable by customer policy.
Canonical Evaluation Path
Product trust evaluation is unified behind one policy path so callers cannot silently drift.
Structured Policy Trace Output
Receipts capture rationale, rule firings, signal gaps, and score composition in a reviewable trace.
Caller Contract Enforcement
Architecture tests ensure receipt-producing trust flows call the canonical evaluation path.
Review-Ready PASS / PARTIAL / FAIL Semantics
Governance outcomes are explicit, signed, and visible in both product UI and exported artifacts.
What This Enables
Auditable, reproducible policy outcomes instead of black-box LLM scoring — and a clear path for bring-your-own policy.

Phase 3: Enterprise Hardening

Enterprise deployment controls around signing, content handling, auditability, and receipt lifecycle management.

Delivered (Complete)
Signer Abstraction
Receipt signing can use local keys or delegated external signer infrastructure.
External Signer Timeout & Startup Verification
Delegated signing fails fast on timeout and verifies signer metadata on startup to catch configuration drift.
Hash-Only Receipt Mode
Receipts can sign prompt and response hashes instead of embedding raw content directly.
Detached Content Archive
Prompt and response content can be archived separately with tenant-scoped retrieval controls.
Receipt Provenance Metadata
Receipts record signer source, timestamp source, content mode, and related provenance details.
Anchor Lifecycle Tracking
Queue, submit, refresh, and confirmation state are tracked for anchored receipt workflows.
Receipt Access Audit Logging
Content reads and anchor operations are explicitly logged for enterprise audit review.
What This Enables
Production readiness for security-sensitive and regulated customer environments.

Phase 4: Reference Enforcement Loop

A constraint-aware reference enforcement loop that coordinates sensing, analysis, action planning, and intervention. Reference app — replaceable with customer workflow.

Delivered (Complete)
Advisory & Explicit-Authority Modes
The loop can recommend actions or execute constrained actions only when explicit authority has been granted.
Tenant-Safe Cycle Locking
One enforcement-loop cycle runs per tenant at a time, closing multi-tenant race conditions.
Constraint-Aware Action Execution
Actions are checked against safety constraints before they are executed or persisted.
Suppression of Refused / Reverted Actions
The planner no longer re-proposes recently blocked or reverted actions in repeated loops.
Configurable Cadence & Mode
Scheduler cadence, cooldowns, and execution mode are externalized to deployment configuration.
Operator Review & Override Workflows
Governed actions remain visible, reviewable, and auditable with explicit human override pathways.
What This Enables
Tenant-safe operational example beyond single-turn scoring and receipt issuance.

Phase 5: Federation & Advanced Controls

The next expansion is about broader deployment control, shared verification, and policy portability across organizations.

Planned
Customer-Managed Signing Defaults
Make delegated signing through signer-service, KMS, or HSM-backed infrastructure the standard production posture.
Retention & Export Governance Policies
Policy-driven retention, archival, and export controls for enterprise data governance programs.
Cross-Organization Verification
Support shared verification workflows between organizations without requiring a shared operator backend.
Governance Simulation Sandbox
Replay historical governed sessions under new policy configurations before rollout.
Adaptive Remediation Suggestions
Suggest bounded remediation actions from receipt evidence while preserving explicit operator authority for execution.
Portable Policy Templates
Reusable governance packs and deployment patterns for sector-specific requirements.
Expanded Anchoring & Federation Options
Broader external anchoring and evidence portability for customers that need stronger external attestations.
What This Enables
Cross-organization verification, stronger deployment defaults, and governance operations at larger scale.

Experimental Research, Separated Clearly

We separate production-critical controls from exploratory research. That distinction is deliberate. Signed receipts, verification, runtime evidence, and the deterministic policy layer are product-critical. Emergence-style heuristics remain experimental.

Bedau Index and related emergence-style metrics remain exploratory research signals.
Phase-Shift Velocity is treated as a heuristic research artifact, not a calibrated production safety control.
Experimental signals are intentionally separated from the platform's canonical deterministic policy path.
Adaptive remediation is planned as suggestion and gating infrastructure, not autonomous execution without authority.

About This Roadmap

Delivered phases represent capabilities implemented in the current platform and supporting infrastructure. Planned phases are the next hardening and expansion steps, focused on customer-managed signing defaults, stronger policy portability, and cross-organization verification.

Current Platform Footprint

The platform already includes signed Trust Receipts, independent verification, deterministic policy decisions (with bring-your-own policy supported), and a reference enforcement loop. The next phase is about deployment defaults, federation, and policy portability.