Integrity Deviation Logging

by Nick Clark | Published March 27, 2026

The cognition patent specifies a deviation-logging mechanism that records every departure from the integrity envelope as a tamper-evident entry containing the full deviation context — agent state, inputs, model identity and version, capability tier, envelope at evaluation time, and the action taken — and that cross-references the entry to the lineage of provenance from which the deviation arose. The log is implemented as an indexed view of agent lineage rather than as a side-channel record, so that each deviation entry inherits the cryptographic continuity of the lineage and cannot be altered without invalidating the lineage chain. The mechanism makes deviation a first-class structural object suitable for forensic reconstruction, governance review, and downstream corrective action.


Mechanism

A deviation occurs when an agent's contemplated or executed action falls outside the integrity envelope in force at evaluation time. The envelope is the credentialed scope of permissible behavior, computed from declared policy and contributing fields; an action outside that scope is a deviation regardless of whether the agent ultimately took the action, abstained from it, or substituted a fallback. The mechanism specifies that every such event is captured into a deviation log entry with sufficient fidelity to reconstruct the full context after the fact.

Each entry records the agent's state at evaluation — the values of the canonical fields, the active policy reference, the active capability tier, and the lineage cursor — along with the inputs that were under evaluation, the model identity and version that produced the contemplated action, the envelope width and contributing-field scores, the deviation magnitude relative to the envelope boundary, the disposition (executed, blocked, substituted, escalated), and the credentialed authority under which the disposition was applied. The entry also records the cross-reference to the provenance lineage of the inputs, so that an auditor following the cross-reference can reach the upstream sources that fed the deviation.

The log is tamper-evident by construction. Entries are not stored as a separate journal subject to independent alteration; they are an indexed view over the agent's lineage, which is itself a content-addressed hash-chained structure. Inserting, removing, or modifying a deviation entry would require altering the lineage, which would break the hash chain and be detected on any subsequent verification. The index is rebuildable from the lineage, so loss of the index does not compromise the underlying record.

Operating Parameters

Deviation magnitude is parameterized. The mechanism distinguishes minor envelope excursions — actions just outside a soft tolerance — from substantive deviations and from envelope violations that breach hard policy gates. Each magnitude class carries its own retention duration, redaction policy, and notification scope. Minor excursions may be retained for a shorter window; substantive deviations are retained for the lifetime of the agent's lineage; hard violations trigger immediate notification to credentialed governance subscribers.

Context fidelity is parameterized. The policy reference defines which canonical fields are recorded in full, which are recorded as content hashes for later credentialed disclosure, and which are recorded only as field presence indicators. This permits high-fidelity logging in regulated domains while supporting privacy-preserving logging in consumer domains, without changing the structural commitment that the deviation itself is recorded.

Capability-tier coupling is parameterized. Deviation entries are tagged with the capability tier in force, and downstream analytics may filter or weight deviations by tier. A deviation by a tier authorized to act broadly is recorded but may not warrant escalation; an identical deviation by a tier authorized only narrowly is escalated as a structural breach. The log's structure preserves the information necessary to apply tier-specific policy at review time.

Cross-reference fidelity is parameterized. At minimum, each entry references the immediate input lineage cursor; richer policies require references that resolve transitively to original credentialed sources, including upstream agents, sensors, or human approvers. The fidelity level in force is recorded with the entry so that an auditor can determine how far the provenance chain may be followed for that specific deviation.

Alternative Embodiments

Storage embodiments vary. A local embodiment keeps lineage and the deviation index on the agent's substrate; a federated embodiment replicates lineage across credentialed peers and reconstructs the deviation index at any peer; a notarized embodiment anchors lineage roots to an external timestamping authority so that the deviation log inherits external time evidence; a sealed-custody embodiment retains raw context fields under credentialed escrow and exposes only the structural deviation entry to routine review.

Indexing embodiments vary. A simple embodiment provides chronological indexing only; a richer embodiment provides indexing by deviation magnitude, by capability tier, by model version, by contributing-field score, and by upstream provenance source, supporting forensic queries such as 'show all substantive deviations attributable to upstream source X under model version Y'. The underlying lineage is unchanged across indexing embodiments; only the query surface differs.

Notification embodiments vary. A pull embodiment exposes the deviation index to credentialed reviewers who poll on their own cadence; a push embodiment streams new entries to credentialed subscribers filtered by magnitude and tier; a regulator-facing embodiment emits structured reports on a credentialed schedule. The choice of notification surface does not alter the structural commitment that every deviation is logged; it alters only how and when reviewers learn of logged deviations.

Composition With Envelope Computation and Corrective Action

The deviation log composes with the envelope-computation mechanism that defines what counts as a deviation. Changes to declared policy, contributing-field weighting, or capability-tier definitions change the envelope and therefore change which future actions register as deviations; the log records the policy reference active at each entry so that an envelope change does not retroactively reclassify historical entries. A deviation logged under one policy regime remains a deviation against that regime even after policy is amended.

The deviation log also composes with corrective-action mechanisms. A credentialed governance subscriber observing a pattern of substantive deviations may issue a policy amendment, a model rollback, a tier demotion, or a credential revocation; each corrective action is itself recorded in lineage with a cross-reference to the deviation entries that motivated it. The chain — deviation entry, governance review, corrective action, post-correction observation — is structurally complete and auditable end to end.

The log composes with provenance attribution. Because each entry cross-references upstream provenance, repeated deviations attributable to a common upstream source can be detected and the source's credential weight adjusted; conversely, a source that consistently contributes to in-envelope action accrues credential weight. The deviation log thus participates in the broader credentialing economy that governs which inputs the agent admits.

Prior-Art Distinction

Conventional audit logging in software systems records events into journals that are external to the producing system and that depend on the integrity of the journal substrate. Tamper resistance is typically asserted through access control, write-once media, or external SIEM ingestion, none of which binds the audit record to the producing computation through cryptographic continuity. Conventional model-monitoring systems record drift and out-of-distribution events but do so as statistical summaries rather than as fully reconstructable per-event entries with policy, tier, and provenance context.

The disclosed mechanism differs structurally. Deviation logging is implemented as an indexed view over the agent's content-addressed hash-chained lineage; tamper resistance is intrinsic rather than asserted; each entry contains the full structural context required to reconstruct the deviation; cross-references resolve to the upstream provenance through the same lineage substrate; and capability-tier coupling, magnitude classification, and policy versioning are first-class entry fields rather than after-the-fact annotations. The log is not a record of what an external observer noticed; it is a record of what the agent itself structurally committed to having evaluated.

Failure Modes and Their Structural Treatment

Several failure modes are addressed structurally. Log suppression, in which an adversary attempts to omit an inconvenient deviation from the record, is prevented by implementing the log as an indexed view rather than as a writable journal: the underlying lineage records every evaluated action, and a deviation entry that does not appear in the index when the lineage indicates a deviation occurred is itself a detectable anomaly. Index reconstruction is deterministic, so an adversary cannot suppress a deviation by corrupting the index alone; reconstruction surfaces the omitted entry.

Backdating and forward-dating are prevented by the cryptographic continuity of the lineage: each entry's position in the chain is fixed by its content hash and by the surrounding entries' hashes, and an attempt to insert a later-fabricated entry at an earlier position would require recomputing the chain forward, which is detected by any verifier holding a previously witnessed lineage root. Notarized embodiments anchor lineage roots to external timestamping authorities, so even a verifier holding no prior root can establish a temporal lower bound on the entry's existence.
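The tamper-evidence, index-rebuild and witnessed-root checks described under Mechanism and in the two paragraphs above can be sketched as follows. This is an added example, not code from the patent or its author; the record fields, the `magnitude > 0` deviation test and the all-zero genesis value are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first entry

def entry_hash(prev_hash, record):
    # Canonical JSON so identical records always produce identical hashes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(lineage, record):
    prev = lineage[-1]["hash"] if lineage else GENESIS
    lineage.append({"prev": prev, "record": record, "hash": entry_hash(prev, record)})

def verify(lineage, witnessed=None):
    """Recompute every link; optionally check a (length, root) pair witnessed earlier."""
    prev = GENESIS
    for entry in lineage:
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return False  # in-place edit, insertion or removal
        prev = entry["hash"]
    if witnessed is not None:
        length, root = witnessed
        # A chain recomputed forward is self-consistent but no longer matches the old root.
        return 1 <= length <= len(lineage) and lineage[length - 1]["hash"] == root
    return True

def build_index(lineage):
    """Deviation index as a deterministic view: cursors of records outside the envelope."""
    return [i for i, entry in enumerate(lineage) if entry["record"]["magnitude"] > 0]

def suppressed(lineage, stored_index):
    """Deviations present in the lineage but missing from a stored index."""
    return sorted(set(build_index(lineage)) - set(stored_index))

def demo_lineage():
    # Constructed sample: every evaluated action is recorded, in-envelope or not.
    lineage = []
    for magnitude, disposition in [(0.0, "executed"), (0.4, "blocked"),
                                   (0.0, "executed"), (1.2, "escalated")]:
        append(lineage, {"policy_ref": "policy-v1", "tier": "narrow",
                         "model": "model-x@1", "magnitude": magnitude,
                         "disposition": disposition})
    return lineage

if __name__ == "__main__":
    lineage = demo_lineage()
    print(verify(lineage), build_index(lineage), suppressed(lineage, [3]))
```

A verifier that stored `(len(lineage), lineage[-1]["hash"])` before a rewrite rejects the rewritten chain even though every link in it recomputes correctly.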

Context starvation, in which an entry is technically recorded but with so little context that reconstruction is impossible, is prevented by policy-level minimum fidelity requirements: an agent operating under a credential that requires high context fidelity may not emit deviation entries below the credentialed minimum, and an attempt to do so is itself a structural breach recorded as such. Conversely, over-collection in privacy-sensitive domains is prevented by the field-presence and content-hash modes, which preserve the structural commitment to logging without retaining sensitive raw context beyond what the policy admits.
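The three context-fidelity modes from Operating Parameters and the minimum-fidelity check above can be sketched as follows. This is an added example, not code from the patent or its author. The field names, the default of `presence` for fields the policy does not list, and the per-field random nonce are assumptions; the nonce is there because a bare hash of a low-entropy field can be recovered by guessing.

```python
import hashlib
import hmac
import json
import secrets

RANK = {"presence": 0, "hash": 1, "full": 2}  # weakest to strongest fidelity

def commit(value, nonce):
    # Nonce-prefixed hash over canonical JSON (assumption: nonce kept in escrow).
    return hashlib.sha256(nonce + json.dumps(value, sort_keys=True).encode()).hexdigest()

def record_context(state, policy):
    """Return (logged, escrow); escrow holds what a later credentialed disclosure needs."""
    logged, escrow = {}, {}
    for field, value in state.items():
        mode = policy.get(field, "presence")  # unlisted fields get the least disclosure
        if mode == "full":
            logged[field] = {"mode": "full", "value": value}
        elif mode == "hash":
            nonce = secrets.token_bytes(16)
            logged[field] = {"mode": "hash", "commitment": commit(value, nonce)}
            escrow[field] = (nonce, value)
        else:
            logged[field] = {"mode": "presence"}
    return logged, escrow

def verify_disclosure(logged, field, nonce, value):
    """Check a disclosed value against the commitment stored in the entry."""
    entry = logged.get(field, {})
    return entry.get("mode") == "hash" and hmac.compare_digest(
        entry["commitment"], commit(value, nonce))

def below_minimum(logged, minimum):
    """Fields recorded below the credentialed minimum fidelity (context starvation)."""
    got = lambda f: RANK.get(logged.get(f, {}).get("mode"), -1)  # absent field ranks lowest
    return sorted(f for f, need in minimum.items() if got(f) < RANK[need])

if __name__ == "__main__":
    # Constructed sample state and policy.
    state = {"speed_kph": 87, "patient_id": "constructed-123", "route": "A"}
    logged, escrow = record_context(state, {"speed_kph": "full", "patient_id": "hash"})
    print(logged)
    print(below_minimum(logged, {"route": "hash", "lidar": "presence"}))
```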

Replay confusion, in which a historical deviation is reintroduced into review as if newly observed, is prevented by the entry's binding to the lineage cursor and policy reference active at the original evaluation; reviewers see not only the entry but its position in lineage and the policy regime under which it was generated, and the same entry cannot present itself as belonging to a later regime. Governance review thus operates on entries whose temporal and policy provenance are structurally fixed.

Disclosure Scope

The disclosure encompasses the deviation event definition relative to the integrity envelope; the structural entry containing state, inputs, model identity and version, capability tier, envelope and contributing-field scores, magnitude, disposition, and credentialed authority; the implementation as an indexed view over content-addressed hash-chained lineage providing intrinsic tamper-evidence; the cross-reference from each entry to the upstream provenance lineage; the parameterization of magnitude class, context fidelity, tier coupling, and cross-reference fidelity; the alternative embodiments for storage, indexing, and notification; the composition with envelope computation and with corrective-action mechanisms; and the integration with provenance attribution. Application domains include autonomous vehicles, clinical and therapeutic agents, financial-decision agents, regulated enterprise automation, and any setting in which post-hoc reconstruction of agent behavior under governance review is a structural requirement.

Invented by Nick Clark. Founding Investors: Anonymous, Devin Wilkie