---
status: current
---

# The Proofpane Architecture for AI Governance

**Version 1.0 — 17 July 2026**
**Author:** Louie Lu, Proofpane — [proofpane.com](https://proofpane.com)
**License:** CC BY 4.0 (§14). "Proofpane" is a trademark of its author; the architecture may be implemented by anyone (§13).

> A reference architecture for governing organizational AI such that every AI action is gated **in the execution path**, every decision leaves **tamper-evident evidence**, and both the evidence **and the rubric it is graded against** can be verified by parties who trust neither the operator nor the vendor.

---

## 0. Why this document is public

An organization that grades its own AI against its own private rubric has proven nothing. The rubric moves whenever the grade needs it to; the report is produced by the entity being judged; nobody outside can check either. Self-assessment against a secret standard is unfalsifiable — which is to say, it is not evidence.

The fix used everywhere else in engineering is the public reference: you do not invent a private definition of "well-architected" or "cryptographically sound"; you build against a published, versioned standard that anyone can read and anyone can test conformance against.

This document applies that fix to AI governance. It is public for three reasons:

1. **The verification wall applies to rules, not just records.** Evidence must be checkable outside the audited entity — and so must the standard the evidence is checked against. A public, versioned rubric is one that cannot quietly move.
2. **Adopters need independence.** A team that implements this architecture can point its board, auditor, or regulator at an external, dated, versioned reference — the same reason organizations adopt NIST or ISO instead of writing private policy from scratch.
3. **Prior art.** Publication establishes these mechanisms as public knowledge as of this date, free for anyone to implement (§13), and citable as prior art against later claims that attempt to privatize the mechanisms disclosed here.

One honesty note, in the spirit of §2-VI: publication does not make the author neutral. It makes the rubric **fixed and checkable**. Neutrality is achieved at conformance Level 3 (§12), where verification runs outside every interested party — including the author's own systems.

---

## 1. Scope and stance

**What this governs.** The organizational use of AI: agents and multi-step workflows, coding assistants, chat assistants, automation platforms, and any application calling a model API — collectively, **AI actions**: a model call, a tool call, an agent step, or a decision produced by any of these.

**What this is not.** Not a model-alignment method (it governs *use*, not *weights*). Not a GRC checklist (it specifies runtime machinery, not paperwork). Not a product manual (Proofpane is one implementation; §13).

**Relationship to public frameworks.** NIST AI RMF, ISO/IEC 42001, the EU AI Act, GDPR, and SOC 2 specify *outcomes*: oversight, accountability, records, proportionality. They deliberately do not specify machinery. This architecture is a *how*: an implementable reference whose byproduct is the evidence those frameworks ask for. It complements them and maps to them; it replaces none of them.

**Language.** "MUST", "SHOULD", and "MAY" are used as in RFC 2119. Conformance claims are defined in §12.

---

## 2. The six invariants

Everything else in this document is derived from these. An implementation that violates one of them may be useful software; it does not implement this architecture.

### I. Evidence by enforcement

Governance evidence MUST be a byproduct of the control acting — not a report produced beside it. The gate that allowed or denied the action is the thing that writes the record, atomically with the action. If the control didn't write the record, the record doesn't prove the control ran.

*Corollary:* the governance plane governs itself. Policy changes, version approvals, configuration edits, and administrative overrides are AI-adjacent actions and MUST land on the same evidence chain as everything else.

### II. Verification without trust

Evidence MUST be verifiable outside the producing system: exportable in a self-contained form, checkable **offline**, with publicly available verification tooling, by a party who trusts neither the vendor nor the operator. "Trust our dashboard" is not verification; a dashboard is a rendering of a database its owner can edit.

*Corollary (the verification wall):* evidence generated inside the audited entity, on infrastructure the audited entity controls end-to-end, is discounted by construction — position, not talent. Independent evidence requires rails the audited entity does not control.

### III. Compliance by construction

Controls MUST run in the execution path: the policy gate before the call, redaction before the model sees the content, the budget check before the spend, the human checkpoint before the irreversible step. Review-after-the-fact is an audit, not a control. The goal is structural: make the risky action impossible or self-correcting by design, so that human review stops being the bottleneck — and the ceiling on safe AI adoption becomes the quality of the rules and frameworks, not the vigilance of reviewers.

### IV. Surface-calibrated observation

Observation depth MUST match the actor and the blast radius — not the maximum technically available.

- Where AI **executes as the organization** — workflows, agents, tool-wielding sessions, application egress — inputs and outputs are governed as content, and secrets are redacted **in the pipe**, before model exposure and before storage.
- Where a **person uses AI as a personal work tool**, the system observes the action plane — which tools, which calls, tokens, cost, duration — and MUST NOT read personal content.
- Where content capture on a human-driven surface is warranted (an agent acting with real tools on real systems), capture MUST be disclosed to the user, redacted at source, and acquired through the platform's official integration surfaces — never through covert interception.

This is the observation model a privacy regulator can stand behind: govern the machine's actions fully; govern people's usage at the metadata and cost plane, never their content.

### V. Earned autonomy

Autonomy MUST be granted by recorded precedent and revoked instantly. Risky actions start behind a human checkpoint; each approval MAY become a reusable precedent ("approve and remember"); the autonomy envelope expands only along the precedent record and contracts immediately on anomaly (pause, kill, quarantine). Two honesty rules are load-bearing:

- An agent's approval is recorded as an **agent's** approval — never presented as a human's.
- Every widening of the envelope is itself evidence: who approved, what precedent, when, for what scope.

### VI. Honest boundaries

Every deployment MUST publish its coverage ceiling: which surfaces are governed at which depth (§5), and what it deliberately cannot reach. Evidence gaps — a crash window, an ungoverned surface, a client that only permits observation — MUST be disclosed as first-class events, not silently omitted. An unstated ceiling is a claim waiting to be falsified; a published ceiling is what makes the rest of the claims credible.

---

## 3. Reference model

A conformant system comprises seven planes. Names are descriptive, not prescriptive.

**A. Governed execution pipeline** — the request path every AI action traverses: identity and tenant resolution → policy gate (allow / deny / require-human) → data-loss prevention (redaction before model exposure) → budget gate → model or tool invocation → metering at a single choke point → append to the evidence chain. A denial is not an error; it is evidence (§4).

**B. Human oversight plane** — checkpoints designed into workflows plus checkpoints triggered at runtime (risk tier of an output, behavioral anomaly, cost spike); an approval surface that lives where operators live; precedent memory (V); pause / resume / kill on any running agent; per-step acceptance criteria evaluated deterministically, with bounded fallback on failure.

**C. Evidence plane** — the append-only, hash-chained, organization-scoped log; periodic cryptographic anchoring of the chain head; export as a self-contained signed pack; an offline verifier anyone can run; mappings from recorded actions to public-framework controls. Detailed in §4.

**D. Quality and change plane** — golden datasets and offline evaluation gating what ships; online quality sampling with **calibrated** judges (a judge's trustworthiness is itself measured, as agreement with human gold labels); drift alerts; changes to production defaults made only by recorded experiments that pass a significance gate; every prompt, skill, workflow, and agent versioned, with approval policy and rollback; past runs replayable.

**E. Economic plane** — all spend metered at one choke point; attribution (organization, department, user, agent, app) stamped at emit time and frozen on the immutable record; reconciliation of recorded usage against provider invoices; budget caps whose refusals are audited; anomaly detection on burn rate; statements exportable in signed, independently verifiable form.

**F. Coverage and surface plane** — the model of *where* governance physically attaches (§5), plus continuous discovery of ungoverned AI presence in the estate (coverage scanning), and change-detection on third-party tool definitions (a tool that silently rewrites itself is a supply-chain event and MUST be surfaced).

**G. Enablement and data-readiness plane** — the organizational loop that makes governance produce value rather than only cost: departments write their procedures down; the convertible ones become governed workflows; the non-convertible ones are still written down, because written process is the substrate that lets AI ROI be *measured* rather than asserted, and lets organizational change be planned on evidence. In parallel: the current shape of the organization's data determines which retrieval and grounding methods are even possible — data structuring is a prerequisite pillar, not a later optimization.

---

## 4. The evidence model

What distinguishes **auditable evidence** from logging:

1. **Append-only and tamper-evident.** Records are hash-chained per organization; sealed records cannot be edited in place; deletion or substitution is detectable by re-verification against periodically signed chain anchors.
2. **Written by the control** (Invariant I), atomically with the governed action — including refusals, denials, pauses, and human resolutions.
3. **Self-contained on export.** An evidence pack carries the record slice, the manifest, the public key material, and everything needed to verify it **offline** — no callback to the producer, no trust in the producer's uptime or honesty.
4. **Versioned context travels with the evidence.** The policy version, prompt version, price table version, and rubric version in force at the time of each action are recorded, so any historical claim ("this call cost $X under policy Y") is recomputable, not merely asserted.
5. **Gaps are disclosed.** A crash window, an observe-only surface, an unreachable client — recorded as explicit gap events. Silence is the one thing the chain must never contain.
6. **Mapped outward.** Records link to controls in public frameworks (NIST AI RMF, ISO/IEC 42001, EU AI Act, GDPR, SOC 2), so an auditor reads evidence in their own vocabulary.

---

## 5. The surface model

Where governance can physically attach is decided by the client's architecture and its **billing mode** — not by the governor's ambition. A conformant deployment classifies every AI surface in the estate into one of four coverage classes and publishes the result (Invariant VI):

| Class | Meaning | Typical surfaces |
|---|---|---|
| **Gate + transform** | Content passes through the governance pipe and can be blocked or redacted in-flight | API-key egress via a broker; MCP tool traffic via a governed daemon; gateway-routed automation platforms |
| **Gate only** | Actions can be allowed/denied but content is not transformed | Tool/MCP calls where payload rewriting is unsupported |
| **Observe** | Actions and usage are visible (attributed, metered) but not blockable | Subscription clients' native tools; platforms that volunteer execution events; official hook APIs |
| **Blind (disclosed)** | Deliberately or physically out of reach — published as such | Vendor-internal reasoning; surfaces reachable only by techniques the deployment refuses (§10) |

Two structural rules:

- **Billing mode decides the surface.** Flat-rate subscription clients expose the protocol layer (tools, MCP, hooks, usage metadata); pay-per-token API clients expose the egress layer (full content gate + transform). One deployment typically runs both.
- **Governance lives in the pipe, not in a new tool.** Coverage is achieved by wrapping the tools people already use — hooks, protocol proxies, brokers, gateways — never by requiring the workforce to migrate to a governance UI. A governance plane that requires tool migration collapses to the coverage of whoever migrated.

---

## 6. Threat model

Concept-level; implementations choose mechanisms.

| Threat | Architectural answer |
|---|---|
| History edited or deleted after the fact | Hash chain + signed anchors + append-only storage (§4) |
| Self-serving reporting by the audited entity | Verification wall: offline-verifiable export + public verifier + public rubric (§0, II) |
| Secrets reaching a model | Redaction in the pipe, before model exposure (III, IV) |
| Runaway agents / runaway spend | Budget gates, behavioral anomaly detection, runtime pause/kill, hard caps with audited refusal |
| Tool / skill poisoning, rug-pulls | Containment, not detection-claims: non-overridable credential guards, egress redaction, tool-definition change detection, coverage scanning. The architecture does **not** claim to recognize poisoned instructions — it makes the payload inert and the change visible |
| Shadow AI (ungoverned usage) | Coverage scan + attribution at emit time + published coverage matrix |
| Governance plane compromised or misused | The plane audits itself (I, corollary); its own admin actions are chained evidence |

**Non-goals.** The architecture does not defend model weights, does not audit the vendor's internal reasoning, and by default refuses techniques that would make the governor itself a new attack surface: OS/kernel interception, TLS man-in-the-middle, browser-extension surveillance, employee-content capture beyond §2-IV. Crossing any of those lines is a named, consented, per-customer exception — never a default (and belongs in the published boundary, Invariant VI).

---

## 7. Anti-patterns

Designs this architecture explicitly rejects:

- **Attested logging.** A governance report produced *beside* the execution path, by code that could disagree with what actually ran. (Violates I.)
- **Dashboard evidence.** Screenshots, CSV exports, and web views of a mutable database presented as audit artifacts. (Violates II.)
- **Self-graded compliance.** Scoring your own AI against a rubric you privately author and can privately revise. (Violates §0; the reason this document exists.)
- **Surveillance-first governance.** Reading employee content wholesale in the name of oversight. It is both a privacy failure and unnecessary: the action plane carries the governance signal. (Violates IV.)
- **Detection theater.** Claiming a classifier "detects" prompt injection or poisoned tools. Recognition of adversarial text is an unsolved problem; claiming it is the over-claim. Contain instead. (§6.)
- **Tool-replacement governance.** "Everyone must use our portal, then they're governed." Coverage by migration is coverage of the compliant minority. (Violates §5.)
- **Approval spoofing.** Letting an automated approval appear human, or letting an agent resume a human-gated checkpoint without the grant being explicit, recorded, and labeled. (Violates V.)

---

## 8. The autonomy model in practice

The progression a conformant deployment supports, per agent and per scope:

1. **Supervised** — every consequential action behind a human checkpoint.
2. **Precedented** — approvals recorded as reusable precedents; identical actions in identical scope auto-approve, each auto-approval citing its precedent.
3. **Bounded autonomy** — the agent operates freely inside hard structural limits (path allowlists, budget caps, risk-tier triggers, acceptance criteria per step) with runtime anomaly monitoring.
4. **Contraction** — on anomaly, threshold breach, or operator action: pause, kill, or quarantine, immediately and auditable — autonomy contracts faster than it expands.

At every level the record answers: what was allowed, by whom or by what precedent, under which version of which policy.

---

## 9. The measurement loop

Governance that only says "no" is overhead. The same records that prove compliance are the raw material for optimization:

- **Usage → ROI.** Because every action is attributed and priced (E), automation claims become measurable: which SOPs, converted to governed workflows, actually saved time and money — per department, on evidence.
- **Quality → promotion.** Because outputs are sampled and judged by calibrated judges (D), "the new prompt/model is better" becomes a significance-gated experiment with a recorded verdict, not a vibe.
- **Both feed planning.** Written-down process + attributed usage + judged quality is the dataset on which organizational change (roles, structures, budgets) can be planned defensibly.

This is the loop that makes the governance plane self-funding: the evidence produced for the auditor is the same evidence that tells the operator what to improve next.

---

## 10. Data readiness

Retrieval-grounded AI inherits the shape of the data it retrieves from. The architecture therefore treats **data structuring as a governance-adjacent prerequisite**: an organization's current data topology (structured vs. free-text, owned vs. embedded in third-party silos, labeled vs. not) determines which grounding methods are possible at all — and therefore which AI use cases can be governed into production rather than demoed. Conformant programs SHOULD assess data readiness per use case before committing autonomy levels, and SHOULD treat data-structuring work as part of the AI program, not as an assumed given.

---

## 11. Adopting the architecture

A realistic adoption order, matching the conformance ladder (§12):

1. **See** (→ L1): attach observation to every reachable surface; attribute and meter everything; draft the coverage matrix; disclose the blind spots.
2. **Stop** (→ L2): put the policy gate, redaction, budget caps, and human checkpoints into the execution path of the surfaces that can support them; wire runtime pause/kill.
3. **Prove** (→ L3): chain and anchor the record; stand up offline-verifiable export; map to the public frameworks your auditors read; version everything the evidence depends on.
4. **Optimize** (§9): turn the accumulated record into ROI measurement, quality experiments, and expansion of the autonomy envelope along recorded precedent.

---

## 12. Conformance

Three levels. Each includes all requirements of the previous.

### Level 1 — Observed *("you can see")*

- Every AI action on covered surfaces is attributed — organization, actor, application/agent, model — at emit time, to an append-only, organization-scoped log.
- Usage and cost are recorded per action at a single metering choke point.
- Human tool-use is observed at the metadata plane only (Invariant IV).
- A coverage matrix exists, classifying every known AI surface (§5).

### Level 2 — Governed *("you can stop")*

- A policy gate (allow / deny / require-human) runs **before** the action, in the execution path.
- Secret/PII redaction runs before model exposure on all gate+transform surfaces.
- Budget caps exist and their refusals are recorded as evidence.
- Human checkpoints trigger on designed steps and on runtime risk signals; running agents can be paused and killed; precedents (V) are recorded objects.

### Level 3 — Provable *("you can prove — to someone who doesn't trust you")*

- The record is hash-chained and periodically anchored with a digital signature.
- Evidence exports are self-contained and verifiable **offline** with publicly available tooling.
- Versioned context (policy / prompt / price / rubric versions) travels with the evidence.
- Records map to at least one public compliance framework.
- Evidence gaps are disclosed as first-class events.

### Claiming conformance

A conformance claim MUST state the level, the architecture version, and publish the deployment's coverage matrix — e.g.:

> *"Conformant with the Proofpane Architecture v1.0, Level 2 (coverage matrix: <url>)."*

Self-assessment is permitted and MUST be labeled as such. Independent verification of an L3 claim requires only the evidence pack and the public verifier — that is the point of L3.

---

## 13. Reference implementation

Proofpane ([proofpane.com](https://proofpane.com)) is the original implementation of this architecture. Conformance claim (self-assessed, per §12): conformant with the Proofpane Architecture v1.0, Level 3 (coverage matrix: https://proofpane.com/#coverage). Every Evidence Pack export includes a standalone offline verifier; the architecture described here may be implemented, in whole or in part, by anyone, in any stack, without permission or fee. Attribution per §14.

---

## 14. Citation, license, versioning

**License.** This document: [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/) — share and adapt with attribution. The ideas: free to implement (ideas are not copyrightable; that is by design here — see §0, prior art). The name "Proofpane" identifies the author's implementation and this architecture's origin; conformance claims per §12 are welcome and encouraged.

**Cite as:**

> Lu, L. (2026). *The Proofpane Architecture for AI Governance* (Version 1.0.0). Zenodo. https://doi.org/10.5281/zenodo.21402332

```bibtex
@techreport{lu2026proofpane,
  author      = {Lu, Louie},
  title       = {The Proofpane Architecture for AI Governance},
  institution = {Zenodo},
  year        = {2026},
  month       = {7},
  note        = {Version 1.0.0},
  doi         = {10.5281/zenodo.21402332},
  url         = {https://doi.org/10.5281/zenodo.21402332}
}
```

**Versioning.** Semantic: patch = editorial; minor = additive clarification or new optional material; major = any change to the six invariants or to conformance requirements. The invariants are intended to be stable across minor versions. All versions remain archived and citable.

**Changelog.** v1.0 (2026-07-17) — initial publication.
