A study reveals possible solutions for separating proposal, authorization and verification.
Raffaella Aghemo
I must admit that I have learned a lot recently about the governance of artificial intelligence systems, which are increasingly autonomous and independent of strict human supervision, but I have also been “helped” by reading an excellent independent work by Jason Davis entitled “From Proposal to Proof: Governing Action in Agentic AI Systems”, which focuses on an extremely important point: not what AI thinks, but what it can do.
Although the study is extremely technical, I will try to explain it as I understand it, i.e. by grasping its potential, both at a technological level and, above all, at a legal level of responsibility, in a context increasingly oriented towards automation independent of strict human supervision and in the absence, as yet, of comprehensive regulatory rules on the dilemma of who to attribute responsibility to in the event of damage and malfunction.
When an intelligent system is not limited to generating text but can activate APIs and purchase items on platforms on our behalf, reasoning, decision-making and execution end up in the same circuit. At that point, the risk is no longer cognitive: it is operational. And the current architecture, according to the author, is structurally fragile because action becomes a side effect of reasoning.
The author states: «The architecture proposed in this paper does not attempt to predict the behaviour of future AGI or ASI systems. Rather, it establishes a structural invariant: intelligence alone is never sufficient to cause an action. By separating proposal, authorization, and verification into distinct layers, the system transforms existential “runaway” concerns into concrete governance problems, problems that can be verified, regulated, and corrected using existing security and institutional tools… Applied to robotics and embodied artificial intelligence, the separation of intelligence, authority, and verification ensures that physical action remains a regulated privilege rather than an emergent property of capability.»
This document proposes a three-stage evolution, which does not affect the intelligence of the model, but rather the separation between proposal, authorization, and execution.
In today’s most common model, the agent reasons, decides and acts. Authorization is implicit and probabilistic. If the model is convinced (or is induced to be so by prompt injection), the action starts. The logs record what happened, but do not prove that it was lawful to do so. In regulatory terms, this is a problem: the audit is based on an ex post interpretation of the system’s intentions.
Here Davis introduces an interesting concept, the ‘risk surface’, and analyses how to improve security by following three steps: 1) architectural restructuring only, 2) implementation of UAS in the restructured architecture, 3) implementation of the Aletheia protocol.
Step 1: Separate proposal and execution
The first step, seemingly trivial, is actually powerful: intelligence does not execute, it proposes. Execution passes through a separate gate. It seems like a technical subtlety, but it is not. In this scheme, cognitive manipulation does not automatically equate to an effect on the outside world. Potential damage is confined before it becomes irreversible.
From a regulatory perspective, this separation is already a paradigm shift: responsibility can be localized. The issue is no longer “what did the model want to do”, but “who authorized the action”.
Step 2: Universal Authority Substrate (UAS)
First, let me explain exactly what UAS means: imagine an artificial intelligence system that does not just answer questions, but can do concrete things: authorize a payment, modify a contract, send an order to a machine. The critical point is this: who decides that the action is permitted?
Today, the decision is often implicit. If the system “thinks” that the action is correct and finds no obstacles in the code, it executes it. Authorization is incorporated into its own reasoning.
This Universal Authority Substrate is, in simple terms, a separate layer that does only one thing: it does not reason, it does not plan, it simply checks. We can imagine it as an automatic notary or a security turnstile between “thinking” and “doing”.
So, the process becomes:
1. The AI proposes an action (“I want to do this”).
2. The UAS verifies that the action is permitted, according to clear, predefined rules.
3. If the answer is yes, the action goes ahead.
4. If the answer is no, the action is not performed.
The UAS introduces a deterministic level of authorization that is independent of the AI. The decision therefore becomes binary: PASS or FAIL, either authorized or not authorized. The intelligence can propose anything, but it cannot act without explicit permission.
Each decision generates an object, called a Universal Binary Object (UBO), which records the proposal, context and decision in a reproducible form. It does not explain or interpret the reasoning behind the model, it only certifies whether the action was permitted, becoming equivalent to an “official and standardized receipt” of authorization!
In case of doubts or checks, even months after the operation, traditional systems would consult internal system logs, which are often complex and sometimes modifiable; with a UBO, you can see:
• what the proposed action was,
• in what context it was evaluated,
• what the decision was (authorized or denied), according to given rules.
All this is even more relevant today, because when an AI system begins to affect the real world, the problem is no longer technological but institutional.
In sensitive areas, such as banking or healthcare, how could we prove that an action was permitted? How could we distinguish a system error from a violation of the rules? And, above all, to whom should we clearly assign responsibility?
UAS serves to prevent AI from acting without permission.
Today, if an employee proposes an expense, the administrative office checks whether it falls within the budget and policies, and if approved, a signed receipt is issued, after which payment is made. We have been using this mechanism in the human world for years, and for the author of this work, something similar should also exist for agentic AI.
UAS + UBO do not make AI smarter, nor automatically more ethical, only governable. And that is a substantial difference, especially when AI is no longer limited to talking, but starts to act.
Compliance and liability
This shift has profound implications for compliance and liability. Audits no longer reconstruct a narrative (“what did the system intend to do?”) but verify a fact, whether or not the action passed a deterministic check. Governance ceases to be a hermeneutic exercise and becomes a mechanism.
For those involved in AI regulation, this represents a turning point: enforcement authority can be regulated without getting into the merits of the model’s internal cognition. It is a technologically neutral approach.
Step 3: ALETHEIA
At the final level, it is not the behaviour of the system that changes, but the quality of the proof. ALETHEIA is an open source cryptographic verification layer that makes UBOs independently verifiable, replayable (i.e. this proof can be presented, verified and accepted multiple times in different contexts or at different times, without having to regenerate the authorization each time: once obtained, the proof “travels” with the user or with the authorized object), and non-alterable. ALETHEIA deterministically verifies that the authorization decision is valid, unaltered and reproducible, without trusting the system that generated it.
It reduces residual ambiguity, making the truth independent. In a litigation or insurance context, the difference is enormous: there is no need to trust the operator who managed the system. The decision can be verified mechanically. In other words, the architecture does not promise “secure” AI in an absolute sense. It promises something more pragmatic: limited execution risk and traceable responsibility.
ALETHEIA is not an additional control system, nor is it an extra security filter. It is a pure verification layer that operates exclusively on objects produced by the UAS, the UBOs. It does this not by observing the model or evaluating policies, but simply by verifying.
This distinction is crucial. In most AI systems currently in production, evidence of what has happened is contained in application logs, internal audit trails, elements that require trust in the operator or infrastructure, i.e. parts of the same domain that is being verified.
ALETHEIA introduces a conceptual break: the evidence of authorization is made cryptographically replayable and independent of the system that generated it, taking a UBO out of its original operational context and mathematically proving that the proposal was that, the context was that, and the decision (PASS/FAIL) was produced following deterministic rules, without alterations of any kind.
It is a shift from institutional trust to mechanical verifiability.
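An added sketch of the gate-and-receipt flow from Step 2 together with the replay check described in Step 3; it is not code from Davis’ paper or from the ALETHEIA project. The policy fields, receipt layout, function names and the use of HMAC (standing in for the cryptographic scheme, which this article does not specify) are all assumptions.

```python
import hashlib, hmac, json

# Hypothetical predefined rules and key (constructed for this example).
POLICY = {"allowed_actions": ["pay_invoice"], "max_amount": 500}
KEY = b"constructed-demo-key"  # stand-in for a real signing key


def canonical(obj):
    """Stable byte encoding so identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def decide(proposal, context, policy):
    """Deterministic rule check: no model, no reasoning, only PASS or FAIL."""
    ok = (proposal["action"] in policy["allowed_actions"]
          and proposal["amount"] <= policy["max_amount"]
          and context["budget_left"] >= proposal["amount"])
    return "PASS" if ok else "FAIL"


def authorize(proposal, context, policy=POLICY, key=KEY):
    """Gate step: evaluate the proposal and emit a receipt (UBO-like record)."""
    body = {"proposal": proposal, "context": context,
            "policy_sha256": hashlib.sha256(canonical(policy)).hexdigest(),
            "decision": decide(proposal, context, policy)}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def execute(receipt, effect):
    """The side effect runs only for a receipt that verifies and says PASS."""
    if verify(receipt) != "VALID" or receipt["body"]["decision"] != "PASS":
        return None
    return effect(receipt["body"]["proposal"])


def verify(receipt, policy=POLICY, key=KEY):
    """Verifier step: check integrity, then replay the decision from the record."""
    body = receipt["body"]
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, receipt["tag"]):
        return "ALTERED"
    if body["policy_sha256"] != hashlib.sha256(canonical(policy)).hexdigest():
        return "POLICY_MISMATCH"
    replayed = decide(body["proposal"], body["context"], policy)
    return "VALID" if replayed == body["decision"] else "NOT_REPRODUCIBLE"
```

A shared-key HMAC means the verifier must hold the same key as the gate; a verifier that is to be independent of the issuing system would check a public-key signature instead.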
Until now, when an agentic system caused damage, the forensic process became interpretative, because such a system is a probabilistic model with structural ambiguity: prompts, reasoning chains, configurations and policies had to be analysed, as the link between intention and action could not be formally demonstrated. With this phase, the dispute shifts from an epistemic level (understanding the mind of the system) to a formal one (verifying the correctness of the authorization).
It is, in essence, an infrastructure of evidence.
Interoperability and standardization
Another important aspect to note is interoperability, as what could be achieved is an ecosystem in which, for example, a supervisory authority can verify decisions without accessing the model’s proprietary code, especially in a context such as Europe, where the AI Act pushes for auditability and accountability, and where transparency becomes crucial.
Its value lies not in primary prevention, but in reducing systemic ambiguity. It transforms the question “can we trust it?” into “can we verify it?”.
This phase allows us not to limit artificial intelligence, but to make its actions demonstrable, enabling its integration at an institutional level.
And this is where Davis’ paper ceases to be just an architectural proposal and becomes a reflection on the future of responsibility in the era of intelligent automation, with additional implications.
First and foremost, regulation could shift from “AI explainability” to “execution accountability”, i.e. no longer asking models to explain themselves better, but demanding that no irreversible action can take place without deterministic authorization and verifiable proof.
On this basis, innovation could accelerate rather than slow down. Separating intelligence and authority allows models to be more exploratory on a cognitive level without increasing operational risk.
Of course, risks remain: incorrect configurations, human overrides. But these fall within the realm of classic security, not cognitive unpredictability.
The final message of this paper is simple and, in its own way, radical: there is no need to make AI perfectly understandable in order to govern it. We need to prevent it from acting without explicit authorization and be able to prove it: “My work does not aim to make AI ‘safe’. It does something more defensible and more valuable: it limits the risk of execution regardless of intelligence AND converts governance from interpretation to proof.”
If AI is destined to operate in an increasingly pervasive manner, the real innovation will not be the next most powerful model, but the architecture that will decide when that model is legitimized to touch the real world.
All Rights Reserved
Raffaella Aghemo, Lawyer
