Proof of Insight · An open specification
Proof of Insight (PoI) is a specification for a content-addressed, signed directed acyclic graph of typed derivation steps — and a single mechanical algorithm that verifies analyses produced by agentic AI systems in regulated contexts.
Drug-development readiness reviews, model-risk assessments, clinical decision support, environmental compliance reporting — analyses produced by agentic AI systems are now contributing to decisions that regulators must scrutinise.
These analyses characteristically combine three classes of operation: ingestion of external data, deterministic computation over that data, and non-deterministic reasoning that interprets and concludes. Existing provenance frameworks — in-toto, SLSA, Sigstore, PROV-W3C — address the first two. None admits non-deterministic reasoning as a first-class operation. None provides a verification algorithm of the precision a regulator requires to act independently of the producer over a graph that includes such operations.
The result is that regulated agentic analyses currently rely on producer-controlled audit logs, narrative descriptions, or post-hoc reconstructions. None of these is mechanically verifiable. A regulator presented with such an analysis has no protocol-level basis on which to confirm even the structural integrity of the work.
PoI's central position is that a single primitive — a content-addressed, signed, typed derivation step — is sufficient to express the evidence required for regulated agentic analyses, and that the properties such evidence must possess emerge as theorems over composed steps rather than as separately-designed features.
A PoI proof is a directed acyclic graph of such steps. Verification is a single algorithm parameterised by step type. The taxonomy is fixed: four step types and three edge relations. Domain specialisation is handled through a profile mechanism without modifying the base.
observe: Records the ingestion of an artifact by content hash, attributed to an authorised attestor. The trust-handoff boundary with source-data integrity regimes.
compute: Records the application of a function to predecessor outputs. Bit-identical replay where the environment admits it; tolerance equivalence where it doesn't.
reason: Records a model invocation with inputs, sampling, visible rationale, and an explicit replay class (R1 recorded · R2 re-executable · R3 reproducible).
attest: Records review, validation, qualification, prespecification, supersession, or adequacy — by a named role, about identified predecessors. Never an input.
The promotion of reason to a first-class step type — distinct from compute, with its own predecessor relations, replay regime, visible-rationale evidence field, and verification semantics — is the principal way in which PoI extends prior provenance frameworks. Recording the model's narrative of its own analysis as content-addressed evidence, hash-bound to inputs and downstream consumers, is what makes agentic reasoning legible to mechanical inspection.
PoI establishes that an analysis was produced as recorded. It is silent on whether the recorded analysis was the right analysis. This distinction is constitutive of the protocol's scope, not a footnote.
A conforming proof establishes
A conforming proof does not establish
The protocol answers a process-fidelity question and is silent on the analytical-correctness question. Both matter for regulated decisions, but they are addressed by different mechanisms: PoI by mechanical verification, analytical correctness by qualified human review under domain-specific standards. A reproducibly wrong analysis remains wrong; the protocol's value to a regulator is that it makes the analysis legible and mechanically inspectable, so that human judgment can focus on the questions that require it.
Conformance levels are defined as constraints over which step types must appear, which replay classes are admissible for outputs, and which roles must sign which claims. The predicate set grows monotonically with level. A producer's claimed level is recorded on the signed manifest and checked against the proof DAG.
L1: observe and compute only. All steps signed, replay regime declared. Sufficient for low-risk computational analyses with no reasoning component.
L2: L1 plus bound organisational or individual identity for every attestor and a recognised timestamp authority. Sufficient for regulated computational analyses without reasoning.
L3: L2 plus reason steps admitted, at replay class R2 (re-executable) or higher for any step ancestor to an output. Model identifiers must resolve.
L4A: L3 plus independent qualified review of every reasoning output, plus prespecification for confirmatory analyses. The level for regulated agentic workflows on closed-weight hosted models with strong governance.
L4R: L4A plus replay class R3 — bit-identical reproduction against pinned weights — for any reasoning ancestor of a profile-designated high-stakes output. The level for open-weight, controlled-runtime deployments.
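As an added illustration of the typed-step DAG and the conformance-level predicates described above (not the PoI reference verifier; the field names, the canonical-JSON content addressing, and the omission of signature, identity and timestamp checks are assumptions made here), the following Python sketches what a verifier checks:

```python
import hashlib, json
# Added illustration of PoI's core ideas, not the reference verifier; field names and hashing are assumptions.
STEP_TYPES = {"observe", "compute", "reason", "attest"}
REPLAY_RANK = {"R1": 1, "R2": 2, "R3": 3}

def step_id(step):
    """Content address: SHA-256 over canonical JSON of every field except the id itself."""
    body = {k: v for k, v in step.items() if k != "id"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def mk(type_, **fields):
    """Build a step and bind its content address, so inputs are hash-bound to downstream consumers."""
    step = {"type": type_, **fields}
    return {**step, "id": step_id(step)}

def verify_dag(steps):
    """Structure: known types, hashes match, inputs already recorded (hence acyclic), attest never an input."""
    seen = {}
    for s in steps:  # producer lists steps in topological order
        if s["type"] not in STEP_TYPES or s["id"] != step_id(s):
            return False, "bad type or content address"
        if any(p not in seen or seen[p]["type"] == "attest" for p in s.get("inputs", [])):
            return False, "input missing, out of order, or an attest step"
        if s["type"] == "attest" and (s.get("inputs") or not set(s.get("about", [])) <= set(seen)):
            return False, "attest must carry no inputs and must reference recorded predecessors"
        seen[s["id"]] = s
    return True, "ok"

def reasoning_ancestors(by_id, sid):
    """Reason steps reachable from sid through 'inputs' edges, sid itself included."""
    visited, stack = set(), [sid]
    while stack:
        cur = stack.pop()
        visited.add(cur)
        stack.extend(p for p in by_id[cur].get("inputs", []) if p not in visited)
    return [by_id[v] for v in visited if by_id[v]["type"] == "reason"]

def check_level(steps, level, outputs, high_stakes=()):
    """Level predicates sketched from the page's L1-L4R descriptions; identity, timestamp and signature checks omitted."""
    by_id = {s["id"]: s for s in steps}
    if level in ("L1", "L2"):  # observe and compute only
        return all(s["type"] != "reason" for s in steps)
    if any(REPLAY_RANK[r["replay"]] < 2 for o in outputs for r in reasoning_ancestors(by_id, o)):
        return False  # L3+: reasoning ancestors of outputs must be R2 (re-executable) or higher
    reviewed = {p for s in steps if s["type"] == "attest" and s.get("kind") == "review" for p in s.get("about", [])}
    if level in ("L4A", "L4R") and any(s["type"] == "reason" and s["id"] not in reviewed for s in steps):
        return False  # L4A+: independent qualified review of every reasoning output
    if level == "L4R" and any(r["replay"] != "R3" for o in high_stakes for r in reasoning_ancestors(by_id, o)):
        return False  # L4R: bit-identical (R3) replay for reasoning ancestors of high-stakes outputs
    return True
```

Editing any field of a recorded step changes its content address, so every downstream consumer that named the old hash no longer verifies; that is the mechanical property the page relies on.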
The signature, content-addressing, and timestamping primitives PoI relies on are intended to be instantiated through existing ecosystems via informative profiles. The contribution beyond these frameworks is the typed-step taxonomy admitting non-deterministic reasoning, the typed edge relations, the visible-rationale evidence field, and a single verification algorithm that extends replay semantics to non-deterministic operations.
in-toto: The closest cryptographic substrate. PoI instantiates its signing and attestation primitives via the Sigstore/Rekor profile. The observe step's provenance field is the explicit integration point with in-toto attestations.
Sigstore: Deployed signing and transparency-log infrastructure. PoI's §7.1 profile binds signature to keyless signing and timestamp to Rekor inclusion proofs.
W3C PROV: Provenance data models. PoI differs in being a verification protocol with a single mechanical algorithm, not a data model. PoI proofs can be lifted to PROV representations for interoperability.
Certificate Transparency: Closest precedent for a protocol whose verification algorithm is mechanically tractable and whose claims are precisely scoped. PoI borrows CT's discipline of stating exactly what the protocol does and does not assert.
v0.6.2 is a working draft circulated for review by domain experts in cryptographic provenance, regulated artificial intelligence, and standards development. No production deployments exist at any version. The protocol is pre-1.0.
Editorial control rests with Arclio LLC pending establishment of an independent editorial body. Arclio is the current steward, not the owner. The CC BY 4.0 licence and the §0.3 patent non-assertion covenant are structured to make this transition possible without re-licensing.
Reviewers are invited to submit comments, ambiguities, and proposed changes through the public issue tracker referenced at the canonical spec URL. Threat model and profile-specific feedback is especially welcome — §6 of the spec and the §7.4 / §7.5 profile sketches are explicitly under-developed pending stabilisation of the core.
Document and protocol version are intentionally the same. v0.6.2 supersedes v0.6.1 with backward-compatible additions. v0.6.1 L4 claims map cleanly to v0.6.2 L4R; no producer compliant with v0.6.1 is rendered non-compliant.
The specification document is licensed under the Creative Commons Attribution 4.0 International License. Normative machine-readable schemas, the reference verifier implementation, and the conformance test suite are published separately under the Apache License 2.0, including its patent grant provisions.
Arclio LLC covenants not to assert any patent claims it owns or controls against any implementation that conforms to the conformance test suite at the version under which it claims conformance. Until a conformance test suite is published for a given version, the covenant applies to good-faith implementations of the normative requirements of §§1–5 at that version. The covenant binds Arclio LLC only; it does not address claims that may be held by third parties.
Proof of Insight and PoI are trademarks of Arclio LLC. Use of these marks to describe an implementation as conformant is governed by the PoI Conformance Mark Policy, published separately. Use of the marks in this specification and in any derivative work is permitted for accurate reference to this specification.