Security

AIEP replaces persuasion with provenance. The more a system can show where a claim came from and what evidence supports it, the safer it becomes for humans and machines to rely on that claim.

Security in AIEP is less about secret algorithms and more about predictable, verifiable, fail-closed publishing behaviour.


The conjunction trust model

AIEP does not use a PKI certificate hierarchy where a single trusted root implies trust downstream. It uses a conjunction trust model: every condition in the following set must hold simultaneously. If any one condition fails, the artefact is not trusted for execution.

Condition        | What is verified                                                                          | Failure behaviour
Identity         | issuer_id resolves in AIEP registry; DID document confirms domain ownership              | Non-executable; no override
Integrity        | SHA-256 of artefact matches hash in index; Merkle path from hash to signed root intact   | Non-executable; tamper event logged
Admissibility    | PlausibilityScore >= lower threshold; probability tail-risk bound e <= 10^-15 certified  | Non-executable; enters dissent archive
Goal commitment  | goalVectorRef resolves to a committed, non-drifted GoalVector with matching hash         | Non-executable; requires re-commitment

This model is architecturally different from trust on first use (TOFU) or delegated PKI. There is no trust inheritance and no trusted root whose compromise cascades. Each condition is independently verifiable, and each failure is independently auditable.


The plausibility gate as a security mechanism

Before any artefact is used for a reasoning or execution operation, the claim-type’s PlausibilityScore is retrieved from a versioned, Merkle-verified safety registry (P03 / GB2519799.7).

The gate is fail-closed:

  • No registry response: non-executable
  • Score missing or corrupt: non-executable
  • Merkle proof fails: non-executable
  • Score below lower threshold: non-executable; claim-type enters dissent archive
  • Score in intermediate band: mandatory human arbitration; no autonomous execution

This prevents a class of attack that PKI hierarchies cannot address: execution of structurally valid but epistemically inadmissible claims. A perfectly valid certificate does not make a claim executable. Plausibility must be independently certified.
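The following is an added illustration, not AIEP's own code, of the fail-closed gate above together with the Merkle-path check behind the Integrity condition of the conjunction trust model. The claim types, scores, band thresholds and the leaf encoding (claim type concatenated with the score's repr) are constructed assumptions; the signed root is simply the computed root of the constructed registry.

```python
import hashlib
from typing import Optional

LOWER, UPPER = 0.40, 0.85   # constructed band thresholds; real values come from the safety registry

def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def merkle_root_from_path(leaf: bytes, path: list) -> bytes:
    # path: [(sibling_hash, "L"|"R"), ...] from the leaf up to the root; "L" means sibling is on the left
    h = leaf
    for sibling, side in path:
        h = sha256(sibling + h) if side == "L" else sha256(h + sibling)
    return h

def plausibility_gate(entry: Optional[dict], signed_root: bytes) -> str:
    """Fail-closed decision for one claim-type: every unexpected state maps to non-executable."""
    try:
        if entry is None:
            return "non-executable: no registry response"
        score = entry.get("plausibility_score")
        if not isinstance(score, float) or not 0.0 <= score <= 1.0:   # registry publishes floats
            return "non-executable: score missing or corrupt"
        leaf = sha256(entry["claim_type"].encode() + repr(score).encode())
        if merkle_root_from_path(leaf, entry["merkle_path"]) != signed_root:
            return "non-executable: merkle proof fails"
        if score < LOWER:
            return "non-executable: below lower threshold; enters dissent archive"
        if score < UPPER:
            return "human-arbitration: intermediate band"
        return "executable"
    except Exception as exc:          # malformed entry, wrong types, missing fields: still closed
        return f"non-executable: validation error ({type(exc).__name__})"

# Constructed four-entry registry: leaves L0..L3, a = H(L0|L1), b = H(L2|L3), root = H(a|b)
CLAIMS = {"thermal-limit": 0.92, "actuator-range": 0.61, "sensor-drift": 0.12, "firmware-rev": 0.77}

def sample_registry():
    names = list(CLAIMS)
    L = [sha256(n.encode() + repr(CLAIMS[n]).encode()) for n in names]
    a, b = sha256(L[0] + L[1]), sha256(L[2] + L[3])
    root = sha256(a + b)
    paths = [[(L[1], "R"), (b, "R")], [(L[0], "L"), (b, "R")],
             [(L[3], "R"), (a, "L")], [(L[2], "L"), (a, "L")]]
    entries = {n: {"claim_type": n, "plausibility_score": CLAIMS[n], "merkle_path": paths[i]}
               for i, n in enumerate(names)}
    return root, entries
```

Altering a score in a fetched entry without re-signing the root changes the leaf hash, so the check fails at the Merkle step before the score is ever compared to a threshold.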


Probability certification (P04 / GB2519801.1)

For each divergence-graph node admitted past the plausibility gate, a certified tail-risk bound is computed: Failure probability <= e at confidence C where e <= 10^-15 for safety-critical operations.

A cryptographic commitment is computed over the canonical serialisation. Third parties can independently recompute the bound and verify the commitment. The deterministic arbitration state machine fails the node to non-executable state if:

  • the bound computation fails for any reason
  • the recomputed value does not bit-identically match the committed value
  • the confidence interval cannot be established within the required number of samples
  • a validation error of any type occurs
  • e exceeds the registered threshold

There is no soft failure mode. Uncertain is the same as inadmissible.
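As an added example (not AIEP's own certification code), the sketch below carries the certify-then-independently-recompute step through in Python. The tail-risk bound is a distribution-free Hoeffding bound on the failure rate, chosen here as an assumption because the page does not specify the estimator; the canonical serialisation (sorted-key compact JSON) and the field names are likewise constructed.

```python
import hashlib
import json
import math

def tail_risk_bound(failures: int, n: int, confidence: float) -> float:
    """Upper bound on failure probability holding with probability >= confidence (Hoeffding; assumption)."""
    return failures / n + math.sqrt(math.log(1.0 / (1.0 - confidence)) / (2.0 * n))

def canonical(obj) -> bytes:
    # Canonical serialisation: sorted keys, no whitespace, ASCII only, so every party serialises identically
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()

def commit(node_id: str, failures: int, n: int, confidence: float, bound: float) -> str:
    # Cryptographic commitment over the inputs and the computed bound
    return hashlib.sha256(canonical({"node": node_id, "failures": failures, "n": n,
                                     "confidence": confidence, "bound": bound})).hexdigest()

def certify(node_id, failures, n, confidence, threshold, min_samples):
    """Returns ("executable", commitment) or ("non-executable", reason). Every error is a failure."""
    try:
        if n < min_samples:
            return "non-executable", "confidence interval not established within required samples"
        e = tail_risk_bound(failures, n, confidence)
        if math.isnan(e) or math.isinf(e):
            return "non-executable", "bound computation failed"
        if e > threshold:
            return "non-executable", f"bound {e:.3g} exceeds registered threshold {threshold:.3g}"
        return "executable", commit(node_id, failures, n, confidence, e)
    except Exception as exc:           # e.g. confidence == 1.0 divides by zero: closed, not soft
        return "non-executable", f"validation error ({type(exc).__name__})"

def verify(node_id, failures, n, confidence, threshold, min_samples, committed: str) -> bool:
    """Third-party check: recompute from the same inputs and require a bit-identical commitment."""
    status, value = certify(node_id, failures, n, confidence, threshold, min_samples)
    return status == "executable" and value == committed
```

With 10,000 failure-free samples at 99 % confidence the bound is about 0.015, so the same node passes a 0.02 threshold and fails the 10^-15 safety-critical threshold; a recomputation over altered inputs yields a different commitment and verification fails.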


GENOME invariant gating

Before any output is released to a hardware or execution substrate, the GENOME kernel enforces four constitutional invariants (P09 / GB2519826.8):

  1. Evidence binding - the output is traceable to at least one verified evidence artefact
  2. Hash parity - the output hash matches the committed GoalVector state
  3. Plausibility clearance - the claim-type has been admitted by the plausibility gate
  4. Dissent completeness - if divergent branches exist, each has a complete DivergenceRecord

All four must pass. The kernel is frozen at the GENOME_LOCKFILE.json version recorded in the deployment manifest. Post-deployment kernel substitution is architecturally blocked.


The main risks AIEP addresses

Misrepresentation

A system can claim authority it does not have. AIEP mitigates this by requiring certification claims to be machine-checkable and fail-closed. If certification is claimed but no certificate artefact is present or the issuer does not resolve in the registry, the claim is unverified and the conjunction trust model fails at the Identity condition.

Tampering

A published artefact may be altered after it has been relied upon. AIEP mitigates this via SHA-256 hashes in the index and Merkle inclusion proofs on all registry entries. The conjunction trust model fails at the Integrity condition on any hash mismatch.

Execution of inadmissible claims

A structurally valid, correctly signed artefact may contain a claim that is epistemically inadmissible - below the plausibility threshold, outside the provable probability bound, or excluded by an active safety registry revision. The plausibility gate and probability certification independently guard against this without any dependency on identity verification.

Poisoning at the confidence boundary

An agent operating near a probability certification threshold may be manipulated into treating marginal claims as admissible. AIEP addresses this via the fail-closed multiplier: not just “is e <= threshold” but also “is the committed value bit-identical after independent recomputation?” Any manipulation that alters computation state will produce a non-identical recomputation and fail the gate.

Confidential leakage

Some artefacts are NDA-gated. AIEP’s security goal here is not scarcity management - it is evidential integrity. Restricted download logging and access policy enforcement provide the audit trail; the sealed hash in the public record preserves existence proof without disclosure.


Operational recommendations for publishers

  • Keep /.well-known/aiep/ endpoints stable over time - AI systems index these paths
  • Version schemas and canon documents explicitly
  • Avoid breaking changes without redirects or new version paths
  • Publish a contact route for security reporting
  • Pin GENOME kernel version in GENOME_LOCKFILE.json
  • Audit access logs on NDA-gated materials at regular intervals

AIEP is not a security miracle

AIEP does not eliminate deception. It makes deception easier to detect and makes trustworthy publishing easier to automate. The conjunction trust model means a sophisticated attacker must simultaneously compromise identity, integrity, admissibility, and goal commitment - four independently verifiable conditions - to produce a trusted execution-eligible artefact.