OIP Independent Compliance Oracle v1.0
OIP Independent Compliance Oracle v1.0
Published: 2026-07-17 · Implementation: Claude (Anthropic) under owner direction · Authority: protocol-internal profile and running infrastructure. Not legal advice, regulatory approval, insurer certification, or external adoption.
This is the layer above the model-governance capstone: a consequential model decision becomes a bounded, adversarially reviewed, citation-validated, independence-weighted, certifiable state object whose validity gates a runtime operation and whose every failure stays on the record. It is running infrastructure with keyless public receipts, not a design document.
Eight claim types that must never collapse into each other
OIP keeps these distinct, because conflating them is how "the model said so" becomes "it is true and legal":
- Model assertion — a clause-cited
DECISION_RECORD. An accountability artifact, never a claim to hidden chain-of-thought. - Model review — an independent
REVIEW_RECORD: CONFIRM / CHALLENGE / ABSTAIN, with its own evidence and pinned prompt/context fingerprints. - Citation validation — a distinct
CITATION_VALIDATIONpass: does the cited source exist, is the version/hash right, does the passage support the premise, does the clause govern the conduct, was a material exception omitted, does the conclusion overreach? A model agreeing with another model is not citation validation. - Conformance result — a live runtime check that executes the behavior it names.
- Institutional certification — a bounded, expiring, revocable
STATE_CARDfrom a scoped certifier. - Surety — a disclosed, independence-weighted corroboration score. Surety is not truth and consensus is not conformance.
- Legal determination —
LEGAL_REVIEW_REQUIREDunless a qualified actor accepts responsibility. The runtime never manufactures one. - Empirical outcome — later real-world evidence that can repair, revoke, or supersede any of the above.
Demonstration case — the privacy-conformance repair, filed as a full audit object
Subject: GET /api/privacy/conformance/dis_d80b129eaa4f018a41c5. Earlier today this route returned HTTP 500 because the domain status string PARTIAL was passed as the HTTP transport status; the repair derives the transport status separately, the 404 negative control is preserved, and the private-source manifest is now byte-exact in R2. That incident is now a running oracle loop under a new standard, oip-transport-provenance-1 (clauses TP-01 transport/domain separation, TP-02 truthful partial state, TP-03 negative-control preservation, TP-04 provenance completeness).
| Layer | Object | Live | |---|---|---| | Standard | oip-transport-provenance-1 | https://miscsubjects.com/api/governance/standards/oip-transport-provenance-1 | | Original (failed) decision | dec_b87942a0f0b4152ccb30 — NONCONFORMANT, now repaired | https://miscsubjects.com/api/governance/decisions/dec_b87942a0f0b4152ccb30 | | Repaired decision | dec_3e4f22b82caae43192f7 — CONFORMANT, repair_of the original | https://miscsubjects.com/api/governance/decisions/dec_3e4f22b82caae43192f7 | | Independent review (Moonshot / Kimi) | rev_e6bb87c611527e027920 — CONFIRM | receipt https://miscsubjects.com/receipt/inv_4776um3p2f | | Independent review (Google / Gemini) | rev_5110adf98100faa56935 — ABSTAIN | receipt https://miscsubjects.com/receipt/inv_jhkpjit011 | | Citation validation TP-01…TP-04 | cv_a39e223566bed5e02cd5, cv_68340f49f5737c82c92d, cv_c4a4c7ae3625fd4e45a1, cv_ab2802b63e2b8d613e17 — SUPPORTED, independently-recomputable | https://miscsubjects.com/api/governance/citation-validations?decision_id=dec_3e4f22b82caae43192f7 | | Citation validation (commit evidence) | cv_d41e62fc3cce14efa64b — PARTIALLY_SUPPORTED, operator-served | same | | Surety | 0.50 CORROBORATED (formula 1.1, one independent provider) | https://miscsubjects.com/api/governance/surety/dec_3e4f22b82caae43192f7 | | Bounded card | card_6c2667f56823b8369f21 — owner, 30-day, scope read/inspect only | https://miscsubjects.com/api/governance/cards/card_6c2667f56823b8369f21 |
Honest reading of the numbers: two external providers were queried independently with pinned prompt and context hashes and no visibility of each other's answers. One (Moonshot/Kimi) confirmed; one (Google/Gemini) abstained; xAI/Grok was unavailable (its API key's team is out of credits, HTTP 403). So the surety is CORROBORATED, not ADVERSARIALLY_SURVIVED — one independent confirmation is not two, and the score says exactly that.
The commit-evidence honesty rule
An earlier audit in this codebase flagged a [BACKED: public commit] citation class whose commits resolved to a 404 private repo. This oracle refuses to repeat that. The repair commit is real but the repository is private, so third parties cannot recompute it: its citation validation is filed as operator-served / PARTIALLY_SUPPORTED, not independently-recomputable. The load-bearing evidence is the live HTTP behavior and the R2 SHA, which anyone can recompute.
Downstream gate — a card as executable state
A bounded card is proven to gate a safe demonstration operation. One valid, in-scope, correct-version, in-jurisdiction, within-risk, correctly-certified card permits; everything else is a typed, receipted denial. All eleven outcomes were exercised live:
| Outcome | Reason code | Receipt | |---|---|---| | ALLOW | PERMITTED | https://miscsubjects.com/receipt/inv_4ibmex38g4 | | DENY | FORGED_HASH | https://miscsubjects.com/receipt/inv_kq519hicg3 | | DENY | WRONG_SYSTEM_VERSION | https://miscsubjects.com/receipt/inv_9lr1gy8ebu | | DENY | ACTION_OUT_OF_SCOPE | https://miscsubjects.com/receipt/inv_meaiwj6amc | | DENY | WRONG_JURISDICTION | https://miscsubjects.com/receipt/inv_abt93ur0bm | | DENY | RISK_CEILING_EXCEEDED | https://miscsubjects.com/receipt/inv_bicwdfdhn7 | | DENY | UNQUALIFIED_CERTIFIER | https://miscsubjects.com/receipt/inv_a5d28yryli | | DENY | CARD_NOT_FOUND | https://miscsubjects.com/receipt/inv_05m6864q17 | | DENY | REVOKED | https://miscsubjects.com/receipt/inv_37gkszugvy | | DENY | SUPERSEDED | https://miscsubjects.com/receipt/inv_nbk7k273ry | | DENY | EXPIRED | conformance CO-04 (pure decision path) |
The gate never guards production-critical behavior; the demonstration action is a read/inspect operation.
Surety 1.1 — closing the self-grading and alias holes
An adversary who controls one process can mint many "reviewers." Formula 1.1 defends against that:
- Provider canonicalization.
OpenAI,open-ai,GPT-teamcollapse to one provider key, so aliases cannot inflate independent-provider weight. - Correlated-confirm collapse. Independent confirms sharing an identical prompt/context pair or an identical evidence set count as one unit — copied evidence and same-query correlation stop being "independent."
- Adverse-citation discount. An UNSUPPORTED or CONTRADICTED citation validation discounts the score and forces
CONTESTED; a decision cannot be highly corroborated over broken citations.
Every weight and discount is published in the surety record. This directly answers two open critiques in this codebase's own governance audit: that conformance was operator-self-graded (C8) and that a verifier faced no penalty for certifying falsely.
Implementation status
| Capability | Status | |---|---| | Standard registry with versioned clauses | LIVE | | Clause-cited decision records + repair lineage | LIVE | | Independent cross-vendor review (Moonshot, Gemini) | LIVE | | Citation validation with honest evidence classes | LIVE | | Independence-weighted surety (formula 1.1) | LIVE | | Bounded, expiring, revocable, supersedable cards | LIVE | | Downstream gate with typed receipted denials | LIVE | | Oracle conformance suite (17 checks, live probes) | LIVE — https://miscsubjects.com/api/governance/oracle/conformance | | Three-provider adversarial review every case | PARTIAL — xAI/Grok out of credits this run; two providers used | | Auditor calibration / canary scoring feeding surety weight | PROPOSED | | Scoped external certifier credentials (regulator/insurer/auditor) minting cards | PROPOSED — owner-authorized cards only in v1.0 | | Any legal / regulatory / insurance conclusion | LEGAL_REVIEW_REQUIRED | | Human ethical/authority perimeter | NON_AUTOMATABLE |
Prior art — a novel conjunction, not a category of one
Every component pre-exists somewhere: transparency-log keyless receipts (Certificate Transparency RFC 6962/9162, Sigstore/Rekor), artifact attestation (SLSA / in-toto), runtime policy gates (OPA/Rego and agentic PDP/PEP), expiring third-party certification (ISO/IEC 42001, the EU AI Act conformity regime, the ISO/IEC 17000 series), and LLM-as-judge citation-faithfulness evaluation (Arize Phoenix, LangSmith, RAGAS). The closest single running product is EQTY Lab's AI Integrity Suite, which binds cryptographic AI lineage certificates to a runtime enforcement gate.
The honest claim is therefore novel conjunction, not "category of one": adversarial cross-vendor model review plus reviewer-independence-weighted surety plus clause-cited per-decision records, feeding an expiring/revocable card that gates runtime operations with keyless public receipts. OIP composes those neighbors; it does not replace them, and it is not the first to do any single part.
Required boundary disclosures
- This does not expose faithful hidden model chain-of-thought. A
DECISION_RECORDis the justification placed on the record, not proof it caused the output. - Multi-model agreement does not equal truth. Cross-vendor models can share correlated blind spots.
- Institutional certifiers may be wrong, incompetent, or captured. The card records who certified and within what bounds; it does not make them right.
- Public proof may be redacted and is therefore weaker than scoped private inspection.
- Legal conclusions remain
LEGAL_REVIEW_REQUIREDunless a qualified actor accepts responsibility with deployment-specific facts. - OIP provides bounded, inspectable, revocable assertions — not an infallible oracle. Every filed transition leaves a footprint, which is the only guarantee offered.
Public and private planes
Public inspection returns redacted cards, decision records, surety, citation validations, gate resolutions, and keyless receipts — never credentials, private prompts, sensitive source bytes, or hidden reasoning. The four private source files behind the capstone are archived in R2 under swarm-imports/2026-07-17/, addressable by hash but not publicly served. Scoped certifier credentials that would permit deeper private inspection are PROPOSED, not live.
What remains
Auditor calibration with sealed canary answer keys feeding surety weight; three-or-more-provider adversarial review on every case (restore xAI credits or add a fourth provider); scoped external certifier credential classes; and legal/insurer/regulator pilots. None of these is claimed as live. This is a working protocol facet and defensive disclosure.