Cryptographically Auditable Inference Receipts
Make an AI decision as auditable as a human one. Every inference emits a signed, ledger-anchored receipt an auditor can reconstruct years later — which model, on which input, produced which output, under which policy.
What
CAIR (Cryptographically Auditable Inference Receipts) is the protocol that turns an AI decision into evidence. Each inference emits a structured cair-v1 event that binds together the four things an auditor needs:
- Model fingerprint — exactly which weights ran, down to the specific adapter and corpus version.
- Input commitment — a hash of what the model actually saw.
- Output commitment — a hash of what it returned, plus its reasoning trace.
- Policy & provenance — the policy in force, the citations relied on, and the authorization context at decision time.
Each event is signed with the hyfstele-hash hybrid signature scheme and chained into the hyfstele-ledger — so the receipt inherits the ledger's WORM and offline-verification guarantees. A second component, an anomaly-detector, produces a zero-knowledge proof that the inference fell within expected bounds, without exposing the model internals or the proprietary detector.
Why this matters
Every AI inference produced for a regulated use case has to be defensible at audit time. "Defensible" means an auditor years from now can take the recorded artifact and confirm that this exact model, on this exact input, produced this exact output, under a policy that allowed it. Most production AI systems can do none of that — they log a prompt and a completion to a mutable database and call it governance.
- The AI is accountable, not a black box. CAIR records the decision and its full reasoning as a verifiable artifact, so a recommendation can be re-examined rather than taken on faith.
- Survives the vendor going dark. Because receipts ride the ledger, they verify from their own bytes and a published key — no live call to a model API that may no longer exist.
- Reproducibility by fingerprint. The model fingerprint binds every event to an exact adapter and corpus, so "which version decided this" is never ambiguous.
- Privacy-preserving assurance. The ZK anomaly component proves the decision was in-bounds without revealing the model or the detector — assurance without disclosure.
Where it ships
- Pharma MLR — every per-claim accept / reject / modify verdict is captured as a
cair-v1event and exported in the signed review bundle. - CAPA / NCR — deviation severity calls and MRB dispositions recorded as inference receipts with their citations attached (coming soon).
- Any regulated AI surface — CAIR is vertical-agnostic; the schema is the same whether the decision is a promo claim, a quality disposition, or a logistics call.
Status
The cair-v1 event schema is in production in Hyfstele MLR, capturing model, input, output, and policy for every decision. The cryptographic signing path (ML-DSA-65 + ECDSA hybrid via hyfstele-hash) and the zero-knowledge anomaly-proof component are in active integration against the same primitives the rest of the stack already runs in production.
hyfstele-hash provides the primitives, hyfstele-ledger provides the tamper-evident state, and CAIR is the inference protocol that rides on both. Buy the audit-trail layers alone, or add CAIR when a model makes the call.