P187 — AIEP — Evidence Provenance Completeness Verification Protocol

Publication Date: 2026-03-27 Status: Open Source Prior Art Disclosure Licence: Apache License 2.0 Author/Organisation: Phatfella Ltd Schema: AIEP_OS_SPEC_TEMPLATE v1.0.1 — https://aiep.dev/schemas/aiep-os-spec-template/v1.0.1

Framework Context

[0001] This disclosure operates within an Architected Instruction and Evidence Protocol (AIEP) environment as defined in United Kingdom patent application number GB2519711.2, filed 20 November 2025, the entire contents of which are incorporated herein by reference.

[0002] The present disclosure defines a protocol for verifying that every evidence artefact in an AIEP corpus has a complete, structurally valid, and hash-consistent ProvenanceChain (P150) — detecting artefacts with missing, truncated, or internally inconsistent provenance records and either triggering automated remediation or flagging them for governance review.

Field of the Disclosure

[0003] This disclosure relates to provenance integrity verification and completeness auditing protocols for evidence corpora in governed artificial intelligence systems.

[0004] More particularly, the disclosure concerns: a provenance completeness definition for each artefact type; a ProvenanceCompletenessVerifier process; a ProvenanceGapReport schema; automated remediation for common incompleteness patterns; escalation to governance review for non-automatable gaps; and the integration of provenance completeness status with evidence access control (P166) and quality metrics (P172).

Background

[0005] The ProvenanceChain (P150) is the deterministic record of an artefact’s full lifecycle from ingestion through all transformations. Its integrity is the foundation of the AIEP trust model: a reasoning chain’s confidence in an artefact’s content is only as strong as the completeness and consistency of that artefact’s ProvenanceChain.

[0006] ProvenanceChains may be incomplete due to ingestion pipeline errors (a normalisation step completed but was not recorded), node failures during admission (the CLASSIFY step ran but the chain was not updated before the node crashed), or retroactive artefact migration (artefacts imported from external systems without full provenance reconstruction). These gaps must be detectable and addressable in a governed way.

[0007] Completeness verification is distinct from tampering detection (P175, P178): completeness addresses structural gaps and missing steps; tampering detection addresses modification of existing steps. Both are required for full ProvenanceChain integrity assurance.

Summary of the Disclosure

[0008] Completeness Definition: A ProvenanceChain is considered complete for a given artefact when it contains, in order, all required steps for the artefact’s type:

Standard artefact: INGEST, NORMALISE, CLASSIFY
Artefact with transformation: INGEST, NORMALISE, CLASSIFY, TRANSFORM (one or more)
SynthesisNode (P185): INFER (no preceding steps required — INFER replaces INGEST/NORMALISE/CLASSIFY for synthesised artefacts)
Transferred artefact (migrated from external system): TRANSFER, NORMALISE, CLASSIFY

[0009] Completeness Verification Rules: A ProvenanceChain passes completeness verification if:

All required step types for the artefact type are present
Steps are in legal ordering (INGEST/TRANSFER before NORMALISE before CLASSIFY before TRANSFORM; TRANSFORM before any subsequent TRANSFORM)
Each step’s step_hash matches the SHA-256 of the canonical artefact content at that step
Each step’s performed_by node fingerprint (P46) is a known registered node
No step’s performed_at timestamp is earlier than its predecessor’s performed_at

[0010] ProvenanceGapRecord Schema: For each incompleteness detected:

gap_id — SHA-256 of canonical serialisation
subject_deid — DEID (P162) of the artefact with the incomplete ProvenanceChain
gap_type — one of: MISSING_STEP:{step_type}, ILLEGAL_STEP_ORDER, HASH_INCONSISTENCY:{step_type}, UNKNOWN_NODE:{node_fingerprint}, TIMESTAMP_REGRESSION:{step_types}, ORPHANED_CHAIN (chain has no INGEST, TRANSFER, or INFER step)
gap_severity — MINOR (step recorded but hash inconsistency only; does not affect access), MODERATE (missing non-mandatory step), CRITICAL (INGEST/TRANSFER/INFER step missing or ORPHANED_CHAIN — access restricted pending resolution)
automated_remediation_available — boolean
remediation_plan — the automated or manual remediation steps required
status — OPEN, REMEDIATION_IN_PROGRESS, RESOLVED, ESCALATED_TO_GOVERNANCE
detected_at — ISO 8601 timestamp

[0011] ProvenanceCompletenessVerifier: The ProvenanceCompletenessVerifier runs on a configurable schedule (default: every 6 hours) across all active artefacts, checking each ProvenanceChain against the completeness rules in [0009]. It produces a ProvenanceCompletenessReport summarising:

Total artefacts checked
Count of chains passing verification
Count of MINOR, MODERATE, and CRITICAL gaps detected
New ProvenanceGapRecords opened in this run
ProvenanceGapRecords resolved since the previous run

[0012] Automated Remediation: Where automated_remediation_available: true, the ProvenanceCompletenessVerifier attempts automated remediation without operator intervention:

MISSING_STEP:NORMALISE — if the artefact content is available, re-execute the normalisation process and record a new NORMALISE step; the step’s performed_by is set to REMEDIATION_AGENT:{remediator_fingerprint} to distinguish it from the original pipeline step
HASH_INCONSISTENCY:INGEST — if the dual-ledger (P80) has a conflicting hash, the discrepancy is escalated rather than auto-remediated (hash inconsistency at INGEST is a potential tampering indicator and must be reviewed per P178)

[0013] Access Restriction for CRITICAL Gaps: Artefacts with CRITICAL ProvenanceGapRecords are placed in PROVENANCE_INCOMPLETE access status: they are excluded from evidence query results and reasoning-ready packages (P174) until the gap is resolved. This prevents reasoning chains from consuming artefacts whose fundamental provenance is unverifiable.

ASCII Architecture

Evidence Corpus (all active artefacts)
        │ every 6h
        ▼
ProvenanceCompletenessVerifier
  - check all required steps present
  - check step ordering
  - verify step hashes
  - verify node fingerprints
  - check timestamp ordering
        │
        ├── PASS ──▶ no action
        └── FAIL ──▶ ProvenanceGapRecord
                         │
              ┌──────────┴─────────────────┐
              │                            │
         MINOR/MODERATE               CRITICAL
              │                            │
         automated_remediation      access restricted
         available?                 (PROVENANCE_INCOMPLETE)
              │                            │
          YES: remediate            ESCALATED_TO_GOVERNANCE
          NO: flag for review             │
                                   Governance Node (P89)
                                   manual review + P178 Challenge
                                   if tampering suspected

ProvenanceCompletenessReport ──▶ Quality Metrics (P172)
                              ──▶ Operator Dashboard

Operational Detail

[0014] Incremental Verification: Rather than re-verifying all artefacts from scratch on every run, the ProvenanceCompletenessVerifier uses a watermark: it stores the most recent admitted_at timestamp previously verified and only re-verifies artefacts admitted after that watermark in each run. Artefacts with open ProvenanceGapRecords are always re-verified regardless of the watermark.

[0015] Integration with Quality Metrics: The ProvenanceCompletenessReport is included in the Evidence Quality Metrics corpus health report (P172), surfacing provenance gap counts as a key corpus quality indicator alongside trust and freshness metrics.

Claims-Exclusion Notice

This specification is published as open-source prior art. No patent claims are asserted by the author in respect of the mechanisms described. Any third party seeking to patent mechanisms substantially equivalent to those described herein is placed on notice of this prior art disclosure.