Prove what your AI agent did — without exposing the data that proves it.

You write the policy, set the guardrails, define the intent — then shout into a void of floating logs, hoping the machine did what you said. You are asked to prove your agents stayed in their lane, and forbidden, in the same breath, from exposing the data that would prove it. To produce the proof you would have to hoard your most sensitive prompts and outputs — the exact breach you exist to prevent. The proof becomes the liability. That gap is the disconnect you feel every time someone asks “are you sure?” and the honest answer is “we think so.”

You do not have to believe any of this. Perform one act and watch what comes back: run the verifier on one of your own workflows and try to break it — forge a receipt, move its coordinate, push an unsupported claim past the check. The return is not our gratitude; it is a physical result on your own data. If you cannot break it — if the recompute catches every forgery and flags a divergence your software-only net missed — that failed attack is your first hard datum, and you made it yourself.

Dogfood it on any repo: scripts/pmu/heatmap.sh projects intent (docs) against reality (code) on the 12×12 grid; edit a file and the friction lights up in the cell that file owns. Devs can pull the tools from npm: thetacog.

When competence can be proven without being exposed, it stops being a cost and becomes an asset. “Our autonomous agents are physically attested to stay in their lane, and here is the receipt” is a line that moves a valuation — and its absence is the hole a sharp diligence team finds. At the scale the market is heading — billions of always-on agents — every action is either a priced, attested event or an unbounded liability, and you cannot bolt verification on afterward. At 11.74M walks/sec per node you verify the fleet as it runs: a trillion-dollar agent strategy stays insurable instead of excluded.

And it generalizes: the same instrument that prices a model's competence prices a person's — the basis for a market where competence is verified, not claimed. Place a definition on the grid →

Watch where the market is spending: provenance, audit trails, access control — everyone is racing to secure the data. Almost no one is verifying the behavior — what the agent actually did. That unguarded layer is where the catastrophic, unpriced risk lives.

This is not theoretical. Carriers have begun writing absolute AI exclusions into D&O, E&O, and cyber policies — coverage gone for any claim attributable to the use or deployment of AI. You may think you are covered; the moment an autonomous agent is involved, you may not be.

Ask why an operator of autonomous systems — a bank, a hospital, a power grid, a fleet whose decisions can't be taken back — actually needs its agent to stay in its lane. It is never because a constrained system is more capable. It is because an autonomous system that can exceed its authorized envelope is uncontrollable — and an uncontrollable autonomous decision is a catastrophe regardless of what it decides. The failure that ends you is not a weaker action; it is an unauthorized one — the agent that reached for a tool, a transaction, or a move no one cleared. The interest was never capability. It is the oldest one there is: keep the human in command, most of all where the stakes are irreversible.

The boundary check is a literal XOR — intent ⊕ reality on a 20,736-node interference lattice, computed on the chip itself, deterministic and recomputable, so anyone re-runs it and gets the same number or rejects it. It runs at line rate: 11.74 million ballistic walks per second (measured, Apple M-series, 1-second window). Each single walk clears a 3.4σ floor; aggregated across ~11.8M walks in one second, the deviation band exceeds 600σ — false positives at meteor-strike tier. The reading layer is bypassed: the audit rides the raw physics of the silicon, not a model's opinion.

So both halves arrive together. Protected: the payload is unrecoverable by construction — no honeypot of sensitive text to breach; the sensitive thing was burned to make the shape. Priceable: the shape is exact — an underwriter can bound the risk and write the number. Data minimization and insurability are the same physical fact read twice. Recompute, don't assert. The physics is in the book — Appendix S.

See it recompute, now: a live signed receipt, the live lattice, and a worked drift map (a model supplies the input; the lattice is the proof). Nothing here is asserted that you can't re-run.

Honest about the edge: the signed, recomputable receipt and the on-chip XOR are the proven, running part. The further hardening — reading the same divergence off the processor's own cache counters, tamper-evident — is partial today (one chip family; some footprint-equal cases below the noise floor) and is the upgrade this earns. No language model sits in the trust path at any layer.

The receipt is signed by the operator's own key, at the operator's own coordinate. It binds the act to the identity that performed it — so “the AI did it” stops being a defense (the tribunal threw it out in Moffatt v. Air Canada). A scapegoat is a detached record of blame; blame bound to its source cannot be transferred to a victim.

Frontier labs explore whether their models might warrant moral consideration; the Vatican reserves moral agency to the human being. We are on neither side — we are on a different axis. We make no claim about machine consciousness or a soul. Verified role continuity — a system that can hold an identity long enough to make and keep a promise — is a classification of the system, not a grant of rights: held to a promise, the machine becomes more accountable, never more person-like, and the human stays the moral agent. It is what the grounding problem predicts: meaning not anchored to verifiable structure drifts. Two old images make it concrete — Babel is just semantic drift (you stop it by grounding the language in the silicon, not a soul document), and a covenant is just role continuity (geometry identical to identity cannot break a promise without fracturing itself).

You will hear that “ethics is just steering.” Functionally, that is the part we mechanize. But real ethics is discernment, which can be bent to justify anything — which is exactly why you do not hand it to a machine. We mechanize the steering and leave the discernment with the human. The instrument is pre-moral — it measures what happened, never whether it was good; that it judges nothing is exactly why an underwriter, a regulator, and an adversary can all trust the same fact. The book grades itself by its own instrument — Appendix Z.