Contents
The compliance gap.
The EU AI Act creates binding obligations for organisations deploying AI in high-risk categories: maintain detailed logs of AI decision-making (Art. 12), operate a risk management system (Art. 9), explain decisions in accessible language (Art. 13), and preserve a human override pathway (Art. 14). The UK Online Safety Act and the ICO Children's Code impose parallel evidentiary duties on platforms today.
Most organisations deploying AI have no infrastructure that produces this evidence. Policy frameworks describe what should be done; they are not a mechanism for doing it. AILeash is the mechanism: an API endpoint that sits in the decision path, scoring and sealing every action before the response returns to the caller.
Higher figure applies for large organisations; lower for SMEs. Source: Art. 99, Regulation (EU) 2024/1689.
The scoring engine, exactly.
The engine is deterministic weighted scoring — a deliberate architectural constraint. Weights are immutable in code; there is no learned model in the decision path and therefore no model drift, no retraining opacity, and no explanation gap. Identical inputs produce identical outputs, forever. For a system whose output must survive regulatory scrutiny, determinism is a feature, not a limitation.
The nine signals and their exact weights
Weights sum to a maximum of 1.20 before clamping — deliberate headroom so that multiple simultaneous risk factors saturate the score rather than diluting each other.
Trust dynamics
Trust is per-user and persistent. It takes roughly 70 clean events to climb from neutral (0.5) to 0.75, and three blocks to fall below it. This asymmetry is the engine's institutional memory: burst attacks self-amplify (each BLOCK lowers trust, raising the next score) — observed in production testing as escalation from CHALLENGE 0.61 to BLOCK 0.95 across fifteen hostile events.
Velocity windows
Three sliding windows (60s / 5m / 1h) per user, maintained in memory with periodic eviction. They catch the three canonical attack tempos: burst (bot), sustained (scripted abuse), and slow-roll (patient fraud).
The audit chain, exactly.
Every decision is sealed before the API response returns. The construction:
Concurrency guarantee: the tip read, hash computation, and insert occur inside a single lock hold on a SQLite database in WAL mode. Two simultaneous requests cannot read the same tip and fork the chain — verified under 30 concurrent writes in testing, chain intact. This matters: a governance product whose own chain can fork under load would report false tampering on itself.
Attribution without invalidation (v6.2): each block is attributed to the API key that produced it, stored alongside the block, never inside the hash payload. Existing chains remain valid across the upgrade — a worked example of schema evolution on tamper-evident data: metadata may grow; hashed content is frozen forever.
What the chain proves — and what it doesn't
A valid chain proves the record has not been altered since genesis: change one character and every subsequent hash breaks, detectably, by anyone recomputing forward. It does not prove the recorded events were true — hashing seals claims; it does not certify them. This is precisely the property regulators require: tamper-evidence makes lying permanent and detectable, not impossible. Whether a specific court accepts a chain as sufficient evidence is a legal question; organisations should take their own advice. The gap between self-consistency and external truth is what cross-chain anchoring (Section 08, roadmap) exists to close.
Real-time visibility (v6.2).
Industry surveys circulating in 2026 suggest fewer than one in five firms can detect an AI problem while it is happening. v6.2 addresses this with two mechanisms:
Sealed-evidence alerting
The moment the engine returns BLOCK on a customer's traffic, the account holder is emailed the evidence: user, action, score, plain-language reasons, and the audit hash under which the event is already sealed. Alerts are throttled to one per hour per key so a burst attack cannot become an inbox attack — production-tested: fourteen consecutive blocks produced exactly one email, chain intact throughout.
The pulse endpoint
One call gives an operator their live risk posture and the chain tip their evidence is sealed under. Governance stops being a quarterly report and becomes an instrument reading.
Sovereign deployment & licensing.
Cloud governance tools create a structural contradiction: the data proving compliance leaves the customer's network and rests on a vendor's security posture. The Sebdog engine inverts this — engine, database, and chain run inside the customer's perimeter. Decision data does not need to leave their infrastructure to be scored, sealed, and verified.
Air-gapped licence tokens
A sovereign install validates its licence with pure cryptography — no phone-home, suitable for isolated environments. This also fixes the vendor's economics: infrastructure cost stays flat regardless of customer decision volume, because the decisions run on customer hardware.
GDPR alignment
Because data can remain within the customer's network, cross-border transfer questions and third-party processor obligations are reduced. This is a design property supporting GDPR alignment — not itself a certification, which depends on the customer's full data practices.
Public verification surfaces.
Every guarantee in this paper is checkable against the running system, unauthenticated where possible. This table is the paper's bibliography:
| Endpoint | Auth | Proves |
|---|---|---|
| GET /api/verify-chain | none | Full chain integrity, genesis to tip |
| GET /api/inclusion?hash= | none | Any receipt hash is (or is not) sealed — with block index and sequence |
| GET /api/coverage | API key | Receipts issued vs blocks sealed — completeness, true/false |
| GET /api/pulse | API key | Live posture: last-hour decisions, recent events, chain tip |
| GET /api/regulation-map | none | Versioned, hash-sealed mapping of engine features to legal obligations |
| GET /api/partner/status?badge= | none | Partner account standing and platform status — independently attributable |
| GET /api/spec | none | The API's self-documentation — machine-readable continuity |
Completeness receipts (v6.3)
Integrity proves records weren't edited; it does not prove all records exist. AILeash closes the gap that can be closed: every decision returns a gapless per-key sequence number, issued inside the same transaction as the chain write. There is no code path where a decision occurs without its numbered receipt. A caller holding receipts N and N+2 proves the omission of N+1 by arithmetic, not policy. Edited records break the chain. Missing records break the sequence. Either way, it shows.
Hosted challenge resolution (v6.4)
A CHALLENGE verdict returns a signed challenge_url — a verification page AILeash hosts. The end user confirms or denies; the resolution is sealed into the chain as its own block; the platform polls one status endpoint. Clients integrate exception handling in three lines instead of building workflow. Challenge tokens are stateless (HMAC-signed, time-limited), so the mechanism adds no storage and runs unchanged on sovereign installs.
Regulatory provenance (v6.4)
The mapping from engine features to legal obligations is published, versioned, and hash-sealed at /api/regulation-map — and every version change is itself sealed into the audit chain as a block. When regulation shifts, history shows exactly which map governed which historical decision. Regulatory churn becomes auditable provenance rather than silent reinterpretation.
The ai.txt standard.
robots.txt is a thirty-year-old text file that still governs how every crawler treats every website. ai.txt (AI-TXT/1.0, proposed) applies the same mechanism to AI governance: one machine-readable file at a domain's root declaring how its AI is governed — engine, decision model, audit construction, regulatory design targets — and, critically, where anyone can verify it.
The format is deliberately trivial: key–value pairs, comments, unknown keys ignored. The discipline is in one rule: a declaration without a verify endpoint is marketing; a declaration with one is accountability. The first ai.txt is live at sebbi.pro/ai.txt. As agents begin choosing which platforms to transact with, they will read this file before they read anyone's marketing — and whichever chain a domain's ai.txt points at holds that domain's continuity.
Technical capture: the market thesis.
Lock-in is contractual: exit fees, term commitments, lawyers holding the door. Technical capture is structural: the product's own physics make leaving expensive, with no clause compelling anyone to stay. In compliance, four mechanisms compound:
| Mechanism | Effect on switching |
|---|---|
| Continuity | Exported records are data; the tamper-evidence regulators demand lives in the unbroken chain, which cannot migrate. Unbroken beats rebuilt, every time a regulator asks. |
| Trust reset | Per-user trust is earned decision-by-decision inside the engine. A departing platform restarts every user at neutral — detection quality drops on day one of leaving. |
| Public shields | Customer badges are rendered live against account standing. Leaving is publicly visible on the customer's own site — UNVERIFIED, in grey. |
| Standard-setting | ai.txt declarations point at a verify endpoint. Whoever's chain the ecosystem's files point at holds the ecosystem's continuity. |
Roadmap: cross-chain anchoring
Self-consistency has a known boundary: a chain rebuilt from scratch is internally valid. The answer is mutual witnessing — independent organisations' chains periodically anchor each other's tips, so even a perfect rewrite is caught by records someone else holds. Proposed model: compliance vendors £10k/month, flat fee for industry participants, first ten members free to seed the network. Status: design stage — stated as roadmap, not as a shipped capability.
Comparison.
| Capability | AILeash | GRC platforms | Cloud AI guardrails | Consultancies |
|---|---|---|---|---|
| Per-decision tamper-evident record | Yes — SHA-256 chain | Editable logs | Provider-held logs | No runtime |
| Omission detectable | Gapless receipts | No | No | — |
| Public verification | Unauthenticated endpoints | No | No | — |
| Decision latency | 28ms median | Not in decision path | Varies; model-dependent | — |
| Data leaves customer? | Never (sovereign) | Vendor cloud | Provider cloud | Engagement-based |
| Deterministic / explainable | Immutable weights | Policy text | ML, drift-prone | Human judgement |
| Entry price | 50p / device / month | £20k–£100k+ / yr | Usage-priced | £50k+ engagements |
Categories characterised in general terms; individual vendors vary. The claim defended here is narrow and checkable: no incumbent category combines per-decision sealing, omission detection, public verification and sovereign deployment at this price point.
Regulatory alignment.
Design targets, feature by feature — published, versioned and sealed at /api/regulation-map. "Built for" is a design claim, not a certification; conformity assessment remains the deploying organisation's obligation.
EU AI ACT — ART. 9
Continuous risk management → per-event scoring across nine signals, velocity windows at three tempos, persistent per-user trust.
EU AI ACT — ART. 12
Record-keeping → per-decision chain sealing, gapless receipts, public inclusion and coverage verification.
EU AI ACT — ART. 13
Transparency → plain-language reason codes on every verdict; deterministic weights, publishable in full.
EU AI ACT — ART. 14
Human oversight → CHALLENGE verdicts with hosted human resolution, sealed as first-class chain events.
UK ONLINE SAFETY ACT
Evidence-backed moderation → real-time scoring with sealed audit trail; Ofcom ASM consultation submission acknowledged, publication consent granted.
ICO CHILDREN'S CODE
Child-first design → Guardian: free family tool. One-tap Help, check-ins, and plain-English flagging of known grooming patterns. Never asserts a message is "safe"; message text is never stored, only a sealed fingerprint.
Economics & pricing.
50p per device per month, flat. Partners and resellers set their own price above it and keep the margin — a partner charging £1.99 retains £1.49 per device monthly. A referral layer pays introducers 10p per device per month, permanently: distribution that funds itself.
The structural advantage is cost shape. Sovereign deployment moves decision execution onto customer hardware, so vendor infrastructure cost is flat with respect to decision volume. Incumbent per-seat GRC pricing (typically £20k–£100k+ annually) leaves the mid-market unserved; 50p per device is priced for the platforms the incumbents ignore — and August 2026 obligates precisely those platforms.
Guardian is free for families, permanently.
Funding.
Position, stated plainly: the platform is live, the billing loop is verified end-to-end, and the company is pre-revenue. Four years of development were self-funded on infrastructure costing pounds per month. There is no burn to outrun — the engine survives indefinitely at current cost. What capital buys is speed, not survival.
Seeking £500,000 to convert a working engine into a market position ahead of enforcement: incorporation and compliance certifications (ISO 27001, Cyber Essentials Plus); first engineering and partner-support hires to retire the single-founder bottleneck; white-label partner onboarding; and standing up the cross-chain anchoring network while the standard is uncontested.
Diligence starts at the endpoints: every technical claim in this paper is verifiable against production before a single call is taken.
Open a conversation →