// Technical Whitepaper · v1.2

AILeash: Sovereign, Tamper-Evident AI Governance Infrastructure

Publisher: Monop Content, Blyth, UK
Engine: v6.2 (production)
Regulatory engagement: Ofcom ASM consultation — acknowledged
Abstract. AILeash is a deterministic AI governance engine providing real-time decision scoring, per-decision SHA-256 chain sealing, real-time block alerting with sealed evidence, and sovereign deployment in which decision data never leaves customer infrastructure. This paper specifies the scoring model, hash construction, concurrency guarantees, and verification surfaces precisely enough that every claim can be checked against the running system at sebbi.pro. It also states the economics: 50p per device per month, flat, with partner-set margin above it — and describes the structural switching costs ("technical capture") that compliance history creates.
Regulatory update (May 2026): On 7 May 2026 the EU reached a provisional "Digital Omnibus" agreement that would defer the high-risk (Annex III) deadline from 2 August 2026 to 2 December 2027, pending formal adoption. Prohibited-practice rules (in force since February 2025) and GPAI obligations (in force since August 2025) are unaffected. This document treats December 2027 as the working planning date for high-risk obligations while noting formal adoption is pending.

Contents

  1. The compliance gap
  2. The scoring engine, exactly
  3. The audit chain, exactly
  4. Real-time visibility (v6.2)
  5. Sovereign deployment & licensing
  6. Public verification surfaces
  7. The ai.txt standard
  8. Technical capture: the market thesis
  9. Comparison
  10. Regulatory alignment
  11. Economics & pricing
  12. Funding
// Section 01

The compliance gap.

The EU AI Act creates binding obligations for organisations deploying AI in high-risk categories: maintain detailed logs of AI decision-making (Art. 12), operate a risk management system (Art. 9), explain decisions in accessible language (Art. 13), and preserve a human override pathway (Art. 14). The UK Online Safety Act and the ICO Children's Code impose parallel evidentiary duties on platforms today.

Most organisations deploying AI have no infrastructure that produces this evidence. Policy frameworks describe what should be done; they are not a mechanism for doing it. AILeash is the mechanism: an API endpoint that sits in the decision path, scoring and sealing every action before the response returns to the caller.

Tier 1 — Prohibited practices (Art. 5)Up to €35m or 7% global turnover
Tier 2 — High-risk / operator obligations (Arts. 9, 16, 26)Up to €15m or 3% global turnover
Tier 3 — Misleading information to authoritiesUp to €7.5m or 1.5% global turnover

Higher figure applies for large organisations; lower for SMEs. Source: Art. 99, Regulation (EU) 2024/1689.

// Section 02

The scoring engine, exactly.

The engine is deterministic weighted scoring — a deliberate architectural constraint. Weights are immutable in code; there is no learned model in the decision path and therefore no model drift, no retraining opacity, and no explanation gap. Identical inputs produce identical outputs, forever. For a system whose output must survive regulatory scrutiny, determinism is a feature, not a limitation.

The nine signals and their exact weights

score = clamp( Σ , 0, 1 ) where Σ = (1 − trust) × 0.30 + min(velocity_60s / 20, 1) × 0.15 + min(velocity_5m / 50, 1) × 0.10 + min(velocity_1h / 200, 1) × 0.10 + min(ln(1+amount) / ln(1+10000), 1) × 0.15 # log-scaled: £100 and £10,000 differ sanely + device_risk × 0.10 + behavioural_anomaly × 0.10 + country_shift × 0.10 # prior country ≠ current country + unsafe_country × 0.10 # outside allow-list of 13 jurisdictions decision = ALLOW if score < 0.35 = CHALLENGE if score < 0.70 = BLOCK otherwise

Weights sum to a maximum of 1.20 before clamping — deliberate headroom so that multiple simultaneous risk factors saturate the score rather than diluting each other.

Trust dynamics

on ALLOW: trust += (1 − trust) × 0.01 # slow asymptotic earn on CHALLENGE: trust −= trust × 0.02 on BLOCK: trust −= trust × 0.08 # 8× faster to lose than to earn clamp to [0.05, 1.0] # floor: no identity is ever fully written off

Trust is per-user and persistent. It takes roughly 70 clean events to climb from neutral (0.5) to 0.75, and three blocks to fall below it. This asymmetry is the engine's institutional memory: burst attacks self-amplify (each BLOCK lowers trust, raising the next score) — observed in production testing as escalation from CHALLENGE 0.61 to BLOCK 0.95 across fifteen hostile events.

Velocity windows

Three sliding windows (60s / 5m / 1h) per user, maintained in memory with periodic eviction. They catch the three canonical attack tempos: burst (bot), sustained (scripted abuse), and slow-roll (patient fraud).

// Section 03

The audit chain, exactly.

Every decision is sealed before the API response returns. The construction:

payload = canonical_json({ prev_hash, ts, event, result }) # sorted keys — one byte, one hash hash_n = SHA-256(payload) genesis = "GENESIS"

Concurrency guarantee: the tip read, hash computation, and insert occur inside a single lock hold on a SQLite database in WAL mode. Two simultaneous requests cannot read the same tip and fork the chain — verified under 30 concurrent writes in testing, chain intact. This matters: a governance product whose own chain can fork under load would report false tampering on itself.

Attribution without invalidation (v6.2): each block is attributed to the API key that produced it, stored alongside the block, never inside the hash payload. Existing chains remain valid across the upgrade — a worked example of schema evolution on tamper-evident data: metadata may grow; hashed content is frozen forever.

What the chain proves — and what it doesn't

A valid chain proves the record has not been altered since genesis: change one character and every subsequent hash breaks, detectably, by anyone recomputing forward. It does not prove the recorded events were true — hashing seals claims; it does not certify them. This is precisely the property regulators require: tamper-evidence makes lying permanent and detectable, not impossible. Whether a specific court accepts a chain as sufficient evidence is a legal question; organisations should take their own advice. The gap between self-consistency and external truth is what cross-chain anchoring (Section 08, roadmap) exists to close.

// Section 04

Real-time visibility (v6.2).

Industry surveys circulating in 2026 suggest fewer than one in five firms can detect an AI problem while it is happening. v6.2 addresses this with two mechanisms:

Sealed-evidence alerting

The moment the engine returns BLOCK on a customer's traffic, the account holder is emailed the evidence: user, action, score, plain-language reasons, and the audit hash under which the event is already sealed. Alerts are throttled to one per hour per key so a burst attack cannot become an inbox attack — production-tested: fourteen consecutive blocks produced exactly one email, chain intact throughout.

The pulse endpoint

GET /api/pulse Authorization: Bearer <key> → { last_hour: { ALLOW, CHALLENGE, BLOCK }, recent: [ { ts, action, decision, score, reasons[], sealed } × 10 ], chain_tip }

One call gives an operator their live risk posture and the chain tip their evidence is sealed under. Governance stops being a quarterly report and becomes an instrument reading.

// Section 05

Sovereign deployment & licensing.

Cloud governance tools create a structural contradiction: the data proving compliance leaves the customer's network and rests on a vendor's security posture. The Sebdog engine inverts this — engine, database, and chain run inside the customer's perimeter. Decision data does not need to leave their infrastructure to be scored, sealed, and verified.

Air-gapped licence tokens

payload = canonical_json({ v, key, devices, plan, email, issued, expires }) token = base64url( { payload, sig: HMAC-SHA256(secret, payload) } ) # 365-day validity · verified offline · no callback required

A sovereign install validates its licence with pure cryptography — no phone-home, suitable for isolated environments. This also fixes the vendor's economics: infrastructure cost stays flat regardless of customer decision volume, because the decisions run on customer hardware.

GDPR alignment

Because data can remain within the customer's network, cross-border transfer questions and third-party processor obligations are reduced. This is a design property supporting GDPR alignment — not itself a certification, which depends on the customer's full data practices.

// Section 06

Public verification surfaces.

Every guarantee in this paper is checkable against the running system, unauthenticated where possible. This table is the paper's bibliography:

EndpointAuthProves
GET /api/verify-chainnoneFull chain integrity, genesis to tip
GET /api/inclusion?hash=noneAny receipt hash is (or is not) sealed — with block index and sequence
GET /api/coverageAPI keyReceipts issued vs blocks sealed — completeness, true/false
GET /api/pulseAPI keyLive posture: last-hour decisions, recent events, chain tip
GET /api/regulation-mapnoneVersioned, hash-sealed mapping of engine features to legal obligations
GET /api/partner/status?badge=nonePartner account standing and platform status — independently attributable
GET /api/specnoneThe API's self-documentation — machine-readable continuity

Completeness receipts (v6.3)

Integrity proves records weren't edited; it does not prove all records exist. AILeash closes the gap that can be closed: every decision returns a gapless per-key sequence number, issued inside the same transaction as the chain write. There is no code path where a decision occurs without its numbered receipt. A caller holding receipts N and N+2 proves the omission of N+1 by arithmetic, not policy. Edited records break the chain. Missing records break the sequence. Either way, it shows.

Hosted challenge resolution (v6.4)

A CHALLENGE verdict returns a signed challenge_url — a verification page AILeash hosts. The end user confirms or denies; the resolution is sealed into the chain as its own block; the platform polls one status endpoint. Clients integrate exception handling in three lines instead of building workflow. Challenge tokens are stateless (HMAC-signed, time-limited), so the mechanism adds no storage and runs unchanged on sovereign installs.

Regulatory provenance (v6.4)

The mapping from engine features to legal obligations is published, versioned, and hash-sealed at /api/regulation-map — and every version change is itself sealed into the audit chain as a block. When regulation shifts, history shows exactly which map governed which historical decision. Regulatory churn becomes auditable provenance rather than silent reinterpretation.

// Section 07

The ai.txt standard.

robots.txt is a thirty-year-old text file that still governs how every crawler treats every website. ai.txt (AI-TXT/1.0, proposed) applies the same mechanism to AI governance: one machine-readable file at a domain's root declaring how its AI is governed — engine, decision model, audit construction, regulatory design targets — and, critically, where anyone can verify it.

The format is deliberately trivial: key–value pairs, comments, unknown keys ignored. The discipline is in one rule: a declaration without a verify endpoint is marketing; a declaration with one is accountability. The first ai.txt is live at sebbi.pro/ai.txt. As agents begin choosing which platforms to transact with, they will read this file before they read anyone's marketing — and whichever chain a domain's ai.txt points at holds that domain's continuity.

// Section 08

Technical capture: the market thesis.

Lock-in is contractual: exit fees, term commitments, lawyers holding the door. Technical capture is structural: the product's own physics make leaving expensive, with no clause compelling anyone to stay. In compliance, four mechanisms compound:

MechanismEffect on switching
ContinuityExported records are data; the tamper-evidence regulators demand lives in the unbroken chain, which cannot migrate. Unbroken beats rebuilt, every time a regulator asks.
Trust resetPer-user trust is earned decision-by-decision inside the engine. A departing platform restarts every user at neutral — detection quality drops on day one of leaving.
Public shieldsCustomer badges are rendered live against account standing. Leaving is publicly visible on the customer's own site — UNVERIFIED, in grey.
Standard-settingai.txt declarations point at a verify endpoint. Whoever's chain the ecosystem's files point at holds the ecosystem's continuity.

Roadmap: cross-chain anchoring

Self-consistency has a known boundary: a chain rebuilt from scratch is internally valid. The answer is mutual witnessing — independent organisations' chains periodically anchor each other's tips, so even a perfect rewrite is caught by records someone else holds. Proposed model: compliance vendors £10k/month, flat fee for industry participants, first ten members free to seed the network. Status: design stage — stated as roadmap, not as a shipped capability.

// Section 09

Comparison.

CapabilityAILeashGRC platformsCloud AI guardrailsConsultancies
Per-decision tamper-evident recordYes — SHA-256 chainEditable logsProvider-held logsNo runtime
Omission detectableGapless receiptsNoNo
Public verificationUnauthenticated endpointsNoNo
Decision latency28ms medianNot in decision pathVaries; model-dependent
Data leaves customer?Never (sovereign)Vendor cloudProvider cloudEngagement-based
Deterministic / explainableImmutable weightsPolicy textML, drift-proneHuman judgement
Entry price50p / device / month£20k–£100k+ / yrUsage-priced£50k+ engagements

Categories characterised in general terms; individual vendors vary. The claim defended here is narrow and checkable: no incumbent category combines per-decision sealing, omission detection, public verification and sovereign deployment at this price point.

// Section 10

Regulatory alignment.

Design targets, feature by feature — published, versioned and sealed at /api/regulation-map. "Built for" is a design claim, not a certification; conformity assessment remains the deploying organisation's obligation.

EU AI ACT — ART. 9

Continuous risk management → per-event scoring across nine signals, velocity windows at three tempos, persistent per-user trust.

EU AI ACT — ART. 12

Record-keeping → per-decision chain sealing, gapless receipts, public inclusion and coverage verification.

EU AI ACT — ART. 13

Transparency → plain-language reason codes on every verdict; deterministic weights, publishable in full.

EU AI ACT — ART. 14

Human oversight → CHALLENGE verdicts with hosted human resolution, sealed as first-class chain events.

UK ONLINE SAFETY ACT

Evidence-backed moderation → real-time scoring with sealed audit trail; Ofcom ASM consultation submission acknowledged, publication consent granted.

ICO CHILDREN'S CODE

Child-first design → Guardian: free family tool. One-tap Help, check-ins, and plain-English flagging of known grooming patterns. Never asserts a message is "safe"; message text is never stored, only a sealed fingerprint.

// Section 11

Economics & pricing.

50p per device per month, flat. Partners and resellers set their own price above it and keep the margin — a partner charging £1.99 retains £1.49 per device monthly. A referral layer pays introducers 10p per device per month, permanently: distribution that funds itself.

The structural advantage is cost shape. Sovereign deployment moves decision execution onto customer hardware, so vendor infrastructure cost is flat with respect to decision volume. Incumbent per-seat GRC pricing (typically £20k–£100k+ annually) leaves the mid-market unserved; 50p per device is priced for the platforms the incumbents ignore — and August 2026 obligates precisely those platforms.

Free to integrate. 100 decisions included. No card.
Guardian is free for families, permanently.
Get an API key →
// Section 12

Funding.

Position, stated plainly: the platform is live, the billing loop is verified end-to-end, and the company is pre-revenue. Four years of development were self-funded on infrastructure costing pounds per month. There is no burn to outrun — the engine survives indefinitely at current cost. What capital buys is speed, not survival.

// The raise

Seeking £500,000 to convert a working engine into a market position ahead of enforcement: incorporation and compliance certifications (ISO 27001, Cyber Essentials Plus); first engineering and partner-support hires to retire the single-founder bottleneck; white-label partner onboarding; and standing up the cross-chain anchoring network while the standard is uncontested.

Diligence starts at the endpoints: every technical claim in this paper is verifiable against production before a single call is taken.

Open a conversation →