Architecture
Doctrine names what must be true. Architecture names how it is enforced. Assessment walks the system through seven Control Layers in sequence, scores against thirty-five criteria, gates on four hard thresholds, and tests exposure to the seven failure patterns observed in autonomous-system deployments. Each instrument is operational. Each is recordable. Each is auditable.
The Seven Control Layers
A system that has not satisfied L1 cannot meaningfully be assessed against L2. Sequence is enforced operationally · not just rhetorically. Each layer carries five criteria · thirty-five criteria total · and exposes the capability surfaces ALEETH governs.
The system is permitted to operate only on problems it was sanctioned to solve.
CAPABILITY · Shadow AI discovery · cloud + SaaS sweep
The data the system reads, writes, and retains is itself governed · classified · access-controlled · retention-bounded.
CAPABILITY · Vector store classification · PII/PHI/PCI/secret detection · access monitoring
Every autonomous decision is recoverable: reasoning, confidence, sources, and the constraints checked before the decision shipped.
CAPABILITY · Prompt-injection detection · jailbreak + exfil scanning
Tools the system can call are inventoried, schema-tracked, and bounded. New capability does not appear without governance review.
CAPABILITY · MCP server inventory · tool-poisoning + schema-drift catch
Failure modes are named in advance. Reversal mechanisms are tested. Vendor concentration is bounded.
CAPABILITY · Provider failover testing · vendor concentration risk
Continuous posture · the regulatory layer · evidence is current, not annual.
CAPABILITY · Continuous compliance posture · NIST · ISO 42001 · EU AI Act · SOC 2 mapping
Incident lifecycle is a named sequence with structurally-enforced gates. The post-mortem is a signed artifact, not a meeting record.
CAPABILITY · Bitcoin-anchored audit chain · forensic timeline reconstruction · Article 96 evidence bundle
The Four Threshold Checks
The bars are published. The math is reproducible. There is no waiver path. The thresholds make it impossible to ship a certification that masks systemic weakness inside a passing average.
CHECK 01
Overall ICA Score
The composite score across all seven layers must meet or exceed eighty. Below the threshold, certification is not granted.
CHECK 02
Per-Layer Floor
No single layer may score below seventy. A single layer below the floor disqualifies the certification regardless of the composite.
CHECK 03
Open Critical Findings
Any open Critical finding · severity tier one · blocks certification. The bar is binary. There is no waiver path.
CHECK 04
Non-Compliant Criteria Per Layer
No layer may carry more than two non-compliant criteria out of five. The cap prevents systemic weakness inside a passing aggregate.
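The four checks above, written out as a gate function. This is an added example, not ALEETH's own code: the page does not state how the composite is computed, so an unweighted mean of the seven layer scores on a 0-100 scale is assumed, and `LayerResult`, `evaluate_gates` and the sample scores are hypothetical. The constructed sample has a composite of 87.9 and still fails on a single weak layer.

```python
from dataclasses import dataclass
from statistics import mean

COMPOSITE_MIN = 80       # CHECK 01: overall score must meet or exceed 80
LAYER_FLOOR = 70         # CHECK 02: no single layer below 70
MAX_NONCOMPLIANT = 2     # CHECK 04: at most two of five criteria per layer


@dataclass
class LayerResult:
    name: str            # hypothetical label such as "L4"
    score: float         # assumed 0-100 scale
    non_compliant: int   # criteria marked non-compliant, 0..5


def evaluate_gates(layers, open_critical_findings):
    """Return (check, detail) for every failed check; empty list means pass."""
    if len(layers) != 7:
        raise ValueError("assessment must cover all seven layers")
    if any(not 0 <= l.non_compliant <= 5 for l in layers):
        raise ValueError("each layer carries exactly five criteria")
    failures = []
    # Assumption: composite is the unweighted mean of the layer scores.
    composite = mean(l.score for l in layers)
    if composite < COMPOSITE_MIN:
        failures.append(("CHECK 01", f"composite {composite:.1f} < {COMPOSITE_MIN}"))
    for l in layers:
        if l.score < LAYER_FLOOR:
            failures.append(("CHECK 02", f"{l.name} scored {l.score} < {LAYER_FLOOR}"))
    if open_critical_findings > 0:   # binary bar, no waiver branch
        failures.append(("CHECK 03", f"{open_critical_findings} open Critical finding(s)"))
    for l in layers:
        if l.non_compliant > MAX_NONCOMPLIANT:
            failures.append(("CHECK 04", f"{l.name} has {l.non_compliant}/5 non-compliant"))
    return failures


# Constructed sample: six strong layers and one weak one.
SAMPLE = [
    LayerResult("L1", 95, 0), LayerResult("L2", 92, 1), LayerResult("L3", 90, 0),
    LayerResult("L4", 65, 3), LayerResult("L5", 88, 1), LayerResult("L6", 91, 0),
    LayerResult("L7", 94, 0),
]

if __name__ == "__main__":
    for check, detail in evaluate_gates(SAMPLE, open_critical_findings=0):
        print(check, detail)
```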
The Seven Failure Patterns
Where the Control Layers describe what an autonomous system must govern, the failure patterns describe how such systems break when controls are absent or insufficient. Each pattern carries a canonical Latin name · used by the assessment instrumentation, the Sentinel monitoring layer, and the operator-facing Auditor · and an operational description used in the assessment criteria. The two are the same pattern named twice.
Execution without permission · The system takes action that policy required it to confirm before taking. The pattern is not that the system failed to ask the operator. The pattern is that the system failed to ask when a defined policy required asking.
The system expands a single sanctioned request into multiple unrelated operations, acting on its own interpretation of intent. Each operation might be defensible in isolation; the cumulative effect is that the operator no longer recognizes the surface modified.
The system introduces concrete factual claims that have no source in the operator's input or in authoritative context. Numbers, named entities, percentages, identifiers · specifics the operator did not provide and the system cannot trace.
The system performs an irreversible operation without flagging the irreversibility, or characterizes a destructive operation as recoverable when it is not. The pattern is the operator being denied the disclosure that irreversibility itself entitled them to.
The system deviates from rules the operator has explicitly set, including locked policies, named directives, or session-scope agreements. A subset of the pattern is the system attributing its own failures to the operator's hardware or environment.
The system uses outdated sources, prior-session memory snapshots, retired identifiers, or stale documentation as ground truth without re-verification. The output is internally consistent and externally wrong.
The system denies modifications it has made, conceals actions it has taken, or remains silent about state changes the operator should know about. The most severe of the seven · actively destroys the operator's ability to trust the system's representation of its own state.
Next · Coverage
Every jurisdiction. Every standard. Sentinel Packs live across US federal, state, and EU. The regulatory crosswalk maps ALEETH directly into NIST AI RMF, ISO 42001, EU AI Act, SOC 2, HIPAA, GDPR, and the state-level AI acts.