Runtime proof · OVERT

Independent AI Attestation: Proof, Not Promises

Independent AI attestation is tamper-evident proof a third party can verify that your AI controls executed — without protected data leaving home.

Joe Braidwood
Joe BraidwoodCo-founder & CEO
June 2026 · 6 min read

Most claims about AI safety are recollections. Independent AI attestation is meant to be evidence. The difference matters because a system that acts — at the inference call, the tool call, the agent boundary — produces consequences that someone, eventually, will be asked to account for. When that moment arrives, a policy document describes what was supposed to happen. A self-reported log describes what an operator says happened. Neither is proof.

The word “independent” is the load-bearing one, and it is the part most often quietly dropped. Plenty of systems generate something they call attestation. Far fewer produce a record that an outside party can verify without taking the operator’s word for it. This piece is about that distinction — what separates attestation that is genuinely independent from a confident dashboard wearing the costume of proof — grounded in the four commitments of the OVERT open standard.

For the head-term primer on the mechanics, see our companion guide, AI attestation: cryptographic compliance evidence. This piece goes one level deeper on the property that makes any of it count: independence.

Why independent AI attestation is the property that counts

As OVERT puts it: governance has always been able to say what ought to be done; it has rarely been able to prove what was. Policies, audit narratives, and self-reported logs record intentions and recollections — they are not evidence.

So when a control runs, attestation should capture it as a by-product of the work itself. A governed action — a permit, a deny, an override, an escalation, a response — yields a record an auditor can verify after the fact. The claim is narrow and checkable: this enforcing component, in this configuration, was active when this action occurred. Not “we take safety seriously.” Not “controls are in place.” A specific, falsifiable statement about a specific event.

But a falsifiable statement is only as good as the party that can falsify it. If the operator both runs the AI and is the sole keeper of the record, the statement reverts to a promise. Independence is what turns a checkable claim into a checked one — by ensuring the checker is not the same entity as the checked.

The timing of this is not academic. According to reporting from Bloomberg and CNBC, a single discovered jailbreak was enough to pull a frontier model off the market for a class of users in June 2026. When one finding can have consequences that large, the ability to show — independently, after the fact — which controls actually held becomes the question operators, buyers, regulators, and insurers all converge on.

Four properties that make attestation real

OVERT names four commitments. Read them as a test: strip any one out, and what you have left is assertion.

Evidence, not assertion

A governed action yields a receipt a third party can check — not a claim it is asked to trust. This is the line between attestation and a status page. A status page tells you the operator’s system believes a control fired. A receipt lets an independent party confirm it did, using cryptography rather than goodwill. If the only way to verify your AI security posture is to take the vendor’s word for it, you have a report, not evidence.

Containment by construction

Verification is supposed to reduce risk, not create new risk. The naive way to prove what your AI did is to hand over the transcripts — the prompts, the outputs, the data the model touched. That turns every audit into a fresh data-egress event, which is unacceptable in healthcare, financial services, or defense.

OVERT’s answer is containment by construction: only cryptographic fingerprints and signatures cross the boundary. The content stays home. An auditor can confirm that an event occurred, in what order, under which control, without ever seeing the underlying data. The attestation channel is silent about everything it need not disclose — which is what makes it safe to use at all.

Independence by structure

This is the property the name promises, and the one most often faked. Self-attestation is not independent attestation. If the same party that operates the AI also generates, signs, and stores the proof that it behaved, the proof is only as trustworthy as that party — which is to say, it is not proof, it is a promise with extra steps.

Independence here means whoever attests is structurally separate from whoever is governed. The attesting component is not under the operator’s unilateral control; the telemetry is not reducible to logs the operator could quietly edit. This is not a matter of intent or good faith. It is a matter of structure — built so that the record cannot be forged even if someone wanted to, and so an outside reviewer never has to wonder whether it was.

Measurement, not adjective

Safety stated as an adjective — “robust,” “secure,” “rigorously tested” — cannot be reproduced, so it cannot be audited. Measurement can. OVERT asks for safety expressed in intervals and sample sizes an auditor can reproduce: what was in scope, what was excluded, how the denominators were derived. “We block prompt injection” is an adjective. “Over this window, across this population of calls, here is the coverage and here is how it was counted” is a measurement. Only one of them survives scrutiny.

What an independent receipt actually contains

Concretely, the unit of evidence in OVERT is the ControlAction — the receipt a governed action emits. A verifiable ControlAction receipt is built to answer the questions a security reviewer or auditor actually asks:

OVERT 1.1 also publishes an informative reference schema for the ControlAction artifact, so implementers have a concrete shape to build and verify against. The receipt is the deliverable. Everything else — the policies, the diagrams, the intentions — is context around it.

Why an open AI security standard makes independence credible

Independence is hard to claim inside a closed, single-vendor system, because the thing you would most want to verify is the vendor’s own honesty. An open standard changes the footing. OVERT is GLACIS’s royalty-free, openly published AI security standard for exactly this: producing independent, tamper-evident proof that runtime controls executed, without protected content leaving the operator’s environment.

Because the format and the verification procedure are public, a receipt is not a proprietary token you have to take on faith — it is an artifact anyone holding the standard can check. That is what makes it a foundation for verifiable AI rather than another dashboard: the proof outlives the relationship with any one vendor, and an auditor, a regulator, or an insurer can verify it on their own terms.

This is the shift the moment calls for. Documentation, questionnaires, and AI governance dashboards describe intent — what an organization means to do. Independent AI attestation proves execution — what the system actually did. As AI systems take on more consequential actions, the gap between those two is the gap that will eventually need to be answered for.

The short version

AI attestation is only worth the name when it is independent: evidence not assertion, contained by construction, separate by structure, and measured rather than described. A receipt the operator can forge is not proof. A receipt anyone can check — without your data ever leaving home — is.

Read the full standard at overt.is, or verify a receipt to see what independent AI attestation looks like in practice. When you’re ready to put controls behind it, get runtime coverage.