Skip to content
Paula Livingstone writing · projects · tools

Projects

Attestable

When probabilistic AI feeds safety-critical systems, unproven output can drive physical action unchecked. Attestable is a discipline for marking a claim's basis, so it cannot.

OT SecurityCyber-Physical AssuranceIEC 62443ProvenanceSafety CaseLLM Agents

Every source below is open-access, with a link to its full text. The list is kept in two tiers: sources read in full and drawn on in the work, and sources found and under review but not yet incorporated. The distinction is deliberate. A source that has not been read cannot yet be relied upon, and is not presented as though it had been.

Read and cited

  1. Kalai, A. T., Nachum, O., Vempala, S. S., & Zhang, E. (2025). Why Language Models HallucinatearXiv:2509.04664.

    The mechanism: models are optimised to guess rather than abstain, so basis-free assertion is by design. Read copy: https://server1.lon1.cdn.digitaloceanspaces.com/paulalivingstone/citations/Why%20Language%20Models%20Hallucinate.pdf

  2. Groot, T., & Valdenegro-Toro, M. (2024). Overconfidence is Key: Verbalized Uncertainty Evaluation in Large Language and Vision-Language ModelsarXiv:2405.02917.

    Confidence is poorly calibrated; used, then set aside as the argument does not depend on calibration. Read copy: https://server1.lon1.cdn.digitaloceanspaces.com/paulalivingstone/citations/Overconfidence%20is%20Key.pdf

  3. Hicks, M. T., Humphries, J., & Slater, J. (2024). ChatGPT is BullshitEthics and Information Technology 26(2):38.

    The philosophical adjacency: assertion with no regard for truth, at the level of the speech act. Read copy: https://server1.lon1.cdn.digitaloceanspaces.com/paulalivingstone/citations/ChatGPT%20is%20bullshit.pdf

  4. Yeom, S., Kim, M.-G., & Park, J. H. (2026). Understanding nursing handoff errors in clinical practiceBMC Nursing 25:359.

    Handover loses information; it does not evidence loss of basis, which remains this work to argue. Read copy: https://server1.lon1.cdn.digitaloceanspaces.com/paulalivingstone/citations/Understanding%20nursing%20handoff%20errors%20in%20clinical%20practice.pdf

  5. (2013). PROV-DM: The PROV Data ModelW3C Recommendation.

    Provenance can be used to form assessments; the assessment is placed outside PROV itself.

  6. (2013). Constraints of the PROV Data ModelW3C Recommendation.

    Validity means internal consistency, explicitly not truth or reliability.

  7. (2013). PROV-O: The PROV OntologyW3C Recommendation.

    The OWL encoding; no classes for authorization or admissibility.

  8. (2013). PROV-OverviewW3C Working Group Note.

    Confirms assessment is a potential use by external parties, not a function within PROV.

  9. Open Policy Agent — Documentationopenpolicyagent.org.

    A general-purpose policy engine: accepts arbitrary structured data, decouples decision from enforcement, supplies no model of the input.

  10. Rego — Policy Language Referenceopenpolicyagent.org.

    Domain-agnostic; no built-in notion of evidence, basis, or fitness-for-action. The user must define and supply them.

  11. (2021). Vulnerabilities and Attacks Against Industrial Control Systems and Critical InfrastructuresarXiv:2109.03945.

    Read in full. Purdue/DMZ zoning + full ICS attack catalogue (Stuxnet, Ukraine, Triton). Scaffolds the compartmentalisation convergence.

  12. (2013). eXtensible Access Control Markup Language (XACML) 3.0OASIS Standard.

    The older attribute-based access-control lineage: evaluates supplied attributes without defining what they mean.

  13. in-toto Attestation Framework: Specificationin-toto project.

    Authenticated metadata: the predicate carries arbitrary claims but in-toto does not validate their truth. Transport, not model; its intended consumers are policy engines.

  14. (2023). Supply-chain Levels for Software Artifacts (SLSA): Threat ModelOpenSSF.

    Entirely adversary-framed; makes no claims about whether an artifact is correct, true, or fit for purpose. False Determinism is outside its threat model by construction.

  15. Guo, C., Pleiss, G., Sun, Y., & Weinberger, K. Q. (2017). On Calibration of Modern Neural NetworksICML 2017 (arXiv:1706.04599).

    Modern networks are poorly calibrated, but temperature scaling largely fixes it post hoc. That a one-parameter fix works shows calibration is not the deep issue.

  16. Huang, L., et al. (2023). A Survey on Hallucination in Large Language Models: Principles, Taxonomy, Challenges, and Open QuestionsACM TOIS (arXiv:2311.05232).

    The mainstream, peer-reviewed view: hallucination is mitigable, not inevitable. Cited as the countervailing position the mechanism argument must accommodate.

  17. Geifman, Y., & El-Yaniv, R. (2019). SelectiveNet: A Deep Neural Network with an Integrated Reject OptionICML 2019 (arXiv:1901.09192).

    Selective prediction / reject option: a model may abstain, trading coverage for a bounded error rate on what it answers. The ML register of "not every claim should be acted on."

  18. Mozannar, H., & Sontag, D. (2020). Consistent Estimators for Learning to Defer to an ExpertICML 2020 (arXiv:2006.01862).

    Learning to defer: the model hands off based on the DOWNSTREAM expert's expected accuracy, not its own uncertainty. Action-relative admissibility, reached independently by ML.

  19. Zhang, Y., et al. (2023). Siren's Song in the AI Ocean: A Survey on Hallucination in Large Language ModelsarXiv:2309.01219.

    Second hallucination survey, read in full. Independent taxonomy (input/context/fact-conflicting) and the same life-cycle causal account as Huang; same mitigation stance. Triangulates the mainstream view.

  20. Okafor, C., Schorlemmer, T. R., Torres-Arias, S., & Davis, J. C. (2024). SoK: Analysis of Software Supply Chain Security by Establishing Secure Design PropertiesSCORED (arXiv:2406.10109).

    Systematizes supply-chain security into transparency / validity / separation. Confirms integrity establishes an unchanged, authorized artefact, not correctness or fitness of what it does.

  21. INL / DOE CyOTE (2022). Case Study: TRITON Malware Attack Against Petro RabighINL/RPT-22-67981.

    The canonical intrusion-to-safety-controller case. Contains a documented False Determinism event: engineers diagnosed an attacker-caused SIS trip as a mechanical error and resumed operations.

  22. MITRE ATT&CK for ICS: Triton (S1009)MITRE ATT&CK.

    Confirms Triton targeted Triconex SIS controllers and could reprogram SIS logic to allow unsafe conditions to persist.

  23. (2025). Cyber Security of OT Networks: A Tutorial and OverviewarXiv:2502.14017.

    OT security field anchor: IT-vs-OT priority inversion (safety/availability first), Purdue model, IEC 62443 zones/conduits, and the irreversibility of physical actions.

  24. Hawkins, R., Paterson, C., Picardi, C., Jia, Y., Calinescu, R., & Habli, I. (2021). Guidance on the Assurance of Machine Learning in Autonomous Systems (AMLAS)Univ. of York / arXiv:2102.01564.

    The hardest test of the safety-assurance exclusion. Assures the ML component at design time; presupposes evidence standing; names automation bias but hands it on. Confirms it consumes admissibility judgements rather than producing them.

  25. Torres-Arias, S., et al. (2019). in-toto: Providing farm-to-table guarantees for bits and bytesUSENIX Security 19.

    Primary in-toto paper, read in full. Threat model is adversarial and about process integrity (layout/artifact-flow/step-authentication); a step by the authorized functionary is trusted in its output. Verifies custody and sequence, not content correctness. Read copy: https://server1.lon1.cdn.digitaloceanspaces.com/paulalivingstone/citations/sec19-torres-arias.pdf

  26. Kelly, T. P., & Weaver, R. A. (2004). The Goal Structuring Notation: A Safety Argument NotationDSN 2004 Workshop on Assurance Cases.

    GSN foundational paper, read in full. A safety argument structures the connection between a top claim and its supporting evidence (goals, strategies, context, solutions); it organises reasoning over evidence whose standing is presupposed. Read copy: https://server1.lon1.cdn.digitaloceanspaces.com/paulalivingstone/citations/The_goal_structuring_notation-a_safety_argument_no.pdf

  27. Moreau, L. (2010). The Foundations for Provenance on the WebFoundations and Trends in Web Science 2(2-3).

    The canonical provenance survey, read in full. Provenance is a logbook: it offers the means to decide whether data can be trusted, but the decision is made by a separate reasoner. Grew from closed database/workflow systems; Web provenance was built precisely to cross the handover boundary this work adjudicates. Read copy: https://server1.lon1.cdn.digitaloceanspaces.com/paulalivingstone/citations/psurvey.pdf

  28. Mitchell, M., et al. (2019). Model Cards for Model ReportingFAT* 19.

    Documentation, not adjudication (read in full). Describes a model in general, intended use and out-of-scope uses, for a human reader at design time. Gestures at fitness-for-purpose but does not represent an individual output's basis or adjudicate at runtime.

  29. Gebru, T., et al. (2018). Datasheets for DatasetsarXiv:1803.09010.

    Documentation of a dataset at creation time for humans (read in full). Records recommended/proscribed uses as guidance, not binding runtime constraint. Same kind as provenance: record, not permission.

  30. Simmhan, Y. L., Plale, B., & Gannon, D. (2005). A Survey of Data Provenance TechniquesIndiana Univ. TR IUB-CS-TR618.

    Second canonical provenance survey (e-science/workflow). States the boundary: provenance backs a history "that will allow the user to apply their own metrics to determine if the data is acceptable." Record informs; user decides. Read copy: https://server1.lon1.cdn.digitaloceanspaces.com/paulalivingstone/citations/Simmhan-provenance-survey.pdf

  31. Alam, M. M., & Wang, W. (2021). A Comprehensive Survey on the State-of-the-art Data Provenance Approaches for Security EnforcementJ. Computer Security 29(4) / arXiv:2107.01678.

    The nearest-to-adjudication provenance strand, and it still separates record from decision: provenance is captured; a separate analyzer, invoked by users, determines attack behaviour. Forensic/retrospective. Its reference-monitor triad (tamperproof, complete-mediation, verifiable) = the admissibility-gate requirements, reached independently. Read copy: https://server1.lon1.cdn.digitaloceanspaces.com/paulalivingstone/citations/Alam-provenance-security-survey.pdf

  32. NIST (Hu, V. C., et al.) (2014). Guide to Attribute Based Access Control (ABAC)NIST SP 800-162.

    The ABAC standard. The mechanism decides and enforces; policy is authored separately. Content-neutral. The metaattribute passage (an assurance score MAY feed the decision, if supplied) confirms ABAC is ready to evaluate a basis model it does not produce. Read copy: https://server1.lon1.cdn.digitaloceanspaces.com/paulalivingstone/citations/NIST.SP.800-162.pdf

  33. Alam, M. M., & Wang, W. (2021). A Survey on Data Provenance Approaches for Security EnforcementJ. Computer Security / arXiv:2107.01678.

    Nearest-to-adjudication provenance strand, still separating record from decision (capture vs. a separate analyzer). Its reference-monitor triad mirrors the admissibility-gate requirements. Read copy: https://server1.lon1.cdn.digitaloceanspaces.com/paulalivingstone/citations/Alam-provenance-security-survey.pdf

  34. Parasuraman, R., & Riley, V. (1997). Humans and Automation: Use, Misuse, Disuse, AbuseHuman Factors 39(2):230-253.

    The seminal automation-trust taxonomy. Misuse = overreliance, failing to monitor. Catalogues CFIT and autopilot accidents where crews acted on conveyed state indistinguishable from correct. Read copy: https://server1.lon1.cdn.digitaloceanspaces.com/paulalivingstone/citations/Parasuraman-Riley-1997-use-misuse-disuse-abuse.pdf

  35. Mehrotra, S., et al. (2023). A Systematic Review on Fostering Appropriate Trust in Human-AI InteractionarXiv:2311.06305.

    Carries classic trust-in-automation into the AI era. Names automation bias, blind reliance, and appropriate-trust/calibration (reliance matched to capability, requiring purpose/process/performance = basis). Read copy: https://server1.lon1.cdn.digitaloceanspaces.com/paulalivingstone/citations/Mehrotra-2023-appropriate-trust-review.pdf

  36. Leonard, N. (2021). Epistemological Problems of TestimonyStanford Encyclopedia of Philosophy.

    The bounded coda anchor. Transmission-vs-generation debate = whether authority can grow across the speaker-hearer boundary. The persistent-believer case (hearer justified where speaker was not) = the promotion this work names; philosophy has the case but no name for the elevation itself.

  37. Kendall, A., & Gal, Y. (2017). What Uncertainties Do We Need in Bayesian Deep Learning for Computer Vision?NIPS 2017 / arXiv:1703.04977.

    Aleatoric (irreducible observation noise) vs epistemic (model ignorance, reducible). Confidence conflates two things, neither is evidence a claim holds. Opens with the first assisted-driving fatality. Read copy: https://server1.lon1.cdn.digitaloceanspaces.com/paulalivingstone/citations/Kendall-Gal-2017-what-uncertainties.pdf

  38. Angelopoulos, A. N., & Bates, S. (2021). A Gentle Introduction to Conformal Prediction and Distribution-Free Uncertainty QuantificationarXiv:2107.07511.

    The most rigorous UQ rung: distribution-free prediction sets. But coverage is MARGINAL (averaged over the distribution), not a per-claim warrant. Read copy: https://server1.lon1.cdn.digitaloceanspaces.com/paulalivingstone/citations/Angelopoulos-Bates-2021-conformal-prediction.pdf

  39. Conti, M., Donadel, D., & Turrin, F. (2021). A Survey on Industrial Control System Testbeds and Datasets for Security ResearcharXiv:2102.05631.

    Scaffolds the CIA-inversion claim: OT ranks availability/safety above confidentiality, so acting on a wrong value is physical harm not disclosure. Conti-2021-ICS-testbeds-datasets. Read copy: https://server1.lon1.cdn.digitaloceanspaces.com/paulalivingstone/citations/Conti-2021-ICS-testbeds-datasets.pdf

  40. Humayed, A., Lin, J., Li, F., & Luo, B. (2017). Cyber-Physical Systems Security: A SurveyarXiv:1701.04525.

    Scaffolds the boundary claim: the cyber/cyber-physical/physical decomposition names the point computation becomes physical action = where the gate sits. Humayed-2017-cyber-physical-systems-security. Read copy: https://server1.lon1.cdn.digitaloceanspaces.com/paulalivingstone/citations/Humayed-2017-cyber-physical-systems-security.pdf

  41. Bhamare, D., et al. (2020). Cybersecurity for Industrial Control Systems: A SurveyComputers & Security / arXiv:2002.04124.

    Scaffolds the why-now claim: automation is already an OT attack vector (SCADA brute-force), so probabilistic AI intensifies an existing exposure. Bhamare-2020-cybersecurity-for-ICS. Read copy: https://server1.lon1.cdn.digitaloceanspaces.com/paulalivingstone/citations/Bhamare-2020-cybersecurity-for-ICS.pdf

  42. Li, Y., Wu, S., & Pan, Q. (2023). Network Security in the Industrial Control System: A SurveyarXiv:2308.03478.

    Scaffolds the positioning claim: characterises the defence-in-depth paradigm that admissibility is ORTHOGONAL to (authorised transit != sufficient basis). ICS-network-security-survey-2023. Read copy: https://server1.lon1.cdn.digitaloceanspaces.com/paulalivingstone/citations/ICS-network-security-survey-2023.pdf

  43. NIST (2023). Artificial Intelligence Risk Management Framework (AI RMF 1.0)NIST AI 100-1.

    AI-gov block. Four functions (Govern/Map/Measure/Manage); "valid and reliable" as the foundational trustworthiness characteristic, accountability and transparency as distinct ones. Frames admissibility vs process-accountability.

  44. European Union (2024). Regulation (EU) 2024/1689 (Artificial Intelligence Act), Article 13Official Journal of the European Union L 2024/1689.

    AI-gov block. Art.13: high-risk systems must be transparent enough for the deployer to interpret output and "use it appropriately". Transparency owed TO the receiver; law names the handover, does not specify a per-output basis representation.

  45. Raji, I. D., Smart, A., White, R. N., Mitchell, M., Gebru, T., Hutchinson, B., Smith-Loud, J., Theron, D., & Barnes, P. (2020). Closing the AI Accountability Gap: Defining an End-to-End Framework for Internal Algorithmic AuditingFAT* 2020; arXiv:2001.00973.

    AI-gov block. Auditing is process/lifecycle accountability: checks the development process was done, not that a particular output basis suffices for a particular act. Description-vs-adjudication line in the governance register.

  46. Doshi-Velez, F., & Kim, B. (2017). Towards A Rigorous Science of Interpretable Machine LearningarXiv:1702.08608.

    AI-gov block. Interpretability serves auxiliary goals (trust, fairness, causality) that "evaluation metrics cannot capture" - the field admits its quality measures do not certify soundness. Interpretability is not admissibility.

  47. OECD (2019). Recommendation of the Council on Artificial Intelligence, Principle 1.3 (Transparency and explainability)OECD/LEGAL/0449.

    AI-gov block. Principle 1.3: provide meaningful information to enable those affected to understand and to challenge the output. Explanation owed so a decision can be contested; receiver needs the basis. Accountability Principle 1.5 text not yet read, not cited.

  48. NIST (2024). Artificial Intelligence Risk Management Framework: Generative AI ProfileNIST AI 600-1.

    AI-gov block, strongest official witness. Names "Confabulation" (confidently stated but erroneous content by which users may be misled) and "Human-AI Configuration" (automation bias, over-reliance) as official GAI risk categories, plus content provenance as a core consideration.

  49. Mittelstadt, B., Russell, C., & Wachter, S. (2018). Explaining Explanations in AIFAT* 2019; arXiv:1811.01439.

    AI-gov/xAI keystone. LIME and gradient/linear methods are simplified models that approximate the true criteria ("all models are wrong, but some are useful"), give "false assurances", and "do not provide evidence of the trustworthiness or acceptability of the model overall".

  50. Bhatt, U., Xiang, A., Sharma, S., Weller, A., Taly, A., Jia, Y., Ghosh, J., Puri, R., Moura, J. M. F., & Eckersley, P. (2020). Explainable Machine Learning in DeploymentFAT* 2020; arXiv:1909.06342.

    AI-gov empirical witness. ~50 interviews at ~30 orgs: explainability as deployed serves internal ML engineers, not the affected end users - "a gap between explainability in practice and the goal of transparency". Governance mandate failing in the field.

  51. Wachter, S., Mittelstadt, B., & Russell, C. (2018). Counterfactual Explanations Without Opening the Black Box: Automated Decisions and the GDPRHarvard Journal of Law & Technology 31(2); arXiv:1711.00399.

    AI-gov flagship legal remedy. Counterfactuals "do not attempt to convey the logic involved" and bypass the internal workings; authors doubt human-comprehensible meaningful information about a particular decision can ever exist. Three receiver-side aims: understand, contest, alter.

  52. Selbst, A. D., & Barocas, S. (2018). The Intuitive Appeal of Explainable MachinesFordham Law Review 87(3):1085-1139.

    AI-gov 10th. Inscrutability (what the rules are) vs nonintuitiveness (why the rules are appropriate) are distinct: a description of the rules does not justify them. Making a model interpretable may not help if the goal is to assess whether the basis for decision-making is normatively defensible. Explanation-as-action takes decisions as given and shifts responsibility to those affected.

  53. Umer, M. A., Junejo, K. N., Jilani, M. T., & Mathur, A. P. (2022). Machine Learning for Intrusion Detection in Industrial Control Systems: Applications, Challenges, and RecommendationsarXiv:2202.11917.

    OT/AI boundary. ML intrusion/anomaly detection in ICS at network level (packets) and physical-process level. Detected anomalies are reported to plant engineers expected to take appropriate actions - the handover. Behaviour-based ML detection carries zero-day and false-alarm problems.

  54. Luo, Y., Xiao, Y., Cheng, L., Peng, G., & Yao, D. (2021). Deep Learning-Based Anomaly Detection in Cyber-Physical Systems: Progress and OpportunitiesACM Computing Surveys; arXiv:2003.13213.

    OT/AI boundary. Taxonomy of DL anomaly detection in CPS by threat model, detection strategy, and anomaly scores. Explicitly discusses deficiencies of DL approaches. The learned boundary monitor emits a score, not a basis - ties to the UQ thread.

  55. Anthi, E., Williams, L., Rhode, M., Burnap, P., & Wedgbury, A. (2020). Adversarial Attacks on Machine Learning Cybersecurity Defences in Industrial Control SystemsJournal of Information Security and Applications; arXiv:2004.05005.

    OT/AI boundary, fatality of the method. ML-based IDS at the ICS boundary evaded by adversarial samples (JSMA): Random Forest and J48 accuracy decreased by 16 and 20 percentage points under attack, diverting malicious data past the detector. The learned firewall can be crossed by design.

  56. Sayghe, A., Hu, Y., Zografopoulos, I., Liu, X., Dutta, R. G., Jin, Y., & Konstantinou, C. (2020). A Survey of Machine Learning Methods for Detecting False Data Injection Attacks in Power SystemsIET Cyber-Physical Systems; arXiv:2008.06926.

    OT/AI boundary. ML detectors guarding power-system state estimation against false data injection. FDIAs can bypass residual-based Bad Data Detection; ML detectors adopted for speed and accuracy but are themselves learned classifiers over the boundary.

  57. Bui, V.-H., Das, S., Hussain, A., Hollweg, G. V., & Su, W. (2024). A Critical Review of Safe Reinforcement Learning Techniques in Smart Grid ApplicationsarXiv:2409.16256.

    OT/AI decision-making. DRL makes control decisions in power systems but often falls short in guaranteeing safety, a critical concern in critical infrastructure; safety issues always receive top priority while DRL may not meet operators safety requirements. Priority inversion applied to a learned controller.

  58. Irfan, M., Sadighian, A., Tanveer, A., Al-Naimi, S. J., & Oligeri, G. (2023). False Data Injection Attacks in Smart Grids: State of the Art and Way ForwardarXiv:2308.10268.

    OT/AI decision-making. FDI corrupts the internal state-estimation process that feeds control, able to bypass conventional Bad Data Detection. The decision input the controller acts on can be falsified stealthily - basis is corruptible at source.

  59. Kushwaha, A., Ravish, K., Lamba, P., Kumar, P., & Mahajan, A. (2026). A Survey of Safe Reinforcement Learning and Constrained MDPs: A Technical Survey on Single-Agent and Multi-Agent SafetyarXiv:2505.17342.

    OT/AI decision-making. CMDP formalism for constraining a learned policy actions. Constrained approaches bound risk probabilistically rather than guaranteeing safety absolutely; industrial process control where exceeding a limit once can be catastrophic.

  60. Cummins, L., Sommers, A., Bakhtiari Ramezani, S., Mittal, S., Jabour, J., Seale, M., & Rahimi, S. (2024). Explainable Predictive Maintenance: A Survey of Current Methods, Challenges and OpportunitiesIEEE Access; arXiv:2401.07871.

    OT/AI decision-making. ML predicts optimal maintenance time, driving actions. As methods are adopted for potentially life-threatening applications, human operators need to trust the predictive system, so XAI is introduced to amplify trust - the explanation-vs-basis gap, in OT maintenance decisions. Ties to the AI-gov block.

  61. Bezold, V., Wagner, P., Hofmann, J., Huber, M., & Sauer, A. (2025). Trustworthy and Explainable Deep Reinforcement Learning for Safe and Energy-Efficient Process Control: A Use Case in Industrial Compressed Air SystemsarXiv:2512.18317.

    OT/AI decision-making, the foil. A DRL agent emits compressor setpoints (a physical control action) with a SHAP/gradient-sensitivity explainability pipeline claiming trustworthiness. Uses exactly the post-hoc explanation methods the AI-gov entry showed are approximations, not evidence of basis.

  62. Hendrycks, D., & Gimpel, K. (2017). A Baseline for Detecting Misclassified and Out-of-Distribution Examples in Neural NetworksICLR 2017; arXiv:1610.02136.

    TML/OOD. Softmax classifier probabilities are not directly useful as confidence estimates: random Gaussian noise into an MNIST classifier gives 91% predicted class probability. A confident output on an input unlike anything in training - the wrong-category claim demonstrated. Max-softmax is a useful OOD baseline but poor as a confidence signal.

  63. Lakshminarayanan, B., Pritzel, A., & Blundell, C. (2017). Simple and Scalable Predictive Uncertainty Estimation using Deep EnsemblesNeurIPS 2017; arXiv:1612.01474.

    TML/epistemic UQ. Deep ensembles as a non-Bayesian alternative for predictive uncertainty. Key: a prediction may be accurate yet miscalibrated, and vice versa (calibration orthogonal to accuracy). Even improved methods only express higher uncertainty on OOD - still a distributional signal, not a per-claim basis.

  64. Sensoy, M., Kaplan, L., & Kandemir, M. (2018). Evidential Deep Learning to Quantify Classification UncertaintyNeurIPS 2018; arXiv:1806.01768.

    TML/evidential UQ (Dempster-Shafer/subjective logic). Places a Dirichlet over class probabilities to represent evidence and I-do-not-know. Diagnoses softmax as not capable of inferring predictive-distribution variance; the distance of the predicted label is not useful for the conclusion. Still yields an evidence-mass distribution, not a per-action warrant.

  65. Ovadia, Y., Fertig, E., Ren, J., Nado, Z., Sculley, D., Nowozin, S., Dillon, J. V., Lakshminarayanan, B., & Snoek, J. (2019). Can You Trust Your Model's Uncertainty? Evaluating Predictive Uncertainty Under Dataset ShiftNeurIPS 2019; arXiv:1906.02530.

    TML capstone/calibration-under-shift. Large-scale benchmark: traditional post-hoc calibration does indeed fall short under dataset shift. The calibration reassurance (Guo) evaporates exactly when inputs move away from training - i.e. exactly when stakes rise. Uncertainty quality and accuracy both degrade under shift.

  66. Nixon, J., Dusenberry, M., Jerfel, G., Nguyen, T., Liu, J., Zhang, L., & Tran, D. (2019). Measuring Calibration in Deep LearningCVPR Workshops 2019; arXiv:1904.01685.

    TML/calibration critique. Expected Calibration Error, the most popular calibration metric, has numerous flaws; rank ordering of recalibration methods is drastically impacted by the choice of measure. The yardstick the field reassures itself with is itself unreliable.

  67. Minderer, M., Djolonga, J., Romijnders, R., Hubis, F., Zhai, X., Houlsby, N., Tran, D., & Lucic, M. (2021). Revisiting the Calibration of Modern Neural NetworksNeurIPS 2021; arXiv:2106.07998.

    TML/calibration, interrogates Guo (2017) already in review. The modern-nets-are-miscalibrated trend is less pronounced in recent architectures; the most recent models are among the best calibrated. Complicates the calibration story rather than confirming it - the entry holds both.

  68. Gal, Y., & Ghahramani, Z. (2016). Dropout as a Bayesian Approximation: Representing Model Uncertainty in Deep LearningICML 2016; arXiv:1506.02142.

    TML/epistemic UQ (MC-dropout). The wrong-category claim from the most-cited UQ method: softmax outputs are often erroneously interpreted as model confidence; a model can be uncertain in its predictions even with a high softmax output. Read directly rather than via secondary mention.

  69. Gawlikowski, J., Njieutcheu Tassi, C. R., Ali, M., Lee, J., Humt, M., Feng, J., Kruspe, A., Triebel, R., Jung, P., Roscher, R., Shahzad, M., Yang, W., Bamler, R., & Zhu, X. X. (2021). A Survey of Uncertainty in Deep Neural NetworksArtificial Intelligence Review (2023); arXiv:2107.03342.

    TML capstone survey. The field’s own comprehensive survey: basic NNs do not deliver certainty estimates or suffer over/under confidence; estimating predictive uncertainty is NOT sufficient for safe decision-making. Names inability to distinguish in- vs out-of-domain and to give reliable per-decision uncertainty.

Under review, not yet incorporated

Found and accessible, awaiting a full reading. Listed for transparency; not yet drawn on.

  1. (2023). Supply-chain Levels for Software Artifacts (SLSA): full specificationOpenSSF.

    The threat model is read (see the read tier); the rest of the spec (levels, provenance format) is not yet incorporated.

  2. Rose, S., Borchert, O., Mitchell, S., & Connelly, S. (2020). Zero Trust ArchitectureNIST SP 800-207.

    The attribute-rides-with-the-request move; nearest analogue to basis attached to a claim.

  3. Newman, Z., Meyers, J. S., & Torres-Arias, S. (2022). Sigstore: Software Signing for EverybodyACM CCS 2022.

    Keyless signing + Rekor transparency log. Candidate: covered via the SoK for now; read in full if the design chapter needs the signing detail.

  4. CISA / NSA (2025). A Shared Vision of Software Bill of Materials (SBOM) for CybersecurityCISA/NSA joint guidance.

    SBOM/attestation pushed into OT/critical-infra by policy: the two-fields fusion. Gov PDF 403d the fetcher; read in full before citing.

  5. Ulmer, D., et al. (2024). A Comprehensive Survey on Evidential Deep Learning and Its ApplicationsarXiv:2409.04720.

    Dempster-Shafer / subjective-opinion UQ, separating aleatoric and epistemic. Queued.

  6. (2023). NIST SP 800-82r3: Guide to Operational Technology (OT) SecurityNIST.

    The authoritative OT security standard (316pp). Scope known; full text unread. Cite specific controls only after reading the relevant sections.

  7. Lee, J. D., & See, K. A. (2004). Trust in Automation: Designing for Appropriate RelianceHuman Factors 46(1):50-80.

    The seminal appropriate-trust model (purpose/process/performance). PAYWALLED; read at one remove via Mehrotra and Parasuraman. Candidate for direct read.