Skip to content
Paula Livingstone writing · projects · tools

Attestable The Thesis

The Problem Statement

How probabilistic state acquires false authority at a handover boundary, why existing provenance, attestation and policy mechanisms do not close the gap, and the question that opens.

Modern operations depend on state produced by one owner and acted upon by another. Assertions about assets, configurations, and conditions cross organisational, system, and human-machine boundaries continuously: through shift handovers, contractor engagements, tool integrations, ticketing systems, and, increasingly, autonomous and semi-autonomous agents.

At each transfer, a claim tends to shed its epistemic history. How it was established, from what evidence, by whom or what, under what scope, at what time, and with what stated limitations are all information that the transfer mechanism does not carry. What survives the handover is the value alone. The receiving owner, lacking any representation of the claim's basis, treats it as fact.

That handover degrades transmitted information is well established empirically. Clinical handover is the most intensively studied instance, and there the characteristic failure is omission rather than corruption. Yeom et al.'s systematic review and meta-analysis of nursing handoff errors finds omission to be the dominant error type, reported in six of the nine studies examining error types, and explains why: "information omission refers to the complete absence of information transfer and tends to occur more frequently than discrepancies in the conveyed information," because discrepancies "may be corrected during handoffs through documentation review or bidirectional communication" whereas absent information presents nothing to correct [1]. The structural causes it identifies, time pressure, reliance on verbal transfer, and the necessity of selective summarisation, are not specific to clinical work.

Two qualifications must be entered here, and they define the boundary of what the empirical literature can be made to support.

First, this literature measures the loss of information, which is to say the loss of clinical facts. It does not measure the loss of a claim's basis, and it is not designed to: the outcome of interest is patient harm, and the tractable independent variable is whether a fact was transferred at all. The proposition that handover strips the epistemic standing of what survives, how it was established, and therefore what it can bear, is not a finding that can be borrowed. It is an argument that has to be made.

Second, and more tellingly, the remedies developed in response are revealing precisely by what they omit. Structured forms, SBAR, and handover checklists reduce omission by constraining which fields must be carried: they standardise the transfer of values. None of them carries the basis of the values transferred. That a mature, safety-critical, heavily-researched discipline has converged on standardising what is handed over without ever standardising how firmly it is known is the first indication that this gap is real, and that it has gone unnoticed because, until the originator could be a generator rather than an observer, it did not need to be noticed.

The mechanism: False Determinism

The degradation described above is longstanding and has historically been absorbed by human judgement, institutional memory, and the relatively low volume of claims in circulation. Three properties of machine-generated assertions dissolve those mitigations.

Generation is not observation. A probabilistic model produces claims by sampling a distribution conditioned on context. The resulting assertion is not a report of a measurement; it is an artefact of a generator. No amount of re-querying converts it into one, because re-querying is re-sampling rather than verification. Kalai et al. establish that hallucination is not a defect to be engineered away but a predictable consequence of how such models are trained and evaluated: "hallucinations need not be mysterious, they originate simply as errors in binary classification," and models are "optimized to be good test-takers," for whom "guessing when uncertain improves test performance" [2]. Under any grading regime in which abstention scores zero, confident guessing strictly dominates the admission of ignorance. A correctly-functioning, well-trained model is therefore one that asserts under uncertainty by design.

Confidence is not a warrant for action. A model's expressed confidence is a property of its own output distribution, not a measurement of the world. Empirically, such confidence is poorly calibrated: Groot and Valdenegro-Toro find that "both LLMs and VLMs have a high calibration error and are overconfident most of the time, indicating a poor capability for uncertainty estimation" [3].

The empirical finding, however, is not the load-bearing claim, and it is important to be clear about why. If poor calibration were the whole problem, the remedy would be better calibration, and the problem would be temporary, a defect that the next generation of models might well repair. The argument here is stronger and does not depend on the current state of the art: confidence, however well calibrated, is the wrong kind of information. It is a statement about the generator's internal state, not evidence that the asserted condition obtains. A perfectly calibrated model asserting a proposition with 0.99 confidence has still not observed anything; it has reported the shape of its own distribution with commendable honesty. Calibration improves the odds. It does not supply a basis, and no degree of confidence converts an inference into an observation.

This distinction matters operationally, because it determines where the remedy must sit. If the problem were miscalibration, the remedy would belong to the model vendor. Because the problem is the category of the evidence rather than its quality, the remedy must belong to the system that decides what may be acted upon.

Fluency disguises basis. Machine-generated claims arrive formatted, articulate, and syntactically indistinguishable from authoritative record. The surface features by which practitioners have historically triaged trustworthiness, hesitancy, hedging, incompleteness, obvious provenance, are precisely the features that generation removes. Worse, the incentive structure identified by Kalai et al. actively selects against their presence.

This collapse of surface signal has an exact precedent in network security, and the precedent is instructive because its remedy is known. Firewalls once discriminated traffic largely by port: the port number was a cheap, present-in-the-packet attribute that correlated with the nature of the traffic behind it. That correlation collapsed when applications converged on port 443. Once everything arrived over the same port, the inspected attribute no longer discriminated anything, and inspection had to move up the stack, to attributes that were not present in the packet and had to be established by other means. The evidential surface of a claim has undergone the same collapse. Register, hedging, and provenance-by-style were weak, present-in-the-artefact signals of how far a claim had been established; fluent generation has driven all claims into the same declarative envelope, and those signals no longer discriminate the measured from the merely produced. The lesson transfers with the failure: when the discriminating signal is no longer recoverable from the artefact, it must instead be attached to it.

The consequence is that probabilistic output is routinely promoted to deterministic fact without any measurement having occurred. This is the failure mode named False Determinism: the unsanctioned elevation of a claim's epistemic authority at a handover boundary, in the absence of evidence sufficient to warrant the elevation.

False Determinism is structural rather than incidental. It does not require negligence, deception, or model error. It occurs when a correctly-functioning generator produces a well-formed claim which a correctly-functioning process transmits, and which a diligent recipient acts upon, because nothing in the chain represents the claim's basis, and therefore nothing in the chain can reject its promotion. This is what distinguishes the problem from hallucination as ordinarily construed. Hallucination is a property of an utterance; False Determinism is a property of a system of transfer. It would persist even if hallucination rates fell to near zero, because the recipient would still have no means of establishing that a given claim was among the rare failures, and no means of establishing it about anything derived from it.

Contamination of derived claims

The failure compounds. Claims are rarely terminal; they are inputs to other claims. A model-inferred topology feeds a human-authored assessment; the assessment is filed as a report; the report is later retrieved as authoritative record. At no point in that sequence is a falsehood introduced, yet the probabilistic origin of the original inference has become unrecoverable.

This is the laundering path, and it is the reason that any remedy operating only at the point of generation is insufficient. Marking model outputs at the moment they are produced does not help if the marking is not inherited by everything derived from them. A remedy must therefore govern derivation, not merely origination.

The gap: what existing mechanisms do not do

Three established families of mechanism address adjacent problems, and none addresses this one.

Provenance and lineage systems (W3C PROV and its descendants; workflow and data-lineage tooling) record where a claim came from: the entities, activities, and agents involved in its production. They are descriptive and retrospective. A complete PROV graph can faithfully record that a value was generated by a model, and still offer no answer to the question of whether that value may now be acted upon.

Cryptographic attestation and supply-chain integrity systems (in-toto, SLSA, signed provenance, transparency logs) establish who produced an artefact and that it was not altered in transit. Their guarantees are about authenticity and integrity. A perfectly signed, verifiably unaltered claim may still be a hallucination: the signature attests to custody, not to basis. Integrity is orthogonal to admissibility.

Policy languages and access-control frameworks (OPA/Rego, XACML, and similar) can express rich conditions over requests and attributes. They are, however, general-purpose evaluators over whatever attributes they are given. They presuppose the very thing that is missing: a principled, portable representation of a claim's evidentiary basis and of the actions that basis can and cannot warrant. A policy engine can enforce such a model; it cannot supply one.

The gap, stated precisely:

No existing mechanism allows a receiving owner to determine whether the evidence behind a claim is sufficient for the specific action they intend to take.

This is not a provenance gap, an integrity gap, or an enforcement gap. It is the absence of a model of action-relative admissibility: the recognition that a claim adequate for prioritising an investigation may be wholly inadequate for authorising a configuration change, and that the difference between those two uses is not a difference of confidence but a difference of the evidence the action demands.

Why these three, and not the safety literature

The comparison class above is chosen deliberately, and the choice warrants defence.

An obvious alternative would be to position this work against the safety and assurance literature, assurance cases, safety integrity levels, hazard and operability analysis, since operational technology is the exemplar domain and safety is the consequence in play. That framing is rejected, for two reasons.

First, those methods make a different kind of claim. An assurance case argues that a system is acceptably safe for a stated operating context, and does so as a design-time, human-authored, human-reviewed artefact. It is not a runtime mechanism for adjudicating individual claims, and it presupposes exactly what is at issue here: that the propositions entering the argument have known evidentiary standing. Safety engineering consumes admissibility judgements; it does not produce them.

Second, and decisively, the nearest rivals are the mechanisms that do attach machine-readable metadata to claims and do adjudicate them at runtime, which is to say provenance, attestation, and policy evaluation. A contribution is properly measured against what most nearly already does its job. Provenance, attestation and policy languages already carry structured assertions across trust boundaries and already make automated decisions about them; if any of them supplied action-relative admissibility, this work would be redundant. They do not, and demonstrating precisely why is the burden discharged above.

Safety and OT thus enter as the domain that supplies the consequences, the scenarios, and the evaluation criteria, not as the competing claim to novelty.

Why operational technology is the exemplar

The consequences are most acute in operational technology, where decisions cross from information into physical action and are frequently irreversible. The distance between asserted, inferred, observed, and demonstrated is, in that setting, the distance between a safe action and an unsafe one. A claim that a circuit is de-energised is safe to use when deciding what to investigate next, and unsafe to use when deciding whether to touch it, and this is true regardless of how confident the claim's originator was.

OT therefore serves as the exemplar domain and the source of evaluation scenarios. The problem, however, is general: it arises wherever one owner acts on state produced by another, and the OT case is distinguished by the sharpness of its consequences rather than by any special structure.

The question this opens

The problem is a design gap: the required artefact does not exist. The question, then, is whether it can be built.

Can action-relative admissibility be formalised as a discipline, with a claim taxonomy, a basis model, an inheritance rule for derived claims, and an admissibility policy, such that False Determinism becomes mechanically rejectable rather than a matter of practitioner vigilance?

Underneath it sit four narrower questions:

  1. What minimal representation of a claim's basis is sufficient to decide admissibility for an intended action, and what must it capture beyond origin and integrity?
  2. What inheritance rule correctly governs derived claims, such that probabilistic ancestry cannot be laundered through subsequent derivation?
  3. Under what conditions may a claim's admissibility be legitimately elevated, and can illegitimate elevation be distinguished from legitimate elevation mechanically?
  4. Does the resulting discipline reject False Determinism in realistic OT scenarios without rejecting so much legitimate practice as to be unusable?

The fourth is the one on which the work is falsifiable. A discipline that rejects everything is trivially safe and practically worthless; it stands or falls on the discrimination it achieves, not merely on its conservatism.

What is in and out of scope

In scope: the conceptual model (claim taxonomy, basis model, derivation and inheritance rules, admissibility policy, promotion as a named and constrained operation); a reference implementation as a software library; evaluation against OT-derived scenarios.

Out of scope: the truth of claims (this work concerns whether a claim's basis warrants an action, not whether the claim is correct); the cryptographic transport of attestations (assumed available, and orthogonal); model interpretability and the internal states of generators; organisational adoption and change management.

References

[1] Yeom, S., Kim, M.-G., & Park, J. H. (2026). Understanding nursing handoff errors in clinical practice: trends and contributing factors based on a systematic review and meta-analysis. BMC Nursing, 25, 359. https://doi.org/10.1186/s12912-026-04607-x

[2] Kalai, A. T., Nachum, O., Vempala, S. S., & Zhang, E. (2025). Why Language Models Hallucinate. arXiv preprint arXiv:2509.04664. https://arxiv.org/abs/2509.04664

[3] Groot, T., & Valdenegro-Toro, M. (2024). Overconfidence is Key: Verbalized Uncertainty Evaluation in Large Language and Vision-Language Models. arXiv preprint arXiv:2405.02917. https://arxiv.org/abs/2405.02917