| Internet-Draft | VAP-LAP | February 2026 |
| AILEX | Expires 18 August 2026 | [Page] |
This document specifies the Verifiable AI Provenance (VAP) Framework, a cross-domain upper framework for cryptographically verifiable decision audit trails in high-risk AI systems, along with the Legal AI Profile (LAP), a domain-specific instantiation for legal AI and LegalTech systems.¶
VAP defines common infrastructure including hash chain integrity, digital signatures, unified conformance levels (Bronze/Silver/Gold), external anchoring via RFC 3161 Time-Stamp Protocol and compatible transparency services, a Completeness Invariant pattern guaranteeing no selective logging, standardized Evidence Pack format for regulatory submission, and privacy-preserving verification protocols.¶
LAP extends VAP for the judicial AI domain, addressing unique requirements including attorney oversight verification (Human Override Coverage), three-pipeline completeness invariants for legal consultation, document generation, and fact-checking, as well as privacy-preserving fields designed to maintain attorney-client privilege while enabling third-party auditability.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 18 August 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
The deployment of AI systems in high-risk domains -- including finance, healthcare, transportation, and the administration of justice -- creates a structural accountability gap. AI decisions that affect fundamental rights and societal infrastructure lack standardized, cryptographically verifiable audit trails that independent third parties can inspect.¶
Current approaches rely on trust-based governance: AI providers assert that their systems are safe and well-logged, but no independent party can cryptographically verify these claims. The Verifiable AI Provenance (VAP) Framework addresses this gap by defining a "Verify, Don't Trust" architecture for AI decision provenance.¶
This document defines two complementary specifications:¶
VAP targets AI systems where "system failure could cause significant and irreversible harm to human life, societal infrastructure, or democratic institutions." This intentionally strict scope distinguishes VAP from general-purpose logging frameworks.¶
LAP specifically addresses legal AI systems that provide AI-powered legal consultation, document generation, and fact-checking services to licensed attorneys.¶
The core principle is "Verify, Don't Trust." Rather than relying on AI providers' claims about the safety and integrity of their systems, VAP enables independent, cryptographic verification of every AI decision's provenance, completeness, and human oversight.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
VAP is organized into four core layers, a common infrastructure layer, and a domain profile layer:¶
VAP supports multiple domain profiles. Each profile MUST define:¶
Registered profiles include VCP (Finance), CAP (Content/Creative AI), and LAP (Legal AI, defined in Part II of this document). Additional profiles for automotive (DVP), medical (MAP), and public administration (PAP) domains are under development.¶
All VAP-conformant implementations MUST support the following cryptographic algorithms:¶
| Category | Primary | Alternative | Post-Quantum (Future) |
|---|---|---|---|
| Hash | SHA-256 | SHA-384, SHA-512 | SHA3-256 |
| Signature | Ed25519 (RFC 8032) | ECDSA P-256 | ML-DSA-65 |
| Encryption | AES-256-GCM | ChaCha20-Poly1305 | Kyber-1024 |
Implementations MUST include algorithm identifiers in all cryptographic fields to support crypto agility and future algorithm migration.¶
Events MUST be linked in a hash chain where each event's hash includes the hash of the preceding event:¶
EventHash[n] = SHA-256(
Canonicalize(Event[n] without Signature field)
)
where Event[n].PrevHash = EventHash[n-1]
Event[0].PrevHash = null (genesis event)
Canonicalization MUST follow RFC 8785 (JSON Canonicalization Scheme).
¶
Chain integrity verification MUST confirm:¶
Every event MUST be signed using Ed25519 ([RFC8032]). The signature MUST be computed over the event hash bytes:¶
Signature = Ed25519.Sign(PrivateKey, EventHash_bytes) Encoded as: "ed25519:" + Base64(Signature)¶
All VAP-conformant events MUST include the following fields:¶
{
"vap_version": "1.2",
"profile": {
"id": "string (VCP|CAP|LAP|DVP|MAP|PAP|EIP)",
"version": "semver string"
},
"header": {
"event_id": "UUIDv7 (RFC 9562)",
"chain_id": "UUIDv7",
"prev_hash": "sha256:... | null (genesis)",
"timestamp": "ISO 8601 with timezone",
"event_type": "string (profile-specific)"
},
"provenance": {
"actor": {
"actor_id": "string",
"actor_hash": "sha256:... (privacy-preserving)",
"role": "string"
},
"input": { },
"context": { },
"action": { },
"outcome": { }
},
"accountability": {
"operator_id": "string",
"last_approval_by": "string",
"approval_timestamp": "ISO 8601"
},
"domain_payload": { },
"security": {
"event_hash": "sha256:...",
"hash_algo": "SHA256",
"signature": "ed25519:...",
"sign_algo": "ED25519",
"signer_id": "string"
}
}
¶
Event identifiers MUST use UUIDv7 ([RFC9562]) to ensure time-ordered sortability. JSON canonicalization MUST follow [RFC8785].¶
Fields representing monetary amounts, cryptographic values, or high-precision measurements SHOULD be encoded as JSON strings rather than JSON numbers. This recommendation is motivated by:¶
Fields where exact precision is not critical (e.g., event_count, token_count) MAY use JSON numbers. Implementations MUST document which fields use string encoding. Implementations that use JSON numbers for counters MUST ensure that any numeric-to-string conversion performed during canonicalization is deterministic and documented, to avoid signature verification ambiguity across languages and libraries.¶
VAP defines three conformance levels applicable to all domain profiles. Each level inherits all requirements of lower levels (Gold is a superset of Silver, which is a superset of Bronze).¶
Target: SMEs, early adopters. Core capabilities:¶
Target: Enterprise, regulated industries. Additional requirements beyond Bronze:¶
Target: Highly regulated industries. Additional requirements beyond Silver:¶
External anchoring proves that events existed at a specific point in time, preventing backdating, forward-dating, and log forking.¶
VAP defines an abstract anchoring interface that can be realized by multiple service types. The baseline anchoring service is [RFC3161] Time-Stamp Authority (TSA). Additional service types include transparency logs and public blockchains.¶
Gold Level implementations MUST use at least one transparency log service (such as SCITT) or equivalent, in addition to or instead of RFC 3161 TSA. Implementations SHOULD use multiple independent anchoring services for critical deployments.¶
{
"anchor_id": "UUIDv7",
"anchor_type": "RFC3161 | TRANSPARENCY_LOG | BLOCKCHAIN",
"merkle_root": "sha256:...",
"event_count": 1000,
"first_event_id": "UUIDv7",
"last_event_id": "UUIDv7",
"first_event_timestamp": "ISO 8601",
"last_event_timestamp": "ISO 8601",
"anchor_timestamp": "ISO 8601",
"anchor_proof": "Base64-encoded proof",
"service_endpoint": "https://tsa.example.com"
}
¶
Events MUST be batched into a binary Merkle hash tree for efficient anchoring and selective disclosure. The tree construction uses SHA-256 as the hash function and follows a standard binary tree structure:¶
Leaf[i] = SHA-256(EventHash[i]) Interior[j] = SHA-256(Left_child || Right_child) MerkleRoot = Interior[root]¶
If the number of leaves is not a power of two, the last leaf MUST be duplicated to complete the tree. The resulting Merkle root is submitted to the external anchoring service.¶
Implementations MAY follow the tree construction specified in [RFC6962] (Certificate Transparency) or any equivalent binary Merkle tree construction that produces deterministic, verifiable inclusion proofs.¶
Merkle inclusion proofs enable selective disclosure: a verifier can confirm that a specific event is included in an anchored batch without accessing other events in the batch.¶
The Completeness Invariant is a mathematical guarantee that every "attempt" event has exactly one corresponding "outcome" event. This prevents selective logging -- the omission of inconvenient records.¶
General form:¶
For each pipeline P:
Count(P_ATTEMPT) = Count(P_SUCCESS)
+ Count(P_DENY)
+ Count(P_ERROR)
¶
The invariant enforces three properties:¶
Domain profiles MUST specify which event types constitute attempts and outcomes for the invariant. Each outcome event MUST contain a causal link field referencing the originating attempt event's identifier. Verification SHOULD account for a configurable grace period for in-flight operations.¶
An Evidence Pack is a self-contained, signed package of provenance events suitable for regulatory submission and third-party audit.¶
An Evidence Pack MUST contain:¶
The manifest MUST include the following fields:¶
The manifest MAY include additional profile-specific fields as defined by the domain profile specification.¶
VAP enables verification of system integrity without disclosure of sensitive data. This is achieved through:¶
This mechanism is particularly critical for LAP, where attorney-client privilege prevents disclosure of consultation content while still requiring verifiable audit trails.¶
| Level | Events | Anchor Records | Evidence Packs | Keys |
|---|---|---|---|---|
| Bronze | 6 months | N/A | On-demand | 1 year after last use |
| Silver | 2 years | 5 years | 2 years | 3 years after last use |
| Gold | 5 years | 10 years | 5 years | 7 years after last use |
Retention periods MUST be extended upon: regulatory investigation notification, legal hold orders, security or safety incidents, and third-party audit requests.¶
Domain profiles MAY specify extended retention periods beyond the VAP baseline where domain-specific regulations require longer retention (see Section 18 for LAP extensions).¶
For privacy regulation compliance (e.g., [GDPR] "right to be forgotten"), implementations at Silver level and above SHOULD support crypto-shredding: encrypting personal data with per-user keys and deleting those keys to render the data cryptographically unrecoverable while preserving hash chain integrity.¶
Verification is available at three access levels:¶
Verification steps:¶
The Legal AI Profile (LAP) is a VAP domain profile for judicial AI and LegalTech systems. LAP addresses unique challenges in the legal domain:¶
| Field | Value |
|---|---|
| Profile ID | LAP |
| Full Name | Legal AI Profile |
| Domain | Legal AI / LegalTech |
| Regulatory Scope | Attorney regulation, AI governance (informative) |
| Time Precision | Second |
| Profile Version | 0.2.0 |
LAP defines three functional pipelines and one cross-cutting control event type:¶
AI-powered legal consultation:¶
AI-assisted legal document drafting:¶
AI-powered legal fact verification:¶
Implementations MAY define LEGAL_FACTCHECK_DENY for cases where a fact-check request is refused due to rate limiting, insufficient permissions, or consent constraints. The deny_reason field SHOULD distinguish these from system errors.¶
If an implementation does not support LEGAL_FACTCHECK_DENY, refusal conditions MUST be recorded as LEGAL_FACTCHECK_ERROR with a deny_equivalent indicator set to true in the error detail, ensuring the Completeness Invariant is maintained.¶
HUMAN_OVERRIDE events record an attorney's review of any AI output:¶
HUMAN_OVERRIDE events reference the target outcome event via target_event_id (establishing a causal link) and include the attorney's identity (bar number hash), override type, and optional modification details.¶
LAP applies the Completeness Invariant independently to all three pipelines:¶
For each pipeline P in {QUERY, DOC, FACTCHECK}:
Count(LEGAL_{P}_ATTEMPT)
= Count(LEGAL_{P}_RESPONSE)
+ Count(LEGAL_{P}_DENY) [if supported]
+ Count(LEGAL_{P}_ERROR)
Expanded:
LEGAL_QUERY_ATTEMPT = LEGAL_QUERY_RESPONSE
+ LEGAL_QUERY_DENY
+ LEGAL_QUERY_ERROR
LEGAL_DOC_ATTEMPT = LEGAL_DOC_RESPONSE
+ LEGAL_DOC_DENY
+ LEGAL_DOC_ERROR
LEGAL_FACTCHECK_ATTEMPT = LEGAL_FACTCHECK_RESPONSE
+ LEGAL_FACTCHECK_DENY [if supported]
+ LEGAL_FACTCHECK_ERROR
¶
For implementations that do not support LEGAL_FACTCHECK_DENY, the invariant simplifies to ATTEMPT = RESPONSE + ERROR for Pipeline 3. Refusal conditions recorded as ERROR with deny_equivalent MUST be counted toward the invariant.¶
Each outcome event MUST contain a causal link field referencing the originating attempt event's identifier, ensuring referential integrity can be verified independently of event ordering.¶
HUMAN_OVERRIDE events are outside the Completeness Invariant but LAP defines Override Coverage as a critical operational metric:¶
Override Coverage = Count(HUMAN_OVERRIDE) / (Count(LEGAL_*_RESPONSE) + Count(LEGAL_*_DENY))¶
This metric quantifies the degree to which human professionals review AI outputs. In jurisdictions where regulations require that a licensed professional personally scrutinize AI-generated work products, this metric provides measurable evidence of compliance.¶
| Coverage | Assessment | Operational Implication |
|---|---|---|
| 100% | Ideal | Full professional oversight of all AI outputs |
| 70-99% | Good | Majority reviewed; low-risk outputs may be excluded |
| 30-69% | Warning | Insufficient review; operational improvement recommended |
| <30% | Critical | Professional oversight requirements likely unmet |
ERROR events are excluded from the denominator because they do not produce an output suitable for professional approval or rejection. Completeness of error handling is evaluated separately via the per-pipeline invariant, where ERROR is a first-class outcome type.¶
Legal AI handles extremely sensitive data protected by professional privilege. LAP extends VAP's privacy-preserving verification with the following hashed fields:¶
| Original Data | Hash Field | Sensitive Content |
|---|---|---|
| User query text | PromptHash | Legal consultation content (privileged) |
| AI response text | ResponseHash | AI-generated legal advice |
| Document output | OutputHash | Generated legal documents |
| Case number | CaseNumberHash | Case identifier (high specificity) |
| Bar number | BarNumberHash | Professional registration number |
| Party names | PartyHash | Personal information of parties |
| Modification detail | ModificationHash | Professional's corrections |
| Factcheck content | TargetContentHash | Content under verification |
Hash computation uses per-tenant salts to prevent cross-tenant correlation. Third-party verifiers can confirm event existence and chain integrity without accessing privileged content.¶
| Requirement | Bronze | Silver | Gold |
|---|---|---|---|
| Hash Chain | Yes | Yes | Yes |
| Digital Signature | Yes | Yes | Yes |
| External Anchoring | No | Daily | Hourly |
| Completeness Invariant | No | 3 Pipelines | 3 Pipelines |
| Override Coverage Tracking | No | Yes | Yes (with alerts) |
| Evidence Pack | No | Yes | Yes |
| Privacy Hashing | No | Yes | Yes |
| HSM | No | No | Yes |
| Retention | 6 months | 3 years | 10 years |
| Real-time Audit API | No | No | Yes |
LAP extends the standard VAP retention periods. Silver level requires 3 years (vs. VAP baseline 2 years) and Gold requires 10 years (vs. VAP baseline 5 years). This extension is driven by the longer statutory limitation periods typical in legal proceedings across multiple jurisdictions.¶
This section is entirely informative and non-normative. It illustrates how LAP audit trail capabilities can support compliance with various regulatory frameworks. Legal compliance determinations are jurisdiction-specific and require independent legal analysis.¶
Many jurisdictions restrict the practice of law to licensed attorneys. Where AI systems assist attorneys in legal work, regulations may require that the attorney personally review and take responsibility for AI-generated outputs. LAP's HUMAN_OVERRIDE events and Override Coverage metric can support demonstrating such oversight.¶
As an example, the Japanese Ministry of Justice guideline ([MOJ-GUIDELINE]) establishes that AI-based legal services provided to attorneys are permissible when the attorney personally scrutinizes and modifies the output as necessary. LAP audit trails can help meet these expectations through:¶
Legal AI systems may be classified as high-risk under AI governance frameworks such as the EU AI Act ([EU-AI-ACT]), particularly under Annex III "Administration of justice" category. LAP Silver level and above provides audit trail capabilities that can help satisfy record-keeping requirements, including:¶
The degree to which these capabilities satisfy specific regulatory requirements should be evaluated on a per-jurisdiction basis.¶
VAP-LAP implementations face several security considerations:¶
This document has no IANA actions at this time.¶
Future versions of this document might request registration of a media type for VAP Evidence Pack manifests (e.g., "application/vnd.vap.evidence-pack+json") and an IANA registry for VAP Domain Profile identifiers. Until then, profile identifiers are managed by the VeritasChain Standards Organization (VSO). The initial registered profiles are VCP (Finance), CAP (Content/Creative AI), and LAP (Legal AI).¶
| Aspect | VCP (Finance) | CAP (Content) | LAP (Legal) |
|---|---|---|---|
| Time Precision | Nanosecond | Second | Second |
| Key Invariant | SIG to ORD | GEN_ATTEMPT to GEN/DENY/ERROR | 3 Pipeline Invariants |
| Unique Feature | Signal integrity | Safe Refusal (SRP) | Human Override Coverage |
| Regulatory Focus | Financial regulation | Content regulation | Attorney regulation + AI governance |
| Privacy Model | Trade data | Creative content | Professional privilege |
| Retention (Gold) | 5 years | 5 years | 10 years |
This section tracks changes between Internet-Draft revisions and will be removed before publication.¶
The VAP Framework and LAP Profile were developed with input from: the CAP v1.0 Safe Refusal Provenance (SRP) design experience, the VCP v1.1 operational feedback, regulatory engagement from legal practitioners, and open-source community contributions.¶
LAP v0.2 design draws from the AILEX SaaS reference implementation, the Ministry of Justice guideline on AI services and [JAPAN-ATTORNEY-ACT] Article 72 (August 2023), and the [JFBA-AI-GUIDANCE] on generative AI in attorney practice (September 2025).¶