01The delegation chain (reconstructed from signed events)
Root
Human
granted_by = tenant root · scope = [approve_transfer] · policy = pol_transfer_approval_v1 · retains final approval authority
AI
granted_by = princ_customer_9 (delegation, not root grant) · scope = [review_transfer_request] · policy = pol_ai_transfer_advisory_review_v1 · review-only, no approval authority
The AI's granted_by field names the human principal directly. The replay engine's trace_provenance function walks: AI grant → find parent grant whose granted_to == princ_customer_9 → walks her root-grant → terminates at root. The delegation chain exists in the canonical event log.
02The reconstructed state_id
03The governance assertion (the spine of the proof)
| Assertion | Result |
|---|---|
AI scope contains review_transfer_request | TRUE |
AI scope does NOT contain approve_transfer | TRUE |
Human retains approve_transfer | TRUE |
AI authority derives from human (granted_by) | TRUE |
| Human authority derives from root | TRUE |
The proof's spine is the negative assertion: the AI's reconstructed scope does NOT contain approve_transfer. The test asserts this directly with a hard failure message — "GOVERNANCE FAILURE: AI scope contains approve_transfer — AI was authorized only to review, not approve."
04The forensic explanations
{
"authority_id": "auth_44962d9b-…_ai_transfer_review",
"included": true,
"reason": "Granted by princ_customer_9 to princ_ai_transfer_reviewer_001;
policy pol_ai_transfer_advisory_review_v1;
chain to root verified."
}
The phrase "chain to root verified" in the AI's explanation is the replay engine confirming that princ_customer_9's grant exists, is unrevoked, and is itself rooted. That's the forensic signal a regulator looks for.
05The five reconstructable facts (the regulator's checklist)
| Question | Reconstructed answer |
|---|---|
| 1. Who delegated authority? | princ_customer_9 (human, customer_id=9) |
| 2. What authority was delegated? | review_transfer_request (no approval) |
| 3. What policy constrained the AI? | pol_ai_transfer_advisory_review_v1 — advisory only, CONDITIONAL output, no override |
| 4. What did the AI recommend? | (Carried in receipt narrative for any live transfer; the chain proves the AI was authorized to produce it) |
| 5. Who made the final decision? | princ_customer_9 (retains approve_transfer) |
06The receipt narrative (template for a live AI-assisted approval)
{
"decision_class": "approved | denied | escalated",
"recommender": "princ_ai_transfer_reviewer_001",
"recommender_authority": "auth_44962d9b-…_ai_transfer_review",
"recommender_policy": "pol_ai_transfer_advisory_review_v1",
"recommendation_class": "CONDITIONAL",
"recommendation_text": "<the AI's natural-language recommendation>",
"final_approver": "princ_customer_9",
"final_approver_authority": "auth_44962d9b-…_transfer_approval",
"final_approver_policy": "pol_transfer_approval_v1"
}
Two principals named. Two authority IDs named. Two policies named. Three years later, replay reconstructs all of it.
07Known limitations
- Reconstruction-only, not live receipt. No transfer-approval receipt has been issued against a live endpoint with this tenant. Live issuance requires Bearer minting for both principals.
- Structural AI principal, not a deployed model. The AI is a principal in the canonical event log; the model / agent runtime it represents is out of scope.
- Single delegation level, not the full ladder. This is L1. L2 (Authority Envelope), L3 (Supervisor), L4 (Autonomous Operations) are subsequent proofs.
- Scope-subset enforcement is policy-layer, not chain-layer. The engine validates chain provenance; policy-correctness lives in
pol_*definitions. - AuthEvent.signature not verified at replay ingestion (Phase E lock; same as all current proofs).
08Where this proof sits in the agentic management ladder
09Evidence appendix
| Field | Value |
|---|---|
| state_id | 1cbd6979288513945e725a453e40446f9b936825ba90e42585e0483d96b36840 |
| Replay-until T (ms) | 1800000000000 |
| Tenant ID | tenant_ai_transfer_44962d9b-25f5-5622-bd9a-98d5580bb8a2 |
| Tenant root | princ_root_ai_transfer_44962d9b-… |
| Human principal | princ_customer_9 |
| AI principal | princ_ai_transfer_reviewer_001 |
| Human authority ID | auth_44962d9b-…_transfer_approval (scope: approve_transfer) |
| AI authority ID | auth_44962d9b-…_ai_transfer_review (scope: review_transfer_request) |
| Human policy | pol_transfer_approval_v1 |
| AI policy | pol_ai_transfer_advisory_review_v1 |
| AI grant granted_by | princ_customer_9 (DELEGATION CONFIRMED) |
| Reconstruction artifact | reconstruction.json |
| Harness | tests/ai_assisted_transfer_001.rs (scif-backend @ 1ede55071) |
| Same human, prior proof | V101 first proof — princ_customer_9 |
10Readiness determination
First AI-Assisted Transfer Approval (reconstruction, delegation chain): PROVEN IN OPERATION for one root → human → AI delegation, advisory-review capability scoped review-only, human retaining final approval authority.
What this unlocks: conversations with Ondo, Securitize, Kinexys, transfer agents, fund administrators, and regulators about constrained AI participation in regulated workflows. The answer is the delegation chain — visible in the canonical event log, replayable forever, with the AI's scope provably review-only.
What this does not unlock: a claim that any tokenization platform has deployed an AI reviewer; a claim that the chain handles multi-agent supervision (L3) or autonomous-operation envelopes (L4); a claim that scope-subset enforcement is engine-layer.
The AI principal here is structural — a principal in the canonical event log, not a deployed model. When the first tokenization platform integrates a real AI reviewer, this proof gets superseded by first-deployed-ai-assisted-transfer against their real customers and real model. The delegation property being proven is structural; the model identity is independent.
Issued by H33, Inc. · Eric Beans, CEO · 2026-06-02
Independently reconstructable. Inputs: canonical event log access · scif-backend @ 1ede55071 · harness tests/ai_assisted_transfer_001.rs.