When an inspector asks “where did this AI output come from?”, there are two structurally different ways to answer. One is forensic: pull the logs, reconstruct what the model saw at inference time, infer which retrieved passage shaped which line of output, and defend the reconstruction. The other is provenance at generation time: the output itself carries the substrate trace, and the answer is in the response the inspector is already holding.
The two answers look superficially similar - both produce some kind of “here is what grounded the output” artefact. They are not the same. The forensic answer is reconstruction by an auditor; the substrate answer is assertion by the system. The reconstruction is fragile, contestable, and slow. The assertion is fixed, structured, and instant. The discipline-gap between them is the difference between post-hoc explainability and audit-by-construction.
This note is about that gap, what it takes to close it, and what closes when you do.
01 / What forensic reconstruction actually is
The dominant pattern in production AI systems treats provenance as a logging concern. Three streams of log data are kept alongside the inference: the prompt, the model’s response, and the documents the retrieval layer returned. Sometimes a fourth: the conversation history. When provenance is asked for later, the answer requires reading those streams in parallel and inferring how they relate.
Three things make this fragile. First, the relationship between a retrieved passage and a specific claim in the output is not asserted by the system - it is inferred by the auditor. Second, retrieval is suggestive: the model can use, paraphrase, ignore, or hallucinate around retrieved content, and the log does not know which. Third, the answer the auditor produces is hypothetical. It is the most plausible reconstruction, given the evidence, not the actual chain. None of these are model failures; they are properties of the architecture. Provenance was parallel to inference, not part of it.
In healthcare workflows, this architecture fails the compliance question. The inspector is not interested in the auditor’s reconstruction. The inspector wants the substrate’s own statement of where the output came from. The forensic answer is “here is our best guess, given the logs”. The defensible answer is “here is what the system itself said it consulted, at generation time, in the same call that produced the output”.
02 / What provenance at generation time actually requires
The shift is structural. It is not a richer logging schema or a better post-hoc explainer. It is the commitment that every output carries its substrate trace as part of the response object, recorded as the inference happens, by the same system that produced the output.
Four properties have to be true at once for this to work.
The substrate has to be queryable in structured form. The AI cannot point at “the document we were trained on” or “the passage we retrieved”; it has to point at substrate elements with stable identifiers, at specific versions, with a rationale or rule associated with each element. The substrate carries this information as a first-class property of each node, not as metadata derived later.
The model has to be constrained to compose from substrate elements. This is the architectural commitment from the anchor essay - the substrate sits underneath the model, and the model is bounded by it. Without this, the substrate trace attached to a response is decorative: the model could have ignored the substrate and produced the output anyway, with the trace bolted on for show. With this, the trace is binding: the substrate elements are what the output is composed from.
The response object has to carry the trace inline. Not in a separate log, not in a provenance sidebar that the consumer correlates by request-id, not in an audit pipeline that runs hours later. The response includes the prose answer and the trace as one structured object. A downstream system, or an auditor, reads them together because they are the same artefact.
The trace has to be at the claim level, not the call level. An output that composes multiple substrate elements - say, a clinical decision-support recommendation that combines a coding decision, a drug-interaction check, and a regulator-specific reporting rule - needs to record each grounding, not just the fact that three substrate calls happened. Claim-level provenance is what an inspector reads to verify that this specific recommendation is defensible, not that some substrate consultation occurred.
All four properties have to hold together. Any one of them missing degrades the trace to a forensic artefact at best, and back to plausible-deniability at worst.
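The four properties above are checkable on the response object itself, which is the point of carrying the trace inline. The following is an added example, not code from this note or from any system it describes: a minimal response shape with a claim-level trace, and a checker that rejects a trace which fails any of the four properties. The substrate snapshot, element identifiers, versions and rule text are constructed placeholders. The resolution check (does each cited element exist at that version, with a rule attached) is the same check one would run on whatever a substrate server returns, whatever transport carried it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed substrate snapshot for the example: (element_id, version) -> node.
# Identifiers, versions and rule text are placeholders, not a real knowledge base.
SUBSTRATE: Dict[Tuple[str, str], dict] = {
    ("node:daily-cap", "v3"): {"rule": "Daily cap is 4 g.", "curator": None},
    ("node:interaction-ab", "v7"): {"rule": "A potentiates B; halve B.", "curator": "curator:jd"},
    ("node:report-window", "v2"): {"rule": "Report within 15 days.", "curator": None},
}

@dataclass
class Claim:
    text: str                             # one sentence of the output
    grounding: List[Tuple[str, str]]      # (element_id, version) pairs it was composed from
    basis: str = "rule"                   # "rule" or "judgement"
    curator: Optional[str] = None         # curator-of-record when basis == "judgement"

@dataclass
class Response:
    prose: str                                          # what the user reads
    claims: List[Claim] = field(default_factory=list)   # the inline, claim-level trace

def sentences(text: str) -> List[str]:
    """Split prose into sentences; each must be accounted for by exactly one claim."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s.strip()]

def check_response(resp: Response, substrate=SUBSTRATE) -> List[str]:
    """Return violations of the four properties; an empty list means the trace is binding."""
    problems: List[str] = []
    claimed = {c.text for c in resp.claims}
    # Properties 3 and 4: the trace is inline and per claim, so every sentence of the
    # prose has to be a claim. A call-level trace ("three calls happened") fails here.
    if not resp.claims:
        problems.append("no inline trace")
    for s in sentences(resp.prose):
        if s not in claimed:
            problems.append(f"sentence not in trace: {s!r}")
    for c in resp.claims:
        # Property 2: a claim is composed from substrate elements, never free text.
        if not c.grounding:
            problems.append(f"ungrounded claim: {c.text!r}")
        # Property 1: each element resolves at a stable id and version, with a rule.
        for eid, ver in c.grounding:
            node = substrate.get((eid, ver))
            if node is None:
                problems.append(f"{eid}@{ver} does not resolve")
            elif not node.get("rule"):
                problems.append(f"{eid}@{ver} carries no rule or rationale")
        # Curator judgement is on the trace, not implied by it.
        if c.basis == "judgement" and not c.curator:
            problems.append(f"judgement without curator-of-record: {c.text!r}")
    return problems

# A binding trace: every sentence is a claim, every claim resolves.
GOOD = Response(
    prose="Daily cap is 4 g. Halve B because A potentiates B.",
    claims=[
        Claim("Daily cap is 4 g.", [("node:daily-cap", "v3")]),
        Claim("Halve B because A potentiates B.", [("node:interaction-ab", "v7")],
              basis="judgement", curator="curator:jd"),
    ],
)

# A call-level trace: the calls are recorded, but nothing binds them to the sentences.
CALL_LEVEL = Response(
    prose="Daily cap is 4 g. Halve B because A potentiates B.",
    claims=[Claim("calls: daily-cap, interaction-ab",
                  [("node:daily-cap", "v3"), ("node:interaction-ab", "v7")])],
)

# A trace that cites a version the substrate does not hold.
STALE = Response(
    prose="Daily cap is 4 g.",
    claims=[Claim("Daily cap is 4 g.", [("node:daily-cap", "v2")])],
)

if __name__ == "__main__":
    for name, r in (("good", GOOD), ("call-level", CALL_LEVEL), ("stale", STALE)):
        print(name, check_response(r) or "ok")
```

The checker cannot prove the model was bounded by the substrate at inference time; what it can do is refuse any response whose prose is not fully covered by grounded claims, which is the observable difference between a binding trace and a decorative one.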
03 / Where MCP lands and where it stops short
Model Context Protocol (MCP) is the closest open standard we have that approaches this architecture. MCP gives AI agents structured access to tools and resources, and tool calls are part of the conversation trace by design. That is materially more disciplined than retrieval-augmented generation, which makes no claim at all about which retrieved passage shaped which output line.
But MCP alone is not provenance at generation time, and treating it as such is a category error.
MCP standardises the call interface between agents and external systems. It does not constrain the response discipline of the systems on the other side of the calls. An MCP server backing an AI agent can return whatever it wants to return - including unstructured text, including text without provenance, including text that does not resolve to canonical references. The discipline has to live in the server, not in the protocol.
MCP also does not, by itself, constrain the model from composing outside the substrate. A model with access to an MCP server can still ignore the substrate’s response and produce its own answer, just as a model with retrieved documents can. The architectural binding - the model is bounded by the substrate, not just informed by it - is a separate commitment, made by the system designer, that MCP can support but does not enforce.
And the trace MCP produces is per-tool-call, not per-claim. The conversation transcript shows which tools the agent called and what each returned. It does not show, for a paragraph of output, which substrate elements grounded which sentence. When the output makes several claims and the calls do not map one-to-one onto them, claim-level provenance has to be re-derived, which is the forensic step this architecture is meant to remove.
The pattern that works treats MCP as the transport for a substrate that carries its own provenance discipline. The agent calls into a substrate that returns structured nodes with stable identifiers and versions. The agent’s response - the prose it produces for the user, or the downstream document it composes - carries the substrate’s response inline, claim by claim, recorded as the agent generates the output. MCP is the wire; the substrate’s discipline is the cargo. The combination is provenance-at-generation-time. MCP alone is not.
04 / The pharmacovigilance trace, made concrete
The anchor essay used ICSR (Individual Case Safety Report) coding as the worked example - a signal-detection AI mapping a patient narrative to MedDRA (Medical Dictionary for Regulatory Activities) terms, evaluating seriousness, and flagging expedited-reporting requirements. The architectural claim there was that the response has to carry a substrate trace. This note is about what that trace consists of, at a concept level.
For the coding decision, the trace records the Lowest Level Term (LLT) identifier at the MedDRA version consulted, the Preferred Term (PT) it rolls up to under that version’s hierarchy, and the rule or rationale for the LLT-to-PT mapping. For the seriousness evaluation, it records the criteria set the AI applied and the version of that criteria set. For the expedited-reporting flag, it records the regulator-specific threshold consulted and the rationale for which regulator’s framework was applied, given the jurisdiction. Where any of these required curator judgement rather than a rule, the curator-of-record is on the trace, not implied by it.
The inspector reads this trace and sees, directly, what the AI consulted. There is no reconstruction step. The substrate’s own statement of grounding sits next to the output it grounded. If the inspector wants to verify that the grounding is current, she pins the version. If she wants to verify that the curator’s judgement was sound, the curator-of-record is on the record. If she wants to audit every coded event in the quarter, the same trace runs at scale through the same query. The audit pipeline is the substrate, queried under the same discipline as everything else.
The forensic counterpart, by contrast, would offer logs of the prompt, the retrieved MedDRA passages, and the model’s response. The inspector would then have to read each, infer which passage influenced which code, and reason about whether the inference is right. The discipline-gap between the two is what an audit cycle measures in weeks - and it is also what the difference between plausibly defensible and defensibly built looks like in practice.
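To make the trace and the two audit moves in this section concrete (pinning the version, checking the curator-of-record, and running the same check over every case in a quarter), here is an added example that is not code from this note, the anchor essay or any product. It encodes the three groundings the coding trace carries and audits a batch of them as a query. Every LLT and PT code, MedDRA version string, criteria-set name, threshold name and case number is a constructed placeholder; none is real MedDRA or regulator content.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Everything in this file is constructed for illustration: element identifiers,
# versions, criteria-set names, thresholds and case numbers are placeholders,
# not real MedDRA terms or regulator rules.

@dataclass
class Grounding:
    element: str                   # stable id, "<family>/<identifier>"
    version: str                   # version of that substrate family consulted
    rationale: str                 # rule applied, or the reason behind a judgement
    basis: str = "rule"            # "rule" or "judgement"
    curator: Optional[str] = None  # curator-of-record, required when basis == "judgement"

    def family(self) -> str:
        return self.element.split("/", 1)[0]

@dataclass
class IcsrTrace:
    case_id: str
    coding: Grounding       # LLT consulted and the PT it rolls up to, at a MedDRA version
    seriousness: Grounding  # seriousness criteria set and its version
    reporting: Grounding    # regulator threshold consulted and why that framework applied

    def parts(self):
        return (("coding", self.coding), ("seriousness", self.seriousness),
                ("reporting", self.reporting))

def version_drift(trace: IcsrTrace, pinned: Dict[str, str]) -> List[str]:
    """Groundings whose consulted version is not the one the inspector pinned for that family."""
    out = []
    for name, g in trace.parts():
        want = pinned.get(g.family())
        if want is not None and g.version != want:
            out.append(f"{trace.case_id} {name} {g.element}@{g.version} (pinned {want})")
    return out

def missing_curator(trace: IcsrTrace) -> List[str]:
    """Judgement calls on the trace that do not name a curator-of-record."""
    return [f"{trace.case_id} {name}" for name, g in trace.parts()
            if g.basis == "judgement" and not g.curator]

def audit_quarter(traces: List[IcsrTrace], pinned: Dict[str, str]) -> dict:
    """Run the same two checks over every trace: the audit is a query, not a reconstruction."""
    drift, curators, clean = [], [], []
    for t in traces:
        d, m = version_drift(t, pinned), missing_curator(t)
        drift += d
        curators += m
        if not d and not m:
            clean.append(t.case_id)
    return {"cases": len(traces), "version_drift": drift,
            "missing_curator": curators, "clean": clean}

# The versions the inspector pins for this audit (constructed values).
PINNED = {"meddra": "27.1", "seriousness": "2024.2", "reporting": "2025.1"}

def coding(llt: str, pt: str, version: str) -> Grounding:
    """Coding grounding: the LLT at the version consulted, with its roll-up rationale."""
    return Grounding(f"meddra/{llt}", version,
                     f"{llt} rolls up to {pt} under the {version} hierarchy")

# Constructed quarter of three coded cases.
QUARTER = [
    IcsrTrace("ICSR-0001",
              coding("LLT:00000123", "PT:00000100", "27.1"),
              Grounding("seriousness/criteria-set-A", "2024.2", "hospitalisation criterion met"),
              Grounding("reporting/EU-15-day", "2025.1", "EU jurisdiction; serious and unexpected")),
    IcsrTrace("ICSR-0002",
              coding("LLT:00000456", "PT:00000400", "27.0"),   # coded against a superseded version
              Grounding("seriousness/criteria-set-A", "2024.2", "no criterion met"),
              Grounding("reporting/EU-15-day", "2025.1", "EU jurisdiction; not expedited")),
    IcsrTrace("ICSR-0003",
              coding("LLT:00000789", "PT:00000700", "27.1"),
              Grounding("seriousness/criteria-set-A", "2024.2", "medically important event"),
              Grounding("reporting/US-15-day", "2025.1", "patient domiciled in US",
                        basis="judgement")),                    # judgement with no curator named
]

if __name__ == "__main__":
    for k, v in audit_quarter(QUARTER, PINNED).items():
        print(k, v)
```

Both checks read fields the trace already carries; neither opens a prompt log or guesses which passage influenced which code. Drift is reported per grounding rather than per case because the inspector wants to know which decision was made against a superseded version, not merely that the case is tainted.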
05 / Why this is the closing move of the arc
The architectural arc this journal opened with - the anchor essay’s claim that knowledge belongs underneath AI rather than alongside it - has three load-bearing parts. The substrate underneath; the model bounded by it; and the provenance recorded in the response. The first two have been argued at length elsewhere. This note is the third. Without it, “underneath” and “bounded” produce a system that looks more disciplined than the alternatives but cannot prove that it is. With it, the discipline is in the response itself - which is what makes the architecture survive an audit by construction rather than by goodwill.
The Attic Standard sits underneath all three commitments and shows up here as Aletheia made structural. Aletheia is disclosure: the substrate’s claims have a source, and the source is itself first-class. Provenance at generation time is that disclosure made operational - the source is in the response, at the moment the response is produced, in a form the inspector reads directly. The discipline and the architecture are the same commitment, expressed at different layers.
The next note in this thread will move from the architecture to the engineering underneath it - why we shipped MERGE-only loaders, the design choice that makes the versioned substrate this whole architecture depends on actually possible to refresh safely.