| Internet-Draft | VAP-LAP | February 2026 |
| Yamakawa | Expires 28 August 2026 | [Page] |
This document specifies the Verifiable AI Provenance (VAP) Framework, a cross-domain upper framework for cryptographically verifiable decision audit trails in high-risk AI systems, along with the Legal AI Profile (LAP), a domain-specific instantiation for legal AI and LegalTech systems.¶
VAP defines common infrastructure including hash chain integrity, digital signatures, unified conformance levels (Bronze/Silver/Gold), external anchoring via RFC 3161 Time-Stamp Protocol and compatible transparency services (including IETF SCITT), a Completeness Invariant pattern guaranteeing no selective logging, standardized Evidence Pack format for regulatory submission, and privacy-preserving verification protocols.¶
LAP extends VAP for the judicial AI domain, addressing unique requirements including attorney oversight verification (Human Override Coverage), three-pipeline completeness invariants for legal consultation, document generation, and fact-checking, tiered content retention with legal hold protocols for judicial discovery compliance, graduated override enforcement mechanisms, and privacy- preserving fields designed to maintain attorney-client privilege while enabling third-party auditability.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 28 August 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
The deployment of AI systems in high-risk domains -- including finance, healthcare, transportation, and the administration of justice -- creates a structural accountability gap. AI decisions that affect fundamental rights and societal infrastructure lack standardized, cryptographically verifiable audit trails that independent third parties can inspect.¶
Current approaches rely on trust-based governance: AI providers assert that their systems are safe and well-logged, but no independent party can cryptographically verify these claims. The Verifiable AI Provenance (VAP) Framework addresses this gap by defining a "Verify, Don't Trust" architecture for AI decision provenance.¶
This document defines two complementary specifications:¶
VAP targets AI systems where "system failure could cause significant and irreversible harm to human life, societal infrastructure, or democratic institutions." This intentionally strict scope distinguishes VAP from general-purpose logging frameworks.¶
LAP specifically addresses legal AI systems that provide AI-powered legal consultation, document generation, and fact-checking services to licensed attorneys.¶
The core principle is "Verify, Don't Trust." Rather than relying on AI providers' claims about the safety and integrity of their systems, VAP enables independent, cryptographic verification of every AI decision's provenance, completeness, and human oversight.¶
NOTE: This Internet-Draft is the authoritative specification for the VAP Framework and LAP Profile. Where differences exist between this document and other published descriptions of the VAP Framework (e.g., companion white papers or implementation guides), this Internet-Draft takes precedence.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
VAP is organized into four core layers, a common infrastructure layer, and a domain profile layer:¶
VAP supports multiple domain profiles. Each profile MUST define:¶
Registered profiles include VCP (Finance), CAP (Content/Creative AI), and LAP (Legal AI, defined in Part II of this document). Additional profiles for automotive (DVP), medical (MAP), and public administration (PAP) domains are under development.¶
All VAP-conformant implementations MUST support the primary algorithms listed below. Implementations SHOULD support at least one alternative algorithm in each category for migration purposes. Post-quantum algorithms are listed for future migration readiness and are currently OPTIONAL.¶
| Category | Primary (MTI) | Alternative | Post-Quantum (Future MTI) |
|---|---|---|---|
| Hash | SHA-256 | SHA-384, SHA-512 | SHA3-256 |
| Signature | Ed25519 ([RFC8032]) | ECDSA P-256 ([RFC6979]) | ML-DSA-65 ([FIPS204]) |
| Encryption | AES-256-GCM | ChaCha20-Poly1305 | N/A (see KEM row) |
| KEM | N/A (classical key exchange) | N/A | ML-KEM-1024 ([FIPS203]) |
Note: The Post-Quantum signature algorithm ML-DSA-65 (formerly known as CRYSTALS-Dilithium, renamed upon FIPS 204 standardization in August 2024) provides security equivalent to AES-192. This parameter set was selected as a balance between signature size (3,309 bytes) and security margin for legal audit trails requiring multi-decade retention. ML-DSA-44 (AES-128 equivalent) was considered insufficient for the intended retention periods; ML-DSA-87 (AES-256 equivalent) imposes significantly larger signatures (4,627 bytes) with marginal practical benefit for this use case.¶
Note: ML-KEM-1024 (formerly known as CRYSTALS-Kyber, renamed upon FIPS 203 standardization in August 2024) is a key encapsulation mechanism (KEM), not an encryption algorithm. It is listed separately from symmetric encryption because KEM and symmetric encryption serve different roles: KEM establishes shared secrets for key agreement, while AES-256-GCM provides authenticated encryption of content.¶
Implementations MUST include algorithm identifiers in all cryptographic fields. The following table defines the canonical algorithm identifiers used in field values and wire-format prefixes:¶
| Algorithm | Field Value (hash_algo / sign_algo) | Wire Prefix (in encoded strings) | Reference |
|---|---|---|---|
| SHA-256 | "sha-256" | "sha-256:" | NIST FIPS 180-4 |
| SHA-384 | "sha-384" | "sha-384:" | NIST FIPS 180-4 |
| SHA-512 | "sha-512" | "sha-512:" | NIST FIPS 180-4 |
| SHA3-256 | "sha3-256" | "sha3-256:" | NIST FIPS 202 |
| Ed25519 | "ed25519" | "ed25519:" | [RFC8032] |
| ECDSA P-256 | "ecdsa-p256" | "ecdsa-p256:" | [RFC6979] |
| ML-DSA-65 | "ml-dsa-65" | "ml-dsa-65:" | [FIPS204] |
All algorithm identifiers MUST be lowercase ASCII strings with hyphens as separators. The field value and wire prefix use the same string (the wire prefix appends a colon as delimiter). Implementations MUST perform case-insensitive comparison when validating algorithm identifiers but MUST produce lowercase output. These identifiers enable crypto agility and algorithm migration as specified in Section 4.4.¶
Events MUST be linked in a hash chain where each event's hash includes the hash of the preceding event.¶
The Hash Input is computed by removing the following fields from the event before canonicalization:¶
The remaining fields (including security.hash_algo, security.sign_algo, and security.signer_id) are retained in the hash input. This explicit exclusion list prevents circular references (event_hash cannot be included in its own computation) and ensures that implementations agree on the hash input.¶
The computation proceeds as follows:¶
HashInput[n] = Event[n] with {security.event_hash,
security.signature} removed
EventHash[n] = HashAlgo(JCS-Canonicalize(HashInput[n]))
where:
Event[n].header.prev_hash = EventHash[n-1]
Event[0].header.prev_hash = null (genesis event)
HashAlgo is the algorithm specified in security.hash_algo
JCS-Canonicalize follows RFC 8785
¶
Canonicalization MUST follow [RFC8785] (JSON Canonicalization Scheme).¶
Chain integrity verification MUST confirm:¶
Every event MUST be signed. The signature MUST be computed over the EventHash bytes (not over the raw event):¶
Signature = SignAlgo.Sign(PrivateKey, EventHash_bytes)¶
The signature MUST be encoded as follows:¶
security.signature = sign_algo_id ":" Base64url(Signature_bytes)¶
where sign_algo_id is the canonical algorithm identifier from Table 2 matching the security.sign_algo field (e.g., "ed25519", "ecdsa-p256"), and Base64url encoding follows [RFC4648] Section 5 (URL-safe alphabet, no padding).¶
The primary mandatory-to-implement (MTI) signature algorithm is Ed25519 [RFC8032]. Implementations MUST support Ed25519 and SHOULD support at least one additional algorithm from Table 1 for migration purposes.¶
VAP is designed for crypto agility per BCP 201 [RFC7696]. Algorithm migration proceeds as follows:¶
During migration, the hash chain MAY contain events signed with different algorithms. Verifiers MUST support all algorithms that appear in the chain being verified.¶
Audit trails with multi-decade retention periods (up to 10 years at Gold level) face exposure to "harvest now, decrypt later" attacks. NIST has announced timelines for deprecating RSA and ECC algorithms (targeted deprecation by 2030, disallowance by 2035).¶
Implementations with Gold-level retention requirements SHOULD prepare for post-quantum transition by:¶
All VAP-conformant events MUST include the following fields:¶
{
"vap_version": "1.3",
"profile": {
"id": "string (VCP|CAP|LAP|DVP|MAP|PAP)",
"version": "semver string"
},
"header": {
"event_id": "UUIDv7 (RFC 9562)",
"chain_id": "UUIDv7",
"prev_hash": "sha-256:<64 lowercase hex chars> | null",
"timestamp": "RFC 3339 datetime with timezone",
"event_type": "string (profile-specific)",
"causal_link": {
"target_event_id": "UUIDv7 | null",
"link_type": "string (OUTCOME_OF|OVERRIDE_OF|HOLD_ON|
RECOVERY_OF|TIER_CHANGE_OF|null)"
}
},
"provenance": {
"actor": {
"actor_id": "string",
"actor_hash": "sha-256:<64 lowercase hex chars>",
"role": "string"
},
"input": { },
"context": { },
"action": { },
"outcome": { }
},
"accountability": {
"operator_id": "string",
"last_approval_by": "string",
"approval_timestamp": "RFC 3339"
},
"domain_payload": { },
"security": {
"event_hash": "sha-256:<64 lowercase hex chars>",
"hash_algo": "sha-256",
"signature": "ed25519:base64url...",
"sign_algo": "ed25519",
"signer_id": "string"
}
}
¶
Event identifiers MUST use UUIDv7 ([RFC9562]) to ensure time-ordered sortability. JSON canonicalization MUST follow [RFC8785].¶
The profile.id field MUST be 1-4 uppercase ASCII characters matching a registered profile identifier (see Section 21.2). Note that profile identifiers use uppercase (e.g., "LAP") while algorithm identifiers use lowercase (e.g., "sha-256") per Table 2; this distinction is intentional and reflects their different registries.¶
Timestamps MUST conform to [RFC3339] (a profile of ISO 8601) and MUST include a timezone offset or "Z" for UTC. Implementations SHOULD use UTC for all timestamps.¶
The header.causal_link field provides a standardized location for referential integrity across all profiles. Outcome events MUST set target_event_id to the originating attempt event's identifier and link_type to "OUTCOME_OF". HUMAN_OVERRIDE events MUST set target_event_id to the target output event and link_type to "OVERRIDE_OF". Events with no causal link MUST set both fields to null.¶
Hash values MUST be encoded as lowercase hexadecimal strings, prefixed with the canonical algorithm identifier (from Table 2) followed by a colon (e.g., "sha-256:a1b2c3..."). The hexadecimal string MUST be the exact length corresponding to the hash output (64 characters for sha-256, 96 for sha-384, 128 for sha-512).¶
All text fields MUST be encoded as UTF-8 ([RFC3629]).¶
Fields representing monetary amounts, cryptographic values, or high-precision measurements SHOULD be encoded as JSON strings rather than JSON numbers. This recommendation is motivated by:¶
Fields where exact precision is not critical (e.g., event_count, token_count) MAY use JSON numbers. Implementations MUST document which fields use string encoding. Implementations that use JSON numbers for counters MUST ensure that any numeric-to-string conversion performed during canonicalization is deterministic and documented, to avoid signature verification ambiguity across languages and libraries.¶
VAP defines three conformance levels applicable to all domain profiles. Each level inherits all requirements of lower levels (Gold is a superset of Silver, which is a superset of Bronze).¶
Target: SMEs, early adopters. Core capabilities:¶
Note: Formal JSON Schema definitions for validation are provided in Appendix "Appendix B. Validation Requirements". Bronze implementations MUST validate the presence and type of all REQUIRED fields defined in Section 5.¶
Target: Enterprise, regulated industries. Additional requirements beyond Bronze:¶
Target: Highly regulated industries. Additional requirements beyond Silver:¶
External anchoring proves that events existed at a specific point in time, preventing backdating, forward-dating, and log forking.¶
VAP defines an abstract anchoring interface that can be realized by multiple service types. The baseline anchoring service is [RFC3161] Time-Stamp Authority (TSA), with [RFC5816] support for ESSCertIDv2 (enabling SHA-256 certificate identification instead of SHA-1). Additional service types include transparency logs and public blockchains.¶
Gold Level implementations MUST use at least one transparency log service (such as SCITT) or equivalent, in addition to or instead of RFC 3161 TSA. Implementations SHOULD use multiple independent anchoring services for critical deployments.¶
{
"anchor_id": "UUIDv7",
"anchor_type": "RFC3161 | TRANSPARENCY_LOG | BLOCKCHAIN",
"merkle_root": "sha-256:<64 lowercase hex chars>",
"event_count": 1000,
"first_event_id": "UUIDv7",
"last_event_id": "UUIDv7",
"first_event_timestamp": "RFC 3339",
"last_event_timestamp": "RFC 3339",
"anchor_timestamp": "RFC 3339",
"anchor_proof": { },
"service_endpoint": "https://tsa.example.com"
}
¶
The anchor_proof field is an object whose structure depends on the anchor_type:¶
Events MUST be batched into a binary Merkle hash tree for efficient anchoring and selective disclosure. The tree construction follows [RFC9162] (Certificate Transparency Version 2.0) Section 2, which obsoletes [RFC6962]:¶
MTH({}) = SHA-256() (empty hash for zero inputs)
MTH({d(0)}) = SHA-256(0x00 || d(0))
MTH(D[n]) = SHA-256(0x01 || MTH(D[0:k]) || MTH(D[k:n]))
where:
D[n] is the list of n event hashes
k is the largest power of 2 less than n
0x00 is the leaf node prefix
0x01 is the interior node prefix
|| denotes concatenation
¶
This construction uses domain separation prefixes (0x00 for leaves, 0x01 for interior nodes) to prevent second-preimage attacks, and handles non-power-of-two leaf counts without duplicating leaves, consistent with [RFC9162].¶
The resulting Merkle root is submitted to the external anchoring service. Merkle inclusion proofs enable selective disclosure: a verifier can confirm that a specific event is included in an anchored batch without accessing other events in the batch.¶
The Completeness Invariant is a mathematical guarantee that every "attempt" event has exactly one corresponding "outcome" event. This prevents selective logging -- the omission of inconvenient records.¶
General form:¶
For each pipeline P:
Count(P_ATTEMPT) = Count(P_SUCCESS)
+ Count(P_DENY)
+ Count(P_ERROR)
¶
The invariant enforces three properties:¶
Domain profiles MUST specify which event types constitute attempts and outcomes for the invariant. Each outcome event MUST set header.causal_link.target_event_id to the originating attempt event's event_id and header.causal_link.link_type to "OUTCOME_OF".¶
Verification SHOULD account for a configurable grace period for in-flight operations. The grace period MUST NOT exceed 300 seconds (RECOMMENDED default: 60 seconds). If an ATTEMPT event has no corresponding outcome event after the grace period has elapsed, a verification implementation SHOULD treat this as a completeness violation. Implementations MAY emit a synthetic TIMEOUT_ERROR outcome event when the grace period expires, to maintain the invariant.¶
An Evidence Pack is a self-contained, signed package of provenance events suitable for regulatory submission and third-party audit.¶
An Evidence Pack MUST contain:¶
The Evidence Pack SHOULD be packaged as a ZIP archive with the media type application/vap-evidence-pack+zip (see Section 21.1). The manifest MUST use the media type application/vap-manifest+json.¶
The manifest MUST include the following fields:¶
The manifest MAY include additional profile-specific fields as defined by the domain profile specification.¶
VAP enables verification of system integrity without disclosure of sensitive data. This is achieved through:¶
This mechanism is particularly critical for LAP, where attorney- client privilege prevents disclosure of consultation content while still requiring verifiable audit trails.¶
Per-tenant salts MUST meet the following requirements:¶
For fields with low input entropy (such as bar registration numbers, which occupy a bounded numeric space), plain SHA-256(salt || value) is vulnerable to dictionary attack if the salt is compromised. For such fields, implementations MUST use HMAC-SHA-256 with the tenant salt as key:¶
BarNumberHash = "sha-256:" || hex(HMAC-SHA-256(tenant_salt,
bar_number_bytes))
¶
In the event of salt compromise, the implementation MUST:¶
| Level | Events | Anchor Records | Evidence Packs | Keys |
|---|---|---|---|---|
| Bronze | 6 months | N/A | On-demand | 1 year after last use |
| Silver | 2 years | 5 years | 2 years | 3 years after last use |
| Gold | 5 years | 10 years | 5 years | 7 years after last use |
Retention periods MUST be extended upon: regulatory investigation notification, legal hold orders, security or safety incidents, and third-party audit requests.¶
Domain profiles MAY specify extended retention periods beyond the VAP baseline where domain-specific regulations require longer retention (see Section 18 for LAP extensions).¶
For privacy regulation compliance (e.g., [GDPR] "right to be forgotten"), implementations at Silver level and above SHOULD support crypto-shredding: encrypting personal data with per-user keys and deleting those keys to render the data cryptographically unrecoverable while preserving hash chain integrity.¶
VAP audit trails are designed to minimize tension with data protection regulations:¶
NOTE: The applicability of specific GDPR exceptions to VAP audit trails is a legal determination outside the scope of this specification. Implementations SHOULD consult legal counsel regarding data protection compliance in their deployment jurisdictions.¶
Implementations face a tension between privacy-preserving verification (which favors early deletion of sensitive content) and legal discovery obligations (which may require content disclosure). To address this, VAP defines three content retention tiers that domain profiles MAY adopt:¶
Transition from Tier 1 to Tier 2 MUST NOT occur while any Legal Hold is active for the affected events. Transition from Tier 2 to Tier 3 MUST NOT occur while any Legal Hold is active.¶
Implementations MUST log all tier transitions as RETENTION_TIER_CHANGE events in the provenance chain.¶
Tier 2 escrow custodians MUST satisfy the following:¶
A CONTENT_RECOVERY_EXECUTED event MUST be logged upon successful recovery, including: hold_id, recovered_event_range, recovered_by (actor hash), custodian_id, and court_order_reference_hash (if applicable).¶
A Legal Hold freezes the current retention tier for all events within scope, preventing content deletion or tier transition.¶
Legal Hold triggers:¶
When a Legal Hold is activated:¶
Legal Hold activation MUST be available at Bronze level. Automated Legal Hold detection (e.g., triggered by court filing notifications or regulatory inquiry receipt) is RECOMMENDED at Gold level.¶
When a court or regulatory body orders full content disclosure for specific events, the response depends on the current retention tier:¶
Content is cryptographically unrecoverable. The implementation MUST provide:¶
This three-tier approach enables implementations to demonstrate to judicial authorities that content deletion followed a documented, auditable process rather than constituting potential evidence spoliation.¶
NOTE: The adequacy of hash-only evidence for specific judicial proceedings is a jurisdiction-specific legal determination outside the scope of this specification. This framework provides the maximum available technical evidence in each retention tier.¶
Verification is available at three access levels:¶
Verification steps:¶
Silver and Gold level implementations that expose a third-party verification endpoint MUST support at minimum the following HTTP endpoints. All responses MUST use Content-Type application/json and MUST include appropriate authentication (e.g., Bearer token, mutual TLS).¶
Error responses MUST use standard HTTP status codes (400 for malformed requests, 401/403 for authentication/authorization failures, 404 for unknown resources, 500 for server errors) with a JSON body containing "error" (string code) and "detail" (human-readable description).¶
The Legal AI Profile (LAP) is a VAP domain profile for judicial AI and LegalTech systems. LAP addresses unique challenges in the legal domain:¶
| Field | Value |
|---|---|
| Profile ID | LAP |
| Full Name | Legal AI Profile |
| Domain | Legal AI / LegalTech |
| Regulatory Scope | Attorney regulation, AI governance (informative) |
| Time Precision | Second |
| Profile Version | 0.4.0 |
LAP defines three functional pipelines, one cross-cutting control event type, and administrative event types for retention and enforcement management:¶
AI-powered legal consultation:¶
AI-assisted legal document drafting:¶
AI-powered legal fact verification:¶
Implementations MAY define LEGAL_FACTCHECK_DENY for cases where a fact-check request is refused due to rate limiting, insufficient permissions, or consent constraints. The deny_reason field SHOULD distinguish these from system errors.¶
If an implementation does not support LEGAL_FACTCHECK_DENY, refusal conditions MUST be recorded as LEGAL_FACTCHECK_ERROR with a deny_equivalent indicator set to true in the error detail, ensuring the Completeness Invariant is maintained.¶
HUMAN_OVERRIDE events record an attorney's review of any AI output:¶
HUMAN_OVERRIDE events MUST set header.causal_link.target_event_id to the target outcome event's identifier and header.causal_link.link_type to "OVERRIDE_OF". The event MUST also include the attorney's identity (bar number hash), override type, and optional modification details in the domain_payload.¶
LAP defines additional event types for retention management and override enforcement:¶
These events are NOT part of the three-pipeline Completeness Invariant (they are control and administrative events, similar to HUMAN_OVERRIDE). However, they MUST be included in the hash chain and signed.¶
LAP applies the Completeness Invariant independently to all three pipelines:¶
For each pipeline P in {QUERY, DOC, FACTCHECK}:
Count(LEGAL_{P}_ATTEMPT)
= Count(LEGAL_{P}_RESPONSE)
+ Count(LEGAL_{P}_DENY) [if supported]
+ Count(LEGAL_{P}_ERROR)
Expanded:
LEGAL_QUERY_ATTEMPT = LEGAL_QUERY_RESPONSE
+ LEGAL_QUERY_DENY
+ LEGAL_QUERY_ERROR
LEGAL_DOC_ATTEMPT = LEGAL_DOC_RESPONSE
+ LEGAL_DOC_DENY
+ LEGAL_DOC_ERROR
LEGAL_FACTCHECK_ATTEMPT = LEGAL_FACTCHECK_RESPONSE
+ LEGAL_FACTCHECK_DENY [if supported]
+ LEGAL_FACTCHECK_ERROR
¶
For implementations that do not support LEGAL_FACTCHECK_DENY, the invariant simplifies to ATTEMPT = RESPONSE + ERROR for Pipeline 3. Refusal conditions recorded as ERROR with deny_equivalent MUST be counted toward the invariant.¶
Each outcome event MUST set header.causal_link.target_event_id to the originating attempt event's event_id and header.causal_link.link_type to "OUTCOME_OF", ensuring referential integrity can be verified independently of event ordering.¶
HUMAN_OVERRIDE events are outside the Completeness Invariant but LAP defines Override Coverage as a critical operational metric:¶
Override Coverage =
Count(distinct target_event_id with at least one
HUMAN_OVERRIDE where link_type = "OVERRIDE_OF") /
Count(LEGAL_*_RESPONSE)
¶
This metric quantifies the degree to which human professionals review AI outputs. In jurisdictions where regulations require that a licensed professional personally scrutinize AI-generated work products, this metric provides measurable evidence of compliance.¶
Design notes on the denominator:¶
| Coverage | Assessment | Operational Implication |
|---|---|---|
| 100% | Ideal | Full professional oversight of all AI outputs |
| 70-99% | Good | Majority reviewed; low-risk outputs may be excluded |
| 30-69% | Warning | Insufficient review; operational improvement recommended |
| <30% | Critical | Professional oversight requirements likely unmet |
Override Coverage tracking alone provides post-hoc accountability but does not prevent the use of unreviewed AI outputs in professional practice. LAP defines four enforcement levels to address this structural limitation:¶
When a user attempts to export, copy, or transmit an AI-generated output that has no corresponding HUMAN_OVERRIDE event, the system MUST display a prominent warning indicating that the output has not been professionally reviewed.¶
The warning MUST: (a) be displayed in-context at the point of export or copy action; (b) require explicit acknowledgment before proceeding; and (c) record a REVIEW_WARNING_ACKNOWLEDGED event in the provenance chain.¶
For designated high-risk document types, the system MUST require a HUMAN_OVERRIDE event before permitting export or transmission.¶
The gate MUST: (a) block export, copy, and transmit actions until a HUMAN_OVERRIDE (APPROVE or MODIFY) event exists for the target output; (b) record a REVIEW_GATE_BLOCKED event when an export attempt is blocked; and (c) allow the gate to be bypassed ONLY by a user with "attorney" role AND explicit override, recorded as a REVIEW_GATE_OVERRIDE event with a mandatory reason field.¶
Document types subject to gating SHOULD be configurable per tenant. The default gated types are: court filings, settlement and mediation documents, client-facing legal opinions, and contracts and agreements.¶
| Enforcement | Bronze | Silver | Gold |
|---|---|---|---|
| Level 0 (Metric Only) | Default | Minimum | N/A |
| Level 1 (Warn) | OPTIONAL | REQUIRED | REQUIRED |
| Level 2 (Gate) | N/A | RECOMMENDED | RECOMMENDED |
| Level 3 (Strict) | N/A | OPTIONAL | OPTIONAL |
To distinguish genuine professional review from perfunctory approval, LAP defines an Override Latency metric:¶
Override Latency = HUMAN_OVERRIDE.timestamp
- target_output_event.timestamp
¶
Implementations at Silver level and above SHOULD flag HUMAN_OVERRIDE events with Override Latency below a configurable threshold (RECOMMENDED default: 10 seconds) as "rapid approval" in the provenance chain.¶
This does NOT block the override but records a RAPID_APPROVAL_FLAG in the event metadata, which: (a) is visible in Evidence Packs and audit reports; (b) may indicate insufficient review depth; and (c) can trigger alerts at Gold level when rapid approvals exceed a configurable percentage (RECOMMENDED: 20%).¶
This specification acknowledges that no technical mechanism can fully guarantee the quality or depth of human professional review. A licensed attorney may approve an AI output after genuine review or after cursory inspection; the system cannot distinguish between these without introducing unacceptable surveillance of professional judgment.¶
The enforcement framework therefore aims to: (a) create friction against entirely unreviewed AI output usage; (b) provide auditable evidence of review or lack thereof; (c) enable risk-proportionate controls (stronger for high-risk document types); and (d) preserve professional autonomy while recording accountability metadata.¶
The combination of enforcement levels, latency monitoring, and comprehensive provenance logging shifts the accountability model from "trust alone" to "trust with verification infrastructure," acknowledging that while absolute prevention is impossible, the cost and detectability of non-compliance can be substantially increased.¶
Legal AI handles extremely sensitive data protected by professional privilege. LAP extends VAP's privacy-preserving verification with the following hashed fields:¶
| Original Data | Hash Field | Hash Method | Sensitive Content |
|---|---|---|---|
| User query text | PromptHash | SHA-256(salt || content) | Legal consultation content (privileged) |
| AI response text | ResponseHash | SHA-256(salt || content) | AI-generated legal advice |
| Document output | OutputHash | SHA-256(salt || content) | Generated legal documents |
| Case number | CaseNumberHash | HMAC-SHA-256(salt, value) | Case identifier (high specificity) |
| Bar number | BarNumberHash | HMAC-SHA-256(salt, value) | Professional registration number |
| Party names | PartyHash | HMAC-SHA-256(salt, value) | Personal information of parties |
| Modification detail | ModificationHash | SHA-256(salt || content) | Professional's corrections |
| Factcheck content | TargetContentHash | SHA-256(salt || content) | Content under verification |
Fields with low input entropy (CaseNumberHash, BarNumberHash, PartyHash) MUST use HMAC-SHA-256 with the tenant salt as key, per Section 10.1, to resist dictionary attacks. Fields with high input entropy (content hashes) MAY use simple salted SHA-256.¶
Hash computation uses per-tenant salts as specified in Section 10.1. Third-party verifiers can confirm event existence and chain integrity without accessing privileged content.¶
The availability of original content corresponding to these hashes depends on the current Content Retention Tier (Section 11.2). At Tier 1, original content is available in encrypted form. At Tier 2, it is recoverable via escrowed keys. At Tier 3, only hashes remain.¶
| Requirement | Bronze | Silver | Gold |
|---|---|---|---|
| Hash Chain | Yes | Yes | Yes |
| Digital Signature | Yes | Yes | Yes |
| External Anchoring | No | Daily | Hourly |
| Completeness Invariant | No | 3 Pipelines | 3 Pipelines |
| Override Coverage Tracking | No | Yes | Yes (with alerts) |
| Override Enforcement Level | Level 0 | Level 1 (REQUIRED) | Level 1 (REQUIRED) |
| Evidence Pack | No | Yes | Yes |
| Privacy Hashing | No | Yes | Yes |
| Content Retention Tiers | Tier 3 only | Tier 2 + Tier 3 | All 3 Tiers |
| Legal Hold Protocol | Yes (manual) | Yes (manual) | Yes (automated detection) |
| Content Recovery Escrow | No | RECOMMENDED | REQUIRED |
| HSM | No | No | Yes ([FIPS140-3]) |
| Retention | 6 months | 3 years | 10 years |
| Real-time Audit API | No | No | Yes |
In many jurisdictions, only licensed attorneys may provide legal advice. AI systems that generate legal analysis or draft legal documents operate in a regulatory space where the boundary between "legal information" and "legal advice" determines whether unauthorized practice of law has occurred.¶
LAP provenance supports regulatory compliance through:¶
In Japan, the [JAPAN-ATTORNEY-ACT] Article 72 prohibits unauthorized practice of law. The [MOJ-GUIDELINE] (August 2023) clarifies that AI contract review services may constitute unauthorized practice when crossing into dispute-related legal advice. The [JFBA-AI-GUIDANCE] (September 2025) requires that responsibility for legal advice remains with the attorney and that AI output cannot reach clients without attorney review. LAP's Human Override Coverage metric provides verifiable evidence that these requirements are met.¶
Japan's AI Promotion Act [JAPAN-AI-ACT] (enacted May 2025, effective September 2025) establishes transparency as a statutory principle. While no specific audit trail requirements are imposed, the Act's agile governance model relies on private-sector technical standards for implementation, creating potential demand for frameworks like VAP.¶
Legal AI systems may be classified as high-risk under AI governance frameworks such as the [EU-AI-ACT], particularly under Annex III Section 8(a) which explicitly covers AI systems intended to "assist a judicial authority in researching and interpreting facts and the law."¶
LAP Silver level and above provides audit trail capabilities that can help satisfy the following [EU-AI-ACT] requirements:¶
NOTE: Enforcement timelines for Annex III high-risk AI obligations are subject to revision. The core technical requirements under Articles 12, 14, 18, and 19 remain stable regardless of enforcement timing. The degree to which LAP capabilities satisfy specific regulatory requirements should be evaluated on a per-jurisdiction basis.¶
This section describes the threat model and security considerations for VAP-LAP implementations, following the guidance in [RFC3552].¶
VAP assumes the following attacker capabilities and trust assumptions:¶
An adversary with write access could attempt to modify past events, insert fabricated events, or delete events. The hash chain provides integrity: any modification to a past event changes its EventHash, breaking the chain at that point. External anchoring at Silver level and above makes post-hoc modification detectable by comparing the stored Merkle root against the independently timestamped root. Implementations SHOULD use Merkle consistency proofs (per [RFC9162] Section 2.1.4) to detect log forking.¶
Timestamp rollback or clock skew can cause false completeness verification failures and undermine event ordering guarantees. Implementations SHOULD use monotonic time sources and SHOULD cross-validate local timestamps against external anchoring timestamps. External anchoring at Silver level and above provides an independent time reference. Implementations MUST reject events with timestamps that differ from the external anchor timestamp by more than a configurable bound (RECOMMENDED: 300 seconds for batch anchoring, 60 seconds for real-time anchoring).¶
An authorized operator could forge events, suppress events before they are anchored, or create fabricated ERROR events to satisfy the Completeness Invariant while hiding actual outcomes. Mitigations include:¶
Compromise of signing keys allows event forgery. Bronze implementations SHOULD rotate keys annually. Silver MUST rotate semi-annually. Gold MUST use HSM storage ([FIPS140-3]) and quarterly rotation.¶
Upon key compromise detection, the implementation MUST:¶
During key rotation (including non-emergency rotation), the hash chain continues unbroken. The new key signs a KEY_ROTATION event that includes the old key's public key hash, establishing chain continuity. Verifiers MUST accept events signed by either key during the overlap period specified in the KEY_ROTATION event.¶
Per-tenant salting prevents cross-tenant hash correlation. Implementations MUST NOT share salts across tenants. Event metadata (timestamps, event types, counts) may leak statistical information even when content is hashed; this is an inherent limitation of any audit trail system. Selective disclosure via Merkle proofs (Section 7.3) enables verifiers to inspect specific events without accessing the full event store, reducing exposure.¶
Denial-of-service attacks against the logging infrastructure could prevent event recording, violating completeness. Gold level implementations MUST have geographic redundancy. Implementations SHOULD buffer events locally when the central event store is unavailable, and MUST reconcile buffered events upon reconnection.¶
A signer could repudiate previously signed events. External anchoring provides non-repudiation: the independently timestamped Merkle root proves the event existed at the anchor time. Combined with the signer's public key bound to their identity, this provides evidence against repudiation.¶
An adversary could present only favorable events to a verifier, hiding unfavorable records. The Completeness Invariant detects such omissions: any missing outcome event will cause the invariant to fail for the affected pipeline. External anchoring of Merkle roots makes it infeasible to present a consistent subset of events that satisfies the invariant if any events have been omitted.¶
An adversary could replay valid events from one context into another. The chain_id field binds events to a specific chain, and the prev_hash field creates a strict ordering dependency that makes replayed events detectable (they will break the hash chain at the insertion point). UUIDv7 event identifiers provide globally unique, time-ordered identification that further constrains replay.¶
The tension between privacy-preserving hash-only retention and judicial discovery obligations creates a risk that hash-only evidence may be deemed insufficient by courts. The Tiered Retention model (Section 11.2) mitigates this by maintaining recoverable content during periods when discovery is most likely, while the Legal Hold Protocol (Section 11.4) prevents premature content destruction when litigation is anticipated.¶
Enforcement Levels 1 and 2 (Section 16.2) can be circumvented by users who copy AI output through means outside the system's control (e.g., screen capture, manual transcription). Technical enforcement addresses the common case of system-mediated export but cannot prevent all forms of circumvention. The provenance chain nonetheless records the absence of HUMAN_OVERRIDE events, providing post-hoc accountability.¶
Users aware of the Override Latency threshold (Section 16.4) might delay approval clicks to avoid the RAPID_APPROVAL_FLAG. This is a known limitation. Statistical analysis of approval latency distributions across users and document types can detect such gaming patterns in audit reviews.¶
Legal Hold activation and release events must be protected from unauthorized modification. Gold level implementations SHOULD require multi-party authorization for Legal Hold release.¶
IANA is requested to register the following media types in the "Media Types" registry:¶
IANA is requested to create a "VAP Domain Profile Identifiers" registry with the following initial entries. The registration policy is Specification Required per [RFC8126] Section 4.6.¶
| Profile ID | Full Name | Domain | Reference |
|---|---|---|---|
| VCP | VeritasChain Protocol | Finance | This document |
| CAP | Content AI Profile | Content/Creative AI | This document |
| LAP | Legal AI Profile | Legal AI / LegalTech | This document |
| DVP | Driving/Vehicle Profile | Automotive | Reserved |
| MAP | Medical AI Profile | Healthcare | Reserved |
| PAP | Public Admin Profile | Public Administration | Reserved |
Each registration MUST include: Profile ID (1-4 uppercase ASCII characters), Full Name, Domain description, and a reference to the defining specification.¶
IANA is requested to create a "VAP Event Types" registry. The registration policy is Specification Required per [RFC8126] Section 4.6. Initial entries include all event types defined in Section 14 of this document.¶
| Aspect | VCP (Finance) | CAP (Content) | LAP (Legal) |
|---|---|---|---|
| Time Precision | Nanosecond | Second | Second |
| Key Invariant | SIG to ORD | GEN_ATTEMPT to GEN/DENY/ERROR | 3 Pipeline Invariants |
| Unique Feature | Signal integrity | Safe Refusal (SRP) | Human Override Coverage + Enforcement |
| Regulatory Focus | Financial regulation | Content regulation | Attorney regulation + AI governance |
| Privacy Model | Trade data | Creative content | Professional privilege + Tiered Retention |
| Retention (Gold) | 5 years | 5 years | 10 years |
Bronze level implementations MUST validate that all events conform to the Common Event Structure (Section 5). At minimum, validation MUST check:¶
Formal JSON Schema definitions will be published as a companion document or hosted at a stable URI referenced in a future revision of this specification.¶
This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in [RFC7942]. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist.¶
According to [RFC7942], "this section, as well as the cited RFC, should be removed before the document is approved for publication as an RFC."¶
This section tracks changes between Internet-Draft revisions and will be removed before publication.¶
draft-ailex-vap-legal-ai-provenance-02¶
draft-ailex-vap-legal-ai-provenance-01¶
draft-ailex-vap-legal-ai-provenance-00 Initial submission.¶
The VAP Framework and LAP Profile were developed with input from: the CAP v1.0 Safe Refusal Provenance (SRP) design experience, the VCP v1.1 operational feedback, regulatory engagement from legal practitioners, and open-source community contributions.¶
LAP v0.4 design draws from the AILEX SaaS reference implementation, the Ministry of Justice guideline on AI services and [JAPAN-ATTORNEY-ACT] Article 72 (August 2023), the [JFBA-AI-GUIDANCE] on generative AI in attorney practice (September 2025), and operational feedback from pilot law firms regarding judicial discovery and attorney oversight workflows.¶
The authors thank the reviewers who provided detailed technical feedback on the -01 draft, particularly regarding cryptographic algorithm naming accuracy, hash computation clarity, Merkle tree construction consistency, and IANA registration completeness.¶