The Decision Receipt

The artifact your auditor has been asking for.

Every governed AI decision produces one: a signed, reproducible record of what the AI did, which proven rule decided it, and the verdict — issued the moment the decision is made. Your reviewers re-verify it on their own machine, without us in the room.

Decision Receipt · AICP · live
DENIED
before the action could fire
Codex · shell.exec · decided pre-action
agent: Codex
action: git push origin main
rule fired: branch.protect.main
predicate: deny when target ∈ protected
eval: predicate matched → deny
verdict: DENIED · pre-action
proof: Lean 4 · soundness PROVEN
signature: signing…
Denied: main is protected · open a PR

Who signs off

Everyone who has to approve it — gets what they need.

A sign-off stalls when one reviewer can’t get the evidence their job requires. Each role needs a different thing, and the receipt answers all of them from one artifact.

Compliance · signs off the deployment
“Prove the control applied before the action, every time.”
The pre-action verdict on every decision — admit or refuse, decided before it fired, not logged after.

Risk · owns what happens when it’s wrong
“What’s the residual risk, and where does coverage end?”
The named rule defines exactly what’s guaranteed — and anything routed around the gate leaves no receipt, so the boundary of coverage is explicit, never hidden.

Internal audit · tests the control
“Reproduce a decision from eighteen months ago.”
Replay the recorded inputs through the sealed runtime — same inputs, same decision, byte for byte.

CISO · owns the security of it
“Where do the keys live, and can this be tampered?”
Signed with a key you hold, hash-chained and tamper-evident. SMARTHAUS never holds it — the proof survives even us.

External auditor · attests to it
“Show me it’s genuine and unaltered, without trusting the vendor.”
Verify the signature against your own key — we never hold it, so the record can’t have been written by us.

The board · is accountable if it fails
“Can we defend this if it goes to court?”
A signed, time-bound, independently re-derivable record per decision — evidence that holds up, not a policy you hope covers you.

The regulator · examines you
“Give me the reason this specific decision was made.”
The named, proven rule is the reason — a theorem re-checkable in the public kernel, not a model’s after-the-fact rationalization.

Without it

The AI works in the demo, but approval stalls for months — no one can produce evidence the control held.

With the receipt

Every reviewer opens the artifact, checks the field their job requires, and signs. From stalled to shipped.

Anatomy

Every field answers a question you'll be asked.

Not a log written about the decision after the fact. It is a record produced by the gate at the instant the decision is made — naming the exact proven rule it was checked against, with each field mapped to a question an auditor or regulator will put to you.

Decision Receipt #LN-2231
Banking · Consumer lending
1. action: extend_credit($45,000)
2. caller · moment: agent.lending.v3 · 14:22:07 UTC
3. rule · version: fair_lending.reg_b · r9
4. verdict: ADMITTED · pre-action
5. reproducible?: byte-identical replay
6. signature: key we don't hold
Admitted: signed · re-verifiable without us

  1. The action. Exactly what the AI did — or tried to do. The receipt exists whether it was admitted or refused. “What did the system actually do?”
  2. The caller and the moment. Which agent or model, and the exact timestamp — bound into the signature, so it cannot be backdated after a complaint. “Who decided this, and when?”
  3. The governing rule and its version. The named invariant that decided it, machine-checked in Lean 4, pinned to the version in force at the time. “Under which policy, exactly?”
  4. The verdict, before the fact. Admit, refuse, or hold — decided before the action could fire, not flagged after. “Was the control applied in time?”
  5. Reproducibility. The same inputs return the same decision, byte for byte — the basis for replay. “Can you reproduce it for me?”
  6. The signature. Signed with a key SMARTHAUS does not hold, so it verifies off-platform, without us. “How do I know this is genuine?”

Chain of custody

Two receipts. One unbroken chain.

Proof comes in two parts. Once, when the software is built, the rule is proven sound and sealed — the Receipt of Truth. Then every decision stamps a Decision Receipt that points back to it. One proves the rule is right; the other proves this decision followed it. An auditor can walk the whole chain.

Build time

The rule is proven

Authored with your risk and compliance team, drafted into math, and checked by the public Lean 4 kernel. If it doesn’t hold, it doesn’t ship.

Sealed

The Receipt of Truth

The proof and the rule are hashed and sealed into the runtime. Change one byte and the hash breaks — tamper is evident.

Run time

The Decision Receipt

Every governed decision names that same rule version and records the verdict, signed at the moment it fires.

Audit

Walk it backward

From a single decision, trace the rule to its proof and re-check it yourself — decision, to rule, to math.

Maps to your obligations

We don't make you pick a regime. We cover them all.

Every AI regulation in force or arriving is converging on the same handful of demands. The receipt answers all of them, so you are covered under whichever one applies to you and ready for the next.

Nine obligations, every framework, one artifact.

01 · Record-keeping

A record of every automated decision

One signed receipt per governed decision, retained in your environment. Nothing happens off the record.

02 · Traceability

Which rule applied, and when

Each decision names the exact invariant and version in force at the moment it fired.

03 · Explainability

A real reason, not a guess at one

The reason is the proven rule itself — including a clear basis for an adverse action like a decline.

04 · Reproducibility

The decision can be reproduced

Same inputs return the same decision, byte for byte, on a clean machine years later.

05 · Human oversight

The control acts before the action

Admit, refuse, or hold for review is decided pre-action — oversight that’s in the path, not after it.

06 · Non-discrimination

Evidence of consistent treatment

Deterministic decisions plus a proven fairness rule show like cases were treated alike — provably, not on average.

07 · Integrity

Tamper-evident and unbackdatable

Signed with your key and bound to its timestamp; alter one byte and the signature breaks.

08 · Independent verification

Re-verifiable without the vendor

Your auditor checks the signature and re-proves the rule off-platform, with no SMARTHAUS in the loop.

09 · Retention & export

Yours to keep and produce

Receipts live in your environment, on your keys, exportable on demand for an examination.

One receipt, ready for every regime — as the rules keep arriving
EU AI Act; Colorado AI Act · SB 26-189; NYDFS; NAIC Model Bulletin; NIST AI RMF; ISO/IEC 42001; SR 11-7 Model Risk; SOC 2; FDA AI/ML SaMD; HIPAA; GDPR automated decisions; ECOA · Reg B

Verify it yourself

Three checks. Your technical reviewer runs them.

A receipt isn’t proof because we say so. It’s proof because anyone with the artifact — your engineers, an independent expert, the regulator’s technical staff — can re-derive the truth on their own hardware, with no SMARTHAUS in the loop.

The three steps below describe the verification. Real verification runs against the signed receipt on your own hardware — your reviewer's tooling and the public Lean 4 kernel — not as live in-browser cryptography on this page.

01

Check the signature

Verify it against the customer’s public key. The decision is genuine, unaltered, and was signed at the moment it happened.

02

Re-prove the rule

Take the named invariant and re-check its proof in the public Lean 4 kernel. The rule guarantees what it claims.

03

Replay the inputs

Run the recorded inputs through the sealed runtime on a clean machine. The same decision comes back, byte for byte.
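
An added example, not SMARTHAUS code, of what an auditor-side check of the hash chain, the rule seal and the replay could look like. The receipt layout, field names, GENESIS anchor and rule version are assumptions; the signature check (step 01) is left to your own tooling because the page does not state the algorithm.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first receipt in a chain

def digest(obj):
    """SHA-256 over canonical JSON (sorted keys, fixed separators)."""
    raw = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

# Constructed rule, standing in for the sealed rule; the version is made up.
RULE = {"id": "branch.protect.main", "version": "r1", "protected": ["main"]}

def evaluate(rule, inputs):
    """The page's predicate: deny when target is in the protected set."""
    return "DENIED" if inputs["target"] in rule["protected"] else "ADMITTED"

def issue(prev_hash, rule, inputs):
    """Gate side: record inputs, verdict, rule seal and link to predecessor."""
    body = {"prev": prev_hash, "rule_seal": digest(rule),
            "inputs": inputs, "verdict": evaluate(rule, inputs)}
    return {**body, "hash": digest(body)}

def build_chain(rule, decisions):
    chain, prev = [], GENESIS
    for inputs in decisions:
        chain.append(issue(prev, rule, inputs))
        prev = chain[-1]["hash"]
    return chain

def audit(chain, rule):
    """Auditor side: return (index, problem) pairs; empty means clean."""
    problems, prev = [], GENESIS
    for i, r in enumerate(chain):
        body = {k: v for k, v in r.items() if k != "hash"}
        if digest(body) != r["hash"]:
            problems.append((i, "receipt altered"))
        if r["prev"] != prev:
            problems.append((i, "chain broken"))
        if r["rule_seal"] != digest(rule):
            problems.append((i, "rule does not match seal"))
        elif evaluate(rule, r["inputs"]) != r["verdict"]:
            problems.append((i, "replay mismatch"))
        prev = r["hash"]
    return problems

# Constructed sample decisions.
SAMPLE = [{"action": "git push origin main", "target": "main"},
          {"action": "git push origin feature/x", "target": "feature/x"}]
```

An edited receipt that is re-hashed still fails replay and breaks the link from its successor, and a dropped receipt breaks the link from the next one. The chain alone does not stop someone re-hashing every receipt from the edit onward, which is why the per-receipt signature check remains a separate, required step.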

Not technical? The short version — an independent party can prove every decision without trusting us, and it holds up in an exam or a court.

Where the boundary is, honestly: a receipt covers an action that passed through the gate. Anything routed around the gate leaves no receipt — and that absence is itself the tell. SMARTHAUS never holds your receipts or your signing key; we could not produce, alter, or backdate one if we wanted to.

Bring a decision you'd have to defend.

We'll show you its receipt — and let you verify it yourself.