Products Demo Docs Blog About Contact Sign in Sign up
Blog · · Philippe Laporte

Inference Has No Controller

Why the log you wrote about yourself is not evidence, and what that means for anyone selling AI into a regulated buyer.

Anyone who has spent real time inside Kubernetes carries an intuition that is hard to unlearn once you have it.

A controller exists because two things are never quite the same: the state a system declares, and the state the system is actually in. You write a manifest that says three replicas. The cluster's own record says three replicas. Neither of those facts makes three replicas exist. The controller sits outside the object, looks at the world, looks at the declaration, and reconciles the difference. Remove the controller and the manifest becomes a wish.

The important part is not the reconciliation. It is the location.

The controller is not the thing it is reconciling. If an object could be trusted to report its own state accurately, there would be no need for a controller at all. The entire pattern is a standing admission that self-reported state is not evidence.

Now look at how the industry runs AI inference.

The operator runs the model. The operator writes the log. The log is the evidence. There is no controller anywhere in that loop, and nobody seems to find this strange.

The four words on every landing page

Read the copy on any agent platform shipping right now. You will find some version of the same four promises: useful, debuggable, controllable, trusted. They are presented as four dials on the same console, four instances of one underlying thing.

They are not.

The first three are properties you can engineer into a system. You make it more useful by making it better. You make it debuggable by instrumenting it. You make it controllable by adding policies, approval gates, and spend limits. Every one of those is work you do inside your own boundary, and when the work is done, it is done.

Trust is not that kind of property. Trust is a claim you are making to somebody else. You cannot manufacture it from inside the system that is asking to be trusted, for the same reason a defendant cannot serve as his own alibi.

And notice which tools get reached for when a team decides to take trust seriously: observability and evaluation. Both of them are artifacts a system produces about itself. That works right up until the party asking the question is not you.

What the usual answers actually attest

Three things get offered to close this gap. It is worth being precise about each, because they are not interchangeable and none of them finishes the job.

Audit logs. An audit log tells you what the operator recorded. It is written by the operator, stored by the operator, and produced by the operator on request. It is an excellent operational tool. It is not evidence to anyone who does not already trust the operator. That is not an accusation aimed at anybody's integrity; it is a structural fact. A log is a claim, not a proof.

Certifications. SOC 2, ISO 27001, ISO 42001. These are real, they are expensive, and they are worth having. They attest that an organization has controls, policies, and management systems, and that an auditor sampled them at a point in time. They say nothing at all about whether a specific output came from a specific model on a specific input. They are statements about process, not about computation. Necessary, and categorically different.

Confidential computing. This is the most technically serious answer and the one most often misread. A trusted execution environment, whether a GPU running in confidential mode, AMD SEV-SNP, or Intel TDX, gives you remote attestation: cryptographic evidence that a genuine, unmodified enclave with a known measured boot state is running, and that data stayed encrypted while in use. That is real security solving real problems.

It attests the box. It does not attest the computation.

A TEE will tell you that a trusted environment ran something. It will not tell you that this particular output is what this particular model produces on this particular input, in a form a third party can check later, without your hardware and without you. The attestation binds to hardware identity. It does not leave behind a portable artifact that survives the question "and why should I believe your hardware?"

The invariant

There is a single line running underneath all of this, and once you see it you cannot unsee it.

The executor cannot be the prover.

Not should not. Cannot. If the party that ran the computation is also the party vouching for it, the vouching carries no information. It is the same signature written twice. Every self-attestation scheme, however much cryptography is stacked on top of it, terminates in the operator saying so.

This is not a criticism of any particular vendor. It is a property of the arrangement itself. And it means the fix cannot be a better log, a stricter policy, or a stronger enclave. It has to be a structural separation. The thing that runs the job and the thing that proves the job must be different things, and the proof has to be checkable by someone who trusts neither of them.

The case that should worry people most

Here is the one I keep turning over.

The AI safety field has become quite good at showing that automated evaluators are unreliable. There is solid published work demonstrating that when a language model is used as a judge of safety, the judge is inconsistent, sensitive to surface artifacts, and can be swung dramatically by features of the phrasing that have nothing to do with the content. The evaluator, it turns out, cannot be trusted on the merits.

Fine. But look at what that entire line of research quietly assumes.

It assumes the evaluation ran the way the report says it ran.

A safety evaluation is an inference job. It is a batch of prompts pushed through a model, scored, and summarized. And the results of that job do not stay inside the lab. They become model cards. They become the technical documentation a general-purpose model provider files with a regulator. They become the evidence a bank, a hospital, or a defense ministry leans on when deciding whether to deploy.

The party that runs the evaluation is the party that reports the evaluation. Nothing in that chain lets an outside party confirm that the eval ran against the model that actually shipped, on the inputs claimed, producing the outputs claimed. The safety team is executor and prover of its own safety claims.

We are spending enormous energy arguing about whether these results are correct. Almost none asking whether they are verified.

Nobody evaluates the evaluator.

What we build, and where it stops

Cyberian emits a cryptographic receipt for every inference job. The receipt binds the model, the input, and the output into one structure, and the component that executes the job is architecturally separate from the component that proves it. A third party can take that receipt and independently confirm that a given output came from a given model on a given input, without trusting our hardware and without trusting us.

Two honest boundaries, because stated limits are worth more than claimed ones.

This is live today for deterministic and embedding-class workloads. Our first production workload is embedding generation, verified against a calibrated tolerance rather than bit-exact equality, because bit-exact determinism across heterogeneous hardware is a fantasy, and pretending otherwise disqualifies half the compute in the world while buying you no additional assurance.

Verification of generative outputs is a harder problem and we are not going to claim it is solved. It is the open question, and we would rather say so plainly than sell past it.

But the primitive underneath is the same in both cases, and the primitive is not complicated.

Something outside the system has to check the system.

Kubernetes worked that out a decade ago. Inference has not caught up.


PL
Philippe Laporte
Founder and CEO of Cyberian Systems, building verified AI inference infrastructure for regulated industries.

Try the live demo · Follow on LinkedIn · RSS