Every control behaved exactly as designed. Nothing failed.
The AI deleted the customer account — and that outcome should never have been possible.
The AI did exactly what it was permitted to do. No control broke. The composition of correct permissions and decisions allowed an outcome no control was responsible for preventing.
Why?
↓
Every step was permitted.
A human approved an action. Every check was green. Then:
The approval was valid. The execution was authorized. Both were correct. Nothing malfunctioned — the approved action was simply allowed to differ from the one that ran.
So — what went wrong?
Right — nothing failed. Every control did exactly its job. What went unprotected was an assumption: the approved action must remain the executed action. No control was ever responsible for holding it — so the correct parts composed into an outcome that should never have been possible.
The invariant lives on the edge, not the node.
Every control governs a node. What went unprotected is the assumption on the edge between them — the property that must stay true across the whole action, that no single control was assigned to keep. Hover an edge.
Traditional assurance verifies every node is correct. Nothing verifies the invariant on the edge — where one control's output becomes another's unspoken assumption.
These aren't failures. They're assurances no one was assigned.
Each is a property that must hold across an action. Every underlying control can be correct while the property goes unenforced.
- The approved object must remain the executed object.
- Trust labels must survive transformation.
- Authority must never increase through delegation.
- Privacy must survive aggregation.
- Evidence must remain attributable across autonomous execution.
The discovery method
When does an interaction need its own assurance?
- Two or more controls already exist.
- They all behave correctly.
- Their composition still violates an expectation.
- No control governs that relationship.
The full six-condition test →
A repeatable way to discover which invariants need governing — one that keeps working as AI systems evolve. That's the invention: not another control, a method.
The discipline built on that method
Compositional Assurance
Why didn't existing frameworks catch these?
They verify each control is correct.
We verify the invariants between them.
Correctness of each component is necessary — but not sufficient to assure the whole. Existing frameworks enumerate controls; Apeiris discovers the relationships that require entirely new assurances.
The same shape, everywhere.
Every part behaves correctly. The composition violates an invariant nobody protected.
The invariants we've proven
Each governs one composition. Every leg is an existing, individually-correct control; the compositional control holds the invariant across them. Live from the corpus.
Loading…
Only a handful. That's the discipline.
Apeiris isn't inventing controls for everything. Only the interactions that pass the test earn a new assurance — and those few are where the highest risk concentrates.
Traditional assurance proves each control is correct.
Compositional assurance proves the invariants between them hold.
Enterprise AI depends on both.
This is Act II. Act I — “One action, fully proven” walks a single AI action through every control that has to hold; then return here for why the invariants between them matter.