Research Note · January 1, 2026


# Causal Accountability Graphs

## Formal Accountability Semantics over the HELM ProofGraph

- **Status:** Foundational thesis — formal definitions, proof sketch, reference implementation
- **Version:** 2.0
- **Depends on:** HELM UCS v1.2, ProofGraph DAG (§2.4), VGL/VPL protocols
- **Canonical position:** HELM ProofGraph accountability calculus, not a parallel graph model


## Abstract

Current AI governance systems produce flat audit logs — timestamped records of what happened, but not why it happened or who is accountable. When an autonomous agent causes harm, the answer is "the AI did it." This is legally, ethically, and operationally inadequate.

This document defines Causal Accountability Graphs (CAG) — a formal accountability semantics over HELM's existing ProofGraph DAG. CAG does not introduce new node kinds or a parallel data model; it derives accountability chains from canonical ProofGraph nodes (INTENT, ATTESTATION, EFFECT, TRUST_EVENT, CHECKPOINT, MERGE_DECISION) by interpreting attestation subtypes. The central guarantee: for every EFFECT node in a well-formed ProofGraph, there exists a finite, verifiable causal chain terminating at a human-controlled sovereign authority.


## 1. Motivation

### 1.1 The Accountability Vacuum

Consider an autonomous agent that:

1. Receives a high-level intent from a sovereign operator
2. Delegates subtasks to specialized sub-agents
3. Sees one of those sub-agents invoke a tool that transfers funds to the wrong account

Who is accountable? In current systems:

- Flat logs record that the tool was called, but not the delegation chain that authorized it
- Model providers (OpenAI, Anthropic, Google) produce usage logs, not causal graphs
- Enterprise audit trails track authentication events, not decision provenance

The result: accountability is asserted retroactively by humans reading logs, not computed algorithmically from the system's own governance record.

### 1.2 What Causal Accountability Provides

CAG guarantees three properties:

1. **Attribution completeness** — every EFFECT node has a computable accountability chain
2. **Sovereign termination** — every accountability chain terminates at a human-controlled sovereign authority
3. **Verifiability** — the chain is independently verifiable from the ProofGraph alone (no external state needed)

### 1.3 Architectural Position

CAG is HELM's accountability calculus, not a new ontology:

- **Not a second graph model** — it is a derived semantic layer over the single canonical ProofGraph
- **Not a homepage/category headline** — it is a theorem, validator, and explorer capability
- **Not new top-level node kinds** — it uses attestation-typed accountability derivation over existing canonical nodes

HELM's wedge remains execution firewall / control plane / deterministic enforcement. CAG is the theorem that makes HELM harder to dismiss when buyers ask: "fine, but who is actually responsible when an agent acts?"


## 2. System Model

### 2.1 ProofGraph Canonical Nodes (UCS v1.2)

CAG operates exclusively over the canonical ProofGraph node taxonomy:

| NodeType | UCS canonical | Accountability role |
|:--|:--|:--|
| INTENT | Yes | Origin of causal chain — sovereign operator's request |
| ATTESTATION | Yes | Umbrella for kernel verdicts, approvals, delegations (via subtype) |
| EFFECT | Yes | Terminal — the action that matters |
| TRUST_EVENT | Yes | Trust boundary change — key rotation, revocation |
| CHECKPOINT | Yes | Proof condensation boundary |
| MERGE_DECISION | Yes | Branch merge resolution |

Attestation subtypes carry accountability semantics within the ATTESTATION node kind. The subtype is determined by the node's payload metadata:

| Attestation subtype | Payload marker | Accountability role |
|:--|:--|:--|
| KERNEL_VERDICT | `"subtype":"kernel_verdict"` | Policy decision point — where the PDP evaluated |
| HITL_APPROVAL | `"subtype":"hitl_approval"` | Explicit human endorsement |
| APPROVAL_CEREMONY_V1 | `"subtype":"approval_ceremony"` | Multi-signer approval ceremony |
| ORG_GENESIS_APPROVAL | `"subtype":"org_genesis"` | OrgGenome activation (VGL) |
| DELEGATION_GRANT | `"subtype":"delegation_grant"` | Authority delegation from sovereign to agent |
| DELEGATION_REVOCATION | `"subtype":"delegation_revocation"` | Delegation expiry or revocation |
| EMERGENCY_OVERRIDE | `"subtype":"emergency_override"` | Break-glass sovereign action |

> [!IMPORTANT]
> CAG does not create top-level node kinds for these. They are attestation subtypes — payloads within canonical ATTESTATION nodes. One ProofGraph, one conformance target, one truth surface.
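
Because accountability semantics live in attestation payloads rather than in new node kinds, resolving them is a payload lookup. A minimal sketch in Python, assuming a dict-shaped node with a `kind` field and the canonical `subtype` payload marker from the table above (the node field names themselves are illustrative, not the canonical API):

```python
# Sketch: resolving accountability semantics from an ATTESTATION payload.
# The node/payload dict shape is an illustrative assumption; the "subtype"
# payload marker is the canonical encoding described above.

ACCOUNTABILITY_ROLES = {
    "kernel_verdict": "Policy decision point",
    "hitl_approval": "Explicit human endorsement",
    "approval_ceremony": "Multi-signer approval ceremony",
    "org_genesis": "OrgGenome activation (VGL)",
    "delegation_grant": "Authority delegation",
    "delegation_revocation": "Delegation expiry or revocation",
    "emergency_override": "Break-glass sovereign action",
}

def attestation_role(node: dict) -> str:
    """Return the accountability role of an ATTESTATION node, or raise."""
    if node.get("kind") != "ATTESTATION":
        raise ValueError("accountability subtypes only apply to ATTESTATION")
    subtype = node.get("payload", {}).get("subtype")
    try:
        return ACCOUNTABILITY_ROLES[subtype]
    except KeyError:
        raise ValueError(f"unknown attestation subtype: {subtype!r}")
```

New subtypes extend the lookup table without touching the node taxonomy, which is exactly the evolution property §5.3 relies on.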

### 2.2 Sovereign Authority Classes

We define four principal kinds for accountability classification:

| Kind | Symbol | Description | Can be accountability root? |
|:--|:--|:--|:--|
| SOVEREIGN | S | Human-controlled sovereign authority (individual, quorum, or franchise root) | Yes |
| AGENT | A | Autonomous software agent | No |
| SYSTEM | K | Infrastructure component (kernel, PDP, reflex engine) | No |
| DELEGATE | D | Agent acting under explicit sovereign delegation | No (must chain to sovereign) |

**Key invariant:** Only SOVEREIGN principals can be accountability roots. This is broader than "a single natural person" — it covers:

- Single sovereign operator (most common)
- Quorum-based approvals (multi-signer ceremonies)
- Franchised genomes with delegated semantic mirroring
- Recovery quorum semantics for root control

The common thread: behind every SOVEREIGN authority stand one or more identifiable humans who can be held accountable. SOVEREIGN is deliberately broader than a bare human principal: it also covers the collective structures (quorums, ceremonies) that HELM uses for multi-party governance.
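
The classification above can be sketched as a small lookup. This assumes a `kind:name` identifier convention (the payload example in §5.3 uses `sovereign:alice`); a real deployment would resolve kinds from the identity registry rather than parse strings:

```python
# Sketch: classifying a principal identifier into the four kinds of §2.2.
# The "kind:name" prefix convention is an assumption for illustration.

PRINCIPAL_KINDS = {
    "sovereign": "SOVEREIGN",  # S — may be an accountability root
    "agent": "AGENT",          # A
    "system": "SYSTEM",        # K (kernel, PDP, reflex engine)
    "delegate": "DELEGATE",    # D — must chain to a sovereign
}

def classify_principal(principal_id: str) -> str:
    prefix, _, _ = principal_id.partition(":")
    kind = PRINCIPAL_KINDS.get(prefix)
    if kind is None:
        raise ValueError(f"unknown principal prefix: {prefix!r}")
    return kind

def can_be_root(principal_id: str) -> bool:
    # Key invariant: only SOVEREIGN principals terminate a chain.
    return classify_principal(principal_id) == "SOVEREIGN"
```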

### 2.3 Node Semantics for Accountability

| Canonical NodeType | Attestation subtype | Principal constraint | Accountability role |
|:--|:--|:--|:--|
| INTENT | — | Must be SOVEREIGN or DELEGATE | Origin of causal chain |
| ATTESTATION | kernel_verdict | SYSTEM (kernel) | Policy evaluation checkpoint |
| ATTESTATION | hitl_approval | SOVEREIGN | Explicit human endorsement |
| ATTESTATION | approval_ceremony | SOVEREIGN (quorum) | Multi-signer endorsement |
| ATTESTATION | org_genesis | SOVEREIGN | VGL genesis activation |
| ATTESTATION | delegation_grant | SOVEREIGN | Grants authority to delegate/agent |
| ATTESTATION | delegation_revocation | SOVEREIGN | Terminates a delegation |
| ATTESTATION | emergency_override | SOVEREIGN | Break-glass action |
| EFFECT | — | Any | Terminal node — the observed effect |
| TRUST_EVENT | — | SOVEREIGN | Trust boundary change |

## 3. Formal Definitions

### 3.1 Accountability Chain

**Definition.** An accountability chain for an EFFECT node e is a sequence of links:

C(e) = [(p₁, a₁, s₁, j₁, h₁), ..., (pₖ, aₖ, sₖ, jₖ, hₖ)]

where each link (pᵢ, aᵢ, sᵢ, jᵢ, hᵢ) consists of:

- pᵢ — the principal (identifier)
- aᵢ — the action (canonical NodeType)
- sᵢ — the attestation subtype (if NodeType is ATTESTATION, else empty)
- jᵢ — the justification (parent node hash that authorized this action)
- hᵢ — the node hash in the ProofGraph

The chain is ordered from the EFFECT (link 1) back to the sovereign root (link k).

### 3.2 Well-Formed Accountability Chain

A chain C(e) is well-formed if:

1. **EFFECT-rooted:** The first link's action is EFFECT
2. **Sovereign-terminated:** The last link's principal kind is SOVEREIGN
3. **Causally connected:** For consecutive pairs (lᵢ, lᵢ₊₁), the node hᵢ₊₁ is a (transitive) parent of hᵢ in the ProofGraph DAG
4. **Justification-valid:** Each link's justification references a node that is an ancestor of the link's own node
5. **Finite:** |C(e)| < ∞
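
Conditions 1–4 are mechanically checkable from the chain and the DAG alone (condition 5 holds trivially for any materialized chain). A hedged Python sketch, modelling the graph as a hash → parent-hashes map and taking a `kind_of` classifier as a parameter; both shapes are assumptions, not the canonical API:

```python
from dataclasses import dataclass

# Sketch: checking conditions 1-4 of Definition 3.2 over a chain of
# (principal, action, subtype, justification, hash) links.

@dataclass(frozen=True)
class Link:
    principal: str       # p_i
    action: str          # a_i — canonical NodeType
    subtype: str         # s_i — attestation subtype, "" if not ATTESTATION
    justification: str   # j_i — parent hash that authorized the action
    node_hash: str       # h_i

def is_ancestor(parents, anc, node):
    """True if `anc` is a (transitive) parent of `node` in the DAG."""
    stack, seen = list(parents.get(node, ())), set()
    while stack:
        h = stack.pop()
        if h == anc:
            return True
        if h not in seen:
            seen.add(h)
            stack.extend(parents.get(h, ()))
    return False

def well_formed(chain, parents, kind_of) -> bool:
    if not chain or chain[0].action != "EFFECT":
        return False                                  # 1. EFFECT-rooted
    if kind_of(chain[-1].principal) != "SOVEREIGN":
        return False                                  # 2. sovereign-terminated
    for cur, nxt in zip(chain, chain[1:]):
        if not is_ancestor(parents, nxt.node_hash, cur.node_hash):
            return False                              # 3. causally connected
    return all(lk.justification == "" or
               is_ancestor(parents, lk.justification, lk.node_hash)
               for lk in chain)                       # 4. justification-valid
```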

### 3.3 Accountable System

**Definition.** A governed autonomous system is accountable if for every EFFECT node e in its ProofGraph G, there exists a well-formed accountability chain C(e).

### 3.4 Accountability Gap

**Definition.** An accountability gap is an EFFECT node e for which no well-formed accountability chain exists. Gaps are classified:

| Gap type | Condition | Severity |
|:--|:--|:--|
| ORPHAN | e has no parents in the DAG | CRITICAL |
| BROKEN_CHAIN | Causal walk reaches a non-sovereign leaf | HIGH |
| DELEGATION_EXPIRED | Walk passes through an expired delegation | MEDIUM |
| CYCLE | Walk enters a cycle (malformed DAG) | CRITICAL |
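
The gap taxonomy suggests a simple per-EFFECT classifier that a validation pass could run. A sketch under assumed shapes (hash → parents map, hash → principal-kind classifier); `DELEGATION_EXPIRED` is omitted here because it requires delegation TTL metadata, not just graph shape:

```python
# Sketch: typing the accountability gap for an EFFECT node.
# `parents` maps node hash -> list of parent hashes; `kind_of` maps a
# node hash to its principal kind (both shapes are assumptions).

def classify_gap(effect_hash, parents, kind_of):
    """Return the gap type for an EFFECT, or None if a sovereign is reached."""
    if not parents.get(effect_hash):
        return "ORPHAN"            # CRITICAL — no parents at all
    seen, node = set(), effect_hash
    while True:
        if node in seen:
            return "CYCLE"         # CRITICAL — malformed DAG
        seen.add(node)
        if kind_of(node) == "SOVEREIGN":
            return None            # no gap: sovereign root reached
        ps = parents.get(node)
        if not ps:
            return "BROKEN_CHAIN"  # HIGH — non-sovereign leaf
        node = ps[0]               # single-parent walk for the sketch
```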

## 4. Accountability Theorem

### 4.1 Statement

**Theorem (Causal Accountability).** Let G be a ProofGraph produced by a HELM system operating under VGL and VPL constraints. If G is well-formed (acyclic, finite, every non-genesis node has ≥1 parent), then G is accountable: every EFFECT node has a well-formed accountability chain terminating at a SOVEREIGN principal.

### 4.2 Proof Sketch

The proof proceeds by structural induction on DAG depth.

Base case (depth 0): Genesis nodes. The VGL protocol requires that the genesis INTENT node is created by a SOVEREIGN principal (the sovereign operator or quorum) who signs the OrgGenome. Any EFFECT at depth 0 is directly attributed to this sovereign authority. ∎

Inductive case (depth d → d+1): Assume all EFFECT nodes at depth ≤ d have well-formed accountability chains. Consider an EFFECT node e at depth d+1. By the well-formedness invariant, e has ≥1 parent. Consider the parent set P(e):

Case 1: Some parent p ∈ P(e) is an INTENT with a SOVEREIGN principal. Direct attribution. C(e) = [(e.principal, EFFECT, ⊥, p.hash, e.hash), (p.principal, INTENT, ⊥, ⊥, p.hash)]. ∎

Case 2: Some parent p ∈ P(e) is an ATTESTATION with subtype hitl_approval or approval_ceremony. By the principal constraints of §2.3, the attestation's principal is SOVEREIGN, so the chain terminates at p directly. ∎

Case 3: Some parent p ∈ P(e) is an ATTESTATION with subtype kernel_verdict. The kernel verdict was triggered by a prior governance event. By VPL, every kernel verdict traces to an INTENT or ATTESTATION that authorized it. By induction, the walk terminates. ∎

Case 4: Some parent p ∈ P(e) is an ATTESTATION with subtype delegation_grant. By §2.3, the grant was created by a SOVEREIGN, so the walk terminates at the sovereign grantor. ∎

Termination: The DAG is finite and acyclic (content-addressed hashing — a cycle requires a SHA-256 collision). Any ancestor walk terminates in ≤|G| steps. ∎

### 4.3 Scope and Limitations

The theorem holds under:

1. **VGL compliance** — the OrgGenome was activated through the full VGL ceremony
2. **VPL compliance** — all effects pass through the Verified Pipeline Loop
3. **DAG integrity** — content-addressed hashing is intact
4. **Standard cryptographic assumptions** — no SHA-256 collisions

If any of these assumptions is violated, `Validate()` detects the resulting gaps algorithmically.


## 5. Attribution Algorithm

### 5.1 Core Algorithm: `Attribute(effectHash)`

The algorithm walks the ProofGraph from an EFFECT node back to its sovereign root, selecting the most authoritative parent at each hop:

```
function Attribute(G, effectHash):
    e ← G.GetNode(effectHash)
    if e is nil or e.Kind ≠ EFFECT: return ERROR

    chain ← [], visited ← {}

    function Walk(node, depth):
        if node.hash ∈ visited: return ERROR("cycle")
        visited.add(node.hash)

        chain.append(Link{node.Principal, ClassifyPrincipal(node),
                          node.Kind, Subtype(node), depth})

        if ClassifyPrincipal(node) = SOVEREIGN: return SUCCESS

        parent ← SelectAccountabilityParent(node.Parents)
        if parent is nil: return ERROR("broken chain")
        return Walk(parent, depth + 1)

    return Walk(e, 0)
```
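
A minimal runnable translation of the pseudocode, folding in the §5.2 parent-selection order. All shapes here are assumptions for illustration: nodes are dicts with `hash`, `kind`, `principal`, `payload`, and `parents` (parent hashes), the graph is a hash → node map, and sovereignty is inferred from a `sovereign:` id prefix as in the §5.3 payload example:

```python
# Sketch: runnable Attribute() walk under assumed node/graph shapes.

SUBTYPE_PRIORITY = {  # §5.2 parent-selection order, most authoritative first
    "hitl_approval": 0, "approval_ceremony": 0, "delegation_grant": 1,
}

def subtype(node):
    return node["payload"].get("subtype", "") if node["kind"] == "ATTESTATION" else ""

def parent_rank(node):
    """Lower rank = more authoritative parent for the chain (§5.2)."""
    if node["kind"] == "ATTESTATION":
        st = subtype(node)
        if st in SUBTYPE_PRIORITY:
            return SUBTYPE_PRIORITY[st]
        return 3 if st == "kernel_verdict" else 4
    return 2 if node["kind"] == "INTENT" else 4

def attribute(graph, effect_hash):
    """Walk from an EFFECT back to its sovereign root; raise on gaps."""
    e = graph.get(effect_hash)
    if e is None or e["kind"] != "EFFECT":
        raise ValueError("not an EFFECT node")
    chain, visited, node, depth = [], set(), e, 0
    while True:
        if node["hash"] in visited:
            raise ValueError("cycle")           # CYCLE gap
        visited.add(node["hash"])
        chain.append((node["principal"], node["kind"], subtype(node), depth))
        if node["principal"].startswith("sovereign:"):
            return chain                        # sovereign root reached
        candidates = [graph[h] for h in node["parents"] if h in graph]
        if not candidates:
            raise ValueError("broken chain")    # BROKEN_CHAIN / ORPHAN gap
        node, depth = min(candidates, key=parent_rank), depth + 1
```

For the simple EFFECT ← kernel_verdict ← INTENT example of §1.1, the walk yields a three-link chain ending at the sovereign's INTENT.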

### 5.2 Parent Selection Strategy

When a node has multiple parents, select the most authoritative for the accountability chain:

1. ATTESTATION with subtype `hitl_approval` or `approval_ceremony` — explicit sovereign endorsement
2. ATTESTATION with subtype `delegation_grant` — authority grant
3. INTENT — originating action
4. ATTESTATION with subtype `kernel_verdict` — policy checkpoint
5. Any other canonical node as fallback

### 5.3 Attestation Subtype Resolution

The attestation subtype is extracted from the ATTESTATION node's payload metadata. The canonical encoding uses a `subtype` field in the JSON payload:



```json
{
  "subtype": "hitl_approval",
  "approver": "sovereign:alice",
  "intent_hash": "..."
}
```

This allows accountability semantics to evolve (new attestation subtypes) without modifying the canonical node taxonomy.

---

## 6. Risk-Class-Aware Accountability

### 6.1 Proof Surface Economics

Full accountability chains increase the retained proof surface. HELM's Autonomy Trilemma (§AUTONOMY_TRILEMMA.md) and proof condensation economics require that accountability depth is **risk-class aware**:

| Risk class | Accountability depth | Proof surface budget |
|:--|:--|:--|
| T0 (read-only) | Condensed — sovereign root only | ~32 bytes (hash pointer to condensed checkpoint) |
| T1 (soft writes) | Summary — sovereign root + direct authorizer | ~256 bytes |
| T2 (hard writes) | Full chain — all hops retained | ~1-4 KB |
| T3 (critical/irreversible) | Full chain + all delegation hops + ceremony proofs | ~10-30 KB |
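
One illustrative reading of the table is a truncation rule over an already-computed chain (ordered EFFECT-first, sovereign-root-last, as in §3.1). The byte budgets are enforced elsewhere, so this sketch only selects which links are retained per risk class:

```python
# Sketch: risk-class-aware retention of an accountability chain.
# The T0/T1 truncation rules are an illustrative reading of the table.

def retained_chain(chain, risk_class):
    """Return the links retained for a chain, given its effect's risk class."""
    if risk_class == "T0":
        return [chain[-1]]            # condensed: sovereign root only
    if risk_class == "T1":
        # sovereign root + the link that directly authorized the effect
        return [chain[1], chain[-1]] if len(chain) > 1 else chain
    return chain                      # T2/T3: full chain retained
```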

### 6.2 Condensation Interaction

When proof condensation (§UCS 6.2) replaces a sub-DAG with a CHECKPOINT node, the accountability chains for condensed effects are preserved via:

- **T0/T1:** The CHECKPOINT records only the sovereign root hash(es) for its condensed sub-graph
- **T2/T3:** The CHECKPOINT retains the full delegation chain metadata in its payload

The condensation algorithm must maintain the invariant: every CHECKPOINT node records sufficient accountability information for its risk class.

### 6.3 Conformance Requirement

CAG should become a conformance gate: *for every retained EFFECT in profile X, `Attribute(effect_hash)` must return an accountability chain or a typed gap, at the fidelity required by X's risk class.* This is stronger than merely logging receipts — it is a verifiable structural property of the proof surface.
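
The gate can be phrased as a check that every retained EFFECT yields either a chain or a typed gap, never silence. A sketch, where `attribute_fn` stands in for `Attribute()` and gaps surface as raised errors (both conventions are assumptions):

```python
# Sketch: the CAG conformance gate over a set of retained EFFECT hashes.

def conformance_report(effect_hashes, attribute_fn):
    """Map each effect hash to its chain or its typed gap."""
    report = {}
    for h in effect_hashes:
        try:
            report[h] = {"chain": attribute_fn(h), "gap": None}
        except ValueError as exc:  # typed gap surfaced as an error
            report[h] = {"chain": None, "gap": str(exc)}
    return report

def passes_gate(report):
    # The gate requires an answer for every effect; a typed gap is an
    # answer (it is then triaged by severity), a missing entry is not.
    return all(r["chain"] is not None or r["gap"] is not None
               for r in report.values())
```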

---

## 7. Delegation Semantics

### 7.1 Bounded Delegation

A DELEGATION_GRANT attestation delegates authority from a SOVEREIGN to an AGENT or DELEGATE. Delegations are bounded:

- **Scope** — which effect types the delegate may produce (from the effect taxonomy)
- **Duration** — TTL after which the delegation expires
- **Depth** — maximum re-delegation depth (sovereign → agent₁ → agent₂ is depth 2)
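
The three bounds can be sketched as a single validity check. The field names and the `SCOPE_VIOLATION`/`DEPTH_EXCEEDED` labels are illustrative; only `DELEGATION_EXPIRED` is a canonical gap type (§3.4):

```python
from dataclasses import dataclass

# Sketch: validating an EFFECT against a bounded delegation (§7.1).

@dataclass(frozen=True)
class Delegation:
    grantor: str
    grantee: str
    scope: frozenset      # permitted effect types
    expires_at: float     # absolute expiry time (TTL already applied)
    max_depth: int        # maximum re-delegation depth

def check_delegation(d: Delegation, effect_type: str, now: float, depth: int):
    """Return None if authorized, else an illustrative violation label."""
    if effect_type not in d.scope:
        return "SCOPE_VIOLATION"
    if now > d.expires_at:
        return "DELEGATION_EXPIRED"   # §7.3 — chain exists but is flagged
    if depth > d.max_depth:
        return "DEPTH_EXCEEDED"
    return None
```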

### 7.2 Delegation Chain Accountability

When an EFFECT is produced by a delegate, the accountability chain records every delegation hop:

> EFFECT(agent₂) → ATTESTATION/kernel_verdict(kernel) → ATTESTATION/delegation_grant(agent₁→agent₂) → ATTESTATION/delegation_grant(sovereign→agent₁) → INTENT(sovereign)

Each delegation attestation explicitly records who granted authority, what scope, and the justification.

### 7.3 Expired Delegation

If a delegation has expired at the time the EFFECT was produced, the accountability chain is flagged with a `DELEGATION_EXPIRED` gap. The chain still exists (the delegation was issued), but it is marked as potentially unauthorized.

---

## 8. Comparison with Existing Systems

| System | Audit mechanism | Causal structure | Sovereign termination guarantee |
|:--|:--|:--|:--|
| OpenAI API | Usage logs | None (flat timestamps) | No |
| Anthropic Claude | Request/response logs | None | No |
| Google Vertex AI | Cloud Audit Logs | None | No |
| LangChain/LangSmith | Trace spans | Partial (call stack) | No |
| AWS CloudTrail | Event stream | Partial (request chaining) | No — IAM roles, not humans |
| **HELM CAG** | **ProofGraph DAG** | **Full causal DAG** | **Yes — by construction** |

The fundamental difference: existing systems log *what happened*. HELM's CAG proves *who is accountable and why*, with cryptographic verifiability, over existing canonical governance nodes.

---

## 9. Productization Surface

### 9.1 Enterprise Evidence and Disputes

CAG makes "who authorized this and through what delegation chain?" a first-class answer rather than implicit. Valuable in: finance, IAM, regulated communications, physical-world delegation, cross-org incident review.

### 9.2 Accountability Explorer (UI)

CAG should surface as an Accountability Explorer view within Mission Control / Trust Portal — **not** a separate subsystem. A buyer clicks an EFFECT and immediately sees: originating intent, kernel verdict, approving sovereigns, delegation hops, expired grants, emergency overrides, and the precise reason this action was attributable.

### 9.3 Conformance and Certification

CAG becomes a conformance requirement: "for every retained EFFECT in profile X, `Attribute(effect_hash)` returns an accountability chain or a typed gap, at the fidelity required by the profile's risk class." Stronger than logging receipts — it is a structural, verifiable property.

---

## 10. Future Work

### 10.1 Regulatory Mapping

Map CAG properties to specific requirements:
- **EU AI Act, Article 14** — Human oversight → sovereign termination guarantee
- **GDPR, Article 22** — Automated decision-making → decision provenance chain
- **SOC 2 Type II** — Control evidence → chain verifiability

### 10.2 Cross-System Accountability

When HELM governs external AI systems (via A2A protocol), the accountability chain extends across system boundaries. Define federation semantics for inter-system accountability.

### 10.3 Quantitative Metrics

- **Mean delegation depth** across all effects
- **Accountability latency** — elapsed time from the sovereign root's originating intent to the effect
- **Gap rate** — fraction of effects with accountability gaps
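
The first and third metrics can be computed from attribution results alone; accountability latency additionally needs node timestamps, so it is omitted from this sketch. Chain and gap shapes are assumptions (a chain is EFFECT-first; `None` marks an effect whose attribution returned a typed gap):

```python
# Sketch: mean delegation depth and gap rate over attribution results.

def accountability_metrics(chains):
    resolved = [c for c in chains if c is not None]
    gap_rate = 1 - len(resolved) / len(chains) if chains else 0.0
    # Delegation depth is approximated here as chain length minus the
    # EFFECT and sovereign-root links themselves.
    mean_depth = (sum(max(len(c) - 2, 0) for c in resolved) / len(resolved)
                  if resolved else 0.0)
    return {"mean_delegation_depth": mean_depth, "gap_rate": gap_rate}
```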

---

## Appendix A: Notation Summary

| Symbol | Meaning |
|:--|:--|
| G | ProofGraph DAG |
| e | EFFECT node |
| C(e) | Accountability chain for effect e |
| S, A, K, D | Principal kinds: Sovereign, Agent, System (Kernel), Delegate |
| P(n) | Parent set of node n |
| VGL | Verified Genesis Loop |
| VPL | Verified Pipeline Loop |
| CAG | Causal Accountability Graph (derived semantics, not a parallel model) |

Mindburn Labs Research · January 1, 2026