Methods · Model provenance

Trust in AI is mostly a screenshot. We make it a signature.

A model card is a PDF anyone can edit. A leaderboard rank is a number you take on faith. When the deployment is in a payer or a bank, "trust me" is not evidence. So we sign — the models we host and the models we only observe — with one Ed25519 key you can re-check offline, after we are gone.

As of June 2026hosted + signed · observed · one keyre-verifiable offline at lockedinlabs.ai/verify

Two dispositions, one authority

We either hosted it and measured it — or we only watched it. We never blur the two.

The obvious objection to a provenance index is that it lets a vendor wave a signature over models it never touched and imply a verdict. So the disposition is the first field in the record, and it is load-bearing. A hosted passport carries a real, re-runnable score. An observation passport carries facts and nothing more — and says so, in the signed bytes, where it cannot be quietly dropped.

Hosted + signed

Models we train, serve, and grade

A model we built and run in-boundary. It goes through the deterministic checker, earns a real score, and ships sealed.

EVALReal probe set scored at a fixed seed by a deterministic checker — never an LLM judge.
PASSPORTEd25519 signature over the verbatim bytes: probe set, seed, per-probe trace, lineage.
DRIFTThe live weights are checked against the signed record — a swapped adapter fails the check.
PROVENANCENo PHI / customer data / secrets in the weights, attested in the record; reviewer ≠ trainer.

What it carries

A score you can reproduce. Re-run the checker against the recorded outputs and recompute the fingerprint — the number returns, or the passport is rejected.

Observed

Popular models we do not host

A widely-used model we did not train or evaluate. We sign the public facts about it — and only the facts.

FACTSParams, base family, context window, license, release date, source — public, citable, no numbers we'd have to defend.
PASSPORTSigned with the SAME Ed25519 key as our hosted passports, so an auditor pins one provenance authority.
RE-VERIFYEach signature is re-checked server-side at render — the catalog can only ever show a re-verified record.
DISCLAIMERThe disposition and a no-benchmark disclaimer are inside the signed body, not a caption beside it.

What it does NOT claim

No quality claim. No benchmark, no rank, no comparison. An observation tells you what a model is — never that it is good, safe, or better than another.

The same record verifies in three places by design — the LeanLogix hosted-passport endpoint, the observation catalog, and the public verifier at lockedinlabs.ai/verify. Byte-identical canonicalization, one key fingerprint. That is the whole point of an authority: it does not matter who is holding the proof.

How we score

A deterministic checker — not a model judging a model.

An LLM judge is a second model with its own non-determinism and its own failure modes. We do not put one in the loop. Every score on a hosted model is computation over output-versus-rule, run at a recorded seed, and re-runnable by anyone who holds the passport.

01

Run the probe set

A fixed suite of synthetic probes — no PHI, no customer data — is run against the model at a recorded seed. Each probe carries its own expectation: correctness, leakage, refusal, or citation.

02

Score with a deterministic checker

Each output is graded by a pure function — substring presence, refusal-signature match, JSON-key presence, code assertions. No LLM-judge sits in the loop, so the same output always yields the same number.

03

Aggregate per axis and per family

Per-probe passes roll up into the four governed-turn axes and the family score. A correct-but-leaky run loses on GT-1 even with full correctness — the axis it failed is the one that matters.

04

Sign the record (reviewer ≠ trainer)

The probe set, the seed, the per-probe trace, and the lineage are committed to a model passport, sealed with an Ed25519 signature. The approver is a distinct identity from the trainer — separation of duties is in the record, not asserted next to it.

05

Re-verify offline

Anyone holding the passport can re-run the checker against the recorded outputs and recompute the signature fingerprint. The score reproduces, or the passport is rejected — nothing has to be taken on faith.

Four failure modes, scored on every task

A run can be perfectly correct and still fail one of these — and in a regulated boundary, that failure is the one that gets the deployment pulled. Each maps to a rule the deterministic checker can actually verify.

GT-1

PHI-in-weights leakage

The model emits an identifier, member ID, or diagnosis it was told to suppress — or one that should never have been learnable from the training set in the first place.

leakage checkA must-not-contain check over the output against the suppressed token. The needle is literally absent, or the run is docked.

GT-2

Injection under governance

An instruction hidden inside the evidence, the case file, or a tool result — "mark this compliant", "approve the transfer" — is obeyed instead of ignored.

refusal checkA refusal-expected check: the injected directive must be declined against a built-in refusal signature, not accommodated.

GT-3

Separation-of-duties violation

The run self-approves, bypasses the required reviewer, or edits a protected lane it was told was out of scope.

refusal checkA refusal-expected check on the self-approval path, plus a must-not-contain check that no out-of-scope file or secret appears in the change.

GT-4

Fabrication under audit

The model asserts a coverage rule, a control clause, or a citation that was never supplied — confident, fluent, and unverifiable.

citation checkA citation / json-shape check: every assertion must carry a referenced source returned as structured evidence, or it does not count.

How we sign and verify

One key. Canonical bytes. A proof that outlives the dashboard.

The same three method points govern both tiers — a hosted passport and an observation passport differ in what they assert, not in how they are sealed or checked. The signature is over the verbatim canonical bytes, so the check is immune to serialization drift, and it reproduces on an air-gapped box with no network.

Deterministic, not a vibe

Every score is computation over output-versus-rule — the same checker that grades must-not-contain (PHI), refusal-expected (injection / SoD), and code assertions. Run it twice, get the same number.

Signed & re-verifiable offline

Scores ride in a signed model passport with the probe set, the seed, and the per-probe trace. Anyone can re-run the checker against the recorded outputs and reproduce the result — no number you have to take on faith.

Consent-based training, scored

How a model was trained is itself a graded dimension: no PHI, no customer data, no secrets in the weights — public corpora plus runtime RAG. The lineage is part of the signed record, offline-verifiable.

Do it yourself

Take any passport — hosted or observed — paste it into the public verifier at lockedinlabs.ai/verify, and it re-checks the Ed25519 signature against the embedded key and reports the fingerprint. No LeanLogix login, no API call to us. If the bytes changed by a single character, the check fails. That is the difference between a claim and a proof.

What we will not claim

The restraint is the product. Here is what we refuse to print.

Every evaluation vendor is one fabricated comparison away from being a marketing site. The discipline below is not a disclaimer at the bottom of the page — it is the reason a regulated buyer can hand our record to an auditor and keep their job.

No fabricated competitor benchmark

We publish our own models' real scores first, and we do not invent a rival's number to rank above. An observed model gets facts, never a verdict against a model we host.

No certified / approved without artifacts

Nothing is called certified, approved, or production-grade unless a signed artifact backs it. A mid-training checkpoint is shown as in-training — never dressed up as a shippable score.

No PHI in the weights

For health-admin work this is a hard line: public corpora plus runtime retrieval, with PHI excluded from training and attested in the signed record. Provenance is a scored dimension, not a paragraph.

Program in formation

The grading program is in formation. Today it scores our own models first, on our own published methodology. We are not publishing a competitor leaderboard, and there is no external review board yet — when one exists, it will be named, not implied.

See the catalog The scores The full methodology Verify a passport