The Defect Nobody Can Prove

Published on: June 9, 2026

#product-liability #strict-liability #parametric-insurance #AI-exclusions #EU-AI-Act #role-continuity #rices-theorem #insurable-ai #drift-receipt #underwriting
https://thetadriven.com/blog/2026-06-09-the-defect-nobody-can-prove
⚖️A — Why we believe the AI defect is measurable, just not in software

Here is the conviction, stated before any proof, because you price risk for a living and you deserve to know exactly what is being claimed. We believe that "did this agent's governance fail?" is a question with a measurable, deterministic answer — the kind your parametric desk already underwrites — and that it has been unanswerable until now for one structural reason: everyone tried to answer it in software, and software cannot witness its own behaviour. We answer it one layer down, in silicon, where an agent's authorised role becomes a physical position and "out of role" becomes a physical mismatch you can read off a gate.

The reason this matters to you specifically, and now, is that the law just moved. On 9 December 2026 the EU's revised Product Liability Directive (2024/2853) brings software and AI into strict product liability across the bloc — no-fault, defect-based. Strict liability does not ask whether anyone was careless. It asks whether the product failed to provide the safety a person was entitled to expect. That is a defect test, and a defect test needs evidence of defect. For a physical product the defect is visible — a cracked weld, a contaminated batch. For an agent the defect is a behavioural event, and there has never been an instrument that could show it happened.

We believe the receipt is that instrument, and that it speaks the dialect you already trust. A parametric policy does not pay on a loss adjuster's narrative; it pays on a deterministic trigger that either crossed the line or did not. The drift receipt is a parametric trigger for role continuity: it measures whether an action's position matched its authorised intent, at the substrate, and emits a signed number. The defect strict liability requires becomes a trigger your desk already knows how to write.

We hold this the way an underwriter holds a model: provisionally, with the failure modes published. The rest of this post is the evidence — what is proven, what is measured, what is merely the math of a limit — and the one place where the proof honestly stops. If you are the kind of reader who recomputes rather than believes, this was written for you.

The claim, bounded up front: Strict liability now attaches an AI defect that no software monitor can certify (Rice's Theorem). We make that defect a physical, signed, recomputable measurement — a parametric trigger for role continuity. We prove the hardware witness, we cite the law that creates the demand, and we name the single place where we report closeness instead of exactness.

🤝B — You already feel this from the other side of the table

If you underwrite, you have already taken the defensive action, and you took it because the file would not close. In January 2026 the Insurance Services Office issued new generative-AI exclusions to the standard commercial general liability form — CG 40 47, CG 40 48, and CG 35 08 — and carriers adopted them immediately; Berkley filed an "absolute" AI exclusion across D&O, E&O and fiduciary lines. That is not unfamiliarity with a new technology. That is the discipline doing what it does when it cannot independently measure a loss: it excludes.

You are not imagining the gap, and you are in credentialed company seeing it. The thin slice of AI risk that is bindable proves the rest of the point: the first standalone AI liability policy written at Lloyd's (Armilla, April 2025, underwritten by Chaucer) prices around named, enumerable failure types — prompt injection, tool misuse, agent privilege escalation. Notice what those have in common: each is a role boundary being crossed. The market can already see that the unit of AI loss is an agent leaving its lane. What it cannot do yet is measure the crossing.

So this is not a lecture about a risk you do not hold. It is a name for a position you already occupy — exclusions filed on one side, a strict-liability statute arriving on the other — and a claim that the discomfort between them is the correct response to a real, measurable absence we built an instrument to fill.

🔒C — Why software can never certify the defect (it is a theorem, not a tooling gap)

The reason this has stayed unmeasurable is not that the right monitoring product has not shipped. It is a proof. To certify that an agent is still in its authorised role, a software checker would have to decide a semantic property of another program's behaviour — and Rice's Theorem (1953) establishes that every non-trivial semantic property of program behaviour is undecidable. A better model does not close that gap; it inherits it. The checker is the same kind of object as the checked, runs in the same domain, and shares its blind spot. An LLM monitoring an LLM is marking its own homework — the full argument is here.

This is exactly the failure your actuaries already price as exclusion, stated as physics rather than as a renewal note. As the book puts it: "If the deployer's AI system and its verification layer share a failure domain, the loss distribution is untractable — not hard, not expensive, untractable. No premium can be quoted." (The Budget Is The Proof, Ch. 12). The exclusion is not a temporary stance awaiting better software. It is the correct actuarial reading of a shared failure domain.

There is a tempting objection here — doesn't the EU AI Act already mandate logging? It does: Articles 12 and 19 require high-risk systems to keep automatic logs, and Article 72 requires post-market monitoring. But a log is the system's own account of itself — a story about a story, generated inside the failure domain it is meant to police. The Act creates the demand for an evidence trail and is silent on the one property that makes evidence admissible against a determined adversary: that it originate outside the system being measured. Mandated logging is the question. It is not the answer.

Rice does not say drift is hard to catch. It says no software verifier can guarantee it — and over a long-running agent any non-zero miss-rate eventually escapes. You can catch cases. You cannot get the certificate. That is why the answer had to leave software entirely.

🪪D — The framing that is yours: governance-as-product, not employee-as-rogue

The sharpest move in this whole conversation did not come from us — it came from a London-market practitioner who underwrites with one hand and reads cryptographic attestation with the other. Pushed on whether AI drift is insurable, he reframed it away from professional indemnity (treating the agent like a rogue employee whose conduct you litigate) and into product liability — where the "product" is the governance of the agent, and the question is simply whether that product failed. That reframe is the unlock, and it deserves to be recognised as the expert instinct it is.

It is the right lens because it changes what you have to prove. Negligence litigates conduct; strict product liability litigates the artifact. As the book now states it: "Negligence litigates conduct — what the deployer should have done. Strict liability litigates the artifact — what the thing did. The first needs evidence of fault. The second needs evidence of defect." (Ch. 12, "Strict Liability Does Not Ask Who Was Careless"). Evidence of fault is a story you argue. Evidence of defect is a measurement you read.

And it lands you on terrain you already own. You do not need a philosophy of machine intent. You need a deterministic trigger that says the governance product held or did not — the same shape as the wind speed or the quake magnitude your parametric book already pays against. The reframe does not ask you to learn our world. It shows that the instrument belongs in yours.

🧾E — The tool you can carry to committee: a receipt that prices

What this architecture hands you is not another dashboard or model card. It is a receipt at the coordinate of the action: a signed artifact that says "this agent, at this step, was still acting in the role you authorised, and here is the drift, measured." An agent's intent is compressed to a 64-bit signature — its shape, the payload burned down until only the structure survives — and that signature's value is a physical address. Verifying drift is then one hardware act: compare the shape the agent has now against the shape it was hired with, at that address, with an XOR and a population count. The gate that performs that comparison clocks in the sub-nanosecond range on commodity silicon — a runtime signal generated as the action happens, not an audit run after the fact. Out-of-lane is a physical mismatch, not a software opinion you can spoof.

Because the receipt is the shape of the meaning rather than the meaning itself, there is nothing sensitive to leak — which is exactly what makes it underwritable. A thing you can verify without exposing is a thing a third party can price. The contribution is not "trust us"; it is "recompute it yourself." You can verify a signed receipt in a browser and run the mechanism on your own hardware (npx thetacog-mcp pmu-demo); the underlying address-fetch-as-verify mechanism is filed as patent US 19/637,714.

In your vocabulary the receipt is a parametric trigger for role continuity, and the price it produces is an equation your check writer is already running in their head: Trust Debt = (1 − Rc) × VaR, where Rc is the measured coefficient of role continuity and VaR is the exposure if the agent drifts past authorisation (Ch. 12, "The Check Writer"). Until Rc is measurable that equation evaluates to an unpriceable infinity. The receipt makes Rc a number. That is the whole unlock.
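The arithmetic of the comparison and the pricing equation described above, as an added example in C (not ThetaDriven's code, and a software rendition of the arithmetic only, not the on-chip witness). The signature values are constructed, and treating Rc as the fraction of steps with zero drift is an assumption made for illustration; the post does not define how Rc is derived.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample data: the signature the agent was authorised with and
   the signature observed at each of four steps (step 2 differs in two bits). */
#define AUTHORISED UINT64_C(0xA5A5A5A5A5A5A5A5)
static const uint64_t SAMPLE_STEPS[] = {
    AUTHORISED, AUTHORISED, AUTHORISED ^ UINT64_C(0x5), AUTHORISED
};
#define SAMPLE_COUNT (sizeof SAMPLE_STEPS / sizeof SAMPLE_STEPS[0])

/* Drift in bits: XOR marks the differing positions, popcount counts them. */
static int drift_bits(uint64_t authorised, uint64_t observed) {
    uint64_t diff = authorised ^ observed;
    int count = 0;
    while (diff) {            /* portable popcount: clear the lowest set bit */
        diff &= diff - 1;
        count++;
    }
    return count;
}

/* Index of the first step that is not an exact match, or -1 if none. */
static long first_out_of_role(uint64_t authorised, const uint64_t *steps, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (drift_bits(authorised, steps[i]) != 0)
            return (long)i;
    return -1;
}

/* ASSUMPTION (not from the post): Rc = fraction of steps with zero drift. */
static double role_continuity(uint64_t authorised, const uint64_t *steps, size_t n) {
    size_t in_role = 0;
    if (n == 0) return 0.0;   /* no measurements, so no continuity credit */
    for (size_t i = 0; i < n; i++)
        if (drift_bits(authorised, steps[i]) == 0) in_role++;
    return (double)in_role / (double)n;
}

/* Trust Debt = (1 - Rc) * VaR; returns -1.0 for out-of-range or NaN input. */
static double trust_debt(double rc, double var) {
    if (!(rc >= 0.0 && rc <= 1.0) || !(var >= 0.0)) return -1.0;
    return (1.0 - rc) * var;
}

int main(void) {
    double rc = role_continuity(AUTHORISED, SAMPLE_STEPS, SAMPLE_COUNT);
    printf("first out-of-role step: %ld\n",
           first_out_of_role(AUTHORISED, SAMPLE_STEPS, SAMPLE_COUNT));
    printf("Rc = %.2f, Trust Debt = %.2f\n", rc, trust_debt(rc, 1000000.0));
    return 0;
}
```

The exact-match threshold mirrors the post's statement that the receipt measures drift from the exact authorised intent; a mismatch of even one bit counts as out of role here.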

📈F — What it does to your book: the unbindable submission becomes bindable

Run the receipt forward into your own economics and the change is not cosmetic. The submissions you decline today are declined because the loss distribution is untractable — a risk you cannot independently measure is a risk you cannot quote. A runtime measurement signal generated by something the deployed system cannot mutate makes that distribution computable: a premium can be quoted, reinsurance can be syndicated, the cedent's risk register carries numbers the board can sign. The exclusion was the correct call given no instrument; the instrument changes the call.

The standard of care everyone keeps reaching for is just one of the implications, and not the largest. With a parametric trigger you also get clean apportionment — the receipt locates where in the role lattice the drift occurred, so liability lands on the actual failure coordinate instead of defaulting to the deepest pocket. You get severity grading — a drift that cascades widely prices higher than one that dead-ends, because the architecture ranks the downstream blast radius rather than treating every miss as total. And you get a demand-side flip: once the defect is provable, the deployer's incentive inverts from hiding drift to proving lane-adherence, so the receipt becomes the instrument the insured wants — their liability-transfer slip — which is how a coverage line actually grows.

This is the difference between writing AI risk as a sympathy line and writing it as a real book. The first prices a story and hopes. The second prices a trigger and recomputes.

🛡️G — The objections a careful underwriter raises next

Basis risk is the first and fairest. Every parametric instrument carries the gap between the trigger and the true loss, and this one is no exception: the receipt measures drift from the exact authorised intent, lexically, not paraphrase-equivalence. We report that boundary rather than hide it — there is a closeness term, and we publish it. The honest claim is not that the trigger is the loss; it is that the trigger is a deterministic, recomputable, tamper-evident proxy for the role boundary, which is strictly more than the discipline has today, which is nothing.

Can it be forged? This is the point of strength and of candour. Anyone can recompute the receipt — that is the design. What cannot be done in software is fake the underlying event, because the attestation is produced on-chip as a physical mismatch rather than asserted by a program that could be coerced. And we did not leave that at theory: the adversarial forge-test has been run under host-key pinning and accepts zero forged receipts — a measured 0-of-N you re-run yourself, not a result you take on faith. We do not dress that up as mathematical unforgeability; a 0-of-N is an absence, not an impossibility. We claim exactly what we measured — the check lives below the layer a prompt can reach, and the forgeries thrown at it have not landed.

Is this just the AI Act's logging in fancier dress? No — and the distinction is the whole thesis. A log is generated inside the failure domain and is admissible only if you already trust the system that wrote it. The receipt is generated by a witness outside that domain. The Act mandates that you keep a record; it does not, and cannot, mandate that the record be independent of the thing it records. That independence is the property we supply, and it is the property an actuary actually needs.

🏛️H — The ground you can defend to your capital providers

This is defensible because three independent vectors point at the same missing object, and none of them is our marketing. The legal vector: the EU made software a strictly-liable product (PLD 2024/2853, live across member states December 2026), so the defect is attached whether or not anyone was careful. The market vector: US carriers filed AI exclusions into the standard CGL form (CG 40 47/48), so the defect is un-transferred by default. The regulatory vector: the AI Act mandates logging and post-market monitoring (Articles 12, 19, 72), so an evidence trail is required — but left undefined exactly where independence matters.

The convergence is the argument. As the book frames it, "the American exclusion and the European directive are not competing readings of AI risk; they are the demand side and the supply side of the same instrument. The market will not insure a defect it cannot measure, and the statute will not excuse a defect it can attach." (Ch. 12). Both clear at the same moment — when the defect becomes a signed, recomputable, parametric fact. The polymorphism precedent the actuaries already pattern-match against (Ritonavir, 1996; McCrone's Law) says the failure modes are not exhausted, they are merely not yet found — which is precisely why a runtime trigger beats any pre-deployment certificate.

Do not trust this post — recompute it. Three load-bearing claims reproduce on your own hardware in one command (scripts/pmu/verify-all.sh): the chip-to-cloud weld diffs to exactly zero across all 144 lattice anchors — dyadic weights, bit-exact, not an epsilon; the adversarial forge-test accepts zero forged receipts under host-key pinning; and the membership signal is measured on real silicon, not modeled. Every number an underwriter would price came from a command, not a slide. That is the posture a reinsurer can stand behind: not "believe us," but "run it."

What we are not claiming is a clean place to stand. We do not claim the chip understands meaning, that drift is fully prevented, or that the receipt is provably unforgeable. We claim hardware-anchored tamper-evidence of role continuity, with a published closeness term and an open forge-test. A claim that names its own limit is the one a recompute-reviewer — and a reinsurer — can actually trust.

👑I — Who you become if you write this first

There is a specific position available here, and it is not "early adopter." The carrier who first prices against this evidence does not get a head start that others copy — they set the reference price every subsequent treaty is measured against, the way the first standardised peril always does. The comp is not a software vendor; it is the moment a new, measurable trigger turned an uninsurable exposure into a line, and the desk that defined the trigger owned the curve.

The instrument exists and the market has not yet priced it; the measure of what happens next is what you do in the pause between those two sentences. The submissions are queued, the exclusions are filed, the directive is dated. The only missing input was a number for the defect — and that number is now generatable. Holding it is not a matter of belief. It is a matter of being the one who recomputed the receipt before the renewal cycle made the position obvious to everyone else.

🎯J — Recompute it, then decide

Do not take any of this on faith — that would contradict the entire claim. Verify a signed receipt in your browser: confirm the signature and recompute the deterministic projection yourself. Run the gate on your own hardware with npx thetacog-mcp pmu-demo. Read the Rice's Theorem argument for why no software path closes this, and Chapter 12 for the actuarial and strict-liability framing in full. The mechanism is filed as US 19/637,714; the closeness term and the open forge-test are stated in the post above, not buried.

If you underwrite, structure, or syndicate AI risk and you want to pressure-test whether drift-distance can be the parametric trigger your desk writes against, that is the conversation worth having — and it is more your turf than ours. The defect is now a number. The only question left is who prices it first.
