SNAPOS.ORGONLINE
|
FRAMEWORKDIP-CORE-1.0
|
GCCL v0.1DOI: 10.5281/zenodo.18362037
MANDATE INTEGRITYPROTOCOL ACTIVE
|
AUDIT@SNAPOS.ORG
ORCID0009-0000-6493-4599 · Marko Chalupa
ZENODO11 publications · Open access
GCCL v0.1DOI-registered governance standard
IT-SCHNITTSTELLEGovernance audit · DE
UNITED CODING20+ years production delivery
Documented cases

Everything worked.
That was the problem.

Four production systems. Four mandate drift failures. In every case, monitoring was active, compliance was maintained, dashboards were green. In no case did any existing control layer detect that execution had become illegitimate.

See Applications → Run Decision Audit ↗
Stop Execution
Knight Capital
2012 · Automated trading system
$440M. 45 minutes. Execution was correct. Continuation was not. A deprecated flag was reactivated under conditions it was never authorized for.
What DI would have done:flagged mandate mismatch · required re-validation · stopped continuation before first trade
Full analysis →
Execution Misaligned
Zillow Offers
2021 · Automated property acquisition
The model kept optimizing. The assumptions had already died. Valuation conditions that justified the mandate changed silently.
What DI would have done:detected assumption failure · triggered DCF closure review · halted expansion
Full analysis →
Authority Drift
COMPAS
Ongoing · Criminal risk scoring
No code break. No alarm. Authority drifted silently. Operational scope expanded beyond original authorization without re-legitimation.
What DI would have done:enforced scope invariants · required authority rebinding · triggered re-legitimation
Full analysis →
Mandate Expired
Klarna AI Support
2024–2025 · Customer service AI
Rule compliance = 1. Mandate integrity = 0. Quality commitments made at deployment — the conditions that authorized scale — changed without re-validation.
What DI would have done:tracked quality commitments as mandate conditions · detected mandate expiry · required re-legitimation
Full analysis →
Knight Capital · 2012

$440M in 45 minutes.
Everything worked.

On August 1, 2012, Knight Capital deployed new software that inadvertently reactivated a deprecated trading algorithm. The system executed millions of trades in 45 minutes, accumulating $440M in losses before it was manually shut down.

The system was never broken. It was executing correctly — under an authorization that had expired. The deprecated flag held old instructions that were never re-validated against current conditions. No control layer asked whether the mandate was still valid.

Monitoring saw activity. Compliance saw rules followed. Governance saw nothing — because no governance layer existed for mandate continuity.

DI analysis
Mandate gap
The deprecated flag's authorization had expired. No mechanism existed to verify whether reactivation was still within a valid mandate.
Missing closure condition
DCF Authority Closure: the authorization basis for the reactivation was never verified against current conditions.
No failsafe trigger
DIP fail-closed: no valid mandate present → no execution allowed. The reactivation would have been blocked at the first trade.
Zillow Offers · 2021

The model didn't break.
The assumptions died.

Zillow's automated property acquisition system continued optimizing for growth while the valuation model's underlying assumptions — stable markets, predictable appreciation, reliable comparable data — had silently degraded.

The system remained operational and technically correct. The mandate — acquire at scale because valuation is reliable — was no longer valid. No control layer detected this divergence. The $500M write-down came after the drift.

Decision Integrity operates before it.

DI analysis
Assumption closure failure
DCF Assumption Closure: conditions that justified the mandate — market predictability, model accuracy — changed without triggering re-evaluation.
DASR would have detected this
Drift velocity — the rate at which mandate-relevant conditions diverge — would have signaled re-legitimation before scale expansion continued.
Evidence closure breach
The evidence base that authorized operation at scale was no longer sufficient. DCF Evidence Closure would have halted expansion.
COMPAS · Ongoing

No code break.
No alarm. Authority drifted silently.

The COMPAS recidivism risk scoring system's operational scope expanded beyond its original authorization boundaries without any re-legitimation event. Every output remained technically correct under the original rules.

Authority drifted into territory it was never explicitly authorized for. Because no DIP-level scope gate existed, the system continued executing actions beyond the boundaries of its original mandate — correctly, without error, without alarm.

Effective accountability requires non-narrative proof — a witness chain that shows what the system was authorized to do and what it did.

DI analysis
Scope invariant violation
DIP enforces scope gates. Expansion beyond the defined mandate requires explicit authority rebinding — not silent continuation.
No witness chain
Without witness tuples linking each decision to a valid authorization, claims about legitimate scope are narrative — not auditable.
Re-legitimation trigger absent
When scope boundaries are tested, DIP requires explicit re-legitimation before expansion — not correction after the fact.
Klarna AI Support · 2024–2025

DIP Audit #1.
Rule compliance = 1. Mandate integrity = 0.

In early 2024, Klarna deployed an AI customer support system handling 700 customer service agents' worth of queries. By May 2024, it was handling the majority of customer service interactions. In September 2025, Klarna reversed course: the AI was not apparent.

The system operated within defined rules throughout. What the Evidence shows: the quality commitments made at deployment — the conditions that authorized operation at scale — changed without re-validation. The original mandate had effectively expired 15 months before the reversal.

Rule compliance is not mandate integrity. A system can pass every compliance check and still be operating under an expired authorization.

DI analysis — DIP Audit #1
Mandate conditions not tracked
Quality commitments made at deployment were treated as performance targets — not as mandate conditions that gate continued authorization.
No re-legitimation event in 15 months
As conditions changed, no formal re-authorization occurred. The system continued under the original deployment mandate throughout.
DASR metric: Drift Magnitude > threshold
DIP asks not whether the system functioned, but whether it still had the authority to function. That question was never asked.
Full audit published
DIP Gap Analysis · DOI: 10.5281/zenodo.19382604 →
Authority and research credentials
ORCID
0009-0000-6493-4599
Persistent research identity for all SnapOS publications
Zenodo — DOI-Registered
11 publications · Open access
DCF, DASR, GCCL, DIP Gap Analysis and more
GCCL v0.1
DOI: 10.5281/zenodo.18362037
Formal governance framework for AI capability and compliance
United Coding GmbH & Co. KG
20+ years production delivery
Decision Integrity emerged from production systems that continued after their conditions changed
IT-Schnittstelle GmbH
Governance audit practice · DE
Decision architecture for regulated organizations
LinkedIn — Marko Chalupa
CTO & AI Architect · Mühltal
United Coding GmbH & Co. KG · SnapOS Foundation

Assess decision legitimacy in your system.

DriftBench runs a sealed evaluation: policy binding, witness tuples, scope gates, fail-closed behavior. Against your model endpoint. No data leaves your environment.

Run a Decision Audit ↗