Ask a company how you know their AI is behaving, and the answer is usually a stack of documents. A responsible-AI policy. An audit trail. A human sign-off step. A disclosure page. Every one of those artefacts says the same thing underneath: we checked, believe us.
That is trust by paperwork, and to be clear, we run on it too. Epic Growth's governance page discloses how we use AI, every Insights post carries an AI-assistance notice, and our deployment scripts verify what they ship. All of it is honest. None of it is checkable by you. You believe us because we say so, and because reputations are expensive to burn.
Paperwork assurance has carried the software industry for decades, and for most decisions it still does. But AI is stretching it in a way ordinary software never did. Models act, generate, and decide at a volume no sign-off step can witness, and the systems being attested change weekly. The interesting question is what grows on top of the paperwork, and this year the answer started becoming concrete: a verifiable layer, where claims about AI systems are checked by machines instead of believed on reputation.
Trust secured by mathematics, not by policy alone. That is the shift worth watching.
What a proof actually buys you
The idea is old cryptography applied to a new problem. Instead of asking an operator "did the model you promised produce this output?", a verifiable system answers with evidence: a cryptographic proof that a specific, committed model ran a specific computation, checkable by anyone in milliseconds, without trusting the person who ran it.
Assurance today comes in three broad families, and it helps to see them as one axis:
Best · Cheap, universal, covers the whole organisation
Trade-off · You believe the operator because they say they checked
the risk is low and a signature carries enough weight for everyone involved
Best · Machine-checkable evidence at production cost
Trade-off · Attestation shifts trust to hardware and signers, it doesn't remove it
a counterparty (insurer, regulator, enterprise buyer) needs evidence it can verify without taking your word
Best · Anyone can check, no trust in the operator required
Trade-off · Proving costs still orders of magnitude above raw inference at frontier scale
the claim is high-stakes and narrow enough that paying the proof premium is worth it
The direction of travel: institutions are moving assurance from the left of this axis toward the middle, and the frontier is pushing the right edge closer.
- The gap
- Behavioural evaluation and paperwork can only speak to what an operator observed and chose to record. They attest effort, not execution.
- The middle, today
- Regulation already points here: the EU AI Act requires automatic logging for high-risk systems and machine-readable marking of generated content, and its recitals name cryptographic provenance methods.
- The right edge
- Zero-knowledge proofs of inference exist and are getting faster, but at frontier-model scale the proving overhead is still the blocker. Today they fit narrow, high-stakes claims.
- The stake
- Insurers have begun writing AI performance cover that settles on measured thresholds. What can be measured can be priced, and what can be priced can be backed.
The middle of that axis is where the movement is. Automatic logging, signed content provenance, hardware attestation of where a model ran, and performance thresholds an insurer can settle against: all machine-checkable, all shipping today at production cost. The right edge, full cryptographic proof of execution, exists and is improving fast, but still carries a heavy price at scale. That combination, a middle that is affordable now and a right edge that is visibly approaching, is what makes this a trend rather than a research curiosity.
The state of proof, honestly
The numbers are worth knowing precisely, because both the hype and the dismissal get them wrong.
Zero-knowledge proofs of model inference are real. A proof that a GPT-2-class model (117 million parameters) produced a given output took about an hour of computation in 2024; by 2025 the same proof took under 25 seconds, and 2026 systems are splitting the work further. A 13-billion-parameter model has been proven in under 15 minutes with a proof smaller than 200 kB. Researchers have even begun proving entire agent transcripts, the inference plus the tool calls, bound together.
Proving time for a full GPT-2 inference, 2024 to 2025. The trajectory matters more than today's number.
Now the honest other half. Those proofs cover models three to four orders of magnitude smaller than the frontier systems in production. One 2025 system reports about 150 seconds of single-threaded proving per generated token on an 8-billion-parameter model, which puts a 500-token answer north of twenty hours of single-core proving; parallel hardware shrinks that, but not to production economics. The field's own survey literature names the bottlenecks plainly: proving cost, circuit expressiveness, deployment complexity. And every current system proves a quantised circuit version of the model, close to, but not bit-identical with, the model actually served.
There is a cheaper rung on the same ladder. Hardware attestation, a chip cryptographically reporting what code ran in an isolated environment, costs under 7% of throughput for typical model serving, and it already runs at consumer scale: the two biggest phone-platform vendors ship AI clouds whose nodes prove their software state to your phone before it sends data. Attestation proves the environment rather than the arithmetic, and it moves trust to the chip vendor rather than removing it, but it is machine-checkable evidence at production cost, today.
The verifiable layer is not one technology. It is a cost curve: signatures and logs are nearly free, attestation costs single-digit percent, full proof costs orders of magnitude. The engineering question is never "can we prove it?" but "which claim is worth which price?"
Why institutions care
Here is where this stops being a cryptography story and becomes a business one.
Institutions cannot price a promise. An insurer, a procurement office, or an auditor needs something measurable to underwrite, and paperwork assurance gives them testimony rather than measurement. That is exactly what is changing. In 2025 the Lloyd's market began writing affirmative liability cover for AI system failures. In February 2026, a specialty insurer and one of the world's largest reinsurers launched performance cover for AI vendors that pays out when a model breaches defined performance thresholds, settled against measured data rather than a claims investigation of who promised what.
The audit profession is moving the same direction: major firms now offer independent assurance over AI systems, and the UK government has sized AI assurance as a market: just over £1 billion of value today, with the potential to reach £18.8 billion by 2035 if adoption barriers are addressed. Securities regulators have put AI claims on their examination priorities, checking that what firms say about their AI matches what they run.
The UK government's projection for its AI assurance market by 2035, from £1.01 billion in 2024. Assurance is becoming an industry, not a checkbox.
Read those developments together and a pattern appears. What can be measured can be priced. What can be priced can be insured, procured, and invested in. Verification is the machinery that turns AI risk from an unknown an institution must refuse into a number it can carry. That is our synthesis rather than any institution's official line, but every piece of it is now visible in the market.
Verifiable AI is becoming investable for the same reason audited accounts made companies investable: the risk became legible to people who price risk for a living.
The regulation already points here
If you operate in Europe, this direction is not optional curiosity, it is the shape of obligations you already have.
The EU AI Act requires high-risk systems to "technically allow for the automatic recording of events" over their lifetime (Article 12), with providers keeping those logs for at least six months (Article 19). The word "technically" is load-bearing: this is a system capability requirement, not a documentation one, though under the postponed schedule the high-risk obligations apply from December 2027. Sooner than that, providers of generative systems must mark outputs "in a machine-readable format and detectable as artificially generated or manipulated" (Article 50(2)): a duty originally set for 2 August 2026 and moved to 2 December 2026 by the Digital Omnibus the European Parliament approved in June 2026, while the rest of Article 50's transparency duties keep their August date. And the regulation's own recitals name "cryptographic methods for proving provenance and authenticity of content" among the techniques it contemplates.
Marking is not proof, and a recital is guidance rather than obligation. But the direction is unambiguous: European law is steadily replacing "attest that you checked" with "make it machine-checkable." The paperwork stays, as the floor. The ceiling is rising above it.
What cannot be proven
A post like this earns its keep by being honest about the limits, because the limits are structural, not teething problems.
There are quieter gaps too. A proof binds an output to committed weights, but the link between that commitment and "the model you were promised" still rests on signatures and audits. Model signing, now standardised and being adopted by major model catalogues, attests who published the weights, and nothing about how they were trained. Cryptographic proof of training itself is five to six orders of magnitude below frontier parameter counts: the state of the art proves training steps of a 10-million-parameter model at about 15 minutes per iteration. Content provenance standards are being adopted by security agencies and standards bodies, and independent researchers have challenged their security claims in the same year. This layer is being built in public, disagreements included.
And there is a deeper limit, one that deserves naming plainly. A proof can show that a specific model ran, that certain inputs were used, that a computation followed defined rules. It cannot show that the data was complete, that the objective was legitimate, or that the consequence was justified. The properties a zero-knowledge system verifies are still chosen by people, embedded in code, and limited by that frame; even a perfect proof only answers the questions someone decided to ask. Safety professionals reached this insight long before AI did. Don Andrechek, the Canadian lead auditor behind the Truth-Tempo-Preparation framework, calls it confusing control with capacity: organisations count inspections, training hours, and incident rates, yet none of those numbers say whether the system can absorb the next surprise. His "truth gap", the distance between what is happening and what leaders believe is happening, does not close because execution became provable. Verification strengthens the record. It does not make truth travel faster, slow a tempo that outruns judgment, or deepen preparation for the abnormal.
Math can prove execution. It cannot prove that an action deserved trust, that a policy was right, or that human judgment stayed in control. Verifiable infrastructure is stronger than paperwork alone; it is not a substitute for truth, authority, challenge, or accountability.
None of that undermines the trend. It defines the honest work: the verifiable layer will arrive claim by claim, cheapest and highest-stakes first, not as one switch labelled "trustworthy."
What a European SME should do now
You do not need a cryptographer on staff to act on this. You need four habits, in ascending order of effort.
Log like it's infrastructure. Automatic event logging is already an EU obligation for high-risk systems and plain good practice for everyone else. If your AI vendor cannot export what happened and when, that is a data point about the vendor.
Prefer signed artefacts. When you consume models or AI-generated content, prefer suppliers who sign what they ship: signed model weights, signed content credentials. A signature is the cheapest machine-checkable fact in this whole stack.
Ask vendors the attestation question. "Can your system prove where and on what it ran?" You will learn as much from how a vendor reacts to that question as from the compliance documents they send, and the two together tell you far more than either alone. Options that were exotic two years ago, attested inference among them, are becoming line items you can simply choose. Knowing where AI fits in your operation is a conversation we run as a service; knowing what evidence to demand from it is fast becoming part of the same job.
Save the proofs for what matters. Full cryptographic proof is today a premium product for narrow, high-stakes claims: a medical triage decision, a financial threshold, a contested output. Knowing which of your claims deserve that premium is exactly the kind of judgment we argue AI should sharpen rather than replace.
Where this goes
We have argued before that AI safety is a coherence problem, that trust comes from systems whose claims about themselves can be checked, and that sovereignty is a design decision made cell by cell rather than a slogan. Verifiable AI is where both arguments cash out in economics: the checkable system is the one institutions can insure, procure, and back.
The DeAI Summit lands in Malta on 25–28 November 2026 with a working group dedicated to exactly this: what cryptographic proofs of training lineage, weight provenance, and distributed inference look like in practice. If your business is deciding what to believe about AI vendors, or what evidence to offer as one, that conversation is worth being in the room for. And if you want to think through where your own claims sit on the assurance axis, that is a conversation we have with SMEs every week.

