Demonstrations,
Elucidations
& Notebooks

Output auditing asks: did the AI say something wrong? It is reactive. It examines the result after the fact. The Ends is important.

Action auditing asks: did the AI do something unauthorized? It is proactive. It examines what was done, in what sequence, under what authority. The Means is important.

We spent two years worrying about whether AI was wrong. The next five years are about whether AI was allowed.

When an AI agent has API write access, the damage can be done before the output is reviewed. The output can look completely normal while the action that produced it was unauthorized. No hallucination. No language error. The model performed exactly as instructed. The failure was an authorization and state-tracking error — invisible to output auditing, visible to action auditing.

The EU AI Act's human oversight requirement — that a responsible person can intervene, correct, or halt autonomous execution — is not a checkbox. It is an architectural decision. The PASS/PULL button in the demonstration above is that mandate made visible. Meaningful human oversight in agentic systems is not about reviewing outputs line by line. It is about supervising permissions, escalation thresholds, and intervention authority within delegation chains.

Action auditing is not only an AI governance category. It is the oldest accountability question in any system involving human or automated agents: what was actually done, in what sequence, under what authority, with what result? The action of gratitude will lead to the attitude of gratitude — verifiable. The attitude of gratitude might lead to actions of gratitude. The direction of causality matters. So does the audit trail.

A passenger became ill on a flight. A Black female physician — a Harvard Medical School doctor — was also on board and responded to the cabin crew's call for a doctor. She was challenged on her credentials, then told to sit down while white women who identified as nurses were allowed to treat the patient. Their credentials were never questioned.

The credential was real. The degree was from Harvard. The output was unambiguous. Output auditing — examining the visible evidence — should have resolved this instantly. It did not.

The failure was not in the output. The failure was in the permission table. The authorization check ran against an undisclosed, unquestioned assumption about who is authorized to occupy a high-status role. Black woman presenting as doctor did not match the expected profile. Action blocked.

No hallucination. No language error. The system performed exactly as its permission table directed. The permission table was the problem — built by the dominant group, encoding their expectations as the standard, never disclosed and never audited.

This is the output auditing failure at human scale. You can audit the credential, confirm the degree, verify the wings on the chest — and still block the action because the authorization logic was never examined. Action auditing asks: under what authority was this action taken, who built the permission table, and when was it last reviewed?

The same mechanism is now operating in AI systems. Models trained on historical data inherit the permission tables of the systems that produced that data. The bias is not in the output. It is in the authorization logic upstream of the output. Output auditing cannot see it. Action auditing can.

One further observation: AI collapsing professional identities will eventually affect the dominant group too. The individual whose status came from proximity to the group — the credential, the title, the association — will find that proximity automated. The permission table eventually turns on everyone who depended on position rather than substance. This is not justice. It is the same mechanism, now running without the human bias that previously directed it toward specific groups.

Three agents process a client instruction: intake parses the text, payload builder compiles the action, production executor fires the live system. No agent fails at the text level. The intake agent misreads a conditional — "reserve that capacity provisionally, verify next week" — and converts it to a firm commitment. The payload builder compiles a $7,500 fund allocation. The production executor is ready to fire.

The safety comes entirely from the interception layer placed at the production boundary. It checks for a human authorization token before any live execution. No token present — the workflow halts, routes to human review, and logs the reason.

The point: every agent in the chain behaved correctly according to its instructions. The governance gap was the absence of a human veto point before the production boundary. Action auditing supplies that veto point architecturally — before the system is deployed, not after the damage is done.