1 Why This Matters
AI and algorithmic systems are increasingly deployed in high-stakes environments—financial markets, healthcare, autonomous vehicles, and critical infrastructure. These systems often operate as "black boxes," making decisions at speeds and scales that exceed human comprehension.
Traditional audit mechanisms rely on mutable logs and trust-based assertions. Such approaches are insufficient when:
- Decision-making processes are opaque and difficult to reconstruct
- Log integrity cannot be independently verified
- Regulatory bodies require evidence, not mere assertions
Emerging regulatory frameworks—including the EU AI Act (Article 12), MiFID II record-keeping requirements, and SEC expectations for algorithmic trading transparency—increasingly emphasize the need for verifiable, tamper-evident audit trails.
Core Principle: "Verify, Don't Trust"—audit evidence should be cryptographically verifiable by independent third parties, without reliance on the system operator's assertions.
2 What is VSO
VeritasChain Standards Organization (VSO) is an independent, non-profit technical standards body dedicated to developing open specifications for verifiable audit evidence in AI and algorithmic systems.
VSO operates under the following principles:
- Non-profit: VSO does not operate for commercial gain
- Vendor-neutral: Specifications are designed to be implementation-agnostic
- Open development: Technical work is conducted transparently with public documentation
Important Clarifications:
- • VSO does not endorse or recommend specific products or vendors
- • VSO does not grant regulatory approval or certification of regulatory compliance
- • VSO does not provide investment, legal, or financial advice
3 What is VCP v1.0
VeritasChain Protocol (VCP) v1.0 is an open technical specification designed to enable cryptographically verifiable audit evidence for algorithmic and AI-driven systems.
VCP is intended to function as a "flight recorder" for algorithmic decisions—capturing not just outcomes, but the context and parameters that led to those outcomes, in a format that can be independently verified.
Core Technical Components
- Cryptographic hash chaining: Events are linked using cryptographic hashes, creating a tamper-evident sequence
- Merkle proofs: Efficient verification of individual records within large datasets
- Digital signatures: Each event is signed to establish authenticity and non-repudiation
- Tamper-evident event logs: Any modification to historical records becomes detectable
- Third-party verifiability: Audit evidence can be verified without access to the original system
Integration Approach
VCP is designed for sidecar integration—it aims to capture audit evidence without requiring invasive modifications to existing trading or decision-making systems. This approach is intended to minimize integration complexity and operational risk.
4 What Makes It Different
| Aspect | Traditional Logging | VCP Approach |
|---|---|---|
| Integrity Model | Trust-based (assumes logs are unmodified) | Cryptographically verifiable (tampering is detectable) |
| Verification | Requires access to internal systems | Third-party verifiable without system access |
| Evidence Type | Assertions by system operator | Cryptographic proofs |
| Audit Scope | Typically outcomes only | Decision context, parameters, and outcomes |
| Modification Detection | Difficult or impossible | Mathematically detectable via hash chain breaks |
5 Current Status & Public Engagement
VSO is engaged in ongoing efforts to advance the development and adoption of verifiable audit standards:
- Technical documentation: VCP v1.0 specification and supporting materials are publicly available
- Standards body engagement: Technical notes have been shared with relevant public-sector and international standards organizations
- Research publications: Position papers and technical analyses have been published for public review
- Open tools: Reference implementations and evaluation tools (such as the VAP Scorecard Explorer) are available for public use
- International dialogue: VSO maintains ongoing engagement with regulatory and standards communities across multiple jurisdictions
6 Relationship to VAP Framework
VCP operates within the broader context of the Verifiable AI Provenance (VAP) Framework:
- VAP Framework: A high-level framework defining general requirements for verifiable AI decision provenance across multiple domains
- VCP v1.0: A domain-specific profile of VAP, initially focused on financial services and algorithmic trading
This modular architecture is designed to allow future extensions to other high-risk domains—such as autonomous vehicles, healthcare AI, and critical infrastructure—while maintaining a consistent approach to verifiable audit evidence.
Note: Domain-specific profiles beyond VCP are under consideration for future development, subject to community input and resource availability.
7 Important Clarifications
To ensure accurate understanding of VSO and VCP, the following points are explicitly stated:
This specification is non-normative unless formally adopted by a recognized standards body or regulatory authority.
VCP does not constitute regulatory guidance. Compliance with applicable laws and regulations remains the responsibility of implementing organizations.
Implementation of VCP does not imply compliance or certification by default. Formal compliance assessment requires separate evaluation.
Use of VCP does not guarantee regulatory acceptance. Regulatory outcomes depend on jurisdiction-specific requirements and interpretations.
For details on VSO's organizational design and governance principles, see our Distributed Organization policy.