How to prove which AI model actually produced an output
When an AI output matters — a decision, a score, a generated document — how does anyone verify which model produced it, on what input? A look at verifiable inference and its honest limits.
As AI outputs start driving real decisions — credit scores, medical triage, content moderation, automated trades — a question that used to be academic becomes practical: how does anyone know which model produced a given output, and on what input? Today the honest answer is usually that you cannot know. An output is just text or a number; nothing about it proves which model version generated it, what it received, or that the operator did not swap in a cheaper model or edit the result afterward. For anything consequential, that gap is a problem.
The reason it matters is accountability. If an AI system makes a decision a person wants to contest, or a regulator wants to examine, the record has to answer three things credibly: which model (and version) ran, what input it saw, and what it output — none of which the operator could have altered after the fact. A screenshot or a log entry proves none of that, because the party holding it is the party with the incentive to change it. What is needed is an attestation: a record bound to the specific model and input, signed so that tampering is detectable.
Verifiable inference builds that record. At the moment of inference, you capture a fingerprint of the model (a hash of its weights or a stable version identifier), a hash of the input, and the output, then sign the bundle with a key tied to the system. Anyone holding the attestation can later confirm the output corresponds to that exact model and input, and that the record has not been edited. Chain attestations together and you also get ordering — a tamper-evident history of what a system decided over time. The verification rests on cryptography and a published model fingerprint, not on trusting the operator's word.
Be precise about what this does and does not prove, because that is where honest tools differ from marketing. A verifiable-inference attestation proves that a specific model, on a specific input, produced a specific output, and that the record is intact — integrity, attribution, and non-repudiation. It does not prove the output is correct, fair, or unbiased; a model can be faithfully attested and still be wrong, and evaluating that is a separate governance task. Nor does it prevent a determined operator from running the honest model in parallel and attesting only the runs they like — closing that gap needs additional controls at the point of capture. Within those bounds, though, attestation converts an unverifiable claim into checkable evidence, which is what accountability requires. Sign the attestations with a post-quantum scheme (ML-DSA, FIPS 204) so they remain verifiable across the long lifetime such records often need — resistant to known classical and quantum attacks per NIST, not unbreakable.
Try it yourself — live, free, verifiable in 30 seconds:
Attest your AI outputs →