AI Run Identity
AI Systems Do Not Have Identity
Every AI run executes without a stable, verifiable identity. Not because systems are immature — because identity has never been defined. This is what that costs.
What an AI Run Is
An AI run is a bounded execution event. A model is selected. A configuration is assembled. Inputs arrive. Context is constructed. The system executes. An output is produced. The run ends.
This is not a function call. A function call has a fixed signature, a known implementation, and a deterministic relationship between input and output. An AI run has none of these. The model is a black box. The configuration is assembled at runtime from multiple sources. The context window is constructed dynamically. Two runs with identical inputs can produce different outputs.
This is not a database query. A query operates against a known schema with a known engine. The execution path is inspectable. The result is a function of the data. An AI run operates against a model whose internal state is opaque, with a context that includes everything from system prompts to retrieval-augmented fragments to conversation history.
This is not a web request. A request hits an endpoint with a known handler. The server's behavior is defined by code that can be read and audited. An AI run's behavior is defined by weights that cannot be read, instructions that may conflict, and context that may be silently truncated.
An AI run is a composite event. Its components are assembled from different sources, at different times, by different systems. The assembly itself is part of the execution. And when the run completes, the assembly is discarded. Nothing records what it was.
What Identity Means in This Context
Identity here does not mean authentication. It does not mean which user initiated the run. It does not mean which API key was used, which account was billed, or which team owns the deployment.
Identity here does not mean model versioning. Knowing that a run used GPT-4-0613 or Claude 3.5 Sonnet is a fragment of identity. It is not identity. The model is one component. The configuration, the system prompt, the retrieval context, the tool definitions, the temperature, the assembled context window — these are equally constitutive. A model version tells you what engine was used. It does not tell you what ran.
Identity, in this context, means the stable, independently verifiable record of what executed. Not what the system logged. Not what the output implies. Not what the operator recalls. The record of what the run was — its full composition — captured at the point of execution, portable beyond the system that produced it.
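One way to make this concrete is a sketch, not a standard: capture the run's composition as a manifest and derive a content-addressed identifier from it. All field names below are illustrative assumptions; the point is only that the identifier is a deterministic function of the composition, so any holder of the manifest can re-derive it.

```python
import hashlib
import json

def run_identity(manifest: dict) -> str:
    """Derive a stable identifier from a run's composition manifest.

    Canonical JSON (sorted keys, no extra whitespace) ensures the same
    composition hashes to the same identifier no matter which system
    serializes it. A sketch only; field names are hypothetical.
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

# Hypothetical manifest: the components the article names as constitutive.
manifest = {
    "model": "gpt-4-0613",
    "temperature": 0.2,
    "system_prompt_sha256": "e3b0c44298fc1c149afbf4c8996fb924...",
    "retrieval_context_sha256": "a1fce4363854ff888cff4b8e7875d600...",
    "tool_definitions": ["search_docs", "run_sql"],
}

run_id = run_identity(manifest)
```

Note the design choice: the identifier is derived from the composition rather than assigned by the operator, so it is a property of the run, not an assertion about it.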
No AI system produces this record today. Not because the engineering is hard. Because the category does not exist.
Why the Gap Is Structural, Not Incidental
This is not an engineering oversight. No team forgot to add identity to their AI platform. The category was never defined. There is no standard for what an AI run's identity would contain. There is no convention for when it would be captured. There is no expectation that it would exist.
Logs record events. A log entry says that a run happened, when it started, when it ended, and perhaps which model was called. But a log is produced by the system that ran the execution. It is an assertion by the operator, not a record of the run itself. If the log is incomplete, there is no way to know. If the log is modified, there is no way to detect it. If the log is lost, the run's existence becomes a matter of inference.
Outputs record results. An output tells you what the model produced. It does not tell you what produced it. Two different configurations can produce identical outputs. The same configuration can produce different outputs. The output is a consequence of the run, not a description of it.
Traces record call graphs. A trace shows you the sequence of operations — which tools were called, which APIs were hit, which functions executed. But a trace is a record of behavior, not of composition. It tells you what the system did. It does not tell you what the system was when it did it.
The gap is not that these tools are insufficient. The gap is that the thing they would need to capture has never been defined.
What the Absence Costs
Without identity, an AI run cannot be reproduced. Not in the strong sense — that would require deterministic execution. Not even in the weak sense: you cannot reconstruct what configuration was active, what context was assembled, or what instructions were in effect. The run happened. It is gone. What remains is an output and, if you are fortunate, a partial log.
Without identity, an AI run cannot be verified across systems. When a run's output moves from one system to another — from an AI pipeline to a compliance database, from a generation service to a downstream consumer — there is no way for the receiving system to confirm what produced it. The output arrives with no provenance that can be independently checked. The receiving system must trust the sending system. There is no alternative.
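What cross-system verification could look like, under stated assumptions: the sender ships the output together with a composition manifest and a content-derived run ID, and the manifest binds the output by hash. The record layout and field names here are hypothetical; the sketch only shows that the receiving system can check the claim without trusting the sender.

```python
import hashlib
import json

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_run_record(output: str, manifest: dict, claimed_run_id: str) -> bool:
    """Independently re-derive the run ID and check the output binding.

    Assumes (hypothetically) that the run ID is the SHA-256 of the
    canonical-JSON manifest, and that the manifest carries the hash of
    the output it produced under the key "output_sha256".
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    if _sha256(canonical.encode("utf-8")) != claimed_run_id:
        return False  # manifest does not match the claimed identity
    # The manifest binds the output by hash, so the output cannot be
    # swapped without detection.
    return manifest.get("output_sha256") == _sha256(output.encode("utf-8"))
```

The receiving system needs nothing from the sender but the record itself: any party holding output, manifest, and ID can repeat the check, which is what makes the verification independent.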
Without identity, an AI run cannot be audited after the fact. An auditor can review logs, if they exist. An auditor can examine outputs, if they were retained. But an auditor cannot answer the question that matters: given this output, what exactly ran to produce it? Under what conditions? With what instructions? That question has no answer, because the information was never captured in a form that survives the run.
The State of the Field
There is no system today that produces a stable identity for an AI run. Not the major cloud providers. Not the open-source frameworks. Not the observability platforms. Not the governance tools.
There are systems that log. There are systems that trace. There are systems that monitor. There are systems that version models and tag deployments. None of them answer the question: what was this run? None of them produce a record that can travel with the output and be verified by a third party who was not present at execution.
The absence is not a missing feature in an existing category. It is a missing category. The infrastructure assumes that if you log enough, you know what happened. But logging is assertion. Identity is something else. And until the category exists, every AI system operates without it.
This gap has a name. Understanding it begins with understanding what an AI run actually is.
Frequently Asked Questions
Is this a security problem?
It is broader than security, though it includes security failures. Without run identity, you cannot verify provenance, enforce policy compliance, or detect tampering. But the core issue is not unauthorized access — it is that the thing you would need to secure has never been defined. You cannot protect what does not exist as a category.
Does this only matter for large AI systems?
It matters for any system where the output of an AI run is used by another system, reviewed by a person who did not initiate it, or subject to any form of accountability. A single-user chatbot has minimal exposure. An AI pipeline that generates content, makes decisions, or produces data consumed downstream has full exposure. Scale amplifies the problem, but does not create it.
Is this already being addressed?
Observability platforms, logging frameworks, and model registries address adjacent problems. None of them define or produce run identity. They record events, traces, and metrics — all of which are produced by the executing system and cannot be independently verified. The category itself remains undefined. There is no standard, no convention, and no widely adopted practice for establishing what an AI run was.