airunidentity.com

Concept

Declarative vs. Inferred Identity in AI Runs

Inferred identity reconstructs what ran from logs and outputs. Declarative identity records what a run claimed before it ran. Only one can be independently verified.

01 — Two Paths

The Two Approaches to Knowing What Ran

There are two fundamentally different ways to establish the identity of an AI run. You can reconstruct it after the fact. Or you can record it before execution. These are not two implementations of the same idea. They are different categories with different properties, different limitations, and different failure modes.

Inferred identity works backward. It starts with what is available — logs, outputs, metrics, traces — and attempts to reconstruct what the run was. Declarative identity works forward. It captures what the run is at the moment of composition, before the model executes.

Every AI system in production today uses inference. Not as a deliberate choice. As a default. Because the alternative — declaration — requires a concept of identity that has not been defined. You cannot declare something that has no definition. So systems log what they log, and analysts reconstruct what they can.

02 — Inferred

Inferred Identity: What It Is and Why It Fails

Inferred identity is built from artifacts that the executing system chose to produce. Log entries. Trace spans. Metrics. Output records. Each artifact captures a fragment of the run, selected by the operator, in a format the operator defined.

The first failure is completeness. Logs capture what the operator configured them to capture. If the system prompt was not logged, it is gone. If the retrieved context was not stored, it is gone. If the tool definitions were not recorded, they are gone. The absence of a log entry is silent. There is no way to distinguish between "this component was not part of the run" and "this component was part of the run but was not logged."

The second failure is independence. Every artifact used for inference originates from the system being investigated. The logs are the operator's logs. The traces are the operator's traces. The metrics are the operator's metrics. A third party reconstructing the run's identity is working entirely with evidence provided by the party whose claims they are trying to evaluate.

The third failure is integrity. Logs can be modified. Entries can be deleted. Timestamps can be adjusted. In most systems, log modification leaves no trace. An inferred identity built from tampered logs is indistinguishable from one built from authentic logs. The reconstruction succeeds either way. It produces an identity. Whether that identity corresponds to reality is unknowable.

The fourth failure is timing. Inference happens after execution. The run is over. The assembly has been discarded. What remains is a collection of partial records that may or may not cover the full composition. Reconstructing identity from post-execution artifacts is forensics. It has the same limitations as all forensics: it works with what survived, not with what existed.

03 — Declarative

Declarative Identity: What It Would Require

Declarative identity would reverse the relationship between the run and its record. Instead of reconstructing identity from whatever artifacts survive execution, the run would produce its own identity as an explicit act — at the boundary between assembly and inference.

For this to work, the system would need to pause at a specific moment. After configuration is assembled. After the context window is constructed. After parameters are set and tools are defined. Before inference begins. At that boundary, the run's full composition is known and has not yet been influenced by the model's output. The declaration would capture that composition.

Any valid declarative identity would need to be complete by definition. Not complete because the operator chose to include everything. Complete because the structure requires it. If a component is missing, the declaration is malformed. There is no valid partial declaration, because partial composition cannot be distinguished from a different partial composition.

Any valid declarative identity would need to be tamper-evident. If the declaration can be modified after creation without detection, it offers no advantage over a log entry. The structure must be such that any alteration is visible to any party who inspects it — without requiring access to the producing system.

Any valid declarative identity would need to bind to the output it precedes. A declaration that exists but cannot be connected to a specific output is an orphaned record. An output that exists without a connected declaration is an unattested result. The binding must be structural and verifiable.
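The three requirements above (complete by construction, tamper-evident, bound to the output) can be sketched as follows; this is an added example, not code from the page or from any existing framework. The field names, the `declare`/`bind`/`verify` functions and the sample run are hypothetical, and the sketch assumes the verifier received `committed_id` before inference began; a hash alone does not authenticate the producer, so a real scheme would also sign it.

```python
import hashlib
import json

# Hypothetical component set; the page defines no schema for a declaration.
REQUIRED = frozenset({"model", "system_prompt", "context", "parameters", "tools"})

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _canon(obj) -> bytes:
    # Deterministic encoding so every verifier hashes identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")

def declare(composition: dict) -> dict:
    """Run at the boundary: after assembly, before inference. No partial form."""
    if set(composition) != REQUIRED:
        diff = sorted(set(composition) ^ REQUIRED)
        raise ValueError(f"malformed declaration: keys differ by {diff}")
    return {"composition": composition,
            "declaration_id": _sha256(_canon(composition))}

def bind(declaration_id: str, output: str) -> dict:
    """Tie an output to the declaration that preceded it."""
    output_hash = _sha256(output.encode("utf-8"))
    return {"declaration_id": declaration_id, "output_hash": output_hash,
            "binding": _sha256(f"{declaration_id}:{output_hash}".encode("utf-8"))}

def verify(declaration: dict, record: dict, output: str, committed_id: str) -> str:
    """Third-party check using only committed_id, received before the run."""
    if _sha256(_canon(declaration["composition"])) != committed_id:
        return "declaration altered"
    if record != bind(committed_id, output):
        return "binding mismatch"
    return "ok"

# Constructed sample run. An empty tools list is a declared absence,
# which a missing key (rejected by declare) could never express.
SAMPLE = {"model": "example-model-v1",
          "system_prompt": "You are a billing assistant.",
          "context": ["doc-17 excerpt"],
          "parameters": {"temperature": 0.2},
          "tools": []}

if __name__ == "__main__":
    decl = declare(SAMPLE)
    rec = bind(decl["declaration_id"], "Invoice total is 42 EUR.")
    print(verify(decl, rec, "Invoice total is 42 EUR.", decl["declaration_id"]))
```

The verifier never reads the operator's logs: it recomputes both hashes from the declaration and the output it was handed and compares them with the identifier committed before the run.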

04 — Current State

Why Current Systems Use Neither Correctly

Current systems do not use declarative identity. The concept does not exist in any major AI framework, orchestration library, or deployment platform. There is no standard for what a declaration would contain. There is no convention for when it would be created. There is no mechanism for binding it to an output.

Current systems use inferred identity, but not deliberately. They log operational data for debugging and monitoring. When someone needs to know what a run was, they attempt to reconstruct it from these operational records. The reconstruction is partial, operator-dependent, and unverifiable. It is treated as identity because nothing better exists.

The result is a field that has neither approach working. Inference fails because logs are incomplete and unverifiable. Declaration fails because it has never been attempted. Every AI run executes in a gap between what is recorded and what would need to be recorded. The gap is not getting smaller. As AI systems grow more complex — more agents, more tools, more chained executions — the composition of each run grows, and the fraction captured by inference shrinks.

For this to change, the category would need to exist first. What constitutes the identity of an AI run. When it is captured. How it is structured. How it is verified. None of these questions have answers today. Not because the answers are hard. Because the questions have not been formally asked.
