The five pillars feel right, and the dead man's switch on expiration is the most underrated idea -- flipping the default from "trusted until proven otherwise" to "trusted until actively renewed" is a much healthier baseline.
The part I keep circling is auditability. Logging actions is tractable. Logging why in a way that's interpretable to someone not deep in the stack is part interpretability research, part UX design, part org process, and we don't even have a clear picture of what "solved" looks like yet.
The open question is still: who actually enforces any of this? IETF and OWASP produce standards, not mandates. That gap is there.
Agree, this area is far from solved and at the same time open to pointed experiments and speculations.
I was explicitly excluding the black box problem and focusing more on logging actions.
We need the standards; enforcement, I think, will be a more granular and bespoke approach where both existing and new institutions could have new roles and business models. Happy to talk more, thank you for reading through!
The distinction makes sense as a scope decision. Though I wonder if the two are harder to separate in practice - action logs without intent context can be gamed or misread pretty easily. The "what" needs at least some "why" to be meaningful as accountability infrastructure.
The granular and bespoke angle on enforcement feels right. Probably the only realistic path.