AI Risk Has Five Levels.
Existing Tools Cover Two.
Traditional DLP and guardrails protect data at L0–L1. AI creates risk at L2–L4 — levels that require different infrastructure.
When most people think about AI security, they think about data leakage — sensitive information leaving the system. And that’s a real risk. Traditional DLP tools handle it well.
But AI creates risk at levels that data-focused tools can’t see.
At Level 2, the model develops understanding beyond the literal data. It infers business logic, relationships, and context that were never explicitly provided. We call this cognitive leakage.
At Level 3, individual fragments that are each harmless become dangerous when reassembled. No single piece leaks — the risk only exists in the combination. This is conjunctive leakage.
At Level 4, the complete business intent behind a decision becomes reconstructable. An attacker can determine why a decision was made, not just what was decided. This is intent leakage.
Existing tools cover L0 and L1 — data and information. L2 through L4 require fundamentally different infrastructure: a proprietary governance stack plus formal settlement closure.
That’s what OIA builds.
The Five-Level AI Risk Taxonomy
Based on OIA Lab's five-level leakage taxonomy. Full paper available on request.
L0 (Data): Raw data leaves the boundary. PII in logs, credentials in prompts. Traditional DLP catches this.
L1 (Information): Structured information extracted from data. Entity recognition, relationship mapping. Pattern-matching tools partially cover this.
L2 (Cognitive leakage): The model develops understanding beyond the literal data. It infers context, relationships, and business logic never explicitly provided. OIA foundational definition.
Defense class: Session-bounded inference. Mechanism proprietary — available under NDA.
L3 (Conjunctive leakage): Individual fragments are harmless. When reassembled, they reveal sensitive intent. No single component leaks — the risk emerges from the combination. OIA foundational definition.
Defense class: Multi-boundary governance. Mechanism proprietary — validated across 18,232 adversarial trials. Details under NDA.
L4 (Intent leakage): The complete business intent behind a decision is reconstructable. An attacker or the model can determine why a decision was made. This is the highest-severity leakage class.
Defense class: Procedural closure (Δ1). Settlement records that C2 (Intent Isolated) was satisfied — without exposing how it was satisfied or what the intent was.
L0–L1: Recording and basic governance. Mature market, established solutions. Essential infrastructure.
L2–L4: Advanced governance and settlement. A proprietary multi-component defense stack plus procedural closure. OIA infrastructure.
Complete AI governance requires coverage at all five levels.
OIA starts at Level 2. We don’t replace DLP or guardrails — they handle L0 and L1, and they do it well.
At L2, a proprietary governance layer addresses cognitive leakage. Mechanism details are under NDA.
At L3, a separate governance layer addresses conjunctive leakage. The FLEET benchmark validated the approach across 18,232 adversarial trials — one widely assumed defense class fails completely, the OIA defense class passes. The passing method is proprietary.
At L4, the Delta-1 closure condition records a binary verdict on three procedural conditions — evidence integrity, intent isolation, and cryptographic signing — without exposing how each condition was satisfied or what the underlying intent was.
That verdict is a machine-verifiable settlement receipt. It’s what regulators and courts will ask for. It’s what recording alone cannot provide.
L0 through L1: existing tools. L2 through L4: OIA governance and settlement. Together: complete coverage.
L2–L4: Governance + Settlement
OIA provides advanced governance at L2–L3 and procedural settlement at L4. Together with L0–L1 infrastructure, this completes the governance stack.
A proprietary multi-component defense stack that addresses cognitive and conjunctive leakage. Validated against reconstruction attacks across 6 frontier model families and 18,232 adversarial trials.
Component-level architecture available under NDA for enterprise evaluation.
12 patents pending · 354+ claims · Mechanism details under NDA
A boolean settlement condition. The receipt asserts C2 was satisfied without disclosing the underlying intent or the isolation mechanism. Verifiable; not reconstructable.
Every step sealed into a tamper-evident, hash-chained evidence pack.
Cryptographically sealed with timestamp authority. Binary verdict: SETTLED or UNSETTLED.
Patent Pending · Machine-verifiable receipt · Designed for regulatory proceedings
Governance constrains AI behavior at L2–L3. Settlement proves procedural completion at L4. OIA provides both.
A Regulatory Scenario
Under Colorado SB 24-205, deployers must demonstrate “reasonable care” as an affirmative defense.
An organization deploys recording infrastructure, governance controls, and risk monitoring systems. Opposing counsel asks:
“Can you demonstrate that Decision #37,291 met your procedural governance requirements?”
Recording shows what happened. Events, timestamps, hashes intact.
Governance shows constraints existed. Governance layer attested at decision time.
Settlement determines procedural completion. Binary closure verdict.
A settlement receipt for Decision #37,291:
The receipt is self-contained, machine-verifiable, and cryptographically signed. Dispute scope narrows to the defined closure conditions.
Recording provides the evidence base. Governance provides the behavioral constraints. Settlement provides the procedural conclusion.
Colorado SB 24-205 effective June 30, 2026. EU AI Act Article 9 effective August 2, 2026.
The Closure Condition
Δ1 defines the procedural closure condition for AI decision settlement.
Evidence integrity: Every step recorded in a tamper-evident, hash-chained evidence pack. Built on L0–L1 recording infrastructure.
Intent isolation (C2): Boolean assertion that the L2–L3 governance layer was satisfied. Mechanism is not exposed in the receipt.
Cryptographic signing: Cryptographically sealed with timestamp authority. Independently verifiable. Irreversible.
Published with DOI. Covered by 12 patents pending (354+ claims).
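A sketch of the three closure conditions described above, added here as an illustration and not OIA's implementation, whose mechanism is proprietary. It assumes SHA-256 for the chain and an HMAC with a shared key standing in for the signature and timestamp authority; all function and field names are hypothetical. The verdict combines evidence integrity with the C2 boolean, and checking the seal covers the signing condition.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed chain start value
# Constructed sample events; a real pack would carry recorded decision steps.
SAMPLE_EVENTS = ["input received", "policy checked", "decision issued"]

def _digest(prev, event):
    body = json.dumps({"prev": prev, "event": event}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def seal_chain(events):
    """Link each event to its predecessor's hash (hash-chained evidence pack)."""
    pack, prev = [], GENESIS
    for event in events:
        pack.append({"prev": prev, "event": event, "hash": _digest(prev, event)})
        prev = pack[-1]["hash"]
    return pack

def chain_intact(pack):
    """Evidence integrity: recompute every link from the start value."""
    prev = GENESIS
    for entry in pack:
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["event"]):
            return False
        prev = entry["hash"]
    return True

def _mac(key, fields):
    msg = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def settle(decision_id, pack, c2_satisfied, key):
    """Issue a receipt carrying booleans and the chain head, no event content."""
    fields = {
        "decision": decision_id,
        "head": pack[-1]["hash"] if pack else GENESIS,
        "evidence_intact": chain_intact(pack),
        "c2_intent_isolated": bool(c2_satisfied),
    }
    ok = fields["evidence_intact"] and fields["c2_intent_isolated"]
    fields["verdict"] = "SETTLED" if ok else "UNSETTLED"
    return {**fields, "sig": _mac(key, fields)}

def verify_receipt(receipt, key):
    """Check the seal over every field except the signature itself."""
    fields = {k: v for k, v in receipt.items() if k != "sig"}
    return hmac.compare_digest(receipt.get("sig", ""), _mac(key, fields))
```

A receipt built this way exposes only the chain head and two booleans, so a verifier can confirm the verdict without seeing the events; editing any recorded event or any receipt field makes verification fail.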
L0–L1: Recording & basic governance.
L2–L4: Advanced governance & settlement.
Complete coverage requires both.
See the full stack in action. Review the architecture. Apply when you’re ready.
Currently onboarding select organizations in finance, healthcare, and legal.
Building recording or governance infrastructure?
OIA’s settlement layer interoperates with existing L0–L1 systems.