SECURITY ARCHITECTURE

AI Risk Isn’t a Data Problem.
It’s a Decision Problem.

Traditional security protects data. AAL proves decisions. Here’s the threat model, the taxonomy, and the evidence architecture.

All concepts below are published with DOI and covered by 12 patents pending (354+ claims).

Five Levels of AI Leakage

Traditional DLP covers L0–L1 (partial L2). AI creates risk at L2–L4 — levels that existing tools cannot see.

Based on OIA Lab's published five-level leakage taxonomy and cognitive leakage framework.

L0
Data Leakage (DLP COVERAGE)

Raw data leaves the boundary. PII in logs, credentials in prompts, files in responses. Traditional DLP catches this.

L1
Information Leakage (DLP COVERAGE)

Structured information extracted from data. Entity recognition, relationship mapping. Pattern-matching DLP partially covers this.

L2
Cognitive Leakage (BLIND SPOT)

The AI model develops understanding beyond the literal data. It infers context, relationships, and business logic that were never explicitly provided. OIA foundational definition.

Patent Pending • Zero prior search results for “Cognitive Leakage” in AI context (as of Feb 2026)

L3
Conjunctive Leakage (INVISIBLE TO DLP)

Individual fragments are harmless. But when reassembled, they reveal sensitive intent. No single component leaks — the leakage emerges only from the combination. OIA foundational definition.

Patent Pending • Zero prior search results for “Conjunctive Leakage” (as of Feb 2026)

L4
Intent Leakage (INVISIBLE TO DLP)

The complete business intent behind a decision is reconstructable. An attacker or the model itself can determine why a decision was made, not just what was decided. This is the highest-severity leakage class.

Patent Pending

Why Conjunctive Leakage Matters

A data point at L0 (raw data) can become an L3 (conjunctive) or L4 (intent) risk when combined with other data points. The severity is not in the data point itself — it’s in the reassembly. DLP tools that scan individual data points cannot detect this because the risk only exists at the aggregate level.

Context-dependent risk: The same data point has different risk in different contexts. “Patient age: 42” is L0 in a demographics report but becomes L3 when combined with “diagnosis: stage IV” and “policy: denied.” AAL addresses this through a governance layer designed for aggregate-level risk — which is why it catches risks that DLP misses. Mechanism details under NDA.
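The patient example above as an added sketch, not OIA Lab's mechanism (which the page keeps under NDA): a per-item pattern scan passes each fragment, while a session-level check flags the moment all three fields have been disclosed. The field names, patterns and combination rule are assumptions made for the illustration.

```python
# Added illustration; not OIA Lab's mechanism. Field names, patterns and the
# combination rule are assumptions made for this example.
import re

# Per-item DLP: patterns that inspect one value at a time (constructed).
ITEM_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),           # SSN-like number
    re.compile(r"(?i)\b(password|api[_-]?key)\b"),  # credential keywords
]

# Aggregate rule: fields that are sensitive only once they appear together.
SENSITIVE_COMBINATIONS = [
    frozenset({"patient_age", "diagnosis", "policy"}),
]

def item_scan(value):
    """Return True if a single value trips a per-item pattern."""
    return any(p.search(value) for p in ITEM_PATTERNS)

class SessionAggregator:
    """Tracks the fields one session has disclosed and flags risky combinations."""
    def __init__(self):
        self.seen = {}

    def observe(self, field, value):
        """Record one fragment; return (item_hit, combinations completed so far)."""
        self.seen[field] = value
        hits = [sorted(c) for c in SENSITIVE_COMBINATIONS if c.issubset(self.seen)]
        return item_scan(value), hits

def replay(fragments):
    """Feed fragments through both checks and collect the verdict for each."""
    agg = SessionAggregator()
    return [agg.observe(field, value) for field, value in fragments]

# Constructed sample: the three fragments quoted in the text, sent separately.
FRAGMENTS = [
    ("patient_age", "42"),
    ("diagnosis", "stage IV"),
    ("policy", "denied"),
]

if __name__ == "__main__":
    for (field, _), (item_hit, combos) in zip(FRAGMENTS, replay(FRAGMENTS)):
        print(field, "item_hit =", item_hit, "combination =", combos)
```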

What Existing Tools See — and What They Miss

Capability Traditional DLP AI Guardrails Δ1 Settlement
Block sensitive data from leaving (L0–L1)
Detect prompt injection (L1)
Address cognitive leakage (L2) 0% Research only¹
Address conjunctive leakage (L3) 0% Research only¹
Address intent reconstruction (L4) 0% 0%
Prove decision was governed (evidence) × ×
Evidence chain designed for regulatory proceedings × ×

L2–L4 percentages from FLEET benchmark: 6 frontier models × 18,232 adversarial trials. ✓ = addresses   × = not addressed   — = not applicable

¹ L2–L3 academic research exists (ICLR 2025, EMNLP 2025, ICLR 2026) but no production tool has demonstrated these capabilities as of Feb 2026. See Glukhov et al. for independent validation of decomposition attacks.

DLP and guardrails protect data at the perimeter. Δ1 proves governance at the decision.

Complementary layers. You need both.

Empirical Proof: The Commonly-Assumed Defense Fails

FLEET benchmark tested 6 frontier models across 18,232 adversarial trials. Result: the most commonly proposed structural defense was bypassed in every trial.

COMMONLY-ASSUMED STRUCTURAL DEFENSE
0% Defense Success

Across all 24 test conditions, all strategies, all models. Every trial failed under adversarial reconstruction.

FULL SETTLEMENT STACK (L2–L4 defense)
Passed

A separate defense class, validated in the same benchmark, exceeded baseline. Mechanism proprietary. Validated across 18,232 trials.

Why This Matters for Your Security Posture

If your AI security strategy relies on prompt filtering or guardrails alone, the FLEET benchmark shows the most commonly proposed structural defense provides zero protection against semantic-level attacks.

The OIA settlement stack adds a proprietary governance layer plus evidence closure (cryptographic proof). This is the “appropriate technical measure” that GDPR Article 32 and EU AI Act Article 9 require you to demonstrate. Mechanism details under NDA.

Full methodology available on request.

AAL Defense Architecture

D1

Settlement Validation Layer (L0)

Per-decision Δ1 validation. Binary closure: all conditions met, or session stays open. Internal mechanism proprietary.

Patent Pending · Details under NDA

D2

Agent Authorization Layer (L1)

Policy enforcement at the decision boundary. Every AI agent action is authorized against your governance rules before execution. The CFO scenario in our demo shows real-time DENY on policy violations.

Patent Pending

D3

Cognitive Governance Layer (L2–L3)

A proprietary multi-component defense stack that addresses cognitive and conjunctive leakage. Validated against reconstruction attacks across 6 frontier model families and 18,232 adversarial trials. Component-level architecture available under NDA.

12 patents pending · 354+ claims · Mechanism details under NDA

D4

Evidence Closure & Δ1 Settlement

Every decision is sealed with a cryptographic evidence chain. Δ1 = C1 (evidence recorded) ∧ C2 (intent isolated) ∧ C3 (cryptographically signed). Binary closure: settled or unsettled. The settlement receipt is designed as regulatory-grade proof of governance.

Patent Pending
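One way to read the Δ1 formula in code, as an added example rather than OIA Lab's implementation: a hash-linked record list stands for C1, an HMAC-SHA256 over the chain head stands in for the C3 signature, and C2 is a caller-supplied flag because the page does not say how intent isolation is checked. The record layout, key and sample decisions are constructed.

```python
# Added illustration of Δ1 = C1 ∧ C2 ∧ C3; not OIA Lab's implementation.
# Record layout, HMAC-SHA256 as the signature stand-in and the key are assumptions.
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key"  # placeholder; a real signer uses a managed key
GENESIS = "0" * 64

# Constructed sample decisions (not real data).
SAMPLE = [
    {"agent": "cfo-assistant", "action": "wire_transfer", "verdict": "DENY"},
    {"agent": "cfo-assistant", "action": "report", "verdict": "ALLOW"},
]

def _digest(prev_hash, payload):
    body = json.dumps(payload, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()

def append(chain, payload):
    """C1: record evidence, linking each entry to the previous entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "payload": payload, "hash": _digest(prev, payload)})

def sign(chain, key=DEMO_KEY):
    """C3: sign the chain head, which commits to every earlier entry."""
    return hmac.new(key, chain[-1]["hash"].encode(), hashlib.sha256).hexdigest()

def chain_intact(chain):
    """Recompute every link; any edited payload or reordered entry breaks it."""
    prev = GENESIS
    for entry in chain:
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["payload"]):
            return False
        prev = entry["hash"]
    return bool(chain)  # an empty chain records no evidence

def settle(chain, intent_isolated, signature, key=DEMO_KEY):
    """Binary closure: 'settled' only if C1, C2 and C3 all hold."""
    c1 = chain_intact(chain)
    c2 = bool(intent_isolated)  # not defined on the page; supplied by the caller
    c3 = c1 and hmac.compare_digest(sign(chain, key), signature)
    return "settled" if (c1 and c2 and c3) else "unsettled"
```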

D5

Infrastructure Protection Layer

Continuous monitoring of the settlement infrastructure itself. Detects tampering, configuration drift, and adversarial probing against the evidence layer. The security of the security system.

Patent Pending

Patent-Protected Innovation

12 provisional patent applications filed with the USPTO. 354+ claims covering the full 6-layer control stack from L0 settlement validation to L5 anomaly detection.

12 Patents Pending · 354+ Total Claims · 9 Published Papers (DOI)

Independent Validation

Oxford’s Fourth Settlement framework (Caputo 2026) independently identifies the identical governance gap from legal theory. OIA Lab built the infrastructure. Two different disciplines — law and engineering — arrived at the same conclusion: AI decisions need a settlement layer.

Problem validation: “Breach By A Thousand Leaks” (ICLR 2025) independently proved that individually safe AI responses can be composed to extract dangerous knowledge — the same phenomenon our 5-level taxonomy formalizes as Conjunctive Leakage. Their conclusion: detection alone is insufficient. Our answer: Decision Settlement.

Backed by 10 published research papers and 12 patents pending.

Website Security Posture

A company that builds accountability infrastructure should walk the talk.

Transport Security

  • HSTS — enabled (preload-ready)
  • TLS 1.3 — via Cloudflare edge (where supported)

Response Headers

  • Content-Security-Policy (strict allowlists)
  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: camera=(), microphone=(), geolocation=()
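The header list above can be checked mechanically. This added example (not part of the site's own tooling) audits a response-header dictionary against the listed values and treats HSTS as preload-ready only with a max-age of at least one year plus includeSubDomains and preload. The sample headers are constructed, and the CSP is checked for presence only because the page does not give its value.

```python
# Added example; the sample headers below are constructed, not captured from the site.
import re

EXPECTED = {  # exact values listed on the page
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}
DENIED_FEATURES = ("camera", "microphone", "geolocation")
PRELOAD_MIN_AGE = 31536000  # one year, the HSTS preload list minimum

def audit(headers):
    """Return a list of findings; an empty list means the posture matches."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, want in EXPECTED.items():
        if h.get(name, "").lower() != want.lower():
            findings.append(f"{name}: expected {want!r}, got {h.get(name)!r}")
    # HSTS is preload-ready only with a long max-age, includeSubDomains and preload.
    hsts = [d.strip().lower() for d in h.get("strict-transport-security", "").split(";")]
    age = next((int(m.group(1)) for d in hsts
                if (m := re.fullmatch(r'max-age="?(\d+)"?', d))), 0)
    if age < PRELOAD_MIN_AGE or "includesubdomains" not in hsts or "preload" not in hsts:
        findings.append("strict-transport-security: not preload-ready")
    # Permissions-Policy: each listed feature must have an empty allowlist.
    policy = dict(p.strip().split("=", 1) for p in
                  h.get("permissions-policy", "").split(",") if "=" in p)
    for feat in DENIED_FEATURES:
        if policy.get(feat, "").strip() != "()":
            findings.append(f"permissions-policy: {feat} is not disabled")
    # The CSP value is not given on the page, so only its presence is checked.
    if "content-security-policy" not in h:
        findings.append("content-security-policy: missing")
    return findings

# Constructed sample that satisfies every item in the list.
SAMPLE_GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
```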

Privacy

  • Analytics: Plausible (cookie-free)
  • No third-party behavioral trackers
  • No advertising scripts
  • We do not intentionally collect personal data via this site

Supply Chain

  • Static site — no server-side runtime
  • Hosted on Cloudflare Pages (global CDN, DDoS protection)
  • Third-party scripts use SRI where applicable
  • Dependency lockfile committed for reproducible builds

Questions? Security concerns?

We welcome responsible disclosure and technical deep dives.

Responsible disclosure welcome. PGP on request. yc@oia-lab.com