Supplement · Explored, not pursued

SLF Supplement · A pressure-test on the edge of the protocol

Stress-testing SLF against
concentrated power.

SLF exists to give individuals control over their own data. Alex and I took it somewhere it was not designed to go, reducing the risk that AI lets a small group concentrate power with no one left to object, to see how far the same primitives bend. They bend a long way. The exercise strengthened the core, and it has limits worth stating plainly.

What this is, and what it is not

This is a write-up of a pressure-test, not a change of direction. SLF's home is personal data sovereignty: people owning and controlling their own data when they engage with anything, including AI. We explored whether the same protocol could also help hold automated power to account, decided that lane is not ours to pursue, and are publishing the work anyway. It reinforced the core design, and someone better placed than we are may want to carry it further.

What we tested against

A · The mechanism

Concentrating power has always taken many human hands: clerks, officers, auditors, judges. Each of those hands could refuse, resign, or report what they saw, and that friction quietly spread power out. As AI agents take over those roles, the friction thins. An action can be taken against a person with no human in the loop who could have objected, and no record that anyone was required to create. The field calls this coalition substitution (the mechanism set out in Forethought's 2025 study, AI-Enabled Coups).

The one-paragraph version of where we landed: power is increasingly exercised on people by AI agents that leave no contestable trace. SLF makes the contestability the law already requires actually enforceable, by recording what was done to you, in your hands, somewhere the acting party cannot quietly erase. It does not ask whoever holds your data to give up custody. It makes their automated decisions answerable.

The same primitives point in two very different directions, and the difference is the whole story.

You share your data on your terms

Your medical record, your ticket, your history, disclosed under consent, with provenance, control, and erasure. This is SLF's home, and Lexenne's focus.

An institution's AI acts on you

A benefits denial, a watchlist entry, and SLF forces a contestable record of the action. Accountability for automated power. This is the direction we explored and are not taking forward.

Same gates, scoped grants, payload-free receipts, contestation, and erasure, pointed the opposite way.

It is tempting to think the fix for concentrated power is simply to hand everyone their data back. That version asks incumbents to surrender power they will not give up voluntarily. The workable version never asks them to. It keeps custody where it sits and makes the exercise of power answerable, the way worker safety was never adopted out of goodwill but through inspection, liability, and mandatory incident records. Read SLF here as the incident-record-and-inspection layer for automated decisions.

One idea is worth surfacing on its own: the witness, kept separate from the advocate. For a record to constrain a powerful party, it has to land somewhere that party cannot quietly alter, an impartial witness. A witness only needs to attest that the record exists and was not changed. It does not have to act on your behalf; that is the job of an advocate, and a separate problem. Keeping the two apart lets the witness be a cheap, cryptographic, scalable thing (publish the proofs in the open, keep the contents private and encrypted, the model the web already uses for its certificates under Certificate Transparency), while the harder, human work of advocacy sits elsewhere. A credible witness is cross-jurisdiction and cryptographic, with no single institution able to capture it.

A worked example: Maria

B · The human story

The abstraction is easier to hold onto through one person. Maria receives an unemployment benefit. A government agency runs an AI agent that reviews her records, cross-checks her reported income against an employer data feed, and decides she was overpaid $3,000 and has to repay it. (This is the shape of Australia's Robodebt program, which a Royal Commission later found unlawful.)

With SLF in place, five things change.

The decision must leave a receipt. A signed, payload-free record of which agent acted, under what authority, when, what it decided, which inputs it used (as references, not Maria's raw data), for what purpose, and whether a human reviewed it.
The receipt lands in three places at once. The agency's records, Maria's own copy, and an independent witness the agency does not control, so the embarrassing ones cannot be deleted later.
Maria is notified. An automated decision was made about you, here is your reference, you may ask for human review and appeal. For someone without a smartphone this can be a paper letter with a code. The protection does not depend on an app.
Maria, or an advocate, contests using the receipt. She finds the decision used an old income figure she had already corrected. Because SLF keeps contradictory facts with their history rather than overwriting them, she can point to exactly that.
An oversight body audits the pattern. Show every overpayment decision that used the data match with no human review, and the systemic failure is visible without reading any individual's private income. The witness lets them prove the agency did not quietly scrub the bad cases.

An automated decision that would otherwise be silent and deniable becomes recorded, held by the affected person, and contestable.

There is a hard question worth keeping in view. These receipts do not always favor the individual, and the record that an action was taken on you is not something you can simply delete. Holding the powerful party to account is its whole purpose, the way a court record or a body-cam recording is. What you can erase is your underlying personal data; the accountability record is payload-free precisely so it survives that erasure. Sovereignty here is the right to contest, and to erase the payload, not a right to delete the fact that power was exercised.

The evidence

C · External sources

None of this rests on our say-so. The findings below come from three adversarial research passes; claims that did not survive scrutiny were dropped. They are public, primary sources, and the links go to them directly.

The mechanism is seriously argued

Forethought Institute, AI-Enabled Coups: How a Small Group Could Use AI to Seize Power (Davidson, Finnveden, Hadshar, April 2025). States the coalition-substitution mechanism directly. Read ↗

Government AI is outpacing oversight

US GAO-25-107653 (July 2025): across the agencies reviewed, federal generative-AI use cases rose roughly ninefold in a year, from 32 to 282. Read ↗

Brennan Center for Justice (Patel & Toomey, April 2024): national-security AI is exempted from US AI-oversight guidance, and the relevant oversight board had a single technologist. Read ↗

The law already demands contestability, with no tool to deliver it

US OMB Memorandum M-25-21 (April 2025): even this deregulatory memo keeps a human-review-and-appeal right and a traceability duty for people subject to high-impact civilian AI decisions. Read ↗

CJEU, Dun & Bradstreet (Case C-203/22) (February 2025): a person subject to an automated decision is entitled to an explanation that lets them understand and challenge it; disclosing the algorithm alone is not enough. Read ↗

Italy's Garante fined Foodinho €2.6M (2021) for leaving workers no way to contest algorithmic decisions that shut them out of work. Read ↗

Worked examples of contestability failing

Australia's Robodebt (Royal Commission, 2023): recommendations 17.1 and 17.2 read almost as a specification for a contestation system. Read ↗

The Dutch childcare-benefits scandal, the toeslagenaffaire (peer-reviewed: Fenger & Simonse, 2024): a discriminatory algorithm, more than 30,000 families harmed, a government brought down. Read ↗

SyRI (Hague District Court, 2020): a welfare-fraud detection system struck down as a human-rights violation. Read ↗

A privacy-minimizing approach a regulator already endorses

EDPB Statement 1/2025 on age assurance (February 2025): prove an attribute (over or under a threshold) without storing identity, using user-held data, on-device processing, single-use credentials, zero-knowledge proofs, and no logs. Read ↗

The Discord breach of October 2025 (around 70,000 government-ID photos collected for age checks) is the live cautionary example. Read ↗

The strongest objection, named plainly

AI Now Institute, Algorithmic Accountability: Moving Beyond Audits: audit-centered approaches risk "entrenching power within the tech industry." The SLF response is contestation the affected person holds and oversight can use, rather than an audit a company runs on itself, a distinction AI Now's own work leaves room for. Read ↗

A few adjacent efforts are sometimes mistaken for this one. OpenTelemetry's GenAI traces are operator-facing diagnostics. C2PA certifies the history of a piece of media, not its truth. The UK's Algorithmic Transparency Recording Standard is a registry that omits everyday tools. SLF is the per-action, purpose-limited, payload-free, contestable trace that could feed a register like that, and is none of those things itself.

Where it stops

D · The limits

The candor is the point of publishing this at all, so the limits go here in full.

It defends the slide, not the cliff.

SLF raises the cost and visibility of backsliding inside a working rule-of-law system. It does not defend inside a finished authoritarian state, and no software does. "Irrevocable defense" is the wrong bar to hold it to.

Its dependable value is evidence, not rescue.

What it preserves reliably is evidence, deterrence, and eventual accountability. The real-time rescue of one person in the moment still needs an advocate, which the witness deliberately is not.

The novelty is the layering, not the signature.

The signed-receipt primitive is now commodity. What is new here is the combination: purpose limitation, contradiction preserved rather than overwritten, erasability, and a record that faces the subject of the decision instead of only the operator.

Why publish a tangent

E · Handoff

Two reasons. The exercise made the core stronger: testing the protocol against a difficult, adversarial case sharpened the receipt design, surfaced the witness idea, and clarified the line between what SLF guarantees and what it only makes visible. And the work stands on its own. If you work on AI accountability, digital welfare, or oversight, and the witness layer or the contestation record looks useful, I would rather it move than sit in a drawer.

The personal-sovereignty work is where Lexenne is going. This is the boundary we found while testing how far the same idea reaches, written down so it is not lost. If you want to argue with the framing, or pick the thread up, the contact options are in the header.

← Back to the SLF overview

Stress-testing SLF againstconcentrated power.