The receipt problem with AI


When you tap your card at a coffee shop, you get a receipt. When you buy a plane ticket, you get a receipt. When you transfer money to a friend, the app shows you a confirmation you can screenshot, forward, or pull up in six months.

When an AI flags your transaction as fraud, rejects your insurance claim, or recommends a treatment plan to your doctor, what do you get?

Usually, the answer. Sometimes a short explanation. Almost never anything you could hand to a regulator, a lawyer, or your bank manager and say: this is exactly what the system decided, this is exactly when, this is exactly which rules it ran, and here is how you can check that nothing has been edited since.

That is the receipt problem with AI. This post is about why it exists, why it is about to matter to people who do not read technical blogs, and what a good fix looks like in plain language.

TL;DR: Most AI systems today produce a decision and an internal log. The log lives in the vendor's database and can be edited. As AI starts making decisions that get challenged in court and by regulators, that gap is becoming a real liability. A receipt for AI is a small file, signed at the moment of the decision, that anyone can check later without phoning the company that issued it.

The AI decisions you don't see

Try to count. A typical day for someone in a city like Dublin, London, or Amsterdam now includes dozens of AI-mediated decisions: which posts you see, which loan applications get fast-tracked, which transactions get held for review, which CVs reach a human recruiter, which radiology scans go to the top of the queue, which government letters get drafted automatically.

Each of those is a decision. None of them comes with a receipt. You usually get the outcome. Sometimes an appeals link. Almost never a verifiable record of what the system saw, what rule it applied, and what it returned.

That has been fine so far because most of the decisions have been low-stakes or quickly reversible. The pattern only becomes a problem when something happens that cannot be quietly reversed, and someone needs to ask: what exactly did the AI do here, and how do we know?

A closing-session slide observed at IAPP AI Governance Global Europe 2026 (Dublin, 4 June 2026) framed the test directly: governance is measured by intervention effectiveness, not algorithmic performance.

The cases where someone already had to ask

In February 2024, the British Columbia Civil Resolution Tribunal ruled that Air Canada was legally responsible for misinformation given by a chatbot on its own website. The airline had argued that the chatbot was a separate entity. The tribunal disagreed and ordered Air Canada to honour the bereavement-fare discount the chatbot had described, even though the chatbot was wrong about the airline's actual policy.[1] The decision is short and worth reading. It is one of the first published rulings that treats an AI-generated answer as a binding statement by the company that deployed it.

In November 2023, a class action was filed in the United States against UnitedHealth Group and its subsidiary naviHealth. The complaint alleges that an algorithm called nH Predict was used to systematically deny extended care to elderly Medicare Advantage patients, and that human reviewers were directed not to deviate from the algorithm's recommendation by more than a small margin.[2] The case is still in court; what it makes concrete is that “the algorithm decided” is no longer accepted as the end of a conversation. Plaintiffs are now asking for the algorithm itself, its training data, its update history, and the audit trail of every decision that affected a named individual.

In March 2023 the Italian data protection authority temporarily banned ChatGPT in Italy. The order was lifted within a month, but the underlying questions about how AI systems handle personal data have not gone away.[3] Several European DPAs have run parallel investigations since.

None of these are extreme cases. They are routine outcomes of deploying AI at scale in places where decisions affect people's rights, money, or health. They are also exactly the cases where the company that deployed the AI is now expected to show its work.

What “showing your work” means in every major jurisdiction

Three years that changed the conversation

  1. Mar 2023: Italian DPA pauses ChatGPT (Privacy)
  2. Nov 2023: Lokken v. UnitedHealth filed (Healthcare)
  3. Feb 2024: Moffatt v. Air Canada ruling (Consumer)
  4. Aug 2024: EU AI Act enters force (Regulation)
  5. Jan 2025: DORA applies (Finserv)
  6. Aug 2026: AI Act Art. 50 transparency applies (Regulation)
  7. 2027: Annex III high-risk, pending Omnibus adoption (Regulation)

The European Union's Artificial Intelligence Act, Regulation 2024/1689, entered into force on 1 August 2024. Its obligations come into effect in stages.[4] Article 50 transparency obligations (deepfake labelling, AI interaction disclosure, emotion / biometric notices) apply from 2 August 2026.

The provisions that bite hardest for high-risk systems, which is to say most AI used in banking, healthcare, employment, insurance, education and public services, originally landed on the same 2 August 2026 date. Under the Digital Omnibus political agreement of 7 May 2026 (Coreper compromise text 13 May 2026, pending formal Council and Parliament adoption and OJ publication), Annex III stand-alone high-risk obligations including credit scoring move to 2 December 2027 and Annex I product-embedded high-risk obligations move to 2 August 2028. Article 4 AI literacy, Article 5 prohibited practices, Articles 53-55 GPAI obligations and the Article 99 penalty regime are already live.

Article 12 of the Act requires that high-risk AI systems automatically record events during their operation. Article 14 places further duties on the deployer, the organisation that puts the system to use. Together they mean that a Eurozone tier-2 bank running a fraud system, or an Irish public-healthcare provider running a triage model, must be able to show a regulator what the system did and when. The Act does not prescribe the technology. It prescribes the outcome: an intelligible record that can be inspected.[4]

For financial services in the EU, the Digital Operational Resilience Act, Regulation (EU) 2022/2554 (DORA) Art. 6, has been in force since 17 January 2025. It requires firms to maintain reconstructable records of ICT-related events, including those produced by automated systems they operate or procure.[5]

The pattern is the same on both sides. A regulator, an auditor, or a court wants to be able to reconstruct, after the fact, what a system did. The technology has caught up to the regulatory ambition only in part.

The same pattern is now visible outside the EU. In the United States, the National Institute of Standards and Technology published the AI Risk Management Framework (AI RMF 1.0) in January 2023.[7] It is the de facto reference model for federal AI procurement and an emerging baseline for state-level rules: the Colorado Consumer Protections for AI Act (effective 30 June 2026; originally 1 February 2026, delayed by SB 25B-004, signed 28 August 2025),[9] New York City's Local Law 144 (automated hiring decisions, in force), and California's AB-2013 transparency requirements. For financial services in the US, Federal Reserve SR 11-7 (Supervisory Letter on Model Risk Management) has required documentary evidence of every significant model decision since 2011, and applies to AI models the same way it applies to credit-scoring models.

In the United Kingdom, the Financial Conduct Authority's Consumer Duty (PS22/9) demands that firms demonstrate good consumer outcomes from AI-influenced decisions,[10] and the Information Commissioner's Office has issued specific auditing guidance for AI systems handling personal data.[11] In Singapore, the Personal Data Protection Commission's Model AI Governance Framework v2 paired with the AI Verify toolkit reaches the same conclusion via a different path: AI decisions must produce technical-test evidence that can be inspected by third parties.[12]

The technologies differ, the article numbers differ, the enforcement timetables differ. The underlying requirement is the same in every jurisdiction: when an AI system makes a decision that affects a person's rights, money, or health, somebody must be able to look at that specific decision later and say what was done. Receipts are the primitive that satisfies that requirement against any of these frameworks.

The gap, in one paragraph

Most AI products today produce an answer and an internal log. The log lives in a database the vendor controls. The vendor can edit rows. Rows can be lost. Backups can disagree. Even with the best intentions, when a subpoena or an investigation arrives, the honest question is: how do you prove this log has not been touched since the decision was made?

For most software, that question has not mattered much. For AI decisions that affect rights, money, and health, it has started to matter, and it is going to matter more.

What a receipt for AI actually is

The coffee receipt in your pocket already has most of the properties. The shop's copy and yours both exist. You can hand your copy to your accountant six months later and they can verify the date and the total without phoning the shop.

An AI decision receipt extends that idea with one additional property. It is signed at the moment of the decision in a way that anyone, anywhere, can check independently. If a single character of the receipt is altered, the signature breaks. There is no in-between. Either the receipt is exactly what the system saw at the moment of the decision, or it is not.

The reader does not need to understand the mathematics behind that property to use it. They need to know two things. First, that the signature is checked by a small piece of software anyone can install and run. Second, that the receipt does not depend on the company that issued it still being around in five years. If Aqta closes its doors tomorrow, every receipt we have ever produced will still verify, against a public key that has been published in plain text. (A public key is a short string anyone can use to check a signature without contacting us.)

Receipts and logs do different jobs

A common reaction to the receipt idea is: we already have logs, isn't this the same? It is worth saying clearly that logs and receipts solve different problems, and a serious AI deployment will probably have both.

A log answers the question: what has my system been doing over time? It is internal, broad, and useful for engineers debugging behaviour or for security teams hunting for anomalies. A receipt answers a narrower question: did this specific decision happen exactly as recorded, and can a third party verify that without trusting me? The first question is about the system. The second is about an individual decision.

Standards bodies have started to recognise the distinction. The ISO/IEC 42001:2023 standard for AI management systems, published in December 2023, treats traceability of decisions as a separate control objective from operational logging.[6] The NIST AI Risk Management Framework identifies measurability and accountability as first-class properties that a deployment must build for, not inherit by accident.[7]

Why this is suddenly tractable

The cryptography that makes a verifiable receipt practical is not new. The standards for it have been in production use for over a decade in domains like online banking and software updates. What is new is that AI deployments have reached the scale where the old internal-log approach starts to fail, and where regulators have begun to specify the outcome they want.

The technical work to attach a signed receipt to every AI decision is now a routine engineering problem. The harder work is making the receipt format open, the verifiers freely available, and the public key reachable from anywhere, so the receipt is useful to people who have no commercial relationship with the company that issued it. That is the deliberate design choice.

Three honest limits

This is not magic. Three honest limits.

1. Key rotation. The signing key has been continuous since 21 April 2026. If we ever rotate it, the new key publishes alongside the old, and historical receipts continue to verify against their issuing key. Forensics do not break.

2. Verifier libraries are reference implementations. They are open-source, dual-licensed (code Apache 2.0, spec text CC BY 4.0), and we welcome independent audits. Any third party can ship a conformant verifier that we have nothing to do with.

3. Zero-knowledge selective disclosure (Schnorr, Groth16) is research. It is not on v1. Today's receipts disclose the full enforcement decision and a cryptographic hash of the inputs; the inputs themselves are not in the receipt. That is enough for Article 12 record-keeping; it is not yet enough for buyer-side selective disclosure to regulators. We are working on it.
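The properties described above (a signature that breaks on any edit, verification against a published key, old keys staying valid after rotation, inputs present only as a hash) can be shown in a few lines. This is an added example, not Aqta's code and not the ATTESTATION-v1 format: Ed25519, the field names, the key ids and the sample values are assumptions made for illustration.

```javascript
// Added example: issue and offline-verify a signed AI decision receipt.
// Assumptions: Ed25519, the field names and the key ids are illustrative,
// not the ATTESTATION-v1 format.
const crypto = require("node:crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");
// Sorted-key serialisation so issuer and verifier hash the same bytes (flat objects only).
const canonical = (obj) => JSON.stringify(obj, Object.keys(obj).sort());

// Issuer side: the receipt carries the decision and a hash of the inputs, never the inputs.
function issueReceipt(keyId, privateKey, decision, rawInputs, issuedAt) {
  const body = { key_id: keyId, issued_at: issuedAt, decision, input_sha256: sha256(rawInputs) };
  const sig = crypto.sign(null, Buffer.from(canonical(body)), privateKey);
  return { ...body, signature: sig.toString("base64") };
}

// Verifier side: needs only the receipt and the published public keys (Map: key id -> key).
function verifyReceipt(receipt, publishedKeys) {
  const { signature, ...body } = receipt;
  const publicKey = publishedKeys.get(body.key_id);
  if (!publicKey || typeof signature !== "string") return false;
  const sig = Buffer.from(signature, "base64");
  return crypto.verify(null, Buffer.from(canonical(body)), publicKey, sig);
}

// Whoever holds the original inputs can show they are the ones the receipt commits to.
const matchesInputs = (receipt, rawInputs) => receipt.input_sha256 === sha256(rawInputs);

function demo() {
  const oldKey = crypto.generateKeyPairSync("ed25519");
  const newKey = crypto.generateKeyPairSync("ed25519"); // after a rotation
  // Both public keys stay published, so historical receipts keep verifying.
  const published = new Map([["key-a", oldKey.publicKey], ["key-b", newKey.publicKey]]);
  const inputs = '{"amount_eur":420,"merchant":"constructed-sample"}'; // constructed input
  const before = issueReceipt("key-a", oldKey.privateKey, "hold_for_review", inputs, "2026-05-01T09:30:00Z");
  const after = issueReceipt("key-b", newKey.privateKey, "allow", inputs, "2026-09-01T09:30:00Z");
  const edited = { ...before, decision: "allow" }; // one field changed after signing
  return {
    historical: verifyReceipt(before, published),
    rotated: verifyReceipt(after, published),
    edited: verifyReceipt(edited, published),
    unknownKey: verifyReceipt({ ...before, key_id: "key-z" }, published),
    inputsMatch: matchesInputs(before, inputs),
    inputsSwapped: matchesInputs(before, inputs.replace("420", "42")),
  };
}

console.log(demo());
```

The verifier never contacts the issuer: a receipt whose key id is not in the published set is rejected rather than trusted.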

What we are building at Aqta

Aqta makes receipts for AI. Our gateway sits in front of the model your team already uses, and returns a signed receipt for every decision. The receipt format is published as an open specification under permissive licences, and the reference verifiers run offline against a public key.[8]

Nothing in the trust chain depends on Aqta surviving as a company.

If you are an engineer and want the cryptography, our companion post walks through how the signatures are produced and verified.

If you are a buyer in a regulated industry and want to pilot this, the pilots page describes how that works.

If you are none of the above, the only thing we ask you to take from this post is the new question: when an AI makes a decision about you or your customers, what do you get to show for it?

The age of taking “the AI did it” as a final answer is ending. Receipts are how the next decade will tell the difference.

References

  1. Moffatt v. Air Canada. British Columbia Civil Resolution Tribunal, decision dated 14 February 2024.
  2. Estate of Gene B. Lokken et al. v. UnitedHealth Group Inc. and naviHealth Inc. Class action complaint filed in the United States District Court for the District of Minnesota, November 2023.
  3. Garante per la protezione dei dati personali. "Provvedimento del 30 marzo 2023, n. 112" on ChatGPT. Italian Data Protection Authority, 2023.
  4. European Parliament and Council. Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act). Official Journal of the European Union, 12 July 2024.
  5. European Parliament and Council. Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA). Official Journal of the European Union, 14 December 2022. Application from 17 January 2025.
  6. ISO/IEC 42001:2023. Information technology, Artificial intelligence, Management system. International Organization for Standardization, December 2023.
  7. National Institute of Standards and Technology. "Artificial Intelligence Risk Management Framework (AI RMF 1.0)". NIST AI 100-1, January 2023.
  8. Board of Governors of the Federal Reserve System and Office of the Comptroller of the Currency. "Supervisory Guidance on Model Risk Management" (SR 11-7 / OCC 2011-12). April 2011.
  9. Colorado General Assembly. Senate Bill 24-205, "Consumer Protections for Artificial Intelligence". Effective 30 June 2026 (SB 25B-004 delay).
  10. Financial Conduct Authority. "PS22/9: A new Consumer Duty". United Kingdom, July 2022.
  11. Information Commissioner’s Office. "Guidance on AI and data protection". United Kingdom, updated 2023.
  12. Personal Data Protection Commission of Singapore. "Model Artificial Intelligence Governance Framework (Second Edition)" and AI Verify Foundation toolkit.
  13. Aqta Technologies. "ATTESTATION-v1" open specification for AI decision receipts. Apache 2.0 and CC BY 4.0, 2026.

About Aqta

We build the cross-provider audit trail for AI agents. Every model decision logged with traceability and explanation, independently verifiable for audit and regulatory review. Based in Dublin and Paris.

© 2026 Aqta. All rights reserved.