ICVS: Forensic AI Auditing. Training Data to Deployed Output

ICVS protects AI systems at every stage, from the data they learn from, to the inputs they receive, to the outputs they produce. Each pillar operates independently. Together, they eliminate the blind spots that no single-layer solution can reach.

DCAP

Data Consistency Assessment Protocol

The foundation. DCAP performs forensic analysis of AI training data at 100% coverage. Every token, every pixel, every metadata field. It detects biases, steganographic poisoning, adversarial contamination, demographic proxy encoding, and narrative manipulation that sampling-based tools are mathematically guaranteed to miss. If the data is compromised, everything built on it is compromised. DCAP finds the disease before the model is trained.

AIDE

Adaptive Intelligence Defense Engine

The front door. AIDE monitors live AI systems in real time, intercepting adversarial prompt injections, jailbreak escalation campaigns, and coordinated attacks before they reach the model. It profiles threat actor methodologies, detects invisible coordination between attackers using behavioral analysis, and evolves its defenses automatically through a continuous feedback loop. Every attack it catches makes every system it protects stronger.

The output gate. VERA verifies that what the AI tells people is accurate, logically consistent, and epistemically sound. It anchors conclusions to primary source evidence before any consensus or narrative can influence the analysis, monitors for retracted sources still circulating as fact, and formally verifies claim-evidence relationships. If the AI's output can't survive scrutiny, VERA catches it before it reaches the user.

VERA

Verification and Epistemic Reasoning Architecture

Why ICVS

• The Consensus Problem: AI systems don't think. They calculate consensus. When an AI answers a question, it isn't reasoning from evidence. It's reproducing the statistically dominant pattern from its training data. If 10,000 sources say something and 3 sources say the opposite, the AI treats the 10,000 as truth regardless of which side has the actual evidence. This is consensus weighting, and it is the foundation every major AI system is built on. It means whoever controls the weight of the data controls what the AI believes. A retracted medical study cited by 500 articles overwhelms the 3 articles reporting the retraction. A coordinated influence campaign flooding training data with favorable framing shifts the AI's worldview without a single false statement. The AI doesn't know it's been compromised because it was never designed to question the consensus, only to reproduce it.

• The Training Data Problem: Every major AI system is built on training data that has never been fully audited. The industry standard is sampling, examining 1-5% and assuming the rest is clean. But adversarial contamination, embedded biases, steganographic encoding, and narrative manipulation are specifically designed to survive in the 95% that nobody checks. Invisible Unicode characters encode binary payloads that no human eye can see. Pixel-level modifications in image datasets install backdoors that activate on command. Demographic proxy correlations teach the AI to discriminate without ever using an explicit demographic variable. These aren't theoretical attacks. They are technically feasible today, and no deployed AI system has been audited at the depth required to detect them.

• The Runtime Problem: Once a model deploys, it faces a second wave of threats. Adversarial prompt injections bypass safety guardrails through escalation campaigns that erode boundaries over multiple sessions. Persona injection attacks convince the AI it has a different identity with different rules. Intent fragmentation splits a prohibited request across dozens of innocent-looking prompts that only become dangerous when assembled. Sophisticated actors probe safety boundaries systematically to map exactly where the AI will refuse, then exploit the gaps. Coordinated campaigns use multiple accounts to attack from angles that appear independent but are invisibly synchronized. Current defenses rely on pattern matching against known attacks. They cannot detect novel techniques, coordinated campaigns, or attacks that evolve across sessions.

• The Output Problem: Even when training data is clean and inputs are legitimate, AI outputs can still fail. Models hallucinate citations that don't exist. They present retracted research as current fact. They treat the absence of evidence as evidence of absence. They reproduce consensus without verifying whether the consensus was manufactured. They apply formality bias, treating elevated vocabulary as more credible than plain language regardless of actual substance. They carry institutional sentiment contamination that frames government, military, and authority figures with default negativity absorbed from entertainment media in their training data. No widely deployed verification system anchors AI conclusions to primary source evidence before consensus can influence the analysis.

• The Mandate: The FY2026 National Defense Authorization Act recognizes these threats. Sections 1512 and 1513 require the Department of Defense to secure AI systems against adversarial tampering, certify AI training data supply chains, and establish governance frameworks for AI deployment, with compliance deadlines beginning June 2026. The EU AI Act, Colorado's AI Act, and Texas TRAIGA impose parallel requirements on commercial AI systems making consequential decisions. The regulatory landscape has shifted from voluntary best practices to legal mandates with enforcement teeth.

• The Solution: ICVS is the only framework that addresses the entire AI lifecycle, not just one layer. DCAP audits training data at 100% forensic coverage before the model is trained. AIDE defends live systems against adversarial inputs, jailbreak campaigns, and coordinated attacks in real time. VERA verifies output accuracy, epistemic integrity, and source reliability before results reach the user. Three pillars, operating independently, eliminating the blind spots that no single-layer solution can reach. Two US provisional patent applications filed. Built by a 10-year US Army Military Intelligence veteran who identified the consensus weighting vulnerability firsthand.

  Every token. Every pixel. Every byte. No sampling. No exceptions.

Stay Informed

Get updates on audits and findings