AI Strategy · Trust Architecture
Trust Is a Link You Can Click (And Behind It, Another One)
Confidence scores are the system grading itself. The trust mechanism that actually works is a receipt you can click — and it’s trustworthy for the same reason the law of evidence has trusted business records for over a century: not because they read well, but because of when and why they were made.
📚 Read the full field guide
Every agent framework ships the wrong memory. Here’s the organ your stack is missing — and how to make it trustworthy. Institutional Memory: The Organ Your AI Stack Is Missing →
The argument
A confidence score asks you to trust the grader — and the grader is the thing on trial. The alternative is a two-click receipt: answer→page audits the retrieval, page→artifact audits the ingestion. It’s trustworthy because the pointer was born with the claim at compilation time, not hunted down to justify an answer already given. That’s precisely the standard evidence law applies to business records: made at the time, by someone who perceived the event, as a matter of routine.
Somewhere in your organisation right now, an executive is asking a vendor a very reasonable question: “Can we get confidence scores on the AI’s answers?”
It sounds like rigour. It is the wrong ask, and it’s worth being precise about why: a confidence score is the system grading itself. The same model that produced the answer produces the number that tells you how much to believe the answer. No court accepts a witness’s self-assessment as evidence. No auditor signs off on a ledger because the bookkeeper feels 94% good about it. Yet this is the trust mechanism most AI deployments reach for — a self-issued mark, attached to an answer you cannot check.
And people don’t check. In KPMG and the University of Melbourne’s 2025 global study of over 48,000 people, 66% reported using AI regularly while only 46% were willing to trust it1 — and 62% of employees admitted they rely on AI output at work without evaluating its accuracy, while 54% said AI had caused mistakes in their work.2 That combination — low trust, no verification, real errors — is not a paradox. It’s what happens when verifying an answer costs as much as re-deriving it. When checking is expensive, nobody checks; when nobody checks, errors compound quietly; when the first error surfaces publicly, trust in the whole programme dies at once.
There is a different mechanism, and it isn’t a score. It’s a receipt: a link under the answer that you can click — and behind it, another one.
An answer with a receipt
Start with a real, boring transaction — the kind internal AI actually spends its day on. An employee asks the assistant: “What’s the procedure for making an internal expense claim?” The assistant sits behind the organisation’s knowledge map — a compiled wiki of the company’s procedures and policies, built by an ingestion pipeline that reads the organisation’s actual documents. The answer comes back in a few seconds: the steps, the threshold that needs a manager’s approval, the form, a note that the policy was updated three weeks ago. And at the bottom: a link.
The two-click walk, on one real answer
The answer: “Claims under $500 go through the expense form with a receipt attached; over $500 needs pre-approval from your manager. This policy was updated three weeks ago.” Read it, use it, done — this is where almost every interaction ends.
Click one → the page: the wiki page on expense claims. The claim in context. The supersedes chain showing the old $300 threshold and when it changed. The caveats the summary didn’t carry.
Click two → the artifact: the finance policy PDF itself — the canonical source the page was compiled from, with the compilation date and the pass that read it.
It understands the provenance of the data because it originally saw it when it was being ingested. The receipt is easily human-auditable: click the wiki link, and the wiki page has a link to the original artifact. That’s the whole interface. No dashboard, no score, no explanation panel. Two links.
Two clicks, two trust boundaries
The design looks trivial. It isn’t — the reason it works is that the two clicks cross two different trust boundaries, and separating them is what makes verification cheap.
Click one — answer to page — audits the retrieval. The question it answers: does the map actually say this, in context, with its edges and caveats? Nearly all doubt dies here, because most wrongness in AI answers is not bad knowledge — it’s bad retrieval or bad synthesis at answer time. The assistant read the wrong page, or read the right page and compressed it carelessly, or blended two claims that shouldn’t blend. One click exposes all of those instantly: the page either says what the answer claims, or it doesn’t. You don’t need to be technical. You need to be able to read.
Click two — page to artifact — audits the ingestion. The question it answers: did the map compile this correctly from the source? This is the rare, deep dispute — the page says the threshold is $500, but does the actual policy document? Click two exists for the sceptic who wants ground truth, and for the auditor, who is really the answer’s third audience.
The employee reads the answer. The sceptic clicks once. The regulator clicks twice. One artifact serves all three.
Decomposing the audit path at that seam is the load-bearing design move. A monolithic “audit trail” — a hundred-line trace of everything the system did — is verifiable in principle and unverifiable in practice, because nobody has the hour it takes to read it. The two-click receipt is trust engineering as latency engineering: the first check costs four seconds and resolves almost everything; the second check costs a minute and resolves the rest. Verification finally costs less than re-derivation, which is the threshold at which people actually verify.
Key Insight
Trust isn’t a number the machine reports — it’s a link the human can click, and behind that link, another one. Confidence is the system grading itself; the receipt hands the grading to the reader.
Born with the claim, or bolted onto the answer
Here’s the objection every RAG vendor will raise: “Our system already shows citations.” Most of those citations are decoration, and there’s now a research literature that says so precisely.
Systems that generate an answer first and then hunt for supporting links produce what the attribution researchers call post-rationalization — citations that reflect “superficial alignment with prior beliefs” rather than “actual reference use.” A 2024 study of RAG attribution found that even when citations were correct — the cited document genuinely supports the statement — the citations were frequently unfaithful: up to 57% of citations did not reflect what the model actually relied on.3 The model answered from its weights, then dressed the answer in citation-shaped decoration. In the wild it’s worse: when the Tow Center tested eight AI search engines on identifying the sources of verbatim excerpts, they collectively answered more than 60% of queries incorrectly — confidently citing the wrong article, the wrong publisher, or a link that didn’t exist.4
A citation that was found after the answer tells you one thing: a document exists that plausibly matches what the model already said. That is not provenance. That is a lawyer hired after the fact to argue whatever the client already did.
The receipt in our expense-claim answer is a different species, and the difference is when it was born. The pointer from page to artifact was not generated in response to the question. It was created at compilation time — it is the residue of the ingestion event itself. The claim on that wiki page exists because the ingestion pass read that finance policy, on that date; the pointer records the reading. The ingest agent’s transcript — which file it opened, what it extracted, what it linked — is sitting in the archive like a witness statement, written at the moment of perception, available if anyone ever asks.
This is what “born with the claim” means. Provenance is a property of the compilation process, not a garnish on the output. The W3C’s provenance standard defines provenance as exactly this — “a record that describes the people, institutions, entities, and activities involved in producing” a piece of data, and notes it is “crucial in deciding whether information is to be trusted”5 — a record of production, not a justification of conclusions. You cannot retrofit it, because its entire value is that it predates the question.
I’ve written elsewhere about the governance-grade version of this idea — cognitive provenance, in The Model Is Not the Memory: reconstructing exactly which pages, claims and edges an AI observed at decision time. And the decision-side twin is the attestation package that is born at decision time rather than assembled for the enquiry. This article is the user-facing version of the same doctrine. The reader doesn’t need the cryptography or the audit tooling. The reader needs two links that load.
The law already trusts this shape
If “trust the record because of when and why it was made” sounds like an engineering novelty, it isn’t. It is one of the oldest and most heavily litigated ideas in the law of evidence: the business records exception.
Courts are professionally suspicious of second-hand assertions — that’s the hearsay rule. But for over a century they have carved out an exception for business records, and the elements of that exception are startlingly specific. Under the US Federal Rules of Evidence, Rule 803(6), a record earns admission if it “was made at or near the time by — or from information transmitted by — someone with knowledge”; it “was kept in the course of a regularly conducted activity”; and “making the record was a regular practice of that activity.”6 Australia’s Evidence Act 1995 runs the same logic: the hearsay rule does not apply to a business record where the representation was made “in the course of, or for the purposes of, the business” by a person who “had or might reasonably be supposed to have had personal knowledge of the asserted fact” — knowledge “based on what the person saw, heard or otherwise perceived.”7
Why do courts trust these records when they distrust nearly everything else said outside a courtroom? The Advisory Committee’s answer has been quoted for fifty years: their “unusual reliability” is supplied by “systematic checking, by regularity and continuity which produce habits of precision, by actual experience of business in relying upon them, or by a duty to make an accurate record as part of a continuing job.”8
Read that list slowly. Not one element is about the record being well-written, or the clerk being confident. The trust comes entirely from the circumstances of creation: made at the time, by someone who perceived the event, as routine practice, in a system that relies on its own records. Contemporaneity, perception, regularity, reliance. Now lay the ingestion pipeline against those elements.
| What the rule requires | What the pipeline does |
|---|---|
| Made at or near the time of the event | The pointer is written at compilation time — the moment the source was read, timestamped |
| By someone with knowledge — who “saw, heard or otherwise perceived” | The ingest pass literally read the artifact; its transcript is the witness statement |
| Kept in the course of a regularly conducted activity | The nightly pipeline — ingestion and consolidation as ordinary course, not special occasion |
| Making the record was a regular practice | Every claim carries provenance because every ingestion writes it — no exceptions, no retrofits |
| Trusted because the business relies on its own records | The same map answers thousands of staff queries a day — the system runs on what it recorded |
The mapping isn’t a metaphor stretched to fit. It’s the same trust logic, arrived at independently, because it solves the same problem: how do you trust an assertion you didn’t witness? Answer: you don’t trust the assertion — you trust the process that recorded it, and you verify the process is the kind that produces accurate records as a side effect of doing its job. A citation hunted down after the answer fails every element of the rule. A pointer written at ingestion passes all of them.
Your ingestion pipeline, run properly, is generating business records about knowledge.
What the receipt does to the room
There’s a predictable objection to all of this: “Nobody will ever click the links.”
Mostly true — and it doesn’t matter, because the receipt does most of its work unclicked. The reader who could check behaves differently from the reader who can’t, and so does the system that knows it will be checked. A claim that ships with its own verification path gets challenged at the claim, not at the category — “this page is out of date” instead of “the AI is wrong.” Wikipedia has run the largest knowledge base in human history on precisely this norm: any challenged material “must include an inline citation to a reliable source that directly supports the material,” or it can be removed.9 The receipt culture, not the accuracy rate, is what lets strangers trust the artifact.
And when people do click, something compounds. Every answer that survives its first click deposits trust — not in that answer, in the system. The employee learns that the receipts are always there and always load. Twenty clicks in, the wiki has stopped being “the AI’s opinion” and has become the reference — the thing you check against. That status was never available to a confidence score, no matter how well calibrated, because a score asks you to trust the grader, and the grader is the thing on trial.
When an answer doesn’t survive its click — the page doesn’t say what the answer said, or the page itself is stale — the receipt converts frustration into something with an address: this page, this claim, this owner. Every wrong answer becomes a repair ticket instead of a reputation event. That repair loop is its own story, told in the ebook this article belongs to.
What to demand from your architecture
If you’re deploying an internal assistant — or buying one — this is the checklist the two-click receipt implies. None of it is exotic. All of it is structural, which means you can’t bolt it on later.
Every answer carries a link to the page it drew from. Not “sources consulted” — the page the claim lives on, with its context, edges and version history. Every page carries a link to the artifact it was compiled from. The original document, untouched, in place. The pointer is written at ingestion, never at answer time. Ask your vendor this question directly: is the citation created when the knowledge is compiled, or when the answer is generated? If it’s generated with the answer, you have citation-shaped decoration — post-rationalization with a nicer UI. The ingestion transcript is kept. The witness statement behind every claim, for the one dispute a year that goes deep. And version changes are visible at click one. “Updated three weeks ago” in the answer is the difference between a knowledge base and a rumour mill.
The pattern generalises well beyond expense claims. Any organisation that compiles its documents, decisions and procedures into a governed knowledge layer — with provenance written at compile time — gets the same three-audience artifact: fast answers for staff, one-click checks for sceptics, two-click depth for auditors. The trust arrives with the architecture. It cannot be added afterwards, for the same reason a business record reconstructed the week before trial is worth nothing: the value was never in the words. It was in when they were written.
The oracle asks for faith. The receipt offers a link — and behind it, another one.
Go deeper: Institutional Memory — the full field guide
This article is one chapter of a larger argument: that every agent framework’s “memory” is the wrong organ — episodic, first-person, dying with the agent — and that organisations need the other one: semantic, institutional memory that outlives every employee and every model. The ebook covers the memory split, the trust receipts, the culture shift (“what does the wiki say?”), the navigator-not-oracle positioning, the four-class failure triage, and the as-at temporal record.
Read Institutional Memory: The Organ Your AI Stack Is Missing →
References
- [1]KPMG & University of Melbourne. “Trust, attitudes and use of artificial intelligence: A global study 2025.” — “although 66% of people are already intentionally using AI with some regularity, less than half of global respondents are willing to trust it (46%).” kpmg.com/xx/en/media/press-releases/2025/04/trust-of-ai-remains-a-critical-challenge.html
- [2]KPMG & University of Melbourne. “Trust, attitudes and use of AI: Country Insights Report (2025).” — “relied on AI output at work without evaluating its accuracy 62% … made mistakes in their work due to AI 54%.” mbs.edu/-/media/PDF/Research/Trust-attitudes-and-use-of-AI_Country-Insights-Report.pdf
- [3]Wallat, Heuss, de Rijke & Anand. “Correctness is not Faithfulness in RAG Attributions.” — “reflecting actual reference use rather than superficial alignment with prior beliefs, which we call post-rationalization… current attributed answers often lack citation faithfulness (up to 57 percent of the citations).” arxiv.org/abs/2412.18004
- [4]Jaźwińska & Chandrasekar, Columbia Journalism Review / Tow Center. “AI Search Has a Citation Problem” (March 2025). — “Collectively, they provided incorrect answers to more than 60 percent of queries.” cjr.org/tow_center/we-compared-eight-ai-search-engines-theyre-all-bad-at-citing-news.php
- [5]W3C. “PROV-DM: The PROV Data Model” (W3C Recommendation). — “provenance is defined as a record that describes the people, institutions, entities, and activities involved in producing… a piece of data… crucial in deciding whether information is to be trusted.” w3.org/TR/prov-dm
- [6]Legal Information Institute, Cornell Law School. “Federal Rules of Evidence, Rule 803(6) — Records of a Regularly Conducted Activity.” — “the record was made at or near the time by — or from information transmitted by — someone with knowledge… kept in the course of a regularly conducted activity… making the record was a regular practice of that activity.” law.cornell.edu/rules/fre/rule_803
- [7]Federal Register of Legislation. “Evidence Act 1995 (Cth), s 69 — Exception: business records.” — representation made “in the course of, or for the purposes of, the business” by a person with “personal knowledge of the asserted fact… based on what the person saw, heard or otherwise perceived.” legislation.gov.au/C2004A04858/latest/text
- [8]Legal Information Institute, Cornell Law School. “Advisory Committee Notes to FRE 803(6).” — “The element of unusual reliability of business records is said variously to be supplied by systematic checking, by regularity and continuity which produce habits of precision, by actual experience of business in relying upon them, or by a duty to make an accurate record as part of a continuing job or occupation.” law.cornell.edu/rules/fre/rule_803
- [9]Wikipedia. “Wikipedia:Verifiability.” — “All quotations, and any material whose verifiability has been challenged or is likely to be challenged, must include an inline citation to a reliable source that directly supports the material.” en.wikipedia.org/wiki/Wikipedia:Verifiability
Discover more from Leverage AI for your business
Subscribe to get the latest posts sent to your email.
Previous Post
Your Organization Has Source Code (And You Can Finally Read It)