Learn · The layered model

The layered model, at the concept level.

The model has two layers, and keeping them separate is the point. One layer is the account an action leaves behind. The other is the ability for an outsider to check that account later, without taking your word for anything. Here is what each layer is for, and why the line between them matters.

Think of it as two jobs that are easy to blur together and better to keep apart. The first is producing a durable account of what an automated system did. The second is confirming that account holds up when someone who was not there wants to look. GeoClear calls these L0 and L1.

L0 What each action leaves behind

The operational evidence record

When an automated system takes an action, that action should leave behind a durable, self-contained account of what happened: which policy governed it, and what the outcome was. That account is the operational evidence record. It is created at the moment of the decision, not reconstructed afterward from scattered logs. Most importantly, the customer holds it. The record travels with the action rather than living only inside the system that produced it, so the organization keeps the account of how its AI systems behaved regardless of what happens to any one platform.

L1 Checking that record without trusting the actor

Independent verification

A record is only useful if someone can confirm it holds up. That is the job of the second layer. Independent verification is the act of checking an operational evidence record on its own terms: offline, with no live call back to whoever issued it, and without having to trust the system that made the original decision. A reviewer works from the record itself. They do not need your dashboards, your personnel, or your goodwill in the loop. The check is theirs to run, on their own machine, at a time of their choosing.

Why the separation matters

Two jobs, deliberately not the same job.

When the record and the check are the same system, a reviewer is really auditing your platform, not your decisions. Splitting them removes that dependency. The record is designed to stand on its own, and the verification is designed to run on its own, so neither leans on the other being trusted.

The record can outlive the platform

AI stacks change quickly. Runtimes get replaced, vendors get swapped, models get retired, and cloud arrangements get renegotiated. Because L0 is a portable account the customer holds rather than a view inside a live system, it stays useful even after the platform that created it has moved on. A review that arrives years later still has something concrete to examine. The five action outcomes an operational evidence record can carry stay stable and legible over time: accept, hold, reject, block, escalate.

The check needs no insider access

Because L1 works from the record itself, verification does not require a live call back to the issuer or a seat inside the reviewed organization. That is what makes independent review independent. A reviewer free of any relationship with you can still reach their own conclusion, which is exactly the standard modern oversight is moving toward.

This page stays at the level of what each layer is for. The specifics of how a record is formed or how a check is carried out are implementation details that sit below this conceptual line, and they are not the point of the model. The point is the separation itself: an account you hold, and a check anyone can run.