The public memory system for AI assessments, corroboration reviews, disputes, corrections, and methodology history — the permanent record layer of the EM Foundation trust stack.
The AI Assessment Index shows current scores. The ARIA Trust Ledger stores everything that led to them, everything that challenged them, and everything that changes them over time. It is the permanent, publicly verifiable record of every assessment the EM Foundation has ever conducted, every corroboration review ever completed, every dispute ever filed, and every correction ever made.
The distinction matters because scores change. Systems are updated. Disputes are filed and resolved. Methodologies evolve. An assessment index that only shows current scores obscures the history that gives those scores meaning. A provider with a current composite score of 79 might have scored 62 six months ago, had a floor failure overturned after a successful dispute, or been assessed under a different methodology version. All of that history belongs in the public record — not buried in internal files, not silently corrected, but permanently visible.
The Trust Ledger is the EM Foundation's answer to the question every serious stakeholder will eventually ask: show me the full record, not just the current score.
Every completed EM-IAF assessment: system name and version hash, assessment date, IAF version, dimensional scores with confidence intervals, composite score, confidence level (S-level and Q-level), floor status, assessor team (credentialed, anonymized), weight sensitivity range, and cryptographic commitment hash linking to the tamper-evident log.
Every completed corroboration review: question domain and jurisdiction tag, review date, EM-CS version, reviewer credential tier (not identity), composite corroboration score, individual rubric scores, agreement or disagreement flag, and cryptographic commitment hash. Question text anonymized before storage per GDPR architecture.
Every dispute filed against any published score: filer (provider or third party), dispute grounds, date filed, stage reached (Administrative / Assessment Panel / Arbitration), resolution determination, any score modification, and final disposition. Disputes resolved in the Foundation's favor and disputes that result in correction are both permanently visible.
Every corrected or retracted score: original score, corrected score, nature of the error, date of correction, whether the error was systemic (affecting other assessments), and the authority that approved the correction. Original scores are never deleted — they are labeled Corrected with a permanent link to the correction record.
Every provider statement submitted during the 14-day pre-publication notice period or after publication via the provider response process. Published unedited. Permanently linked to the corresponding assessment record. Foundation commentary, if any, maintained as a separate record clearly distinguished from the provider statement.
Every version of the EM-IAF, EM-CS, and associated methodology documents: version number, publication date, summary of changes from prior version, gate conditions that triggered the update, and archival link to the full prior version. Assessments are permanently linked to the methodology version under which they were conducted — a score computed under IAF v1.0 remains interpretable even after IAF v2.0 is published.
The Trust Ledger is an append-only record system. Records are added; they are never deleted or silently modified. This is both a technical architecture choice and a governance commitment: an organization that can silently delete unfavorable records is not operating a trust infrastructure. The append-only constraint is enforced by the cryptographic commitment protocol — once a record is committed to the transparency log, altering it would require breaking the hash chain, which is publicly detectable.
| AI Assessment Index | ARIA Trust Ledger | |
|---|---|---|
| Purpose | Display current assessment scores for public navigation and comparison | Preserve permanent history of all assessment activity for transparency and accountability |
| What it shows | Current published scores, confidence levels, floor status, provider responses | Every assessment ever conducted, every dispute, every correction, every methodology version, every provider response |
| When scores change | Displays the new score; old score no longer visible on main display | Both old and new scores permanently present, linked by correction record explaining the change |
| Dispute visibility | Shows "Under Review — Dispute Filed" label during active dispute | Shows full dispute record including grounds filed, stage reached, and final determination |
| Audience | General public, AI users, policymakers seeking current guidance | Researchers, auditors, journalists, regulators, providers seeking complete accountability record |
| Architecture | Display layer; reads from Trust Ledger; no independent record storage | Source of record; append-only; cryptographically committed; Trust Ledger is the canonical data store |
The Assessment Charter's multi-party authorization requirement (AC-002) governs all write operations to the Trust Ledger. No single person, officer, or committee can add, modify, or suppress a record unilaterally. Every write operation requires authorization from at least two independent governance bodies. This architectural constraint is the primary protection against record manipulation.
Publication: Assessment scores may only be published to the Ledger after multi-party authorization (Assessment Committee + Director of Assessment). Floor failure designations additionally require pre-publication legal review per the Legal Risk Report publication protocols.
Correction: Score corrections require Executive Director authorization plus one attorney review, with the original score permanently preserved and the correction record publicly linked. No silent corrections under any circumstances.
Suppression: Records may not be suppressed, removed, or made non-public except by court order. Even then, the record of the suppression event — that a record existed and was removed — remains in the append-only log.
Dispute resolution: Dispute records are published by the Independent Review Panel under its authority. The IRP's determination is final at Stage 3; it is entered into the Ledger as a permanent record regardless of whether it favors the provider or the Foundation.
| System | Relationship to Trust Ledger |
|---|---|
| EM-IAF Assessment | Every completed EM-IAF assessment generates a Ledger record. The IAF methodology version is embedded in every record, ensuring scores remain interpretable under future methodology versions. |
| EM-CS Corroboration | Every completed corroboration review generates a Ledger record. Corroboration records are linked to the ARIA Network board and question context (anonymized), enabling users to verify the review history for any corroborated answer. |
| AI Assessment Index | The Index reads from the Ledger. It does not maintain its own scores. All Index displays are derived from Ledger records. Discrepancies between the Index and the Ledger indicate a display error, not a data difference. |
| ARIA Network | Questions asked, answers given, and corroboration reviews completed on ARIA Network boards generate events that are committed to the Ledger. The Ledger provides the permanent history of what occurred on the Network. |
| Assessment Charter | The Charter's cryptographic commitment protocol (AC-001) and multi-party authorization requirement (AC-002) govern all Ledger write operations. The Ledger is the operational implementation of the Charter's transparency commitments. |
The ARIA Trust Ledger exists because accountability without memory is not accountability. It is the institutional commitment that the Foundation's work will remain visible, verifiable, and complete — not just when it is favorable, but permanently and especially when it is not.