Every output assertion is classified into four categories: FACT, INFERRED, UNKNOWN, and WITHHELD ON GAP. The system halts rather than speculates when evidence is insufficient.
Every output claim is evidence-governed. The system classifies each assertion against source material before it reaches the user. Unknown gaps are surfaced, not hidden.
Every assertion in every output carries exactly one of four evidence labels. The system does not release assertions without classification. This is enforced at the architecture level, not as a post-processing step.
The assertion is directly traceable to one or more documents, records, or data points in the Evidence Kernel. The source reference is included in the technical deep-dive output. This is the highest confidence classification.
The assertion is not directly stated in the evidence but is a logical conclusion drawn from multiple evidence sources through the parallel reasoning pipeline. The inference chain is documented in the reasoning trace and available for audit.
The system has identified a relevant question but cannot classify the answer with sufficient confidence. The gap is surfaced explicitly in the output. The system does not generate a plausible-sounding substitute.
The system has determined that the evidence base cannot support the assertion and has declined to make it. This is the strongest form of fail-closed reasoning: the system protects the decision-maker from its own uncertainty by withholding rather than speculating.
In safety-critical systems, "fail-closed" means the system defaults to a safe state when it encounters conditions it cannot handle. Applied to decision infrastructure, fail-closed reasoning means: when the evidence base is insufficient to support an assertion, the system withholds the assertion rather than generating a plausible-sounding substitute.
This is the architectural response to the $67.4 billion annual cost of AI hallucination in enterprise environments. The platform does not eliminate uncertainty - it makes uncertainty visible, auditable, and actionable. A decision-maker who knows where the evidence gaps are can act on that knowledge. A decision-maker who receives confident-sounding outputs from an ungoverned system cannot.
Each parallel branch independently flags evidence gaps. A branch that cannot support its conclusion surfaces the gap rather than forcing a result.
When branches converge, contradictions between branches trigger evidence augmentation - not suppression or averaging.
Every assertion in the final output carries an evidence label. [WITHHELD ON GAP] labels are never hidden or downgraded.
ECIA-7 seven-lens gating can halt output release if compliance requirements are not met, independent of evidence quality.
The Evidence Kernel implements differential privacy with a default epsilon of 0.7 - a value that provides strong privacy guarantees while maintaining analytical utility. This is enforced at the data layer, not as an application-level configuration. Jurisdiction-aware Evidence Kernel sharding ensures that data sovereignty requirements are met by design: evidence from one jurisdiction is not accessible to processing in another without explicit governance authorization.
The next layer: blockchain-anchored audit trails with post-quantum signatures and non-repudiable chain-of-custody.
