Abstract

Automated compliance-as-code tooling collapses a passing check into a claim of full control adoption. That collapse is the root cause of "fake green": a compliance dashboard that reports an application as governed when, in fact, the machine has only observed the presence of a shape — a file, a string, a field — and has proven nothing about adequacy. A present-but-inert authentication middleware (const requireAuth = () => (req,res,next) => next()), a database-facade bypass, a header-only tracker CSV, or a hardcoded credential can all satisfy naive presence checks and light the board green. This disclosure describes a coherent protocol that structurally cannot inflate. Every scanner rule is annotated with an epistemic evidence class. Positive machine evidence is capped at a non-committal partial — the machine is never permitted to assert adopted. Provable defects are treated asymmetrically: an anti-pattern that fires is a definite gap at full certainty, while an anti-pattern that stays silent proves nothing and yields either partial or no row at all. Negative rules promote inert code to a first-class violation. A structural source-precedence merge keyed on (app, control) lets a machine write overwrite only a prior machine write, so human judgment is immovable by the scanner. Finally, rollups divide adopted by an assessed-only denominator and render null (grey) when nothing has been assessed, so an unexamined application is never falsely green nor falsely red. The five ideas compose into a single fail-closed epistemic contract for automated governance.

Creative Commons License

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.

Share

COinS