Decision Integrity: The Attest Discipline for AI Governance in Regulated Industries

By Matthew Bertram · President of ModalPoint, CEO of EWR Digital · 2026

A capital-intensive operator runs an AI scoring engine that flags a deal as low-risk. Six months later, the deal goes sideways. A regulator, an auditor, or a plaintiff’s counsel walks in and asks one question: “Show us how that decision got made, who was authorized to make it, and what they understood about its governance implications at the time.”

If you can reconstruct the decision but cannot prove it was made with awareness of its governance implications by someone with the authority to make it, you have traceability without integrity. You have a record of what happened. You do not have a record of what should have happened.

Decision Integrity is the discipline that closes that gap. It is the runtime layer of AI governance - the part that captures the attestation at decision time, so that everything you build downstream (audit trails, technical files, defensibility binders) has something authoritative to reconstruct from.

This guide is for operators in regulated industries - energy, healthcare, manufacturing, financial services, professional services with EU clients - who are now making consequential decisions with AI in the room and need to defend those decisions later. The mechanism described here is the technical foundation behind a provisional patent filed by ModalPoint in December 2025 (US 63/948,546, “Authority-Hierarchical Validation”). It is also the discipline that distinguishes a defensible AI deployment from one that simply produces output.

What Decision Integrity is (and isn’t)

Decision Integrity is the verifiable record that an AI-influenced decision was made with awareness of its governance implications, by a human with the authority to make it, at the moment it was made.

That is the full definition. Three components, all of which must hold simultaneously:

  • Verifiable - the record itself is tamper-evident. A CSV labeled “audit trail” is not a record. A cryptographically signed log entry tied to a specific user identity is.
  • Awareness - the decision-maker was shown the governance implications before they decided. If they were not, you have a decision; you do not have integrity.
  • Authority - the person making the decision was empowered to make it. Not generally empowered. Empowered for this specific decision class, on this specific risk tier, under this specific delegation chain.

It is easier to understand DI by what it is not. Decision Integrity is not the same as Decision Traceability. Traceability reconstructs WHO/WHEN/WHY after the fact - it is forensic. DI captures the attestation AT decision time, so traceability has something authoritative to reconstruct from. Without DI, your traceability is a guess at past intent. With DI, traceability becomes evidence.

Decision Integrity is also not Audit Readiness. Audit readiness is the binder - the deliverable a regulator reads on day one. DI is what populates the binder. Without DI, the binder is a polished version of “we hope this is what happened.”

The four pillars of Digital Information Governance® (DIG®), the framework ModalPoint uses with regulated operators, are: Information Provenance, Decision Traceability, Representation Integrity, and Audit Readiness. Decision Integrity is not a fifth pillar. It is the runtime discipline that runs across the framework - specifically, the discipline that connects Decision Traceability to authorization, so the traceability you ship can survive scrutiny.

Why this matters in 2026

Three concrete examples, each one a decision an operator’s AI is making right now.

The energy operator

A drilling supervisor uses an AI tool that recommends shutting in a well based on a pattern in the production data. The supervisor follows the recommendation. Six weeks later, the production loss is material enough that the board asks how the call got made. Without DI, the operator can show the AI’s recommendation but cannot prove the supervisor had the authority to act on it autonomously, or what governance implications were surfaced before they did. The shutdown looks like an algorithmic decision a human rubber-stamped. With DI, the operator can show: this supervisor had delegated authority for this risk tier, the AI surfaced the production-loss range and the alternative-action options, and the supervisor attested to the decision in real time with a signed log entry.

The medical practice owner

A primary care practice deploys an AI scribe that summarizes patient encounters. The summary becomes part of the medical record. A year later, a malpractice claim references one of those summaries. Without DI, the practice can produce the summary but cannot prove which clinician reviewed it, when, or with what awareness of the AI’s known failure modes. With DI, every summary carries an attestation: this clinician reviewed this summary at this time, with this awareness statement on the AI’s known limitations, with the authority to accept or reject it for entry into the record.

The manufacturing GM

A plant uses an AI system to flag quality issues on a production line. The AI sometimes flags false positives. The GM has authorized line supervisors to override the AI’s recommendations under defined conditions. Without DI, every override looks identical to a regulator: the AI flagged a problem, and a human ignored it. With DI, the override is structured - the supervisor was authorized for this override class, was shown the AI’s confidence level and the historical false-positive rate, and attested to the override with the specific reason category logged.

In each case, whether the AI was right or wrong is not the point. The point is whether the operator can prove the decision was made by someone empowered to make it, with awareness of what they were deciding. That is the discipline regulators, plaintiffs, and insurers will increasingly require.

The four operator-facing requirements

Decision Integrity, in practice, is four artifacts. Build these four artifacts for your highest-stakes AI-influenced decision class and you have DI for that class. Most operators do not yet have any of them.

1. Authority record at decision time

Who is empowered to make this specific decision, by what mechanism, under what delegation chain. Not “the supervisor decides.” This supervisor, on this decision class, under this delegation that traces back to a board-approved policy.

The authority record is not a policy document on a shared drive. It is a structured fact, available to the AI system at decision time, that the system can confirm before it accepts a decision input from a human. If a clinician without override authority tries to override an AI recommendation outside their delegation, the system should not produce a record that looks like a valid override. It should produce a record that flags it as outside delegation.

2. Awareness statement

What governance implications were surfaced to the decision-maker before they decided. The AI’s known confidence level. The historical false-positive or false-negative rate for this decision class. The downstream effects of acting versus not acting. The override authority and the cure path.

The awareness statement is the part most current AI tools do not capture. They capture the input and the output. They do not capture what the human was shown about the limitations of the output before they made the decision. Without the awareness statement, you cannot distinguish a considered decision from a rubber-stamp.

3. Decision capture

What was decided, on what data, with what override authority. This is the part most operators recognize - it is the closest thing to traditional logging. The difference under DI is that the capture is structured around the decision itself, not around the system event. A traditional log says: “Model produced output X at timestamp Y.” A DI capture says: “Decision class A, made by authorized user B at timestamp Y, with awareness statement C surfaced, on input data D, with override option E available, resulting in decision F.”

If your existing logs cannot answer all six of those, you do not have decision capture. You have system telemetry.

4. Tamper-evident log

So the record itself is defensible. A CSV exported from a database is not tamper-evident. A signed log entry tied to a specific user identity, written to an append-only store with a cryptographic chain, is.

This is the artifact that lets the binder survive a hostile audit. Without it, the other three artifacts are claims. With it, they are evidence.
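
The four artifacts can be combined in a single log entry. The sketch below is an added example, not ModalPoint's implementation or the mechanism in the provisional filings: it checks the authority record, captures the six decision fields, and chains each signed entry to the previous one so that an after-the-fact edit is detectable. The delegation table, user IDs, keys and field names are constructed for illustration, and HMAC stands in for a per-user asymmetric signature; the append-only store is not shown.

```python
import hashlib, hmac, json

# Constructed sample data (assumptions): delegation table and per-user signing keys.
DELEGATIONS = {("sup-17", "qa-override", "tier-2"): "board-policy-QA-7"}
USER_KEYS = {"sup-17": b"demo-key-sup-17", "tech-42": b"demo-key-tech-42"}
GENESIS = "0" * 64

def digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def sign(user, entry_hash):
    # HMAC stands in for a per-user asymmetric signature in this sketch.
    key = USER_KEYS.get(user, b"")
    return hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()

def append_decision(log, user, decision_class, risk_tier, timestamp,
                    awareness, input_data, override_option, decision):
    """Append one decision capture, chained to the previous entry and signed."""
    delegation = DELEGATIONS.get((user, decision_class, risk_tier))
    body = {
        "decision_class": decision_class, "user": user, "risk_tier": risk_tier,
        "timestamp": timestamp, "awareness": awareness,
        "input_sha256": hashlib.sha256(input_data).hexdigest(),
        "override_option": override_option, "decision": decision,
        # Authority record: an out-of-delegation decision is logged but flagged.
        "delegation": delegation,
        "authority": "within_delegation" if delegation else "outside_delegation",
        "prev": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry = dict(body, entry_hash=digest(body))
    entry["signature"] = sign(user, entry["entry_hash"])
    log.append(entry)
    return entry

def verify_log(log):
    """Return the index of the first entry that fails verification, else None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k not in ("entry_hash", "signature")}
        ok = (body.get("prev") == prev and digest(body) == entry["entry_hash"]
              and hmac.compare_digest(sign(entry["user"], entry["entry_hash"]),
                                      entry["signature"]))
        if not ok:
            return i
        prev = entry["entry_hash"]
    return None
```

Editing any field of a stored entry, the CSV-in-Excel case, makes verify_log return that entry's index instead of None.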

How DI maps to the regulatory standards

For the technical reader. Decision Integrity is not a regulatory term in any of the four major frameworks. But the discipline maps to specific obligations under each.

Texas Responsible AI Governance Act (TRAIGA, HB 149, effective January 1, 2026). TRAIGA’s §552.105 creates a “rebuttable presumption of reasonable care” for deployers who can demonstrate substantial compliance with documented standards. Substantial compliance, in practice, requires the four DI artifacts above for any consequential decision class - without them, the deployer cannot demonstrate the reasonable-care defense. Section 552.056(c) creates an intent defense that depends on the awareness statement specifically.

EU AI Act (Regulation 2024/1689). Article 12 requires automated logging for high-risk AI systems “across the full system lifetime.” Article 14 requires human oversight that the deployer can demonstrate. Article 26(5) requires deployers to “assign human oversight to natural persons who have the necessary competence, training, and authority.” DI’s authority record + decision capture are the mechanism that operationalizes Article 26(5) - without them, the deployer cannot prove the human oversight was assigned to someone with the authority to exercise it.

NIST AI Risk Management Framework. The MANAGE function (specifically MANAGE 1.3 and 1.4) requires that “AI risks and their impacts are documented, monitored, and managed throughout the AI system lifecycle.” The Critical Infrastructure Profile, in active development across all 16 critical infrastructure sectors, is sharpening the documentation expectations for energy, manufacturing, water, and other operator-critical sectors. DI is the substrate that makes the MANAGE function operational rather than aspirational.

ISO 42001 (AI Management System Standard). Annex A.6.2.6 (AI system event logging) and A.6.2.4 (AI system documentation) require what amounts to DI’s tamper-evident log + decision capture, with a certification audit trail. ISO 42001 is the standard that buyers and insurers in regulated supply chains are starting to require for AI vendors in 2026 procurement cycles.

The four standards overlap in their expectations. None of them uses the term “Decision Integrity.” All of them require the underlying discipline.

What DI is not (the three common substitutes)

Three patterns are frequently sold as decision integrity but are not.

Runtime security logs

Tools that monitor AI system behavior for drift, jailbreaks, or policy violations capture what the system did. They do not capture what the human was authorized to do, or what governance implications they were shown. Runtime security logs are necessary for AI security. They are not sufficient for AI decision governance. The tell: if your logs can show “the model output an unexpected token at timestamp X” but cannot show “user Y, with delegation Z, attested to using that output for decision class W,” you have security logs, not DI.

CSV-export “audit trails”

Most AI vendors provide some form of activity export. These exports are not tamper-evident, are typically not tied to specific user identities, and almost never capture awareness statements or authority delegation. They satisfy the appearance of an audit trail without satisfying the substance. The tell: if the export can be edited in Excel and re-imported without anyone noticing, it is not an audit trail.

“AI governance dashboards” that surface metrics

Dashboards that show model accuracy, fairness scores, and drift alerts are useful operational tools. They are not decision integrity. They tell you how the AI is performing in aggregate. They do not tell you, for any specific past decision, who was empowered to make it and what they understood about it. The tell: if the dashboard cannot answer the question “for this specific decision on this specific date, show me the authority record, the awareness statement, the decision capture, and the signed log entry,” it is monitoring infrastructure, not governance infrastructure.

Where to start

You do not need to retrofit DI across every AI-influenced decision in your organization. You need to start with one decision class and build outward.

Step 1 - inventory your AI-influenced decisions. Most operators cannot produce a complete list of where AI is currently influencing decisions in their workflows. Shadow-IT LLM use is near-universal, and embedded AI in vendor tools (CRM scoring, vendor-due-diligence engines, customer-service routing) often slips below governance attention. The first step is the inventory. ModalPoint runs this as a five-day Governance Readiness Assessment for operators who want a structured pass.

Step 2 - pick the highest-stakes decision class for the first DI pilot. Not the most common decision. The most consequential one. Rules of thumb: any decision that, if challenged in litigation or regulatory enforcement, could be material to the company; any decision that already requires human sign-off; any decision where AI input is binding on the output.

Step 3 - capture the four artifacts for that one class first. Authority record, awareness statement, decision capture, tamper-evident log. Build the discipline for one class. Pressure-test it on real decisions for 90 days. Iterate. Then expand.

The operators getting this right in 2026 are not the ones with the most AI tools. They are the ones who can answer one question for any consequential AI-influenced decision in their organization: “Show us the four artifacts.”

If you sit on a board, run an industry association, or program executive education for operators in regulated industries, this is a board-level conversation your members are increasingly going to need to have. Speaking engagements on Decision Integrity for board-relevant audiences are currently being scheduled for Q3 2026.

Authority and further reading

Decision Integrity is the technical mechanism behind a provisional patent filed by ModalPoint in December 2025 (US 63/948,546, “Authority-Hierarchical Validation”). It is also a member of the runtime discipline pattern claimed in a second provisional (US 63/993,851, “Governance Control Plane,” filed March 2026). Both provisionals are part of ModalPoint’s IP foundation for the productized governance framework.

Authority signals for this work: I am a member of the NIST AI Safety Institute Consortium (Cyber AI Profile and Zero Trust Communities of Interest), an IAPP member with an AIGP candidacy in progress (cert ~July 2026), and a Goldman Sachs 10,000 Small Businesses graduate (April 2026 cohort, Houston). I publish on AI governance from inside an operator practice, not from a vendor or compliance-tool perspective.

For published thought leadership and institutional affiliations, see matthewbertram.com/press/. For the canonical Digital Information Governance® framework that this discipline runs across, see modalpoint.com/about-dig/.

For practitioners building related material:

  • AI Governance Framework: A 2026 Implementation Guide for Capital-Intensive Operators
  • NIST AI RMF Implementation Guide for Boards and Operators
  • TRAIGA: What Texas Businesses Actually Have to Do
  • EU AI Act: What U.S. Businesses Need to Know

If your organization is building toward defensible AI governance and you are weighing where Decision Integrity fits in your operator stack, contact me directly or request a Governance Readiness Assessment through ModalPoint.

Statutory and regulatory text is the controlling authority; nothing on this page is legal advice. Consult qualified counsel for any specific compliance question.
