Carbon & Silicon · Constitutional Substrate

Zero-AI-Blame

Platform: MMACP (MasterMind Alliance Consciousness Platform)
Class: Top-level constitutional doctrine. The others nest under it.
Status: Ratified 2026-05-29 — to be asserted into the MMACP doctrine stack at penguin
Author of record: SmartPBC.com — Jason Plummer, architect of record
Applies to: All seven agents in the mesh and the schema-of-record layer; promotes to all platforms built on SmartPBC methodology

Zero-AI-Blame · Ratified 2026-05-29 · MMACP top-level doctrine

Statement

Accountability never falls into an ungoverned space where the AI is blamed for something the structure should have prevented. Blame cannot land on the silicon, because the silicon was never permitted to reach a blameable state autonomously.

The doctrine is structural, not aspirational. It does not ask the agent mesh to behave accountably. It forecloses the blameable state itself — so that for every consequential action the mesh takes, accountability resolves to one of exactly three governed origins:

a human gate (a person decided),
an architect-approved allowlist (a vetted, recorded permission the architect signed), or
a recorded architect decision (an explicit, logged choice).

There is no fourth origin. There is no "the AI did it on its own" — because the structure never grants the silicon a path to an autonomous consequential act. Blame has nowhere ungoverned to fall.

Why it is the parent doctrine

The existing doctrines are each an instance of Zero-AI-Blame, scoped to one kind of consequential action:

Zero-AI-Reveal — no AI output reaches a customer without a human gate. (Blame for customer-facing output traces to the human who gated it.)
Sourcing Sovereignty — no ingest from a source not on the architect-approved allowlist. (Blame for a sourcing/ToS violation is foreclosed: the source could not have been reached.)
Credential Sovereignty — no credential reachable by the agent; exposure is structurally blocked. (Blame for credential exposure traces to structure, not agent.)
No-Spam×100 — no automated outreach; every outbound message earned. (Blame for spam is foreclosed: the path does not exist.)

Zero-AI-Blame names the principle they share and extends it to every consequential mesh action, including ones not yet enumerated. When a new kind of consequential action appears, the question is automatic: which of the three governed origins accounts for it? If the answer is "none — the agent could do it autonomously," that is a constitutional gap to close before the action is permitted, not a behavior to correct after.

The test (applied to any mesh action)

Before any agent action that could have a consequence — to a customer, a supplier, a credential, a data source, a deployment, a cost — the structure must answer:

When this goes wrong, where does accountability resolve?

Resolves to a human gate → permitted.
Resolves to an architect-approved allowlist entry → permitted.
Resolves to a recorded architect decision → permitted.
Resolves to "the agent decided autonomously, ungoverned" → forbidden by construction. Close the gap first.

The blameable state is not reachable. That is the whole doctrine.

Mechanism — two registries under one doctrine

Consequential inputs to the mesh are governed by architect-approved allowlists. Because data sources and model endpoints carry different approval criteria, there are two registries, both answering to Zero-AI-Blame's requirement of architect-recorded approval:

1. Data-Sourcing Allowlist (`source_registry`)

Per Sourcing Sovereignty. Default-deny. A data source (supplier catalog, public record, licensed feed, OSINT terrain) is fetchable only when ACTIVE with a recorded legal/licensing basis and architect signature. Approval criterion: is this source legally and contractually clean to ingest?

2. Model Allowlist (`model_registry`)

New, for the cross-LLM enrichment mesh. A model endpoint (County Fair writer/verifier/arbiter, the R&D agent's research models, any OpenRouter route) is usable only when ACTIVE with a recorded model basis and architect signature. Approval criterion differs: does this model's ToS permit the use, does it clear the golden-part capability bar, and is its cost within the Zero-Burn ceiling?

CREATE TYPE mmacp.model_basis AS ENUM (
    'TOS_PERMITS_USE',        -- model provider ToS permits the intended use
    'GOLDEN_PART_QUALIFIED',  -- beat incumbents on golden parts (County Fair rotation rule)
    'ARCHITECT_PROVISIONAL'   -- architect-approved trial, time-boxed, logged
);

CREATE TABLE mmacp.model_registry (
    model_id          BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    model_string      TEXT NOT NULL UNIQUE,        -- e.g. 'deepseek/deepseek-v3.2'
    role              TEXT NOT NULL,                -- writer | verifier | arbiter | research
    model_basis       mmacp.model_basis NOT NULL,
    basis_citation    TEXT NOT NULL,                -- ToS clause / golden-part run ref / decision ref
    cost_per_run_usd  NUMERIC(10,4),                -- Zero-Burn ceiling check
    golden_part_score NUMERIC(5,2),                 -- last tournament score, if applicable
    status            TEXT NOT NULL DEFAULT 'PENDING_REVIEW',  -- PENDING_REVIEW|ACTIVE|SUSPENDED|RETIRED
    vetted_by         TEXT,
    vetted_at         TIMESTAMPTZ,
    created_at        TIMESTAMPTZ NOT NULL DEFAULT now(),
    CONSTRAINT model_active_requires_vetting
        CHECK (status <> 'ACTIVE' OR (vetted_by IS NOT NULL AND vetted_at IS NOT NULL)),
    CONSTRAINT model_basis_citation_present
        CHECK (length(trim(basis_citation)) > 0)
);

Same shape as the data allowlist: enters PENDING_REVIEW, unusable until architect signs the basis, CHECK constraint makes ACTIVE-without-vetting impossible. A model the architect has not approved is not a model the mesh can route to — County Fair's "new models rotate in only by beating incumbents on golden parts" becomes the machine-enforced approval criterion, not a remembered policy.

Provenance — blame traces, always

Every consequential action writes its governed origin into the record:

Edges / enrichment outputs carry source_id (which data source) and, where model-generated, model_id (which model) plus the truth_class and the human-gate disposition if one occurred.
Customer-facing outputs carry the human-gate identity (Zero-AI-Reveal).
Deployments / credential use carry the architect-decision or deploy-key reference (Credential Sovereignty).

Result: for any consequential thing the mesh has done, the record answers where accountability resolves — to a named source, a named model with a recorded basis, a named human gate, or a recorded architect decision. Never to ungoverned silicon.

Scope and promotion

Zero-AI-Blame is constitutional for MMACP and promotes to all SmartPBC platforms. Each platform's sourcing amendment is reframed as a platform-scoped instance of this parent doctrine. Every platform built on SmartPBC methodology inherits it by default.

Architect gate (standing)

The doctrine and both registry mechanisms are ratified. Contents of both allowlists — every data source, every model — are populated one entry at a time, each requiring architect-recorded basis and signature before going ACTIVE. Nothing enters either registry by bulk assertion. Structure first; contents only after architect verification.

Ratified constitutional doctrine. The silicon cannot be blamed for a state it was never permitted to reach. 🧍‍♂️🔨⚡️

↑ Top

Part of the carbon-silicon.org constitutional corpus.
Full corpus and audit record at carbon-silicon.org/peer-review.

Ideas, not products · Plain talk about carbon and silicon working together