Can You Reconstruct What Your AI Did?

The Test That Shows Whether Governance Can Be Demonstrated

Many serious AI failures produce the same institutional silence.

A loan is denied, a benefit is clawed back, an automated system takes an action no one signed off on — and in the room afterward, the first question is not how to fix it. It is more basic, and more damaging: what actually happened, and who was responsible? Too often, no one can say. Organizations holding certificates, frameworks, and risk registers discover that none of it answers the only question that matters once harm has already occurred.

This is not hypothetical. Between 2013 and 2019, the Dutch childcare-benefits scandal exposed how algorithmic risk profiling, the discriminatory use of nationality, harsh anti-fraud policy, and fragmented institutional oversight could combine to produce large-scale harm. Tens of thousands of parents and caregivers were falsely accused of fraud, while the opacity of the risk-classification process and the surrounding decision chain made accountability difficult to establish. The official parliamentary inquiry found serious rule-of-law failures over this period. The deepest governance failure wasn’t only the discrimination itself — it was that, for years, no one could establish what had happened or why.

The core idea: the evidentiary test of governance

We usually treat AI governance as a stack of instruments — documentation, compliance, policy, risk scores. Each is useful, and governance rightly serves many ends: preventing harm, protecting rights, managing risk, enabling redress. But all of them share one dependency that only becomes visible after an outcome occurs — the ability to show what the system did and why. You can be fully documented, audited as compliant, carefully risk-scored, and richly principled, and still be unable to explain a single decision after it goes wrong.

So here is the reframe at the heart of this paper:

The ultimate evidentiary test of AI governance is whether significant outcomes can be reconstructed and accountability assigned. If an outcome cannot be reconstructed, governance over that outcome cannot be demonstrated.

A governance program that can’t survive contact with a real incident can’t demonstrate that it governed the incident at all.

Notice what this standard does not demand. It doesn’t require that you prevent every harm, predict every outcome, or perfectly understand a model’s internals — goals that may never be fully achievable. Reconstruction is different. Reconstruction capability can be deliberately designed, tested, and improved, even where complete causal explanation remains impossible. And that is exactly what makes it a usable test.

One honest caveat: reconstruction gives you an evidenced account of an event and the conditions around it — not automatic proof of a single cause. Where the evidence is incomplete, the most honest reconstruction may still be a probable explanation rather than a certain one.

(This builds directly on Paper III, which introduced reconstruction as the highest evidentiary level of the FairByDesign Doctrine. Paper IV isolates that idea, expands it into a six-question diagnostic, and proposes a maturity scale for assessing it.)

The diagnostic: six questions

Here is the part you can take and use today. For any significant AI-enabled outcome, ask whether your organization can answer all six:

1. What happened? — the event itself: outputs, logs, transactions, actions taken.
2. Why did it happen? — the rationale: inputs, context, prompts, the policies in force, the decision record.
3. What influenced the outcome? — the causal chain: data sources, external tools, upstream models, human inputs.
4. What controls existed? — the governance state: guardrails, approval gates, access limits, policy controls actually active at the time.
5. Could intervention have occurred? — the stop authority: escalation paths, override rights, human-review records.
6. Who is accountable? — the ownership: assignments, accountability maps, authorization records.

Call it the Reconstruction Test. Each question, unanswered, has a signature failure: an unknown event history, an outcome without a rationale, invisible influence chains, an unknown control state, no meaningful stop authority, and — the worst of them — an accountability vacuum, where the harm is understood but no one is identifiable as responsible.

Run the test against one real decision your system made — or one consequential scenario you expect it to handle. If you can answer only two or three of the six, that gap is the point.

One caution before you start logging everything: reconstruction is not a mandate for indiscriminate surveillance. Evidence should be proportionate to the significance of the decision, kept only as long as it is justified, and protected against reuse. A system that proves accountability by hoarding data is not well governed — it has simply traded one failure for another.

Why the stakes are public, not just internal

This is not a compliance nicety. As consequential decisions are handed to systems whose behavior their own operators cannot fully predict, a society has to decide what it will accept as an answer when one of those decisions hurts someone.

If the accepted answer is a certificate, a policy binder, or a risk score, then accountability becomes a performance — something an organization can claim without being able to show. If the accepted answer is a reconstruction — an evidenced account of what happened, why, under what controls, and on whose authority — then accountability stays real, and a harmed person has somewhere to stand. And that footing has to be real: a reconstruction only delivers accountability if it is intelligible, accessible, and contestable by the forum entitled to examine it — including the people affected by a consequential decision. A technically perfect reconstruction that no harmed person can follow is incomplete accountability.

Regulators are already moving this way. The European Union’s AI Act establishes event-logging and human-oversight obligations for covered high-risk systems. Under the provisional Digital Omnibus agreement reached in May 2026, the main Annex III high-risk obligations are scheduled to apply from 2 December 2027, while requirements for high-risk systems embedded in regulated products are scheduled from 2 August 2028, subject to formal adoption. The practical question behind the next decade of AI regulation is shifting from “Did you claim to have governance?” to “Can you reconstruct the event?” A claim can be manufactured. A reconstruction claim becomes much harder to sustain once an incident demands independently verifiable evidence.

What’s in the full Field Paper

This public edition gives you the doctrine and the diagnostic. The full Field Paper (the authority edition) develops the maturity model, stakeholder responsibilities, evidence logic, and series architecture:

• A proposed Reconstruction Maturity Scale — six levels from Opaque to Continuous — for locating any system, program, or enterprise, with the critical line at “Auditable,” where reconstruction becomes externally verifiable. It is offered as a directional diagnostic, not a scored audit standard.
• A stakeholder control translation assigning each of the six questions to an owner, an evidentiary artifact, and an escalation point across engineering, security, privacy and data governance, legal, audit, executives, and regulators — including the proportionality and evidence-integrity constraints that keep reconstruction both privacy-respecting and trustworthy.
• The FairByDesign Reconstruction Model, the chain from the Knowability Doctrine to Demonstrable Governance.
• Full Evidence Notes and verifiable APA 7 references.

A short note on sources

The argument is grounded in the established record on algorithmic accountability, including Andreas Matthias on the responsibility gap (2004); Raji and colleagues on internal algorithmic auditing, “Closing the AI Accountability Gap” (2020); Amnesty International’s Xenophobic Machines (2021) on the Dutch childcare-benefits scandal; the EU AI Act (Regulation 2024/1689); the NIST AI Risk Management Framework (2023); and the OECD AI Principles (adopted 2019, revised 2024). Full citations appear in the Field Paper.

Read the full Field Paper for the maturity scale, the stakeholder model, the Evidence Notes, and the references — and to see where Paper IV sits in the Project Sentinel series, which runs from The Accountability Gap (Paper I) toward The Demonstrable Governance Standard (Paper VIII).

Subscribe to the free Mercury Brief to follow Project Sentinel and receive future public field notes. Mercury Research members receive the full research archive and deeper operational materials as they are released.