This article reflects MLNavigator Research Group work. Deployment lives in AdapterOS.

← Back to Research Notes
provenance citations reproducibility receipts academic integrity

Execution Receipts and the Problem of Citable AI

January 15, 2026

Problem Statement

Academic and policy institutions are increasingly unwilling to accept AI-generated material as citable evidence. The reasons are structural, not merely procedural: AI outputs lack the properties that citations require.

A citation serves multiple functions. It attributes credit. It enables verification. It establishes a chain of intellectual dependency. For these functions to work, the cited material must be stable, retrievable, and independently verifiable. AI outputs, as currently produced, satisfy none of these requirements.

The consequences are visible in institutional policy. Publishers prohibit AI authorship. Universities treat undisclosed AI use as misconduct. Journals retract papers containing fabricated AI-generated references. Governments mandate disclosure. These responses are not coordinated rejections of a useful technology. They are independent recognitions that AI outputs cannot currently satisfy the evidentiary standards that citations presuppose.

This is not a problem that better prompts or improved models will solve. The problem is architectural. Current AI systems produce outputs without generating the metadata necessary to verify how those outputs were produced. Without verifiable provenance, AI outputs cannot function as evidence.

Documented Consequences

The practical consequences are documented across multiple domains.

Retractions and fabricated references. Research indicates that AI models fabricate between 18% and 69% of their citations, depending on the model and topic. A 2024 analysis by GPTZero found that 50 submissions to the ICLR 2026 conference contained at least one hallucinated citation—papers that had already been reviewed by multiple peer experts who missed the fake references.

Source: GPTZero ICLR Analysis

Source: PsyPost Study on AI Citation Errors

Publisher prohibitions. Major academic publishers have established explicit policies excluding AI from authorship. Springer Nature states that large language models "do not currently satisfy their authorship criteria" because "an attribution of authorship carries with it accountability for the work, which cannot be effectively applied to LLMs." Elsevier prohibits listing generative AI as an author or co-author.

Source: Nature Portfolio AI Policy

Source: Springer AI Policy

Institutional misconduct policies. Universities have updated academic integrity policies to address AI. A 2025 survey found that 88% of UK students had used generative AI tools for assessments. Major UK universities report up to fifteen-fold increases in academic misconduct cases, with nearly one-third of confirmed cases at some institutions involving AI misuse.

Source: Cornell AI Academic Integrity

Detection failures. AI detection tools have proven unreliable. Australia's higher education regulator TEQSA warned in 2025 that AI-assisted work is "all but impossible" to detect consistently, advising universities to redesign assessments rather than depend on detection.

Source: University of Missouri AI Integrity Guidance

These are not isolated incidents. They reflect a systemic mismatch between how AI systems produce outputs and how institutions evaluate evidence.

Why Citations Are Failing

The failure of AI citations has three technical causes. Each must be addressed for AI outputs to become citable.

Nondeterminism

Determinism means that identical inputs produce identical outputs. AI inference, as typically implemented, is not deterministic.

The sources of nondeterminism are multiple. Floating-point arithmetic on parallel hardware produces results that depend on execution order, which varies between runs. Many language models use stochastic decoding, where randomness is intentionally introduced to improve output quality. Temperature settings, top-k sampling, and nucleus sampling all introduce controlled randomness. Even with fixed random seeds, different hardware, library versions, or batch sizes can produce different outputs.

This matters for citation because a citation implies retrievability. If a reader cannot retrieve the same content from the same source, the citation fails its verification function. An AI output that cannot be reproduced is not a stable referent. It is an assertion about what once existed.

No Stable Execution Context

A citation traditionally points to a fixed artifact: a published paper, a book edition, a dataset version. The artifact exists independently of the act of citing it.

AI outputs have no comparable stability. The output exists only in the moment of generation. It is not deposited in a repository. It has no persistent identifier. The execution context—the model version, the system prompt, the conversation history, the inference configuration—is typically not recorded.

Even if the output were stored, the execution context necessary to interpret it would be missing. The meaning of an AI output depends on what was asked, in what order, with what constraints. Without this context, the output is an isolated text fragment whose provenance is unknown.

No Cryptographic Linkage

Trust in citations rests on institutional infrastructure: publishers that verify submissions, repositories that maintain versions, identifiers that resolve to stable locations. This infrastructure establishes provenance through institutional accountability.

AI outputs lack equivalent infrastructure. There is no cryptographic linkage between the input, the model, and the output. There is no attestation that a particular input produced a particular output using a particular model at a particular time. There is no hash, no signature, no timestamp from a trusted source.

Without cryptographic linkage, claims about AI provenance are assertions without evidence. A user can claim they asked a particular question and received a particular answer. They cannot prove it.

Why Watermarks Are Insufficient

Watermarking has been proposed as a solution to AI provenance. The approach deserves careful evaluation because it addresses a related but distinct problem.

What Watermarks Do

A watermark is a signal embedded in content that indicates its origin. For AI-generated text, watermarks typically modify the statistical distribution of token choices in ways that are detectable but not obvious to readers. For images, watermarks may be embedded in pixel values or frequency domains.

The purpose of a watermark is to answer the question: "Was this content generated by AI?" When watermarks work correctly, they enable detection of AI-generated material even after modification.

What Watermarks Do Not Do

Watermarks indicate origin. They do not prove execution.

A watermark can establish that content came from an AI system. It cannot establish what input produced that content. It cannot establish which model version was used. It cannot establish what configuration parameters were active. It cannot establish when the generation occurred. It cannot enable reproduction of the generation process.

The distinction matters. For a citation to function, a reader must be able to verify the cited claim by examining the source. A watermark confirms that content is AI-generated but provides no path to verification. It answers the authenticity question but not the provenance question.

Technical Limitations

Watermarking also faces technical limitations that constrain its applicability.

Text watermarks are vulnerable to removal through paraphrasing. Research demonstrates that watermarks can be defeated "with enough effort"—for example, by using another AI to rephrase watermarked output.

Source: Dr. Alan Thompson, Watermarking Text in LLM Outputs

Detection tools that do not rely on watermarks have proven unreliable. Services claiming to detect AI-generated content have "led to false charges of plagiarism" and have "significant margins of error."

Source: EFF on AI Watermarking

Watermarking standards remain fragmented. The lack of standardization means "a watermark created by one system may not be readable by another."

Source: Cravath Tech Explainer on Watermarking (PDF)

Adoption remains limited. According to one analysis, only 38% of AI image generators implement adequate watermarking practices.

Source: Missing the Mark: Adoption of Watermarking

Watermarking addresses an important problem—authenticating AI-generated content. It does not address the provenance problem that prevents AI outputs from functioning as citations.

Execution Receipts

An execution receipt is a cryptographically signed record that attests to the conditions under which an AI output was produced. It provides the provenance metadata necessary to make AI outputs verifiable and, therefore, citable.

Definition

An execution receipt is a data structure containing:

  1. Input hash: A cryptographic hash of the complete input to the AI system, including the prompt, any context, and configuration parameters.

  2. Model identifier: A versioned identifier for the model used, sufficient to identify the exact weights and architecture.

  3. Configuration state: The inference parameters active at execution time, including temperature, sampling method, random seed if applicable, and any system-level constraints.

  4. Output hash: A cryptographic hash of the complete output produced by the model.

  5. Timestamp: A timestamp from a trusted time source, establishing when the execution occurred.

  6. Signature: A cryptographic signature over the above fields, produced by the execution environment, attesting that the stated input produced the stated output using the stated model at the stated time.

The receipt does not contain the full input or output. It contains hashes that allow verification without disclosure. A party holding the original input and output can verify that they match the hashes in the receipt. A party without access cannot reconstruct the content from the hashes.

What Is Hashed

The hashing function operates over the complete computational input. For a language model interaction, this includes:

  • The user prompt in its exact form
  • Any system prompt or instruction set
  • Conversation history if the interaction is multi-turn
  • Retrieved context if the system uses retrieval augmentation
  • All inference parameters

The output hash covers the complete model output before any post-processing.

The hashes are computed using standard cryptographic hash functions (e.g., SHA-256) that are collision-resistant: it is computationally infeasible to find two different inputs that produce the same hash.

What Is Signed

The signature binds together the input hash, output hash, model identifier, configuration, and timestamp into a single verifiable attestation.

The signature is produced by the execution environment—the system that runs the inference. This requires that the execution environment has access to a signing key and that the key's provenance can be established.

In a deployed system, the signing key might be held in a hardware security module (HSM) or trusted execution environment (TEE). The key's association with a particular execution environment can be established through attestation chains that link the key to known, auditable infrastructure.

Determinism and Replayability

For execution receipts to enable verification, the execution must be reproducible. Given the same input and configuration, the same model must produce the same output.

This requires deterministic execution. The sources of nondeterminism described earlier—floating-point variance, stochastic decoding, hardware differences—must be controlled or eliminated.

Deterministic execution is achievable but not automatic. It requires:

  • Fixed random seeds for any stochastic operations
  • Deterministic algorithm selection in numerical libraries
  • Controlled execution order for parallel operations
  • Version-locked model weights, tokenizers, and inference code

When deterministic execution is achieved, any party with access to the input can independently verify the output by re-executing the inference. The execution receipt provides the reference against which re-execution results can be compared.

[FIG 1: Execution Receipt Pipeline]

A minimal diagram showing the flow from input to output with receipt generation. The input passes through a hash function, producing an input hash. The input is processed by the model (with model ID and configuration recorded), producing an output. The output passes through a hash function, producing an output hash. A timestamp is obtained from a trusted time source. All components—input hash, model ID, configuration, output hash, and timestamp—are signed together, producing the execution receipt. The receipt can later be used to verify that a claimed input-output pair matches the attested execution.

Cite-ability

Execution receipts change the semantics of AI citation. They transform AI outputs from ephemeral assertions into verifiable claims.

The Current State of AI Citation

Currently, citing an AI output is structurally similar to citing a conversation. One can quote what was said, but one cannot provide a path for others to verify the quote. The cited content is not retrievable. Its accuracy depends entirely on the honesty of the person citing it.

Publisher guidance reflects this limitation. Springer Nature permits use of AI tools but states that "AI-assisted technologies should not be cited as an author" and that "the use of AI-generated content in manuscripts is at the discretion of authors" with the understanding that authors bear full responsibility.

Source: Springer Nature Editorial Policies

This is not citation in the scholarly sense. It is disclosure of methodology. The AI output itself remains unverifiable.

Execution Receipts as Evidence

With an execution receipt, the semantics change. A citation can include:

  • The output being cited
  • The execution receipt attesting to the output's provenance
  • A commitment to provide the input for verification upon request

This structure mirrors how experimental evidence is cited in science. A paper reports results and describes methods. Reviewers can request raw data. Replication attempts can verify the methodology.

The execution receipt establishes that a particular input produced a particular output. The receipt is independently verifiable. Any party with access to the input can re-execute and compare results.

Comparison to Experimental Methods

In empirical science, reproducibility is a core norm. A valid citation to experimental results implies that the experiment can, in principle, be repeated. Methods sections describe procedures in sufficient detail for replication.

Execution receipts apply the same norm to AI outputs. The receipt documents the "experimental conditions" under which the output was produced. Verification proceeds by replication: re-running the inference with the same inputs and comparing outputs.

This does not mean that all AI citations require re-execution. Most citations are accepted on trust, as they are in experimental science. But the possibility of verification changes the epistemic status of the claim. It becomes evidence rather than assertion.

Comparison to Build Artifacts

Software engineering has developed sophisticated practices for establishing provenance of build artifacts. The Supply-chain Levels for Software Artifacts (SLSA) framework, developed by Google in 2021, provides a maturity model for build provenance.

SLSA defines provenance as "metadata that proves how, when, and by whom a software artifact was built." Higher levels of the framework require "build environments to be tamper-resistant and generate cryptographically signed attestations."

Source: SLSA Framework

The reproducible builds movement extends this further. A reproducible build guarantees that "given the same source code, build instructions, and build environment... compiling a software project generates bit-by-bit identical results."

Source: Reproducible Builds Research Paper

Execution receipts adapt these practices to AI inference. The model is the "source code." The input is the "build configuration." The execution environment is the "build system." The output is the "artifact." The receipt is the "provenance attestation."

Policy and Academic Implications

Execution receipts align with emerging policy frameworks and reduce institutional risk.

Alignment with Existing Norms

The emphasis on provenance and auditability in execution receipts reflects existing policy priorities.

The U.S. Executive Order on AI (October 2023) directed agencies to develop capabilities for "authenticating content and tracking its provenance" and for "labeling synthetic content." Though the specific order was later revoked, the underlying concern—establishing the origin of AI-generated content—persists in policy discourse.

Source: Biden Executive Order on AI

The Coalition for Content Provenance and Authenticity (C2PA) has developed technical standards for content credentials—"like a nutrition label for digital content, giving a peek at the content's history." The C2PA specification is expected to be adopted as an ISO international standard.

Source: C2PA

The EU AI Act requires high-risk AI systems to maintain logging capabilities that enable "traceability of the functioning of a high-risk AI system." Article 12 mandates that logs support reconstruction of system behavior.

Source: EU AI Act Article 12

Execution receipts provide a mechanism that satisfies these provenance requirements for AI inference specifically.

Reduction of Institutional Risk

Institutions face risk when accepting AI-generated material without provenance verification.

The risk of fabricated citations is documented. A 2025 case reported by Retraction Watch found fake references in a paper published in the Journal of Academic Ethics—an article about whistleblowing.

Source: Retraction Watch on Fake References

The laundering of errors is a related concern. Articles containing fabricated references are themselves cited, "which effectively launders their erroneous citations."

Source: Rolling Stone on Fake Citations

Execution receipts reduce these risks by making verification possible. An institution can require receipts for AI-assisted submissions. Reviewers can verify claims against receipts. The cost of fabrication increases because fabrication requires forging cryptographic signatures.

Audit Without Disclosure

Execution receipts enable verification without requiring disclosure of sensitive content.

A receipt contains hashes, not content. An auditor can verify that a claimed input-output pair matches a receipt without the organization disclosing the actual prompt or output. This separation supports compliance verification in contexts where the underlying content is proprietary or confidential.

For sensitive applications—legal analysis, medical consultation, financial modeling—this property is important. Organizations can demonstrate that their AI use is documented and verifiable without exposing the substance of their queries.

Limitations and Open Questions

Execution receipts address specific problems in AI provenance. They do not solve all problems related to AI trustworthiness. The following limitations should be clearly understood.

Receipts Attest to Execution, Not Correctness

An execution receipt proves that a particular input produced a particular output. It does not prove that the output is correct, useful, or safe.

A model that consistently produces incorrect outputs will produce receipts for those incorrect outputs. The receipt attests to provenance, not quality. Verification confirms that the claimed execution occurred; it does not validate the content.

Deterministic Execution Has Costs

Achieving deterministic execution typically requires performance tradeoffs. Deterministic algorithms may be slower than their nondeterministic counterparts. Single-threaded execution forfeits parallelism benefits. Version-locking constrains deployment flexibility.

The tradeoffs are application-specific. Some contexts justify the costs; others do not. Execution receipts are most valuable where verification requirements are high enough to warrant the overhead.

Key Management Is Non-Trivial

The trustworthiness of a signature depends on the trustworthiness of the signing key. If the signing key is compromised, forged receipts become possible.

Key management for AI execution environments is an emerging problem. Hardware security modules, trusted execution environments, and attestation protocols provide partial solutions. A comprehensive treatment is beyond the scope of this document.

Adoption Requires Infrastructure

Execution receipts require infrastructure that does not currently exist at scale. Model providers must generate receipts. Verification services must validate receipts. Citation standards must accommodate receipt metadata. Institutions must update policies.

This is a coordination problem as much as a technical one. The technical components exist; their integration into production systems and institutional workflows does not.

Not All Use Cases Require Receipts

Many uses of AI do not require verifiable provenance. Casual assistance, brainstorming, and exploration benefit from AI without needing citations. Receipts add overhead that is justified only when the output will be used as evidence.

The question is not whether all AI use should generate receipts. The question is whether receipts should be available when provenance matters.

Open Questions

Several questions remain open:

  • Standards convergence: Will a single receipt format emerge, or will fragmentation persist?
  • Retroactive verification: Can receipts be issued for historical outputs, or only for new executions?
  • Multi-model pipelines: How should receipts handle outputs that involve multiple models or retrieval-augmented generation?
  • Institutional acceptance: Will academic publishers and regulatory bodies accept receipts as evidence of provenance?
  • Adversarial robustness: How resistant are receipt systems to sophisticated attacks?

These questions require further work. This document describes the concept and its potential; it does not claim to have resolved all implementation challenges.

Conclusion

AI citations are collapsing under scrutiny because they lack verifiable provenance. The outputs are nondeterministic. The execution context is unrecorded. There is no cryptographic linkage between input, model, and output. Watermarks address authenticity but not provenance.

Execution receipts offer a path forward. By recording the conditions of execution and signing the record cryptographically, receipts create a verifiable chain from input to output. The chain enables verification: any party with access to the input can re-execute and compare.

This transforms the epistemic status of AI outputs. They become evidence that can be cited, verified, and audited—not assertions that must be accepted on trust.

The infrastructure does not yet exist at scale. The standards are not yet established. The institutional acceptance is not yet secured. But the technical components are understood, and the need is documented. The question is whether the research community, standards bodies, and technology providers will converge on solutions that make AI outputs citable.

The stakes are significant. AI capabilities are advancing. Their integration into research, policy, and professional practice is accelerating. If AI outputs cannot be verified, they cannot function as evidence. If they cannot function as evidence, their integration will remain constrained by the same provenance failures that currently limit citation.

Execution receipts do not solve all problems with AI trustworthiness. They solve one problem: the absence of verifiable provenance. That problem is foundational. Its resolution is a prerequisite for the responsible use of AI in any context where credibility, auditability, and institutional trust matter.

Continue Reading

All Research Notes Research Pillars