Protocols & Rails — AI Voice & Wearables Integrity
If AI can speak in your ear, trust must be machine-checkable.
No Stamp → No Sponsored Speak
For sponsored or configured high-impact voice outputs, Good Proof verifies consent, disclosure, and context state at output time — with live revocation by link.
- Gate speak path by Status Link: if not VALID → sponsored/high-impact output blocked
- Context-aware controls: child mode, driving mode, sleep/privacy modes
- Evidence Pack (IDA): portable proof for disputes, regulators, procurement
Fail-closed•Append-only•Scope-bounded
Scope-limited verification. Not certification. Acceptance depends on counterparty or programme requirements.
What this rail is
Runtime verification of consent, disclosure, and context state at output time for sponsored or configured high-impact voice actions.
What this rail is not
Full conversation recording, recommendation quality scoring, certification, or replacement for legal/privacy/compliance functions.
Good Proof does not score ad quality. It verifies whether sponsored AI influence met defined controls at decision time.
Why voice & wearables buyers are moving now
Ambient trust anxiety, regulatory pressure, and enterprise procurement demands are converging.
Ambient capture anxiety is rising
Always-on devices face growing user backlash. Teams need portable proof that consent/disclosure state was valid at output time.
Sponsored suggestion ambiguity
Voice recommendations blur organic help and paid promotion. Regulators and partners demand verifiable disclosure.
Child/household authority ambiguity
Multiple users share devices. Proving whose consent applied and which context mode was active is operationally hard.
Device-edge/cloud boundary uncertainty
Processing shifts between edge and cloud. Users and regulators need to know where decisions were made.
No portable proof of consent at interaction time
Internal logs don't travel. Counterparties need a link they can check today, not a screenshot from last quarter.
Procurement/regulatory demand growing
Enterprise distribution partners and regulators increasingly require verifiable trust controls for voice AI.
Good Proof provides scope-limited verification evidence and stop-rely semantics. It is not a certification.
Trust risks unique to voice & wearables
Ambient AI interfaces create new categories of trust risk that screen-based systems don't face.
Ambient capture concerns
Always-on listening creates anxiety about surveillance. Users can't tell when data is retained vs discarded.
Sponsored suggestion ambiguity
Voice recommendations blur the line between organic help and paid promotion. Disclosure gets lost in speech.
Child/household context
Kids trigger actions; multiple users share devices. Consent and authority become ambiguous.
Device + cloud boundary issues
Processing shifts between edge and cloud. Users don't know where decisions are made or data is stored.
Good Proof provides a portable verification object: a Status Link + IDA Evidence Pack that proves consent, disclosure, and context state at interaction time.
What a Stamp proves (and what it doesn't)
Proves (within lane scope)
- Voice action class + outcome
- Interaction timestamp
- Consent state at output time
- Disclosure payload reference
- Context gate state (child/driving/sleep/privacy modes)
- Validity state (VALID / NEEDS_REFRESH / WITHDRAWN / NOT_VERIFIED)
Does NOT prove
- Audio recording contents
- User intent or satisfaction
- Recommendation quality
- Raw conversation transcripts
- Certification or regulatory compliance
In disputes: Status Link = reliance state now. IDA Evidence Pack = fileable interaction-time snapshot.
Scope-limited verification. Not certification. Acceptance depends on counterparty or programme requirements.
Integration in 3 touchpoints
1
Define
Sponsored/high-impact voice output requires pre-output Status check → block if not VALID
2
Gate
Verify Status Link at TTS/response generation gate; fail-closed enforcement
3
Evidence
Status Link + Evidence Pack ship for counterparty verification, disputes, and procurement
High-impact gating only. Everything else runs normally.
What gets stamped in Voice & Wearables lanes
High-impact voice action classes (define per programme):
Consent state reference
Reference to active consent binding at interaction time (not raw transcript).
Disclosure payload reference
Reference to machine-readable disclosure: sponsor, material connection, and regulatory flags.
Context gate state reference
Reference to context-aware restrictions: driving mode, child mode, sleep mode.
Retention boundary + policy version
Reference to what audio is retained, for how long, and under what legal basis.
Device/cloud boundary reference
Reference to where processing occurred (edge vs cloud) at interaction time.
Audio excluded by default
Audio excluded unless explicitly scoped. Minimal disclosure is the default.
If it's spoken and can affect trust, consent, or safety, it must be verifiable and revocable before output.
Runtime status enforcement
Every high-impact voice output must pass a status gate before speaking. Non-VALID states trigger fail-closed behavior.
VALID
Output verified. Speak permitted.
NEEDS REFRESH
Re-verify before output.
WITHDRAWN
Stop output immediately.
NOT VERIFIED
No proof exists. Block.
Fail-closed: if status ≠ VALID at output time, the voice does not speak.
VALID = valid within scope (not a guarantee of recommendation quality or user satisfaction).
Output behavior when status is not VALID
VALID
Sponsored/high-impact output may speak.
Non-VALID
Block sponsored/high-impact output.
Optional fallback
Continue non-sponsored safe response where policy allows.
Always
Log state + timestamp for evidence.
What you get (two artefacts, one standard)
Status Link (authoritative now)
A counterparty-verifiable link that returns current validity within scope.
- Returns: status, scope, expiry, verified_at, signer, verify_url
- Fail-closed: unreachable = NOT_VERIFIED
- Built for runbooks, voice pipelines, tickets, and automated gates
IDA Evidence Pack (snapshot then)
View full details →A time-stamped snapshot you can forward, file, and cite.
- Built for disputes, regulators, and enterprise procurement
- Minimal disclosure by default (proof ≠ payloads)
- Audio excluded unless explicitly scoped
PDFs are great for filing. Status Links keep them current.
When status changes — and what it means
Status triggers define when a Status Link moves to NEEDS_REFRESH or WITHDRAWN. Understanding these ensures fail-closed enforcement at output time.
NEEDS_REFRESH
Re-verify before output.
Consent state changed (opt-in/opt-out toggle)
Retention policy updated
Context mode changed (child mode enabled/disabled)
Voice model or safety policy version change
Device/cloud processing boundary changed
Disclosure requirements updated (regulatory change)
Household membership changed
Third-party voice skill integration updated
NEEDS_REFRESH means "re-verify before you rely," not "schedule a meeting."
WITHDRAWN
Stop-rely signal. Output must not proceed.
Consent withdrawn or expired
Child safety violation suspected
Unauthorized purchase or action detected
Privacy breach or data leak confirmed
Regulatory takedown order received
Device compromise suspected
Materially misleading output confirmed under policy/regulatory determination
Fail-closed: Wherever the Status Link is checked, if WITHDRAWN → block output immediately.
What's inside the IDA Evidence Pack
Time-stamped snapshot for disputes, regulators, and enterprise procurement.
Voice interaction summary + lane scope boundary
Interaction timestamp + evidence window
Consent state reference (active/passive/withdrawn)
Disclosure payload reference (sponsor, material connection)
Retention policy boundary + legal basis
Context gate state (child mode, driving mode, etc.)
Model/policy version identifiers
Device/cloud processing boundary ref
Verification transcript + timestamps
Redaction matrix (what's excluded by design)
Minimal disclosure by default. Programme-gated access when required. Audio excluded unless explicitly scoped.
Integration touchpoints
Good Proof integrates at key points in your voice/wearable pipeline.
Voice assistant pipeline
Gate before voice output: verify Status Link at TTS/response generation. Block or escalate if not VALID.
Wearable app companion
Mobile companion app verifies status before triggering wearable actions. Sync state across devices.
Telemetry hooks
Event stream integration for consent changes, context transitions, and policy updates. Real-time status sync.
Verify API
Millisecond status checks at output time. Fail-closed enforcement with structured response for audit.
What counterparties can verify without logging into your perimeter
Current validity state: VALID / NEEDS_REFRESH / WITHDRAWN / NOT_VERIFIED
Scope boundaries and expiry window
Signer authority reference
Change triggers fired (refresh reason code) — without exposing payloads
Verification route and optional signed verify response (programme scoped)
Optional tamper-evident anchoring to Good Proof LIVE Ledger for high-assurance programmes
AI-Agent Era
AI-agent era controls
Prompts can drift. Consent can change. Reliance controls must not.
Material change in consent/policy/model/configNEEDS_REFRESH
Integrity or consent boundary breachWITHDRAWN
Timeout/unreachable verification routeNOT_VERIFIED (fail-closed)
Exception lane requiring human finalityGuardian path (optional)
Good Proof does not decide outcomes; it controls whether high-impact voice actions are safe to rely on.
Who buys this in Voice & Wearables
Commercial platform teams and external verifiers with trust accountability.
Platform & commercial buyers
Privacy & Trust
Pain: Voice interactions get challenged and we can't prove consent state at output time.
Outcome: Status Link shows consent + disclosure state; withdrawal propagates instantly.
Book a Voice Integrity SprintLegal / Compliance
Pain: Regulators scrutinize ambient devices; no portable proof of disclosure or retention boundaries.
Outcome: Evidence Pack captures consent + policy version at interaction time.
Book a Voice Integrity SprintProduct / Voice Platform
Pain: Users distrust sponsored suggestions; no way to prove transparency at output time.
Outcome: Disclosure is verifiable; trust signals are portable.
Book a Voice Integrity SprintSecurity / Abuse Prevention
Pain: Unauthorized purchases, child safety incidents, and device compromise need verifiable closure.
Outcome: Fail-closed enforcement with withdrawal propagation and evidence trail.
Book a Voice Integrity SprintVoice Assistant Engineering
Pain: Integrating trust gates into real-time pipelines without adding latency or complexity.
Outcome: Millisecond status check at output gate; structured fail-closed response.
Book a Voice Integrity SprintProcurement / Enterprise Partnerships
Pain: Distribution partners demand verifiable trust controls before enterprise deployment.
Outcome: Procurement-ready clause with machine-checkable status and Schedule A template.
Book a Voice Integrity SprintExternal verifiers & partners
Regulators / consumer protection
Pain: Sponsored voice outputs and ambient capture face increasing regulatory review.
Outcome: Verifier-checkable status with portable Evidence Pack for cross-agency scrutiny.
Auditors / external reviewers
Pain: Trust control evidence is locked inside proprietary systems.
Outcome: Status Link returns scope, expiry, signer, and validity without login or portal.
Consumer advocates
Pain: No way to independently verify consent or disclosure claims at interaction time.
Outcome: Portable verification surface with minimal-disclosure evidence model.
Enterprise distribution partners
Pain: Deploying third-party voice AI without verifiable trust controls creates liability.
Outcome: Contract-linked verification with fail-closed enforcement and withdrawal semantics.
Where budget comes from
Usually funded from existing trust, safety, and compliance lines — not new category spend.
Privacy/Trust controls budget
Trigger: Consent challenge, regulatory inquiry, or user trust incident
Why it fits: Portable consent verification + fail-closed enforcement reduce exposure and response cost.
Safety / child-protection controls
Trigger: Child safety incident, household authority dispute, or policy audit
Why it fits: Context-gate verification with multi-review Guardian controls for high-risk edge cases.
Legal/regulatory defensibility
Trigger: Regulatory inquiry, disclosure complaint, or litigation risk
Why it fits: Decision-time Evidence Pack with redaction matrix for privilege-safe filing.
Sponsored-experience governance
Trigger: Advertiser/partner trust requirement or disclosure compliance review
Why it fits: Verifiable disclosure state at output time with live revocation by link.
Platform risk / incident response
Trigger: Device compromise, unauthorized action, or privacy breach
Why it fits: Immediate withdrawal propagation + fail-closed enforcement across all verification points.
Procurement / enterprise distribution
Trigger: Enterprise partner trust review or distribution agreement negotiation
Why it fits: Procurement-ready clause template with machine-checkable status and SLA placeholders.
Start with one high-impact voice action class and prove trust friction reduction before expansion.
How it works (simple)
1
Define action class + scope boundaries
Consent types, context modes, jurisdictions, and evidence window.
2
Require pre-output Status gate
No Stamp, NOT_VERIFIED, or NEEDS_REFRESH → sponsored/high-impact output blocked.
3
Generate Status Link + Evidence Pack
Portable proof ships automatically at output time.
4
Apply refresh/withdraw + optional Guardian path
Consent changes, policy updates, or safety incidents trigger status changes. Guardians handle edge-case appeals.
A Global Human Layer
Our Mind Chill Guardian Story
A global human layer that software can't fake.
When liability lands on a person, the sign-off should too.
Conflict-checked · Rotation-based · Audit-traceable · Programme-scoped
When Guardians are used (only when required)
Most voice output decisions remain automated. Humans step in only where human finality is required: edge-case harm review, child safety appeals, and high-risk override disputes.
Mind Chill Guardians provide programme-scoped human finality for exception lanes only, with anti-rubber-stamp controls: conflict checks, rotation, multi-review for child safety, sampling audits, and minimal disclosure by default.
From calming minds to defending outcomes
Mind Chill began in 2017 as immersive art built to reduce anxiety and create calm at scale. Then the same feeds that buried calm and rewarded outrage started training the systems that now make real decisions. We didn't want more rhetoric. We wanted receipts.
The moment it clicked
A message arrived: someone's child felt safer because of what they experienced. Around the same time, lived experience inside our own community made one thing obvious: the nuance that matters in high-impact decisions can't be reliably reduced to a prompt. So we designed a human layer for the edge cases—structured, scope-bound, and auditable.
Guardians are not a "panel." They're a network.
Mind Chill Guardians come from different countries, backgrounds, and lived realities. That diversity is not branding—it's risk reduction. It makes decisions harder to game, easier to challenge, and more credible under scrutiny. Guardians do not "run the system." They review only what the lane requires humans to own.
Receipts over rhetoric
Operational Guardians plug into Good Proof lanes as a controlled finality mechanism: conflict checks, rotation, multi-review where required, and an audit trace tied to a Status Link. Minimal disclosure by default. If a decision is appealed months later, you can show what happened, within scope, without dumping sensitive payloads.
Scope-limited verification. Not certification. Acceptance depends on counterparty or programme requirements.
Procurement-ready clause
Template language for your legal team.
"For [High-Impact Voice Action Classes], Supplier shall issue a Good Proof Stamp prior to output. Buyer may verify status via the Status Link. Stamps returning NOT_VERIFIED, NEEDS_REFRESH, or WITHDRAWN shall block sponsored/high-impact output or escalate per programme runbooks."
Schedule A (template — programme terms)
Definitions + operating rules procurement teams can copy/paste.
1. Definitions
- High-Impact Action Class: a voice/wearable output type designated for Stamp gating (e.g., sponsored output, purchase, child-context action).
- Status Link: the verification endpoint returning validity state + scope boundaries at output time.
- Scope Boundary: the defined limits of what a Stamp covers (action class, consent type, context mode, expiry).
- Evidence Window: the time period during which supporting materials are retained for review.
- Evidence Pack: time-stamped snapshot for filing/disputes (IDA format).
2. Required states
- VALID→ may proceed within scope.
- NEEDS_REFRESH/ NOT_VERIFIED / WITHDRAWN → must block or escalate per lane rules.
- Fail-closed:timeout/unreachable ⇒ NOT_VERIFIED.
3. Withdrawal / stop-rely semantics
- WITHDRAWN is returned wherever the Status Link is checked.
- No sponsored/high-impact output may proceed on WITHDRAWN.
- Optional: programme hooks/notifications for stop-rely distribution.
4. SLA placeholders (complete per programme)
Verifier availability target: [___]%. P99 verify latency: [___] ms. WITHDRAWN propagation time: [___] seconds. Support turnaround: [___] hours.
5. Retention defaults
Evidence Pack retention: [___] days (programme-defined). Status Link availability: [___] days post-expiry. Audio excluded by default unless explicitly scoped.
Not legal advice. Template language for your legal team. Bracketed placeholders to be completed by parties in Order Form or Exhibit.
Procurement pack available: architecture summary, data handling overview, subprocessors, retention options.
What you get in 30 days
One voice/wearable action class, production-ready controls.
One voice/wearable action class defined (e.g., sponsored output, purchase)
Scope boundaries documented (consent types + context modes + jurisdictions)
Pre-output gate integrated (Status Link check at TTS/response generation)
Refresh/withdraw triggers configured
Counterparty verification route tested with validated latency budgets
One redacted IDA Evidence Pack specimen generated
Go/no-go rollout recommendation
Due Diligence FAQs
No Stamp → No Speak.
Make voice and wearable AI outputs verifiable, consent-bound, and revocable by link.
Scope-limited verification. Not certification. Acceptance depends on counterparty or programme requirements.