QODIQA Residual Risk and
Assumption Disclosure Annex

#Executive Disclosure Statement

QODIQA is a deterministic runtime consent boundary enforcement layer for artificial intelligence systems. The following declarations constitute the authoritative characterisation of the standard and supersede any contrary representation in promotional, marketing, or secondary materials.

#Foundational Assumptions Register

QODIQA's deterministic enforcement properties hold only when the following assumptions are satisfied. Each assumption is accompanied by its failure mode and systemic consequence. Implementors bear responsibility for ensuring these assumptions hold within their operational environment.

#Deterministic Scope Boundary

The term deterministic runtime consent enforcement as used in the QODIQA standard has a precise and bounded meaning. This section defines that meaning and explicitly delineates what it does not encompass.

#Residual Technical Risk Surfaces

The following risk surfaces persist under conditions of perfect QODIQA implementation, perfect conformance, and perfect policy encoding. They are structural properties of the threat environment that QODIQA does not and cannot address.

Risk bands are assigned as follows: Critical - systemic failure with no internal mitigation pathway; High - significant impact, partial mitigation possible through external controls; Medium - meaningful but contained impact; Low - limited scope.

#Regulatory Interpretation Risk

QODIQA maintains a Regulatory Alignment Matrix that maps control points to provisions of GDPR, the EU AI Act, NIST AI RMF, and other frameworks. The following disclosures govern how that alignment matrix must and must not be interpreted.

4.1QODIQA Does Not Constitute Legal Compliance

The QODIQA Regulatory Alignment Matrix maps technical controls to regulatory provisions. This mapping does not constitute a legal determination that an organisation implementing QODIQA is compliant with any cited regulation. Legal compliance requires assessment by qualified legal counsel with jurisdiction-specific expertise. The alignment matrix is a technical reference instrument, not a legal opinion.

4.2QODIQA Does Not Substitute for Legal Counsel

No provision of the QODIQA standard, including this annex, constitutes legal advice. Organisations using QODIQA alignment documentation in regulatory submissions, compliance certifications, or legal proceedings do so at their own risk and must obtain independent legal review of such submissions.

4.3Jurisdictional Divergence

The regulatory landscape for AI governance is evolving at different rates across jurisdictions. Requirements under the EU AI Act do not necessarily correspond to requirements under US federal frameworks, national UK regulations, or emerging frameworks in other jurisdictions. The QODIQA alignment matrix reflects the state of regulation as understood at the time of document issuance. It does not predict, anticipate, or account for regulatory amendments, new guidance documents, or enforcement decisions issued after the document date.

4.4Regulatory Interpretation Variance

Regulatory authorities may interpret the provisions of AI governance frameworks differently from the interpretations reflected in the QODIQA alignment matrix. Enforcement actions, supervisory guidance, and judicial decisions may clarify or alter the requirements attributed to specific provisions. QODIQA alignment with a regulatory provision as documented does not guarantee that a supervising authority will reach the same interpretive conclusion.

#Organizational Risk Dependencies

QODIQA's technical controls are necessary but not sufficient conditions for effective consent enforcement. The following organisational capabilities must be maintained by the deploying entity. Absence or degradation of these capabilities constitutes residual risk that QODIQA cannot compensate for at the technical layer.

5.1Governance Maturity

Effective deployment of QODIQA requires a functioning governance structure capable of making, recording, and communicating policy decisions. Organisations with immature governance - undefined ownership, inconsistent approval processes, or absent policy review cycles - will produce unreliable consent policies regardless of the technical enforcement precision of the QODIQA layer.

5.2Internal Policy Hygiene

Consent policies must be reviewed on a defined cycle to remain current with changing operational requirements, regulatory developments, and model capability changes. Policy rot - the accumulation of stale, contradictory, or abandoned consent records - creates a surface for both unintended permissions and unintended restrictions. QODIQA enforces policy as encoded; it does not identify policy that has become obsolete.

5.3Incident Response Capability

Detection and response to enforcement anomalies, suspected bypass events, and audit log integrity failures require a functioning incident response capability. QODIQA generates the audit record and enforcement signals. Acting on those signals, investigating anomalies, and executing remediation procedures are organisational responsibilities.

5.4Audit Discipline

The value of QODIQA's tamper-evident logging is realised only if logs are reviewed on a defined schedule by personnel with the authority and competence to act on their findings. An unread audit log provides no protective value.

5.5Key Rotation Practices

Cryptographic key material used in QODIQA enforcement flows must be rotated at defined intervals and immediately upon any suspected compromise. Organisations that do not maintain a documented and practiced key rotation programme degrade the cryptographic assurance of the enforcement layer over time.

5.6Personnel Competence and Continuity

Correct configuration, maintenance, and operation of QODIQA deployments requires personnel with appropriate technical competence. Staff turnover, knowledge transfer failures, and inadequate training create operational risk that manifests as misconfiguration, policy errors, or delayed incident response.

#Non-Coverage Declaration

The following domains are explicitly and entirely outside the scope of QODIQA. No provision of the QODIQA standard, and no implementation conformant with it, provides coverage in these areas. This declaration is not a statement of future roadmap. These domains are structurally distinct from boundary enforcement and are not subject to expansion into QODIQA scope.

#Cryptographic Assumption Disclosure

QODIQA's enforcement integrity depends on cryptographic primitives. The security of the standard is computationally bounded, not unconditional. The following disclosures govern the cryptographic trust basis of QODIQA.

7.1Dependence on Cryptographic Primitives

QODIQA relies on hash functions, digital signature algorithms, and authenticated encryption schemes as specified in the Security and Cryptographic Profile. The integrity guarantees provided by QODIQA - including consent attestation, token non-repudiation, and log tamper evidence - are conditional on these primitives remaining computationally infeasible to break under current and near-term adversary capabilities.

7.2Risk of Future Cryptanalytic Breakthrough

Mathematical advances may render currently approved cryptographic primitives insecure before end-of-life dates assigned by standards bodies. Such advances may occur without warning and may pre-date their public announcement by adversaries with classified research capabilities. QODIQA does not provide a mechanism for detecting cryptographic compromise after the fact; the audit record itself would be untrustworthy if the underlying cryptographic primitives were broken.

7.3Quantum Threat Exposure

Current QODIQA cryptographic specifications use algorithms based on the hardness of problems assumed to be computationally infeasible for classical computers. Sufficiently capable quantum computing systems would break widely deployed asymmetric cryptographic algorithms including RSA and elliptic curve schemes. The timeline for such capability remains uncertain. Organisations operating under long-term security requirements should monitor NIST Post-Quantum Cryptography standardisation outputs and assess migration requirements accordingly. QODIQA will issue post-quantum migration guidance under formal change control when relevant standards are ratified.

7.4Key Custody Exposure

The security of QODIQA's cryptographic layer is bounded by the security of key management practices. Keys held in software-only key stores, shared across environment boundaries, or managed without hardware security module controls are materially more exposed than keys managed under high-assurance key custody procedures. QODIQA specifies minimum key management requirements; organisations that fail to implement them degrade the cryptographic assurance of their deployment below the standard's stated security model.

7.5Implementation Flaw Exposure

Correct selection of cryptographic algorithms does not ensure correct implementation. Side-channel vulnerabilities, padding oracle attacks, timing attacks, and random number generator weaknesses have historically compromised otherwise sound cryptographic designs in their implementation. QODIQA does not certify the implementation quality of cryptographic libraries used by conformant deployments.

#Operational Misuse Risk

QODIQA may be misconfigured, partially deployed, or misrepresented in ways that produce either inadequate enforcement or false confidence in enforcement coverage. The following misuse scenarios are identified as material risks arising from operational rather than adversarial sources.

8.1Improper Policy Configuration

Consent policies encoded with ambiguous scope parameters, incorrect principal bindings, or missing temporal constraints may produce enforcement decisions that do not reflect the intent of the consenting principal. QODIQA enforces policy as encoded. Garbage-in-garbage-out failure modes apply: technically correct enforcement of incorrect policy produces incorrect outcomes.

8.2Over-Restrictive Enforcement Blocking

Overly conservative policy encoding may block legitimate requests and create operational friction that incentivises bypass, shadow deployment, or informal workarounds. Organisations that respond to over-restrictive enforcement by routing around the QODIQA layer create the very bypass surfaces that enforcement is intended to prevent.

8.3Under-Restrictive Enforcement

Permissive policy encoding, broad scope parameters, or absent expiry controls may result in consent records that provide effective permission to all requests. An enforcement layer that permits everything provides no enforcement value and creates false confidence in governance coverage.

8.4Shadow Deployments

Organisational units or teams that deploy AI capabilities outside the QODIQA enforcement perimeter create unmonitored execution surfaces. Such deployments may occur deliberately, through ignorance of the enforcement requirement, or through procurement of third-party AI services that bypass the enforcement gateway. Shadow deployments are not detectable by QODIQA; they require organisational controls including procurement governance and network access controls.

8.5Partial Implementation Represented as Full Conformance

Implementation of a subset of QODIQA control points, followed by public representation as QODIQA-conformant, constitutes a misuse of the standard. Partial conformance provides partial protection and partial compliance evidence. It does not constitute the assurance level associated with full conformance. The QODIQA Certification Framework specifies conformance tiers; representations must accurately reflect the tier achieved.

8.6Delegation Misuse

Delegation chains in QODIQA allow principals to delegate enforcement authority to agents. Improperly scoped delegations, expired delegations not removed from the registry, or delegation to untrusted agents create authority transfer paths that were not intended by the original principal.

#Abuse and Adversarial Exploitation Scenarios

The following scenarios represent deliberate attempts to defeat or circumvent QODIQA enforcement. Detection limits are noted where relevant.

9.1Direct Model Access Bypass

An adversary with credentials or network access sufficient to reach the AI execution environment directly - bypassing the QODIQA enforcement gateway - may interact with the model without any consent evaluation occurring. This attack surface requires operational controls at the infrastructure layer. QODIQA cannot detect bypass events that do not traverse the enforcement boundary; no log entry is generated for requests that circumvent the enforcement layer entirely.

9.2Token Replay

A valid, unexpired enforcement token that was legitimately issued for one purpose may be replayed by an adversary for a different purpose if token scope binding is insufficiently specific or if token revocation is not enforced at verification time. Token replay attacks result in QODIQA treating replayed requests as legitimate. Detection requires log analysis to identify statistically anomalous token usage patterns; QODIQA does not implement automated replay detection as a default control point.

9.3Registry Tampering

An adversary with write access to the consent registry may modify, delete, or insert consent records to expand or restrict permitted execution scope. Such tampering would cause subsequent enforcement decisions to be made against altered policy, with no indication at the enforcement layer that the registry has been modified. Log immutability and registry integrity monitoring are required compensating controls.

9.4Log Suppression

An adversary with access to the logging pipeline may suppress, delete, or alter enforcement log records. If log suppression is achieved before cryptographic commitment of log entries, the tamper-evidence property of the audit trail is defeated. Post-commitment suppression is detectable through log gap analysis if an independent record of expected log entry volume is maintained. QODIQA specifies log integrity requirements; their effectiveness depends on implementation and monitoring discipline.

9.5Cross-Domain Request Smuggling

An adversary may craft requests that are evaluated by the enforcement layer as belonging to a permitted scope category while being processed by the model as belonging to a different category. This attack exploits differences between the metadata evaluated by the enforcement layer and the semantic content interpreted by the model. QODIQA evaluates consent based on request metadata and scope parameters; it does not perform semantic analysis of request content.

9.6Identity Claim Forgery

Forgery of principal identity claims at the enforcement boundary results in consent evaluation being performed against the wrong principal's consent record. Effective detection requires cryptographic identity binding and the integrity of the key management infrastructure. An adversary able to forge valid cryptographic credentials defeats identity binding entirely.

9.7Detection Limits

QODIQA's detection capabilities are bounded by the enforcement boundary. Events that occur outside that boundary, attacks that achieve access below the enforcement layer, and bypass events that produce no enforcement-layer artefacts are not detectable by QODIQA. External monitoring, network anomaly detection, and independent audit of AI system usage patterns are required to identify exploitation scenarios that operate outside QODIQA's observation horizon.

#Residual Societal Risk

This section addresses the scope of risk that persists at a societal level even under conditions of universal QODIQA adoption with full conformance.

10.1AI Misuse Risk Persists

AI systems may be misused within the scope of consent that has been granted. A principal who consents to broad AI-enabled processing retains the ability to direct that processing toward harmful ends. QODIQA enforces that the processing occurred within consented scope; it does not evaluate whether the consented scope was appropriate or whether the consented use is harmful.

10.2Model Misuse Risk Persists

AI models with the capacity to produce harmful outputs - disinformation, manipulation, dual-use content - retain that capacity when operated within QODIQA-enforced consent boundaries. The enforcement layer governs access; it does not govern capability. Harmful outputs produced within consented scope are not addressed by QODIQA.

10.3Strategic AI Competition Risk Persists

The deployment of AI systems in strategic competition between state and non-state actors involves risk surfaces - capability asymmetry, surveillance infrastructure, autonomous decision systems, information operations - that are not addressed by consent boundary enforcement. These risks require responses at levels of governance, international coordination, and policy that are beyond the scope of any technical standard.

10.4Consent Framework Limitations at Scale

Consent as a governance mechanism has known limitations at population scale. Informed consent requires genuine understanding of the consequences of the decision being made. At scale, the cognitive demands of evaluating AI consent decisions may exceed practical human capacity, consent may be aggregated and transferred in ways that no longer reflect individual intent, and the power asymmetry between consent-requesting entities and consenting individuals may render consent formally valid but substantively non-autonomous. QODIQA enforces the technical expression of consent; it does not resolve these structural challenges in consent theory.

10.5Coordination Failure Risk

Jurisdictions, organisations, and actors that do not adopt QODIQA or equivalent standards create unmonitored AI execution environments that represent potential competitive advantages for actors willing to operate without consent boundaries. Partial adoption of consent enforcement standards does not eliminate the incentive for non-adopting actors to exploit the absence of constraints.

#No Guarantee Clause

11.1Scope of the No Guarantee Clause

The no guarantee clause applies to all representations of QODIQA made by: the issuing authority; implementing organisations; certification bodies issuing QODIQA conformance certificates; regulatory bodies citing QODIQA conformance as evidence of compliance; and any third party characterising QODIQA capabilities in any medium.

11.2What QODIQA Does Provide

QODIQA provides a structured, auditable, cryptographically attested boundary enforcement mechanism. Within the scope of that mechanism - and subject to the assumptions enumerated in Section 1 - QODIQA provides deterministic enforcement decisions, tamper-evident audit records, and a conformance framework for third-party assessment. These properties are bounded by the technical and operational conditions set forth in this annex.

11.3Liability Disclaimer

The QODIQA standard is issued as a technical reference framework. The issuing authority makes no warranty, express or implied, regarding the fitness of QODIQA for any particular purpose, its effectiveness against any specific threat, or its sufficiency for any regulatory requirement. Organisations implementing QODIQA bear full responsibility for the adequacy of their implementation, the correctness of their policy configuration, and the completeness of their governance arrangements.

#Transparency Commitment Statement

The QODIQA issuing authority commits to the following transparency obligations with respect to the disclosures contained in this annex. These commitments are normative and are subject to oversight under the QODIQA Governance Charter.

12.1Periodic Risk Re-Evaluation

The assumption register, residual risk surfaces, and non-coverage declarations in this annex will be reviewed at intervals not exceeding twelve months from the date of issuance, and additionally upon: any material change to the QODIQA core specification; any significant development in the AI threat landscape that materially alters the risk assessment; any cryptographic standard deprecation affecting the primitives used in QODIQA deployments; and any regulatory development that materially alters the interpretive risk described in Section 4.

12.2Versioned Disclosure Updates

All revisions to this annex will be issued as versioned documents under the QODIQA document identifier scheme. Revision history will be maintained and publicly accessible. Prior versions will be retained in the document archive. No version of this annex will be suppressed, and no revision will reduce the scope or rigor of the disclosures without publication of a formal rationale under the Governance Charter change process.

12.3Formal Change Control

Amendments to this annex are subject to the change control procedures defined in the QODIQA Governance Charter v2.0. All proposed revisions must pass the designated review process. Emergency revisions - required in response to a critical security finding - follow the expedited process defined in the Governance Charter and are subject to retroactive formal review.

12.4Publicly Documented Assumption Revisions

If a foundational assumption in Section 1 is revised - whether because the assumption has been strengthened by new technical controls, weakened by new threat intelligence, or determined to be invalid in specific deployment contexts - the revision will be publicly documented with a rationale explaining the change and its implications for existing QODIQA conformant deployments.

12.5Disclosure of Known Limitation Instances

If the QODIQA issuing authority becomes aware of a confirmed exploitation of a residual risk surface identified in this annex, or a failure mode in a foundational assumption that has materially impacted a conformant deployment, the issuing authority will issue a formal advisory under the QODIQA advisory process. Such advisories will not identify affected organisations without consent but will provide sufficient technical detail for the broader implementing community to assess their own exposure.

#Closing Statement

The QODIQA standard is a technical instrument of bounded scope. Its value lies in what it precisely and reliably delivers: deterministic, auditable, cryptographically attested consent boundary enforcement at the AI execution layer. That value is best protected by accurate characterisation of its limits.

Organisations, regulators, and auditors who treat this annex as a constraint on QODIQA's utility misunderstand the function of disclosure. Accurate scope definition does not diminish the value of deterministic enforcement; it locates that value correctly within a broader architecture of AI governance in which QODIQA is one necessary component among several.

• QODIQA enforces consent boundaries. It does not resolve the harder problems of AI governance.
• The harder problems of AI governance remain open. They require different instruments.
• This annex documents both what QODIQA addresses and what it does not. Both are required for honest assessment.

#Document Status and Classification