QODIQA — Worked Example: End-to-End Enforcement Scenario

Purpose & Scope

This document traces a single AI action request — an AI diagnostic assistant reading a patient's longitudinal record on a clinical data platform — through every stage of QODIQA enforcement: intent declaration, consent resolution, policy evaluation, decision artifact production, execution gating, and mid-session revocation. All values shown are concrete. The scenario is designed to be complete enough that an engineer who has never read the Core Standard can identify, from this document alone, exactly what must be built and in what sequence. This is a normative illustrative document; it does not introduce requirements beyond those defined in the Core Standard and the 68-Point Enforcement Framework.

Section 1

#Scenario Setup

Before tracing the enforcement flow, it is necessary to establish the deployment context, the actors involved, the state of the consent registry at the time of the request, and the active policy version. These are not background details; they are the concrete inputs that QODIQA will consume. Every enforcement decision in this scenario is fully determined by this initial state.

1.1 Platform and Actors

Deployment Context

NeuraPath Health operates a clinical decision-support platform that uses an AI model (dx-assistant-v3) to analyze longitudinal patient records and surface diagnostic patterns for reviewing clinicians. The platform processes data under GDPR Article 9 (sensitive health data) and is subject to internal NeuraPath data governance policy NPGOV-CLINICAL-2026-003.

QODIQA is deployed as an enforcement sidecar between the application tier and the model execution layer. Every request from any AI component must pass through QODIQA before the model receives data. The enforcement layer runs in strict fail-closed mode: any error, timeout, or missing field produces an unconditional DENY.

Requesting Actor actor:dx-assistant-v3 AI diagnostic assistant. Authorized to read clinical records for purpose dx_analysis only.

Data Subject patient:PT-00441 Elena Marin, adult patient. Has an active consent record for AI-assisted diagnostics.

Reviewing Clinician user:clinician-DR-IONESCU Dr. Radu Ionescu. Initiated the diagnostic session at 09:14 UTC. Not a QODIQA actor; operates downstream of enforcement.

QODIQA Policy NPGOV-CLINICAL-2026-003 · v7 Immutable published policy version active at the time of this session.

1.2 Consent Registry State at T₀

The following consent record for patient PT-00441 exists in the Consent Registry at session start. This record was issued at T₀ − 14 days, when the patient signed the NeuraPath digital consent form for AI-assisted diagnostics. It has not been modified since.

Consent Record — as stored in Consent Registry

consent_registry · record: CNST-PT00441-DX-2026 consent_id: "CNST-PT00441-DX-2026"
subject_id: "patient:PT-00441"
granted_to: "actor:dx-assistant-v3"
purpose: "dx_analysis"
data_categories: [
  "clinical.longitudinal_record",
  "clinical.lab_results",
  "clinical.imaging_metadata"
]
jurisdiction: "EU-RO"
valid_from: "2026-03-24T00:00:00Z"
valid_until: "2026-09-24T23:59:59Z"
revoked: false
revocation_ts: null
issuer_sig: "sha256:a3f9c...d82e1" // cryptographic binding to NeuraPath CA

Scope Boundary

This consent record grants actor:dx-assistant-v3 access to three specific data categories for the single purpose dx_analysis. It does not extend to research, billing, training, or any secondary use. QODIQA does not infer scope; any request for a data category or purpose not listed here will be denied at the consent resolution stage regardless of what policies say.

1.3 Active Policy Version

Policy NPGOV-CLINICAL-2026-003 · v7 was published and frozen on 2026-04-01. It cannot be modified. If NeuraPath's governance team needs to change any condition, they must publish v8, which will apply only to requests submitted after v8 becomes active. The version applied to this request will be permanently recorded in the decision artifact.

Policy NPGOV-CLINICAL-2026-003 · v7 — Key Conditions

Condition	Required Value	Failure Behavior
Purpose must be	`dx_analysis`	DENY — purpose mismatch
Actor must be	registered in actor registry, role `ai-model.clinical`	DENY — actor not authorized
Jurisdiction must be	`EU-RO` or `EU-*`	DENY — jurisdiction out of scope
Data categories	Must be subset of consent-granted categories	DENY — category not consented
Consent state	GRANTED · not expired · not revoked	DENY — consent invalid
Session window	Request must arrive within active clinical session	ALLOW-WITH-RESTRICTIONS: flag for clinician review
Data output restriction	Model output must not include raw identifiers	Restriction propagated to execution layer

Stage 1

#Intent Declaration

Stage 1 of 6 DecisionRequest — Closed Contract Submission T = 09:14:32Z

The diagnostic session has opened. Dr. Ionescu's interface requests that the AI assistant analyze PT-00441's longitudinal record for a potential metabolic diagnosis. The application tier constructs and submits a DecisionRequest to QODIQA. This is the first contact with the enforcement layer.

The DecisionRequest is the only input QODIQA accepts. It is a closed, immutable contract: once submitted, none of its fields can be modified, extended, or supplemented. If the application needs to change any field, it must submit a new request. There is no mechanism to amend a request in flight.

DecisionRequest — submitted at 09:14:32.041Z

request_id: DRQ-20260407-004411 request_id: "DRQ-20260407-004411"
submitted_at: "2026-04-07T09:14:32.041Z"
actor_id: "actor:dx-assistant-v3"
action: "read.longitudinal_record"
purpose: "dx_analysis"
data_subjects: ["patient:PT-00441"]
data_categories: [
"clinical.longitudinal_record",
"clinical.lab_results"
]
jurisdiction: "EU-RO"
session_id: "SES-20260407-DR-IONESCU-0091"
policy_version: "NPGOV-CLINICAL-2026-003:v7"
request_hash: "sha256:b7d2f4...a9c310" // computed over all fields above

QODIQA immediately validates the structural completeness of the request. It verifies that all required fields are present, that no unknown fields have been injected, that the request hash matches the field content, and that the policy_version field references a known, published, and active policy document. This validation is purely structural: QODIQA does not yet know whether the request will be allowed.

Intent Declaration — Field Annotations

Field	Value	Enforcement Significance
request_id	`DRQ-20260407-004411`	Globally unique. Will appear in the decision artifact and all downstream audit records. Enables trace-to-origin without ambiguity.
actor_id	`actor:dx-assistant-v3`	Identifies the acting AI model. QODIQA will verify this against the actor registry and the consent record's `granted_to` field.
action	`read.longitudinal_record`	Specifies the operation type. Policy conditions may restrict which actions are permitted for a given purpose. This is not free-text; it must match an enumerated action type.
purpose	`dx_analysis`	The declared purpose of the action. Must exactly match the `purpose` field in the consent record. A different purpose — even a plausible one like `quality_review` — would cause a DENY.
data_categories	`clinical.longitudinal_record`, `clinical.lab_results`	The two categories requested. Note that `clinical.imaging_metadata` is also in the consent record but is not requested here. The request need not exhaust the consented scope; it must only stay within it.
jurisdiction	`EU-RO`	Matches the consent record and falls within the policy's accepted jurisdiction set. A mismatch here would be a DENY regardless of consent state.
policy_version	`NPGOV-CLINICAL-2026-003:v7`	The caller explicitly declares which policy version governs this request. QODIQA will evaluate against exactly this version. If v8 is published tomorrow, past decisions are not retroactively affected.
request_hash	`sha256:b7d2f4...a9c310`	A SHA-256 digest of all fields. QODIQA recomputes this hash independently; a mismatch indicates tampering or transmission corruption and results in an immediate DENY with error code `E-HASH-MISMATCH`.

PASS Structural validation succeeded at 09:14:32.043Z. Request hash verified. All required fields present. Policy version NPGOV-CLINICAL-2026-003:v7 confirmed active. Request contract frozen. Proceeding to consent resolution.

Stage 2

#Consent Resolution

Stage 2 of 6 Consent Registry Lookup — Explicit State Resolution T = 09:14:32.043Z

QODIQA queries the Consent Registry to resolve the consent state for the data subject identified in the request. Consent resolution is completely separate from policy evaluation. Policies do not know about consent; they only see the resolved consent state as a frozen input.

QODIQA performs a deterministic lookup against the Consent Registry using three keys derived from the request: data_subject, actor_id, and purpose. The lookup is exact-match only. There is no fuzzy matching, no inheritance from parent records, and no cross-purpose resolution. Either a record exists for this exact combination, or it does not.

If the registry is unavailable — network timeout, service error, or degraded response — QODIQA does not wait and does not retry beyond a single bounded timeout. It issues an immediate fail-closed DENY with reason code E-CONSENT-STORE-UNAVAILABLE and records a failure artifact. This is not an error state requiring manual intervention; it is the correct behavior.

Consent Resolution — lookup parameters

// Parameters derived from the frozen DecisionRequest
subject_id: "patient:PT-00441"
actor_id: "actor:dx-assistant-v3"
purpose: "dx_analysis"
eval_time: "2026-04-07T09:14:32.043Z" // evaluation timestamp, frozen

The registry returns record CNST-PT00441-DX-2026. QODIQA now performs four sequential checks. All four must pass; failure at any point terminates consent resolution with DENY.

Consent Validation Checks — executed in sequence

#	Check	Test	Result
1	Record exists	Registry returned a non-null record for the lookup keys.	PASS
2	Not revoked	`revoked == false` and `revocation_ts == null`.	PASS
3	Within validity window	`valid_from (2026-03-24) ≤ eval_time (2026-04-07) ≤ valid_until (2026-09-24)`.	PASS
4	Requested categories within consent scope	Both `clinical.longitudinal_record` and `clinical.lab_results` appear in `data_categories` of the consent record.	PASS

All four checks pass. QODIQA freezes the consent state as a named reference. This snapshot is immutable: if the patient revokes consent one second later, it will not change the outcome of this evaluation. It will, however, affect the very next request — which is described in Stage 6.

Resolved Consent State — frozen at 09:14:32.051Z

consent_ref: "CNST-PT00441-DX-2026"
state: "GRANTED"
resolved_at: "2026-04-07T09:14:32.051Z"
scope_confirmed: [
"clinical.longitudinal_record",
"clinical.lab_results"
]
issuer_sig_valid: true // cryptographic binding to NeuraPath CA verified

GRANTED Consent resolved as GRANTED at 09:14:32.051Z. Frozen state reference: CNST-PT00441-DX-2026. Proceeding to policy evaluation. Consent state is now immutable input; it will not be re-queried during this evaluation.

QODIQA does not verify the legal sufficiency of a consent record; it verifies its structural validity and scope alignment. Legal sufficiency is a governance concern addressed upstream of QODIQA.

The issuer signature check verifies that the consent record was created by an entity holding the NeuraPath CA private key. It does not verify the content of the patient's informed consent disclosure, which is a human-layer concern.

Stage 3

#Policy Evaluation

Stage 3 of 6 Policy Engine — Deterministic Evaluation Against Frozen Context T = 09:14:32.051Z

The policy engine receives two immutable inputs: the frozen DecisionRequest and the frozen consent state. It evaluates every condition in policy version NPGOV-CLINICAL-2026-003:v7 against this context. No external state is read during evaluation. The engine is a pure function.

Policy evaluation in QODIQA is not a reasoning process. The engine does not interpret, infer, or exercise judgment. It evaluates a finite set of declared conditions against a frozen context and produces exactly one outcome. Given the same inputs, it will always produce the same output — this is the determinism guarantee.

The evaluation context is fully captured at the moment evaluation begins. This means the context is impervious to race conditions, concurrent updates, or the passage of time during evaluation. The world that the policy engine sees is the world as it existed at 09:14:32.051Z.

Evaluation Context — frozen at evaluation entry

// This is the complete and immutable context for this evaluation.
// Nothing outside this structure is read during policy evaluation.

request: {
  actor_id: "actor:dx-assistant-v3",
  action: "read.longitudinal_record",
  purpose: "dx_analysis",
  data_categories: ["clinical.longitudinal_record", "clinical.lab_results"],
  jurisdiction: "EU-RO",
  session_id: "SES-20260407-DR-IONESCU-0091"
},
consent: {
  state: "GRANTED",
  consent_ref: "CNST-PT00441-DX-2026"
},
policy_version: "NPGOV-CLINICAL-2026-003:v7",
eval_timestamp: "2026-04-07T09:14:32.051Z"

The engine evaluates each policy condition in order. Conditions are stateless predicates. The table below shows the evaluation trace — the complete sequence of conditions tested, the test result for each, and the engine's running state.

Policy Evaluation Trace — NPGOV-CLINICAL-2026-003:v7

Condition	Test	Result
C-01 Purpose matches policy scope	`purpose == "dx_analysis"`	PASS
C-02 Actor is authorized for this purpose	Actor registry confirms `dx-assistant-v3` holds role `ai-model.clinical` with `dx_analysis` authorization.	PASS
C-03 Jurisdiction within accepted range	`jurisdiction "EU-RO"` matches policy's `EU-*` wildcard.	PASS
C-04 Consent state is GRANTED	`consent.state == "GRANTED"`. Policy does not re-query the registry; it reads the frozen state.	PASS
C-05 Requested categories within consented scope	Both requested categories were confirmed in the frozen consent scope. Policy validates this was done before it received control.	PASS
C-06 Request within active clinical session	Session `SES-20260407-DR-IONESCU-0091` is active in session registry at eval time. Request is within session window.	PASS
C-07 Output restriction — no raw identifiers	Condition passes but adds a restriction: model output must pass through the de-identification filter before being returned to the application tier. This does not block execution; it constrains it.	RESTRICT

Conditions C-01 through C-06 all pass without restriction. Condition C-07 introduces an output restriction. This restriction does not change the top-level outcome from ALLOW; it modifies the terms of the allow. The restriction is encoded into the decision artifact and propagated to the execution layer, which is responsible for enforcing it operationally.

ALLOW-WITH-RESTRICTIONS Policy evaluation completed at 09:14:32.058Z. All mandatory conditions satisfied. Restriction R-01 applies: model output must pass through de-identification filter deid-filter-v2 before surface to application tier.

Stage 4

#Decision Artifact Production

Stage 4 of 6 Immutable Decision Artifact — Creation and Storage T = 09:14:32.058Z

The enforcement engine produces a Decision Artifact — a permanent, immutable record of the complete enforcement decision. This artifact is created before execution begins. It captures every input, every evaluation result, and the final outcome. Once written, it cannot be modified by any system component.

The Decision Artifact is the foundational unit of QODIQA's accountability model. It is not a log entry; it is a structured, cryptographically bound record that makes the enforcement decision independently verifiable. Given this artifact and the policy document it references, any auditor can replay the decision and confirm it is correct — without access to the production enforcement system, without access to the Consent Registry, and without any contextual interpretation.

Decision Artifact — DA-20260407-004411 · created at 09:14:32.058Z

decision_artifact · id: DA-20260407-004411 artifact_id: "DA-20260407-004411"
request_id: "DRQ-20260407-004411" // trace link to originating request
created_at: "2026-04-07T09:14:32.058Z"

// ── OUTCOME ──────────────────────────────────────────────────
outcome: "ALLOW-WITH-RESTRICTIONS"
restrictions: [{
  id: "R-01",
  description: "Output must pass through deid-filter-v2 before surface",
  enforced_by: "execution-layer"
}]

// ── POLICY ───────────────────────────────────────────────────
policy_version: "NPGOV-CLINICAL-2026-003:v7"
policy_hash: "sha256:f3a1b9...c04d72" // hash of the immutable policy document

// ── CONSENT ──────────────────────────────────────────────────
consent_ref: "CNST-PT00441-DX-2026"
consent_state_at_eval: "GRANTED"
consent_scope_used: [
  "clinical.longitudinal_record",
  "clinical.lab_results"
]

// ── REQUEST SNAPSHOT ─────────────────────────────────────────
request_snapshot: {
  actor_id: "actor:dx-assistant-v3",
  action: "read.longitudinal_record",
  purpose: "dx_analysis",
  data_subjects: ["patient:PT-00441"],
  jurisdiction: "EU-RO",
  session_id: "SES-20260407-DR-IONESCU-0091",
  submitted_at: "2026-04-07T09:14:32.041Z",
  request_hash: "sha256:b7d2f4...a9c310"
},

// ── EVALUATION TRACE ─────────────────────────────────────────
condition_results: [
  { condition: "C-01", result: "PASS" },  { condition: "C-02", result: "PASS" },  { condition: "C-03", result: "PASS" },
  { condition: "C-04", result: "PASS" },  { condition: "C-05", result: "PASS" },  { condition: "C-06", result: "PASS" },
  { condition: "C-07", result: "RESTRICT", restriction_id: "R-01" }
],

// ── INTEGRITY ────────────────────────────────────────────────
enforcement_latency_ms: 17,
artifact_hash: "sha256:e8c3a1...7f2d90" // computed over all fields above; immutable

Why the Artifact Hash Matters

The artifact_hash is computed over every field in the artifact, including the evaluation trace and the request snapshot. If any field is altered after creation — even a single character — the hash will not match. An auditor who independently computes the hash and finds a mismatch knows the artifact has been tampered with. This property makes the audit trail tamper-evident without requiring a blockchain or distributed ledger: the hash itself is the proof.

Stage 5

#Execution Gate

Stage 5 of 6 Decision Emission and Execution Layer Response T = 09:14:32.062Z

QODIQA emits the enforcement decision to the application tier. The application tier's execution layer reads the outcome and acts accordingly. QODIQA's responsibility ends at emission. The execution layer owns enforcement of the restriction.

QODIQA emits a structured enforcement response to the application tier. The response is minimal: it contains the outcome, the artifact reference, and the restrictions. It does not contain raw data, model outputs, or any content from the clinical record. QODIQA does not touch data; it governs access to it.

Enforcement Response — emitted to application tier at 09:14:32.062Z

outcome: "ALLOW-WITH-RESTRICTIONS"
artifact_ref: "DA-20260407-004411"
restrictions: [{
  id: "R-01",
  filter: "deid-filter-v2",
  apply_to: "model.output"
}]
emit_timestamp: "2026-04-07T09:14:32.062Z"

The execution layer receives this response and proceeds as follows: it loads patient PT-00441's longitudinal record and lab results from the data store, passes them to dx-assistant-v3 for analysis, intercepts the model output before returning it to Dr. Ionescu's interface, applies deid-filter-v2 to strip any raw patient identifiers from the output, and delivers the filtered result to the clinical interface. The artifact reference DA-20260407-004411 is logged by the execution layer alongside the session record, creating a traceable link between the governance decision and the operational action.

At this point, the happy-path scenario is complete. Total enforcement latency from request submission to decision emission: 21 milliseconds. The patient has not been inconvenienced. Dr. Ionescu has received a de-identified diagnostic analysis. The enforcement decision is permanently recorded and independently verifiable.

What QODIQA did not do

QODIQA did not access the patient record. It did not read the model output. It did not apply the de-identification filter. It did not assess whether the diagnostic analysis was clinically appropriate. These are all outside QODIQA's scope. QODIQA's only concern was whether the request to access the data was authorized. The answer was yes, with a restriction — and that answer is now permanently provable.

Stage 6

#Mid-Session Revocation

Stage 6 of 6 Patient Revocation — Mid-Session Consent Withdrawal T = 09:22:17Z

Eight minutes after the first request was authorized, patient PT-00441 contacts NeuraPath's patient portal and withdraws consent for AI-assisted diagnostics. The revocation is processed immediately. A second AI request arrives seven seconds later, from the same actor, for the same patient, for the same purpose. The outcome is completely different.

7.1 The Revocation Event

At 09:22:17Z, the NeuraPath patient portal receives a consent withdrawal request from Elena Marin. The portal's consent management service writes a revocation update to the Consent Registry immediately. The update is atomic: the registry transitions from the existing record to a revoked state in a single operation.

Consent Registry — record state after revocation at 09:22:17.339Z

consent_id: "CNST-PT00441-DX-2026"
subject_id: "patient:PT-00441"
granted_to: "actor:dx-assistant-v3"
purpose: "dx_analysis"
revoked: true
revocation_ts: "2026-04-07T09:22:17.339Z"
revocation_reason: "patient_withdrawal" // written by consent management service

The revocation does not affect past decisions. Decision Artifact DA-20260407-004411, which authorized the 09:14 request, remains valid and correct. Its consent state was resolved at 09:14:32.051Z, at which point the record was not revoked. The artifact truthfully records what was true at that moment, and that truth does not change retroactively. This is a foundational property of QODIQA's architecture: decisions are facts about a point in time, not claims about the world today.

7.2 The Next Request — Instant Denial

At 09:22:24Z — seven seconds after revocation — the clinical interface attempts a second AI read request. Dr. Ionescu's session is still active. The application tier constructs a new DecisionRequest, structurally identical to the first except for a new request ID and timestamp. It is submitted to QODIQA.

09:14:32Z

First request authorized. Decision Artifact DA-20260407-004411 produced. Execution proceeds with restriction R-01.

09:22:17Z — Revocation

Patient PT-00441 withdraws consent via patient portal. Consent Registry updated atomically. CNST-PT00441-DX-2026 marked revoked.

09:22:24Z — DENY

Second request submitted. Consent resolution fails at check #2: revoked == true. Execution blocked. Decision Artifact DA-20260407-009972 produced with outcome DENY.

Consent resolution for the second request proceeds through the same four-check sequence as before. Check #1 passes: the record still exists in the registry. Check #2 fails: revoked == true. Resolution stops immediately. The engine does not evaluate checks 3 and 4, and does not enter policy evaluation. The outcome is DENY.

Decision Artifact — DA-20260407-009972 · second request, denied

decision_artifact · id: DA-20260407-009972 artifact_id: "DA-20260407-009972"
request_id: "DRQ-20260407-009972"
created_at: "2026-04-07T09:22:24.112Z"

outcome: "DENY"
deny_reason: "E-CONSENT-REVOKED"
deny_stage: "consent_resolution" // denied before reaching policy evaluation

consent_ref: "CNST-PT00441-DX-2026"
consent_state_at_eval: "REVOKED"
consent_revocation_ts: "2026-04-07T09:22:17.339Z"

request_snapshot: {
  actor_id: "actor:dx-assistant-v3",
  action: "read.longitudinal_record",
  purpose: "dx_analysis",
  session_id: "SES-20260407-DR-IONESCU-0091",
  submitted_at: "2026-04-07T09:22:24.101Z"
},

enforcement_latency_ms: 11,
artifact_hash: "sha256:c1f7e2...84a301"

DENY Request DRQ-20260407-009972 denied at consent resolution stage. Reason: E-CONSENT-REVOKED. Revocation recorded at 09:22:17.339Z — 6.762 seconds before this request. Execution blocked. No data accessed. Enforcement latency: 11ms.

The enforcement response returned to the application tier is a DENY with error code E-CONSENT-REVOKED. The application tier is expected to surface an appropriate message to Dr. Ionescu's interface — for example, that the patient's consent is no longer active and the session cannot continue without intervention from the care team. QODIQA does not dictate the user experience; it dictates the enforcement outcome.

7.3 What the Revocation Artifact Proves

The two decision artifacts now tell a coherent and independently verifiable story. DA-20260407-004411 proves that at 09:14:32Z, consent was valid and the request was properly authorized. DA-20260407-009972 proves that at 09:22:24Z, consent had been revoked and the request was correctly blocked. The gap between revocation timestamp and the second request's submission — 6.762 seconds — is on record. If NeuraPath's legal team or a data protection authority ever asks whether consent was respected, these two artifacts are the answer. Not a narrative. Not a policy document. Proof.

Section 8

#Audit Replay

Three months later, a data protection authority reviewing NeuraPath's AI practices asks: "On April 7th 2026, was patient PT-00441's data accessed by AI systems after she withdrew consent?"

The NeuraPath compliance team runs the following audit query against the decision artifact store:

Audit Query

subject: "patient:PT-00441"
date: "2026-04-07"
after_timestamp: "2026-04-07T09:22:17.339Z" // revocation timestamp
outcome_filter: "ALLOW | ALLOW-WITH-RESTRICTIONS"

The query returns zero results. No ALLOW or ALLOW-WITH-RESTRICTIONS artifact exists for patient PT-00441 after 09:22:17.339Z on April 7th. The only artifact in that window is DA-20260407-009972, which is a DENY. The answer to the authority's question is: no — and that answer comes with a cryptographically verifiable artifact, not a human attestation.

The compliance team can additionally replay Decision Artifact DA-20260407-004411 — the authorized request — against the policy document at sha256:f3a1b9...c04d72 and the consent record as it existed at 09:14:32.051Z. The replay will produce the same ALLOW-WITH-RESTRICTIONS outcome. This confirms that the earlier access was correctly authorized under the rules that were in effect at the time.

The Audit Property

The replay invariant holds: given the same frozen inputs — request, consent state, policy version, evaluation timestamp — QODIQA's evaluation engine always produces the same decision. This makes the audit outcome reproducible without trust in any single party's assertion. An auditor who independently constructs the replay environment and verifies the artifact hashes reaches the same conclusion as the production system did in real time.

Section 9

#What QODIQA Did Not Do

This scenario demonstrates several things QODIQA deliberately chose not to do. Understanding these boundaries is as important as understanding what QODIQA enforces, because the constraints define where implementation responsibility lies in the systems around it.

Scope Boundaries — QODIQA responsibilities vs. surrounding system responsibilities

QODIQA did not do this	Who is responsible
Read or inspect the patient's clinical record or lab results.	Data store and execution layer. QODIQA governs access; it does not access data.
Verify that Dr. Ionescu is clinically qualified to request this analysis.	NeuraPath's authentication and role management system. QODIQA receives an authenticated actor ID; it does not perform authentication.
Apply the de-identification filter to the model's output.	The execution layer. QODIQA declared the restriction; the execution layer enforces it operationally.
Assess whether the AI diagnostic analysis was clinically appropriate or accurate.	Clinical governance. Outside QODIQA's scope entirely.
Notify Dr. Ionescu or the care team of the consent revocation.	The application tier. QODIQA emits a DENY; what the interface does with it is the application's responsibility.
Verify the legal adequacy of NeuraPath's consent disclosure language.	Legal and compliance. QODIQA verifies structural validity and scope alignment of a consent record, not the human process that produced it.
Make a probabilistic or risk-based judgment about whether to allow the request despite revocation.	Nobody. This is not a permitted behavior. QODIQA is deterministic: revoked consent produces DENY, always, without exception or override.

The intentional minimalism of QODIQA's scope is a design property, not a limitation. A system that tries to do everything provides guarantees about nothing. By restricting itself to enforcement — and doing enforcement deterministically and verifiably — QODIQA makes it possible for every surrounding system to rely on exactly one thing: that if QODIQA said ALLOW, the request was authorized, and if it said DENY, execution did not proceed.

Document Status

#Document Status and Corpus Alignment

This document is a normative illustrative instrument within the QODIQA specification corpus. It does not introduce requirements; all requirements are defined in the Core Standard and the 68-Point Enforcement Framework. It illustrates how those requirements manifest in a complete, concrete deployment scenario, using real field values, specific timestamps, and actual artifact structures.

The scenario in this document — NeuraPath Health and patient PT-00441 — is synthetic. All identifiers, timestamps, hash values, and actor names are constructed for illustrative purposes. Any resemblance to real persons, organizations, or systems is coincidental.

This document should be read together with the following related specifications:

QODIQA — Core Standard for Deterministic Runtime Consent Enforcement
QODIQA — 68-Point Enforcement Framework for Deterministic Runtime Consent Enforcement
QODIQA — Reference Architecture for Deterministic Runtime Consent Enforcement
QODIQA — Implementation Conformance Checklist
QODIQA — Conformance Test Suite Specification for Deterministic Runtime Consent Enforcement
QODIQA — Security and Cryptographic Profile for Runtime Consent Enforcement
QODIQA — Consent as Infrastructure for Artificial Intelligence Technical Whitepaper

For strategic inquiries, architectural discussions, or partnership exploration:

Bogdan Duțescu

bddutescu@gmail.com

0040.724.218.572

Document Identifier QODIQA-WE-2026-001

Title Worked Example: End-to-End Enforcement Scenario

Subtitle A Complete Technical Narrative from Intent Declaration to Revocation in a Clinical Data Platform

Publication Date April 2026

Version 1.0

Document Type Normative Illustrative Document

Document Status Normative

Governing Authority QODIQA Governance Charter

Scenario Synthetic — NeuraPath Health · patient:PT-00441 · 2026-04-07

Integrity Notice Document integrity may be verified using the official SHA-256 checksum distributed with the QODIQA specification corpus.

QODIQA Worked Example End-to-End Enforcement Scenario