About

Invariant Systems builds cryptographic infrastructure for AI-era engineering. AIIR is our first product: free, open, and standalone. The same receipt primitive extends to inference and to trusted edge compute.

Mission

AI is writing an increasing share of the world's code. That creates a simple question: how do you create a durable record of which changes declared AI involvement?

Invariant Systems builds infrastructure to answer that with cryptography, not policy documents.

Our first product, AIIR (AI Integrity Receipts), is free, open-source, and runs entirely on your machine. It creates cryptographic receipts for every commit, recording declared AI involvement. One command. Zero dependencies.

AIIR is the current product surface. The same receipt model extends to inference and to trusted edge compute. See Directions below for the broader thesis and Foundations for the public research line.

By the numbers

  • Dependencies: 0
  • Tests passing: 2499
  • License: Apache 2.0
  • CI matrix: 3 OS × 5 Py
  • PyPI package: pip install aiir, zero runtime dependencies on the CLI core, Python 3.9–3.13
  • GitHub Action: one-line integration, Sigstore signing on by default
  • GitLab CI/CD Catalog: published component with 4 templates (GitLab CI, GitHub Actions, Azure Pipelines, Bitbucket)
  • Sigstore integration: keyless signing via OIDC, public transparency log, cryptographic non-repudiation
  • Delaware C-Corp: incorporated 2025, standard post-incorporation structure

Why now

AI-assisted coding is becoming common across engineering teams. The basic engineering question that follows is also becoming common: which changes involved AI tools, and what record do you keep with the commit?

Some teams arrive at that question because they want better local provenance and release hygiene. Others arrive there because customers, auditors, or policy teams eventually ask for a durable audit trail. The EU AI Act is part of that broader backdrop, but it is not the whole story.

AIIR is an open-source tool that answers that question for commits with declared AI markers, with cryptographic receipts instead of policy documents.

What we believe

  • AI provenance is infrastructure, not a feature. Teams using AI code generation need an audit trail. It should be as automatic as version control.
  • Trust requires cryptography, not promises. Compliance documents are necessary but not sufficient. Tamper-evident receipts are.
  • Open source builds trust. The core tool is Apache 2.0 because auditors need to inspect the mechanism, not just the output.
  • Zero dependencies is a security decision. Every dependency is an attack surface. We chose none.
  • Policy matters, but the product has to stand on its own. Teams should be able to adopt AIIR because the local workflow is useful even before formal governance requirements show up.

Team

Noah Erlwein, Founder & CEO

I started Invariant Systems to remove obstacles for the people doing the most consequential engineering work and to put a new generation of audit tooling in their hands. Research, careful scope, and respect for human judgment are the culture I am building around that.

noah@invariantsystems.io

Want to join?

We're a small team building critical infrastructure. If you care about cryptography, developer tools, or AI accountability, we'd like to hear from you.

No open roles posted yet. Reach out anyway: noah@invariantsystems.io

Need help or want to engage?

Bug reports

File reproducible product bugs in the public tracker so fixes, regressions, and workarounds stay visible.

Open a GitHub issue →

Questions and ideas

Use discussions for implementation questions, rollout feedback, and community conversation around AIIR.

Security reports

Do not post vulnerabilities publicly. Use the coordinated disclosure path with our published policy and response target.

Foundations

Public papers and reproducibility capsules behind the broader receipt program. These links point only to public Zenodo records and public claim boundaries.

Inference Receipts: Lightweight Cryptographic Commitment Chains for Auditable Generative AI

Canonical public evidence capsule for inference receipts: manuscript, figures, benchmark summaries, example receipt chains, zero-dependency verification scripts, validation transcripts, checksum manifests, and the receipt that binds the capsule itself. The public claim boundary is narrow and explicit: model identity, sampling configuration, and emitted token or output payloads can be committed into low-cost, tamper-evident receipts under an honest-emitter trust model.

Current version DOI: 10.5281/zenodo.20010777
Stable DOI: 10.5281/zenodo.18888733
Record type: Preprint

Receipted Actions: A Reproducible Audit Capsule for Rewarded-Action Payout Adjudication

Reproducible audit capsule for rewarded-action payout adjudication. The public surface combines a typed claim, evidence references, a machine-readable verdict, bundle-level receipt binding, an appeal path, a deterministic synthetic benchmark, a release-local validator, checksum manifests, and a receipt trail. The record is explicit about what it does not claim: no partner traffic, no hidden reviewer state machine, and no claim of live fraud lift or production transfer from the synthetic benchmark.

Current version DOI: 10.5281/zenodo.20008486
Stable DOI: 10.5281/zenodo.20008485
Record type: Publication

Version DOIs point to a specific published Zenodo record. Stable DOIs follow the full version line and resolve to the latest public version.

Directions

Three lanes share one core idea: produce a deterministic, content-addressed record of what happened, and let anyone verify it independently. AIIR is the shipped product; the rest are stated directions, not shipped products on this public surface.

AI provenance receipts

Deterministic receipts for declared AI involvement in source changes. This is what AIIR ships today.

Receipted inference and actions

Apply the same receipt model to model outputs and to actions taken by AI agents. Active public research line. See Foundations above.

Trusted edge compute

Receipt-style evidence for bounded computations that run close to the sensor or signal, including FPGA coprocessors and other constrained surfaces, so operators can verify what ran without trusting the runtime. Direction, not a shipped product.

If you are evaluating these lanes for a specific deployment, write to noah@invariantsystems.io and say what you are trying to verify. We will be explicit about what is in the public repo today and what is not.

Last reviewed: 2026-05-22 · License: Apache 2.0 · Source on GitHub · Trust posture