The Proof Layer for Autonomous Software

Why the next layer of the enterprise stack does not need more intelligence — it needs provability. On logging, tamper resistance and external verifiability for autonomous software.

Over the last twelve months, a quiet consensus has formed in board rooms: autonomous software will become part of value creation. Copilots, reasoning engines, digital colleagues — the market terms vary, the promise is similar everywhere: close tickets, place orders, review contracts, move liquidity.

A question rarely spoken in pitches: Who is liable when an autonomous system decides incorrectly?

Not in the abstract. Concretely: when a digital colleague in procurement releases a batch that gets recalled later — who proves on which data the decision rested? When a compliance function waves through a transaction later flagged as suspicious — who reconstructs the decision chain? When two autonomous systems negotiate with each other — which log file counts in dispute?

The answer typically given today is: “we log everything.” That is not an answer. It is a request to trust a record that the vendor writes, stores and analyses on their own. In dispute, that is roughly as load-bearing as a diary kept by the defendant.

Three layers emerging now

Looking at the stack of the next ten years soberly, three layers stand out:

Data Layer. Where data moves reliably between systems, including between on-chain and off-chain worlds. A category has emerged here over the last few years — oracles, cross-chain protocols, the corresponding compliance logic. In May 2026 SAP consolidated this layer with the acquisitions of Dremio (Apache Iceberg-native lakehouse) and Reltio (master data management).

Application Layer. Where autonomous systems take decisions. The big platforms are building here — and this layer gets most market attention today. SAP Joule, Microsoft Copilot, Google Gemini Enterprise, Salesforce Einstein — all of them target this layer.

Proof Layer. Where decisions become cryptographically verifiable. Hash chains, sidecar attestations, proof points per action. This layer is structurally underbuilt today. That is exactly where HEINI works.

Why logging is not enough

Logging is an internal convenience. It answers: “what did we record?” It does not answer: “what can I prove in court or before a regulator?”

Provability has three properties classical logging does not deliver:

  1. Tamper resistance. A hash chain only has value if every link seals the previous one. A retroactively edited log file is not one.
  2. External verifiability. The party that checks must not be the vendor itself. Otherwise the mark-to-self problem we know from the financial crisis emerges — a valuation only the valuer can reconstruct is worthless in conflict.
  3. Selective disclosure. A regulator does not want to see the entire enterprise log file. They want to prove that this one decision at this point in time was based on this data. Data protection requirements and trade secrets allow nothing else.

Three properties that do not exist in classical observability — because those tools were never built for regulatory proof, but for performance monitoring.
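The three properties listed above can be shown together in one small sketch. This is an added example, not HEINI's implementation: the record fields, the fixed salts and the all-zero genesis value are constructed assumptions, and in practice each salt would be random and the head hash would sit with a party other than the vendor.

```python
import hashlib
import json

GENESIS = "00" * 32  # constructed starting value for the chain

def h(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()

def leaf(record: dict, salt: str) -> str:
    # Salted commitment: a low-entropy record cannot be guessed from its hash.
    return h(salt + json.dumps(record, sort_keys=True))

def link(prev: str, leaf_hash: str) -> str:
    # Each link seals the previous one (tamper resistance).
    return h(prev + leaf_hash)

def build_chain(entries):
    """entries: list of (record, salt). Returns (leaf_hashes, head)."""
    leaves, head = [], GENESIS
    for record, salt in entries:
        leaves.append(leaf(record, salt))
        head = link(head, leaves[-1])
    return leaves, head

def disclose(entries, leaves, index):
    """Selective disclosure: one record in clear, only hashes for the rest."""
    record, salt = entries[index]
    return {"index": index, "record": record, "salt": salt, "leaves": leaves}

def verify(proof, anchored_head):
    """Run by the external party, which holds nothing but the anchored head."""
    leaves, i = proof["leaves"], proof["index"]
    if not 0 <= i < len(leaves):
        return False
    if leaf(proof["record"], proof["salt"]) != leaves[i]:
        return False  # disclosed record is not the one that was sealed
    head = GENESIS
    for leaf_hash in leaves:
        head = link(head, leaf_hash)
    return head == anchored_head  # any retroactive edit changes the head

# Constructed sample log; the salts are fixed here only to keep the run repeatable.
ENTRIES = [
    ({"action": "release_batch", "decision": "approve"}, "salt-a"),
    ({"action": "clear_transaction", "decision": "approve"}, "salt-b"),
    ({"action": "sign_contract", "decision": "escalate"}, "salt-c"),
]
```

The verifier learns the content of exactly one entry and can still confirm its position in the sealed sequence, because the other entries appear only as salted hashes.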

What changes in 13 weeks

On 2 August 2026 the EU AI Act becomes fully effective in its core provisions for high-risk systems. End-to-end traceability stops being a voluntary compliance exercise and becomes a legal requirement. Fines up to 35 million euros or 7 percent of global annual revenue.

Anyone without an external, tamper-resistant proof trail for their autonomous systems by then will fight the first legal dispute against a weakness in their own log file architecture. That is a hard learning curve with expensive tuition.

What HEINI does

HEINI is not another platform for autonomous software. We are not building a competitor to the large vendors rolling out digital colleagues today. We build the layer underneath: the sidecar attestation that seals every action with a hash, that produces proof points, that can be selectively disclosed, that works in regulated single-tenant contexts — exactly where banks, law firms and critical industries have to operate.

The architecture works on a clear approval principle: every action by a digital colleague passes a pre-flight permission check against a stored competence profile before it is executed. A three-stage deletion cascade under GDPR Article 17 demonstrates forgetting not by claimed deletion, but by an irrefutable difference record. An external attestation anchor records the order of decisions, admissible under German law.

What this is about

The category “Proof Layer” will be claimed in the coming months — either with a precise, legally load-bearing term that gives the market a clear standard, or with a marketing label that hides the actual gap.

We are betting on the first option. If you want to talk to us — as a regulated industry, as a law firm with compliance mandates, or as a platform looking to make its application layer audit-ready — you can reach us through the channels on this site.


HEINI Operations UG. Questions and feedback are explicitly welcome.