This paper specifies a reference architecture for detecting recursive contamination in production AI systems, with cross-vendor lineage attestation, divergence monitoring, and audit artifacts compatible with existing model-risk governance frameworks.
This is detection infrastructure, not a vendor product. The architecture complements existing model risk management programs governed by SR 11-7, the NIST AI Risk Management Framework, and ISO/IEC 42001:2023. It assumes contamination is real and operationally consequential, consistent with the distinction drawn by the Berryville Institute of Machine Learning: pollution is not collapse, but pollution is sufficient to produce measurable degradation in operational systems long before collapse.
The architecture is vendor-agnostic, runs on open substrates (OpenLineage, OWASP AIBOM, C2PA v2.3), and emits SR 11-7-compatible audit artifacts natively. Adoption does not require a parallel compliance project.
Existing model risk frameworks require lineage in principle but were written for parametric statistical models, not for AI systems whose inputs are continuously refreshed from third-party data products. SR 11-7 assumes a model whose training set is bounded and whose validation can be reperformed on demand. OCC Bulletin 2026-13, which rescinded the long-standing OCC Bulletin 2011-12, explicitly excluded generative and agentic systems from its scope and deferred their treatment to forthcoming guidance. The NIST Generative AI Profile (AI 600-1) identifies provenance as a control objective without prescribing how to verify it across vendor boundaries. EU AI Act Article 10, enforceable from August 2, 2026, requires data governance and traceability for high-risk systems but leaves the cross-vendor attestation question to implementing standards still in draft.
The academic literature confirms the failure mode. Shumailov et al. (Nature 631:755, 2024) demonstrated model collapse as a generational phenomenon: models trained on their own outputs lose tail distributions and converge toward degenerate means. Dohmatob et al. (ICLR 2025, "Strong Model Collapse") proved analytically that contamination as low as 0.1 percent of training data is sufficient to trigger collapse dynamics in scaling-law regimes. McGovern et al. (BIML, January 2026) distinguished collapse (a training-time phenomenon) from pollution (an inference-time phenomenon affecting deployed systems whose retrieval pipelines or fine-tuning loops ingest model-generated content). Pollution does not require collapse to produce material harm.
Provenance metadata is largely absent at the source. The MIT Data Provenance Initiative documents that roughly 70 percent of widely used training datasets have ambiguous or missing provenance metadata, with license terms frequently fabricated or misattributed downstream. This means that even when a deployer wants to verify the lineage of an input, the upstream record often does not exist.
The commercial tooling gap is the third pillar of the problem. Databricks Unity Catalog traces lineage within the Databricks boundary; its external-lineage feature entered Public Preview in 2026 and remains scoped to declared connectors. IBM watsonx.governance integrates with OpenLineage but does not yet support cross-vendor attribution of recursive reentry. Credo AI, Robust Intelligence, and Patronus address evaluation and policy mapping, not lineage. Snowflake, Collibra, and Atlan stop at the catalog boundary. No commercial tool traces cross-vendor recursive reentry as an operational concern. That is the gap this architecture addresses.
The architecture organizes detection into five tiers, ordered from cheap surface checks to expensive attribution analysis. Each tier produces a distinct class of evidence and routes to the next. Deployers should run all five in production; lower tiers gate higher tiers to control cost.
Tier 3 is the central innovation. Tiers 1 and 2 depend on upstream vendor cooperation; Tier 4 is expensive and runs in batch. Tier 3 runs continuously on input embeddings alone, requires no vendor cooperation, and produces actionable signal at minutes-level latency. KDS is the appropriate kernel because it is non-parametric, sensitive to multi-modal distributional shifts, and well-characterized for embedding spaces under the formulation of Kim et al. (arXiv:2502.00678, 2025).
Four principles govern the design. Each addresses a constraint that has caused prior lineage tooling to stall at the single-vendor boundary.
The architecture degrades gracefully. Tiers 1, 2, and 4 require some level of upstream emission or accessible API surface; Tier 3 does not. KDS divergence detection runs on input embeddings alone when upstream vendors emit no provenance metadata. A deployer with zero cooperating vendors can still operate Tier 3 plus Tier 5 and obtain useful signal. As more vendors emit OpenLineage and AIBOM records, the higher tiers light up and the system gains precision.
OpenLineage is the transport and event model; the architecture consumes OpenLineage events as the canonical interchange format. AIBOM records the AI system's bill of materials at the artifact level. C2PA v2.3 provides the cryptographic assertion format for signed content provenance. Vendors emitting none of these are flagged as opaque at Tier 1; they are not blocked, but their inputs carry a degraded confidence rating that propagates into the audit artifact.
Alerting uses two thresholds rather than a single binary cutoff. A "watch" alert fires when Tier 3 KDS divergence from baseline exceeds 2 sigma; a "halt" alert fires when divergence exceeds 3 sigma sustained across N inference windows, with N tuned per asset class. The watch threshold routes to the model risk officer for review; the halt threshold can trigger automated inference suspension where the deployer has authorized that hook. Two-tier thresholds avoid the well-documented failure mode of single-threshold alerting systems: either too noisy to be actioned or too coarse to detect early degradation.
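The two-threshold rule above, written out as an added example (not code from the paper or any vendor). The function name, the `n_sustain` parameter and the sample scores are assumptions constructed for illustration; the divergence scores are taken as given from Tier 3.

```python
from statistics import mean, stdev

WATCH_SIGMA = 2.0  # from the text: "watch" above 2 sigma
HALT_SIGMA = 3.0   # from the text: "halt" above 3 sigma, sustained


def classify_windows(baseline, scores, n_sustain):
    """Return 'ok', 'watch' or 'halt' for each live inference window.

    baseline:  divergence scores from the pre-deployment reference period
    scores:    divergence scores for live windows, oldest first
    n_sustain: consecutive windows above 3 sigma required for 'halt'
               (the per-asset-class N; the value used here is assumed)
    """
    mu, sigma = mean(baseline), stdev(baseline)
    if sigma == 0:
        raise ValueError("baseline has zero variance; sigma distance undefined")
    states, run = [], 0
    for score in scores:
        z = (score - mu) / sigma
        # Count consecutive windows above the halt level; any dip resets it.
        run = run + 1 if z > HALT_SIGMA else 0
        if run >= n_sustain:
            states.append("halt")
        elif z > WATCH_SIGMA:
            # A lone spike above 3 sigma is still only a watch.
            states.append("watch")
        else:
            states.append("ok")
    return states


# Constructed sample data, not measurements from any real system.
BASELINE = [0.10, 0.12, 0.11, 0.09, 0.10, 0.13,
            0.08, 0.11, 0.10, 0.09, 0.12, 0.11]
LIVE = [0.11, 0.14, 0.16, 0.12, 0.15, 0.16, 0.17, 0.10]

if __name__ == "__main__":
    for score, state in zip(LIVE, classify_windows(BASELINE, LIVE, n_sustain=3)):
        print(f"{score:.2f}  {state}")
```

The isolated spike in the third window stays at watch; only the later run of three consecutive windows above 3 sigma escalates to halt.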
The architecture emits SR 11-7-compatible documentation natively, including the lineage DAG, KDS time series, attribution scores, and threshold history at the moment of any incident. Adoption does not require a separate compliance project or a parallel governance workstream. The model risk officer can present the audit artifact to examiners or to the EU AI Act notified body without additional reconciliation work.
The reference deployment is an air-gapped on-prem variant suitable for intelligence-community use cases and bank-secret deployments. Cloud-resident variants are supported but not the focus of this section, because the constraints that govern air-gapped deployment are strictly more demanding and serve as the architectural worst case.
Per the 2026 DoD generative AI procurement directive, the air-gapped variant requires three properties: signed offline manifest updates with cryptographic provenance, an immutable audit log suitable for after-action review, and identity passthrough to existing access-control infrastructure. The deployment runs entirely within the air gap; updates to the AIBOM registry, the C2PA trust list, and the KDS baseline are delivered via signed offline bundles and verified before ingestion.
The cryptographic baseline follows the NSA, CISA, and FBI joint Cybersecurity Information Sheet on AI Data Security (May 22, 2025): ECDSA P-256 for signatures, SHA-256 for content hashing, and Merkle trees for lineage attestation. Merkle structure permits efficient verification of any single input's lineage path without exposing the full provenance graph, which is operationally important when the lineage graph itself is classified or contains commercially sensitive vendor relationships. A Framework for Cryptographic Verifiability of End-to-End AI Pipelines (arXiv:2503.22573, 2025) provides the formal verification model that the air-gapped variant implements.
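A sketch of the Merkle property described above, as an added example rather than the paper's implementation: a verifier checks one input's lineage record against the tree root using only sibling hashes, never the other records. The leaf/node prefix bytes, the odd-node promotion rule and the record strings are assumptions; signing the root with ECDSA P-256 is omitted.

```python
import hashlib


def _leaf(data: bytes) -> bytes:
    # Prefix bytes keep leaf and interior hashes in separate domains (assumed).
    return hashlib.sha256(b"\x00" + data).digest()


def _node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_levels(records):
    """All tree levels, leaves first. An unpaired node is promoted unchanged."""
    if not records:
        raise ValueError("no lineage records")
    levels = [[_leaf(r) for r in records]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([_node(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels


def prove(levels, index):
    """Sibling path for leaf `index`: list of (sibling_hash, sibling_is_left)."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):          # no sibling means the node was promoted
            path.append((level[sib], sib < index))
        index //= 2
    return path


def verify(record: bytes, path, root: bytes) -> bool:
    """Recompute the root from one record and its sibling path."""
    h = _leaf(record)
    for sibling, is_left in path:
        h = _node(sibling, h) if is_left else _node(h, sibling)
    return h == root


# Constructed lineage records; feed and vendor names are placeholders.
RECORDS = [f"feed-{i:02d}|vendor-{v}".encode()
           for i, v in enumerate("ABABC", start=1)]

if __name__ == "__main__":
    levels = build_levels(RECORDS)
    root = levels[-1][0]
    proof = prove(levels, 2)
    print(len(proof), "sibling hashes disclosed;", verify(RECORDS[2], proof, root))
```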
Multimedia inputs are handled per CISA's January 2025 guidance on multimedia integrity: C2PA manifests are verified at ingest, content credentials are preserved through the lineage DAG, and any input lacking a content credential is flagged at Tier 1.
The ATLAS-FX scenario, documented in the "$14 Billion Hallucination" red team briefing, replays a financial AI signal that triggered a $14B portfolio reallocation based on recursively contaminated inputs. The scenario is constructed, but the failure mode is empirically documented across the academic literature. Replayed tier by tier through the reference architecture, the contamination is caught.
Of the eleven principal sources feeding the ATLAS-FX signal, two lack AIBOM records. Both are flagged opaque at ingest and surfaced to the model risk officer's morning queue with a degraded confidence rating attached.
The lineage DAG reveals that four of the eleven sources route through a single upstream vendor data product. That product, on inspection of its OpenLineage emission, retrained on syndicated ATLAS-FX commentary during a quarterly refresh. The DAG visualization makes the convergence immediately visible to the reviewer.
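The convergence check described above, as an added example (not the paper's code). It assumes the lineage edges have already been extracted from OpenLineage events into (producer, consumer) pairs; every node name and the graph itself are constructed to mirror the scenario.

```python
from collections import defaultdict


def upstream_closure(edges, node):
    """Every ancestor of `node`, given edges as (producer, consumer) pairs."""
    parents = defaultdict(set)
    for src, dst in edges:
        parents[dst].add(src)
    seen, stack = set(), [node]
    while stack:
        for parent in parents[stack.pop()]:
            if parent not in seen:    # also terminates on cyclic lineage
                seen.add(parent)
                stack.append(parent)
    return seen


def convergence_report(edges, sources, min_share=2):
    """Upstream nodes shared by at least `min_share` of the declared sources."""
    shared = defaultdict(set)
    for source in sources:
        for ancestor in upstream_closure(edges, source):
            shared[ancestor].add(source)
    return {n: sorted(s) for n, s in shared.items() if len(s) >= min_share}


def reentry_candidates(edges, model_output, sources):
    """Sources with the model's own output upstream. Reachability is a lead
    for Tier 4 to confirm, not proof that the content was ingested."""
    return sorted(s for s in sources
                  if model_output in upstream_closure(edges, s))


# Constructed graph: eleven sources, four of which share one vendor product
# that was refreshed on commentary derived from the model's own output.
SOURCES = [f"src-{i:02d}" for i in range(1, 12)]
VIA_VENDOR = {"src-03", "src-05", "src-07", "src-09"}
EDGES = [("atlas-fx/output", "syndicated-commentary"),
         ("syndicated-commentary", "vendor-x/product")]
EDGES += [("vendor-x/product", s) if s in VIA_VENDOR else (f"origin/{s}", s)
          for s in SOURCES]

if __name__ == "__main__":
    for node, deps in convergence_report(EDGES, SOURCES).items():
        print(f"{node}: shared by {len(deps)} of {len(SOURCES)} sources")
    print(reentry_candidates(EDGES, "atlas-fx/output", SOURCES))
```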
Kernel Divergence Scoring on the cross-asset correlation embedding spikes to 2.4 sigma above the pre-deployment baseline in the 72 hours preceding the signal. This crosses the "watch" threshold and fires an alert to the MRO queue, with the lineage DAG from Tier 2 automatically attached.
Membership inference using Min-K% and ReCaLL confirms that three of the eleven inputs contain content that the model itself produced, which was then syndicated, ingested by a third-party aggregator, and routed back as an independent signal. The attribution score for these three feeds exceeds 0.85.
The Tier 5 incident record fires to the model risk officer at confidence 0.94 with the full lineage DAG, KDS time series, and attribution scores attached. The trade-halt hook is presented as an option; the MRO can suspend reliance on the ATLAS-FX signal pending review without disrupting other model outputs. The SR 11-7-compatible audit artifact is generated automatically.
The scenario also exposes what the architecture would not have caught absent Tier 3. Tiers 1 and 2 alone would have flagged the opaque sources and the convergent path, but neither would have triggered escalation in the absence of an explicit policy threshold; the convergent path is an architectural smell, not a violation. Tier 4 confirms what Tier 3 detects, but it runs in batch with hours of latency. Without continuous KDS monitoring, the signal would have fired before the contamination was detected.
The architecture splits cleanly into two operational concerns: what the deployer builds and operates, and what the deployer requires from upstream vendors. The procurement-language column is the lever for adoption. Model risk officers can paste these clauses into RFPs.
Procurement language alone will not produce coverage on day one. Deployers should plan for staged rollout: cooperating vendors lit up first via Tiers 1, 2, and 4; non-cooperating vendors monitored via Tier 3 from the outset. The architecture's value compounds as vendor coverage grows, but it produces actionable signal from day one.
This architecture is a detection layer. It does not address every failure mode in the model lifecycle and should not be marketed as if it did.
Future work centers on three problems. First, joint optimization of Tier 3 and Tier 4 to reduce membership-inference cost without sacrificing detection sensitivity. Second, formal verifiability of the lineage DAG itself using the cryptographic framework of arXiv:2503.22573, extended to multi-hop vendor chains. Third, integration with the implementing standards under development for EU AI Act Article 10 enforcement, expected in 2027.
References are organized by category and numbered consecutively. Hyperlinks point to the canonical source where available.
This white paper is available as a PDF for offline reading and citation. The reference architecture, procurement language, and audit artifact templates are released for adoption without restriction. Deployers, regulators, and vendors are encouraged to extend the specification.
Cite as: Anna R. Dudley, "The Lineage Audit Reference Architecture: Detecting Recursive Contamination in Production AI," annardudley.com, May 2026.