Why Ontario Digital Service Couldn’t Accept ‘98% Safe’ LLMs for 15M Citizens

TL;DR

Ontario Digital Service leaders say regulated institutions reject probabilistic safety claims because decision-makers must be able to defend deployments. The author built a proof-of-concept ‘Authority Boundary Ledger’ that enforces persistent, hierarchical constraints by filtering model capabilities rather than blocking attempts after they occur.

What happened

While leading product for the Ontario Digital Service — responsible for services used by roughly 15 million people — the author encountered repeated procurement refusals for AI tools that were described as high‑accuracy but still probabilistic. In high‑stakes public services, executives require defensible, auditable governance rather than average‑case performance. To address this, the author developed a reference implementation called the Authority Boundary Ledger: a governance primitive that treats organizational constraints as persistent state, enforces a ringed authority hierarchy, and removes disallowed capabilities from a model’s available toolset before the model reasons. The ledger produces audit trails and deterministic conflict resolution across turns and sessions. The repository is published as a proof of concept, while the implementation is explicitly described as not production‑ready and not jailbreak‑proof in the source.

Why it matters

• Regulated organizations prioritize defendability and auditability over probabilistic accuracy, limiting procurement of cutting‑edge models.
• A governance primitive that enforces persistent authority state can address institutional risk concerns without changing model internals.
• Filtering forbidden capabilities out of a model’s visible tools changes failure modes, reducing the chance of policy‑violating hallucinations.
• A reusable, domain‑agnostic pattern could make it easier for healthcare, finance, legal and government entities to adopt AI under existing accountability frameworks.

Key facts

• The author led Product for Ontario Digital Service and managed 20 senior PMs and services used by about 15 million citizens.
• High‑stakes public services (e.g., COVID screening and vaccine booking) required every user to receive correct information on first contact, blocking typical experimentation.
• Decision‑makers in regulated institutions prefer governance primitives with persistent, auditable properties to probabilistic safety claims like ‘98% safe’.
• The Authority Boundary Ledger is a reference implementation that models constraints as persistent state and supports ring‑based authority levels.
• Ring examples in the pattern: Ring 0 (constitutional, immutable), Ring 1 (organizational/compliance), Ring 2 (session/user preferences).
• The ledger filters unavailable tools from a model’s vocabulary before generation, contrasting with RBAC that typically blocks attempted actions after the model reasons about them.
• The implementation demonstrates persistent constraint tracking, hierarchical control, and complete audit trails but is not production‑ready and not jailbreak‑proof.
• A GitHub repository for the reference implementation is published as a proof of concept.

What to watch next

• Whether institutions adopt the Authority Boundary Ledger beyond the reference implementation — not confirmed in the source.
• Development of a production‑grade version with hardened storage and scalable auth — not confirmed in the source.
• Vendor or standards uptake of ring‑based authority primitives for regulated sectors — not confirmed in the source.

Quick glossary

• Authority Boundary Ledger: A governance primitive that records and enforces persistent organizational constraints and removes forbidden capabilities from an AI agent’s available tools.
• RBAC (Role‑Based Access Control): An access control approach that grants or denies permissions based on user roles; traditionally functions as a post‑request permission check.
• Probabilistic safety: A characterization of system behavior based on statistical likelihoods of correct or safe outputs rather than deterministic guarantees.
• Audit trail: A logged record showing who made what decisions and when, used to support accountability and post‑incident review.
• Ring‑based authority: A hierarchical model of privileges where different layers (e.g., constitutional, organizational, session) have differing immutability and override rules.

Reader FAQ

Did Ontario deploy this ledger in production?
not confirmed in the source

Is the reference implementation available publicly?
Yes. The author published a GitHub repository as a proof of concept.

Is this just role‑based access control?
No. The source describes a mechanical difference: the ledger filters forbidden capabilities out of the model’s vocabulary before reasoning, rather than blocking them after an attempt.

Does this eliminate model hallucinations and jailbreaks?
The ledger changes certain failure modes and reduces the model’s ability to consider disallowed actions, but the source states it is not jailbreak‑proof and is not production‑ready.

authority-boundary-ledger The Institutional Trust Problem in AI Deployment I led Product for Ontario’s Digital Service, managing services for 15 million citizens. Here’s why AI agents fail institutional adoption—and one architectural…

Sources

• Why Ontario Digital Service couldn't procure '98% safe' LLMs (15M Canadians)
• Why Ontario Digital Service couldn't procure '98% safe …
• UvA-DARE (Digital Academic Repository)
• Success Stories | Life Sciences Ontario

Related posts

• Anthropic unveils Claude for Healthcare with HIPAA-compliant integrations
• Ireland urged to fast-track law criminalising harmful voice and image misuse
• Reproducing DeepSeek’s mHC: When Hyper-Connections Cause Explosions