An institutional AI deployment is not a technology project. It is a transfer of trust — from the people who built the model to the institution that signs for its outputs. Where deployments fail, the failure almost always sits at that boundary, not inside the model.
The boundary problem
A central bank cannot answer a parliamentary committee with "the model said so." A hospital cannot defend a triage decision by pointing to a vendor's accuracy chart. A transmission system operator cannot explain a curtailment to a minister with a confidence score. The mandate of a public institution requires that every consequential output be attributable, contestable and reversible. Most procured AI systems are none of those by default.
The procurement teams know this. The vendors know it too. What is missing is the connective tissue: a way of writing the engagement so that the model's behaviour, the institution's mandate, and the chain of accountability between them are described in the same language.
What "trusted" means in practice
We use the word in a narrow, operational sense. A trusted AI system is one for which the deploying institution can answer four questions, in writing, on demand:
- Accountability. Who is responsible for this output, and through which legal instrument? "The vendor" is not an answer; "the data controller, under Article X of our enabling statute" is.
- Lineage. What data produced this output, and which steps are reproducible by an independent party with the same inputs?
- Failure mode. What does silent degradation look like for this system, and what is the recovery posture when it occurs — not "if".
- Sovereign dependency. Which infrastructure, weights and orchestration layers does the system rely on, in which jurisdictions, and what changes for the institution if any of them is reconfigured?
An institution that can answer these four can defend the deployment. An institution that cannot, regardless of the model's published benchmarks, has bought a liability.
The boundary, in practice
Three patterns recur across engagements where the boundary breaks:
- Procurement language that survives but does not bind. The contract speaks of "best efforts" where the mandate requires demonstrable assurance.
- Evaluation drift. The acceptance tests reflect the lab; the operating environment looks nothing like it. By month six, the institution is running an unevaluated system.
- Quiet sovereign exposure. The compute is European; the weights are not; the orchestration is. None of the three is, by itself, a contract violation. The combination is a continuity problem nobody owns.
Closing the boundary
Our practice runs every engagement through the UberConsul Resilience Audit — six dimensions, scored against the institution's own mandate rather than a generic maturity ladder: governance, data lineage, model risk, third-party dependencies, sovereign infrastructure, recovery posture.
The audit is deliberately boring. It produces a one-page institutional position, defensible in front of a regulator, a board, and — increasingly — a court. That document is the boundary, made operational.
First published April 2026 · Frankfurt am Main.