In June 2026, the Ninth Circuit sanctioned two attorneys whose briefs cited cases that did not exist.
The quotations appeared nowhere in the opinions they were attributed to. The errors were traceable to generative AI. And the court was emphatic about what it was not doing: it did not sanction the lawyers for using AI. The procedural and ethical rules, it held, are not violated at the point of research and drafting. They are violated at the point of signing and filing.
A signature is an attestation that the signer reviewed the work and is responsible for its accuracy (9th Cir. R. 32-1, Advisory Committee Note) — and that responsibility does not change depending on whether a partner, a junior, or a model produced the draft. A fabricated citation pulled from a model and one invented by a human are the same violation at the same moment.
That holding is method-neutral, and the neutrality is the point. Governance aimed at the production layer — usage policies, “do we permit AI, and where” — aims at a layer the rules do not turn on. The enforceable control sits downstream, at the certification event. This is the legal system stating, with a price attached, a principle that generalizes well past law.
Naming the boundary
We call that certification event the attestation boundary. The words are deliberately plain; what is ours is the construct — naming this a single architectural seam that spans both the deployment layer and the per-output layer, and mapping it to a consortium standard and to primary legal authority. That framing is Luminity’s analytical contribution, not a finding lifted from any one external source.
The canonical form: the attestation boundary is the certification event — present at both the deployment layer and the per-output layer — at which an AI-produced output becomes a representation a named, accountable party stands behind, binding responsibility for that output to the act of certification rather than to the method that produced it.
A disambiguation for the security reader: this is not attestation in the confidential-computing sense — not the cryptographic proof that a trusted execution environment can be relied upon before code runs. It is the older, plainer meaning: a named party asserting responsibility for a representation. The boundary is organizational and accountable, not a TEE perimeter. The two senses do converge at one point, though — a code-signed deployment artifact is both at once — which is why the standard’s signing controls map directly onto it.
Two properties make it usable as a design primitive rather than a slogan. It is provenance-neutral: defensibility does not depend on reconstructing what the model did. And it is layered: it operates both at the moment a system is certified into production and at the moment an individual output is certified for use.
The standard already encodes it
AIUC-1 — the consortium standard for agent security, safety, and reliability, built with contributors including Anthropic, Google, Microsoft, MITRE, and Stanford — places the deployment-layer instance of this boundary in its Accountability pillar, control E004, “Assign accountability.” The control requires an organization to define which AI system changes across the lifecycle demand formal review, assign a named lead accountable for each, and document that approval with supporting evidence. That is the attestation boundary rendered as a certifiable control: a named human stands behind the system, on the record, with evidence — not a policy asserting that someone, somewhere, is responsible.
The crosswalks are where it gets sharp. E004 maps to MITRE ATLAS code signing, to the CSA AICM control for model signing and ownership verification, to NIST’s executive-accountability function, and to the EU AI Act’s documentation articles. Code signing and a wet signature are the same primitive in two registers — a cryptographic and a legal assertion of “I am accountable for this artifact.” The lawyer’s signature in the courtroom and the signed deployment artifact in the pipeline are not analogous; they are the same control expressed in different materials.
Two layers, one boundary
But E004 is a deployment-layer control. Its examples are model selection, material prompt changes, adding or removing guardrails; its cadence is annual. It governs who signed the system into production. It does not reach the per-output layer — the certification of each individual output before it becomes a representation. That layer is exactly what the court enforced: not a one-time deployment sign-off, but a signature on every filing, every time.
In AIUC-1, the per-output layer is handled elsewhere and more thinly — in the Safety pillar’s requirement to flag high-risk outputs for human review, and in the Accountability pillar’s disclosure and activity-logging controls. This is not a gap to apologize for; it is the structure to design to. The attestation boundary is one seam that appears at two granularities, and a system is only defensible when it is certified at both: the deployment decision and the outputs that decision puts into the world. A program that certifies the system and leaves outputs uncertified has built half a boundary.
General — both layers. Accountability binds at the act of certification, not the method of production. Provenance-neutral.
The deployment layer, made certifiable: a named accountable lead, approval documented with evidence. Crosswalks to code signing (MITRE ATLAS, CSA AICM).
The per-output layer, judicially enforced: the signature attests every output; the failure to verify is priced in sanction and suspension.
The attestation is only as good as the verification behind it
The court reserved its sharpest language for an admission that the firm did not, as a practice, check the authorities its briefs relied on before signing them. A signature with no verification behind it does not reduce exposure — it manufactures it, converting an unverified output into an affirmative claim of accuracy. The first thing to say about a well-designed attestation boundary, then, is that the certification must demand verification artifacts, not merely record a sign-off.
And verification has to address two distinct failure modes. Fabrication — output that does not exist — is checkable against ground truth and can be automated. Inaccuracy — output that exists but does not support what it is cited for — survives that check and requires reading the source. The empirical record is unambiguous that this is the harder, more durable problem: in independent testing, the two leading legal-specific AI tools returned inaccurate or fabricated answers in 17% and 33% of responses respectively (Magesh et al., 2025). An assurance layer therefore needs both an existence check, which is deterministic, and a grounding check, which is source-anchored and cannot be fully delegated to the tool that produced the output. Closed, structured outputs do real work at the existence layer — rendering claims as verifiable objects collapses the fabrication check into the schema — which is precisely what frees scarce human judgment for the grounding layer, where it is actually needed.
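A minimal certification gate for the two checks described above, as an added example that is not part of the original article or of AIUC-1: it refuses to sign unless every claim carries an existence result and a source-anchored review artifact, and it signs those artifacts together with the output. The SOURCES index, the record fields, the function names and the HMAC stand-in for a real signature are all assumptions made for illustration.

```python
import hashlib, hmac, json

# Constructed source of record (citation -> opinion text); all sample data is made up.
SOURCES = {"Example v. Sample, 1 F.4th 1":
           "A signature certifies that the filer reviewed the cited authority."}

def digest(text):
    return hashlib.sha256(text.encode()).hexdigest()

def existence_check(claim):
    """Deterministic: the cited source exists and contains the quoted words."""
    text = SOURCES.get(claim["cite"])
    return text is not None and claim["quote"] in text

def grounding_check(claim, reviews):
    """Source-anchored: a named reviewer recorded the hash of the source they read.
    Code can confirm the artifact exists and matches the source, not the judgment itself."""
    text, review = SOURCES.get(claim["cite"]), reviews.get(claim["cite"])
    return bool(text is not None and review and review.get("reviewer")
                and review.get("source_sha256") == digest(text))

def failures(claims, reviews):
    """List every (citation, check) pair that lacks a passing verification artifact."""
    return [(c["cite"], name) for c in claims
            for name, ok in (("existence", existence_check(c)),
                             ("grounding", grounding_check(c, reviews))) if not ok]

def attest(claims, reviews, signer, key):
    """Certification event: sign only when every claim passed both checks."""
    failed = failures(claims, reviews)
    if failed:
        raise ValueError(f"attestation refused: {failed}")
    record = {"signer": signer, "claims": claims, "reviews": reviews}
    payload = json.dumps(record, sort_keys=True).encode()
    # HMAC is a stand-in (assumption); production would use an asymmetric signature.
    return {**record, "signature": hmac.new(key, payload, hashlib.sha256).hexdigest()}

def verify(record, key):
    """Recompute the signature over the stored record, artifacts included."""
    body = {k: v for k, v in record.items() if k != "signature"}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["signature"])
```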
The record is the defense
The discipline the court imposed — a six-month suspension on top of monetary sanctions — was owed not to the hallucination but to the cover-up that followed: repeated denials and re-characterizations of the error’s source under questioning. The court noted that early, honest disclosure would likely have drawn a lighter sanction. That is a design incentive, not just a professional-responsibility lesson. AIUC-1’s disclosure and activity-logging controls are the architectural answer to it: build so that what the system did, and where, is answerable by record rather than by an individual’s memory or candor under pressure. You do not ask people to be honest when exposure is highest. You make the record dispositive before the question is ever asked.
The work is architectural
Governance is a structural property of an agent system or it is theater. The attestation boundary is where that property becomes concrete — the seam where an output becomes someone’s stated responsibility, and therefore the seam where verification, disclosure, and logging have to live. A court has now attached a price to getting it wrong, and a consortium standard has made the deployment-layer instance certifiable. The work left to the enterprise is architectural: locate your attestation boundary, certify at both layers, and put the verification on the record. That is the discipline our Claude Architects specialization brings to Claude-based agent systems — particularly in regulated environments, where governance is encoded at the action layer rather than bolted on after, and every action should reconcile to a policy the regulator already knows.
An attestation with no verification behind it is not a control — it is a liability amplifier. It converts an unverified output into an affirmative claim of accuracy.
Locate your attestation boundary, certify at both layers, and put the verification on the record — before the question is ever asked.
