A provenance layer for non-financial disclosure.

Two jurisdictions — California (SB 253, SB 261) and the European Union (CSRD) — now require corporate non-financial disclosures to be subject to the same audit standards as the financial statements they accompany. The data underwriting these disclosures has historically been generated by a chain of self-reported portals, manager approvals, and downstream aggregation. We argue this chain does not satisfy the evidentiary standard now demanded of it, that a verifiable evidence layer is structurally necessary, and that the boundary at which verifiability must be established is the moment of capture, not the moment of disclosure.

The financial reporting stack converged decades ago on a model in which every figure that appears on a balance sheet is traceable to a primary record — a transaction, a contract, a signed instrument. The non-financial disclosure stack has no such anchor. The figures that appear in a sustainability report are typically derived from a sequence of free-form data entries by field operators, validated by other humans, normalized into spreadsheets, and uploaded into reporting tools that perform aggregation but not provenance.

Until 2024, the consequences of this gap were largely reputational. The reports were voluntary; the assertions were soft; the cost of inaccuracy was a press cycle. Beginning in calendar year 2026, the same assertions become statutory, the same reports become assurable, and the same chain of self-reported telemetry must satisfy a Big Four auditor's evidence test. It does not.

A workable evidence layer must answer four questions for every recorded fact: (i) where the event occurred, (ii) when it occurred, (iii) who or what recorded it, and (iv) whether the recording has been altered since capture. The portal-and-spreadsheet stack answers none of these questions in a form that survives adversarial review. Location is asserted by the entrant. Time is the time of data entry, not the time of action. The recording device is unknown, or known only through reputational trust in the operator. The integrity of the record after entry is preserved only by the access controls of the SaaS vendor that hosts it.

The economic literature on this kind of market — assets whose value depends on assertions the buyer cannot independently verify — is well established. In every analogous case (carbon offsets pre-VCS 2020, voluntary plastic credits, conflict minerals reporting before CMRT), the dominant equilibrium has collapsed under audit pressure within a single regulatory cycle.

Independently of any specific implementation, a viable evidence layer for non-financial disclosure has the following structural properties. We sketch them at a level of abstraction sufficient to evaluate any candidate system.

1. Capture-time provenance. The record's evidentiary properties must be established at the moment of capture by a device whose integrity can itself be attested. Provenance added retroactively is not provenance.
2. Hardware-anchored attestation. The capture device must produce a signed manifest that binds the recorded payload to a specific physical instrument, a specific moment, and a specific spatial context. The signing key must reside in tamper-resistant hardware.
3. Open credential schema. The output of the evidence layer must be a portable, vendor- neutral artifact. A buyer should be able to verify a record without trusting the issuing platform. Closed schemas recreate the lock-in that doomed the prior generation of tooling.
4. Schema mapping at the boundary. The same primitive record must be expressible against every disclosure regime the buyer is subject to. The cost of answering n regimes from one capture is bounded by the cost of authoring n mappers, not by n separate captures.
5. Adversarial review. An auditor unaffiliated with the issuer must be able to re-verify any record from first principles, without cooperation from the platform. If the platform is the only party that can prove the record is valid, the platform is the audit, and the audit is circular.

The economically tractable instrument for capture in this domain is the same instrument that has already become ubiquitous: a modern smartphone. Its sensor stack — camera, GNSS, accelerometer, secure element — is sufficient to bound the four provenance questions for the class of events that drive corporate social- impact reporting (volunteer hours, in-kind contribution, milestone-linked construction, beneficiary verification).

The novel work is not in the sensor stack. It is in the disciplined construction of an attestation pipeline that treats the device output as a primary source rather than a starting point for human translation. The intermediate human in the prevailing stack — the operator who types numbers into a portal — is the failure point. Removing the intermediate human is the wedge.

Three adjacent domains have completed substantially the same transition over the past decade:

1. Carbon accounting. The shift from self-reported to sensor-anchored CO₂ telemetry under VCS 4.0 and CDP integration created the assurance market that platforms like Watershed and Persefoni now serve.
2. Identity and credentials. The W3C Verifiable Credentials specification has become the reference architecture for portable, signed, vendor-neutral digital claims across finance, education, and trade documentation.
3. Media authenticity. The C2PA standard, jointly developed by Adobe, Microsoft, the BBC, and others, has emerged as the industry baseline for cryptographically signing photographic and video media at the point of capture.

The thesis here is not that any of these architectures is novel; it is that they have not yet been composed and applied to the non-financial disclosure surface, and that the regulatory window within which their composition becomes economically necessary opens this calendar year.

The system sketched above raises a set of questions which remain non-trivial and which we treat as research rather than engineering:

1. The minimum sufficient set of disclosure mappings for first- order coverage of the regulated population, and the cost function of expanding that set.
2. The legal weight of a hardware-anchored attestation under each jurisdiction's evidence rules. The audit firms will accept what the regulator accepts; the regulator's posture in 2026 is not yet settled.
3. The handling of beneficiary identity. Capture-time provenance for the operator does not require, and should not produce, capture-time identification of the people the operator serves. The negative space here matters as much as the affirmative schema.
4. The economics of a two-sided market in which one side (the corporate buyer) carries the regulatory cost and the other side (the field operator) carries the capture cost. The equilibrium under which the second side adopts the system at scale is the load-bearing assumption.

This is the why and the what — the argument for why an evidence layer for non-financial disclosure is now necessary, and the shape such a layer must take. The how — the engineering decisions that make it work in production — is what we are building. We will share it as we ship it.