The Recall That Couldn't Find Its Own Decision

A crate of lettuce and a question nobody can answer

Picture a recall notice going out on a Tuesday. A batch of bagged salad is linked to illness across four regions. The supermarket pulls it. The processor traces the lot back to a single farm and a single washing line. Good. That part of the system works, and it works because two decades of effort went into produce traceability, lot codes, and one-step-back one-step-forward records. We can now follow a leaf to the field it grew in, and that is a genuine achievement that has saved lives and shortened outbreaks.

Then the harder question lands. Three days before that batch shipped, an automated grading system inspected the incoming crop and an artificial intelligence (AI) model flagged a sub-lot as borderline. A second model, optimising for waste reduction, downgraded the flag and let the produce continue. A routing system, balancing truck capacity against a forecast heatwave, sent it on a longer path through a depot where the cold chain wobbled for forty minutes. None of these were human decisions in the moment. They were model outputs, made in milliseconds, logged thinly or not at all. So when the investigator asks the only question that matters, which decision let this through and on what basis, the answer is a shrug. We traced the lettuce. We never traced the judgment that cleared it. And the judgment is the thing that made someone sick.

We solved the wrong half of traceability

Food traceability, as an industry discipline, was built to answer where. Where did this come from, where did it go, who handled it. That was the right problem for a world where the decisions about safety were made by people you could name and records you could subpoena. A quality manager signed off. An inspector stamped a form. If something went wrong, you found the human in the loop and you read what they wrote. The record was thin, but the decision-maker was a person who could be questioned, and the two together were usually enough.

That world is quietly dissolving. AI now sits at dozens of decision points between field and fork. Computer vision grades fruit for size, ripeness, and blemish. Models predict remaining shelf life and set dynamic markdowns. Demand forecasters decide how much gets harvested and when. Cold-chain systems decide which refrigeration unit gets priority power when a depot loses capacity. Pesticide and irrigation advisories are model-driven. Even the recall itself is increasingly scoped by an algorithm deciding which lots are statistically implicated. We have automated the judgment and kept the old records, which only ever tracked the goods. We solved the where. We left the why completely unguarded, and the why is what kills people or clears them.

Why this is worse than a normal blind spot

A missing record is annoying. A missing decision record in a safety-critical chain is a different category of problem, for three reasons that compound rather than merely add. First, AI decisions are dense and fast. A human grader makes a few thousand judgment calls in a shift and could, in principle, recall the unusual ones. A vision model makes millions, each one a real decision with real consequence, and remembers none unless something deliberately writes it down before it acts. The volume that makes automation valuable is the same volume that makes after-the-fact reconstruction impossible.

Second, the decisions interact. The grading model, the waste-optimisation model, and the routing model were each defensible alone. The failure emerged from their combination, and combinations are exactly what thin, per-system logs cannot reconstruct. You end up with three vendors each holding a partial, differently-formatted, possibly-edited log, and no shared spine to align them on. The recall investigator becomes an archaeologist with three incompatible maps and no way to confirm any of them is honest.

Third, and this is the part the industry has not internalised, logs that can be changed after the fact are not evidence. If a model made a bad call and the operator can quietly rewrite the log, or the log was simply overwritten on the next cycle, then the record proves nothing in a courtroom, to a regulator, or to a public that has stopped trusting comfortable explanations. A record you can edit after the harm is a record that exonerates whoever holds the pen. The volume problem and the interaction problem are hard. The tamper problem is fatal, because it means even a complete log is worthless the moment its keeper has a motive to alter it.

The four places AI already decides, and where the record dies

It helps to be concrete about where the gap actually opens, because this is not hypothetical and it is not five years away. It is in production now, across four broad stages. At the farm and harvest stage, models drive irrigation, predict optimal harvest windows, and increasingly govern automated picking and first-pass grading. A decision to harvest early to beat weather, taken by a forecasting system, propagates all the way to shelf life. The record, if it exists, lives inside a proprietary agronomy platform with no obligation to preserve it and every commercial incentive not to share it.

At processing and grading, computer vision sorts at speeds no human matches. The model that decides this batch is fine and that one is borderline is the single most safety-relevant AI in the chain, and it is typically the least documented. Its confidence scores, the exact model running that day, the threshold it was tuned to, all of this is precisely what a recall needs and almost none of it survives the week. At logistics and cold chain, routing and load-balancing models make temperature-critical trade-offs continuously. A forty-minute warm spell in a depot is the kind of event that determines whether a pathogen multiplies past a safe threshold, and the decision that caused the delay sits in a logistics optimiser whose logs were designed for billing, not for forensics.

At retail and recall, markdown engines decide what stays on shelves near its limit, and recall-scoping algorithms decide how wide to cast the net. Cast too narrow and people get sick. Cast too wide and you destroy food and public trust needlessly, and the next recall gets ignored because the last one cried wolf. Either way, the decision that set the boundary is the decision you most need to be able to defend, and it is made by a model whose reasoning evaporated the moment it ran. Four stages, one pattern. The goods are tracked. The decisions are not.

Regulation is arriving, and it asks for exactly what nobody kept

This is not only a moral or operational argument. The regulatory ground is shifting under the food sector specifically. Food safety law already demands traceability of product. The newer wave demands accountability of automated systems, and the two are about to collide in the food supply chain where both apply at once. A grading model that decides what is fit to eat is not a peripheral convenience. It is a system that affects the safety of a product people put in their bodies, and regulators are starting to treat it that way.

In the European Union (EU), the Artificial Intelligence Act brings high-risk obligations into force in stages, with significant duties landing in August 2026. Systems that affect safety, including AI woven into the safety of products people consume, attract requirements for logging, record-keeping, human oversight, and the ability to explain what the system did and why. Product safety frameworks and evolving liability rules are moving in the same direction, lowering the bar for a claimant to argue that an opaque automated system caused harm. The practical translation is blunt. If your AI made a decision in a chain that hurt someone, you will be expected to produce the record of that decision, and the absence of a record will increasingly be read as fault rather than as bad luck.

Add the post-quantum migration now under way across serious infrastructure. Records that must hold their integrity for years, which is exactly the horizon of food-safety litigation and regulatory review, need to be signed in a way that a future quantum computer cannot forge. A signature scheme that is secure today but breakable in a decade is not adequate for evidence meant to survive a decade. The sector is sleepwalking toward a moment where it is legally required to produce records it never designed itself to keep, in a cryptographic form it has not adopted. The deadline is not a surprise. It is on the calendar, and most of the chain is not building for it.

What an honest record would actually have to do

So define the target properly, because most proposed fixes quietly fail one of these tests. An adequate decision record for AI in the food chain has to satisfy a short and unforgiving list, and dropping any single item makes the whole thing collapse under pressure from a serious lawyer. It has to be written before the action, not after. A record created after the produce ships is a record created after the operator knows whether there was a problem, and that is precisely when the incentive to shade the truth is strongest. The decision must be sealed at the moment it is made, while the outcome is still unknown and nobody yet has a reason to lie.

It has to be tamper-evident across systems. Each link, grading, routing, markdown, must write into a chain where altering any past entry breaks every entry after it, so that a quiet edit is mathematically visible rather than invisible. One vendor cannot be trusted to guard their own log, because they are the party with the most to lose if it indicts them. It also has to be verifiable without trusting the vendor. A regulator, an insurer, a court, or a journalist must be able to check the record's integrity independently, ideally offline, in an ordinary browser, without asking the company that made the AI to vouch for it. Self-certified evidence is not evidence. The whole point of a record is that it constrains the person who wrote it, and a record only the writer can validate constrains nobody.

And it has to last. The signatures protecting it must remain unforgeable across the full lifetime of the food-safety and liability exposure, which means they must already be post-quantum, not scheduled for migration after the first quantum break makes a decade of records repudiable. Four properties, all required at once. Written before the act, tamper-evident in a chain, independently verifiable offline, and durable against future cryptographic attack. Anything missing one of them is a record that looks like evidence right up until the moment it matters.

Why the obvious fixes fall short

The reflex answer is more logging, and more logging is necessary but nowhere near sufficient. A bigger log that can still be edited is a bigger pile of inadmissible text. A blockchain that anchors product movement but not the actual decision and its inputs anchors the wrong thing beautifully. A central database that every vendor trusts moves the single point of failure rather than removing it, and it asks competitors to trust a custodian, which they will not do, because the custodian is also a commercial party with its own exposure.

The honest engineering conclusion is that the record has to be a property of the decision itself, produced by the system that made the decision, sealed at the instant of action, in a chain no participant can rewrite, checkable by anyone with no privileged access. That is a high bar. It is also the only bar that survives contact with a real recall, a real regulator, and a real adversary who would very much like the inconvenient entry to disappear. Every fix that is easier than that is easier precisely because it leaves one of the four properties out, and the property it leaves out is always the one the adversary was hoping you would skip.

What we built, and why it points straight at this problem

I run Mickai, and I want to be precise about why this gap is one we built directly toward, because I am not interested in selling a vibe. Mickai is a Sovereign Intelligence Operating System (SIOS). It is built and in production. At its centre is something we call the Open Audit Record (OAR), and the design choices in the OAR map onto the four tests above almost line for line, which is not a coincidence, because those tests are the reason it exists. We did not retrofit an audit trail onto a working system. We started from the assumption that the record is the product and the intelligence is the thing that has to be held accountable to it.

In the OAR, every AI action is signed before it executes. The seal is created at the moment of decision, not reconstructed afterward, which removes the most dangerous gap in food forensics, the window between an outcome becoming known and a record being written. Each entry is hash-chained and append-only, so altering any past decision breaks the chain from that point forward and the tampering is visible to anyone who looks. The signatures are post-quantum, using the United States National Institute of Standards and Technology (NIST) standard FIPS 204, specifically the ML-DSA-65 scheme, so the record is built to remain unforgeable across the long horizon that food-safety liability actually runs to. And the record is verifiable offline, in an ordinary browser, with no trust placed in us as the vendor. That last property is the one I care about most, because it is the one that makes the record evidence rather than marketing.

Underneath sit fifty brains, twenty-five domain and twenty-five operational, on the Poseidon silicon substrate. These are Mickai models. We fine-tune and specialise open foundations such as Llama 3.2 and Qwen 2.5 and we are actively training our own models now, building a sealed corpus, with funding scaling that work toward fully native weights. Above and around all of it is the discipline of the portfolio behind the architecture, 101 filed United Kingdom patent applications covering roughly 2,234 claims, owned by Mickai LTD with myself as the named inventor. A sovereign Layer 1 called Pantheon anchors the audit root to Bitcoin, so the chain of decisions is rooted in something no single party controls, with a fixed-supply token, PAN, of five billion units. The Pantheon chain is the one piece still in build. I will not pretend otherwise, because the entire argument I am making collapses if I overstate what exists. The rest is live.

The leaf and the judgment

Here is the distinction I want to leave you with, because it is the whole essay in one line. We learned to trace the leaf. We never learned to trace the judgment that cleared the leaf. For a generation that was acceptable, because the judgment lived in a person you could find and a form you could read. Now the judgment lives in models that decide millions of times a day, faster than memory, and the records we kept were never built to hold a decision, only to hold a location. The shape of the problem did not change. The thing making the decision did, and our records did not follow it.

A food chain that can prove where a tomato has been but cannot prove why an automated system passed it is not a traceable chain. It is a chain that traces the easy half and hopes nobody asks about the hard half. The next serious recall will ask. The regulator landing obligations in 2026 will ask. The court applying lowered liability thresholds will ask. And the only good answer is a record that was signed before the action, that nobody can quietly rewrite, that survives the quantum horizon, and that a stranger can verify offline without taking your word for anything. Provenance of the product was the achievement of the last twenty years. Provenance of the decision is the work of the next ten, and it is the half that actually keeps people safe.