The Right to Be Forgotten, Cryptographically: Proof of Erasure Under GDPR Article 17
A signed tombstone can prove erasure of both data fragments and model weights without re-disclosing the very data being deleted.
In early 2026 a data subject exercised the right to erasure and received something most controllers still cannot produce: a signed tombstone. Not an email promising the work had been done, but a cryptographic artefact attesting that the relevant dataset fragments and the model weights learned from them had both been removed. The attestation was verifiable by the requester and by a regulator, yet it disclosed nothing about the record. The proof stood on its own without re-exposing the data it certified gone.
This matters now because the ground has shifted. The EU AI Act reaches full application on 2 August 2026, ISO/IEC 42001 is becoming a reference for AI management systems, and public bodies across the UK, guided by the Sovereign AI programme and by concern over where health data lives, are asking a harder question than before. It is no longer enough to be told that data was deleted. Supervisors want the seeing to be a matter of mathematics rather than trust.
Why deletion stopped being a database problem
For two decades, erasure meant a row disappearing from a table. Article 17 of the GDPR was drafted in that world, and most compliance tooling still assumes it. The difficulty is that the data has long since left the table. It has been copied into training corpora, sharded across storage tiers, embedded in vector indexes, and, most awkwardly, absorbed into the parameters of a model.
A model does not store its training records the way a database stores rows, but it does retain their influence. Membership inference and extraction attacks have shown that a subject can sometimes be recovered, or at least detected, from weights alone. Deleting the source file therefore satisfies the letter of a naive request while leaving the learned residue untouched. Honest erasure has to reach both the fragments on disk and the influence in the weights.
The second difficulty is evidential. A controller who deletes data has, by definition, destroyed the thing a sceptic would inspect to confirm it. Proving a negative without reconstructing the record is the central puzzle, and it is why so many erasure responses amount to a polite assurance.
What a cryptographic tombstone actually is
A tombstone, in this setting, is a signed record that a specific object no longer exists, bound to evidence that the removal took place. The object is never named in the clear. It is identified by a salted commitment, so the tombstone can be handed to a regulator without leaking the identity it concerns.
The evidence chained into it is threefold. First, a proof that the addressed dataset fragments were overwritten and that their prior commitments no longer resolve to live storage. Second, an attestation that the affected model was retrained or unlearned to remove the contribution of the subject, referenced by the before and after digests. Third, a signature over the whole assembly, timestamped and anchored so the erasure cannot later be back-dated or quietly reversed.
“Erasure that cannot be verified without re-disclosing the data is not erasure a regulator should accept, and erasure that can be verified is the standard controllers should now hold themselves to.”
Reaching the weights, not just the files
Removing influence from a model is the part the field has been slowest to confront. Full retraining from a cleaned corpus is the unambiguous route, and for smaller sovereign models it is tractable. Where retraining every time is impractical, approximate unlearning reduces the contribution of a subject and is paired with a measured bound on residual influence, so the tombstone stays honest about what it guarantees.
Whichever path is taken, the discipline is the same. The pre-erasure model is committed to a digest, the erasure procedure is recorded as a sealed step, and the post-erasure model is committed again. Anyone holding the tombstone can confirm that the new weights descend from the stated procedure applied to the stated starting point, with no access to the underlying data.
Verifiable offline, and without a trusted third party
The design choice that makes this credible for a regulator is that verification is local. In a Sovereign Intelligence Operating System, a SIOS, running offline on operator-owned hardware, every action is cryptographically sealed as it happens. Erasure is one such action, and its tombstone is a link in the same audit chain that records everything else.
That chain is signed with post-quantum algorithms, so an attestation issued today does not become forgeable when cryptographically relevant quantum computers arrive. Identity is hardware-attested, so a tombstone is bound to the specific machine and operator that produced it rather than to a revocable cloud credential. The verifier needs no live connection to the vendor and no continued goodwill from the controller. That self-containment is what makes it usable evidence.
Where consensus and a sealed perimeter come in
Erasure of this kind is a high-stakes action, and a system that can quietly un-erase is worse than one that cannot erase at all. Two structural safeguards address this. The inbound perimeter is zero-egress: work is accepted, but data is not silently shipped out, so a deleted fragment cannot be reintroduced from an unaudited channel. And attesting an erasure as complete can be gated by cross-model consensus, where independent sovereign models must agree the procedure and evidence are sound before the tombstone is signed.
These are governance mechanisms as much as technical ones, and they map onto the agentic-audit expectations now entering supervisory practice. An autonomous system acting on personal data should show not only what it did but that more than one internal check assented first. The mechanisms described here are covered by 104 filed UK patent applications, approximately 2,340 claims, owned by Mickai LTD, and are treated as filed capabilities under examination rather than settled law.
What this asks of controllers and regulators
For a CISO, the shift is from policy to proof. An erasure workflow that ends in a signed, offline-verifiable tombstone can be tested by internal audit and handed to a data protection authority without a further disclosure incident. It also narrows any dispute over whether a request was honoured, because the answer is an artefact.
For a regulator, supervision stops depending on self-attestation. A tombstone chain lets a supervisory authority confirm that erasures happened, in the stated order, without demanding the personal data itself. The alternative, handing over the data to prove it was deleted, is self-defeating.
None of this repeals the hard cases. Legal-hold obligations, backups outside the erasure boundary, and the tension between retention duties and deletion rights all remain live. Cryptographic proof does not resolve those conflicts. It makes each resolution auditable, so lawful retention can be shown for what it is.
The direction of travel
The 2026 request that received a signed tombstone will not stay exceptional. As the full application of the AI Act beds in and standards such as ISO/IEC 42001 harden into procurement requirements, the expectation that erasure be demonstrable rather than merely declared will move from good practice towards baseline. The organisations best placed for that shift are the ones already treating deletion as an audited, cryptographically sealed event.
The right to be forgotten deserves the same evidential seriousness as any other regulated control. A right that cannot be verified depends on trust, and personal data is the domain where trust has proven insufficient. The aim is erasure that is provable offline, bound to the hardware that performed it, and honest about its limits. That is the standard a serious buyer, and a serious regulator, is entitled to expect.




