We swapped the model behind a live inference gateway. The workload JWT was valid. The health check returned 200. The gateway process did not restart. The SPIFFE SVID did not rotate. The artifact manifest passed hash verification. The OPA policy hash was unchanged. The audit log recorded nothing unusual.
The model was different.
We did this three times. Same-architecture substitution, where the replacement shares the parameter count and API contract. Cross-family substitution, where both deployment containers pass integrity verification. API-regime rotation, where two commercially served models share the same key and endpoint.
Three substitutions. Three detected. Zero false accepts.
The detection layer is a structural fingerprint of the neural network measured during inference. Not a hash of the weights file. Not a registry entry. Not a behavioral test. A geometric property of how the network distributes probability mass across its vocabulary at two internal sites. The fingerprint is an architectural consequence, not something anyone inserted.
The gateway checks it the same way it checks a JWT: compare the measurement against the enrolled baseline. If the distance exceeds the threshold, deny the request. The attestation travels as a signed claim inside a standard token. OPA consumes it. Cedar consumes it. Envoy consumes it. Nothing in the existing stack needs to change except adding one measurement it was never designed to make.
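The check described above, as an added sketch that is not Fall Risk's code or claim format. It assumes an HS256-signed token, hypothetical claim names "model_id" and "model_fp", Euclidean distance, and a made-up threshold and baseline; the page specifies none of these.

```python
import base64, hashlib, hmac, json, math

# Assumptions, none from the page: HS256 signing, the claim names "model_id"
# and "model_fp", Euclidean distance, and the threshold value. Data is constructed.
ATTESTER_KEY = b"constructed-demo-key"
THRESHOLD = 0.05
ENROLLED = {"model-a": [0.412, 0.873, 0.105, 0.660]}  # enrolled baseline

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key, head, body):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign_token(claims, key=ATTESTER_KEY):
    """Attester side: carry the measurement as claims in a compact HS256 JWT."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_mac(key, head, body))}"

def authorize(token, key=ATTESTER_KEY):
    """Gateway side: verify the signature, then compare with the enrollment."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64(head)).get("alg") != "HS256":
            return False, "unsupported alg"
        if not hmac.compare_digest(_mac(key, head, body), _unb64(sig)):
            return False, "bad signature"
        claims = json.loads(_unb64(body))
        baseline = ENROLLED.get(claims.get("model_id"))
        measured = claims.get("model_fp")
        if baseline is None:
            return False, "model not enrolled"
        if not isinstance(measured, list) or len(measured) != len(baseline):
            return False, "fingerprint missing or wrong shape"
        distance = math.dist(measured, baseline)
    except (ValueError, TypeError, AttributeError, OverflowError):
        return False, "malformed token"
    # Written as "not <=" so a NaN distance fails closed instead of passing.
    if not distance <= THRESHOLD:
        return False, f"fingerprint distance {distance:.3f} over threshold"
    return True, "ok"
```

A correctly signed token whose measurement sits far from the baseline is denied, which is the substitution case: every identity check passes and only the distance comparison fails.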
The gap
Okta ships its agent identity suite on April 30. It will answer three questions: where are my agents, what can they connect to, what can they do. These are the right questions for the software harness. They are silent on the fourth: which neural network is computing the response.
NIST’s AI Agent Standards Initiative, the IETF WIMSE working group, and the EU AI Office’s draft implementing regulation for Article 92 evaluations all share the same dependency. The evaluation was performed on a specific model. The framework does not verify that the model in production is the model that was evaluated. Article 15 enforcement begins August 2026.
In March 2026, a $50 billion company’s flagship coding product was publicly identified as running an undisclosed model foundation. The discovery came from an accidental API metadata leak. Not a measurement. Not a policy gate. A leak.
That is the continuity gap. It does not close by strengthening agent authentication. It closes when someone measures the model.
What exists
Twenty-four models across five architecture families are enrolled in the Fall Risk enrollment registry. The signatures are verifiable in your browser. The measurement takes under 30 seconds at 70 billion parameters. The formal impossibility proof — that no standalone model can spoof another’s fingerprint within a computationally meaningful budget — is published and machine-verified with zero unfinished proof obligations.