Every governance system rests on one question: who did this? Whose spend, whose request, whose decision. Get that wrong and everything downstream, the audit trail, the attribution, the policy, is built on sand.
So here is the uncomfortable bit. A surprising number of AI setups answer that question by asking the AI itself. And that is exactly the thing you must never do.
Models guess. Identity isn't a guess.
A language model is a probabilistic system. Ask it the same thing twice and you can get two different answers, and neither comes with a guarantee. That is fine, useful even, when the task is genuinely open: draft this, summarise that, suggest an approach. There is no single right answer, so a best effort is exactly what you want.
Identity is the opposite. "Which team does this request belong to?" has exactly one correct answer. "Which API key made this call?" is a fact, not an opinion. The moment you ask a model to assert its own identity, you have taken something with one right answer and handed it to a system that deals in likelihoods. Most of the time it will be right. Occasionally it will be confidently, plausibly wrong, and you will have no way to tell which.
A confidently wrong identity is worse than no identity at all. At least a blank you can catch.
Everything hangs off this
In a governance layer, identity is not a nice-to-have field. It is the spine.
Attribution depends on it: whose spend is this? The audit trail depends on it: who made this call, under what policy? Enforcement depends on it: which rules apply to this key, which limits, which team's budget? Tagging, reporting, per-team caps, every one of them assumes you know, for certain, who is acting.
If that foundation is fuzzy, everything built on top inherits the fuzz. Your spend numbers become estimates. Your audit trail becomes a story rather than a record. Your policy fires against the wrong actor. You do not have a governance system at that point. You have a governance-shaped thing that looks right until the one time it matters.
The rule: if it's deterministic, never ask the model to do it
There is a simple principle underneath all of this, and it is worth stating plainly. If a task has exactly one correct answer that your code can work out reliably, do not hand it to the model.
Identity is the cleanest example. The system already knows who is acting, because the request arrived with a credential: an API key, a token, some piece of auth. That credential is the identity. You resolve it in code, deterministically, before the model does anything at all. The model is never asked who it is. It cannot get it wrong, because it is never in the loop for that decision.
This is not a limitation you are working around. It is the correct design. The model is for the fuzzy, generative, judgement-shaped work where a best effort is genuinely the goal. Deterministic facts belong in deterministic code. Mixing the two, letting a probabilistic system decide things that have one right answer, is how you build software that fails in ways you cannot predict.
It goes beyond identity
Once you see it, the same logic applies across a whole governance layer.
Logging should be deterministic. A hard block on a specific piece of data should be deterministic, which is the same reason I keep prevention as a hard block separate from oversight. Auth, attribution, the record of what happened, all of these are facts the system owns, not questions you put to the model. Reserve the model for the parts that are genuinely uncertain, and keep everything with a single correct answer in code where it belongs.
The failure mode is always the same. Someone hands a model a job that was never probabilistic in the first place, the model gets it right ninety-nine times, and the hundredth time it is wrong in a way nobody notices until the numbers do not add up.
Where this leaves you
This is how SpendLil is built. Identity is resolved from the key on every request, deterministically, before anything else happens. The model never asserts who it is and never could. Every figure, every attribution, every policy decision rests on a fact the system owns, not a guess the model made.
Because a governance layer is only as trustworthy as its most basic assumption. And the most basic assumption of all is knowing, for certain, who is acting. Do not ask the AI. It does not know, and it should never be the one to say.
Governance that rests on facts, not guesses
SpendLil tracks every AI request with identity resolved deterministically from the key, so your spend and your audit trail rest on facts.
See SpendLil →Get the newsletter
Weekly updates on AI governance, costs, and practical guides for UK businesses.
Subscribe →