There is a moment in every security incident that I have come to think of as the hinge. Someone senior asks what happened, and someone else offers an answer that sounds complete. The server was patched. The account was disabled. The vendor confirmed nothing left the network. The room wants to believe it, because believing it means going home.
The discipline of incident response is refusing that moment. You do not take the claim. You pull the logs.
I did this for the better part of fifteen years in enterprise security, and the logs disagreed with the confident answer more often than anyone would like to admit. The server was patched, but not rebooted, so the vulnerable code was still resident. The account was disabled, but its tokens were still valid for hours. The vendor's confirmation was sincere and wrong. Not lies, mostly. Just the natural gap between what people believe happened and what the evidence shows happened. Incident response is the practice of living inside that gap until it closes.
Promises Are the Native Currency of Business
Leave the security war room and walk into any commercial relationship, and you find the opposite discipline. Business runs on promises taken largely at face value.
A contract is a promise with penalties attached. A service level agreement is a promise with math attached. An invoice is a request for payment against a promise presumed kept. When the promise fails, we do not pull the logs; we open a negotiation. The customer believes the campaign underperformed, the vendor believes it overdelivered, and both arrive with slide decks instead of evidence. The dispute is settled by leverage, relationship, and fatigue, and rarely by anything I would recognize as ground truth.
We accept this because for most of commercial history, checking was more expensive than trusting. You could not audit every delivery. You could not instrument every outcome. So we built a civilization of proxies: brands, references, penalty clauses, professional trust. Reasonable engineering for a world where evidence was scarce.
That world is ending. The work is increasingly done by software, and software leaves logs by default. The outcome of a delivered service, the latency, the accuracy, the completion, the transformation of input into output, is increasingly a measurable fact rather than a matter of opinion. The evidence exists. What is missing is the discipline, and the machinery, to make the evidence the arbiter instead of the slide decks.
Proof Over Promises
Here is the transposition I keep making from my old work to my current one. In incident response, the log does not care about anyone's confidence. It shows what happened, and the investigation is over when the evidence is coherent, not when the most senior person in the room feels satisfied. Now apply that standard to a business outcome.
Instead of a promise to deliver, define the outcome in terms that can be checked mechanically: what constitutes done, measured how, evidenced by what. Instead of paying against an invoice and disputing later, condition settlement on the evidence itself. The payment does not follow the claim of completion. It follows the proof of completion. If the proof never materializes, the money never moves, and there is nothing to argue about, because nothing was surrendered on faith.
When the parties are AI agents, this stops being a preference and becomes a requirement. An agent cannot evaluate sincerity. It cannot weigh a counterparty's reputation over dinner. It can only check facts, so the facts have to be checkable, or the agent is simply exposed. Designing commerce this way, outcomes specified up front, evidence generated in the course of the work, settlement bound to the evidence, is the core of what I now spend my days on at Setix. It is incident response discipline applied before the incident: decide what the logs must show, then let the logs decide.
The Culture Underneath the Mechanism
I will admit the deeper lesson is not technical. Security taught me that the willingness to check is a culture before it is a tool. Teams that pull the logs do so because they have internalized that being wrong quickly is cheaper than being wrong slowly, and that evidence is a kindness, not an accusation. An economy that settles on proof will need the same temperament: parties who prefer a checkable fact to a flattering story, even when the story favors them.
I trust promises the way I trust an unverified alibi, which is to say provisionally, and with a strong urge to see the logs. It made me tiresome in meetings. I suspect it will make for much better infrastructure.