2  The Provenance Problem

2.1 The Missing Provenance Layer

Supply chains can verify objects better than histories. The missing layer is a continuous record of who approved, objected, signed, transferred, or certified what, when, and under whose responsibility.

Provenance belongs in the operating layer, not the reporting layer. Certificates, inspection results, MRB decisions, and every revision along the way derive their business value from the actions around them. When those actions live as PDFs, emails, and platform-specific records, the digital thread becomes a reconstruction exercise rather than evidence any party can verify.

Physical checks answer point-in-time questions; they do not preserve custody. A PUF scan, stable isotope analysis, or spectral fingerprint can confirm identity or origin at one moment. None preserves the trail between origin, inspection, shipment, receipt, and resale.

Organisations paper over this gap with trust: a manufacturer trusts a supplier’s database, a regulator trusts a certificate, and a customer trusts a label. That trust is now eroding — generative AI makes convincing documents trivial to fabricate, and the signals organisations once relied on to detect forgery are losing reliability. Each assumption becomes a point where the connection between physical reality and digital record can break without warning.

2.2 Why Existing Systems Fall Short

Broken provenance turns complete-looking files into incomplete evidence. Illegal logging, counterfeit pharmaceuticals, conflict minerals, mislabelled food, and safety-critical equipment failures share one pattern: documents may look complete while no external party can verify the event history, revision path, comment trail, or approval sequence behind them. In long-lived industrial assets, contractors, fabricators, laboratories, logistics providers, operators, insurers, and regulators handle records for decades. One missing correction, objection, or handoff can turn a compliance file into a liability dispute.

Regulation raises the cost of that ambiguity. Digital Product Passport mandates, deforestation regulations, circular-economy rules, food safety regimes, and product-liability frameworks all assume durable provenance that external parties can verify (European Parliament and Council 2024). Most enterprise systems still produce platform-bound records that satisfy internal workflows but fail external scrutiny.

Each generation of trust infrastructure solved one problem and exposed another. Relationships worked at local scale. Paper made records explicit but forgeable. Databases improved speed but concentrated control in operators. Distributed ledgers spread control across participants, then added node infrastructure, governance, consensus latency, upgrade coordination, and costs many supply-chain actors cannot absorb (Caldarelli 2024).

Table 2.1: Each generation of trust infrastructure closes one gap but leaves another open
Solution Persistent record Scales Tamper-evident Operator-independent Lightweight
Relationships
Paper Records
Shared Databases
Blockchains/DLT

No row achieves all five — this is the provenance gap.

The core mistake treats provenance as a shared-computation problem. Supply chains need evidence that events entered the record in order, stayed unaltered, and carry accountable authorship. Most do not need every participant to execute the same business logic on replicated infrastructure. Consensus can strengthen shared computation; provenance needs durable proof.

2.3 What Provenance Must Provide

A provenance layer must provide five properties at once.

Table 2.2: Provenance requirements and their practical meaning
Requirement Practical Meaning Failure Without It
Tamper-evidence Any alteration, deletion, or insertion becomes detectable by any verifier Records can change after the fact with no reliable signal
Attribution Each event binds to a specific accountable actor Responsibility diffuses across departments, vendors, or service accounts
Independent verifiability Any authorised holder can check the record without relying on the system that produced it Auditors must trust the operator they are auditing
Lightweight operation Participation fits existing storage and workflow costs Smaller actors fall outside the record, breaking continuity
Continuity Physical checks and digital events bind into one sequence Strong inspections remain disconnected from custody history

Tamper-evidence is about detection — alteration creates an obvious cryptographic failure. A provenance record gains practical integrity when alteration creates an obvious cryptographic failure. Attribution adds the accountability layer: a hash chain proves record integrity; identity-bound signatures show which actor attested to each event. Its value comes from removing anonymity and plausible deniability.

Independent verification gives the record life beyond the platform that produced it. A regulator, insurer, customer, or downstream partner should not need a live service to confirm integrity. Lightweight operation keeps the network complete: suppliers with limited IT capacity can receive, store, and verify the evidence. Continuity binds the physical and digital halves of provenance into a single chain.

EventChain fits between architectures that are too heavy and systems that are too weak. Helios supplies the business logic that decides which lifecycle actions deserve evidentiary weight; EventChain supplies the connective substrate: a hash-chained, append-only provenance infrastructure that participants can write to, distribute through access policies, and verify without the Hub.