Cybersecurity Under Change: Proof-Carrying Assurance via Frozen Records and a One-Residual, One-Clock Certificate

Cybersecurity assurance drifts under change. Tooling updates, policy revisions, monitoring redesigns, and AI-enabled automation can silently change what is measured, how it is measured, and which differences are treated as “the same,” while human workflows adapt under staffing constraints, alert fatigue, incentives, and competing priorities. We introduce a human-centred, proof-carrying approach to security assurance: a certificate layer that freezes one operational record—system boundary, defect definitions, risk scoring ruler, neutrality conventions, audit window, upgrade path, and observation interfaces—so that “improvement under upgrades” has a precise and checkable meaning. Over time, the method combines multiple interacting risk channels into a single decision-ready assurance summary with an explicit improvement margin and an explicit disturbance allowance, designed to remain interpretable during incidents and operational spikes. Across versions and refinements, it enforces a vertical-coherence requirement: upgrade effects must have a finite total footprint so that claims do not drift without bound as systems evolve. We package the framework as four auditable obligations—controlling semantic and policy drift, maintaining a uniform improvement claim, ensuring upgrade coherence, and transporting guarantees to observable evidence—and prove a Master Certificate showing that passing these checks yields version-stable, mechanically verifiable assurance envelopes on the declared episode window. The resulting rates, budgets, and slack are human-centred objects: decision-ready summaries, governance-grade non-regression guarantees, and feasibility diagnostics under organisational constraints.