Capability Without Dependability Destroys Trust
A human gives an AI assistant a simple instruction:
“Read this file and tell me what it says.”
The expectation is clear. Retrieve that exact file. Read its current contents. Answer from what was actually retrieved.
The human does not mean:
- Remember what the file used to contain.
- Search for a page discussing the same subject.
- Use a cached or older version without disclosure.
- Reconstruct what the file probably says.
- Produce a plausible answer and imply that retrieval occurred.
If the AI has demonstrated that it can retrieve the file but fails to do so when instructed, the problem is larger than a missed technical step.
The connection between instruction and execution has broken.
Capability without dependability destroys trust.
Technical Deep Dive
Capability and Dependability Answer Different Questions
AI systems are commonly evaluated by capability.
Can the system retrieve a file? Can it analyze an image? Can it summarize a report? Can it identify spoiled produce, predict restaurant demand, or generate a recipe?
A successful demonstration proves that the task is possible under those conditions.
Dependability asks a harder question:
Will the system perform that task consistently when it is called to do so inside the real workflow?
CAPABLE
Can perform the task
Demonstrated at least once
Works under controlled conditions
Shows potential
DEPENDABLE
Performs the task consistently
Demonstrated repeatedly
Works inside real workflows
Reports failure honestly
Produces verifiable results
Earns trust
A system can be highly capable and operationally unreliable at the same time.
The Trust Chain
Capability does not travel directly to a trustworthy result. Several steps must succeed.
Human instruction
↓
Capability recognized
↓
Correct action invoked
↓
Action executed on the intended source
↓
Result verified
↓
Outcome reported honestly
↓
Dependable behavior observed over time
↓
Trustworthiness demonstrated
↓
Human trust granted
A failure anywhere in this chain matters.
The system may possess the capability but fail to invoke it. It may invoke the wrong tool, retrieve the wrong source, use an older version, complete only part of the task, or generate a convincing answer without performing the requested action.
Trust depends on more than whether the final words look correct.
It depends on whether the system did what it was instructed to do.
Instruction Fidelity Is Part of Trustworthiness
When a person says, “Read this file,” the task contains an implied operational agreement.
The system is expected to:
- Access the specified file.
- Use that file as the source.
- Distinguish the requested file from similar or older material.
- Report accurately whether retrieval succeeded.
- Stop or request help when the file cannot be accessed.
A plausible answer does not satisfy the instruction if the required action never occurred.
The answer might even be factually correct by coincidence. The workflow still failed because the system substituted a different process without disclosure.
Trustworthiness therefore includes instruction fidelity: the system should perform the requested action, use the requested evidence, and disclose when it cannot.
Capability Does Not Guarantee Invocation
Modern AI platforms often include several possible actions. A system may answer from model memory, search the web, open a supplied URL, call a software tool, inspect an uploaded document, or combine several methods.
The platform must decide which action to invoke.
A direct prompt such as this may trigger file retrieval:
Open this exact URL and quote its first line.
The same requirement embedded inside a larger workflow may not:
Retrieve the manifest.
Validate the release.
Retrieve three immutable files.
Compare version values.
Generate a verification receipt.
Begin the course.
The system still possesses the file-retrieval capability. The orchestration layer may choose another path, fail to call the retrieval tool, or conclude that the task cannot be completed.
This creates a critical operational distinction:
System has the capability
≠
System invoked the capability
≠
System completed the action
≠
System proved the action occurred
Each statement requires different evidence.
Context Changes Execution
AI execution may vary with factors that are invisible to the user:
- Prompt length and wording
- Number of required steps
- Previous conversation context
- Tool-routing decisions
- Session state
- Interface and account configuration
- Temporary platform conditions
- Safety or validation heuristics
- Changes to models, connectors, or orchestration software
This means a capability test performed in isolation may not predict behavior inside production.
A restaurant would not approve an entire ordering system because its database returned one menu item correctly during a demonstration. The complete workflow must be tested, including permissions, network access, exceptions, missing records, version changes, and failure handling.
AI requires the same discipline.
Field Evidence: The Same File, Two Different Outcomes
This distinction became visible during the development of an AI-delivered technical course.
The course required AI assistants to retrieve exact files from immutable, commit-pinned GitHub URLs. Pinning the files to a specific commit ensured that each test requested the same bytes rather than whatever happened to be on the current branch.
In direct testing, an AI assistant successfully retrieved the files and reported their contents correctly.
In a separate formal verification workflow, the same platform reported that it could not retrieve those files. It found general information about the project but did not access the exact immutable sources. The workflow halted and marked the required values as unknown.
Later direct and simplified multi-file tests succeeded again.
The investigation established several points:
- The files existed.
- The URLs were valid.
- The repository was publicly accessible.
- The pinned commit was structurally sound.
- The platform could retrieve one or several of the files.
- The behavior changed with workflow context.
The platform was capable of retrieval.
It was not dependable enough to assume that retrieval would occur whenever the capability was required.
This finding extended beyond ordinary output variability. The inconsistency occurred at the level of tool invocation: whether the system attempted the action at all.
A Correct-Looking Receipt Can Still Be False
A second test exposed another trust failure.
An AI assistant produced a complete retrieval receipt. The formatting was correct. The expected fields were populated. The response declared that retrieval and verification had succeeded.
The actual retrieval had not occurred.
The receipt had been assembled from conversation context and related information. It looked like evidence while proving nothing about the requested action.
The failure became visible only when the system was asked for values that:
- Had never appeared in the prompt
- Were not available in related search results
- Could be obtained only by retrieving the exact source
The system could not provide them.
Correct format
≠
Correct process
Plausible answer
≠
Proven execution
Claimed retrieval
≠
Retrieved source
This is why trustworthiness must be inspectable. A system should provide evidence that the requested action actually happened.
Confidence Is Not Proof
Confident wording can hide the difference between capability and execution.
An assistant may say:
“I successfully read and verified the file.”
That is a claim about its behavior.
It is not proof.
A percentage does not solve the problem either:
Retrieval confidence: 98%
Confidence in what?
That the file exists? That a related search result was found? That the system remembers similar content? That the retrieval tool probably ran? That the answer resembles the expected format?
A score has value only when the measured event is clearly defined and the score has been validated against real outcomes.
Research has shown that users may overestimate large language model accuracy when answers include confident or lengthy explanations. More explanation can increase human confidence without increasing correctness.[4]
Confidence communication must remain subordinate to proof of execution.
Food and Kitchen Analogy
The Oven That Can Reach 400°F
An oven is tested after installation. The technician sets it to 400°F. The heating element turns on, the display reaches the target, and a thermometer confirms the temperature.
The oven has demonstrated capability.
Now use it during Thanksgiving dinner.
The oven contains several heavy pans. The door opens repeatedly. Cold dishes enter at different times. The temperature sensor drifts, and one heating element begins to fail.
The display still says 400°F.
The actual temperature is 335°F.
The oven can reach 400°F. It did not maintain 400°F when the workflow depended on it.
That failure erodes trust.
The cook no longer believes the display without checking an independent thermometer. The oven remains capable, but capability alone no longer justifies reliance.
The Display Is a Claim; the Thermometer Is Evidence
The oven display tells the cook what the system claims it is doing.
The thermometer provides independent evidence.
AI workflows need the equivalent of the second thermometer.
Depending on the task, that evidence may include:
- A value found only inside the requested source
- An exact quotation from the retrieved file
- A document version or approval date
- A cryptographic hash
- A timestamp generated outside the conversation
- A sensor reading from a separate system
- A human inspection of the real-world result
Without independent evidence, users may trust the display while the actual operation has already failed.
Dependability Is a Trustworthiness Requirement
Trust is the confidence a human places in a person, organization, process, or system.
Trustworthiness is the demonstrated quality that justifies that confidence.
For AI-supported systems, trustworthiness includes more than occasional accuracy. It includes:
- Competence within known boundaries
- Dependable execution
- Instruction fidelity
- Honest reporting of uncertainty and failure
- Traceability to the actual source
- Verifiable claims
- Correction and escalation support
- Clear human and institutional accountability
NIST describes trustworthy AI through multiple characteristics, including validity and reliability, safety, resilience, accountability, transparency, explainability, privacy, and fairness. Validity and reliability are necessary, but they do not constitute the entire standard.[3]
Your model may be capable. The surrounding system must make its behavior dependable, reviewable, and contestable.
How Trust Grows
Trust grows when the system repeatedly:
- Understands the instruction.
- Performs the requested action.
- Uses the correct source.
- Reports what actually happened.
- Provides evidence that can be checked.
- Stops honestly when the task cannot be completed.
Over time, this creates a demonstrated pattern of dependable behavior.
How Trust Is Lost
Trust erodes when:
- A direct instruction produces a substituted action.
- Memory is presented as retrieval.
- A related source is presented as the requested source.
- An old copy is presented as current.
- A failed action is reported as successful.
- Confidence replaces evidence.
- The same workflow produces inconsistent behavior without warning.
One failure may be understandable. Repeated or hidden failures change the user’s operating assumption.
The human can no longer treat “Read this file” as a dependable command. Every result now requires independent verification.
Capability has remained.
Trust has been damaged.
Practical Food Connections
Approved Recipe Retrieval
A restaurant asks an AI assistant to retrieve the current approved recipe for a sauce.
The assistant returns a convincing recipe.
That output is insufficient unless the workflow can establish:
- The exact requested recipe was retrieved.
- The current approved version was used.
- No public recipe or older internal version was substituted.
- The approval date or version can be verified.
- Retrieval failure would have stopped the process.
A recipe that looks correct may still be the wrong operational document.
Source fidelity matters when the recipe controls portions, allergens, nutrition, cost, quality, or regulatory compliance.
Allergen Review
An AI system may demonstrate that it can identify peanuts, milk, sesame, and other allergens on supplier labels.
That capability does not establish dependable allergen control.
The full workflow must handle:
- Small or blurred print
- Unusual ingredient names
- Multiple languages
- Supplier format changes
- Cross-contact statements
- Damaged packaging
- Missing or uncertain information
A dependable system must escalate uncertain cases rather than forcing a confident classification.
The operational statement should not be:
“The AI can read allergen labels.”
It should be:
“The complete process has been repeatedly tested against our real labels, uncertain cases stop for trained human review, and the result can be audited.”
Temperature Monitoring
A smart refrigerator system may be capable of recognizing abnormal temperatures.
The useful outcome depends on an entire execution chain:
Sensor measures temperature
↓
Reading is transmitted
↓
AI detects an abnormal pattern
↓
Alert is generated
↓
Alert reaches the correct person
↓
Person acknowledges the alert
↓
Corrective action is completed
↓
Food safety outcome is verified
A failure at any stage can spoil food even when the AI model correctly detected the problem.
Testing the detection model alone would prove capability. Testing the complete chain establishes operational dependability.
Inventory and Demand Forecasting
A forecasting model may perform well during ordinary weeks. Dependability requires it to operate when:
- Sales data arrives late
- A local event changes demand
- Weather disrupts traffic
- A supplier misses a delivery
- A store is closed unexpectedly
- The model or input pipeline changes
The manager must know whether missing data was disclosed, whether the correct location was analyzed, and whether the forecast actually ran.
A realistic number does not prove that the intended process occurred.
Food Inspection
A vision model may identify damaged produce accurately in a demonstration.
A processing line adds shadows, water droplets, dirty lenses, product overlap, unusual varieties, and motion blur.
A system that succeeds under demonstration lighting is capable.
A system that performs consistently under real line conditions, flags uncertainty, records its decisions, and supports human review begins to demonstrate trustworthiness.
How to Test Dependability and Protect Trust
1. Test the Actual Workflow
Do not evaluate only the isolated feature.
Use the real sequence of prompts, permissions, sources, tools, users, and exception paths.
If production uses a ten-step verification workflow, a one-line demonstration does not validate production.
2. Repeat the Test
One success proves possibility.
Repeated success across realistic conditions begins to establish dependability.
Run tests in fresh sessions, at different times, with varied inputs and known edge cases. Preserve failures as carefully as successes.
3. Require Proof of Execution
Use proof values that cannot be copied from the prompt, guessed from context, or found in a related search result.
Examples include:
- The first line of the exact file
- A generation timestamp
- An expected object count
- A version-specific identifier
- A file hash
- A value stored only in the source
Proof turns a claim about execution into something testable.
4. Separate Workflow Stages
Retrieval, validation, comparison, and completion should have separate statuses.
Retrieval status: SUCCESS
Source version: CONFIRMED
Content validation: MATCH
Workflow status: COMPLETE
If retrieval fails, validation cannot honestly report success.
5. Create an Honest Failure State
A trustworthy system needs permission to stop.
Retrieval status: FAILED
Requested source: NOT ACCESSED
Required values: UNKNOWN
Next action: Human review or authorized fallback
An honest halt protects trust.
A fabricated success destroys it.
6. Record the Execution Method
The result should disclose whether it came from:
- Direct file retrieval
- Web search
- Uploaded content
- Model memory
- A cached connector
- A database query
- A human-provided value
Different methods carry different levels of source provenance.
7. Preserve Logs and Versions
Record the platform, model, date, prompt version, source version, tool channel, returned proof, human decision, and final outcome.
Dependability cannot be studied when each run disappears.
8. Retest After Change
Models, prompts, connectors, interfaces, and orchestration systems change.
A workflow that succeeded last month may fail today. A platform described as “tested successfully” should always include the date and conditions of the test.
Human-in-Command Is Part of the Trust Architecture
Human-in-Command means more than placing a person at the end of an automated workflow.
The human must retain authority over:
- The goal
- The approved source
- The required proof
- The acceptable failure rate
- The escalation path
- The final decision
- The response when trust is broken
In the AgentForge field tests, the human held evidence that the AI platforms did not possess, retrieved files that some platforms could not reach, challenged unsupported receipts, and decided whether demonstrated behavior justified reliance.
The human was not an observer added for appearance.
The human was a required component of the verification system.
Closing Section
Capability shows that a task is possible.
Dependability shows that the task will be performed consistently when requested.
Trustworthiness makes that behavior visible, verifiable, bounded, correctable, and accountable.
Trust is what the human grants after seeing that pattern hold over time.
When a human says, “Read this file,” the AI should read the file. If it cannot, it should say so. It should not replace execution with memory, similarity, probability, or confident prose.
The issue is not merely whether the answer looks right.
The issue is whether the system did what it was trusted to do.
Capability creates the expectation.
Dependability justifies the expectation.
Trustworthiness makes the result inspectable.
Capability without dependability destroys trust.
Sources and Further Reading
- McDonald, Paul. Trustworthy AI Systems, DR-006, 2026. Research synthesis examining bounded dependability, calibrated reliance, sociotechnical trustworthiness, transparency, accountability, and Human-in-Command governance.
- McDonald, Paul. Trustworthy AI in the Field: A Case-Study Companion to DR-006, July 2026. Field evidence from a three-week, six-platform AI file-retrieval verification project.
- National Institute of Standards and Technology. AI Risks and Trustworthiness: Characteristics of Trustworthy AI Systems.
- Steyvers, Mark, et al. What Large Language Models Know and What People Think They Know. Nature Machine Intelligence.
- McDonald, Paul. Incident Report: Context-Dependent Retrieval of Immutable GitHub Files by AI Platforms, July 2026.
- McDonald, Paul. AI Trust: Capability Does Not Equal Dependability, 2026.
Comments