DESIGN CONCEPT · NOT SHIPPED · UHNW WEALTH MANAGEMENT · AI GOVERNANCE

Double-Blind
Fiduciary Protocol

An adversarial AI layer for UHNW relationship management. The RM commits their independent risk read first — sealed with SHA-256. AI reveals its cold read second. Every divergence requires a documented human resolution before the client call.

Canonical Screens

Scenario Scripts

Synthetic Clients

SHA-256 · 17a-4 · SR 11-7

Trust Infrastructure

Double-Blind Fiduciary Protocol — Relationship Overview showing 42 client relationships sorted by alert severity with AI sessions queued

Where This Sits — Scale 05 of 05

The final form of the trust problem. Every prior project in this portfolio solved trust at a different scale: systemic (ACY), behavioural (TradingCup), institutional (ACY Connect), relational (Xanthos). Double-Blind asks the hardest question: when AI is present in the advisory loop, how do you guarantee that the human's judgment is structurally uncontaminated before the client conversation begins? The answer is not policy or training. It is protocol enforced by the interface itself.

Systemic • ACY Behavioural • TradingCup Institutional • FIX API Relational • Xanthos

Structural • here

Context

Part of the Xanthos ecosystem —
the layer the client never sees but always feels

Xanthos Private Bank designed what the UHNW client sees: the portfolio dashboard, advisory timeline, document vault. Double-Blind designs what happens before the client call — the adversarial AI layer that ensures the RM's judgment arrives uncontaminated. Together they form a complete institutional service stack.

The Problem

Three structural phenomena. One compounding failure.

None of these are AI problems. AI makes each of them worse.

Sycophancy & Automation Bias

Clients with $50M–$500M AUM aren't optimizing for alpha. They're evaluating whether their RM can see risks they can't. When AI shows suggestions upfront, Automation Bias (blindly trusting the system) and AI Sycophancy (models agreeing with user priors) systematically contaminate the RM's independent judgment before the client ever hears it.

AM/RM Cognitive Bandwidth Dilution

Private bank RMs manage 30–60 relationships. Each QBR prep takes 2–4 hours. The 80/20 rule applies: top 20% AUM absorbs most attention. Prospects in the silent test period are structurally underserved — not because the RM doesn't care, but because the system doesn't protect their attention budget.

The Silent Test Period

UHNW prospects allocate a test amount ($1M–$5M) for months 1–2, then quietly observe for months 3–6. The evaluation criterion isn't investment returns — it's attention quality. Does the RM notice what matters before being asked? One missed signal ends the relationship permanently.

The Paradigm

Not Co-Pilot. Double-Blind.

The industry default shows the AI suggestion first. Double-Blind reverses the order. That reversal eliminates anchoring bias — the most structurally honest change possible.

Co-Pilot · Industry default

AI suggests first.
RM responds.

01RM opens folder. AI suggestion appears immediately.
02RM reads AI output. Anchoring begins.
03RM adopts, modifies, or dismisses.
04RM communicates with client. View is AI-inflected.

Anchoring bias · Accountability drift · Sycophancy compounds

Double-Blind · This proposal

RM commits first.
AI reveals second.

01RM opens folder. AI output sealed behind blind glass.
02RM writes independent risk read, action, conviction. Commits.
03Commit triggers SHA-256 hash. AI view unlocks.
04Convergence View: both reads side by side. Deltas flagged.
05RM resolves each delta: hold / adopt / hybrid / escalate.
06Fiduciary audit trail written. SEC 17a-4 format.

Anchoring eliminated · Accountability preserved · Differentiation maintained

Zero-Trust UX Architecture

The browser as a fiduciary enclave.

In institutional finance, you cannot simply promise that the AI didn't influence the RM. You must mathematically prove it for the audit trail.

Phase 1: Local Isolation

Client-Side Cryptography

While the RM drafts Track A, the workstation operates in a zero-egress state. DevTools Network tab verifies 0 outbound requests. Upon commit, window.crypto.subtle generates a SHA-256 hash of the RM's input locally in the browser memory.

Phase 2: Verifiable Request

The Hash Chain

Only after the local hash is sealed does the workstation fire the Track B API call to the LLM backend. The commit timestamp and hash mathematically guarantee the RM's view was locked before the AI's response was received.

// AUDIT PAYLOAD PREVIEW


                {

                  "session_id": "ichikawa-w11",

                  "commit_timestamp_utc": "2026-04-13T22:45:12Z",

                  "track_a_sha256": "8f434346648f6b96df89dda901c5176b10a6d83961dd3c1ac88b59b2dc327aa4",

                  "network_egress_status": "LOCKED"

                }

Anchor Scenario

Week 11. Mrs. Ichikawa.
The phone call that signs a $150M relationship.

April 14, 2026. 07:22 JST. NVDA is down 4.2%. The JPY strengthened overnight. David has 42 relationships and 2 hours before market open.

Convergence View — Track A (David: MONITOR, medium conviction) vs Track B (AI: PROACTIVE OUTREACH, high confidence), framing delta ticks on copper parallel rail, 61% alignment score

Convergence View — Two reads side by side. David: tech correction, monitor only. AI: JPY psychology risk, proactive outreach. One framing delta separates them. layer.

⬛

Track A — David's Independent Read (committed first)

NVDA -4.2% on 8% position = -33bp. Tech correction aligns with Ichikawa-san's prior concern. Portfolio is within tolerance. Monitor only. Medium conviction. Committed at 06:45 JST with SHA-256 hash — AI was sealed until this moment.

◆

Track B — AI Cold Read (revealed after commit)

Same tech assessment. But JPY strengthened 0.9% overnight. For a Japan-domiciled client with USD-denominated assets, this FX move creates psychological impact independent of portfolio P&L. The USD snapshot value of her $35M book decreased by ¥47M overnight. Recommend proactive outreach — not about the trade.

→

The Resolution — David adopts

"She's Japan-based. FX move is real for her even though long-term thesis unchanged. I'll call at 8am to acknowledge FX dynamics before she has to ask." David calls. Ichikawa-san mentions her husband's USD pension. They schedule a partial JPY hedge discussion. Silent test ledger: +1.

Week 11 Signing Event — One framing delta. Four times the allocation over 18 months.

Live Interactive Demo

Experience the full 8-screen workstation

All 5 scenarios, all 8 screens, real SHA-256 commit hash, DevTools-verifiable network silence during Track A. The same deterministic-mock discipline as Intent Canvas — ship-reliable without an API key.

Double-Blind Fiduciary Protocol — Live Workstation

Vanilla JS · SHA-256 Web Crypto · 5 scenarios · SEC 17a-4 export · SR 11-7 effective challenge

Week 11 · Ichikawa (framing delta) Park Y2 (convergent soft flag) Lindqvist Q3 (magnitude + directional) Hartmann FO (governance framing) Prospect #7 (null delta)

Open Workstation

Screen 01 · Always-On

Relationship Overview

42 relationships. 5 AI sessions queued. 07:22 JST.

The RM's morning dashboard. All 42 client relationships are sorted by alert severity — high-alert clients appear first. AI sessions are queued but their content is sealed: the overview shows only the count, never the recommendation. This is the information wall's first enforcement layer.

Relationship Overview showing 42 UHNW clients sorted by alert severity — Mrs. Keiko Ichikawa (HIGH), Dr. Eva Lindqvist (HIGH), Hartmann Family Office (MED) — with AI Session queued badges

Screen 01 — Relationship Overview. Sorted by alert severity. AI queued counts visible; AI content sealed.

↑

Alert Severity Sort

HIGH → MED → LOW → NONE. Within each tier, clients with queued AI sessions appear first. The RM sees the most urgent relationships at a glance without having to scan a flat list.

🔒

AI Sessions Sealed

"AI Queued" badge shows count only. The AI's analysis is completely invisible until the RM commits their own Track A read. This is the information wall's first enforcement layer — the RM cannot be anchored before they've committed.

Aggregate Intelligence

Stats strip shows computed aggregate AUM, session count, and alert breakdown. Five scenario chips in the hero banner let reviewers jump directly to any of the five scripted client scenarios.

Screen 02 · Entry

Session Setup

Context before commitment.

Before the RM writes a single word, they see the full client context: overnight market events, portfolio snapshot, last conversation excerpt. The AI vault status sidebar confirms isolation is active. When the RM clicks "Begin Track A", a 700ms vault sealing animation plays — theatre that makes the protocol tangible.

Session Setup for Mrs. Keiko Ichikawa — showing overnight events (NVDA -4.2%, SOXX -3.8%, JPY +0.9%), FX Psychology Risk widget, last conversation excerpt about tech overheating concern, and AI Isolation State sidebar showing vault sealed

Screen 02 — Session Setup. Market events, FX context, client conversation. Vault sealed in sidebar.

📊

Scenario-Specific Data Widgets

Each scenario surfaces relevant data prominently. For Ichikawa: a dedicated FX Psychology Risk widget showing USD/JPY overnight move and the JPY snapshot impact. For Lindqvist: a Turkey CDS spread bar chart. For Hartmann: an entity structure diagram flagging the BVI governance gap.

📝

Last Conversation Context

"I'm worried tech is running too hot. If there's a correction I'd rather be positioned defensively. My late father always said the first loss is the best loss." — This is the client's mental model. The RM reads it before writing their own assessment.

🔐

Vault Status Sidebar

Phase: sealed. Outbound requests: 0. Commit hash: pending. The vault status sidebar is the first visible evidence of the protocol running. The RM knows exactly what the AI can and cannot see before they write anything.

Screen 03 · Write

Track A — Blind Input

Your read. AI sealed until you commit.

The RM writes their independent risk read in a split-view canvas. Left panel: raw client data. Right panel: input form. The amber pulsing "AI sealed" indicator at the top of the input panel makes the isolation tangible. Three required fields — risk read, recommended action, conviction level — gate the commit button.

Track A Canvas — risk read typed (NVDA -4.2% within tolerance), MONITOR action selected, LOW conviction. Completeness dots all green. Commit button active.

Screen 03 — Track A filled. MONITOR selected, LOW conviction, risk read complete. Commit sealed with SHA-256.

✍️

Auto-Resize Textarea

The risk read field grows with the RM's input. A live word count hint appears as they type. The placeholder text reinforces the protocol: "Write your independent view — AI is sealed until you commit."

●○○

Completeness Indicator

Three dots below the commit button track which required fields are filled: Risk Read · Action · Conviction. Each lights green when completed. The commit button remains disabled until all three are satisfied.

⌘↵

Keyboard Commit

⌘↵ commits the Track A input from anywhere in the form. The commit button shows the keyboard shortcut as a visible chip. For experienced RMs, the protocol should feel as fast as a well-practiced decision can be.

Screen 04 · Seal

Track B Processing

2.8 seconds. SHA-256 sealed. Network silent.

After commit, a terminal-style log plays. The hash is computed in real time via crypto.subtle.digest('SHA-256') — the Web Crypto API, not a mock. Nine timestamped log lines play sequentially. The hash reveal card shows the full 64-character hex string. Every claim here is verifiable in DevTools → Network: 0 outbound requests during Track A.

Track B Processing — terminal window with timestamped log: SHA-256 hash e1264aa750bb... confirmed, 0 outbound requests verified, track-b cold-read pipeline initialising, convergence ready

Screen 04 — Processing Terminal. Real SHA-256 hash. 9 timestamped log lines. Network guard: 0 outbound requests confirmed.

Screen 05 · Compare

Convergence View

Design for collision, not consensus.

We don't auto-merge. We violently highlight divergence. Track A (RM) and Track B (AI) sit side by side, separated by a 2px copper rail. Delta ticks mark divergence points on the rail — each tick's color encodes the delta type. The AI's job isn't to smooth over human edges; the friction is the feature.

Convergence View — full layout with Track A (MONITOR, medium) and Track B (PROACTIVE OUTREACH, high) side by side, copper parallel rail, 2 framing delta cards below, Resolve Deltas proceed bar visible

Screen 05 — Convergence View. Copper parallel rail divides two independent reads. 2 framing delta ticks. 61% alignment score.

Reasoning Drawer open — Track A: MONITOR (tech correction expected), Track B: PROACTIVE OUTREACH (FX psychology risk, JPY domicile impact), Regulatory Context: FINRA 2111 + SEC Reg BI

Reasoning Drawer — Full Track A and Track B reads side by side. Delta position, AI rationale, regulatory auto-tags.

◆

Delta Type Taxonomy

Five types with shape icons: ● Convergent (circle) · → Directional (arrow) · ▬ Magnitude (bar) · ◆ Framing (triangle) · — Null (dash). The framing delta is the Ichikawa scenario's delta: same action direction, different risk vector identified.

📐

Field-Level Delta Markers

Each field row that has a corresponding delta shows a color-coded type badge inline in the label and a copper left border accent. The RM sees exactly which field the divergence is in — Risk Read, Recommended Action, or Conviction — without opening the drawer.

✓

Reviewed State Tracking

Each delta card gets a green checkmark after the reasoning drawer is opened. The proceed bar shows "X of N deltas reviewed". When all are reviewed, the button turns green: "Ready to Resolve →". No forced progression — the RM can review at their own pace.

Screen 06 · Decide

Fiduciary Resolution

Every delta. One decision. Required reasoning.

The RM cannot proceed without resolving every surfaced delta. Four options — Hold / Adopt / Hybrid / Escalate — with required reasoning text for directional and magnitude deltas. Regulatory auto-tags appear automatically in the sidebar. A resolution summary strip updates in real time.

Fiduciary Resolution — 2 of 2 resolved, gold progress bar full. Two framing delta blocks: HOLD on Tech story delta, ADOPT on No outreach vs Proactive call delta. Regulatory auto-tags sidebar visible.

Screen 06 — Fiduciary Resolution. 2 of 2 resolved. HOLD on tech story delta, ADOPT on FX outreach delta. Regulatory auto-tags sidebar.

📏

Progress Bar + Cannot Skip

A progress bar at the top tracks "X of N resolved." The proceed button stays disabled until every delta has a choice and required reasoning. For directional and magnitude deltas, the reasoning field is mandatory — the system enforces documentation of consequential decisions.

🏛️

Regulatory Auto-Tags

FINRA Rule 2111, SEC Reg BI Care Obligation, and SR 11-7 are automatically tagged based on the delta type and resolution choice. The RM doesn't select them — the system annotates the reasoning with the applicable regulatory framework.

←

Back to Convergence

The RM can return to the Convergence View at any point during resolution to re-read either panel — without losing their reviewed delta state or partial resolution choices. No forced linear progression.

Screen 07 · Record

Audit Artifact

SEC Rule 17a-4. Immutable. Exportable.

The session produces a complete fiduciary audit record: session metadata, isolation verification with SHA-256 hash, Track A record, Track B record, delta summary, resolution reasoning, and regulatory attestation. Exportable as JSON with the commit hash embedded — any reviewer can verify the hash against the Track A payload.

Audit Artifact — Delta Summary showing 2 framing deltas (ADOPT + HOLD), Regulatory Attestation table (FINRA 2111 / SEC Reg BI / SR 11-7 / 17a-4), Export JSON and View Intelligence Dashboard buttons

Screen 07 — Audit Artifact. Delta summary with resolutions. Regulatory attestation. Export JSON (17a-4 format).

Screen 08 · Learn

Relationship Intelligence

Longitudinal value. Delta patterns. RM resolution bias.

After each session, the dashboard surfaces patterns: delta type distribution, RM resolution bias (adopt vs hold vs escalate), and historical session timeline. Over time, this view tells a story about both the relationship and the RM's judgment calibration. Open the live demo → to see the full Intelligence Dashboard after completing a session.

📈

Silent Test Verdict

The intelligence dashboard surfaces the silent test period verdict and the ledger entry: "+1 — RM was proactive on FX angle before client had to ask." This is the metric that matters for UHNW relationship retention.

⚖️

RM Resolution Bias

Supervisors can identify systemic patterns: RM always adopts AI = anchoring risk (AI dependency). RM always holds = potential dismissal without engagement. The bias bars show adopt / hold / hybrid / escalate proportions session over session.

🕐

Historical Session Timeline

Past sessions show date, scope (daily review / QBR prep), delta count, and outcome badge. For Ichikawa, three previous sessions demonstrate the relationship trajectory before Week 11 — including an earlier escalated magnitude delta that required CIO review.

Design Language

Visual DNA

Xanthos tokens. Three unique primitives.

Double-Blind inherits the Xanthos warm cream palette — the RM moving from the client portal to the workstation experiences the same institution at different depth. Three new visual primitives make the adversarial dual-read pattern tangible.

Convergence View — 2px copper parallel rail between Track A and Track B, framing delta ticks on rail, blind glass already dissolved after Track A commit, delta cards below showing 2 framing deltas

Convergence View — all three primitives visible: parallel rail (copper divider), delta ticks (framing type), and dissolved blind glass.

Audit Record Anatomy

Six components. One verifiable record.

Every session produces a structured audit record with six distinct sections. Each is shown below. Together they satisfy SEC Rule 17a-4(f)'s reconstructable record requirement.

Audit — Session Metadata: Client Mrs. Keiko Ichikawa, RM David 9 years, Session date 2026-04-14 07:22 JST, Protocol version Double-Blind Fiduciary Protocol v1.0, Scenario ID ichikawa-w11

① Session Metadata — client, RM, date, scenario ID.

Audit — AI Isolation Verification: Track A sealed, SHA-256 hash 9ce71fd6..., Commit timestamp, Outbound requests 0 — verifiable in DevTools Network panel, Network silence confirmed

② AI Isolation Verification — SHA-256 hash + DevTools-verifiable 0 outbound requests.

Audit — Track A RM Original Read (David): Risk read — NVDA position took -4.2%... Action: monitor, Conviction: medium

③ Track A — RM's committed read before AI view.

Audit — Track B AI Cold Read (independent): Risk read — Portfolio tech exposure down ~90bp... However JPY strengthened 0.9%... Action: outreach, AI confidence: high, RM input visible: No

④ Track B — AI cold read. RM input: not visible.

Audit — Delta Summary: 2 delta(s) surfaced. Framing: No outreach vs. Proactive call — HOLD. Framing: Tech story vs. FX + tech story — ADOPT.

⑤ Delta Summary — type, label, resolution choice.

Audit — Regulatory Attestation: FINRA Rule 2111 independent challenger review completed, SEC Reg BI dual-read process satisfies reasonable diligence, SR 11-7 effective challenge performed, SEC Rule 17a-4(f) record in reconstructable format

⑥ Regulatory Attestation — FINRA 2111 · Reg BI · SR 11-7 · 17a-4.

System UX

⌘K to load any scenario. ? for shortcuts. / to search.

Command palette (⌘K) — search 'Load: Week 11 — Ichikawa', 'Load: Year 2 — Mr. Park', navigate screens, trigger hero demo. Shows overview behind with hero banner and 42-client list.

Command palette (⌘K) — fuzzy search across 5 scenarios, 3 navigate actions, demo trigger.

Keyboard Shortcuts overlay on Convergence View — Navigation: ⌘K palette, / open, ? help, Esc dismiss, [ ] prev/next scenario. Session: ⌘↵ commit, Esc abandon, Watch hero demo replay.

Keyboard shortcuts (?) — full navigation and session control. Convergence View behind.

Second Scenario

Hartmann Family Office. Four jurisdictions. One governance gap.

The protocol adapts to each client context. For the Hartmann onboarding session, the AI Isolation Vault drawer is open — showing the sealed state before Track A begins. The Track B read will surface a BVI governance gap the RM's standard KYC review missed.

Hartmann Family Office Session Setup — client card showing Frankfurt/Zurich/BVI/Cayman multi-jurisdiction structure, $62M onboarding, Event-Triggered Review scope selected. AI Isolation Vault drawer open on right: sealed phase, Session ID familyoffice-onboard, 0 outbound requests, SHA-256 hash from prior session visible.

Hartmann Family Office — Session Setup with AI Isolation Vault drawer open. Sealed before Track A begins.

Regulatory Anchoring

Each design decision has a regulation behind it.

Not retrofitted compliance. The regulatory structure generated the design decisions.

Rule	Design implication	Where in the UI
FINRA Rule 2111	Reasonable-basis suitability requires independent documented analysis. Track A + Track B dual read is the structural implementation.	Auto-tagged on Action and Conviction deltas in Resolution sidebar.
SEC Reg BI	Care Obligation: RM must exercise reasonable diligence, care, skill. The mandatory delta resolution with reasoning satisfies documentation of "reasonable."	Required reasoning field in Resolution. Auto-tagged on directional deltas.
SR 11-7	"Effective challenge" — independent review with sufficient authority. RM-as-challenger is SR 11-7's effective challenge made into a UX pattern.	Vault drawer isolation confirmation. Convergent soft flag triggers CIO review prompt.
SEC 17a-4(f)	Electronic records: non-rewritable, timestamped, reconstructable. SHA-256 commit hash + timestamped audit trail is the compliance mechanism.	Audit Artifact screen (Screen 07). JSON export with hash chain.
EU AI Act Art. 14	Human oversight of high-risk AI: the mandatory resolution step is Article 14's human-in-the-loop made structurally enforced.	RM cannot proceed without resolving every delta. Escalation always available.

Regulatory references are design intent citations. Verify with qualified compliance counsel before production use.

Authenticity Boundary

What this is not.

Ed Chen is a product designer. Here is the exact boundary of what can be claimed.

This Is NOT

× Not shipped. No production users. No A/B test data. No real RM has used this with a real client.
× Not UHNW user-tested. All user descriptions extrapolated from industry research and 4 years at ACY Securities (a retail/mass-affluent broker). The bandwidth dynamic is structurally equivalent; private bank RM workflow has not been directly shadowed.
× Not compliance-reviewed. Regulatory references are design intent citations, not legal opinion.
× Not AI-integrated. All Track B outputs are deterministic pre-authored scenario scripts. No model was called.
× Not a claim that RM judgment should be subordinated to AI. Every final decision is the RM's. The AI is a structural challenger, not a decision-maker.

What can be claimed: four years at an ASIC-regulated broker showed what an AM/RM's attention budget actually looks like, what regulatory audit trails need to contain, and what "reasonable diligence" looks like when it has to be documented. This concept is grounded in that operational experience — not in UHNW-specific field research I don't have.

The UHNW Cluster

Three projects. One complete picture.

Each piece stands alone. Together they form the full UHNW design arc: observed behaviour in the wild → the client portal → the RM trust layer.

01 · Empirical Foundation

Christie's Real Estate

Observed UHNW psychology in the wild. The trust model, the relationship-first design logic, and the editorial restraint that makes Xanthos credible all trace back here.

View case study →

02 · Client Surface

Xanthos Private Bank

What the UHNW client sees. Portfolio dashboard, RM briefing, advisory timeline, document vault. Together, Xanthos + Double-Blind = UHNW service front-to-back.

View case study →

03 · RM Trust Layer — You are here

Double-Blind Fiduciary Protocol

The layer the client never sees. Adversarial dual-read that protects the integrity of the RM's judgment before the client call ever happens.

AI Trust Progression · Orthogonal Thread

Intent Canvas

Same-direction AI-human collaboration. Intent Canvas = agreement as goal. Double-Blind = disagreement as signal. Orthogonal paradigms. Together they define the two modes of human-AI co-decision.

View case study →

Portfolio Thread