# The Zemi Method
### An evidentiary methodology for investigation and assurance

**Version:** 1.0  
**Status:** Published  
**Published:** July 17, 2026  
**Canonical home:** https://zemimethod.com  
**Copyright:** © 2026 Kevin V. Watson. All rights reserved.  
**Material changes from v0.4:** Correction clause broadened to cover unsupported, incomplete, or materially misstated findings. Preservation phase clarified to include automated contribution records. Published as Version 1.0.  
**Material changes from v0.3:** Conflicting-evidence rule added to Corroborate. Contrary-evidence disclosure added to Report. Preservation of automated contributions added. Proportionality clause added to Scope. Correction procedure added to version discipline.  
**Material changes from v0.2 (recorded at v0.3):** Premise elevated to the decision level. Governing role stated in Scope. Independence requirement restored to the premise. Title retained at investigation and assurance scope. Competing explanations requirement added to Frame. Stated-reasoning requirement added to Report.  

---

## Premise

Every important organizational decision is an evidentiary decision.

Courts, incident response, internal investigations, AI governance, board decisions, compliance, fraud, and digital forensics all eventually ask the same question:

**Can this claim be trusted, and what decision can be defended because of it?**

Most failures of evidence-based decision-making do not begin with a lack of tools. They begin because an assumption went untested. A system was trusted to record what happened. A log was read as complete. A control was believed to be working because it was documented as working. A summary was treated as the record instead of a path back to the record.

The Zemi Method starts from the opposite position. Every claim that matters to a decision, including claims produced by an organization's own systems, is a hypothesis until evidence from an independent source supports it.

This is not caution for its own sake. It comes from a specific and repeatable failure. An audit record can appear authoritative and still be incomplete in a way that only shows under corroboration. An application-layer log that captures most access will present as the full account, while a database-layer record shows access paths the application never wrote down. The application record is not false. It is partial, and partial in a direction no one flagged. The method exists to catch that failure before it becomes the basis for a decision.

## Scope

The Zemi Method applies wherever a decision depends on digital or machine-generated evidence. Its first applications are digital forensic examination, incident reconstruction, expert evidence, litigation support, AI governance, AI incident examination, and synthetic media assessment. Future applications may change as evidence changes, but the reasoning discipline remains the same.

The method does not replace engagement-specific procedures, legal advice, tool validation, chain-of-custody requirements, or professional judgment. It governs the reasoning above them: how claims are framed, how sources are tested, how automation is controlled, how conclusions are bounded, and how findings are reported. The depth of verification applied in an engagement is proportionate to the stakes of the decision it serves; where constraints of time, cost, or access limit verification, that limitation is stated and reported like any other.

The public method states the philosophy and control structure. Implementation detail, including tools, queries, templates, checklists, and internal review procedures, remains engagement-specific and proprietary.

For Zemi North, the method is not a service line. It is the governing discipline from which service lines, reports, assurance frameworks, software, training, and future research should derive.

## Principles

Five principles govern every engagement, on both the investigation side and the assurance side.

**1. Evidence over assertion.** A conclusion stands on what can be shown, not on what a system or a person states. A statement of fact from a stakeholder, a vendor, or a monitoring tool is an input to be tested, not a finding to be recorded.

**2. Corroboration across independent layers.** A single source is a lead. It becomes a finding when it is tested against a source that does not share the same failure mode and the sources agree. Two logs drawn from the same pipeline are not independent. A log and the artifact it claims to describe are. Where independent corroboration is unavailable, the finding is reported with that limitation attached rather than hidden.

**3. Bounded claims.** State what the evidence supports and no more. Where the evidence runs out, say where. Every material conclusion is separated into what is known, what is assumed, and what remains undetermined. A finding that overreaches is weaker than a narrower finding that holds, because the overreach is the part an opposing examiner will break first.

**4. AI-assisted, never AI-decided.** Automated systems retrieve, correlate, summarize, and draft. They do not adjudicate. A person owns every conclusion and can trace it to source. This is a line, not a preference.

**5. Defensibility by construction.** Build the case so a reviewer, an opposing expert, or a court can follow every step from raw evidence to conclusion without taking any part on trust. Defensibility is designed in from the first phase, not added at the end.

## The investigative lifecycle

Six phases carry an engagement from question to finding. The role of automation is stated at each phase, and it narrows deliberately as the work approaches a conclusion.

**1. Frame.** Define the question. Surface the assumptions the question carries. Write down what would have to be true for the working theory to hold, and what evidence would confirm it or break it. Where the evidence admits more than one explanation, competing explanations are framed and tested against the same evidence together, not sequentially, so that the surviving explanation is the one the evidence failed to break rather than the one considered first. A theory with no stated breaking condition is not yet an investigation.

**2. Preserve.** Acquire and protect evidence with integrity intact. Chain of custody, hashing, work from verified copies, and record the condition and source of each artifact. Where automated systems are used, preserve the inputs provided to them, the outputs they return, and the tool and version records needed to test their contribution later. Nothing downstream is defensible if this phase is weak, so it is not rushed.

**3. Corroborate.** Test each claim against independent sources wherever they are available, and report the limitation where they are not. Where independent sources conflict, the conflict is treated as evidence in its own right and investigated, not averaged and not resolved toward the working theory; a conflict that cannot be resolved is classified as undetermined, with both sources shown. Automation earns its place here by pulling and aligning records across systems at a speed a person cannot match. The person decides what agreement means and where the sources fail to be independent.

**4. Analyze.** Reconstruct the sequence of events. This is where automation carries the most weight and where the discipline matters most. It proposes patterns. The investigator confirms or rejects each against the underlying evidence rather than against the summary.

**5. Adjudicate.** The human decision gate. Conclusions are set here, by a person, bounded to what the evidence supports. Findings are classified as known, assumed, or undetermined before they are relied on. No automated system crosses this line. This is principle four made procedural.

**6. Report.** State each finding, the evidence behind it, and its limits. Material evidence inconsistent with a finding is reported alongside it, not omitted. For each material finding, the reasoning that connects the evidence to the conclusion is stated, not left for the reader to reconstruct. A reader should be able to see where certainty ends and inference begins, and should never have to guess which is which. Reports identify the sources relied on, the assumptions made, the material limitations, and the role of automation where automation contributed to the work.

## The assurance practice

The same discipline applies to a different subject. On the investigation side the method tests claims about what happened inside a system. On the assurance side it tests claims about an AI system itself: that it does what it is said to do, within stated limits, with a person accountable for its outputs.

The five principles carry over without change. A model's own reporting about its behavior is a claim to be corroborated, not a finding to be accepted. A vendor's stated accuracy is an assertion until independent testing supports it. A control described in documentation is a hypothesis until an artifact shows it operating. The subject changes. The evidentiary standard does not.

For assurance work, the method does not ask only whether a system appears to perform. It asks whether the evidence supports the claims made about the system: what it does, where it fails, who remains accountable, and whether the controls around it can be shown to operate in practice.

## Why the principles exist

The method is not theoretical. Each principle exists because real investigations and assurance work fail in predictable ways when the principle is absent.

- **Evidence over assertion:** a stakeholder's confident account can be sincere, useful, and still wrong. The method treats that account as a lead until the record supports it.
- **Corroboration across independent layers:** an application log may show the ordinary route through a system while a lower-layer record shows a second path the application never captured. The first record is not false. It is incomplete.
- **Bounded claims:** a narrow conclusion with clear limits is more durable than a broad conclusion with one unsupported edge. The unsupported edge is where the finding will be attacked first.
- **AI-assisted, never AI-decided:** an automated summary can accelerate review, but it cannot explain itself under challenge, accept responsibility, or distinguish uncertainty from absence unless a person forces that distinction.
- **Defensibility by construction:** if the chain from source to conclusion is assembled only after the conclusion is written, the work is already vulnerable. The record has to be built while the work is being done.

## Where automation sits, and where it does not

Automation is allowed to touch retrieval, correlation, pattern proposal, drafting, and summarization. It is barred from the conclusion, the adjudication, and the sign-off.

The reason is not distrust of the tool. It is that a conclusion has to be owned by someone who can be questioned, who can trace the finding to source, and who can be held to account for it. A summary cannot be cross-examined. A person can. The line holds because accountability requires it.

The automated contribution is preserved as well as documented. The inputs provided to automated systems, the outputs they return, and the tool and version used are retained as part of the engagement record, so that the separation between automated contribution and human judgment can be demonstrated later rather than asserted.

## The defensibility check

Before a finding leaves the practice, it passes a standing test:

- Can every conclusion be traced to a source a reviewer could inspect?
- Are the claims bounded to what the evidence supports?
- Are known facts, assumptions, and undetermined matters separated?
- Would the finding hold if an independent examiner ran the work again from the preserved evidence?
- Is the contribution of automation documented and separable from human judgment?
- Are material limitations stated clearly enough that a decision-maker can account for them?

A finding that fails any of these returns to the phase where the gap opened. Nothing reaches a client on the strength of the method's reputation alone. It reaches them on the strength of the record behind it.

---

## Version discipline

The Zemi Method is maintained in dated, versioned form. Each public version records its publication date and material changes from the prior version. Engagement reports identify the version of the method in use where the method is relied on.

Versioning matters because the method is not written after the fact to fit a conclusion. It exists before the engagement, guides the work during the engagement, and constrains the finding at the end.

The same discipline applies to findings. If a finding issued under the method is later shown to be unsupported, incomplete, or materially misstated against the preserved evidence, a correction is issued that identifies the finding, the reason, and the evidence, with the same visibility as the original.

---

*The Zemi Method is maintained in dated, versioned form at its canonical home, https://zemimethod.com. Comments and scholarly correspondence are welcome and inform future versions.*
