A bridge isn't competent because the blueprint is elegant, but because the bridge holds — and continues to hold when trucks cross, winds rise, and inspectors check the bolts.

Tronto insists that "assuming responsibility is not yet the same as doing the actual work of care." Competence is about execution: working code that does what it promised, audited, explainable, and safe-to-fail. And crucially — a point Tronto presses on technologists in particular — "to be competent to care is not simply a technical issue, but a moral one." A system that ships broken care with good intentions has failed morally, not just technically. The promise was made; the bridge did not hold.

The illustration's framing: We check the process — not "just trust us," but with transparency and fast operational feedback on how care is delivered. Trust, in a Civic AI context, is not a disposition you extend once to a vendor; it is something earned incrementally, through demonstrated, inspectable practice.

Definition

Why it matters

Competence matters because public promises fail unless execution is visible, testable, and reversible. Pack 2 binds commitments; Pack 3 asks whether the system actually delivers on them. For Civic AI, safety is something people should be able to inspect in operation, not infer from vendor intent. A system that ships broken care with good intentions has failed morally, not just technically.

The Apprentice Model

The staged-competence pattern has a name and a lineage: the apprentice. A master machinist in Taichung knows from the sound of the spindle whether a tool is about to chatter; a ward nurse hears, at three in the morning, the difference between ordinary sleep-apnoea noise and something that warrants waking the doctor. This is tacit knowledge, Michael Polanyi's term for what we know but cannot fully tell.

When the relationship goes wrong, the failure is concrete. A vendor demo enables "autonomous feed optimisation." The co-pilot stops waiting for the machinist to accept a proposal and begins adjusting spindle speed and depth on its own because the benchmark chart looked good in the lab. For a few minutes the cuts look cleaner on paper. Then the sound changes. The machinist reaches to slow the feed and discovers her override is no longer the default path: the system argues, delays, or treats her input as an exception. The apprentice is no longer making her decision better informed. It is directing the cultivator.

Civic AI enters such settings as a digital apprentice, not a replacement: it observes in shadow mode, records decision traces, and learns the tacit knowledge of this workshop, this ward, this community before it is trusted to suggest, let alone act. And the cultivator keeps three things here: the steering wheel (execution stays under human direction), the brake (one prominent control that stops the machine now, wired directly and tested regularly), and the maintenance manual (traceability of which rules fired, which inputs guided the output, and who repairs the model when it fails). Portability and exit still matter, but they belong to Pack 5's solidarity work; here the narrower test is whether inspectability and override work in the room before any contract clause counts.

What it looks like in practice

From ideas to practice

  1. Derive specs from contracts. Convert Pack 2 engagement contracts into acceptance tests.
  2. Instrument for observability. Emit decision traces with links to sources and receipts (from Pack 1).
  3. Run shadow mode. New policy sees inputs and proposes actions but doesn't act. Compare to human/previous system. Shadow mode is the apprentice watching over the cultivator's shoulder.
  4. Canary safely. Release to a small, stratified, representative group with automatic rollback if drift exceeds bounds.
  5. Audit before general. Conduct independent audit of evals, logs, and guardrails; publish an attested report with the verified execution rate: the share of audited decisions that pass guardrails with a usable trace.
  6. Generalise & monitor. Enable for all; watch drift monitors; keep pause wired.
  7. Post-incident learning. Maintain blameless reviews; fixes become tests.

Buildable tools

One case: the flood-bot

What could go wrong

Interfaces

A closing image: the bridge with inspection tags

Imagine a well-kept bridge with inspection tags — date, load test, next check — visible to anyone crossing. Competence is not the absence of failure; it is the presence of proof that someone checked, and will check again. The deployment stages are the inspection schedule; the decision traces, the inspection records; the blameless incident reviews, the reports filed when something was found wrong.

PreviousNext

A research output of the Oxford Institute for Ethics in AI, Accelerator Fellowship Programme.

Audrey Tang and Caroline Green. CC0 (public domain). Illustration by Nicky Case. All comics. Glossary.

Co-written with jdd-kami, cultivated by Tenzin Yangtso — the GitHub commit log has full authorship details.