Making LLM security verdicts verifiable: the evidence gate pattern

A developer built USAP, an open-source system that enforces a strict evidence gate for LLM security verdicts, requiring every verdict to cite a resolvable source. The system rejects hand-wavy output by checking evidence references against a contract of 11 typed JSON fields, and it ships with a held-out corpus of real incidents for evaluation. USAP runs as an MCP server or as system prompts, aiming to make AI security analyst outputs verifiable and trustworthy.

Every "AI security analyst" I tried had the same flaw: a correct verdict and a confident-but-wrong one are indistinguishable on screen. In security that's not a UX nit — it's the whole problem. So I built USAP around a single rule, and this post is about that rule and three things that fell out of it.

USAP's output contract is 11 typed JSON fields. The uncompromising one is evidence references: every verdict must carry at least one source that resolves. Four accepted forms: mcp:
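As an added illustration of that rule (my own sketch here, not USAP's code), the gate below parses a verdict, requires a non-empty list of evidence references, and accepts only references whose scheme has a resolver that actually finds the source. The field name `evidence_references`, the in-memory store standing in for MCP resources, and the two sample verdicts are assumptions; only the `mcp:` form from the post is registered, so any other scheme is rejected as unaccepted.

```python
"""Evidence gate for LLM security verdicts (added example, not USAP's own code)."""
import json
from dataclasses import dataclass, field

# Constructed stand-in for resolvable MCP resources; a real gate would fetch them.
EVIDENCE_STORE = {
    "mcp://logs/auth#line-4412": "Failed password for root from 203.0.113.7 port 50122",
    "mcp://logs/auth#line-4413": "Accepted publickey for deploy from 198.51.100.4",
}


@dataclass
class GateResult:
    accepted: bool
    reasons: list = field(default_factory=list)  # empty when accepted


def resolve_mcp(ref: str) -> bool:
    """A reference 'resolves' only if the store really has content for it."""
    return ref in EVIDENCE_STORE


# Scheme prefix -> resolver. The post lists four accepted forms; only mcp: is modelled.
RESOLVERS = {"mcp": resolve_mcp}


def check_evidence_gate(verdict_json: str) -> GateResult:
    """Reject any verdict whose evidence is absent, malformed, or unresolvable."""
    try:
        verdict = json.loads(verdict_json)
    except json.JSONDecodeError as exc:
        return GateResult(False, [f"not valid JSON: {exc.msg}"])
    refs = verdict.get("evidence_references")  # assumed field name
    if not isinstance(refs, list) or not refs:
        return GateResult(False, ["evidence_references must be a non-empty list"])
    reasons = []
    for ref in refs:
        if not isinstance(ref, str) or ":" not in ref:
            reasons.append(f"malformed reference: {ref!r}")
            continue
        scheme = ref.split(":", 1)[0]
        resolver = RESOLVERS.get(scheme)
        if resolver is None:
            reasons.append(f"unaccepted reference form: {scheme}:")
        elif not resolver(ref):
            reasons.append(f"reference does not resolve: {ref}")
    return GateResult(not reasons, reasons)


# Two verdicts that look identical on screen; only the gate tells them apart.
GROUNDED = json.dumps({"verdict": "compromised", "confidence": 0.9,
                       "evidence_references": ["mcp://logs/auth#line-4412"]})
UNGROUNDED = json.dumps({"verdict": "compromised", "confidence": 0.95,
                         "evidence_references": ["mcp://logs/auth#line-9999"]})

if __name__ == "__main__":
    for label, v in (("grounded", GROUNDED), ("ungrounded", UNGROUNDED)):
        print(label, check_evidence_gate(v))
```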