Continuity-Based Facility Access Control
by Nick Clark | Published March 27, 2026
Facility access governed by the continuity-based biological identity primitive disclosed in the Cognition Patent application replaces conventional credential infrastructure with composite admissibility evaluation against an accumulating identity continuity record. No keys, cards, PINs, or biometric templates are stored at the facility; the access decision derives from the present individual's continuity with their previously-attested presence, evaluated under declared admissibility policy rather than against a stored secret.
Mechanism
The mechanism replaces the conventional access-control pattern of comparing a presented credential against a stored reference with a structurally different operation: the present individual is admitted to the facility when, and only when, the composite admissibility evaluation against their continuity record exceeds the facility's declared threshold for the requested access class. The continuity record is not a template; it is an open-ended history of attested encounters between the individual and recognized observation surfaces, each carrying its own credentialing lineage and validity window.
Admissibility is composite. No single observation, sensor reading, or attestation is dispositive. The evaluation aggregates contributions from the individual's continuity history (frequency, recency, and consistency of prior attested presence at this and federated facilities), from the present encounter's live observations (gait, voice, comportment, and other non-template behavioral and physiological signals admissible under declared policy), and from contextual factors recognized by the facility's governance (time of day, accompaniment, prior scheduling, declared purpose). The composite score is computed under a published function whose parameters are themselves under governance.
Critically, no biometric template is stored. The live observations are evaluated against the running continuity record by structural compatibility — does the present encounter cohere with the prior continuity? — rather than by template match. The continuity record itself is held as a sequence of signed attestations, each independently verifiable, rather than as a feature vector susceptible to reconstruction. An adversary who exfiltrates the record obtains an audit trail, not a key.
Within the facility, passive observation surfaces continue to extend the continuity record. Each new attested presence event is appended to the individual's record under the facility's credentialing authority, deepening the continuity available for future admissibility evaluation. The record is portable across federated facilities under declared inter-authority recognition rules, so an individual's continuity at one site contributes lawfully to admissibility at another.
Operating Parameters
Access classes are declared per facility. A given facility may admit multiple classes — visitor, contractor, employee, sensitive-area-authorized — each with a distinct composite threshold and distinct contributing-factor weighting. An individual may hold simultaneous admissibility against several classes, with the system selecting the class corresponding to the requested access at evaluation time.
Continuity decay parameters govern the temporal weight of historical attestations. Recent attestations contribute more strongly than distant ones; the decay schedule is published and is governance-controlled. An individual whose continuity has lapsed below threshold is not denied permanently — re-establishment through accompanied or supervised encounters is supported under declared re-onboarding policy.
Anomaly handling parameters govern the system response when live observations are inconsistent with the running continuity. Inconsistency is not, by itself, denial; it triggers escalation under declared procedure — additional observation, human review, or accompanied admission — calibrated to the access class and the magnitude of inconsistency.
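The access-class, decay, and anomaly-handling parameters above can be seen working together in the following sketch, which is an added example and not code from the disclosure. The weighted-sum scoring function, the half-life decay schedule, the `saturation` and `min_live` parameters, and all sample values are assumptions chosen for illustration; the disclosure states only that the function and its parameters are published and under governance.

```python
from dataclasses import dataclass

DAY = 86400.0  # seconds

@dataclass(frozen=True)
class Attestation:
    surface_id: str
    timestamp: float  # seconds since epoch
    coherence: float  # 0..1 structural fit with the record when appended

@dataclass(frozen=True)
class AccessClass:
    name: str
    threshold: float       # composite score required to admit
    weights: tuple         # (history, live, context) weights
    half_life_days: float  # assumed exponential decay schedule
    saturation: float      # decayed attestation mass treated as full continuity
    min_live: float        # live coherence below this escalates

def history_score(record, now, cls):
    """Decay-weighted continuity in [0, 1]; recent attestations count more."""
    mass = sum(a.coherence * 0.5 ** ((now - a.timestamp) / DAY / cls.half_life_days)
               for a in record if a.timestamp <= now)
    return min(1.0, mass / cls.saturation)

def evaluate(record, live, context, cls, now):
    """Return (outcome, composite) for one encounter against one access class."""
    wh, wl, wc = cls.weights
    composite = wh * history_score(record, now, cls) + wl * live + wc * context
    if live < cls.min_live:
        return "ESCALATE", composite      # inconsistency: review, not silent denial
    if composite >= cls.threshold:
        return "ADMIT", composite
    return "ACCOMPANIED", composite       # below threshold: supervised re-onboarding

# Constructed sample data (not from the page).
NOW = 1000 * DAY
RECORD = [Attestation("lobby", NOW - 60 * DAY, 1.0),
          Attestation("lobby", NOW - 30 * DAY, 1.0),
          Attestation("dock", NOW, 1.0)]
EMPLOYEE = AccessClass("employee", 0.75, (0.5, 0.4, 0.1), 30.0, 2.0, 0.5)
SENSITIVE = AccessClass("sensitive-area-authorized", 0.90, (0.5, 0.4, 0.1), 30.0, 2.0, 0.5)

if __name__ == "__main__":
    for cls, live, now in [(EMPLOYEE, 0.9, NOW), (SENSITIVE, 0.9, NOW),
                           (EMPLOYEE, 0.2, NOW), (EMPLOYEE, 0.9, NOW + 180 * DAY)]:
        print(cls.name, live, evaluate(RECORD, live, 1.0, cls, now))
```

The same record admits at the employee threshold, falls to accompanied admission at the sensitive-area threshold or after 180 days without fresh attestations, and escalates when the live observation does not cohere with the record.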
Privacy parameters govern observation retention, federation disclosure, and individual access to one's own continuity record. The architecture supports continuity-record portability under individual control, including controlled disclosure to new facilities and revocation of recognition at facilities the individual no longer wishes to credential against.
Alternative Embodiments
In a corporate-headquarters embodiment, the facility admits employees, contractors, and visitors under three distinct access classes. Long-tenured employees develop deep continuity and are admitted with minimal live evaluation; new employees are admitted under accompanied or supervised continuity-building until threshold is reached.
In a research-laboratory embodiment, sensitive-area access requires not only continuity threshold but contemporaneous attestation by a second admitted individual, implementing a structural two-person rule under composite admissibility.
In a healthcare-facility embodiment, the same primitive governs both staff access and patient identification, with patient continuity records contributing to clinical care continuity (see related medical patient transfer disclosure) without exposing biometric templates to the broader healthcare information environment.
In a residential or hospitality embodiment, the primitive governs admission to private living or guest spaces, eliminating the lost-key and credential-sharing failure modes characteristic of physical and digital key systems.
In a transit-system embodiment, the primitive governs admission to controlled platforms or vehicles, with continuity portable across the transit operator's federated stations.
Composition
The continuity-based access primitive composes with the wider governance-chain lineage architecture. Each admission event generates a settlement record carrying the lineage of the admissibility evaluation — the credentialing authority of the facility, the contributing observation surfaces, the live encounter telemetry digest, and the composite score — supporting subsequent audit of who was admitted to what, when, and under what evidentiary basis. Composition with multi-party coordination supports admission events that require attestation from more than one party (the two-person-rule embodiment above).
The primitive composes with declared override procedures. Emergency access for first responders, subpoenaed access for lawful investigators, and accommodation access for individuals whose continuity is structurally disrupted (medical, post-incident, post-impersonation-recovery) are each handled under declared procedure rather than by exception to the composite evaluation.
Failure Modes and Recovery
Continuity loss is the principal failure mode the architecture must address gracefully, because individuals legitimately experience disruption of their attestable presence — illness, travel, leave, post-surgical recovery, life events that alter comportment. The system treats below-threshold continuity not as denial but as a structurally recognized condition for which a re-onboarding procedure is declared. An individual whose continuity has decayed below the access threshold is admitted under accompanied or supervised procedure for a configured re-establishment window, during which fresh attested presence events rebuild the continuity record. The procedure preserves access while protecting the integrity of the admissibility evaluation.
Impersonation attempts produce composite-evaluation inconsistencies that the architecture is designed to detect. An adversary mimicking an authorized individual's gait, voice, or comportment might satisfy any single live observation, but composite admissibility against a deep continuity record exposes the inconsistencies that template-match systems would miss — irregularity in the historical pattern, contextual factors inconsistent with the present encounter, accompaniment patterns that differ from the authentic individual's history. Detected inconsistency triggers escalation rather than silent denial, supporting both security response and the legitimate individual's eventual remediation if the encounter was authentic but anomalous.
Observation-surface compromise — sensors tampered, encrypted feeds intercepted, attestation pipelines corrupted — is bounded by the lineage of the attestations themselves. Each contributing observation carries its surface's credentialing lineage; surfaces whose lineage is revoked have their contributions discounted or excluded from composite admissibility. The architecture supports forensic reconstruction of which surfaces contributed to which past admissions, enabling targeted re-evaluation when a surface is found compromised rather than broad facility lockdown.
Loss of network connectivity to federation peers is handled through declared graceful-degradation policy. The local facility continues to admit on the basis of its locally held continuity records and live observations, with federated-continuity contributions deferred until reconnection. The deferral is itself bound into the resulting admission lineage so that subsequent audit can identify admissions made under degraded federation visibility.
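The targeted re-evaluation after a surface compromise, and the audit query for admissions made under degraded federation, can be sketched as follows. This is an added example, not code from the disclosure; it assumes each admission record stores the per-surface share of its composite score and a `federation_deferred` flag, and that a surface found compromised as of a given time taints admissions evaluated at or after that time. All field names and sample records are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Admission:
    admission_id: str
    timestamp: int             # epoch seconds of the admission event
    threshold: float           # class threshold in force at evaluation time
    contributions: dict        # surface_id -> share of the composite score
    federation_deferred: bool  # admitted under degraded federation visibility

def reevaluate(admissions, revoked_since):
    """revoked_since maps surface_id -> time from which its lineage is untrusted.
    Returns admission_id -> (residual_score, still_admissible), affected entries only."""
    findings = {}
    for adm in admissions:
        tainted = [s for s in adm.contributions
                   if s in revoked_since and adm.timestamp >= revoked_since[s]]
        if not tainted:
            continue  # admission did not rely on a compromised surface
        residual = sum(v for s, v in adm.contributions.items() if s not in tainted)
        findings[adm.admission_id] = (round(residual, 6), residual >= adm.threshold)
    return findings

def degraded_admissions(admissions):
    """Admissions whose lineage records deferred federated-continuity contributions."""
    return [a.admission_id for a in admissions if a.federation_deferred]

# Constructed sample records (not from the page).
ADMISSIONS = [
    Admission("A-1", 100, 0.75, {"lobby": 0.45, "dock": 0.35}, False),
    Admission("A-2", 200, 0.75, {"lobby": 0.50, "dock": 0.30}, True),
    Admission("A-3", 300, 0.75, {"lobby": 0.80, "dock": 0.10}, False),
]
REVOKED_SINCE = {"dock": 150}  # "dock" surface lineage revoked as of t=150

if __name__ == "__main__":
    print(reevaluate(ADMISSIONS, REVOKED_SINCE))
    print(degraded_admissions(ADMISSIONS))
```

Only the admissions that drew on the revoked surface after its compromise time are reopened, and only those whose residual score falls below threshold need human review.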
Prior-Art Distinction
Conventional access control falls into three families: possession-based (keys, cards, tokens), knowledge-based (PINs, passwords), and template-based (biometric match against a stored reference). Each family has a single point of failure: the credential or template, once compromised, opens the facility. Multi-factor combinations reduce but do not eliminate the failure mode, and template-based systems introduce a privacy liability — the stored template — that does not abate.
The continuity-based primitive differs by storing no secret and no template. Compromise of the continuity record yields an audit history, not access. Identity is established by structural coherence with an accumulated history rather than by match against a fixed reference. The system improves with use rather than degrading with credential aging, and the privacy posture improves correspondingly because no extractable identifier exists to exfiltrate.
Implementation Considerations
Deployment of the continuity-based access primitive in a production facility involves several considerations encompassed by the disclosure. Observation-surface selection is facility-specific; the surfaces appropriate to a corporate lobby differ from those appropriate to a research clean-room or a hospital ward, and the architecture supports declared per-facility surface configuration with surface contributions weighted in composite admissibility according to declared reliability and admissibility characteristics. New surface types may be introduced to the deployment under governance approval without restructuring the underlying primitive.
Initial enrollment of an individual produces no template and stores no extractable identifier; the enrollment is the establishment of the individual's continuity record root and the binding of that root to the individual's credentialing authority. Subsequent attested presence events build the record from this root. Enrollment may be conducted at the facility itself, at a federated facility whose enrollment is recognized, or under an organizational identity authority whose recognition is governance-declared.
Audit and reporting requirements applicable in regulated facilities — financial-services workplace controls, defense-cleared facilities, healthcare HIPAA-covered settings — are addressed by the lineage-bound admission record produced for each entry. The record supports audit query without exposing biometric content because none was stored; audit response is reduced to demonstrating the bound admissibility evaluation and its contributing observation lineage.
Integration with legacy access infrastructure is supported through declared interoperation profiles. A facility transitioning from credential-based to continuity-based access may operate the two systems concurrently, with the continuity primitive serving as the primary admissibility input and the legacy credential system serving as a fallback or supplementary factor under declared composite policy. The transition may complete gradually as continuity records mature, without a single cutover event.
Cross-facility federation is governed by inter-authority recognition agreements that themselves take the form of governance attestations bound into the lineage of contributing continuity records. An organization operating multiple facilities under a single corporate authority recognizes its own facilities mutually by default; cross-organizational recognition (a contractor's continuity at the contractor's home facility contributing to admissibility at a client site, for example) proceeds under explicit recognition attestation with declared scope, validity, and revocation handling. The federation structure scales without producing cross-organizational template propagation, because no template exists.
Disclosure Scope
The disclosure encompasses the use of the continuity-based biological identity primitive as the governing admissibility input for facility access; the composite admissibility evaluation aggregating continuity-record contributions, live encounter observations, and contextual factors under declared policy; the absence of stored keys, cards, PINs, or biometric templates; the per-class threshold and weighting structure; the temporal decay and re-establishment procedures; the anomaly-handling escalation procedures; the privacy and portability parameters; and the embodiments in corporate, research, healthcare, residential, and transit settings. The disclosure further encompasses composition with governance-chain lineage for audit, with multi-party coordination for structural two-person admission, and with declared override procedures for emergency, lawful, and accommodation access.