Defense Engagement Authorization Through Multi-Level Confidence

Regulatory Framework

DoDD 3000.09 (January 25, 2023) is the most explicit national-level governance instrument for autonomy in weapon systems. It defines autonomous and semi-autonomous categories, mandates senior-level review prior to formal development and again before fielding for systems that fall within scope, and requires that operators retain the ability to exercise appropriate levels of human judgment over the use of force. The directive explicitly references rigorous testing, verification and validation, and a documented engagement-authorization framework. The accompanying CDAO Responsible AI Strategy and Implementation Pathway, the JAIC-era ethical principles, and the DoD AI Ethical Principles (2020) extend the policy surface from weapons specifically to AI-enabled defense capabilities generally.

International humanitarian law sits above the national directive. Article 36 of AP I obliges states to determine, in the study, development, acquisition, or adoption of new weapons, whether their employment would in some or all circumstances be prohibited by international law. The 1980 Convention on Certain Conventional Weapons hosts the GGE on Lethal Autonomous Weapons Systems, which since 2014 has elaborated guiding principles emphasizing human responsibility, accountability, and the applicability of IHL to all weapon systems. The REAIM ("Responsible AI in the Military Domain") summits in The Hague (2023) and Seoul (2024) produced multilateral declarations endorsing a similar set of principles. The ICRC's 2021 position calls for prohibitions on certain categories of autonomous weapons and strict regulation on the remainder, with a particular emphasis on predictability and explainability.

Layered alongside the IHL framework are doctrinal and acquisition instruments. Joint All-Domain Command and Control (JADC2) doctrine and the Combined JADC2 (CJADC2) overlay assume coalition-interoperable decision authorities operating at machine speed. AUKUS Pillar II identifies advanced autonomy and AI as priority capability areas, implying coalition-level interoperability of governance frameworks. MIL-STD-882E remains the system-safety backbone, requiring hazard analysis, risk classification, and mitigation traceability for every weapons program; its discipline applies to AI-enabled systems even when the hazard is software-induced rather than mechanical.

Architectural Requirement

The combined regulatory framework imposes an architectural requirement that conventional engineering practice does not fulfill. An engagement decision is not a single inference; it is a conjunction of independent assessments, each grounded in a different evidence base, each with its own failure modes, and each with its own legal weight. Target identification draws on sensor fusion, intelligence correlation, and pattern matching. Collateral assessment draws on environmental sensing, civilian-pattern modeling, and structural proximity. ROE compliance is a deductive evaluation against the current operational orders. Proportionality combines anticipated military advantage with anticipated incidental harm. Command authority is a question of whether the engagement falls within the authority delegated to the platform or its controllers.

The architectural requirement is therefore that each of these confidences be computed, represented, evaluated, and recorded independently. Collapsing them into a single composite — an "engagement score" — destroys precisely the structure that DoDD 3000.09 senior-review processes, Article 36 reviews, MIL-STD-882 hazard tracing, and IHL accountability all depend on. A composite of 0.85 that hides a 0.70 collateral-confidence subcomponent is not auditable; the auditor cannot tell whether the threshold was met on the dimension that matters legally.

A second architectural requirement is structural human-in-the-loop authorization, not merely advisory presence. The legal demand for "appropriate levels of human judgment" implies that for defined engagement classes the human authorization is a precondition for execution, cryptographically and operationally — not an override that can be bypassed under time pressure. A third requirement is integrity tracking: the system's behavior over a campaign must remain consistent with its declared principles, with structural detection of drift before drift produces a violation. A fourth requirement is bounded forecasting: the system must be able to model an engagement's projected effect, including collateral consequences, without that modeling itself authorizing the engagement.

Why Procedural Compliance Fails

The dominant procedural model — pre-mission ROE briefings, target lists vetted through legal review, collateral-damage estimation produced by separate tooling, and human authorization at engagement time — works at the pace of human decision-making in environments where engagement windows are minutes long. It fails in three specific regimes that current and projected defense systems increasingly inhabit.

First, machine-speed engagements. Counter-rocket-artillery-mortar systems, ship self-defense suites, and counter-UAS platforms operate within engagement windows measured in seconds or fractions of seconds. Procedural authorization cannot be inserted into those windows without forfeiting the protective function. The result, under existing procedural compliance, is either a blanket pre-authorization that erodes the meaningfulness of human judgment, or a refusal to field capabilities that legitimate self-defense doctrine would permit.

Second, scale. A JADC2-style operational picture may carry thousands of tracks across air, surface, subsurface, space, and cyber domains simultaneously. Procedural authorization scales linearly with operator attention; the operational tempo scales with the adversary's force structure. The mismatch is structural, and procedural patches — additional operators, additional review boards — do not close it.

Third, coalition operation. AUKUS Pillar II and CJADC2 doctrine assume that allied autonomous systems will operate alongside one another. Procedural compliance offers coalition partners no way to verify that an allied system applies engagement governance equivalent to their own; trust devolves to subjective assurances about the partner's AI program. This is not a posture the ICRC, REAIM declarations, or domestic legal-review communities will accept indefinitely. Without a structural primitive for engagement governance, every coalition deployment becomes a bilateral negotiation about what each partner's autonomy actually does.

Procedural compliance also fails the post-event audit. After an incident, investigators today must reconstruct the engagement decision from operator testimony, system logs of inconsistent fidelity, and indirect evidence. MIL-STD-882 hazard tracing, Article 36 retrospective review, and DoDD 3000.09 senior-review accountability all assume that the engagement-decision artifact exists in a form they can examine. Frequently it does not.

What AQ Primitive Provides

Adaptive Query's cognitive primitive, parameterized for defense engagement authorization, provides multi-level confidence governance as a structural object. For each engagement candidate, the system maintains independent confidence computations across the legally distinct domains: target identification confidence (TIC), collateral-assessment confidence (CAC), rules-of-engagement compliance confidence (RCC), proportionality confidence (PC), and command-authority confirmation (CAC-AUTH). Each is computed from its own evidence sources, with its own model lineage, its own threshold, and its own audit record.

Authorization is conjunctive. Engagement proceeds only if every domain independently satisfies its threshold; high confidence in one domain cannot compensate for marginal confidence in another. A target-identification confidence of 0.97 paired with a collateral-assessment confidence of 0.62 does not authorize engagement, regardless of any composite arithmetic. The structural rule is preserved at the policy layer and cannot be relaxed by the inference layer.

Integrity tracking observes the system's behavior over time against its declared principles. If the campaign-level distribution of authorized engagements is drifting toward marginal collateral confidence — a pattern indicative of either degraded sensing, an evolving operational environment, or an emergent model-behavior issue — the integrity field surfaces the deviation as a structured signal before any individual engagement crosses a threshold. The signal is routed to the responsible commander as a governance event, consistent with DoDD 3000.09's expectation that operators retain meaningful judgment.

The forecasting engine models projected outcomes within a containment boundary. For each engagement candidate, the system produces a forecast: expected effect, expected collateral footprint, expected consequence on the operational picture. The forecast is evaluated against the same governance constraints that the engagement itself would face; speculative reasoning about "what would happen if we engaged this target" is structurally distinguished from authorization. The model that imagines engagements does not pull the trigger.

Command-authority integration is structural rather than advisory. Engagement classes that require human authorization carry a policy-level binding to a designated authority's signing key; the platform cannot transition to an engagement state without a current, validly signed authorization that matches the engagement's class, ROE, and time window. Quorum-based authorization is supported for classes that legal review or coalition policy require to be co-signed. The cryptographic discipline produces an artifact that survives the engagement and is available to MIL-STD-882, Article 36, and DoDD 3000.09 reviewers.

The lineage of every engagement-authorization decision — every domain confidence, every threshold, every input evidence reference, every authority signature, every integrity event — is recorded immutably. Post-event audit becomes a replay rather than a reconstruction.

Compliance Mapping

The primitive maps onto the regulatory framework with explicit per-clause traceability. DoDD 3000.09 sections specifying senior review map to lineage-evidence packages tied to the system's declared engagement classes; the directive's "appropriate levels of human judgment" requirement maps to the structural human-authorization binding for the relevant classes. Article 36 review obligations are supported because the system's structural governance — its domains, thresholds, integrity declarations, and authority bindings — is documented in a form that the legal reviewer can examine before fielding and reproduce after.

The CCW GGE LAWS guiding principles — that IHL applies fully, that human responsibility is retained, that accountability is preserved — are honored by the conjunctive-authorization rule, the structural human-authority binding, and the immutable lineage. The REAIM call letters, particularly those urging predictability and verifiability, are satisfied directly by the per-domain confidence decomposition. The ICRC ethical position's emphasis on predictability is supported by the integrity-tracking field; its emphasis on attribution is supported by the lineage. JADC2 and CJADC2 doctrinal expectations of machine-speed coalition decision-making are satisfied because the primitive runs at inference speed while remaining auditable. AUKUS Pillar II coalition interoperability is supported because two partners' systems can verify each other's governance structure as data, replacing subjective trust with structural verification. MIL-STD-882 hazard analysis maps onto the per-domain confidence and integrity fields; software-induced hazards become first-class entries in the hazard tracking matrix.

Adoption Pathway

Adoption begins with non-lethal and defensive systems, where the legal and political stakes of structural change are lowest. A counter-UAS platform, an electronic-warfare system, or a perimeter sensor suite is reconfigured to expose its decision logic through the multi-level confidence primitive. The immediate effect is improved auditability, a clean Article 36 review package, and a measurable reduction in the time required to produce DoDD 3000.09 senior-review evidence. No combat behavior changes; the structural object simply exists where previously only logs existed.

The second phase expands to semi-autonomous engagement systems where human authorization is already procedurally required. The structural human-authorization binding replaces procedural authorization, with the operator's existing role preserved but the artifact upgraded. Engagement-class policies are encoded explicitly, integrity tracking is enabled, and the lineage becomes the primary post-mission evidence. Command and legal staff gain a single authoritative artifact for after-action review.

The third phase addresses autonomous defensive engagements operating at machine speed. The primitive's conjunctive-authorization rule, integrity tracking, and contained forecasting make it possible to satisfy DoDD 3000.09's "appropriate human judgment" requirement structurally — the human's judgment is encoded in the governance policy and the authority bindings, exercised in advance and exercised in real time on out-of-bound conditions, rather than as an in-loop bottleneck on every engagement. Coalition deployments under AUKUS Pillar II and CJADC2 become possible because partners can verify each other's governance as a structural object.

The fourth and final phase is doctrinal. As the primitive accumulates fielded evidence, the CCW GGE LAWS, the REAIM successor instruments, and any future binding agreement on autonomous weapons can reference it as a baseline architectural standard. At that point, engagement authorization is no longer a procedural assurance grafted onto opaque systems; it is a property of the systems themselves, expressed in a structure that operators, commanders, lawyers, allies, and regulators can all read.