Mechanism
Quorum-based engagement authorization is the embodiment in which engagement actions in the defense domain require independent confirmation from multiple governance channels before the action is committed. The quorum comprises at least three channels: the system's own confidence governor, which must compute sufficient confidence across all engagement dimensions; the system's integrity engine, which must confirm that the engagement is consistent with the system's rules-of-engagement profile and does not produce an unacceptable integrity deviation; and the chain-of-command authorization channel, which provides human operator authorization at the appropriate command level. Each channel performs its own evaluation, and the engagement is committed only when the channels independently confirm authorization.
The defining structural property is that the channels do not share evaluation state. Each channel evaluates against its own criteria, and no channel can read or write the working state of another. This separation is what makes the quorum architecturally distinct from a simple approval chain: it prevents a confident but integrity-compromised system from biasing the integrity evaluation through shared state. The confidence governor cannot reach into the integrity engine to soften an unacceptable deviation, and neither can substitute itself for the chain-of-command channel. Independence of evaluation, not the mere presence of multiple approvers, is the disclosed mechanism.
The Three Governance Channels
The confidence governor is the same primitive instantiated elsewhere in the defense embodiment as a graduated escalation mechanism. Its confidence is computed from structured inputs comprising target identification confidence, rules-of-engagement compliance confidence, collateral damage assessment confidence, and chain-of-command authorization confidence. For the quorum, the confidence governor must compute sufficient confidence across all engagement dimensions before it contributes its confirmation.
The integrity engine tracks the system's adherence to declared engagement constraints: proportionality requirements, distinction requirements, necessity requirements, and precaution requirements. Within the quorum it must confirm that the engagement is consistent with the system's rules-of-engagement profile and does not produce an unacceptable integrity deviation. Because the integrity engine continuously records engagement deviations, a system that has accumulated deviations carries a restricted engagement posture into the quorum through the integrity-to-confidence pathway.
The chain-of-command authorization channel provides human operator authorization at the appropriate command level. This channel keeps a human in the authorization loop as a structural element of the quorum rather than as a procedural overlay, so that machine confidence and machine integrity assessment cannot together commit an engagement that command authority has not authorized.
Quorum Requirements by Engagement Class
The strictness of the quorum is set by the consequence of the engagement. For lethal engagement, the quorum requirements are maximally strict: all channels must independently authorize the engagement, and any single channel veto produces unconditional engagement prohibition. There is no weighted tally and no notion of one channel outvoting another; a lethal engagement proceeds only on the unanimous, independent confirmation of every channel, and the absence of any one channel's authorization is by itself dispositive against the action.
For non-lethal engagement, the quorum requirements may be relaxed according to the operational policy. The disclosure frames this as a policy-governed relaxation keyed to the lower consequence of non-lethal action, not as a change to the underlying independence of the channels. The channels continue to evaluate separately; what the operational policy adjusts is how many independent confirmations the class of action requires.
Continuous Re-Evaluation and Revocable Authorization
Authorization obtained from the quorum is not a one-time gate. The confidence governor operates continuously during engagement, not merely at the authorization point. Once engagement is authorized and initiated, the confidence governor re-evaluates confidence at each computational cycle based on updated sensor data, environmental changes, and target behavior changes. If confidence drops below a re-evaluation threshold during engagement, the confidence governor can revoke engagement authorization during execution, producing an engagement interruption that returns the system to the observation state.
This makes engagement authorization a revocable permission rather than a one-time gate: authorization obtained at one moment does not persist if the conditions that supported it change. The disclosure gives concrete triggers for revocation, including a change in the target's behavior, a change in environmental conditions that alters the collateral damage assessment, and the arrival of new information. The combination of the quorum at the authorization point and continuous re-evaluation during execution means the system can both refuse to begin an engagement and stop one already underway.
Position in the Graduated Escalation Pipeline
The quorum sits inside a graduated escalation architecture. The confidence governor in the defense embodiment exposes multiple confidence thresholds governing progressively consequential actions: at a first threshold the system is authorized to observe and classify a detected entity, at a second threshold to issue a warning, at a third threshold to recommend engagement to a human operator, and at a fourth threshold, applicable only in systems where autonomous engagement is legally and operationally authorized, to execute engagement. Each threshold requires progressively higher confidence.
Referring to the defense system graduated escalation architecture, an observation threshold feeds into a warning threshold, which feeds into an engagement threshold, which feeds into the quorum gate. The quorum gate requires independent confirmation from multiple governance channels before permitting engagement, and it feeds into the continuous re-evaluation stage that maintains revocable authorization during execution. Rules of engagement provide the policy constraints that govern all threshold evaluations and engagement actions throughout the pipeline. The quorum is therefore the binding step that the escalation chain must pass through, downstream of the confidence thresholds and upstream of execution.
Lineage and Accountability
Every confidence computation and engagement decision is recorded for post-action accountability. The confidence computation at each threshold is deterministically recorded in the system's lineage, producing a complete accountability chain from sensor data through confidence evaluation through escalation decision. Engagement deviations detected by the integrity engine are recorded as integrity deviations with full semantic context, and the redemption engine generates restorative actions, including recalibration of targeting parameters, restriction of engagement authorization, and submission of the deviation event to the chain-of-command accountability system.
The disclosure pairs the quorum with integrity-constrained planning. The forecasting engine produces multiple speculative engagement branches, including a primary approach, alternatives with different risk and collateral profiles, and non-engagement alternatives such as continued observation, warning escalation, and tactical withdrawal. The integrity engine prunes engagement branches whose projected consequences violate rules of engagement, so that an approach with projected collateral damage exceeding the proportionality threshold is pruned before it can be promoted to execution. Operator identity is established through behavioral continuity rather than static credentials, and detected operator impairment triggers the confidence governor to restrict autonomous authority and require additional chain-of-command authorization.
Prior-Art Distinction
The quorum is described as architecturally distinct from a simple approval chain. A conventional approval chain routes a request through successive approvers who may share context and influence one another; the disclosed quorum instead requires that each channel perform an independent evaluation using its own criteria and that the channels not share evaluation state. The motivating distinction is concrete: shared state would allow a confident but integrity-compromised system to bias the integrity evaluation, and the no-shared-state requirement closes that path. The novelty lies in the independence of the governance channels and in tying lethal engagement to unanimous independent confirmation with a single-channel veto, not in any cryptographic voting scheme.
The disclosed quorum also differs from a static pre-engagement check. Because the confidence governor continues to re-evaluate during execution and can revoke authorization mid-engagement, authorization is a revocable permission keyed to the persistence of the conditions that supported it, rather than a one-time gate that, once passed, cannot be withdrawn.
Disclosure Scope
Quorum-based engagement authorization, comprising the requirement that multiple independent governance channels independently confirm engagement before the action is committed, the channel set of confidence governor, integrity engine, and chain-of-command authorization channel, the no-shared-state independence of those channels, the maximally strict requirement for lethal engagement in which all channels must authorize and any single channel veto produces unconditional prohibition, the policy-governed relaxation for non-lethal engagement, the placement of the quorum gate within the graduated escalation architecture, and continuous re-evaluation during engagement producing revocable authorization, is disclosed in the cognition filing (U.S. Application No. 19/647,395 and its international counterpart) in the defense and national security applications. This article describes that disclosed mechanism. The scope contemplates use in systems where autonomous engagement is legally and operationally authorized, the recording of every confidence computation and engagement decision in the system's lineage for post-action accountability, and the composition of the quorum with integrity-constrained planning, moral trajectory forecasting, and biological-identity operator authentication with impairment detection.
