A Layered Privacy Architecture

Privacy in the biological identity architecture is not a single control. It is layered across three levels of the pipeline, each supplying a different kind of protection. At the representation level, the stable sketching mechanism provides structural non-invertibility: the sketch is produced through dimensional reduction, projection, and band-based quantization, so it carries enough information for continuity validation but not enough to reconstruct the biological signal, the normalized feature stream, or the intermediate representations from which it was derived. At the identifier level, the domain separation mechanism provides structural unlinkability: biological hashes generated from identical biological signals but within different domain contexts are computationally unlinkable. At the operational level, the governance controls described here provide policy-enforced restrictions on when, how, and under what conditions biological identity resolution is permitted, audited, and revoked.

The first two layers are structural rather than policy-dependent. Non-invertibility is a property of what the dimensional reduction, projection, and quantization discard, not an assumption about computational difficulty. Unlinkability follows from the domain separation tag producing a structurally different hash output for each domain. The governance layer adds the operational discipline on top of these structural guarantees: even where the structure permits a resolution, policy decides whether it is allowed to occur.

Resolution Authorization Before Signal Processing

The governance framework begins with a resolution authorization policy. The policy specifies which entities (individuals, organizations, devices, or agents) are authorized to initiate biological identity resolution, against which populations, in which resolution modes, and under what conditions. The defining property of this control is its position in the pipeline: resolution authorization is evaluated before any biological signal processing occurs. An unauthorized resolution request is rejected without capturing or processing any biological signal data. The protection is therefore not a filter applied to a result that has already been computed; it is an admission point that prevents the biological signal from being acquired or processed at all when the request is not authorized.

Audit and Retention

An audit policy specifies which identity resolution events are recorded, what information is included in the audit record, who has access to the records, and how long they are retained. The audit record does not include the raw biological signal, the stable sketch, or the biological hash. It records the resolution request parameters, the resolution outcome, the confidence level, and the policy justification for the resolution. The audit therefore captures the governance and decision context of a resolution without itself becoming a store of biological data.
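As an added illustration (not code from the filing or from this article), the following Python sketch shows the two properties just described: the authorization gate runs before the sensor path is touched, and the audit record carries only decision context. The policy table, requester names, and confidence value are constructed placeholders; the sketch/hash step is a stand-in.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed policy table (illustrative; not the filing's own policy format):
# requester -> populations it may resolve against and permitted resolution modes.
POLICY = {
    "clinic-42": {"populations": {"patients"}, "modes": {"continuity", "verify"}},
    "kiosk-7": {"populations": {"visitors"}, "modes": {"continuity"}},
}

# The only fields an audit record may carry: request parameters, outcome,
# confidence and policy justification. No signal, sketch or hash field exists.
AUDIT_FIELDS = ("requester", "population", "mode", "outcome", "confidence", "justification")

@dataclass
class ResolutionPipeline:
    audit_log: list = field(default_factory=list)
    hash_store: list = field(default_factory=list)  # where hashes live; never the audit
    captures: int = 0  # how often the sensor path actually ran

    def capture_signal(self) -> bytes:
        # Stand-in for sensor acquisition; the gate must keep this from executing.
        self.captures += 1
        return b"constructed-raw-biological-signal"

    def resolve(self, requester: str, population: str, mode: str) -> dict:
        rule = POLICY.get(requester)
        authorized = (rule is not None and population in rule["populations"]
                      and mode in rule["modes"])
        if not authorized:
            # Admission point: rejected before any signal is acquired or processed.
            outcome, confidence, why = "rejected", None, "no matching policy rule"
        else:
            signal = self.capture_signal()
            # Placeholder for sketching + hashing; the result goes to the hash
            # store only, so the audit log never becomes a store of biological data.
            self.hash_store.append(hashlib.sha256(signal).hexdigest())
            outcome, confidence, why = "resolved", 0.97, "policy rule match"
        record = dict(zip(AUDIT_FIELDS,
                          (requester, population, mode, outcome, confidence, why)))
        self.audit_log.append(record)
        return record

def audit_is_clean(log: list) -> bool:
    # Every record carries exactly the decision-context fields and nothing else.
    return all(set(r) == set(AUDIT_FIELDS) for r in log)
```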

A retention policy specifies how long biological trust-slope data (hashes, helper data, and metadata) is retained and under what conditions it is purged. Retention periods may vary by trust-slope component: biological hashes may be retained for the lifetime of the identity, while helper data may be retained only for the duration required to support the current stable sketch configuration. This component-by-component retention reflects that different parts of the trust-slope carry different privacy weight and serve different functional lifetimes.

Domain-Scoped and Full Revocation

Biological identity is revocable. An individual may revoke a biological identity by instructing the identity system to invalidate the trust-slope associated with that identity within a specified domain. Revocation permanently invalidates the trust-slope: subsequent biological signal captures that would have been continuity-consistent with the revoked trust-slope are rejected, and capabilities bound to the revoked trust-slope are immediately invalidated. Because capability tokens are bound to the trust-slope and are continuously re-evaluated rather than granted once, invalidating the trust-slope withdraws the authorizations that depended on it.

Revocation is domain-scoped by default. Revoking a biological identity in one domain does not affect biological identity chains in other domains, because the domain separation mechanism makes trust-slopes in different domains structurally independent. Full revocation, across all domains, requires explicit invocation and is subject to governance approval, a safeguard intended to prevent accidental or coerced full revocation. The default scoping means an individual can sever a relationship with one relying party without collapsing every other context in which their biological identity operates.
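An added example (not the filing's or the article's own code) of why revocation can be domain-scoped: a domain tag is folded into the hash input, so one stable sketch yields unrelated identifiers per domain, and invalidating one domain's trust-slope withdraws only the capabilities bound to it. The hash construction, token format and the `governance_approved` flag are assumptions made for illustration; the sketch bytes are constructed.

```python
import hashlib
import secrets

def biological_hash(sketch: bytes, domain: str) -> str:
    # Domain separation tag folded into the hash input, so one stable sketch
    # yields unrelated identifiers per domain (illustrative construction).
    return hashlib.sha256(b"bio-id|" + domain.encode() + b"|" + sketch).hexdigest()

class IdentitySystem:
    def __init__(self) -> None:
        self.trust_slopes: dict = {}   # (domain, hash) -> valid flag
        self.capabilities: dict = {}   # token -> (domain, hash) it is bound to

    def enroll(self, sketch: bytes, domain: str) -> str:
        h = biological_hash(sketch, domain)
        self.trust_slopes[(domain, h)] = True
        return h

    def grant_capability(self, domain: str, h: str) -> str:
        token = secrets.token_hex(8)
        self.capabilities[token] = (domain, h)
        return token

    def capability_valid(self, token: str) -> bool:
        # Re-evaluated on every use against the bound trust-slope, never cached.
        key = self.capabilities.get(token)
        return key is not None and self.trust_slopes.get(key, False)

    def continuity_check(self, sketch: bytes, domain: str) -> bool:
        return self.trust_slopes.get((domain, biological_hash(sketch, domain)), False)

    def revoke(self, domain: str, h: str) -> None:
        # Domain-scoped by default: other domains' chains are untouched.
        if (domain, h) in self.trust_slopes:
            self.trust_slopes[(domain, h)] = False

    def revoke_all(self, sketch: bytes, governance_approved: bool) -> int:
        # Full revocation needs explicit invocation plus governance approval; since
        # hashes are unlinkable, the sketch is needed to recompute each domain's id.
        if not governance_approved:
            raise PermissionError("full revocation requires governance approval")
        domains = {d for d, _ in self.trust_slopes}
        revoked = 0
        for d in domains:
            key = (d, biological_hash(sketch, d))
            if self.trust_slopes.get(key):
                self.trust_slopes[key] = False
                revoked += 1
        return revoked
```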

Right to Explanation

The governance framework includes a right-to-explanation mechanism that enables any individual to request an explanation of any identity resolution event in which that individual's biological identity was resolved. The explanation includes the resolution mode that was applied, the consent-gating basis for the mode selection, the policy authorization for the resolution, the confidence level of the resolution, and any downstream actions (capability grants, access decisions, state inferences) that the resolution triggered. The mechanism is enforced by the audit infrastructure and does not require disclosure of the biological signal data or the trust-slope contents. It discloses the governance and decision context that led to the resolution and its consequences, the same separation observed in the audit record, where the decision context is retained but the biological data is not.

How Governance Builds on the Structural Layers

The operational controls are designed to rest on, rather than substitute for, the structural privacy of the lower layers. Stable sketching makes the representation non-invertible regardless of how the governance policy is configured, so a leak of sketch data does not yield the underlying biological signal. Domain separation makes identifiers unlinkable across contexts, which is what allows revocation to be meaningfully domain-scoped and what makes cross-domain correlation infeasible without cooperation from the individual or the identity infrastructure. The governance layer then decides, per request, whether resolution may proceed, in what mode, what is recorded, how long it is kept, and how it may be revoked or explained. Each layer addresses a failure that the others cannot: structure cannot decide who is authorized to ask, and policy cannot by itself prevent reconstruction of a signal that was structurally invertible.

Disclosure Scope

The privacy and governance architecture described here is disclosed in the cognition filing (U.S. Application No. 19/647,395 and its international counterpart) in the chapter on biological identity, and this article describes that disclosed mechanism. It comprises the three-level layering of structural non-invertibility at the representation level, structural unlinkability at the identifier level, and policy-enforced controls at the operational level; the resolution authorization policy evaluated before any biological signal is captured or processed; consent-gated resolution mode selection enforced as a structural constraint on which queries, comparisons, and response formats are available; the audit policy whose records carry the resolution context but not the raw signal, sketch, or hash; the component-varying retention policy; domain-scoped revocation with governance-approved full revocation; and the right-to-explanation mechanism. The scope extends to deployment configurations and policy parameterizations consistent with the disclosed controls, provided the structural non-invertibility and unlinkability layers continue to underlie the operational governance controls described above.