Resolution Modes for Biological Identity: Confirm, Recover, Fork

Mechanism

The three modes derive from a single underlying primitive: a governed comparison between an observed identity signature and a stored identity lineage. The mode is determined not by the comparison's outcome but by the structural relationship between the observation and the lineage's most recent prior entry. If the observation falls within the lineage's continuity envelope — the temporal, contextual, and evidentiary bounds within which continuity is presumed — the resolution operates in confirm mode. If the observation lies outside the continuity envelope but matches the lineage's identity signature within recovery tolerance, the resolution operates in recover mode. If the observation matches the lineage's identity signature but diverges from the lineage in a structurally significant way (a context, role, or capability change that the governance class treats as a fork-event), the resolution operates in fork mode.

Confirm mode is the ordinary path. Its evidentiary requirement is the smallest of the three: the observation need only fall within the continuity envelope and match the lineage signature above the confirm-mode threshold. Confirm mode produces a single lineage entry that extends the existing lineage by one step, carrying forward the identity's prior governance class, capability set, and consent state. The credential surface is correspondingly minimal: the resolving agent need only present the credential that authorized the most recent prior entry, since no structural change to the lineage is being requested.

Recover mode handles continuity gaps. A gap may arise from sensor unavailability, jurisdictional handoff, deliberate quiescence, or system outage. Recover mode's evidentiary requirement is strictly higher than confirm mode's: the observation must match the lineage signature above the recover-mode threshold, and supplementary evidence — additional modalities, contextual corroboration, or governance attestations — must satisfy the recovery rule attached to the lineage's governance class. The credential surface includes both the resolving agent's credential and a recovery credential issued by the governance authority that owns the lineage. The recover-mode lineage entry explicitly names the gap interval, the recovery evidence, and the recovery credential, so that subsequent confirm-mode resolutions can be evaluated against an unambiguous post-recovery state.

Fork mode handles structurally significant divergence. The disclosed system does not assume that identity is monolithic; many real lineages legitimately split — a single biological subject may operate in distinct role-capacities, a single legal entity may delegate, a single device may serve multiple principals. Fork mode records the divergence as two lineage entries each pointing back to a common ancestor entry, each carrying a fork-credential issued by the governance authority that authorized the split. The fork-credential names the rationale (role separation, delegation, capacity-bounded operation) and the audit obligations attached to each branch. Subsequent resolutions on each branch operate independently in confirm or recover mode against that branch's lineage, but the fork ancestor remains structurally reachable for cross-branch audit.

Operating Parameters

The continuity envelope is parameterized per lineage. A high-frequency-observation lineage (for example, a biological subject under continuous attended observation) carries a tight envelope and reverts to recover mode after even a short gap; a low-frequency-observation lineage (an enrolled subject seen episodically) carries a looser envelope and remains in confirm mode across longer intervals. The envelope parameters are set by the governance authority that owns the lineage and are revisable only through credentialed governance action.

Recovery tolerance is similarly parameterized. A safety-critical lineage may require recover-mode evidence equivalent to original enrollment, with no shortcuts permitted; a low-stakes lineage may admit recovery on the basis of a single supplementary modality. Recovery tolerance is independent of confirm-mode threshold; raising one does not raise the other, and the disclosure treats the two as separately governed parameters so that policy can tune for false-confirm and false-recover risk independently.

Fork-event recognition rules determine which structural changes constitute a fork as opposed to an ordinary lineage update. Some role changes are recorded as confirm-mode entries with an annotation; others trigger fork-mode by structural rule. The fork-recognition table is governance-credentialed and revisable, and its current revision is named in every resolution event so that retroactive policy changes can be reasoned about by forensic reviewers.

Audit obligations attach differently to each mode. Confirm-mode entries are retained under ordinary lineage retention. Recover-mode entries carry extended retention because the recovery evidence must remain reviewable for the lifetime of the lineage. Fork-mode entries carry the longest retention and the broadest audit-visibility, because cross-branch audit may need to reach the fork ancestor years after the fork itself.

Alternative Embodiments

In a lineage-centric embodiment, the lineage is the canonical object and resolution events are appended to it. In a subject-centric embodiment, the subject identifier is canonical and lineages are derived views; mode determination operates identically because the structural relationship between observation and prior entry is preserved either way.

In an embodiment with strict mode separation, an attempt to perform a fork resolution under a credential that authorizes only confirm mode is rejected at the credential surface and the rejection is itself recorded. In a permissive embodiment, the system may degrade a requested mode to a lower-credential mode where structurally permissible (a fork request that fails fork-credential check may be downgraded to a recover request if recover-credential is satisfied), with the degradation recorded explicitly.

In an embodiment with synchronous fork, both branches of a fork are recorded simultaneously and the fork-credential authorizes both at once. In an asynchronous embodiment, one branch is recorded as a fork-from event and the sibling branch is materialized later by a separate fork-into event referencing the same ancestor; this supports lineages whose splits are recognized only after one branch has independently progressed.

In an embodiment with revocable forks, governance may collapse a fork by issuing a merge-credential that records the two branches as a single rejoined lineage going forward; the historical fork is preserved in the lineage but no longer governs subsequent resolutions. In an immutable-fork embodiment, fork-events are permanent and merging is not available; rejoining is modeled instead as a new fork from each branch into a shared successor.

Composition With Other Components

The three modes compose with the trust-slope mechanism by contributing differently to slope updates. Confirm-mode resolutions extend the slope under ordinary update rules; recover-mode resolutions reset portions of the slope that were stale during the gap and may impose a probationary post-recovery interval; fork-mode resolutions instantiate two slopes from a shared ancestor and thereafter evolve them independently. A consumer reading a slope can therefore distinguish between an identity that has been smoothly attested and one that has just emerged from a recovery, even when both currently sit above the same authorization threshold.

The modes compose with consent governance because each mode has its own consent surface. Confirm-mode consent is typically standing — granted at enrollment and not re-prompted for each ordinary observation. Recover-mode consent is per-event because the recovery itself is a structurally distinct act from continuous observation. Fork-mode consent is tied to the fork rationale and may require both branches' principals to attest, depending on the fork class.

The modes compose with downstream authorization because authorization rules can name modes as preconditions. A high-stakes operation may require not only that the resolving identity sit above an authorization threshold, but that its most recent resolution have been a confirm-mode entry rather than a recover-mode entry, on the grounds that recover-mode carries residual uncertainty even after evidentiary thresholds are met. The mode is a first-class authorization input, not just a record of how the identity was last seen.

Distinction From Prior Art

Conventional biometric verification systems treat each authentication as an independent match-or-fail event against a stored template. There is no concept of a continuity envelope, no structural distinction between confirming an ongoing identity and re-establishing one after a gap, and no recognition of legitimate identity divergence as anything other than enrollment of a new principal. The resolution-modes mechanism differs by classifying every resolution event into one of three structurally distinct modes with distinct evidentiary, credential, and lineage consequences.

Account-recovery flows in conventional identity systems address the gap problem partially, but they typically operate as out-of-band procedures rather than as a structural mode of the identity surface itself. The recovery is performed, an account is re-enabled, and the system thereafter cannot distinguish recovered authentication from ordinary authentication. The disclosed recover mode differs by recording the recovery as a first-class lineage entry that downstream consumers can inspect.

Identity-federation and delegation systems handle some forms of legitimate divergence, but they generally model delegation as a separate credential issued by the original principal rather than as a structural fork in the identity lineage with its own audit trail back to a common ancestor. The disclosed fork mode differs by treating divergence as a structural event in the lineage itself, with cross-branch audit reachability preserved.

Disclosure Scope

The disclosure covers any biological identity system in which resolution events are classified into a confirm mode for continuity verification, a recover mode for post-gap re-establishment, and a fork mode for structurally audited lineage divergence, where each mode carries distinct evidentiary thresholds, distinct credential requirements, and distinct lineage and audit consequences, and where the mode is itself a first-class output of the resolution recorded in the lineage entry.

The disclosure is not limited to biological signatures in the narrowest sense; it covers any identity whose lineage is observable, including device-bound, behavioral, contextual, and hybrid identities, provided that the three-mode structural classification is preserved. The disclosure covers embodiments in which the modes are strictly separated by credential, in which mode degradation is permitted under credentialed rules, in which forks are immutable, and in which forks are revocable through governance merge. The three modes are exhaustive of the disclosed mechanism; additional modes (suspend, terminate) may be supported as administrative operations on a lineage without departing from the three-mode resolution surface.