Mechanism

Capability, as the term is used in the cognition disclosure, answers a categorically different question from permission, authorization, and access control. Permission, authorization, and access control each answer whether an operation is allowed: an external authority has declared an agent may perform an operation, an agent has been authenticated and its credentials verified against a policy, a set of rules determines which agents may access which resources. Capability answers whether an operation can structurally exist: whether an executable form of a given objective can be constructed on a given execution substrate. The distinction is not merely terminological. It is architecturally enforced and carries structural consequences for system behavior.

The disclosure makes this concrete by maintaining capability envelopes and governance policies in architecturally separate subsystems with no bidirectional dependency. The capability envelope subsystem does not consult governance policies when computing capability determinations, and the governance subsystem does not consult capability envelopes when evaluating permission requests. The two subsystems produce independent determinations that are subsequently combined at the execution synthesis gate, where both conditions must be satisfied for execution synthesis to proceed.

The Four Operational Quadrants

Because capability and permission are independent, the system recognizes and handles four distinct operational quadrants. In the first, an agent is both authorized and capable: the agent has permission to execute the objective, and the substrate possesses the structural characteristics required to produce an executable form. This is the standard case in which execution synthesis proceeds. In the second, an agent is authorized but not capable: permission exists, but the substrate lacks the required structural characteristics, so no executable form can be constructed. In the third, an agent is capable but not authorized: the substrate can produce an executable form, but the agent lacks governance clearance, so the system recognizes the structural possibility of execution yet withholds synthesis pending governance resolution. In the fourth, an agent is neither authorized nor capable: both conditions are unsatisfied.

The second quadrant, authorized but not capable, is the case conventional systems handle poorly or not at all. When the substrate lacks the required characteristics, the disclosure does not treat the objective as prohibited. It treats execution as structurally impossible, and the system must route, defer, or decompose the objective rather than report an authorization failure.

Structural Incapability Versus Transient Shortage

Conventional systems collapse two different conditions into a single failure code. When an authorized agent submits a task to a node lacking the required resources, the node returns a timeout, a resource-exhaustion exception, or a generic error, without distinguishing a structural incapability from a transient resource shortage. The disclosure makes this distinction explicit. A structural incapability is a capability determination: no amount of waiting, retrying, or resource reallocation will produce an executable form on this substrate, because the substrate's structural characteristics do not encompass the objective's requirements. A transient resource shortage is a temporal determination: an executable form could exist on this substrate, but the temporal window during which the required resources are available has not yet arrived or has already passed.

By distinguishing these conditions at the architectural level, the system avoids the pathological behavior of retrying an operation on a structurally incapable substrate, and instead routes the objective to a substrate whose capability envelope encompasses the requirements. The distinction also rests on the disclosure's broader point that capability is not a metric, score, or probability but a computed determination resolving to a bounded set of outcomes: execution is structurally possible, structurally impossible, structurally deferred, or must be rerouted to an alternative substrate.

Architecturally Separate Subsystems

The independence of capability from permission is enforced by maintaining capability envelopes and governance policies in separate subsystems that do not read each other's state. This separation ensures that capability evaluation is not contaminated by governance state: a substrate does not become more capable because an agent is highly authorized. It equally ensures that governance evaluation is not contaminated by capability state: an agent does not become more authorized because a substrate is highly capable. Each subsystem produces its own determination, and the two are combined only at the execution synthesis gate.

This is the structural guarantee behind the distinction. Because there is no bidirectional dependency, neither dimension can manufacture the other. A strong credential cannot conjure substrate capacity, and an abundant substrate cannot confer authorization. The conjunction at the synthesis gate is the only place the two converge.

What Capability Is Matched Against

The capability side of the gate is evaluated against the substrate's capability envelope: a structured data object describing the substrate's current structural characteristics along defined dimensions including compute class, memory architecture, model access, locality, execution guarantees, and sensor and actuator interfaces. The envelope is not a permission list, a service catalog, or a self-reported performance benchmark; it is a formal description of the substrate's affordances. It is a dynamic object, updated when hardware is provisioned or deprovisioned, when models are loaded or unloaded, when network conditions change, or when other agents consume or release shared resources.

Matching is performed dimension by dimension between the objective's capability requirements and the substrate's envelope. Each dimension resolves to satisfied, unsatisfied, or conditionally satisfiable, and the specific unsatisfied dimensions are recorded and propagated to the routing, deferral, and decomposition subsystems. This is what gives the second quadrant its constructive character: the determination identifies which dimensions blocked execution, so the system can decide where to route the objective or how to decompose it, rather than collapsing to an undifferentiated failure.

Recorded Determinations

Capability-native computation produces a structured capability determination record that is persisted in the agent's lineage and made available to governance infrastructure. The record includes the identity of the evaluated substrate, the capability requirements extracted from the objective, the capability envelope retrieved from the substrate, the per-dimension match results, the aggregate determination, the uncertainty bounds associated with the determination, and, for deferred or rerouted determinations, the forecasted conditions under which the determination may change.

Because capability and permission are evaluated by separate subsystems, an auditor can reconstruct after the fact why a particular objective was routed to a particular substrate, or why execution was deferred rather than attempted, and can see whether a non-execution reflected a governance condition or a structural one. The two determinations remain legible as distinct records rather than being conflated into a single opaque outcome.
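The quadrants, the separate subsystems, the dimension-by-dimension match, and the recorded determination described above can be sketched together. This is an added example, not code from the disclosure: every function name, field name, and sample value is hypothetical, the record is a reduced form of the one described, and treating a conditionally satisfiable dimension as a deferral is an assumption of the sketch.

```python
from enum import Enum

class Match(Enum):
    SATISFIED = "satisfied"
    UNSATISFIED = "unsatisfied"
    CONDITIONAL = "conditionally satisfiable"

def evaluate_capability(requirements, envelope):
    """Capability subsystem: sees requirements and envelope, never policy."""
    per_dim = {}
    for dim, needed in requirements.items():
        entry = envelope.get(dim, {})
        now = entry.get("current", set())
        later = now | entry.get("attainable", set())
        if needed <= now:
            per_dim[dim] = Match.SATISFIED
        elif needed <= later:
            per_dim[dim] = Match.CONDITIONAL   # transient shortage
        else:
            per_dim[dim] = Match.UNSATISFIED   # structural incapability
    results = set(per_dim.values())
    if Match.UNSATISFIED in results:
        aggregate = "impossible"               # retrying here cannot help
    elif Match.CONDITIONAL in results:
        aggregate = "deferred"                 # assumption: conditional => defer
    else:
        aggregate = "possible"
    return {"per_dimension": per_dim, "aggregate": aggregate}

def evaluate_governance(agent, operation, policy):
    """Governance subsystem: sees agent and policy, never the envelope."""
    return operation in policy.get(agent, set())

def synthesis_gate(substrate, capability, authorized):
    """Only point where the two determinations meet; both must hold."""
    blocked = sorted(d for d, m in capability["per_dimension"].items()
                     if m is not Match.SATISFIED)
    return {
        "substrate": substrate,
        "capability": capability["aggregate"],
        "blocked_dimensions": blocked,
        "authorized": authorized,
        "synthesize": authorized and capability["aggregate"] == "possible",
    }

# Constructed sample data (not from the disclosure).
ENVELOPE = {"compute_class": {"current": {"cpu"}},
            "model_access": {"current": set(), "attainable": {"model-a"}}}
POLICY = {"agent-1": {"infer"}}
```

Because the gate record keeps `authorized` and `blocked_dimensions` as separate fields, a non-execution can be attributed to governance, to structure, or to both when the record is reviewed.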

The Distinction Across Substrate Types

The same separation extends to embodied and human substrates. For an embodied robotic system, the capability envelope encompasses physical affordances: degrees of freedom of the manipulators, force and torque limits of the actuators, reach envelope, locomotion capability, sensory modalities, and power budget. A motor objective carries physical requirements matched against this envelope in the same formal manner as computational requirements.

For human operators in hybrid systems, the disclosure enforces a strict separation between biological capability assessment and governance authorization. The biological capability envelope describes what the operator can do; governance authorization describes what the operator is permitted to do. A surgeon whose biological signals indicate fatigue-induced motor imprecision may be governance-authorized to perform a procedure, holding the requisite credentials and institutional authorization, yet biologically incapable at the present moment because assessed motor precision falls below the procedure's requirement. The system detects this through the same four-quadrant model, recognizing the operator as authorized but not capable, and defers the objective until the operator's envelope recovers or routes it to an alternative operator whose envelope currently satisfies the requirements.

Prior-Art Distinction

Conventional distributed computing architectures assume capability, implicitly infer it from resource availability, or conflate it with authorization. A task is dispatched to a node, and the node either executes it or returns a failure, with the determination of whether the node can execute made through resource-availability checks or static, manually maintained capability registries. These approaches share several deficiencies the disclosure addresses: resource availability is necessary but insufficient for capability, since a node may have ample memory and compute yet lack the instruction set, accelerator type, model weights, sensor array, or physical actuator required; static registries do not capture the temporal dynamics of capability as hardware, models, and shared resources change; and the inability to execute is treated as an error requiring retry or escalation rather than as a structurally valid result. Where prior systems separate capability and permission at all, the separation is typically informal. The disclosure makes it enforceable by holding capability envelopes and governance policies in subsystems with no bidirectional dependency, combined only at the execution synthesis gate.

Disclosure Scope

The capability-permission distinction is disclosed in the cognition filing (U.S. Application No. 19/647,395 and its international counterpart) at Chapter 6. It comprises the categorical separation of whether an operation can structurally exist from whether it is allowed; the four operational quadrants of authorized-and-capable, authorized-but-not-capable, capable-but-not-authorized, and neither; the explicit distinction between structural incapability and transient resource shortage; the maintenance of capability envelopes and governance policies in architecturally separate subsystems with no bidirectional dependency, combined at the execution synthesis gate; and the structured capability determination record persisted in lineage. This article describes that disclosed mechanism. The scope extends to computational, embodied robotic, and human-operator substrates in which capability is matched dimension by dimension against a capability envelope, provided the separation between capability evaluation and governance authorization is preserved.