Anduril's Lattice Lacks Configurable Harm Ordering

Vendor and Product Reality

Lattice is the connective tissue of Anduril's portfolio. It ingests sensor feeds from Sentry towers, Sentry-Maritime buoys, Wisp passive sensors, ALTIUS family loitering systems, and third-party feeds via open ICDs; runs detection, classification, and tracking on edge and cloud compute; produces a fused common operating picture; and pushes engagement tasking to effectors including Anvil interceptors, Roadrunner reusable interceptors, Bolt loitering munitions, Barracuda cruise missiles, and Dive-LD undersea vehicles. The Mission Autonomy layer above Lattice — what Anduril has variously branded as Lattice for Mission Autonomy and as the autonomy stack inside specific platform contracts — coordinates teams of unmanned systems against assigned mission objectives at machine speed.

The commercial position is unusually strong for a non-prime. Anduril is on contract for the U.S. Air Force Collaborative Combat Aircraft program, the Replicator drone initiative, the Marine Corps' counter-UAS programs, and a growing list of allied procurements (UK, Australia, Ukraine). The company's pitch to the customer is that it builds modern software-defined systems on commercial timelines and operates them as products, not exquisite one-off platforms. This pitch has succeeded; Anduril's revenue and valuation trajectory reflect a defense customer that is, finally, willing to pay a software-company price for software-company velocity. The portfolio breadth — surveillance, counter-UAS, cruise, undersea, electronic warfare, and the Lattice software layer that ties them together — is the structural moat. No single competitor matches the cross-domain coverage that Lattice already coordinates in fielded deployments.

The architectural property of Lattice that is most relevant here is that engagement decisions — which target, which effector, when to release, under what constraints — are computed inside the platform. The constraints come from rules of engagement that are loaded into the system, configured by operators, and enforced by Anduril's autonomy logic. Operators see the resulting decisions and can intervene. What they cannot do, and what no current customer-facing surface of Lattice supports, is cryptographically bind the rules of engagement issued by the governing authority — the National Command Authority, the combatant commander, the theater J3 — to the specific autonomous actions taken in the field, in a form that an external auditor can verify after the fact without trusting the platform vendor.

The same architectural posture extends across every product in the portfolio. Sentry's classification thresholds, Anvil's engagement envelope, Roadrunner's terminal-guidance constraints, Barracuda's targeting filters, and Dive-LD's mission-rule set are all configured through Anduril's tooling and enforced by Anduril's autonomy logic. A theater commander's tightening of ROE flows down as a configuration update; it does not flow down as a credentialed policy that the platform consumes and that external oversight can independently verify. The procedural chain works — orders are issued, approvals recorded, after-action reports written — but the chain is not architectural. It is the kind of chain that depends on the institutional discipline of every node in the loop, rather than on cryptographic enforcement at the point where force is applied.

The Architectural Gap

The international debate over lethal autonomous weapons systems has converged on a single architectural requirement: meaningful human control over the use of force. The disagreement, both at the UN CCW and inside DOD policy (DOD Directive 3000.09 as updated in 2023), is over what "meaningful" means in practice. The architectural answer that survives contact with operations is that meaningful human control must include configuring the harm ordering — the policy that determines, in ambiguous engagement scenarios, how the autonomous decision-making weights civilian presence, allied-unit risk, infrastructure damage, mission-critical-target priority, escalation potential, and the reversibility of error — and that this policy must be cryptographically bound to the engagement authority that issued it. A system in which the manufacturer hardcodes the harm ordering and the operator reviews outcomes does not meet the standard, because the configuration of force is not where the authority lives. A system in which the governing authority signs the policy and the platform executes the policy under audit-grade lineage does meet the standard.

Lattice today implements the first pattern. The autonomy logic, including the implicit weighting of harms in ambiguous decisions, is Anduril's. Operators interact with that logic through configuration knobs, ROE files, and engagement approvals; they do not sign the harm ordering as a credentialed policy that the platform consumes. There is no cryptographic chain that runs from the NCA's authorization of a specific operation, through the theater commander's tailoring of ROE for that operation, through the mission-specific orders, into the engagement record produced by an Anvil interceptor or a Roadrunner. The chain exists procedurally — orders flow, approvals are recorded, after-action reports are written — but it is not architectural. An external auditor cannot reconstruct, from the engagement record alone, which signed policy was in force at the moment of release and whether the action falls inside that policy.

The gap matters for three reasons. First, the LAWS debate is moving from declaratory commitments to architectural requirements; allied procurements (notably in Europe) and emerging DOD acquisition language are starting to require auditable governance as a condition of contract award. Second, the cross-system coordination that Lattice enables — multiple effectors, multiple sensors, multiple commands acting as a single autonomous formation — multiplies the number of decision points where the governing authority's policy must hold, and procedural controls do not scale to machine-speed engagement tempo. Third, allied interoperability is becoming a procurement requirement; a coalition operation in which U.S. and allied effectors operate under a shared autonomous mission requires a shared, cryptographically verifiable basis for what each side is authorized to do, and no defense autonomy vendor currently provides one.

The cross-portfolio dimension sharpens the architectural gap in a way that single-platform analysis misses. A counter-UAS engagement that begins with a Sentry detection, escalates through a Lattice fused track, and terminates with a Roadrunner intercept involves four distinct decision boundaries — detection, classification, engagement authorization, and terminal commit — each governed by its own implicit harm ordering. A Replicator-style swarm of Bolt loitering munitions adds another order of magnitude: dozens of effectors, each making local decisions inside a shared mission policy, each producing engagement records that must reconcile against the governing authority's declared intent. Procedural controls that work for a single human-operated weapon do not scale to a formation of autonomous systems acting in concert. The architectural requirement that is emerging from operational analysis, allied procurement language, and the Track Changes to 3000.09 is that the policy must be machine-checkable at every decision boundary, not human-reviewable after the fact.

A second architectural pressure comes from the audit and oversight side. Congressional oversight, inspector general review, and coalition-partner verification all require the ability to answer, from the engagement record alone, the question "which signed policy admitted this action?" Today the engagement record is rich on the operational side — sensors, classification confidences, decision timing — and thin on the governance side, where the policy reference is at best a configuration file hash. As autonomous engagement volume grows, the asymmetry becomes structurally untenable. A force that produces ten thousand autonomous engagement records a year, none of which carry a verifiable policy reference, has produced ten thousand actions that no auditor can independently confirm against the authority that was supposed to govern them.

What Confidence-Governed Actuation Provides

Confidence-governed actuation accepts harm-ordering policies as credentialed observations from the governing authority and binds every autonomous action to the composite of policies in force at the moment the action is taken. The mechanism is structurally simple. Each level of the authorization chain — NCA, combatant command, theater J3, mission commander, on-scene commander — issues a signed policy artifact within its scope. The platform consumes the composite of these artifacts through composite admissibility evaluation: an action is permitted only if it falls inside the intersection of every policy that is in force, and the engagement record carries cryptographic references to each policy that admitted it.

Three properties make the primitive defense-grade. First, the signing chain is hierarchical and scope-limited: a theater commander cannot sign outside their delegated authority, and the platform refuses to consume policies that violate the scope rules. Second, policies are revocable: if NCA issues a stand-down or a theater commander tightens ROE mid-mission, the revised policy propagates through the mesh and the platform's admissibility evaluation reflects the updated composite within the policy-propagation latency budget. Third, every engagement is recorded with audit-grade lineage that names the policies under which it was admitted, the sensors that produced the evidence, the classification confidence, and the decision path. An external auditor — congressional oversight, an inspector general, a coalition partner, a war crimes investigator — can verify after the fact that a given engagement fell inside the policy in force, without trusting Anduril's word for it.

Critically, this primitive does not relocate Anduril's autonomy logic. The detection, classification, tracking, course planning, terminal guidance, and engagement coordination remain Anduril's intellectual property and Anduril's competitive advantage. What changes is where the harm-ordering policy lives. Today it lives implicitly inside the autonomy logic. Under confidence-governed actuation it lives in the credentialed governance chain that descends from the NCA, and the autonomy logic consumes it as an input rather than embedding it as a constant. Anduril remains the integrator and the autonomy vendor; the harm-ordering layer above Lattice becomes a customer-controlled, auditor-verifiable policy surface.

The confidence dimension matters as much as the policy dimension. Every autonomous decision carries an implicit confidence — the classification confidence on the target, the track-quality confidence on the engagement geometry, the rule-match confidence on the ROE evaluation. Confidence-governed actuation requires that the confidence be reported alongside the decision and that the policy can specify confidence thresholds below which the action is inadmissible regardless of other criteria. A Bolt loitering munition that classifies a ground target at sixty percent confidence is, under a strict harm-ordering policy, in a different admissibility regime than the same munition classifying at ninety-eight percent. The policy expresses that distinction; the platform enforces it; the engagement record proves which threshold applied.

Composition Pathway

The composition pathway with Lattice is incremental and aligns with how Anduril already structures its software. The first step is to define a credentialed policy artifact — a signed harm-ordering schema that names the authority, the scope, the validity window, and the ordering itself in machine-checkable form. The second step is to implement the composite admissibility evaluator inside Lattice's tasking layer, so that engagement tasking consults the composite policy as a hard precondition. The third step is to extend the audit pipeline to capture the policy references on every engagement record and to expose them through the existing post-mission review surfaces.

The cross-system property follows automatically. Because every Lattice-coordinated effector consumes the same policy mesh, the harm ordering is enforced uniformly across Anvil, Roadrunner, Bolt, Barracuda, Dive-LD, and any future addition to the portfolio. Policy updates issued mid-mission propagate to all platforms through the existing Lattice mesh transport. Allied interoperability composes by allowing partner authorities to sign policies within their own scopes and federating the trust roots, so that coalition operations carry a shared, verifiable basis for what each side's effectors may do.

For the customer, the procurement effect is that a Lattice-equipped force gains an architectural answer to the questions that DOD oversight, congressional appropriations, and allied partners are increasingly asking: who authorized this action, under what policy, and how do we verify after the fact that the policy was in force. Today the answer is procedural. With confidence-governed actuation it becomes cryptographic.

The Replicator program provides a particularly clean composition target. Replicator's design intent — fielding autonomous mass at affordable unit cost on a two-year horizon — collides directly with the oversight requirement that every autonomous engagement must trace to a verifiable authority. A Replicator swarm under confidence-governed actuation carries the answer in the architecture: each platform consumes the same mission policy, signs each engagement against that policy, and produces an audit trail that scales with the number of effectors rather than with the number of human reviewers. Procedural oversight does not scale to thousands of autonomous platforms; architectural oversight does. The same composition logic applies to CCA, to the Marine Corps counter-UAS programs, and to the allied procurements where European customers in particular are pushing hardest on auditable governance language.

Commercial and Licensing

The defense autonomy procurement environment is converging on auditable governance as a condition of contract, not a marketing feature. CDAO's Responsible AI Toolkit, the updated DOD Directive 3000.09, the Replicator program's emphasis on operator-trusted autonomy, and the emerging language in Five Eyes and NATO procurement on meaningful human control all point in the same direction. The vendor that meets the requirement structurally — rather than by attaching a governance brochure to an unchanged autonomy stack — wins the segment of the market where governance is non-negotiable, and that segment is becoming most of the market.

For Anduril, adopting confidence-governed actuation as the harm-ordering layer above Lattice is a strategic differentiator that the prime contractors cannot match without re-architecting decades of platform-specific autonomy logic. Anduril's advantage is that Lattice is already the cross-system policy distribution surface; adding a credentialed signing chain on top is an additive change rather than a redesign. For Adaptive Query as the holder of the confidence-governance primitive, the licensing structure aligns with defense procurement norms: per-platform, per-deployment, or per-engagement-record royalties tied to the volume of governed actuation across the customer's fielded portfolio, with a clear path to cross-vendor licensing for the prime contractors that will eventually need the same primitive. The procurement-relevant question is no longer whether to deploy autonomous weapons; it is under what auditable governance structure. Externalized harm ordering, signed by the governing authority and bound cryptographically to every action the autonomous system takes, is the architectural answer the LAWS debate is converging on. Anduril is positioned to be the first vendor to ship it.

The cross-vendor licensing arc deserves particular attention. The prime contractors — Lockheed, Northrop, RTX, Boeing, General Atomics — operate autonomy stacks that are platform-specific, decades old in some cases, and structurally incompatible with a confidence-governance primitive without significant rework. Anduril's Lattice, because it was designed from inception as a software-defined coordination layer, is the only fielded environment where the primitive can be added incrementally and at scale. That asymmetry creates a procurement dynamic in which Anduril ships first, the customer's procurement language tightens around the resulting capability, and the primes follow under license rather than under organic development. For Adaptive Query, the licensing surface in this trajectory extends well beyond Anduril alone: it terminates in a cross-vendor primitive that becomes the architectural standard for governed autonomous actuation across the U.S. and allied defense industrial base. Anduril gets the first-mover advantage; the primes get the license that lets them meet the requirement; the customer gets the verifiable governance the LAWS debate has been demanding for a decade.