Confidence-Governed Execution for L4 and L5 Autonomy
by Nick Clark | Published April 25, 2026
The commercial deployment of SAE J3016 Level 4 and Level 5 automated driving systems is no longer constrained primarily by perception, prediction, or planning capability. It is constrained by the absence of an execution architecture that regulators can certify, suspend, or modify at finer granularity than the binary choice between full operation and full halt. Every operating L4 fleet (Waymo, Cruise before its 2023 suspension, Pony.ai, Mobileye Drive, Aurora) is exposed to the same structural ceiling: a single material incident forces a regulatory response that cannot be calibrated, because the underlying actuation gating cannot be calibrated. Confidence-governed execution, meaning graduated actuation modes selected by composite admissibility against credentialed governance policy, with actuation state broadcast over a mesh so that neighboring units and authorities can see it, is the missing primitive. It converts incident response from a fleet-wide operational catastrophe into a configuration adjustment within a regulatory envelope that all parties already understand.
Regulatory Framework
The regulatory surface for L4 and L5 deployment is now multi-jurisdictional and converging on common architectural expectations. SAE J3016 establishes the level taxonomy and the operational design domain (ODD) construct, with L4 defined by autonomy within a declared ODD and L5 defined by autonomy across all conditions a competent human driver could handle. NHTSA's Standing General Order on Crash Reporting and the AV TEST Initiative establish federal expectations for incident reporting and operational transparency. Functional-safety obligations are governed by ISO 26262 for E/E systems and extended by ISO 21448 (SOTIF) to address the limitations of intended functionality, including the foreseeable misuse and triggering-condition envelope that L4/L5 systems must demonstrate they have characterized. Cybersecurity obligations are governed by ISO/SAE 21434 with type-approval consequences under UNECE WP.29 R155.
Operational authority is granted at the state and national level. UNECE WP.29 R157 (Automated Lane Keeping Systems) establishes the type-approval baseline for automated driving in Contracting Parties and is the architectural precedent for higher-level rulemaking. The California Public Utilities Commission Phase 1 Driverless Deployment program, the California DMV autonomous-vehicle permitting framework, and the Texas, Arizona, and Nevada operational regimes each issue authority that is contingent on continued conformance with declared operational parameters. The European Union AI Act classifies an AI system that is a safety component of a vehicle type-approved under Regulation (EU) 2018/858 as high-risk through Annex I rather than Annex III, and under Article 2(2) it applies its substantive requirements to such vehicles through the type-approval legislation rather than directly; the high-risk regime's record-keeping, human-oversight, post-market-monitoring, and serious-incident-reporting expectations therefore reach the vehicle alongside type approval rather than as a separate regime. Across these regimes, the regulator's instrument of authority is increasingly fine-grained: route-restricted authority, time-of-day-restricted authority, weather-restricted authority, supervisor-presence-restricted authority. The architectural assumption that the actuation layer is binary is now in active tension with the regulatory assumption that authority is graduated.
Architectural Requirement
A single architectural requirement follows, with several aspects. The execution layer of an L4/L5 stack must be able to operate in modes that match the granularity of regulatory authority. A vehicle authorized for full ODD operation under nominal conditions, for restricted operation pending a fleet-wide investigation, for route-restricted operation in a specific city, or for remote-supervised operation following an incident must in each case be running a structural mode of the actuation gate, not a fleet-management overlay that deactivates the system entirely outside its narrowest authority. Mode selection must be driven by composite admissibility: a function over the credentialed observations available to the vehicle at the moment of action, evaluated against credentialed governance policy issued by the relevant authority.
The architectural requirement extends to cross-system visibility. WP.29 R157 already requires data-storage-system-for-automated-driving (DSSAD) records that an authority can audit. SOTIF expects characterization of the triggering-condition envelope and demonstration that the system reduces residual risk to acceptable levels. The EU AI Act expects post-market monitoring that detects emerging risk before it manifests. None of these obligations are satisfied by a binary actuation log. They require that the actuation state of the fleet — current mode, recent mode transitions, the credentialed observations and governance evaluations that drove each transition — be observable to the authority and to neighboring fleet units in something close to real time. Mesh-broadcast actuation state is the architectural form that obligation takes.
Why Procedural Compliance Fails
The dominant industry pattern has been to layer procedural overlays onto fundamentally binary actuation. Operational design domain definitions are documented in policy manuals and enforced through pre-trip checks; incident response is handled through fleet-wide remote disable; regulatory restrictions are translated into geofencing and route-blacklisting at the mission-planning layer. Each of these is a procedural workaround for the absence of a structural primitive, and each fails under predictable pressure. ODD enforcement at the mission-planning layer cannot adjudicate edge cases that develop mid-mission — a fog bank rolling in, a construction zone appearing, a sensor degradation that crosses an ambiguous threshold — because the actuation gate downstream is binary and cannot accept a partial answer.
Incident response illustrates the failure most starkly. Cruise's October 2023 pedestrian incident in San Francisco led the California DMV to suspend Cruise's driverless permits, and Cruise then paused driverless operations nationwide, because there was no architectural mode between full deployment and full halt. The regulator's reasonable instruments (restrict the fleet to specific routes, require a remote supervisor for a defined period, require enhanced post-event reporting until a corrective action lands) were not consumable by the actuation layer. The fleet's options were continued full operation or full suspension, and the regulator chose the only one that removed the hazard. The same pattern repeats at smaller scale across every operating L4 fleet whenever a state DOT, a city authority, or a federal investigator wishes to apply graduated pressure. Procedural compliance fails because the actuation primitive does not admit graduation, and graduated authority is what the regulator now requires.
What the AQ Primitive Provides
Confidence-governed actuation provides an enumerated family of graduated execution modes (full, conditional, stage-gated, deferred, advisory, supervised, restricted, observational, suspended, and defined intermediate variants), one of which is selected at each actuation decision by composite admissibility. The composite is computed from the credentialed observations available at the moment: perception confidence, localization integrity, sensor-health attestation, environmental-condition envelope, ODD residency, recent-incident state, supervisor-presence credential, route credential, and authority-policy credential. The selection is not a heuristic; it is a deterministic evaluation of the composite against credentialed governance policy that the authority has issued and that the vehicle has loaded as a first-class operational input.
Two consequences follow. First, a regulator can express graduated authority as policy that the actuation layer consumes directly, without a procedural overlay. A state DOT issuing route-restricted authority pending investigation issues a credentialed policy that admits full mode on the approved routes and stage-gated or supervised mode elsewhere. A federal investigator imposing enhanced post-event reporting issues a policy that admits full mode but requires actuation-state broadcast at finer granularity. The vehicle, the fleet operator, and the authority share a single object — the policy — that determines what the actuation layer will do. Second, mesh-broadcast actuation state makes the resulting behavior observable to neighboring fleet units, V2X infrastructure, and the authority itself. A vehicle entering supervised mode following a sensor degradation broadcasts that transition; neighboring vehicles consume the broadcast as a credentialed observation that may modulate their own admissibility evaluation; the authority receives the same broadcast through its credentialed channel without a separate fleet-management integration.
Configurable harm ordering completes the primitive. The composite-admissibility evaluation is parameterized by a harm-ordering credential that the authority issues and the operator can refine within authority constraints — for example, a jurisdictional preference for protecting vulnerable road users above smooth flow under degraded conditions, or for elevating remote-supervisor confirmation above autonomous decision under ambiguous-pedestrian-intent conditions. Harm ordering is a credentialed input to the same evaluation, not a separate ethics layer that operates outside the actuation gate.
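The evaluation this section describes, as an added example in Python (not the page's or any vendor's code): a credentialed policy and credentialed observations go through a deterministic composite-admissibility evaluation that selects one of the modes above, a harm-ordering entry in the policy promotes supervisor confirmation under ambiguous pedestrian intent, and every decision is written to an actuation-state record that binds the mode to the policy and observation digests and to any rejected issuers, which is also the stream the scoped incident query in the compliance mapping below would read from. The issuer names, keys, field names, thresholds, route identifiers and the reduced mode list are all constructed for the illustration; HMAC with shared keys stands in for the asymmetric signatures a deployed credential scheme would use; mesh broadcast of the resulting state is not modeled.

```python
"""Added illustration of confidence-governed actuation (not vendor code). Credentialed observations
and policy feed a deterministic admissibility evaluation; HMAC over constructed keys stands in for signatures."""
import hashlib
import hmac
import json

KEYS = {  # constructed issuer keys (hypothetical); a real vehicle would hold public keys
    "dot:ca": b"ca-dot-policy-key", "vehicle:perception": b"perception-key",
    "vehicle:localization": b"localization-key", "vehicle:sensor-health": b"sensor-health-key",
    "supervisor:ops-desk": b"ops-desk-key"}
MODES = ["full", "conditional", "stage-gated", "supervised", "restricted", "suspended"]  # most to least permissive

def _canon(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def _digest(body):
    return hashlib.sha256(_canon(body)).hexdigest()

def credential(issuer, body):
    """Issue a credential: body plus a keyed MAC over its canonical encoding."""
    return {"issuer": issuer, "body": body,
            "sig": hmac.new(KEYS[issuer], _canon(body), hashlib.sha256).hexdigest()}

def verify(cred):
    key = KEYS.get(cred["issuer"])
    if key is None:
        return False
    tag = hmac.new(key, _canon(cred["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, cred["sig"])

def cap(mode, limit):
    return MODES[max(MODES.index(mode), MODES.index(limit))]  # the less permissive of the two

def evaluate(policy_cred, observations, route):
    """Composite admissibility: forged or non-authority policy suspends; forged observations
    are dropped, not degraded; route ceiling and rules cap. Returns (mode, bodies, rejected)."""
    if not verify(policy_cred) or policy_cred["issuer"] != "dot:ca":
        return "suspended", {}, ["policy"]
    policy, obs, rejected = policy_cred["body"], {}, []
    for o in observations:
        if verify(o):
            obs[o["body"]["kind"]] = o["body"]
        else:
            rejected.append(o["issuer"])
    mode = policy["route_ceiling"].get(route, policy["route_ceiling"]["*"])
    for kind in policy["required"]:  # a required attestation missing or forged
        if kind not in obs:
            mode = cap(mode, "restricted")
    for rule in policy["rules"]:  # each threshold rule caps the mode independently
        value = obs.get(rule["kind"], {}).get(rule["field"])
        if value is not None and value < rule["min"]:
            mode = cap(mode, rule["cap"])
    # Harm ordering is policy data, not a separate ethics layer: VRUs above flow means
    # ambiguous pedestrian intent needs supervisor confirmation.
    if policy["harm_order"][0] == "vru" and obs.get("perception", {}).get("vru_intent") == "ambiguous":
        mode = cap(mode, "supervised")
    if mode == "supervised" and "supervisor" not in obs:  # no live supervisor credential
        mode = "restricted"
    return mode, obs, rejected

def record(stream, t, policy_cred, mode, obs, rejected):
    """Append a record binding the mode to the policy and observation digests and rejections."""
    stream.append({"t": t, "mode": mode, "prev_mode": stream[-1]["mode"] if stream else None,
                   "policy": _digest(policy_cred["body"]),
                   "observations": {k: _digest(v) for k, v in obs.items()}, "rejected": rejected})
    return stream[-1]

def window(stream, t0, t1):
    """Scoped query for an incident report: records with t0 <= t <= t1."""
    return [r for r in stream if t0 <= r["t"] <= t1]

POLICY = credential("dot:ca", {  # constructed authority policy: full on route-7, else stage-gated
    "route_ceiling": {"route-7": "full", "*": "stage-gated"},
    "required": ["localization", "sensor-health"],
    "rules": [{"kind": "perception", "field": "confidence", "min": 0.85, "cap": "stage-gated"},
              {"kind": "localization", "field": "integrity", "min": 0.90, "cap": "supervised"}],
    "harm_order": ["vru", "flow"]})

def observe(t, conf=0.95, integrity=0.97, intent="clear", supervisor=False):
    """Constructed observation set for one actuation tick."""
    obs = [credential("vehicle:perception", {"kind": "perception", "t": t, "confidence": conf, "vru_intent": intent}),
           credential("vehicle:localization", {"kind": "localization", "t": t, "integrity": integrity}),
           credential("vehicle:sensor-health", {"kind": "sensor-health", "t": t, "all_ok": True})]
    if supervisor:
        obs.append(credential("supervisor:ops-desk", {"kind": "supervisor", "t": t, "present": True}))
    return obs

def run_scenario():
    """Six ticks: nominal; degraded perception; degraded localization with supervisor; the same
    plus a tampered sensor-health attestation; unapproved route; ambiguous intent, no supervisor."""
    steps = [(1, "route-7", observe(1)), (2, "route-7", observe(2, conf=0.70)),
             (3, "route-7", observe(3, integrity=0.60, supervisor=True)),
             (4, "route-7", observe(4, integrity=0.60, supervisor=True)),
             (5, "route-12", observe(5)), (6, "route-7", observe(6, intent="ambiguous"))]
    steps[3][2][2]["body"]["all_ok"] = False  # tampered after signing: the MAC no longer verifies
    stream = []
    for t, route, obs in steps:
        mode, good, rejected = evaluate(POLICY, obs, route)
        record(stream, t, POLICY, mode, good, rejected)
    return stream
```

Running run_scenario() yields the modes full, stage-gated, supervised, restricted, stage-gated and restricted across the six ticks. The fourth tick is the property the section depends on: the tampered sensor-health attestation is recorded as rejected and narrows the mode, rather than being consumed with reduced weight, and a policy that carries the wrong issuer or a bad signature suspends actuation outright instead of being applied in part.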
Compliance Mapping
The mapping from confidence-governed actuation to specific regulatory artifacts is direct. WP.29 R157 DSSAD records can be served from the actuation-state stream, with each mode transition bound to the composite-admissibility evaluation, the credentialed observations that drove it, and the governance policy under which it was authorized. The auditor's question of whether a specific actuation was within the type-approved envelope is then answered by reading the record rather than reconstructing it. ISO 21448 SOTIF triggering-condition characterization is supported structurally: the modes the system enters under degraded perception, degraded localization, or out-of-ODD conditions are visible in the actuation-state stream, and the residual-risk argument can cite the recorded distribution of mode transitions across operational hours.
ISO 26262 functional-safety claims are unaffected at the component level and strengthened at the system level, because the safety case can reference the actuation gate as a structural element rather than as a procedural assertion. ISO/SAE 21434 cybersecurity obligations are supported by the credentialing of governance policy and observations: a tampered policy or a forged observation fails credential verification and is never admitted into the composite-admissibility evaluation, which in turn makes credential issuance and key management a threat-analysis item in their own right. NHTSA Standing General Order crash reports can be assembled from a scoped query over the actuation-state stream around the incident time, including the modes the vehicle was in, the policies under which those modes were authorized, and the observations that drove transitions. CPUC Phase 1 Driverless Deployment reporting and California DMV operational reporting consume the same stream under the policies the relevant authority has issued. EU AI Act post-market monitoring and serious-incident reporting, which reach a type-approved vehicle through the Annex I route rather than Annex III, are scoped queries over the same stream filtered by the EU operator's policy envelope.
Adoption Pathway
The adoption pathway is brownfield-compatible and incremental. The first phase introduces actuation-state recording: every actuation decision in the existing stack emits a credentialed observation describing the current mode (initially binary), the composite of observations that supported the decision, and the policy under which it was taken. No mode graduation is yet exposed, but the stream and the credentialing are now in place, and DSSAD-, SOTIF-, and SGO-aligned reporting can already be served from the stream rather than from ad-hoc telemetry. The second phase introduces graduated modes for a constrained slice of the operational envelope — typically the modes corresponding to perception or localization degradation, where the safety case is most clearly improved by stage-gated or supervised operation rather than by binary disengagement.
The third phase introduces credentialed governance policy as a first-class operational input. The authority — state DOT, federal investigator, EU type-approval authority — issues a policy object that the fleet loads, and the actuation layer consumes the policy directly in admissibility evaluation. This is the phase at which graduated regulatory authority becomes architecturally available: route-restricted, time-restricted, supervisor-restricted, and weather-restricted modes are not procedural overlays but credentialed-policy-driven mode selections. The fourth phase opens mesh-broadcast actuation state to neighboring fleet units, V2X infrastructure, and the authority's monitoring channel, completing the cross-system visibility that the EU AI Act and the post-WP.29-R157 rulemaking trajectory expect. At the end of the pathway, the operator's relationship with regulators is mediated by a shared, credentialed substrate; an incident produces a policy adjustment rather than an operational catastrophe; and the commercial path from constrained L4 deployment to broader L4 and eventually L5 operation runs through accumulating policy-mediated authority rather than through binary regulatory boom-bust cycles.