Confidence-Governed Lethal Autonomous Weapons

Regulatory Framework

The legal and policy surface for LAWS is denser than for almost any other autonomy domain. United States Department of Defense Directive 3000.09, reissued in January 2023, establishes the policy that autonomous and semi-autonomous weapon systems "shall be designed to allow commanders and operators to exercise appropriate levels of human judgment over the use of force," and it imposes a senior-review requirement before development and again before fielding for systems that fall within its scope. Allied policy frameworks — the United Kingdom's Joint Doctrine Publication on autonomous platforms, Australia's Defence Artificial Intelligence Ethics Framework, and the NATO Principles of Responsible Use — track the same structural requirement under varying terminology.

Article 36 of Additional Protocol I to the Geneva Conventions imposes a freestanding obligation on states parties to determine, in the study, development, acquisition, or adoption of a new weapon, means, or method of warfare, whether its employment would in some or all circumstances be prohibited by international law. The Article 36 review is not procedural; it is a substantive predicate to lawful fielding, and an autonomous weapon whose engagement decisions cannot be cryptographically tied to a credentialed rules-of-engagement (ROE) policy cannot be the subject of a credible Article 36 finding. The UN Convention on Certain Conventional Weapons Group of Governmental Experts on LAWS has produced a sustained negotiating record converging on principles of human responsibility, accountability, and meaningful human control, and the REAIM 2023 and 2024 summit declarations endorse those principles at head-of-state level.

The International Committee of the Red Cross's ethical position calls for the explicit prohibition of autonomous weapon systems designed or used to target persons, and for stringent constraints on the use of autonomous weapons against materiel targets, on the grounds that the unpredictability of machine engagement decisions is incompatible with the principles of distinction, proportionality, and precaution. Civilian-side AI risk frameworks — the NIST AI Risk Management Framework, the EU AI Act's military-exclusion clause notwithstanding, and the OECD AI Principles — establish complementary expectations for traceability, contestability, and human oversight that defense procurement cannot ignore in dual-use components.

The Architectural Requirement

The international debate has produced a working consensus that lethal autonomous systems must operate under "meaningful human control." The phrase is structurally underspecified: it is variously read to mean human-in-the-loop authorization for every engagement, human-on-the-loop oversight with intervention authority, or human-by-the-loop policy authorship with autonomous execution under that policy. Each reading places different weight on the human, the policy, and the machine, and each produces different architectural consequences.

The reading that produces structural enforcement rather than process compliance is the third: humans configure the harm-ordering policy, the non-combatant prioritization, the engagement rules, the geofences, and the abort criteria; the autonomous system executes within that credentialed policy with audit-grade lineage; deviation from the policy is structurally impossible, not merely prohibited. This reading is the only one compatible with operational tempos at which human-in-the-loop authorization becomes a fiction and with the Article 36 obligation to characterize the weapon's behavior across its design envelope rather than at a single authorization moment. It is also the reading that civilian autonomy architectures — driver-monitoring systems, fleet-management platforms, surgical-robotics governance — converge toward independently, because the same operational-tempo problem governs them.

Why Procedural Compliance Fails

Process-based LAWS governance produces audit trails that document who said yes but not what the system was structurally permitted to do. The operator authorized; the supervisor approved; the chain of command sanctioned; the after-action review verifies that authorization happened. None of these can verify that the system would have refused had authorization not been present. None of them can verify that the engagement actually executed within the ROE the authorizer believed they were applying. The procedural record is forensically reconstructable; it is not architecturally enforced.

The failure mode becomes acute under three operational conditions that are increasingly characteristic of contemporary LAWS deployment. First, communications-denied or communications-degraded environments break the human-in-the-loop assumption: the system continues to operate while the authorizing human is structurally unable to intervene, and the audit record collapses to "the operator launched the platform." Second, swarm and multi-platform engagement compresses decision tempo below the threshold at which per-engagement authorization is operationally feasible; the audit record collapses to "the swarm was tasked." Third, contested-attribution scenarios demand post-incident reconstruction at a fidelity that procedural records cannot supply: when an engagement is alleged to have struck a non-combatant, the relevant question is not whether someone authorized the mission but whether the system's actual evaluation at the moment of engagement complied with the ROE the authorizer signed.

Article 36 reviews suffer the same defect at the design level. A reviewing authority asked to characterize the weapon's lawful-use envelope cannot do so when the weapon's engagement logic is not cryptographically bound to a stable, inspectable policy artifact. The review becomes a review of the design team's assertions about the weapon, not of the weapon's actual behavior. The ICRC's repeated objection to autonomous targeting of persons rests on exactly this gap: in the absence of a structural primitive that ties engagement to credentialed distinction-and-proportionality logic, the system's compliance with the principles of international humanitarian law is asserted rather than enforced.

What the AQ Primitive Provides

Confidence-governed actuation supplies the missing primitive as a structural property of the weapon system. The credentialing chain descends from national command authority through theater command through mission-ROE issuance, with each level signing within its scope and the composite policy delivered to the platform as a cryptographically verifiable credential bundle. The autonomous platform consumes that bundle through composite admissibility: an engagement is admissible only if every relevant credential in the chain validates and the proposed action falls within the intersection of every layer's authorization. There is no operating mode in which the platform engages outside the credentialed policy, because the engagement gate is an architectural property, not a software policy that could be bypassed.

Engagement decisions select from graduated modes — full engagement, stage-gated engagement requiring intermediate verification, advisory display requiring human ratification, refused engagement when admissibility fails. Mode selection is itself a credentialed decision, and every selection is recorded in lineage with the policy under which it was evaluated, the sensor evidence that supported it, and the confidence assessment the platform attached to its own classification. The lineage is audit-grade in the cryptographic sense: it cannot be altered after the fact without invalidating the credential chain it depends on.

Harm ordering is governance-configurable rather than hard-coded. Combatant-versus-non-combatant prioritization, friendly-versus-unknown-versus-adversarial classification, infrastructure protection priorities, allied-unit risk weighting, and explicit non-combatant prioritization rules are all signed elements of the credential bundle. The platform's harm-minimization deviations from a baseline engagement are recorded with the policy under which each deviation was evaluated. When an Article 36 reviewer asks what the weapon does, the answer is a credentialed artifact rather than a design-team narrative. When a CCW investigator asks how a specific engagement was evaluated, the answer is a cryptographically-bound lineage record that ties the engagement to the ROE the authorizing commander signed.

Cryptographically-bound human-on-the-loop control becomes the operationalization of meaningful human control. The human authority is exercised at policy configuration; the credential binds the policy to the platform; the platform executes only within the credentialed envelope; the lineage records every execution against the credential. Communications-denied operation does not break the model, because the authority was bound into the platform before the engagement; swarm operation does not break the model, because the credential applies uniformly across the swarm; contested-attribution scenarios reconstruct cleanly, because the lineage record is structurally complete.

Compliance Mapping

The mapping from confidence-governed actuation to LAWS governance frameworks is direct. DoDD 3000.09's "appropriate levels of human judgment" requirement maps to credentialed policy authorship and graduated engagement modes. The directive's senior-review requirement before development and fielding maps to Article 36 review of the credentialed policy artifact rather than of design-team assertions. Article 36 of AP I obtains a stable, inspectable subject of review: the weapon's actual engagement envelope as expressed in the credential schema. The CCW GGE LAWS principles of human responsibility and accountability obtain a structural locus — the credentialing authority and the lineage record — rather than a procedural one. The REAIM declarations' call for traceable, contestable autonomous-weapon decision-making is satisfied by the cryptographically-bound lineage. The ICRC's distinction, proportionality, and precaution requirements obtain a structural enforcement point at the admissibility gate. Allied national policies — the UK's JDP, Australia's DAIEF, the NATO Principles — obtain a common architectural primitive that supports interoperable credentialing across coalition operations.

Adoption Pathway

Adoption begins where the structural requirement is highest and the procedural surrogate weakest: communications-degraded autonomous platforms, loitering munitions, and counter-UAS systems whose engagement tempo already exceeds reliable human-in-the-loop authorization. In these systems the credentialing chain and the admissibility gate replace policy assertions that procurement authorities increasingly recognize as unverifiable. Programs at Anduril, Shield AI, the autonomy components of Northrop Grumman and BAE Systems, Lockheed Martin's autonomy work, and Palantir's defense-autonomy programs all face the same structural challenge and are converging, independently, on the same architectural endpoint.

The second adoption phase is coalition interoperability. A NATO or AUKUS deployment in which platforms from multiple nations operate under a shared mission ROE requires a credentialing schema common to all participants; confidence-governed actuation provides that schema as a structural primitive rather than as an interface specification negotiated per-deployment. The third phase is procurement-side: Article 36 reviews and DoDD 3000.09 senior reviews increasingly require structural rather than procedural evidence, and procurement authorities will privilege architectures that supply that evidence as an artifact. The endpoint is a defense-autonomy procurement regime in which meaningful human control is a verifiable architectural property of the weapon system, and the international LAWS-governance debate finds, at last, a technical referent for the principle on which it has converged.