Waymo's Execution Stack Does Not Externalize Harm Ordering

by Nick Clark | Published April 25, 2026

Waymo's Driver runs the most-deployed L4 ride-hail autonomy in the United States. Its trajectory planning and execution gating are sophisticated. The element it does not — and structurally cannot — provide is configurable harm ordering signed by the regulatory authority. That is the missing layer above Waymo's stack, and it is the layer L4 commercial deployment will eventually require.


1. Vendor and Product Reality

Waymo, the autonomous-driving subsidiary of Alphabet that grew out of the Google self-driving car project initiated in 2009, operates the most-deployed Level 4 ride-hail autonomy in commercial service in the United States. The Waymo Driver — the integrated hardware-and-software stack — runs in commercial robotaxi deployment in Phoenix, San Francisco, Los Angeles, Austin, and an expanding set of metropolitan service areas, with paid public rides scaled into the millions per year and an operating record that, by Waymo's own published telemetry and by independent crash-rate analysis, places the system at or above the safety frontier of human driving in equivalent conditions.

The Driver itself is a vertically integrated stack: Waymo-designed sensor suites combining lidar, radar, cameras, and audio microphones; an in-house compute platform; perception, prediction, and behavior models trained over hundreds of millions of operational miles and tens of billions of simulated miles; a motion planner producing continuous trajectory candidates with multi-second forward simulation; and an execution layer that gates actuator commands against safety constraints derived from a proprietary Responsibility-Sensitive Safety variant, ISO 26262 functional-safety patterns, and a defense-in-depth supervisory architecture. Waymo publishes a Safety Framework, a Safety Case methodology, and quarterly transparency reports, and operates a remote-assistance fleet-response function that handles edge-case disambiguation without taking real-time control of the vehicle.

Commercially the operation is the reference point for L4 ride-hail. The Jaguar I-PACE platform is being succeeded by the Geely Zeekr-built Waymo-designed sixth-generation vehicle, the rider app handles dispatching at scale, and partnerships with Uber and with airport authorities have extended the service envelope. Within the operational design domain Waymo has chosen, the Driver is engineering of unusually high quality: the perception is robust, the prediction is calibrated, and the behavior policy is conservative enough that the safety record is genuinely strong rather than statistically marginal. The element it does not — and structurally cannot — externalize is the harm ordering applied when the available actuations all produce some harm.

2. The Architectural Gap

The structural property the Waymo stack does not exhibit is externalized, jurisdiction-credentialed harm ordering. The relative weighting of pedestrian outcomes, occupant outcomes, cyclist outcomes, property damage, and ego-vehicle outcomes when no harm-free trajectory exists is computed inside Waymo's planner, parameterized by Waymo's policies, signed by Waymo's release pipeline, and not directly configurable by — or admissibly auditable by — the state Departments of Transportation, the National Highway Traffic Safety Administration, the city traffic authorities, or any other body whose jurisdiction the vehicle operates under. The harm ordering is a manufacturer artifact, not a credentialed regulatory observation.

The trolley-problem framing has been treated as a philosophical edge case for a decade of AV development; it is in fact a routine engineering decision the planner makes thousands of times per operating mile, under sub-second pressure, every time the cost terms in its trajectory optimization weight one risk against another. Every cost-function coefficient that compares an occupant-injury probability term to a pedestrian-injury probability term is a harm-ordering decision. Every override that prefers staying-in-lane to avoiding-debris is a harm-ordering decision. The fact that the planner is sophisticated, well-tested, and conservatively tuned does not change the structural location of those decisions: they live in Waymo's software, not in regulator-signed policy that the software consumes.

The gap matters because the regulatory authority has no structural mechanism to specify the ordering. The authority can review a written ethics statement, can audit logged outcomes after the fact, can demand a Voluntary Safety Self-Assessment, can revoke operating permission, and can litigate after a serious incident. It cannot configure the ordering, cannot sign a policy that the vehicle is structurally required to admit, and cannot reconstruct, after an incident, which ordering the vehicle was operating under and which authority signed it. This is a structural mismatch between regulatory authority (which lives at the jurisdiction) and ethical decision authority (which lives at the manufacturer), and it cannot be patched from inside the Waymo stack because the stack was designed as a self-contained driver, not as a substrate that consumes credentialed external policy. Adding an "ethics module" to the planner does not produce credentialed harm ordering; signing the binary does not produce admissibility; publishing a policy paper does not produce structural admission. The chain is the structural shape; the Waymo stack is shaped as an integrated proprietary driver.

3. What the AQ Confidence-Governance Primitive Provides

The Adaptive Query confidence-governed actuation primitive specifies that every actuation in a conforming cyber-physical system pass through a structural admissibility chain in which harm ordering is a first-class credentialed input rather than an internal coefficient. Harm ordering arrives as a credentialed observation signed by the governing jurisdiction within a published authority taxonomy: the state DOT publishes a state-level ordering for its territory, the NHTSA equivalent publishes a federal-level ordering, the municipal traffic authority publishes a city-level overlay, and conflicts between levels are resolved by the same composite admissibility logic that governs every other policy collision in the chain.

The confidence-governance primitive composes five evaluation layers around the actuation: an authority-credentialed observation layer that admits the harm-ordering policy alongside perception and prediction observations; an evidential weighting layer that combines the policy with operational context (weather, road class, time of day, vulnerable-road-user density); a composite admissibility layer that produces a graduated execution-mode outcome rather than a binary go/no-go; a governed actuator layer that selects the trajectory and reversibility mode under harm-minimization constraints derived from the credentialed ordering; and a lineage layer that records, for every harm-minimization deviation, the policy that governed it, the authority that signed it, the trust slope of that authority at the time, and the alternative trajectories considered. Recursive closure means the actuation outcome itself becomes a credentialed observation that re-enters the chain as input to fleet-level learning, regulator review, and forensic reconstruction.

The architectural change is not from "no ordering" to "an ordering." Waymo already has an ordering. The change is from "the ordering lives in proprietary Waymo software" to "the ordering lives in jurisdiction-credentialed governance policy that the Waymo stack consumes as a structural input." The Driver itself remains Waymo's competitive differentiator — the perception, the prediction, the planner, the operational design domain expansion all remain proprietary. The harm-ordering layer moves to where regulatory authority can configure it, where lineage can prove which ordering governed which incident, and where cross-jurisdiction handoff happens by policy admission rather than by re-engineering. The inventive step disclosed under USPTO provisional 64/049,409 is the closed admissibility chain as a structural condition for confidence-governed actuation in cyber-physical systems.

4. Composition Pathway

Waymo integrates with AQ as the domain-specialized actuator running over the confidence-governance substrate. What stays at Waymo: the sensor suite, the perception stack, the prediction models, the behavior planner, the trajectory optimizer, the simulation infrastructure, the operational design domain definitions, the fleet-management platform, the rider app, and the entire commercial robotaxi relationship. Waymo's investment in autonomy-specific knowledge — perception robustness, prediction calibration, planner conservatism, ODD discipline — remains its differentiated layer and the source of its safety record.

What moves to the AQ substrate: the harm-ordering input to the planner, the admissibility evaluation that gates execution-mode selection, and the lineage record that captures every actuation, the policies that governed it, and the authorities that signed those policies. The integration points are well-defined. At territory entry, the Driver fetches the jurisdiction's currently signed harm-ordering policy from its credentialed authority and admits it through the chain; if the policy is missing, expired, or revoked, the chain produces a graduated admissibility outcome — typically a conservative-mode operation with elevated lineage logging and remote-assistance escalation — rather than a binary failure. At each planning cycle, the planner's cost terms that compare harm classes are sourced from the admitted policy rather than from internal constants. At each execution, the actuator records the policy, the trust slope, and the trajectories considered; deviations from the optimal harm-minimizing path are tagged with the credentialed reason.
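The integration points listed above (policy admission at territory entry, a graduated outcome when the policy is missing, expired or revoked, planner cost terms sourced from the admitted policy, and a lineage record per execution) and the five-layer chain described in section 3, as an added example that is not Waymo's or the AQ project's code. Authority names, key material, policy ids, harm-class names, validity windows and weights are all constructed for the example; HMAC over a shared key stands in for the jurisdiction authority's signature so the code runs offline, where a deployment would verify an asymmetric signature against the authority's published credential. The conservative fallback ordering and the reason codes are assumptions of this example, not values the article specifies.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed key material: a shared key stands in for the jurisdiction authority's
# signing key so the example runs offline; a deployment would verify an asymmetric
# signature against the authority's published credential.
AUTHORITY_KEYS = {"AZ-DOT": b"constructed-az-dot-signing-key"}

# Constructed revocation list: policy ids the authority has withdrawn.
REVOKED_POLICIES = {"AZ-DOT-HO-2025-11"}

# Harm classes the ordering must rank (names chosen for this example).
HARM_CLASSES = ("pedestrian", "cyclist", "occupant", "property", "ego_vehicle")

# Fallback ordering for conservative mode when no policy is admitted (assumption:
# every human-injury class weighted equally and far above property/ego damage).
CONSERVATIVE_WEIGHTS = {"pedestrian": 10.0, "cyclist": 10.0, "occupant": 10.0,
                        "property": 1.0, "ego_vehicle": 1.0}


def canonical(body: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_policy(body: dict, authority: str) -> dict:
    """Authority side: attach a signature over the canonical policy body."""
    sig = hmac.new(AUTHORITY_KEYS[authority], canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "authority": authority, "sig": sig}


def admit_policy(signed: Optional[dict], expected_authority: str, now: int) -> dict:
    """Vehicle side, at territory entry. Returns a graduated outcome rather than a
    binary go/no-go: 'governed' with the policy's own weights, or 'conservative'
    with the fallback weights, a reason code, and escalation flags for lineage."""
    def conservative(reason: str) -> dict:
        return {"mode": "conservative", "reason": reason, "weights": dict(CONSERVATIVE_WEIGHTS),
                "policy_id": None, "elevated_logging": True, "remote_assist": True}

    if signed is None:
        return conservative("policy-missing")
    if expected_authority not in AUTHORITY_KEYS or signed.get("authority") != expected_authority:
        return conservative("authority-unknown")
    body = signed.get("body", {})
    # Verify the signature before trusting any field of the body.
    expected_sig = hmac.new(AUTHORITY_KEYS[expected_authority], canonical(body),
                            hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, signed.get("sig", "")):
        return conservative("signature-invalid")  # any edit to the body lands here
    if body.get("policy_id") in REVOKED_POLICIES:
        return conservative("policy-revoked")
    if not (body.get("valid_from", 0) <= now < body.get("valid_until", 0)):
        return conservative("policy-expired")
    weights = body.get("weights", {})
    if set(weights) != set(HARM_CLASSES) or any(w < 0 for w in weights.values()):
        return conservative("policy-malformed")
    return {"mode": "governed", "reason": "policy-admitted", "weights": dict(weights),
            "policy_id": body["policy_id"], "elevated_logging": False, "remote_assist": False}


def trajectory_cost(weights: dict, harm_probs: dict) -> float:
    """Planner cost term: per-class harm probabilities weighted by the admitted
    ordering, not by constants compiled into the planner."""
    return sum(weights[c] * harm_probs.get(c, 0.0) for c in HARM_CLASSES)


def select_and_record(candidates: dict, admission: dict, cycle: int) -> dict:
    """Pick the minimum weighted-harm trajectory and emit the lineage record:
    governing policy, mode and reason, chosen path, and the alternatives considered."""
    costs = {name: trajectory_cost(admission["weights"], p) for name, p in candidates.items()}
    chosen = min(costs, key=costs.get)
    return {"cycle": cycle, "policy_id": admission["policy_id"], "mode": admission["mode"],
            "reason": admission["reason"], "chosen": chosen,
            "alternatives": {k: round(v, 4) for k, v in costs.items() if k != chosen}}


# Constructed sample data: one state-level ordering and two trajectory candidates
# for a scenario in which every option carries some harm.
AZ_POLICY = sign_policy({"policy_id": "AZ-DOT-HO-2026-04", "valid_from": 1_775_000_000,
                         "valid_until": 1_806_000_000,
                         "weights": {"pedestrian": 10.0, "cyclist": 8.0, "occupant": 5.0,
                                     "property": 1.0, "ego_vehicle": 1.0}}, "AZ-DOT")
CANDIDATES = {"stay-in-lane": {"pedestrian": 0.02, "property": 0.5},
              "swerve-left": {"occupant": 0.01, "property": 0.3}}

if __name__ == "__main__":
    admission = admit_policy(AZ_POLICY, "AZ-DOT", now=1_780_000_000)
    print(select_and_record(CANDIDATES, admission, cycle=1))
```

The point of the structure is that the only path to `"governed"` mode runs through a signature that verifies, a policy id that is not revoked, and a validity window that contains the current time; every other outcome degrades to the conservative ordering with remote-assistance escalation and elevated logging rather than stopping the vehicle, and the lineage record names the policy id (or its absence) so an after-the-fact review can tell which ordering was in force.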

The new commercial surface is jurisdiction-portable autonomy. A Waymo vehicle that enters Phoenix admits the Arizona DOT ordering; one that enters San Francisco admits the California DMV ordering layered with the SFMTA overlay; one that enters Austin admits Texas ordering. The Driver is the same; the harm ordering is jurisdiction-signed. Cross-jurisdiction expansion becomes a policy-admission problem rather than a software re-release problem, and the regulator gains a configuration surface that does not require Waymo to re-engineer the planner. The chain belongs to the customer-of-record — the jurisdiction — not to Waymo's repository, so audit-grade history is structurally portable and survives platform generations.

5. Commercial and Licensing Implication

The fitting arrangement is an embedded substrate license: Waymo embeds the AQ confidence-governance primitive into the Driver and sub-licenses chain participation to its operating jurisdictions as part of the deployment agreement. Pricing is per-credentialed-jurisdiction or per-actuation-rate rather than per-vehicle, which aligns with how regulatory consumption actually scales. The principal commercial blocker for L4 expansion is not technology — it is the liability-allocation question. When the Driver is in a no-good-options scenario today, the answer to "who is responsible for the choice the vehicle made" is Waymo, because Waymo wrote the choice into the software. That concentrates liability on Waymo and produces the regulatory caution that has held L4 to narrow geographies despite a strong safety record.

Externalized, credentialed harm ordering shifts the allocation along the lines that every other regulated transportation mode already uses. The jurisdiction signs the ordering; the Driver executes it; the manufacturer is liable for executing the signed ordering correctly, the jurisdiction is liable for the ordering itself, and the lineage record settles disputes about which was at fault. Aviation, rail, and maritime operate this way; surface autonomy will eventually have to. What Waymo gains: a structural answer to the trolley-problem liability question that current ethics statements address only rhetorically, a defensible position against in-segment competition from Cruise successors, Zoox, and Tesla Robotaxi by elevating the architectural floor, and a forward-compatible posture against EU AI Act high-risk classification and emerging US federal AV rulemaking that are converging on credentialed-policy and lineage requirements. What the jurisdiction gains: a configuration surface, audit-grade lineage, and cross-vendor portability across whatever AV stacks operate in its territory. Honest framing — the AQ primitive does not replace the Driver; it gives the Driver the regulatory substrate that L4 commercial scale will eventually require.

Invented by Nick Clark. Founding Investors: Anonymous, Devin Wilkie.