Autonomous Fleet Coordination Through Self-Governing Agents
by Nick Clark | Published March 27, 2026
Fleet operations span an extraordinarily heterogeneous regulatory and doctrinal landscape, and the heterogeneity is not incidental. Robotaxis are governed by SAE J3016 driving automation levels and the NHTSA standing general orders that ride on top of them; long-haul trucks are subject to FMCSA hours-of-service rules and the Electronic Logging Device mandate; robotic warehouses are validated under ISO 26262 functional safety and ISO 21448 Safety of the Intended Functionality; V2X-equipped vehicles communicate per SAE J2735 in North America and ETSI ITS-G5 in Europe; and military platforms coordinate under the Joint All-Domain Command and Control concept. Despite the diversity, every framework demands the same thing: demonstrable governance over each individual unit, evidentiable in artifacts attached to that unit, and reconstructible per incident rather than as fleet-wide statistics. The conventional answer, a centralized dispatcher that holds operational state and issues commands, satisfies the demand only when the dispatcher is reachable, and it conflates dispatcher reachability with operational legitimacy in a way that fractures under any non-trivial connectivity environment. The Adaptive Query execution platform reframes the problem so that each unit carries its own governance, evaluates its own execution eligibility, and coordinates with peers through trust-weighted quorum, transforming the dispatcher from a real-time control bus into a policy publisher. This paper traces the structural argument for that transformation and the staged adoption path through which fleet operators can realize it without disturbing their existing supervisory relationships.
Regulatory Framework
The regulatory and standards landscape for fleet operations is unusually multi-layered because each modality (on-road, off-road, aerial, industrial, military) has its own primary authority but increasingly shares cross-cutting safety and connectivity standards. SAE J3016 defines the taxonomy of driving automation levels that the U.S. National Highway Traffic Safety Administration adopts as the reference vocabulary for its AV TEST initiative and its standing general orders on automated driving system reporting. NHTSA's standing general order requires reporting of crashes involving Level 2 driver-support and Levels 3 through 5 automated driving systems, with disposition data, sensor states, and system engagement records traceable per incident. The reporting obligations are deliberately granular: NHTSA expects to know which systems were engaged, which were available but not engaged, and what the vehicle perceived in the moments leading to the event.
The Federal Motor Carrier Safety Administration regulates commercial fleet behavior through hours-of-service rules and the Electronic Logging Device mandate, both of which require auditable per-vehicle compliance records that survive driver shifts, dispatcher changes, and connectivity outages. ISO 26262 establishes functional safety for road vehicles, requiring that each safety-relevant element have a defined Automotive Safety Integrity Level, a hazard analysis, and an item-level safety case. ISO 21448, Safety of the Intended Functionality, extends the regime to functional insufficiencies that arise even when the system is behaving as designed, a regime particularly relevant to perception-driven autonomy where the failure mode is rarely a component fault and almost always an unanticipated combination of inputs that the trained model never encountered.
For inter-vehicle and infrastructure coordination, SAE J2735 defines the Basic Safety Message and the broader DSRC and C-V2X message set in North America, and ETSI ITS-G5 plays the analogous role in Europe with Cooperative Awareness Messages and Decentralized Environmental Notification Messages. Both standards are message specifications, not coordination protocols: they tell a vehicle what to broadcast and how to format it, but they do not by themselves govern what a vehicle should do with the messages it receives, nor do they specify how trust between participants is established or revoked. For military fleet operations, JADC2, the Joint All-Domain Command and Control concept, sets a doctrinal expectation that platforms across services and domains can coordinate through a shared data fabric while retaining authority structures appropriate to each platform. Across this entire surface, the regulator or doctrinal authority demands per-unit traceability, not aggregated fleet-level statistics, and the demand is unforgiving: an incident investigation that hinges on a perception edge case at a single intersection requires per-unit evidence at the granularity of milliseconds.
The cross-modality convergence is worth dwelling on. A robotaxi operator, a long-haul carrier, a port automation integrator, and a defense systems prime are subject to nominally distinct authorities, but the substantive demand each authority places on the unit is structurally identical. The unit must hold its own authority, must evaluate eligibility against that authority at the moment of action, must produce per-action evidence with sufficient granularity to support incident investigation, and must do so under operational conditions where central connectivity is intermittent. Treating these as four different problems has produced four different procedural compliance regimes that each fail in the same way for the same reason; treating them as one problem reveals the architectural answer that all four authorities have been implicitly demanding.
Architectural Requirement
The architectural requirement that follows is that each fleet unit must be individually evidentiable. Its compliance with hours-of-service, with its ASIL allocation, with the SOTIF triggers it has been validated against, with its V2X message obligations, and with the operator's safety case must be reconstructible from artifacts attached to that unit, not from inferences against a fleet-wide log. The unit must also be able to evaluate its own eligibility to act in the present moment, because the regulatory and safety frameworks are about what the unit may do now, not about what the dispatcher hoped it would do. The temporal locus of authority is the action, not the supervisory window in which the action was anticipated.
This means each unit needs a governance envelope it carries, a capability declaration it can introspect, a memory of its own recent operational state, and a trust relationship with the peers and infrastructure it coordinates with. Without those, the unit is a remote actuator whose behavior derives legitimacy only from the dispatcher's contemporaneous awareness. With the dispatcher unreachable, the unit either stops, which is operationally costly, or continues without governed authority, which is regulatorily indefensible. Neither outcome is acceptable when fleets scale to thousands of units and operate across geographies where connectivity is intermittent by design, whether the intermittency is the cellular dead zone of a rural delivery route, the RF clutter of a multi-floor warehouse, the spectrum contention of a port operations area, or the contested electromagnetic environment of a tactical theatre.
The requirement decomposes into four properties that mirror those required of a regulated operator. First, locality of authority: the unit must hold the rules that govern its own behavior, in a form that can be evaluated without external dependence. Second, capability introspection: the unit must know what it can do, what it has been certified to do, and what it has been authorized to do, and it must be able to refuse mismatches between any of the three. Third, trust topology: the unit must hold a structured representation of which peers, infrastructure components, and authorities it relies upon, and at what assurance level, so that coordination decisions can be made on principled grounds rather than by ambient assumption. Fourth, lineage: the unit must produce a chained record of its decision cycles, sufficient to satisfy NHTSA, FMCSA, ISO 26262 and ISO 21448 reviewers without depending on the dispatcher's log being intact. These four properties are what the centralized dispatcher has been approximating with connectivity, and they are what the framework, when read carefully, has been demanding of the unit all along.
Locality of authority deserves a closer look because it is the property that current architectures most aggressively externalize. A modern AV stack typically holds its operational design domain as a set of constants in a configuration file consumed at boot, but the binding decisions (whether the vehicle is presently within the ODD, whether a detected condition warrants an automation downgrade, whether a route segment has been authorized) are taken at the dispatcher or by remote operators reading dashboards. The vehicle's runtime has the data to evaluate these questions but not the authority artifact that would make the evaluation evidentiable. Locality of authority means putting the artifact next to the data, on the unit, in a form that the unit's runtime evaluates and the unit's lineage records. Once that is done, the dispatcher's role shifts from binding decisions to publishing the artifact, and the operational properties of the system change correspondingly.
Why Procedural Compliance Fails
The dominant industry answer is procedural. The dispatcher logs commands. Each vehicle logs telemetry. Compliance teams reconcile the two streams after the fact and produce reports that demonstrate, to the regulator, that the fleet operated within bounds. This works as long as the streams are complete, the dispatcher's decisions were correct, and the connectivity that carried the streams was continuous. It collapses under three structural failure modes that are not edge cases but standard operating conditions for any fleet of meaningful scale.
First, the dispatcher is a bottleneck and a single point of failure. A warehouse robot that loses its connection to the warehouse management system stops, even when the local situation is straightforward. A delivery drone that cannot reach the flight management system holds, even when its battery is degrading and a peer on the same lane could absorb its task. A mining truck whose pit-network link is intermittent oscillates between cautious motion and outright halt because the central scheduler cannot maintain authority at the cadence the operation requires. The procedural model conflates dispatcher reachability with operational legitimacy, and any disruption of the former is treated as if it disrupted the latter. The conflation is structural: the dispatcher is the only place where authority, intent, and current state are integrated, so any loss of connection truncates all three at once.
Second, the procedural reconstruction is gappy. When the link drops, the dispatcher's log ends, and the vehicle's local cache becomes the only record. Whether that cache is sufficient for an ISO 26262 incident analysis or a NHTSA standing general order disclosure depends on what the vehicle happened to be capturing, not on what the regulator will need. SOTIF investigations, which often hinge on perception edge cases that lasted milliseconds, are particularly hostile to gappy reconstruction: the events that matter most are precisely the events the cache was least likely to have recorded with the necessary fidelity. The fleet's regulatory posture during a degraded interval becomes a function of the vehicle's caching policy rather than of its actual conduct, and the policy was authored without knowing which interval would later turn out to matter.
Third, distributed scheduling and multi-agent learning, the most common technical responses to dispatcher fragility, do not actually move governance to the units. ROS 2 distributes the communication layer but leaves coordination logic in planner nodes that decide what each robot should do. Multi-agent reinforcement learning trains agents to coordinate but produces a policy that is centrally authored and deployed as a fixed model, with no structural capacity to evaluate eligibility against an explicit envelope. V2X message exchange under SAE J2735 or ETSI ITS-G5 broadcasts state but does not, by itself, govern behavior; a vehicle that receives a Cooperative Awareness Message has no built-in mechanism for deciding whether the sender is trustworthy, whether the message implies a maneuver obligation, or whether yielding to the sender would breach its own envelope. In each case the agents remain remote-controlled actuators, and the procedural compliance story remains hostage to a central authority whose fragility was the original problem.
A fourth failure deserves explicit acknowledgement: the procedural model does not scale to mixed-vendor fleets. When the dispatcher is the locus of authority, every vendor's units must speak the dispatcher's protocol, and the operator's regulatory exposure aggregates across vendors in ways that are difficult to decompose for incident analysis. A safety event that involves a unit from vendor A operating under a dispatcher policy authored by vendor B and a perception subsystem certified under a different ISO 21448 trigger library by vendor C produces a tangle that the procedural model is structurally unequipped to disentangle. Unit-local governance, by contrast, separates the authority artifact from the executing platform and allows each layer to be reviewed on its own terms.
A fifth failure is economic. Dispatcher-centric architectures impose a coupling between fleet size and connectivity infrastructure that determines the unit economics of any operation. A fleet that doubles in size requires either a doubling of dispatcher throughput, a doubling of connectivity provisioning, or both, regardless of whether the additional units are operating in dense or sparse situations. The marginal cost of an additional unit is therefore not the cost of the unit but the cost of the supporting central capacity, and in many environments the supporting capacity is the binding constraint on fleet growth. Operators have responded by either pre-investing in connectivity ahead of operations, which delays revenue, or accepting degraded service in connectivity-poor zones, which limits addressable market. Neither response addresses the architectural cause; both treat the dispatcher dependency as a fixed cost of doing business.
What the AQ Primitive Provides
The Adaptive Query execution platform is built on a canonical agent representation in which each unit carries, as first-class fields, its governance policy, its capability declaration, its memory of recent operational state, its trust relationships with peers and zones, and the lineage of its prior execution cycles. The unit does not consume instructions; it evaluates situations against its own envelope and decides what it is eligible to execute. Coordination among units happens through trust-weighted quorum, in which nearby agents exchange their proposed actions, evaluate one another's credentials and trust scores, and converge on a non-conflicting joint action without round-tripping through a central scheduler.
For a robotaxi operating under SAE J3016 Level 4 within a defined operational design domain, the governance envelope encodes the ODD itself. The vehicle refuses transitions that would carry it outside the ODD, records the refusal in its lineage, and continues to operate within the domain even when the dispatcher is unreachable. For a long-haul truck subject to FMCSA hours-of-service, the envelope encodes the driver's remaining duty time and the vehicle's mechanical constraints, and the unit will not initiate a leg it cannot lawfully complete. For a warehouse robot validated under ISO 26262 and ISO 21448, the envelope encodes the ASIL-allocated behaviors and the SOTIF triggers, and the unit refuses behaviors that would breach either. The envelope is not advisory; it gates every state transition, and the gating is what produces the artifact the regulator needs.
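The gating described above, as an added sketch that is not code from the Adaptive Query platform: a unit-local envelope evaluates each proposed transition and writes the outcome, executed or refused, to a hash-chained lineage. The class names, record fields, bounding-box ODD and minute-based duty budget are all assumptions made for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # constructed anchor value for the first record


def _digest(body: dict) -> str:
    """Hash a record body in a canonical (sorted-key) JSON encoding."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class Envelope:
    """Hypothetical unit-local envelope: an ODD bounding box plus an
    hours-of-service budget, both evaluated on the unit itself."""
    odd_box: tuple            # (min_lat, min_lon, max_lat, max_lon)
    duty_minutes_left: int

    def evaluate(self, transition: dict) -> list:
        """Return the names of the predicates the transition would breach."""
        breaches = []
        lat, lon = transition["dest"]
        min_lat, min_lon, max_lat, max_lon = self.odd_box
        if not (min_lat <= lat <= max_lat and min_lon <= lon <= max_lon):
            breaches.append("odd_boundary")
        if transition["est_minutes"] > self.duty_minutes_left:
            breaches.append("hours_of_service")
        return breaches


@dataclass
class Unit:
    unit_id: str
    envelope: Envelope
    lineage: list = field(default_factory=list)

    def propose(self, transition: dict, dispatcher_reachable: bool) -> bool:
        """Gate a transition and record the outcome, executed or refused.
        Dispatcher reachability is logged but never consulted for the decision."""
        breaches = self.envelope.evaluate(transition)
        body = {
            "seq": len(self.lineage),
            "unit": self.unit_id,
            "transition": transition,
            "dispatcher_reachable": dispatcher_reachable,
            "decision": "refused" if breaches else "executed",
            "breaches": breaches,
            "prev": self.lineage[-1]["hash"] if self.lineage else GENESIS,
        }
        self.lineage.append({**body, "hash": _digest(body)})
        if not breaches:
            self.envelope.duty_minutes_left -= transition["est_minutes"]
        return not breaches


def verify_lineage(lineage: list) -> int:
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, rec in enumerate(lineage):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or rec["seq"] != i or _digest(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1
```

A bare hash chain only detects edits when the latest hash is also held somewhere the editor cannot reach; signing each record with a unit-held key is outside this sketch.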
Coordination through trust-weighted quorum replaces the dispatcher with a structured negotiation. Three robots approaching the same aisle exchange their priorities, their capability envelopes, and their trust scores; each robot evaluates the joint action against its own governance and either ratifies or proposes an amendment. The negotiation completes in milliseconds because it happens between the robots, and it is recorded in each robot's lineage so that a later audit can reconstruct who agreed to what. V2X messages under SAE J2735 or ETSI ITS-G5 carry the negotiation payloads where applicable, and the canonical agent representation gives those messages their semantic interpretation rather than treating them as opaque broadcasts. The trust weighting matters: a message from a peer with an unblemished lineage and a current credential is treated differently from a message from an unfamiliar source with stale credentials, and the difference is encoded as a predicate that any party can audit rather than as an implicit heuristic in a planner.
The platform's behavior under partial failure is what makes the structural claim concrete. When connectivity to the dispatcher drops, the units do not enter a degraded mode; they continue operating within their envelopes, producing the same lineage they would produce under nominal connectivity. When a peer with deteriorating sensors begins broadcasting state inconsistent with its claimed capability, neighboring units detect the inconsistency through their trust evaluation, downweight the peer's contribution to quorum, and record the downweighting in their own lineages so that a later review can reconstruct why the peer's influence diminished. When a new unit joins an active zone, its credentials are evaluated against the zone's policy, its capability declaration is reconciled with the operator's authorization, and its lineage begins immediately, so its first action is already evidentiable. None of this requires a central authority to be reachable, and all of it is reproducible against the artifacts the platform produces.
The trust topology has an additional property worth naming. Because trust scores are derived from observable lineage rather than asserted by a central registry, a peer's standing in the local quorum is grounded in its actual operational record rather than in a credential whose issuance may or may not reflect current behavior. A vendor-mixed fleet operating in a contested or congested environment can therefore self-organize around the units whose recent behavior has been consistent, and downweight units whose recent behavior has not, without requiring a central authority to make and propagate that determination. The local quorum's behavior is thus more robust than the central authority's behavior would be, because the local quorum has access to first-hand observation that the central authority can only receive at network latency, if at all.
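The quorum behavior described in the preceding paragraphs, as an added sketch rather than the platform's own algorithm: one unit tallies peers' ratifications by the trust it holds for each, gives no weight to a lapsed credential, and halves a peer's trust when its broadcast contradicts its declared capability. The 0.6 share, the 0.5 decay, the speed check and all names are assumptions; the unit's own envelope evaluation is reduced to a boolean.

```python
from dataclasses import dataclass, field

QUORUM_SHARE = 0.6   # assumed: share of trust weight that must ratify
DECAY = 0.5          # assumed: trust multiplier per inconsistent broadcast


@dataclass
class PeerView:
    """What one unit holds about a peer: declared capability and earned trust."""
    peer_id: str
    max_speed: float          # m/s, from the peer's capability declaration
    credential_expiry: float  # epoch seconds
    trust: float = 1.0


@dataclass
class QuorumUnit:
    unit_id: str
    peers: dict = field(default_factory=dict)    # peer_id -> PeerView
    lineage: list = field(default_factory=list)  # plain list; chaining omitted here

    def observe(self, peer_id: str, reported_speed: float) -> float:
        """Downweight a peer whose broadcast contradicts its declared capability."""
        peer = self.peers[peer_id]
        if reported_speed > peer.max_speed:
            old = peer.trust
            peer.trust = round(old * DECAY, 4)
            self.lineage.append({
                "event": "downweight", "peer": peer_id,
                "reason": "speed_exceeds_declared_capability",
                "from": old, "to": peer.trust,
            })
        return peer.trust

    def weight(self, peer_id: str, now: float) -> float:
        """A lapsed credential carries no weight, whatever the earned trust."""
        peer = self.peers[peer_id]
        return 0.0 if now >= peer.credential_expiry else peer.trust

    def tally(self, proposal: str, own_ratifies: bool, votes: dict, now: float):
        """votes maps peer_id -> True (ratify) or False (object).
        Returns (adopted, ratifying share of total trust weight)."""
        weights = {p: self.weight(p, now) for p in votes}
        total = 1.0 + sum(weights.values())  # this unit counts itself at 1.0
        ratified = (1.0 if own_ratifies else 0.0) + sum(
            w for p, w in weights.items() if votes[p])
        share = round(ratified / total, 3)
        # A unit never adopts a joint action its own envelope rejects.
        adopted = own_ratifies and share >= QUORUM_SHARE
        self.lineage.append({
            "event": "quorum", "proposal": proposal, "votes": dict(votes),
            "weights": weights, "share": share, "adopted": adopted,
        })
        return adopted, share
```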
Compliance Mapping
The regulatory instruments map onto specific structural features of the primitive. SAE J3016 levels and the corresponding ODD definitions become governance predicates that the unit evaluates on every cycle, so the unit's level of automation is enforced by the envelope rather than by the dispatcher's discipline. NHTSA standing general order disclosures are satisfied directly by the lineage, which contains every engagement, disengagement, and disposition record per unit, with cryptographic chaining that supports the integrity expectations of incident investigation. The disclosure response stops being a forensic reconstruction and becomes an extraction.
FMCSA hours-of-service compliance is enforced at the unit because the envelope holds the driver's duty state and refuses dispatch decisions that would breach it; the Electronic Logging Device function is subsumed into the lineage. ISO 26262 ASIL allocations are encoded as predicates in the envelope, and the lineage substantiates the safety case at the per-unit granularity the standard expects. ISO 21448 SOTIF triggers, including perception edge cases and intended-functionality boundaries, are evaluated as predicates and produce recorded refusals when breached, giving SOTIF investigators the evidentiary surface the standard contemplates rather than the inferred reconstruction the procedural model affords.
SAE J2735 and ETSI ITS-G5 message obligations are driven from the unit's own state, so the unit broadcasts identity, position, and intent without depending on the dispatcher. V2X-mediated negotiations are recorded in the lineage with the same fidelity as local actions, which means that a contested intersection event involving multiple V2X-equipped units yields an evidentiary surface that matches across the participants rather than fracturing into incompatible reconstructions. For JADC2-aligned military fleets, the doctrine's expectation of cross-domain coordination under appropriate authority structures is satisfied by trust-weighted quorum, in which authority and trust are explicit fields rather than ambient assumptions, and by the lineage's reconstructibility, which supports the after-action regime that doctrine demands. Cross-domain federation under different command authorities becomes a matter of envelope authorship and trust topology rather than a bespoke integration project per coalition.
The compliance mapping also supports the kind of cross-modality fleet that current architectures struggle to assemble. An operator running on-road delivery vehicles, last-mile sidewalk robots, and rooftop drone launchpads under unified supervision currently has three compliance regimes, three dispatchers, and three reconciliation pipelines. Under the unit-local model, each unit holds the envelope appropriate to its modality, and the operator's compliance posture is the union of the lineages those units produce. Cross-modality handoffs (a parcel transferred from a sidewalk robot to a building's interior robot, a drone-delivered package received by a curbside vehicle) are negotiated as quorum events between the participating units, and the negotiation is recorded in each participant's lineage. The operator's audit surface is therefore continuous across modality boundaries that, under the procedural model, would mark the limits of evidentiary coverage.
Adoption Pathway
Adoption follows a staged path that aligns with how fleet operators already engage their regulators and standards bodies. The first stage is observational. The execution platform runs alongside the existing dispatcher, with each unit carrying its envelope and lineage but the dispatcher retaining authority. Operators compare the unit-level evaluations against the dispatcher's commands, identify the divergences, and use them as inputs to the next iteration of the safety case. The lineage at this stage is supplementary evidence; the dispatcher remains the primary record. The observational stage is also where the operator builds confidence in the envelope's coverage: any case in which the dispatcher's command and the unit's evaluation diverge is a candidate for envelope refinement, and the divergence itself is a structured artifact rather than an anecdote.
The second stage is governed degradation. The platform takes authority for connectivity-degraded intervals, replacing the legacy contingencies (hold, stop, return) with governed self-evaluation. The operator's safety case is amended to describe the on-board envelope and the lineage retention regime. ISO 26262 and ISO 21448 reviewers can evaluate the envelope as a structured artifact, and NHTSA disclosures during the degraded interval are satisfied by the lineage rather than by an inferred reconstruction. FMCSA enforcement of hours-of-service continues seamlessly because the envelope was always the source of truth. This stage is where the operator's compliance posture stops being a function of dispatcher reachability and becomes a function of envelope correctness, which is a property the operator can engineer and certify rather than one they can only hope for.
The third stage is primary authority. The platform becomes the unit's primary decision substrate, and the dispatcher transitions into a policy publisher that distributes envelope updates, trust map revisions, and capability advisories. Coordination among units shifts from dispatcher-mediated assignment to trust-weighted quorum among peers. The compliance posture becomes structural: the unit's envelope is the executable form of the regulatory and safety obligations, and the lineage is the audit surface. Fleet operators retain the regulatory relationship and the operational accountability the frameworks demand, but the substrate on which those rest is durable across the connectivity environments their fleets actually inhabit. The economic consequence is the elimination of the dispatcher's reachability as a scaling ceiling: a fleet whose units govern themselves can grow without forcing connectivity infrastructure ahead of the operation.
Across all three stages the standards and regulatory artifacts (J3016 levels, NHTSA disclosures, FMCSA logs, ISO 26262 safety cases, ISO 21448 trigger libraries, V2X message profiles, JADC2 coordination records) are produced from the unit's lineage rather than reconstructed from the dispatcher's commands. The fleet's compliance no longer depends on the dispatcher being reachable at the moment a regulator asks a question, and the regulator's review surface is the same artifact the operator uses to manage the fleet. That alignment, between the operator's operational substrate and the regulator's evidentiary substrate, is what the procedural model has been approximating with reconciliation pipelines and what the structural model delivers as a property of the platform. Operators who complete the staged transition acquire a posture that compounds: every additional unit deployed extends the lineage corpus that informs envelope refinement, every cross-modality handoff records a quorum event that strengthens the trust topology, and every regulatory engagement reinforces the operator's credibility in subsequent engagements. The procedural model produces compliance as a recurring tax; the structural model produces it as an accumulating asset.