Eleven Graduated Execution Modes
by Nick Clark | Published April 25, 2026
Confidence-governed actuation produces eleven categorically distinct modes — simulated, advisory, consultative, shadowed, partial, constrained, stage-gated, deferred, full, emergency-accelerated, emergency-overridden. Mode selection is a deterministic function of composite admissibility against governance policy.
What the Eleven Modes Specify
Each mode is a categorically distinct operational outcome with its own commit-authority semantics. Simulated: action computed but not committed. Advisory: action displayed to operator without commanding actuator. Consultative: action requires explicit operator ratification. Shadowed: action logged with verification in parallel with continued fallback control. Partial: a fraction of requested authority committed. Constrained: committed within reduced operational envelope. Stage-gated: committed in successive bounded stages. Deferred: held pending additional evidence. Full: committed at full requested authority. Emergency-accelerated: committed at elevated priority under preemption budget. Emergency-overridden: committed despite ordinary admissibility failure under credentialed override.
Mode selection is deterministic. Same input produces same output. Every selection records the supporting computation in lineage.
Why Eleven and Not Three or Twenty
The mode set is the result of structural decomposition rather than enumeration. Each mode corresponds to a distinct combination of (commit authority level) × (verification requirement) × (reversibility envelope) × (operator involvement) that real autonomous-physical systems demonstrably need.
Smaller mode sets — full, partial, halt — collapse meaningfully different operational outcomes. Larger sets become operationally indistinguishable. Eleven matches the empirical structure of how regulated autonomous systems actually operate across automotive, medical, industrial, and defense deployments.
How Mode Selection Composes With Existing Safety Logic
Mode selection runs above existing functional-safety logic (ISO 26262, IEC 61508, IEC 61511). The functional-safety floor remains the unconditional bound: actions violating the floor are suppressed regardless of admissibility. Above the floor, mode selection consumes the admissibility computation against governance policy and produces the appropriate mode.
The composition is additive. Existing safety certification continues to be valid; the architectural primitive operates above the certified safety logic, providing the graduated outcomes the safety standard cannot specify alone.
What Eleven Modes Enable Operationally
Incident response can shift a fleet from full to constrained without service halt. Edge-case handling can defer action pending additional evidence rather than committing under uncertainty. Human-collaborative operation can run shadowed mode during teleoperation with audit-grade lineage of contemplated commands.
Cross-jurisdictional fleet operation handles transitions through governance-credentialed mode-restriction policy. The architecture supports configuration-driven multi-jurisdictional deployment where current architectures require per-jurisdiction re-engineering.
