Personal Layer Modulation at Inference

Mechanism

The personal layer is a credentialed adaptation artifact bound to a consumer through a biological identity credential — a credential that derives from a biometric measurement (fingerprint, iris, voice, gait, or multi-modal composite), is signed by a credentialed identity authority, and is presented at inference time as part of the request envelope. The binding is structural: the personal-layer artifact carries an identity-binding descriptor that names the credential type, the issuing authority, and the cryptographic commitment that the artifact's holder must satisfy. An inference call that does not present a satisfying credential cannot admit the personal layer into composition, regardless of whether the underlying storage location is reachable.

The default model state is the inference state that any consumer receives in the absence of a personal layer: the base weights, the system-level policy, the public adaptation artifacts admitted by the consumer's policy. The personal layer is held in a separate logical compartment that the inference engine accesses only after the biological-identity credential has been verified at the request boundary. The compartment exposes its contents only to the verifying call; concurrent inferences from other consumers, even on the same hardware, see the default model state without leakage from the personal compartment.

When an inference call presents a satisfying credential, the inference dispatcher resolves the personal-layer artifact, decrypts its contents using a key bound to the credential, admits it into the composite admissibility evaluator alongside the consumer's policy and the request descriptor, and weights it with the privileged status that the personal-layer descriptor specifies. The privileged status is enforced at three points: at skill selection, where the personal layer is always among the admissible skills; at composition, where the personal layer's contribution carries a weight bounded below by a credentialed minimum; and at output formation, where the personal layer's preferences modulate how the composite output is rendered to the consumer.

When the inference call completes, the personal-layer state is rewritten as needed (recording new preferences, updating context windows, evolving learned modulations), re-encrypted under the credential-bound key, and chained to the prior personal-layer state by hash. The chained record forms a per-consumer lineage that allows the consumer (and only the consumer, through the credential) to audit how the personal layer has evolved across inferences. The default model state observes none of this: the personal-layer evolution is not training data for the base weights, is not telemetry to the operator, is not retained in the multi-tenant cache.

Operating Parameters

Biological-identity binding is parameterized by credential type, false-accept and false-reject rates, freshness bounds, and liveness requirements. A high-stakes deployment may require a multi-modal credential (face plus voice plus gait), a sub-second freshness bound, and an active liveness challenge; a low-stakes deployment may accept a single-modal credential refreshed at session start. The credential-type selection is itself a credentialed parameter: an identity authority publishes the admissible credential types and their tolerance bounds, and consumers choose among them according to local policy.

The privileged-weight floor is parameterized as a minimum admissibility weight that the personal layer carries through composition regardless of how many third-party artifacts are also active. Implementations may set the floor at a fixed value, at a value that scales with the number of active artifacts, or at a value that the consumer signs as part of the personal-layer descriptor. The floor cannot be reduced by third-party-side configuration; only the consumer's authority can revise it.

Isolation from the default model state is parameterized by the cryptographic mode (envelope encryption with hardware-backed key, attribute-based encryption keyed on credential, confidential-computing enclave with attested boundary), by the cache-eviction policy on session end, and by the cross-tenant leakage budget. Implementations target zero leakage as the formal property; the parameter expresses the practical mechanism that achieves it.

Personal-layer evolution is parameterized by the rewrite cadence (per-call, per-session, per-day), by the rewrite scope (which fields the inference may modify, which are read-only), and by the rollback horizon (how far back the consumer may revert through the chained lineage). Consumers that prefer aggressive personalization configure frequent rewrite of broad scope; consumers that prefer stable behavior configure rare rewrite of narrow scope; both configurations are first-class.

The audit-disclosure parameter governs which parties may inspect the personal-layer lineage. The default is consumer-only inspection; the consumer may delegate inspection to a designated authority (a fiduciary, an auditor, an estate executor) through a signed delegation that the lineage substrate enforces. The delegation is itself recorded in lineage, providing a complete record of who has held inspection authority over what window.

Alternative Embodiments

In a personal-device embodiment, the personal layer resides on the consumer's own hardware (a phone, a wearable, a key fob) and is loaded into the inference engine only when the device co-presents with the credential. The device-resident embodiment minimizes server-side custody of personal-layer state and is appropriate for consumers who prefer device-local sovereignty.

In a credentialed-cloud embodiment, the personal layer resides in a custodial store operated by a credentialed identity authority. The store releases the layer only on credential presentation and never to the model operator's general infrastructure. The embodiment supports consumers who lack capable personal hardware but who trust an identity authority's custody.

In an enterprise-bound embodiment, the personal layer represents an enterprise-bound identity (an employee acting in role) rather than a private individual. The enterprise authority issues the credential, the personal layer carries enterprise-context preferences, and the privileged-weight floor is set by enterprise policy. The embodiment supports professional inference (a clinician's voice in a medical workflow, an attorney's voice in a legal workflow) where the enterprise identity is the relevant sovereign.

In a fiduciary embodiment, the personal layer represents a beneficiary whose credential is exercised by a designated fiduciary (a guardian, a conservator, a delegated agent). The credential descriptor carries the fiduciary delegation; the fiduciary's authentication is what unlocks the personal layer; the lineage records both the beneficiary identity and the exercising fiduciary. The embodiment supports inference for individuals who cannot directly present a biological credential.

In a posthumous embodiment, the personal layer is sealed at the consumer's death by a credential-revocation event from the identity authority. The seal converts the personal layer into a read-only artifact that can be inspected by authorized executors but cannot be admitted into new inference. The embodiment supports estate handling for personal-layer state that has the character of personal property.

In a degraded-credential embodiment, the inference engine accepts a downgraded credential (a partial biometric, a stale credential within tolerance) and admits the personal layer at a reduced privileged-weight floor. The reduction is recorded in lineage so the consumer can identify which inferences ran under degraded credentials and revisit them if necessary.

Composition

The personal layer composes with the base model, the public adaptation artifacts, and the third-party skills admitted by the consumer's policy. The composition is governed by the composite admissibility evaluator, which treats the personal layer as a privileged input but does not exempt it from the evaluator's structural rules: a personal-layer modulation that violates a regulatory constraint is excluded, just as any other modulation would be. Sovereignty does not override safety; it overrides commercial pressure.

Sideways, the personal layer composes with the spatial inference router so that personal-layer artifacts travel through the same routing fabric as other artifacts, with their privileged status preserved. It composes with the authority taxonomy so that the consumer's own authority over the personal layer is recognized as a first-class authority class. It composes with the lineage substrate so that personal-layer evolution shares the chained-record format used for routing and execution lineage, while the encryption and access controls keep personal-layer lineage isolated from operator-visible lineage.

Vertically, the personal layer composes with the consumer's identity authority through credentialed updates: the authority may issue new credential descriptors, revise tolerance bounds, or revoke compromised credentials, and the personal layer consumes these updates at well-defined synchronization points. The architecture treats credential lifecycle as a first-class operation rather than as ad-hoc configuration.

Prior-Art Differentiation

Per-user fine-tuning and per-user embedding stores attach user-bound state to inference, but the binding is typically session-key based and the state lives in the same multi-tenant infrastructure as the default model. A leaked session key, an operator with sufficient privilege, or a misconfigured cache can expose user-bound state. Personalization features in current assistants treat preferences as session metadata that the operator owns and can mine for training; the user has no structural sovereignty over the state.

Biometric authentication systems verify identity at the device boundary but do not propagate the verification into the inference admissibility decision; the inference engine receives an authenticated session and treats the session like any other. Confidential-computing enclaves protect inference inputs from operator inspection but do not specify the structural-sovereignty contract that the personal layer establishes.

The disclosed mechanism differs structurally. Personal-layer state is not session metadata; it is a credentialed artifact bound to biological identity. Access is not session-key gated; it is credential-presentation gated, with cryptographic isolation from the default model state. Privileged composition is not a UI affordance; it is an evaluator-enforced weight floor that the operator cannot override. Lineage is not operator telemetry; it is a consumer-private chained record. The combination of biological-identity binding, isolation from default model state, evaluator-enforced privileged weight, and consumer-private lineage is the operative novelty.

Disclosure Scope

This disclosure covers personal-layer inference state bound to biological identity, including the credential-presentation gate that admits the personal layer; the cryptographic isolation that separates the personal layer from the default model state; the evaluator-enforced privileged-weight floor at composition; the consumer-private chained lineage of personal-layer evolution; and the embodiments described above. The disclosure extends to device-resident, credentialed-cloud, enterprise-bound, fiduciary, posthumous, and degraded-credential embodiments. The disclosure further extends to the composition of the personal layer with spatial inference routing, authority taxonomies, and lineage substrates as described, and to the credentialed-update path through which identity authorities evolve credential descriptors and tolerance bounds without re-deployment.

The disclosure further covers any system that combines (a) biological-identity binding of personal-layer state through a credential issued by a credentialed identity authority, (b) cryptographic isolation of the personal-layer compartment from the default model state under the threat model that includes a curious operator and concurrent multi-tenant inference, (c) evaluator-enforced privileged composition with a weight floor that the operator cannot reduce, and (d) consumer-private chained lineage of personal-layer evolution, irrespective of the specific biometric modality, the specific cryptographic primitive, the specific evaluator architecture, or the specific lineage encoding used to instantiate the four elements. Embodiments that authenticate by knowledge factor or device-possession factor without biological binding, that store personal state in shared-tenant infrastructure without compartment isolation, that allow operator override of the privileged-weight floor, or that expose personal-layer evolution to operator telemetry, fall outside the disclosed mechanism. The four elements together — biological binding, isolation, enforced privilege, and consumer-private lineage — define the structural sovereignty contract that the disclosure protects.