Integrity Structural Placement

Mechanism

The Cognition Patent specifies the integrity-coherence layer as a structurally interposed component of the agent's cognitive architecture. The layer occupies a defined position with two strict adjacencies: it sits above the inference primitives that produce candidate actions and below the execution primitives that dispatch actions to the world or to downstream agents. Every signal that crosses between those two layers must pass through the integrity gate. There is no bypass path, and there is no parallel monitor running alongside execution; the layer is on the critical path.

The downward gate is the more familiar one. Inference produces a candidate action; the integrity layer evaluates that candidate against the policy reference, against the agent's declared values, and against the predictive forecasts produced by the social modeling and confidence-governance primitives that compose with it. The candidate either passes (and is dispatched), is mutated (and the mutated form is dispatched), is refused (and the inference layer is asked to propose another), or is escalated. The disposition is written into lineage so the gating decision is auditable.

The upward gate is the one that conventional architectures omit. When execution returns observations (the result of the dispatched action, the response from a counterparty, the readings from a sensor invoked in service of the action), those observations do not flow directly back into the inference state. They pass through the integrity layer first. The layer evaluates them for credential validity, for consistency with the agent's existing model, and for policy compliance, and it admits them into the agent's canonical fields only if they pass. Observations that fail can be quarantined, escalated, or refused, and the failure itself is recorded as an integrity event.

Operating Parameters

The placement is structural, but the gate's behavior is parameterized by policy. The downward gate's response semantics (refuse, mutate, escalate) are policy-declared per action class. The upward gate's admission policy (which credential authorities are recognized, which observation types require which level of corroboration, which observations are admitted into which canonical fields) is similarly declared. A deployment can be configured to run either gate in advisory mode, in mandatory mode, or in mixed mode where some action classes are advisory and others are mandatory.

A separate operating parameter governs the layer's coupling to the policy reference itself. The integrity layer reads policy at gate evaluation time; it does not cache policy across long horizons. This is a deliberate operating constraint: it ensures that a policy update propagates to the next gate evaluation rather than waiting on cache invalidation, which is what allows governance bodies to update declared values and have those updates take effect at the next decision boundary.

Lineage emission is non-optional. Every gate evaluation, in either direction, emits a structured lineage record containing the input being evaluated, the policy version under which it was evaluated, the disposition produced, and any mutation applied. The lineage record is itself a credentialed observation that downstream auditors can replay. This is the parameter that makes structural placement governable rather than merely architectural: because every gate decision is recorded, the trajectory of the agent's behavior is reconstructable from lineage alone.

Alternative Embodiments

In a monolithic embodiment, the integrity layer is a single in-process component that intercepts calls between the inference module and the execution module. The downward gate is implemented as a function the inference module must call before dispatch; the upward gate is implemented as a function the execution module must call before returning. The placement is enforced by the calling convention.

In a microservice embodiment, the integrity layer is a separate service through which the inference and execution services route their cross-layer traffic. Authentication between services ensures that neither service can address the other directly without traversing the integrity service. The structural placement is preserved through routing, not through in-process calling convention.

In a hardware-rooted embodiment (relevant for high-assurance deployments), the integrity layer runs in a trusted execution environment, and the inference and execution layers are constrained to communicate with it through a hardware-mediated channel. The structural placement is enforced by the platform rather than by software discipline. This embodiment is appropriate for defense, financial, and safety-critical deployments where bypass resistance is itself a regulatory requirement.

In a federated multi-agent embodiment, each agent maintains its own integrity layer, and inter-agent communication crosses through the integrity layers of both the sender and the receiver. The placement is preserved across the agent boundary: an outbound message is gated by the sender's integrity layer before it leaves, and the corresponding inbound message is gated by the receiver's integrity layer before it is admitted. Cross-agent observation exchange therefore inherits the same governance properties as within-agent signal flow.

Composition With Other Primitives

Structural placement is what allows the other integrity-coherence primitives to function as gates rather than as advisors. Predictive social modeling produces a forecast; because integrity is on the critical path, the forecast can refuse or mutate the candidate action rather than merely flagging it. Confidence governance produces calibrated bounds; because integrity is on the critical path, an under-confidence disposition can suspend execution rather than merely warn. Policy reference resolution produces declared values; because integrity is on the critical path, a policy violation can block dispatch rather than merely log it.

The upward gate composes with the discovery substrate and with the credentialing primitives. Returning observations are evaluated for credential validity at the gate, which is the same evaluation discovery performs when admitting observations into its substrate. The integrity layer reuses the credentialing primitive rather than duplicating it; placement supplies the location at which the primitive is applied to cross-layer traffic.

Composition with execution governance is also structural. Execution governance constrains how an admitted action is dispatched (rate limits, side-effect controls, transactional boundaries). Integrity placement ensures that execution governance receives only candidates that have passed the integrity gate, so execution governance is never asked to enforce policy on actions that should not have reached it in the first place.

Distinction From Prior Art

External monitors are not on the critical path. They observe, they alert, and in some configurations they can revoke after the fact, but they do not gate. An agent fronted by an external monitor can still dispatch an action that the monitor will later flag; the action has already taken effect. The disclosed placement is structurally different: there is no path by which a candidate can reach execution without first passing through integrity, and no path by which a returning observation can reach inference state without first passing through integrity.

Constitutional filters, prompt-level guardrails, and output classifiers operate at a single point of the signal flow, typically just before output emission. They are unidirectional and they are positioned within the inference layer rather than between layers. They cannot gate returning observations, and they cannot mutate candidates with reference to a forecast or to a credential check that requires cross-primitive context.

Policy engines and rule-based authorization systems sit beside the agent, not within its architecture. They answer the question may this action proceed against a static rule set. The disclosed placement integrates the gate into the architecture itself, with composition to forecasting, confidence, and discovery primitives, and with bidirectional coverage that conventional policy engines do not provide.

Disclosure Scope

The Cognition Patent discloses the structural placement of the integrity-coherence layer above inference and below execution, with bidirectional gating, mandatory lineage emission, and policy-declared response semantics. The disclosure covers monolithic, microservice, hardware-rooted, and federated embodiments. It covers the composition interfaces with predictive social modeling, confidence governance, policy reference resolution, the discovery substrate, and execution governance.

The disclosure is explicit that placement is the load-bearing claim. The specific evaluation logic that runs at the gate is interchangeable across deployments and is itself parameterized by policy; what is novel is the structural rule that no signal crosses between inference and execution without passing through the gate, and that the gate composes with the named primitives through defined interfaces. Implementations that preserve this placement, regardless of the specific evaluation logic chosen, fall within the disclosed scope.

Inside scope: any embodiment in which the integrity-coherence layer occupies the structural position above inference and below execution, gates signal flow in both directions, emits lineage on every gate decision, and composes with the policy reference at evaluation time. Inside scope: monolithic, microservice, hardware-rooted, and federated embodiments that preserve this placement under any combination of in-process call discipline, network-routing enforcement, or platform-level mediation. Inside scope: deployments that operate the gates in advisory mode, mandatory mode, or mixed mode, provided the structural placement is preserved; advisory operation does not remove the placement, it only modifies the response semantics declared in policy.

Outside scope: external monitors and policy engines that observe execution from outside the architecture without gating it. Outside scope: unidirectional output filters that gate only outbound signals and do not gate returning observations. Outside scope: governance overlays that consult policy after dispatch rather than at the gate. The boundary is structural: the layer must be on the critical path in both directions, must emit lineage, and must compose with the named primitives through defined interfaces.

Licensees retain freedom over the gate's evaluation logic, the specific lineage encoding, and the implementation technology used to enforce placement. This freedom is intentional: the patent claims the structural primitive, not a specific software stack, so deployments can adopt the placement under their existing technology choices without architectural disruption. What is required is the rule, the bidirectional coverage, and the lineage; what is left to the implementer is everything else.

The disclosure further contemplates progressive adoption paths. A deployment may initially install the integrity layer in advisory mode, observing what the gate would have done without enforcing its dispositions, and then progressively transition specific action classes into mandatory mode as confidence in the gate's evaluation logic grows. The structural placement is preserved across this transition; only the response-semantics policy changes. Lineage emission remains mandatory in both modes, so the audit record of advisory dispositions is itself the evidence base on which the transition to mandatory enforcement is made.