The Always-Active Personal Layer Carve-Out

Mechanism

The personal layer is a credentialed adaptation artifact whose authority is the operator's biological-identity envelope. Its content represents the operator's accumulated preferences, operational history, organizational context, governance settings, and any private knowledge the operator has elected to commit to the layer. Cryptographically, it is signed by a key whose chain of custody is rooted in the same biological-identity envelope that authenticates the operator to the substrate; this binding is the structural fact that makes the personal layer impossible to instantiate or activate without the operator being present.

Activation is implicit. The substrate's admissibility evaluator does not expose a control surface for enabling or disabling the personal layer at inference time. When the operator's biological-identity binding transitions from absent to nominal — that is, when the operator is bound to the substrate under the same mechanism that governs every other identity-bearing operation — the evaluator queries the binding's envelope for the associated personal-layer reference, retrieves the signed artifact (from local storage, from the operator's identity-attached cache, or from a credentialed retrieval service named in the envelope), validates the signature against the binding's key chain, and admits the artifact as a privileged input to every subsequent inference for the duration of the binding.

Privileged admission is structural rather than advisory. The evaluator's contribution-weighting function treats the personal layer as a fixed-weight participant whose contribution cannot be reduced by third-party admissibility evaluation. When third-party skill artifacts are admitted into the same inference, their weights are normalized against each other under the evaluator's policy; the personal layer's weight is not part of that normalization. A third-party artifact cannot be assigned a weight that suppresses the personal layer; cannot inject content that re-ranks the personal layer downward; cannot persuade the evaluator to defer the personal layer to a later turn. The privilege is enforced at the layer that performs admission, not at a layer that runs after admission and might be bypassed.

Deactivation is symmetric with activation. When the biological-identity binding transitions from nominal to terminated — through voluntary handoff, through authority assumption, through liveness-witness expiry, through explicit revocation, through any of the events catalogued by the operator-handoff primitive — the evaluator removes the personal layer from the privileged-input set in the same step that records the binding termination. Inferences performed after the termination event do not include the layer. The substrate cannot continue to exercise the operator's sovereign intent after the operator is no longer bound to it. There is no grace window in which the layer remains active under the prior identity; the only continuity that exists is whatever the incoming operator's own personal layer establishes after their binding completes.

The activation and deactivation events are themselves credentialed observations recorded in the substrate's audit log. The log records the binding identity that caused activation, the moment of activation, every inference in which the personal layer participated, and the moment and cause of deactivation. This is what makes the carve-out auditable: a regulator, the operator, or the operator's governing authority can prove that the personal layer was active exactly when the operator was bound, and only then.

Operating Parameters

The personal layer's minimum contribution weight is a per-policy parameter expressed as a floor on its share of the evaluator's combined contribution. Typical floors lie well above the maximum admissible weight of any single third-party artifact under the same policy, ensuring that the personal layer is never outvoted by an aggressive external skill. The floor is recorded in the operator's biological-identity envelope and may be raised — but not lowered below a network-wide minimum — by the operator's own credentialed governance flow.

The artifact's update flow is credentialed. The operator may amend the personal layer's content (preferences, organizational settings, accumulated context) by signing an update with the same key chain that authorized activation. The evaluator consumes the update through the standard governance-update path, which means the same audit log that records activation also records each update, who authorized it, and what changed at the artifact-version granularity.

Liveness coupling is governed by the same liveness-witness mechanism that controls the binding itself. If the binding's witness lapses, the personal layer is deactivated under the same policy that places the substrate into a coverage gap. There is no separate liveness contract for the layer because the layer's lifetime is defined as a strict subset of the binding's lifetime.

Storage of the personal layer is parameterized by the operator's policy: in-substrate (for substrates the operator owns or trusts), operator-attached (carried with the biological-identity envelope's storage surface), or credentialed-retrieval (fetched on bind from a service named in the envelope). In every case the artifact is encrypted under a key derivable only from the binding's authentication, so a substrate that cannot complete the bind cannot read the layer.

Alternative Embodiments

The carve-out admits several embodiments. In an enterprise-deployment embodiment, the operator is an institutional identity rather than a natural person, and the personal layer carries the institution's policy, identity, and operational history. The structural property — permanently bound, identity-gated, never opt-in — is unchanged; the binding is between the institution's biological-equivalent identity envelope and the substrate, and the personal layer activates and deactivates with that binding.

In a multi-operator co-binding embodiment, two or more operators are concurrently bound to the substrate (a primary operator and a supervisor, for example). Each operator's personal layer activates while the corresponding binding is nominal; the evaluator composes them under a policy that defines their relative weighting but preserves each layer's privileged status against third-party de-weighting. Loss of any one binding deactivates that operator's layer without affecting the others.

In a delegated-storage embodiment, the personal layer is held by a credentialed retrieval service rather than the substrate. The substrate holds only the envelope reference; on bind, it fetches the layer through a credentialed channel and discards it on deactivation. This embodiment is appropriate for substrates with constrained storage or strict residency requirements.

In a sealed-context embodiment, the personal layer participates in inferences but is not itself exfiltrable: the evaluator admits the layer's contribution while the substrate's storage and logging surfaces treat the layer as opaque to anything below the admissibility boundary. This embodiment prevents the substrate from being repurposed to capture the operator's personal layer for subsequent use under a different binding.

Composition With Other Cognition Primitives

The personal layer composes with the biological-identity envelope: the envelope is the root authority for the layer, so any change to the envelope (credential rotation, policy upgrade, revocation) propagates immediately to the layer's admission. It composes with the operator-handoff primitive: handoff is precisely the event that deactivates the outgoing operator's personal layer and activates the incoming operator's, so the carve-out is the per-inference manifestation of the per-binding handoff transition.

The personal layer composes with the third-party skill-gating primitive: third-party artifacts admitted under the gating policy are precisely the artifacts whose weights cannot dominate the personal layer. Composition produces a stable agent in which the operator's sovereign intent is preserved against any combination of admitted external skills. It composes with the audit primitive: every activation, every inference participation, every update, and every deactivation is anchored to the substrate's tamper-evident log, which is itself a participant in the broader integrity surface.

The personal layer composes with the rate-limit primitive at the update layer: an operator's authorized updates to their own layer are themselves credentialed, rate-limited objects, preventing a compromised credential from rapidly mutating the layer's content beyond the operator's intent. The composition is symmetric with the way the framework rate-limits every other identity-rooted authority.

Distinction From Opt-In Personalization Systems

Conventional personalization systems treat user-specific context as an opt-in adjunct to a pre-existing inference pipeline. The user enables a profile, the system loads it, the inference uses it, and the system honors a request to disable it. The profile is a feature; its presence or absence is a configuration choice; its priority relative to other inputs is a tuning parameter the system owner controls. This produces a structural vulnerability: a third-party component admitted into the pipeline can dominate, override, or adversarially manipulate the user's intent, because the user's intent has no privileged status — it is just another input subject to the system owner's weighting.

The disclosed personal layer is not a feature. It is permanently bound to the operator's biological identity, activates implicitly on bind, deactivates implicitly on bind loss, and is exempt from any weighting policy that the system owner might otherwise apply to dilute it. The user does not opt in because there is nothing to opt into: the layer's existence is a structural property of being bound to the substrate. The layer's privilege is enforced at the admission layer, not by a downstream rule that could be bypassed by a sufficiently clever third-party artifact.

Prior systems that attempt to give user context a privileged status typically do so as a runtime priority assignment that can be overridden by configuration, by a more aggressive third-party skill, or by an upgrade to the system that quietly re-orders the priority list. The disclosed mechanism is structurally different because the privilege is rooted in the biological-identity binding itself: changing it would require changing the binding, which would itself be a credentialed event the operator and the operator's governance can detect.

Disclosure Scope

A further structural property worth emphasizing is that the carve-out's not-opt-in character is what makes its security claims meaningful. Opt-in personalization is, by construction, defeasible: any party capable of changing the configuration can disable the user's privileged input. The disclosed mechanism is not configuration; it is a property of the bind itself. Disabling the personal layer requires terminating the binding, which is a credentialed observation visible to the operator's governance. This produces a chain of accountability in which the operator's sovereign intent cannot be silently dropped from inference without producing an audit-visible transition. In adversarial settings — where a third-party skill might otherwise attempt to suppress the user's intent through prompt engineering, weight injection, or admission-time persuasion — this property is what closes the loop: the layer's privilege is not something the inference path negotiates, it is something the bind asserts, and the inference path cannot reach the operator's substrate at all unless the bind is intact.

The disclosed mechanism covers the always-active personal layer as a credentialed adaptation artifact permanently bound to an operator's biological identity, implicitly activated on identity bind, structurally exempt from third-party de-weighting during the bind, and implicitly deactivated on bind loss, including the floor on its contribution weight, the credentialed update flow, the liveness coupling to the binding, and the audit anchoring of every activation, participation, update, and deactivation event. The disclosure extends to enterprise-deployment, multi-operator co-binding, delegated-storage, and sealed-context embodiments, and to compositions of the personal-layer primitive with the biological-identity envelope, the operator-handoff primitive, the third-party skill-gating primitive, and the network's audit and rate-limit primitives. The disclosure is not limited to any particular inference architecture, model class, or deployment environment; the structural invariants — identity-rooted authority, implicit activation on bind, fixed-weight privileged admission, implicit deactivation on bind loss, audit-anchored lifecycle — are what define the claimed subject matter.