Biological Identity Skill Binding

Mechanism

The biological-binding mechanism is defined in Chapter 7 of the cognition patent as a structural precondition on every gated skill invocation. The runtime maintains, for each session, a binding record that ties a specific biological-identity thread (an attested live-presence signal sourced from operator-side hardware: typed cadence, ambient audio, presence sensor, or equivalent) to the session in which the LLM is operating. The binding record contains a freshness timestamp, an attestation reference, the operator identifier, and the set of skills currently authorized under that binding.

When an LLM-driven cognition step proposes a skill invocation, the gating evaluator does not look only at the requested skill and the agent's certified set. It additionally looks up the active binding record, verifies that the binding is fresh within a policy-defined freshness window, verifies that the operator identifier in the binding is on the skill's authorized-operator list, and verifies that the attestation reference is valid against the configured attestation provider. All four checks must pass.

Failure of any check produces non-execution. Non-execution is structurally distinct from a failed call: the runtime emits no side effect, returns no surrogate, and does not enter a retry loop. It records a binding-failure event in lineage and returns control to the cognition step. The LLM's proposal is treated as if it had never been emitted; downstream state is unchanged. This is the "skill use without active biological binding is non-execution" guarantee.

Liveness is the discriminating property. The binding record requires recent biological signal — not merely a stored credential. A keystroke pattern from minutes ago does not satisfy a freshness window of seconds. A passive presence sensor that has lost its operator subject does not satisfy. The runtime treats credentials as necessary but not sufficient; the live signal is what authorizes the skill. This forecloses replay attacks, stored-credential attacks, and unattended-session attacks structurally rather than heuristically.

Skill binding is per-skill, not per-session. A binding may authorize a low-risk skill while leaving a high-risk skill ungated. The binding record carries an explicit authorized-skill set, populated at binding-creation time from operator certifications and policy. Adding a skill to the authorized set requires a fresh attestation; it cannot be inferred from prior bindings. This means an operator who has authenticated for read-only skills cannot have write-skills silently activated by a sufficiently clever LLM proposal.

Operating Parameters

Freshness windows are policy-resident and per-skill. Low-risk informational skills may use minute-scale windows; high-risk irreversible skills may use second-scale windows or require live signal at the moment of invocation. Windows are tunable per deployment so that regulated domains can encode regulator-defined freshness requirements.

Attestation providers are configurable. The runtime accepts attestations from any provider on its trust list — local hardware enclaves, federated identity providers, biometric services, or domain-specific attestation servers. Each provider's attestations carry a provider identifier and a verification key; the runtime cryptographically validates each attestation rather than trusting a flag.

Authorized-skill sets are constructed at binding creation by intersecting operator certifications with current policy. An operator certified for skills {a, b, c} operating in a deployment that authorizes {b, c, d} for the operator's role receives an authorized set of {b, c}. The intersection is recomputed at each binding refresh so that policy changes propagate automatically without requiring re-certification.

Binding refresh cadence governs how often the live signal must be reasserted to maintain the binding. Continuous-presence deployments stream the signal; transactional deployments require an explicit reassertion at each invocation. The cadence is configurable per skill so that the operator is not over-burdened for low-risk operations and not under-burdened for high-risk ones.

Grace-period and degradation parameters govern transient signal loss. A brief gap in the live signal — a momentary occlusion of a presence sensor, a single missed challenge response — does not necessarily collapse the binding to nothing; instead, the binding may transition to a degraded state in which low-risk skills remain authorized while high-risk skills become non-executable. The degradation curve is policy-defined and recorded, so that the binding state at any moment in lineage is reconstructible from the live-signal history.

Alternative Embodiments

In a clinical-prescribing embodiment, a clinician's biological binding is established by hardware-enclave attestation plus continuous typed-cadence signal. LLM-proposed prescription orders are non-executable when the binding lapses (clinician steps away from the workstation), preventing both unattended-session prescribing and assistant-impersonation attacks.

In a financial-execution embodiment, a trader's biological binding is established by face-recognition attestation plus periodic challenge response. LLM-proposed trade executions above a configured size require a fresh challenge response within seconds of execution. Without the response, the trade proposal is non-executed and recorded as a binding-failure event.

In a developer-tooling embodiment, a developer's biological binding gates LLM-proposed destructive operations (force-push, production deploy, secret rotation). Read-only proposals execute under a long-window binding; destructive proposals require a fresh second-scale binding. The mechanism prevents an LLM-driven coding agent from executing destructive operations during periods when the developer is absent from the workstation, even if the session and credentials remain valid.

In a robotic-actuation embodiment, an operator's biological binding gates LLM-proposed motion commands to a physical actuator. Loss of binding (operator looks away from the safety-station) immediately disables motion authorization regardless of the LLM's continued proposals. The mechanism integrates with traditional safety interlocks but operates at the cognitive layer rather than the electrical layer, allowing fine-grained per-skill rather than coarse all-or-nothing safety.

Composition With Other Mechanisms

Biological binding composes with confidence governance: a binding-failure event raises the integrity-feedback signal, which raises sufficiency thresholds for subsequent recomputation cycles. An LLM that repeatedly proposes skills under a lapsed binding causes the runtime to become measurably more conservative. Binding composes with skill certification: only certified skills can appear in an authorized set, so an uncertified skill cannot be activated even by a perfectly fresh binding. Binding composes with lineage: each binding-failure event is recorded with the proposed skill, the LLM proposer, the attempted operator identifier, and the reason for failure, producing a complete forensic record of which proposals were not executed and why.

Critically, the mechanism is resistant to LLM compromise. Even an LLM that has been adversarially manipulated cannot invoke a skill without a fresh biological binding, because the gate is structural and external to the LLM. Compromising the LLM does not compromise the binding; only compromising the operator-side attestation hardware does, and that compromise is detectable by attestation chain validation.

The binding mechanism also composes with multi-operator workflows. A skill may require concurrent bindings from two distinct operators (a four-eyes principle), each with independent attestation chains. The cognitive runtime evaluates the conjunction structurally; failure of either binding produces non-execution. This generalizes naturally to N-of-M operator schemes for high-consequence skills without requiring the LLM to be aware of the multi-operator policy at all — the LLM proposes the skill, and the runtime resolves the binding requirement transparently.

Lineage composition deserves explicit emphasis. Each non-execution event records not only that a skill was proposed and refused, but which binding check failed (freshness, attestation, operator-list, or authorized-skill set) and the value at the time of failure. Aggregated over a deployment, this lineage provides a quantitative measure of how often the binding mechanism is the limiting factor on LLM action, allowing operators to tune freshness windows and authorized-skill sets to the empirical operational pattern rather than to a priori guesses.

Distinction From Prior Art

Prior art in the LLM-tooling space gates skills on session credentials or on per-call API tokens. These mechanisms authenticate sessions but do not require live biological presence; an unattended session retains full skill authority. Multi-factor authentication systems require live signals at session start but not at each skill invocation, so a long-running session with strong start-time authentication is functionally identical to an unattended one once the start-time signal is consumed.

Continuous-authentication systems track biological signals throughout a session but typically gate the entire session on the signal rather than gating individual skills with per-skill freshness windows. The claimed mechanism differs by binding individual skills to live attestation with per-skill freshness, by treating binding failure as non-execution rather than as a session error, and by composing the binding signal with the cognitive-runtime governance layer rather than only the transport authentication layer.

Disclosure Scope

The disclosure encompasses any cognitive runtime in which an LLM-proposed skill invocation is gated on the presence of a live, attested biological-identity binding for the authorizing operator, where binding failure produces non-execution rather than substitution or retry, and where the binding carries a per-skill authorized set with policy-defined freshness windows. The scope is independent of the modality of the biological signal, the choice of attestation provider, and the underlying LLM substrate.

Embodiments may be local-hardware, federated-cloud, or hybrid; signal modalities may be visual, auditory, kinesthetic, or sensor-derived; deployment domains may be clinical, financial, developer-tooling, robotic, or consumer. In every embodiment the structural elements are the same: a binding record with freshness, an attestation reference with cryptographic validity, a per-skill authorized set, a non-execution semantics on failure, and a lineage record of binding-failure events. Implementations omitting any element are outside the claimed scope; implementations including them are within scope regardless of the underlying authentication or inference technology.

The disclosure additionally covers embodiments in which the biological signal is derived from a population of operators rather than a single individual — for example, a control-room context in which any of N certified operators may satisfy the binding so long as exactly one live signal is attributable to a member of the certified set at the moment of invocation. The structural mechanism is unchanged: a freshness check, an attestation check, an operator-list check, and an authorized-skill check, with the operator-list expanded to a set rather than a singleton. Such pool-based bindings remain within scope.

Embodiments in which non-execution is accompanied by a structured user-facing notification (for example, a UI affordance indicating that a proposed action requires fresh authentication) are also within scope, provided the notification is generated as a side effect of the lineage record rather than as a substitute for the gating check. The gating check remains structural; the notification is informational. The disclosure does not require the notification, but neither does its presence remove an embodiment from scope.