Mechanism
Validation feedback asymmetry, as disclosed, is a deliberate informational asymmetry between the language model acting as a proposer and the validation engine acting as the evaluator. The language model proposes a candidate mutation to the semantic agent's state. The validation engine evaluates each candidate against the agent-resident constraints. When a proposal fails validation it is immediately discarded. The asymmetry is in what flows back: the language model does not receive feedback on why its proposal was rejected. It does not receive the validation record, the violated constraint, or guidance on how to produce a passing proposal. The evaluator's decision logic remains opaque to the proposer.
This absence of rejection feedback is the security primitive. A model cannot optimize against a constraint it cannot observe, and it cannot probe the validation boundary because it receives no signal about where the boundary lies. The disclosure frames this as a structurally enforced adversarial defense: even a language model that has been fine-tuned on adversarial examples, subjected to red-teaming, or equipped with chain-of-thought reasoning cannot learn to circumvent validation criteria that it cannot see. The guarantee is architectural rather than a property of the model's own parameters or alignment.
Intermediate Rejection as the Source
The asymmetry originates in one of the five containment constraints that make up structural starvation. That constraint is intermediate rejection: the validation engine evaluates each candidate mutation against agent-resident constraints, and any mutation that fails validation is immediately discarded. Providing the language model with rejection details would let the model learn the validation logic and craft proposals that satisfy the letter of the constraints while violating their intent. Withholding those details is therefore deliberate, not incidental.
The other containment constraints supply the surrounding conditions: prompt bounding limits the model's input to curated, verified agent state; absence of external memory denies the model any persistent store or retrieval source beyond the bounded prompt; forced reliance on agent fields requires every proposal to reference verified field values, with ungrounded proposals flagged during schema mapping and rejected before validation. Intermediate rejection is the constraint that specifically governs what the model learns from a failure, which is nothing.
Maintenance Across Inference Calls
The asymmetry is maintained across inference calls by the stateless purging constraint. After each inference call the language model's context is purged, and no residual state from a prior call persists into the next. The model does not accumulate context, does not build up a model of the agent's history, and does not develop an internal representation of the validation criteria. Each inference call is an independent event: a bounded prompt in, a proposal out, then a reset.
Statelessness closes the multi-turn attack. Even if a model could infer partial information about the validation criteria from a single rejection pattern, that inference is destroyed at the boundary of each inference call. Successive proposals therefore cannot incrementally probe the validation boundary, because there is no carried-over state in which the probing could accumulate.
Asymmetry in Trust-Weight Adjustment
A second, distinct asymmetry appears in trust-weight calibration within the arbitration engine. Trust weights are dynamic values that reflect a model's recent performance within the agent's governance context, and they are calibrated by outcome-based adjustment. When a mutation proposed by a language model is accepted and later evaluated as correct, meaning it did not produce integrity violations, did not require governance intervention, and did not contribute to negative outcomes, the model's trust weight for the relevant domain is increased. When an accepted mutation is later evaluated as incorrect, the trust weight is decreased.
The disclosure states that the decrease may be larger than the increase, to reflect the asymmetric cost of accepting incorrect proposals. Trust weights are also subject to temporal decay: in the absence of new evidence they decay over time, reflecting that reliability demonstrated at one point may not persist due to distribution shift, model updates, or changes in operational context. The decay rate is configurable per domain and per model category. The arbitration event records that drive this loop are cryptographically signed and sealed into the agent's lineage, so the historical record on which calibration operates is tamper-resistant.
Skill Regression and Capability Revocation
The capability-gating side carries its own asymmetry between grant and withdrawal. When the evidence-based capability gating system grants a capability based on accumulated performance evidence, it continues monitoring the grantee's performance after the capability is unlocked. That monitoring produces a continuous evidence stream evaluated against a regression threshold, a defined performance floor below which the grantee's demonstrated competency is deemed insufficient to maintain the grant. If subsequent performance falls below the regression threshold, indicating skill decay, context change, or gaming, the capability is automatically revoked, and the grantee must re-demonstrate competency through the same evidence-based pathway that originally granted it.
The regression threshold may be set at the same level as the original granting threshold or at a lower level that provides a buffer against transient performance dips, as specified by policy configuration. Revocation is protective. The system records the revocation event, the evidence that triggered it, and the performance trajectory leading to revocation in the grantee's lineage. Revocation may trigger a mandatory cooldown period during which the grantee may not re-apply, ensuring that re-demonstration reflects genuine competency recovery rather than short-term performance variance.
Graduated Response Spectrum
Where a security event rather than ordinary regression is detected, the safety-net and escalation layer provides a graduated response selected by the severity of the event, the safety criticality of the affected capabilities, and the individual's prior security history as recorded in the lineage. The graduated responses are: quiet monitoring, in which a detected anomaly is logged and the affected evidence annotated but no immediate action is taken; active challenge, in which the system presents an unannounced assessment to the individual whose evidence is flagged; capability restriction, in which the gate restricts access to the capabilities associated with the flagged evidence while the investigation proceeds; full revocation, in which the gate revokes all capabilities associated with the flagged evidence and the individual must complete a full re-certification; and governance escalation, in which the event is escalated to a human governance authority for investigation and adjudication.
These responses sit downstream of the security architecture's detection stages. Multimodal evidence flows through similarity detection, drift detection, and a validation asymmetry stage that enforces the informational asymmetry between proposer and validator, before reaching the security layer that implements this response spectrum. The same opacity that protects the validation criteria thus feeds the same layer that decides how sharply to restrict or revoke.
Distinction From Prior Art
Conventional approaches to language-model safety operate on the model's own output: they produce potentially unsafe content and then detect and filter it after the fact, or they attempt to align the model's parameters through reinforcement learning from human feedback, constitutional methods, or preference optimization. Post-hoc filtering is inherently unreliable, because the same statistical patterns that produce hallucinated content also produce plausible-appearing hallucinated content that evades detection. Parameter-level alignment leaves the validation criteria observable to a sufficiently sophisticated model, which can then be optimized against.
The disclosed asymmetry inverts the dependency. Safe behavior is produced through architectural containment regardless of the model's alignment status, and the disclosure does not depend on the model being well-aligned. Because the validation engine's decision logic is never returned to the proposer, and because context is purged at every inference boundary, non-circumvention is an architectural guarantee rather than a probabilistic property of filtering or alignment. The mechanism is composable with model-level alignment techniques but does not rely on them.
Disclosure Scope
The validation feedback asymmetry, comprising the deliberate informational asymmetry between the language model proposer and the validation engine evaluator, the intermediate-rejection constraint under which failed proposals are discarded without returning the validation record or violated constraint to the model, the stateless purging that maintains the asymmetry across inference calls and defeats multi-turn adversarial optimization, the asymmetric trust-weight adjustment in which the decrease for an incorrect accepted proposal may exceed the increase for a correct one together with temporal decay configurable per domain and per model category, the skill regression detection and automatic capability revocation against a regression threshold with an optional cooldown period, and the graduated response spectrum from quiet monitoring through governance escalation, is disclosed in the cognition filing (U.S. Application No. 19/647,395 and its international counterpart). This article describes that disclosed mechanism. The scope extends to embodiments in which the regression threshold equals or sits below the original granting threshold, in which the graduated responses are selected by severity, safety criticality, and prior history, and in which the asymmetry is composed with model-level alignment techniques without dependence on them, provided the validation logic remains opaque to the proposer and proposer context is purged at each inference boundary.
