Smart City Infrastructure With Self-Governing Transport
by Nick Clark | Published March 27, 2026
Smart city deployments concentrate coordination authority in centralized platforms that manage traffic signals, utility distribution, environmental monitoring, and emergency services. When that platform fails, the entire urban system degrades simultaneously. Memory-native protocols enable a structural alternative where each infrastructure subsystem carries its own routing and governance authority, operating autonomously while remaining coordinated through intrinsic protocol properties.
1. Regulatory Framework
Smart-city infrastructure sits inside one of the densest regulatory perimeters in modern engineering. In the United States, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) designates municipal water, electric, transportation, communications, and emergency services as critical infrastructure subject to the Presidential Policy Directive 21 framework, the National Infrastructure Protection Plan, and a growing body of binding sector directives. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires covered entities to report substantial cyber incidents within seventy-two hours and ransom payments within twenty-four hours. The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards bind any city deployment that touches the bulk electric system. The Environmental Protection Agency's America's Water Infrastructure Act adds cyber-resilience obligations to utility operators serving more than 3,300 people, and the Federal Highway Administration's safety-management rules reach traffic-control deployments at federally funded intersections.
In Europe, the NIS2 Directive widened the scope of cybersecurity obligations to cover essential and important entities across energy, transport, water, digital infrastructure, public administration, and waste, and imposed personal accountability on management bodies for compliance. The Critical Entities Resilience Directive obligates member states to identify critical entities and ensure resilience plans exist. The EU AI Act reaches into smart-city deployments through its high-risk classifications for AI systems used in critical infrastructure management, traffic management, and public-service provision. The Cyber Resilience Act will, by its phased entry into force, impose security-by-design obligations on every connected device sold into the European market — which includes essentially every sensor, signal, and beacon a smart-city operator deploys. ISO/IEC 30141 (IoT reference architecture), ISO 37120 (sustainable cities indicators), and IEEE P2784 (smart-city planning) provide the standards substrate that auditors and procurement officers expect deployments to align with.
Across all of these regimes, regulators are converging on a structural expectation that has direct architectural consequences. They expect that critical-infrastructure operators can demonstrate, with cryptographically defensible evidence, the chain of authority under which any consequential device action was taken: which authority signed the routing policy, which authority signed the input data, which authority gated the actuation, and which lineage record proves the chain. Operators who cannot produce that evidence face escalating exposure under NIS2 fines, NERC CIP penalties, EU AI Act conformity-assessment failures, CIRCIA enforcement, and litigation by injured citizens whose harm they cannot disprove.
2. Architectural Requirement
The regulatory framework forces an architectural requirement that the centralized smart-city platform model cannot satisfy. The required architecture distributes governance authority to the devices themselves so that each sensor, signal, and beacon carries the credentialed inputs, routing policy, trust scope, and lineage record needed to operate, propagate, and actuate without depending on a central platform whose unavailability or compromise can disable the subsystem. Concretely, this requires four structural properties.
First, intrinsic data governance: every data object produced by a city device must carry its own routing rules, its own authorized-consumer scope, its own priority class, and its own credentialed authorship signature, so that downstream consumers can admit or reject the object on its own merits without a platform mediator. Second, autonomous adjacent-node decision: a traffic signal that receives upstream congestion data must be able to evaluate the data's governance fields and adjust its timing under its own credentialed authority, recording the decision in lineage, without waiting for a traffic-management center to issue a directive. Third, cross-subsystem propagation through the protocol layer: a fire-alarm observation produced by a building-detection device must carry propagation rules that include the traffic subsystem in its authorized trust scope, so that traffic devices initiate rerouting from the alarm itself rather than from a platform-to-platform integration message that may arrive minutes late or not at all. Fourth, tamper-evident lineage: every actuation produces a credentialed actuation-state observation that re-enters the substrate as input to downstream evaluations and as evidence in the post-incident investigation.
The architectural requirement is also a resilience requirement. Critical-infrastructure operators are evaluated on their ability to maintain function under simultaneous failures — platform compromise, network partition, power loss at a control center, supply-chain attack on a vendor SaaS. An architecture that distributes authority survives losses that take down a star-topology deployment, and the survival is not a graceful-degradation feature; it is the default behavior of the substrate. Regulators reading NIS2 risk-management obligations or NERC CIP-008 incident-response plans expect to see this property as a structural commitment, not as a runbook.
3. Why Procedural Approaches Fail
The procedural responses available within the centralized smart-city model fail to satisfy the architectural requirement, and the failure modes are well-documented in the post-incident reports of the past decade's municipal ransomware events, traffic-system compromises, and grid-coordination failures. The dominant procedural pattern is platform hardening: invest in firewalls, segmentation, identity-and-access controls, SIEM monitoring, and incident-response runbooks at the central platform layer. This pattern raises the cost of compromise but does not change the structural dependency. When the platform is compromised — by a supply-chain attack, an insider, a credential theft, or a zero-day — the entire subsystem is compromised simultaneously because every device depends on the platform for routing authority.
A second procedural pattern is federation: distribute management across regional platforms so that no single failure takes down the city. Federation reduces the blast radius but does not eliminate the centralization at the device level; each region still operates as a central authority for its devices, and a regional platform compromise still simultaneously disables every device in the region. The federation also introduces inter-platform trust and integration brittleness that itself becomes an attack surface and a failure mode. Auditors evaluating NIS2 resilience plans repeatedly note that federated deployments share the structural vulnerability of centralized deployments at smaller scale.
A third procedural pattern is edge computing: move processing close to the devices to reduce latency and dependence on the central platform. Edge computing distributes computation but maintains the same authority model. The edge node receives its routing policy and operational parameters from the central platform and executes them on behalf of the devices it serves. When the central platform is unavailable, the edge node continues to execute the last-known policy until that policy ceases to be appropriate — at which point there is no mechanism by which the edge can update its authority because the authority lives in the platform. The edge has computation but not governance.
A fourth procedural pattern is platform-to-platform integration for cross-subsystem coordination: build APIs between the traffic-management platform, the utility-management platform, the emergency-dispatch platform, and the environmental-monitoring platform, so that a fire event can trigger traffic rerouting and utility shutdown across the boundary. These integrations are slow, manual, and brittle. Each integration is a versioned contract that breaks when one platform upgrades, that fails closed when the platforms cannot reach each other, and that introduces a new attack surface for adversaries who can pivot from one subsystem into another through the integration layer. Post-incident reviews of major urban events repeatedly identify the inter-platform integration boundary as the slowest and most failure-prone link in the response chain.
The structural failure underlying all four patterns is that the device is not the unit of governance. The devices report; the platforms govern. The regulatory framework demands that the unit of governance reach the device, and no procedural overlay on a platform-centric architecture achieves that.
4. The AQ Memory-Native Protocol Primitive
The Adaptive Query memory-native protocol primitive, disclosed under USPTO provisional 64/049,409, defines a substrate in which every data object produced by a participating device carries its routing policy, trust scope, authorship signature, governance constraints, and lineage pointer as intrinsic typed fields rather than as platform-managed metadata. A traffic sensor producing a vehicle-count observation produces a memory-native object that names its authorized consumers, its propagation scope, its priority class, its expiration, its credentialed signer, and its lineage hash. Adjacent devices admit the object on its own merits, evaluate it against their own credentialed local policy, and make autonomous routing and actuation decisions whose outcomes themselves become memory-native objects re-entering the substrate.
The primitive specifies five structural properties that distinguish it from message-bus and pub-sub architectures. Property one, intrinsic governance: the routing policy, trust scope, and consumer-authorization fields travel with the object and cannot be detached. Property two, credentialed authority: the object is signed under a published authority taxonomy — device-class authority, sensor-network authority, municipal authority, regional authority — so that downstream consumers can weight the object according to its provenance. Property three, autonomous adjacent decision: any device whose credentialed local policy admits the object can act on it without consulting a central authority, producing a credentialed actuation observation as output. Property four, hierarchical composition: the same substrate operates at device, neighborhood, district, and city scales by adding levels of authority rather than by reorganizing the topology. Property five, lineage closure: every observation, every weighting, every actuation, and every verification is recorded as a credentialed lineage entry that supports forensic reconstruction of any state at any past time and tamper-evident cross-authority audit.
The primitive is technology-neutral. Any signature scheme, any underlying network — radio mesh, cellular, fiber, satellite — and any storage substrate can carry memory-native objects. The substrate composes hierarchically, so a coalition of cities operates the same protocol with an additional authority level rather than with a parallel inter-city platform. Cross-subsystem coordination is structural: a fire-alarm object produced by a building-detection device names traffic-subsystem nodes in its authorized propagation scope, and traffic devices initiate rerouting from the alarm itself, in single-digit milliseconds, without inter-platform integration. Resilience is structural: when a platform fails, the substrate keeps operating because the substrate is the devices.
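The admission and lineage behaviour described in sections 2 and 4, as an added sketch that is not code from the Adaptive Query disclosure: a signed object carries its own scope, expiry and lineage pointer, an adjacent node admits or rejects it from those fields alone, and the chain is checked for tampering. Field names, the demo keys, and the use of HMAC-SHA256 in place of a real signature scheme are assumptions.

```python
import hashlib, hmac, json

# Constructed demo keys per authority level. HMAC-SHA256 is a stand-in (assumption):
# a deployment would use an asymmetric scheme so that verifiers hold no signing secret.
AUTHORITY_KEYS = {"device-class": b"demo-device-key", "municipal": b"demo-municipal-key"}

def canonical(fields):
    """Deterministic byte encoding so signer and verifier hash identical input."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def sign_object(payload, authority, scope, priority, expires, lineage_prev):
    """Build an object whose governance fields are all covered by the signature."""
    body = {"payload": payload, "authority": authority, "scope": sorted(scope),
            "priority": priority, "expires": expires, "lineage_prev": lineage_prev}
    sig = hmac.new(AUTHORITY_KEYS[authority], canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}

def signature_ok(obj):
    body = {k: v for k, v in obj.items() if k != "sig"}
    key = AUTHORITY_KEYS.get(body.get("authority"))
    if key is None:
        return False
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(obj.get("sig", "")))

def admit(obj, subsystem, now):
    """Adjacent-node admission decided from the object's own fields, no platform call."""
    if not signature_ok(obj):       # checked first: nothing else is trusted unsigned
        return False, "bad signature"
    if now >= obj["expires"]:
        return False, "expired"
    if subsystem not in obj["scope"]:
        return False, "out of scope"
    return True, "admitted"

def lineage_hash(obj):
    return hashlib.sha256(canonical(obj)).hexdigest()

def verify_lineage(chain):
    """Every entry must be validly signed and point at the hash of its predecessor."""
    prev = None
    for entry in chain:
        if not signature_ok(entry) or entry["lineage_prev"] != prev:
            return False
        prev = lineage_hash(entry)
    return True

def demo():
    """Constructed scenario: a fire alarm scoped to traffic, then the signal's actuation."""
    alarm = sign_object({"type": "fire-alarm", "building": "B-17"}, "device-class",
                        {"traffic", "emergency"}, "critical", 1000, None)
    actuation = sign_object({"type": "signal-timing", "action": "reroute"}, "municipal",
                            {"traffic"}, "critical", 1000, lineage_hash(alarm))
    return alarm, actuation
```

Because the scope and expiry sit under the signature, widening the scope in transit fails as a signature error before the scope check is ever reached, and re-signing an earlier entry breaks the hash pointer held by every later one.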
5. Compliance Mapping
The structural properties of the memory-native protocol primitive map directly onto the regulatory framework. NIS2 Article 21 risk-management obligations and the resilience requirements of the Critical Entities Resilience Directive are satisfied by the substrate's structural property of operating without a central platform; the operator can demonstrate, in its risk-management documentation, that no single platform compromise can disable the subsystem. NERC CIP-005 electronic-security-perimeter obligations are met because the perimeter is no longer a platform boundary but a per-object credentialed admission gate at every device. CIP-007 system-security and CIP-010 configuration-change obligations are satisfied by the lineage record, which provides tamper-evident evidence of every device-level configuration mutation under credentialed authority.
CIRCIA seventy-two-hour incident-reporting obligations are met because the lineage record produces an immediate, signed, reconstructable account of what was observed, what was admitted, what was actuated, and what was verified during the incident window — the operator does not need to rebuild the timeline from logs across multiple platforms. EU AI Act high-risk obligations on AI systems used in critical-infrastructure management are satisfied because every AI-driven decision is gated through the admissibility layer, recorded in lineage, and traceable to a credentialed input under a published authority taxonomy. EPA America's Water Infrastructure Act cyber-resilience obligations are met by the same structural properties applied to water-utility devices.
The Cyber Resilience Act security-by-design obligations are satisfied because the device's primary security property — credentialed input admission, intrinsic governance, lineage emission — is structural rather than procedural and survives firmware updates, vendor changes, and supply-chain compromises that would defeat platform-mediated security models. ISO/IEC 30141 IoT reference-architecture alignment is met by the substrate's well-defined entity, communication, and management layers. Public-records and FOIA obligations on municipal operators are met because lineage records are exportable, signed, and self-describing.
The compliance mapping is not aspirational; each regulatory expectation maps onto a specific structural property of the primitive. Operators do not bolt compliance onto a platform-centric deployment; they adopt a substrate whose structural properties answer the regulatory expectations by construction. The defensive position this produces is qualitatively stronger than any procedural overlay can achieve, because it survives the failure modes — platform compromise, vendor change, supply-chain attack — that defeat procedural overlays.
6. Adoption Pathway
Adoption proceeds incrementally and does not require a city to replace its existing infrastructure stack in a single program. Stage one is a single-subsystem pilot, typically traffic or environmental monitoring, in which new device deployments emit memory-native objects in parallel with their legacy platform reporting. The pilot establishes the operator's credentialed authority taxonomy, validates the substrate against the operator's existing SCADA, traffic-management, or environmental-monitoring platforms, and produces the lineage records that satisfy auditor expectations under NIS2 or NERC CIP. The pilot typically runs for two to three quarters and produces the evidentiary base the operator needs to expand.
Stage two is multi-subsystem participation: utility, emergency-dispatch, and additional sensor classes join the substrate, and cross-subsystem propagation begins to operate through memory-native objects rather than through inter-platform integration. The legacy platforms remain in place as application-layer consumers and operator dashboards, but their role narrows from authoritative coordinator to specialized client of a shared substrate. At this stage the operator begins to retire the inter-platform integration layer that was previously the slowest and most failure-prone component of cross-subsystem response. Stage two typically runs another two to four quarters and produces measurable improvements in cross-subsystem response latency and incident-recovery time.
Stage three is full substrate adoption: every new device deployment defaults to memory-native participation, and legacy devices are retrofitted at refresh cycles. The platforms that once owned routing authority become dashboards and analytics surfaces over a substrate they no longer control. Cross-jurisdictional coalitions — regional traffic authorities, multi-utility consortia, mutual-aid emergency networks — operate the same substrate with an additional authority level. The commercial arrangement that fits the city operator is an embedded substrate license priced per credentialed-authority node or per million admitted observations, with the existing platform vendors retained as application-layer providers. The substrate does not displace SCADA or traffic-management vendors; it gives them the governed memory-native foundation those platforms have always presumed and never had.