Intent-Bound Aviation Mission Execution
by Nick Clark | Published April 25, 2026
Aviation regulators across ICAO, the FAA, EASA, and JARUS converge on a structural requirement that has not yet been satisfied by any deployed autonomous-aviation architecture: every airborne actuation must be traceable, in real time and after the fact, to a credentialed operator intent that lies within an approved mission envelope. The AQ operator-intent primitive supplies that traceability by binding each flight-control actuation cryptographically to the active mission intent, the operator-of-record's authority, the airspace-authority approval, and the certification-class envelope. This article examines the regulatory stack from ICAO Annex 2 through Part 108 NPRM and shows how intent-bound execution composes with SORA, DO-365, Remote ID, and U-space to produce an architecture suitable for crewed, uncrewed, urban-air-mobility, and Mission-Type-Order defense aviation under a single primitive.
Regulatory Framework
Aviation operates under an unusually dense and internationally interlocking regulatory framework. ICAO Annex 2 establishes the Rules of the Air that all contracting states implement domestically, including the obligation that every flight be conducted in accordance with a flight plan filed with the appropriate ATS unit; the ICAO RPAS provisions extend this obligation to remotely piloted aircraft and require that the remote pilot-in-command be identified and that the operating authority be documented. In the United States, the FAA implements 14 CFR Part 91 for general operations, Part 107 for small UAS, and the proposed Part 108 NPRM for beyond-visual-line-of-sight operations, each of which imposes operator-of-record, airspace-authorization, and operational-limitation obligations.
EASA's UAS regulations, anchored in Implementing Regulation 2019/947 and the U-space framework under 2021/664, define open, specific, and certified categories with corresponding operator-authorization, geo-awareness, and Network Identification obligations. JARUS SORA supplies the harmonized Specific Operations Risk Assessment methodology that operators apply to demonstrate, to the satisfaction of the competent authority, that the proposed concept of operations carries acceptable ground and air risk after the application of declared operational and technical mitigations. RTCA DO-365 and the related Detect-and-Avoid minimum operational performance standards govern the technical means by which uncrewed aircraft satisfy separation obligations against crewed traffic. FAA Remote ID under Part 89 and the U-space Network Identification Service under EASA both require that the operating aircraft broadcast or network its identity and operating authority continuously.
Defense aviation overlays additional structure through Mission-Type Orders, in which a commander issues an intent-and-constraints framing within which subordinate units execute, and through the Joint All-Domain Command and Control architecture that requires interoperable mission and intent representations across services. The cumulative effect is that every aviation actuation, civil or defense, must be traceable to an approved mission concept, an authorized operator, an airspace authority, and a certification-class envelope, with the traceability presented in a form that enables real-time deconfliction and post-event reconstruction.
Architectural Requirement
The architectural requirement implied by the regulatory framework is that operator intent, rather than individual flight-control commands, is the proper authorization unit. Operator intent enters the architecture as a credentialed declaration: the intended mission, the intended route, the intended phase profile, the intended escalation profile specifying when to defer to operator, when to land safely, and when to alert. The intent admits through composite admissibility before any flight actuator is authorized to operate against it, and each subsequent actuation admits against the active intent rather than against an unbound permission boundary.
Intent authority composition structures map cleanly to aviation reality. Pilot-of-record authority governs mission intent. Dispatcher authority, where applicable under Part 121 and equivalent commercial frameworks, governs operational intent including dispatch release and operational control. ATC and U-space USP authority govern airspace intent, expressed through clearances, network identification, and dynamic re-routing. Regulator authority, expressed through type certification, operational authorization under SORA, or Part 108 BVLOS authorization, governs the certification-class envelope within which the intent must lie. The architecture supports the multi-authority intent reality of aviation operations rather than collapsing it into a single permission boundary, because the regulatory framework itself is irreducibly multi-authority.
Intent must be revocable and transitionable under authority. Mission abort, weather diversion, emergency descent, ATC re-routing, and pilot-takeover events are not anomalies; they are normal mission operations whose architectural representation determines whether the resulting actuations remain traceable. The architecture admits intent transitions as credentialed events, and subsequent actuations admit against the new intent with the transition itself recorded and bound to the surrounding actuations.
Why Procedural Compliance Fails
Procedural compliance fails aviation autonomy for reasons rooted in the operating tempo and the multi-authority structure of the regulatory framework. First, autonomous and semi-autonomous aviation systems make hundreds of control decisions per second, while procedural intent verification operates at the timescale of human flight-plan filing. By the time a procedural reviewer could examine whether a given actuation was within operator intent, the actuation has occurred and, in most aviation contexts, cannot be unwound; aircraft do not pause mid-maneuver while their compliance status is verified.
Second, current aviation autonomy faces a structural intent gap. Operators configure autopilots, mission management systems, and contingency-management functions that operate semi-autonomously across cruise, descent, holding, and approach phases; the relationship between the operator's recorded intent and the system's actual behavior is implementation-dependent across aviation classes and across vendors. ICAO Annex 2 requires operations in accordance with the flight plan; SORA requires operations within the approved concept of operations; Part 108 will require operations within the BVLOS authorization; but the architectural mechanism by which a given actuation is verified, at the moment it occurs, against the recorded intent is not standardized and not enforced.
Third, post-incident reconstruction under procedural regimes is fragile. When a near-miss, deviation, or accident occurs and the NTSB, EASA, or a Mission-Type-Order commander needs to determine which actuation occurred under which intent, with which authority, in which airspace clearance, the available evidence is a collection of recorded data whose binding to the intent is procedural rather than cryptographic. Remote ID and Network Identification fix the identity-broadcast problem but do not by themselves solve the intent-binding problem: the broadcast establishes who the aircraft is, not which intent each actuation served. Procedural compliance therefore cannot bridge the gap between regulatory obligation and architectural reality.
What the AQ Primitive Provides
The AQ operator-intent primitive provides a cryptographic substrate that binds every flight-control actuation to the active mission intent. Operator intent is admitted as a credentialed declaration, with composite authority drawn from pilot-of-record, dispatcher, ATC or USP, and regulator. Each subsequent flight-control actuation, including autopilot mode changes, flight-management-system route activations, contingency-management transitions, and Detect-and-Avoid resolution maneuvers, admits against the active intent and produces a record bound cryptographically to it.
Phase-gated commitment proceeds within intent scope. Pre-departure phases admit under dispatch and pre-flight intent; takeoff and climb admit against the departure-clearance intent; cruise admits against the en-route intent; approach and landing admit against the approach-clearance intent. Cross-system observations, including Detect-and-Avoid, traffic information, and ground-station telemetry, admit against the prevailing intent context, so that the response to a traffic conflict is recorded as an action taken under a specific intent rather than as an unattributed flight-control event.
Mission-deviation handling proceeds through credentialed intent transitions. When operator intent shifts because of mission abort, weather diversion, emergency descent, ATC re-routing, or pilot takeover from autonomous mode, the architecture admits the transition under the appropriate authority. The new intent becomes the active intent; subsequent actuations admit against it; and the transition is bound into the actuation chain so that audit reconstruction traverses the intent transitions structurally. The same mechanism supports defense Mission-Type Orders, where a commander's intent-and-constraints framing is the authority record against which subordinate-unit actuations admit, and where intent updates from the commander propagate as credentialed transitions.
Compliance Mapping
Each element of the regulatory framework maps to a specific feature of the intent-bound architecture. The ICAO Annex 2 obligation to operate in accordance with the filed flight plan maps to the requirement that each actuation admit against the active intent, with the flight plan itself constituting the en-route component of the intent record. The 14 CFR Part 91 operator-of-record obligation maps to the pilot-of-record authority carried in every actuation record. Part 107 small-UAS authorization maps to the regulator-class envelope component of the intent. The Part 108 BVLOS NPRM, when finalized, will impose operator-authorization, contingency-management, and Detect-and-Avoid obligations that the intent record carries directly: the contingency-management plan is the escalation profile of the intent; the DAA performance is verified at the moment of resolution maneuvering against the active intent.
EASA UAS regulations and U-space services map to the architecture symmetrically. The SORA operational authorization defines the certification-class envelope within which intent must lie; the U-space Network Identification Service consumes the intent-bound actuation stream to produce the network-identification broadcast; the U-space tracking and conformance-monitoring services consume the same stream to produce conformance assessments against the approved concept of operations. JARUS SORA's mitigation-claim structure maps to the escalation profile: the technical and operational mitigations that the operator declared in the SORA submission are encoded as escalation behaviors whose triggering and execution are recorded under intent. RTCA DO-365 Detect-and-Avoid performance assertions are evidenced by the bound resolution-maneuver records.
FAA Remote ID under Part 89 maps to the identity component of the intent broadcast, while the intent record extends the broadcast to a credentialed record of which mission the broadcasting aircraft is currently flying. Defense Mission-Type Orders map to the intent itself: the commander's intent and constraints constitute the active intent record under which subordinate-unit actuations admit; JADC2 interoperability is supported by the cross-authority federation of intent records across services and coalitions.
Adoption Pathway
The adoption pathway begins with operators already obligated to demonstrate intent-conformance to a competent authority: SORA-authorized specific-category operators in EASA jurisdictions, BVLOS-waiver operators under FAA Part 107.31 and the eventual Part 108, and defense operators executing Mission-Type Orders. For these operators, the operator-intent primitive is introduced as an overlay on the existing mission-management stack, with the primitive initially admitting all operator-commanded actuations and producing the credentialed intent-bound records as the substrate for conformance reporting and post-event audit. This step alone strengthens the operator's submissions to the competent authority and reduces the post-event reconstruction burden when deviations occur.
The second step expands the architecture to consume cross-system observations under intent context, so that Detect-and-Avoid resolutions, traffic-information responses, and contingency-management transitions admit against the prevailing intent. This step produces the evidence base that DO-365 and SORA reviewers need to assess technical-mitigation performance in operating conditions. The third step extends the architecture to credentialed intent transitions, so that mission abort, weather diversion, and emergency descent are recorded as authority-bound transitions rather than as unattributed mode changes.
The fourth step admits autonomous execution under the intent envelope, with the regulator-class envelope component constraining the autonomy that may be exercised. Because the intent record is enforced at the moment of actuation, expansions of autonomous authority can be staged conservatively: autonomous execution within reversible mission phases first, autonomous response to declared contingencies next, autonomous diversion and abort under operator-confirmed escalation profiles last. The architecture also supports aviation evolution beyond initial deployment. As autonomous-aviation certification matures, as urban-air-mobility intent frameworks emerge under EASA and FAA, as Part 108 BVLOS operations move from waiver to rule, as U-space services federate across European member states, and as JADC2 interoperability deepens across services and coalitions, the architecture admits the changes through declared specification rather than through architectural rewrite. The same primitive that supports the first SORA-authorized BVLOS deployment supports the eventual mature urban-air-mobility and defense-coalition operating envelope, with the regulatory record growing continuously and remaining auditable across the full lifecycle.
