Mechanism

The disclosed mechanism implements per-content differential privacy by applying the platform's depth-selective aggregation mechanism to the gradient signal produced by privacy-sensitive training content. It does not add noise. In conventional differential privacy for machine learning, Gaussian or Laplacian noise is added uniformly to all gradient signals during training, regardless of the sensitivity of the content that produced those gradients, and the noise magnitude is calibrated to the worst-case privacy requirement across the entire corpus. The disclosed mechanism instead routes a privacy-sensitive training example's gradient contribution primarily to shallow layers, where representations are generic, distributed, and inherently less memorizable, while suppressing its contribution to deep layers, where representations are specific, localized, and more susceptible to memorization.

The guarantee is therefore structural rather than statistical. The content is not protected by noise injection but by architectural confinement: the model cannot memorize what it was not permitted to encode in memorizable layers. The privacy posture for a given content class is expressed as a depth profile, the same structured object that governs all depth-selective training in the chapter, and the privacy outcome follows directly from where in the model's depth dimension the content's gradient is allowed to land.

The Depth Profile

A depth profile is a structured data object comprising a per-layer or per-block contribution weight vector. For a model comprising L layers or B blocks, the profile specifies a weight value for each layer or block, and that weight governs the magnitude of the gradient signal from the associated training example that is permitted to influence the parameters of that layer or block. A weight of one permits the full gradient signal to reach the layer, a weight of zero prevents any gradient signal from reaching it, and a weight between zero and one attenuates the signal by the specified factor.

For privacy-sensitive content, the depth profile specifies high gating coefficients at the shallow layer blocks and low or zero gating coefficients at the deep layer blocks. This confines the content's influence to the model's generic representational capacity while preventing it from being encoded in the model's specific, retrievable knowledge structures. The profile operates at block-level granularity rather than at individual-layer granularity, where a block is a contiguous sequence of layers performing a coherent computational function, so the per-block weight governs gradient flow to all layers within the block uniformly.

How the Routing Is Applied

The depth profile is enforced by the depth-selective aggregation mechanism, which operates during the backward pass and modulates the gradient signal for each training example according to that example's profile. The chapter discloses three complementary techniques, each achieving the same functional result through a different structural mechanism so the system can be adapted to different model architectures. The gated residual connection technique augments each residual connection with a gating coefficient derived from the depth profile, multiplying the gradient flowing through the residual pathway. The attention-based depth selection technique modulates the gradient flowing through the attention computation at each transformer layer by the depth-profile weight. The layer-specific scaling factor technique, which is architecture-agnostic, applies a scalar multiplier to the gradient signal at each layer boundary before it is accumulated into the layer's gradient buffer.

In each technique the modulation is applied during the backward pass only; the forward pass proceeds with standard connections, so the model's inference behavior is not altered by the training-time mechanism. The per-example scaling occurs after the per-example gradient computation and before the batch-level gradient accumulation, ensuring that each example's contribution to each block is individually governed by its profile. The mechanism does not alter the optimizer's update rule, only the gradient signal the optimizer receives, and is compatible with stochastic gradient descent, Adam, AdamW, and their variants.

Per-Content Independence

The per-content privacy guarantee is independent of the privacy requirements of other training content. Non-sensitive content may be trained with full-depth profiles that permit encoding at all layers, preserving accuracy for content that does not require privacy protection, while privacy-sensitive content is simultaneously confined by its own depth profile. Because each training example's gradient is scaled by its own per-block weights before batch accumulation, the routing applied to one example does not constrain the routing applied to another.

This is the point at which the disclosed mechanism departs from global differential privacy. Global noise injection imposes a single worst-case budget across the corpus and degrades accuracy for content that needs no protection. The depth-selective mechanism eliminates that accuracy-privacy tradeoff: privacy-sensitive content is protected by architectural routing, non-sensitive content is integrated at full depth, and neither degrades the other.

Policy-Governed Suppression

The depth profile applied to a content class is determined by the same policy objects that govern agent behavior, content access, and inference-time admissibility throughout the platform, consulted by the semantic execution substrate during training. Content admitted under a restrictive posture receives a suppressed depth profile, in which the contribution weights for the deeper layers are set to zero or near-zero, confining the example's influence to the shallower layers. Content found inadmissible receives a zero-weight depth profile, which sets the contribution weight to zero at every layer and prevents the example from influencing any of the model's parameters. This is the training-time analog of the inference-time rejection determination.

This structural prevention is distinguished from post-hoc unlearning. Unlearning operates after training by approximating and attempting to reverse a training example's diffuse influence on the parameters, which is inherently approximate because that influence is spread across the network by the non-linear dynamics of optimization. The disclosed mechanism instead prevents deep integration at training time, before the gradient signal reaches the deep layers. The prevention is deterministic and auditable: a zero weight at a given block means no gradient from the example reaches that block's parameters, so there is no need to unlearn what was never deeply learned.
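The per-example scaling before batch accumulation, the per-content independence, and the policy-determined suppressed and zero-weight profiles described above can be seen together in a small sketch. This is an added example, not code from the filing: the three-block scalar model, the posture names, the weight values and all function names are assumptions made for illustration.

```python
# Added illustration (not code from the filing). All names are hypothetical.
# Toy model: three scalar blocks in a chain, y = w[0]*w[1]*w[2]*x,
# loss = 0.5*(y - t)**2. Block 0 is the shallowest, block 2 the deepest.

PROFILES = {  # posture -> per-block contribution weights (constructed values)
    "admitted":     [1.0, 1.0, 1.0],  # full-depth profile
    "restrictive":  [1.0, 0.1, 0.0],  # suppressed: deep weights near-zero or zero
    "inadmissible": [0.0, 0.0, 0.0],  # zero-weight profile
}

def per_example_grads(w, x, t):
    """Unmodulated dL/dw for one example; the forward pass is unchanged."""
    err = w[0] * w[1] * w[2] * x - t
    return [err * w[1] * w[2] * x, err * w[0] * w[2] * x, err * w[0] * w[1] * x]

def route(grads, profile):
    """Layer-specific scaling: one scalar multiplier per block."""
    if len(grads) != len(profile) or not all(0.0 <= p <= 1.0 for p in profile):
        raise ValueError("profile must give one weight in [0, 1] per block")
    return [g * p for g, p in zip(grads, profile)]

def accumulate(w, batch):
    """Scale each example by its own profile, then sum into the batch buffer."""
    buf, routed_all = [0.0] * len(w), []
    for x, t, posture in batch:
        routed = route(per_example_grads(w, x, t), PROFILES[posture])
        routed_all.append(routed)
        buf = [b + r for b, r in zip(buf, routed)]
    return buf, routed_all

def sgd_step(w, buf, lr=0.1):
    """The optimizer rule is untouched; it only sees the routed gradient."""
    return [wi - lr * g for wi, g in zip(w, buf)]

W = [2.0, 1.0, 0.5]                       # constructed parameters
BATCH = [(1.0, 0.0, "admitted"),          # constructed (x, target, posture) rows
         (2.0, 0.0, "restrictive"),
         (3.0, 0.0, "inadmissible")]

if __name__ == "__main__":
    buf, routed = accumulate(W, BATCH)
    print("batch gradient per block:", buf)
    print("restrictive example, routed:", routed[1])
```

The deepest block's accumulated gradient is the same whether or not the restrictive and inadmissible examples are in the batch, which is the property an auditor would test for.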

Provenance and Auditability

Every training iteration is recorded in a training provenance log that enables post-training analysis to reconstruct which content influenced which model capabilities at which depths. For each training example the log records, among other elements, the entropy band classification, the depth aggregation profile that was applied, the per-layer contribution weight that actually reached each block after modulation, the governance record identifying the policy object that determined the depth profile, and the admissibility determination. The log is append-only and chronologically ordered, with each entry timestamped and sequentially numbered, and may be periodically sealed using the cryptographic sealing infrastructure disclosed in the cross-referenced Governance nonprovisional to produce tamper-evident checkpoints.

The log supports compliance auditing for content governance requirements. When a regulatory authority requires evidence that restricted content was not deeply integrated into the model, the provenance log provides the depth profile records showing the contribution weights applied to that content, demonstrating that its gradient signal was confined to the layers and magnitudes specified by the governing policy. This converts the privacy posture from an assertion into a reconstructable, verifiable record.
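An audit of this kind can be sketched as follows. This is an added example, not code from the filing: the entries carry only a subset of the fields listed above, the SHA-256 hash chain is an assumed stand-in for the cross-referenced sealing infrastructure, and every name, policy identifier and log row is constructed for illustration.

```python
import hashlib
import json

# Added illustration (not code from the filing). All names are hypothetical, and
# the SHA-256 hash chain is an assumed stand-in for the sealing infrastructure.
GENESIS = "0" * 64

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ProvenanceLog:
    """Append-only: entries are sequentially numbered and chained by digest."""
    def __init__(self):
        self._entries = []

    def append(self, ts, example_id, policy_id, admissible, profile, applied):
        prev = self._entries[-1]["digest"] if self._entries else GENESIS
        entry = {"seq": len(self._entries), "ts": ts, "example_id": example_id, "policy_id": policy_id,
                 "admissible": admissible, "profile": profile, "applied": applied, "prev": prev}
        entry["digest"] = _digest(entry)
        self._entries.append(entry)
        return entry["digest"]  # a checkpoint would store this value out of band

    def export(self):
        return json.loads(json.dumps(self._entries))  # deep copy for auditors

def verify_chain(entries, sealed_digest):
    """True only if numbering, links and digests all match the sealed head."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev or _digest(e) != e["digest"]:
            return False
        prev = e["digest"]
    return prev == sealed_digest

def audit_confinement(entries, policy_id, deep_blocks):
    """Sequence numbers of entries under policy_id with nonzero deep weight."""
    return [e["seq"] for e in entries if e["policy_id"] == policy_id
            and any(e["applied"][b] != 0.0 for b in deep_blocks)]

def sample_log():  # constructed entries for this example
    log, seal = ProvenanceLog(), GENESIS
    for row in [("2025-01-01T00:00:00Z", "ex-1", "policy-open", True, [1, 1, 1], [1, 1, 1]),
                ("2025-01-01T00:00:01Z", "ex-2", "policy-restricted", True, [1, 0.1, 0], [1, 0.1, 0]),
                ("2025-01-01T00:00:02Z", "ex-3", "policy-restricted", False, [0, 0, 0], [0, 0, 0])]:
        seal = log.append(*row)
    return log, seal
```

An empty result from `audit_confinement` is only evidence when `verify_chain` also passes against a digest that was stored outside the log.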

Distinction From Prior Approaches

Conventional differential privacy for deep learning treats noise injection as a uniform operation over gradients and relies on a single global privacy budget calibrated to the worst case across the corpus, producing significant accuracy degradation for content that does not require protection. The disclosed mechanism does not inject noise and does not share a single budget across the corpus. It protects sensitive content by confining its gradient contribution to shallow, less memorizable layers through the depth-selective aggregation mechanism, and it leaves non-sensitive content free to integrate at full depth. The privacy guarantee is structural, per-content, deterministic, and auditable through the training provenance log, rather than statistical, corpus-wide, and approximate.

Disclosure Scope

The depth-selective gradient routing mechanism for per-content differential privacy is disclosed in the cognition filing (U.S. Application No. 19/647,395 and its international counterpart) at Section 11.12, drawing on the depth-selective aggregation, policy-governed suppression, and provenance mechanics of Sections 11.3 through 11.6. The disclosed mechanism comprises the routing of privacy-sensitive training content's gradient contribution primarily to shallow layers and the suppression of its contribution to deep layers through a depth profile of per-block contribution weights; the application of that profile during the backward pass by way of gated residual connections, attention-based depth selection, or a layer-specific scaling factor; the per-content independence that permits non-sensitive content to train at full depth; the policy-governed suppressed and zero-weight depth profiles; and the recording of the applied profile and contribution weights in the append-only training provenance log. This article describes that disclosed mechanism. The scope extends to embodiments realized over different model architectures and block groupings, provided the privacy guarantee is achieved by architectural confinement of the gradient's depth rather than by noise injection.