Fleet-Level Depth-Selective Training Governance

Mechanism

The mechanism is rooted in the fleet boundary as a first-class governance object. A fleet, in the disclosed sense, is the closure of operating units — vehicles, drones, robots, infrastructure agents, embedded controllers, or hosted inference endpoints — operating under a single governance authority that holds signing keys, admissibility policies, and training-acceptance rules. The fleet boundary is not a network boundary, although it frequently coincides with one; it is a credentialed boundary defined by the set of authorities whose observations the fleet's training pipeline admits and the set of authorities to which the fleet's training outputs propagate.

Within the boundary, every training-eligible observation carries a governance-chain credential: a signature chain that names the originating unit, the unit's operating context at the time of observation, the admissibility policy version under which the observation was produced, and the fleet authority's signature attesting that the observation is eligible for the fleet's training pipeline. The credential is structural to the observation, not a sidecar annotation; the training pipeline's ingestion stage refuses observations whose credential does not chain to the fleet authority. This refusal is the boundary's enforcement mechanism for incoming data: an observation produced by a unit no longer credentialed by the fleet — for example, a vehicle whose operating credential expired, or a sensor whose calibration credential was revoked — is structurally invisible to training even if it remains visible to inference.

The depth-selective gradient routing primitive controls which subsets of the model parameter state are eligible to receive updates from which classes of observations. The routing is expressed as a mapping from observation classes — themselves derived from the governance-chain credential — to parameter slices: typically adapter layers, low-rank update matrices, or tagged parameter groups. Observations from a regulated context route to slices whose update is itself subject to the regulator's admissibility policy; observations from a routine operating context route to slices whose update is governed only by the fleet's default policy. The routing is enforced at gradient-application time: the optimizer's update step is structurally incapable of writing into parameter slices for which the contributing observation lacks routing credentials.

Cross-fleet aggregation is the privileged operation that admits parameter increments derived in one fleet into the parameter state of another. The operation is initiated by the receiving fleet's governance authority — never by the sending fleet, and never automatically — and produces a cross-fleet aggregation credential that names the contributing fleet, the contributing parameter increment by content hash, the receiving fleet's policy version under which the admission is authorized, the lineage trace back to the originating observations, and the time-validity window for the admission. The receiving fleet's training pipeline applies the increment to its own parameter state under its own depth-selective routing, with the cross-fleet credential carried forward as part of the resulting parameter slice's lineage. Subsequent inference whose decisions trace to the aggregated parameter slice carries a lineage element naming the contributing fleet, which is the property that allows downstream auditors to determine which fleets contributed to which decisions.

Operating Parameters

Boundary admissibility policies govern which observations the fleet authority will credential for training. Policies are expressed declaratively against the observation's attributes — originating unit class, operating context, sensor calibration state, data classification, regulatory regime — and are versioned. A fleet may run multiple admissibility policies concurrently when units operate under distinct regulatory regimes, in which case the credential records the specific policy variant under which the observation was admitted and the routing primitive uses the variant to select target parameter slices.

Depth-selective routing maps are the primary mechanism for expressing intra-fleet training governance. A typical map names parameter groups — for example, perception backbones, planning heads, language adapter rows, low-rank update matrices indexed by operational domain — and associates each with the credential predicates that authorize updates to it. Maps are versioned and signed; updates to the map propagate through the same credentialed-observation channel that carries other governance changes, with a time-validity window that controls the transition between map versions.

Cross-fleet aggregation parameters specify the predicates under which the receiving fleet's authority is willing to admit foreign contributions: contributing-fleet identity, lineage requirements (full, summarized, or pseudonymized), differential-privacy budgets if applicable, content-hash allowlists, and time-validity windows. Predicates may be expressed conditionally on the contributing fleet's regulatory regime, allowing a deployment to admit increments from peer fleets under one regime while declining increments from peer fleets under an incompatible regime.

Revocation parameters control how invalidation propagates. Revoking a unit's credential invalidates the unit's future contributions and, optionally, its past contributions whose effects on parameter state have not yet been laundered through subsequent aggregation; the choice is policy-controlled. Revoking a cross-fleet aggregation credential invalidates the receiving fleet's parameter slices that traced to the revoked admission, with the fleet's training pipeline either rolling back to a prior parameter state or re-deriving the slice from remaining lineage.

Lineage-retention parameters control how much per-example provenance the fleet's training pipeline retains alongside the parameter state. Full retention preserves the per-example credential chain for every observation that contributed to every parameter slice, which is the requirement for regulatory regimes that demand decision-level training-data disclosure. Summarized retention preserves only aggregated provenance — contributing fleet, contributing policy version, contribution count — which is sufficient for cross-fleet audits that do not reach to individual decisions. Pseudonymized retention preserves provenance under one-way pseudonyms that the fleet authority can resolve under court order or regulator request but that the routine inference pipeline cannot. Retention class is selected per parameter slice and recorded in the slice's lineage metadata; downgrading retention is itself a credentialed operation with its own admissibility predicate.

Cycle-detection parameters guard the fleet against feedback loops in which a fleet's own outputs return to it as training inputs through cross-fleet aggregation paths. Each contribution carries a cycle-detection token that the aggregation step inspects; a contribution whose token chain indicates that the contributing parameter slice already incorporated lineage from the receiving fleet is refused unless an explicit cycle-admission credential authorizes the closure. The default policy refuses cycles to prevent unbounded amplification of model artifacts; cycle-admission is reserved for deployments — for example, multi-stage training pipelines — that explicitly require the closure.

Alternative Embodiments

The mechanism admits embodiments that vary along boundary topology, aggregation model, and propagation substrate. Single-tier embodiments place all units of an organization in one fleet boundary; this is the natural choice for self-contained operators. Hierarchical embodiments nest fleets — for example, a regional fleet within a national fleet within an international fleet — with each tier holding its own governance authority and admissibility policy, and with cross-tier aggregation following the same explicit-authorization predicate as cross-fleet aggregation. Federated embodiments arrange peer fleets without hierarchy, with cross-fleet aggregations negotiated bilaterally or through a consortium credential authority.

Aggregation models vary between push, pull, and broker embodiments. In push embodiments a sending fleet offers an aggregation increment that the receiving fleet's authority either admits or declines; in pull embodiments a receiving fleet requests an increment from a sending fleet that either honors or refuses; in broker embodiments a third party — a consortium aggregator, a regulator, or a model vendor — operates as a clearinghouse that mediates the aggregation under policies the participating fleets have agreed to. The disclosure covers all three.

Propagation-substrate embodiments range from continuously-connected cloud infrastructure through intermittently-connected mesh networks to mobile store-and-forward couriers carrying signed increments between disconnected operating regions. The mechanism is propagation-substrate-agnostic: the credential structure, routing primitive, and aggregation predicate are unchanged across substrates, and the substrate's contribution is bounded to propagation latency and ordering guarantees.

Composition

Fleet-level training governance composes with the broader credentialed-observation substrate in the manner expected of a structural primitive. The governance-chain credential is a credentialed observation; the routing map is a credentialed observation; the cross-fleet aggregation credential is a credentialed observation. The training pipeline's ingestion, routing, and application stages are all special cases of the policy-evaluator pattern that operates over credentialed observations elsewhere in the architecture.

Composition with sandbox pre-activation certification gates a candidate parameter increment — whether produced internally or admitted through cross-fleet aggregation — through a sandbox certification before the increment is applied to the live model. Composition with capability envelopes bounds the parameter slices that an aggregated increment may affect to the envelope's permitted classes; an increment whose lineage indicates exposure to data classifications outside the envelope is structurally refused at routing time. Composition with the agent's inference-time lineage tracer carries the contributing-fleet identity into the decision lineage of every inference whose parameters trace to a cross-fleet aggregation, which is the property that satisfies regulatory regimes that require disclosure of training-data provenance to the decision level.

Prior-Art Distinction

Cloud-centric federated learning regimes — Google's Gboard update pipeline, Apple's privacy-preserving on-device learning, the academic federated-averaging and federated-SGD literature — assume that contributors send gradients to a single coordinator that aggregates and redistributes. Governance, where it exists, is contributor-side (the contributor's device decides what to send) or coordinator-side (the coordinator decides what to accept), but the boundary that holds the policy is implicit and the lineage from contribution to aggregated model state is not structurally preserved. Cross-organizational aggregation in these regimes is either absent or handled by ad-hoc administrative agreements rather than by a credentialed primitive.

Differential-privacy-trained model regimes provide statistical bounds on individual-contribution leakage but do not provide explicit cross-fleet authorization or lineage to the decision level. SBOM-style attestations for training data — the AI Bill of Materials proposals — record provenance but do not gate aggregation on receiving-side authorization or support immediate revocation. Trusted-execution-environment training regimes protect the aggregator from tampering but do not express the boundary, the depth-selective routing, or the cross-fleet authorization predicate as first-class structural objects. The disclosed mechanism's combination — fleet boundary as governance object, depth-selective routing enforced at gradient-application time, cross-fleet aggregation requiring explicit receiving-side authorization, and lineage carried into inference-time decisions — is absent from these regimes.

Disclosure Scope

The disclosure covers the mechanism by which training data and training-derived parameter updates are governed at the fleet boundary, regardless of the propagation substrate (cloud, mesh, store-and-forward), the boundary topology (single-tier, hierarchical, federated), the aggregation model (push, pull, broker), or the model class (foundation models, adapters, low-rank updates, classical learners). Defense, maritime, agricultural, mining, automotive, healthcare-fleet, and infrastructure-agent deployments are within the disclosed deployment classes. The mechanism is disclosed as a structural primitive of the cognition architecture's training-governance layer, composing with sandbox certification, capability envelopes, and the credentialed-observation substrate.