pith. machine review for the scientific record.

arxiv: 2604.22898 · v1 · submitted 2026-04-24 · 💻 cs.CR · cs.AI · cs.GT

Recognition: unknown

Reconstructive Authority Model: Runtime Execution Validity Under Partial Observability


Pith reviewed 2026-05-08 11:21 UTC · model grok-4.3

classification: 💻 cs.CR · cs.AI · cs.GT
keywords: partial observability · execution validity · reconstructive authority · coverage envelope · attestation insufficiency · runtime governance · privilege narrowing · autonomous systems

The pith

Authenticated projections of state are necessary but never sufficient for valid execution under partial observability.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Autonomous systems frequently lack full access to the state required for safe actions. Existing mechanisms such as trusted execution environments and cryptographic attestation can confirm that observed data remains unaltered, yet they provide no guarantee that the visible portion covers everything the action depends on. The Reconstructive Authority Model separates integrity of measurements from adequacy of coverage by introducing an explicit envelope that includes proven state, declared assumptions, and acknowledged unobservable residuals. Execution is allowed only when this envelope meets the requirements of the intended action class; otherwise the system narrows privileges or halts. Synthetic tests with 100,000 runs show the model produces zero invalid executions at every coverage level while attestation-based approaches continue to fail even when coverage is complete.

Core claim

The paper establishes that an authenticated projection of state is necessary but never sufficient for execution validity. It introduces the Reconstructive Authority Model (RAM), which separates integrity from coverage: a reconstruction gate operates over an explicit coverage envelope of proven state, declared assumptions, and unobservable residual, and permits execution only when coverage is adequate for the action class, narrowing privileges dynamically or failing closed when it is not. Formal proofs establish the insufficiency of attestation and the necessity of RAM, while experiments confirm zero invalid execution rates under RAM versus persistent failures under pure attestation.

What carries the argument

The Reconstructive Authority Model (RAM) reconstruction gate, which evaluates an explicit coverage envelope of proven state, declared assumptions, and acknowledged unobservable residual to decide whether coverage is adequate for the requested action class.

If this is right

  • RAM achieves zero invalid execution rates at all coverage levels in 100,000 synthetic trials.
  • Attestation systems produce invalid execution rates of 0.423 at low coverage and 0.233 even at full coverage due to undetected undefined-state handling.
  • When coverage is insufficient, RAM narrows privileges dynamically or fails closed.
  • Execution validity is treated as a coverage reconstruction problem distinct from and complementary to integrity guarantees.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • In sensor-driven robots or vehicles, explicit tracking of environmental assumptions could prevent actions when key variables remain unmeasured.
  • The model could layer onto existing attestation systems to add a coverage check without replacing current integrity hardware.
  • Action classes could be pre-defined with minimum coverage thresholds, allowing systems to degrade gracefully rather than execute blindly.

Load-bearing premise

An explicit coverage envelope of proven state, declared assumptions, and unobservable residual can be defined and evaluated accurately enough to decide adequacy for any action class.

What would settle it

An experiment in which RAM allows an execution that later proves invalid despite the coverage envelope being declared adequate, or in which attestation alone achieves zero invalid executions across all partial-observability scenarios.

Figures

Figures reproduced from arXiv: 2604.22898 by Marcelo Fernandez - TraslaIA.

Figure 1: RAM reconstruction gate with three outcomes. The authority constructor F(E(t), α) evaluates the coverage envelope against the requested action class α: full coverage permits execution; partial coverage narrows privileges to α′ ⊊ α; insufficient coverage fails closed. Attestation (layer 2) guarantees input integrity but does not determine authority.

Figure 2: Baseline comparison at |Sp|/|Sr| = 0.1. Attestation executes 42.3% of cases that are actually invalid. RAM halts all invalid executions with SHR = 1. (a) IER vs. state coverage |Sp|/|Sr| (attestation model). Error persists even at high coverage due to ambiguous/undefined state. (b) IER vs. coverage: Attestation vs. Oracle vs. RAM. RAM maintains IER = 0 across all coverage levels.

Figure 3: Invalid Execution Rate as a function of state coverage |Sp|/|Sr|. Attestation IER remains above 0.23 even at full coverage because undefined (UNDEFINED) state is not treated as invalid by attestation. RAM's zero-IER guarantee holds unconditionally.

Figure 4: Left: RAM Over-Conservatism Rate (OCR) as a function of coverage. In the idealized simulation (seed 42, N = 100,000), OCR = 0 because the authority function F is precisely scoped to execution-critical components. In practice, OCR > 0 whenever F applies broader safety criteria than strictly necessary for the specific action class. Right: Complete trade-off surface showing attestation IER (orange, decreasing…
Original abstract

Autonomous systems increasingly operate under partial observability where execution-relevant state is never fully accessible. Existing governance mechanisms -- trusted execution environments, oracle-signed state proofs, cryptographic attestation -- enforce the integrity of computation and state projections. We show this is structurally insufficient: an authenticated projection of state is necessary but never sufficient for execution validity. We introduce the Reconstructive Authority Model (RAM), which separates integrity from coverage. RAM defines a reconstruction gate that reasons over an explicit coverage envelope -- comprising proven state, declared assumptions, and an acknowledged unobservable residual -- and permits execution only when coverage is adequate for the action class. When coverage is insufficient, RAM narrows privileges dynamically or fails closed. Attestation proves trust in measurement; RAM proves adequacy of what is measured. We formalize RAM, prove necessity via two theorems (attestation insufficiency and RAM necessity) and three corollaries, and present a hybrid RAM+Attestation architecture with privilege-narrowing. Synthetic experiments (N=100,000, seed=42) show RAM achieves zero invalid execution rates at all coverage levels. Attestation-based systems exhibit IER=0.423 at low coverage and IER=0.233 even at full coverage, the latter arising from undefined-state handling failures undetectable by integrity checks alone. This reframes execution validity as a coverage reconstruction problem, distinct from and complementary to integrity guarantees provided by attestation.
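The abstract and the Figure 1 caption describe the reconstruction gate only in prose: an authority constructor compares a coverage envelope against an action class and returns one of three outcomes (permit, narrow to α′ ⊊ α, fail closed), while attestation answers only whether what is visible is intact. The following toy model is an added illustration for this page, not the paper's code, data or numbers. Everything in it is an assumption: state is a handful of named components, each of which is DEFINED, UNDEFINED or UNOBSERVED from the executor's point of view; an action class is the set of components an action relies on; the attestation baseline executes whenever integrity verifies (which it always does here, since no tampering is injected); and a "declared assumption" simply counts a component as covered. The Monte Carlo numbers it prints are the toy's own and are not the IER values the paper reports; as the referee report below notes, RAM's zero IER here follows from the gate's own rule, because the ground-truth check and the gate share the same notion of "defined".

```python
"""Toy model of the RAM reconstruction gate beside an attestation-only baseline.
Constructed for illustration; not the paper's implementation."""
import random
from dataclasses import dataclass
from enum import Enum


class Obs(Enum):
    DEFINED = "defined"        # proven state: value attested and well-defined
    UNDEFINED = "undefined"    # value attested but ambiguous/undefined for the action
    UNOBSERVED = "unobserved"  # not visible to the executor: the unobservable residual


PERMIT, NARROW, FAIL_CLOSED = "permit", "narrow", "fail_closed"


@dataclass(frozen=True)
class Decision:
    outcome: str
    executed: frozenset  # components the executed (possibly narrowed) action relies on


def attestation_gate(envelope, action_class):
    """Integrity-only baseline (assumed model): every visible component verifies,
    so the full action class executes. UNDEFINED and UNOBSERVED are not grounds
    for refusal, because an integrity check says nothing about coverage."""
    return Decision(PERMIT, frozenset(action_class))


def ram_gate(envelope, action_class, assumptions=frozenset()):
    """Reconstruction gate (assumed form): a component is covered when it is proven
    DEFINED or the operator explicitly declared an assumption for it. Full coverage
    permits; partial coverage narrows to the covered subset; none fails closed."""
    covered = frozenset(c for c in action_class
                        if envelope.get(c) is Obs.DEFINED or c in assumptions)
    if covered == frozenset(action_class):
        return Decision(PERMIT, covered)
    if covered:
        return Decision(NARROW, covered)       # alpha' is a strict subset of alpha
    return Decision(FAIL_CLOSED, frozenset())


def is_invalid(decision, truly_undefined):
    """Ground truth (constructed): an execution is invalid when it relied on a
    component whose real state was undefined, whether or not the executor saw it."""
    return bool(decision.executed & truly_undefined)


def simulate(coverage, n, seed=42, k=4, p_undefined=0.1):
    """Monte Carlo over n synthetic states with k required components. Each
    component is truly undefined with probability p_undefined and is visible to
    the executor with probability `coverage`; visible components are reported
    truthfully. Returns the toy's invalid-execution rates and how often RAM
    narrowed or halted although the full action would in fact have been valid."""
    rng = random.Random(seed)
    action_class = [f"s{i}" for i in range(k)]
    att_invalid = ram_invalid = ram_conservative = 0
    for _ in range(n):
        truly_undef = {c for c in action_class if rng.random() < p_undefined}
        envelope = {}
        for c in action_class:
            if rng.random() < coverage:
                envelope[c] = Obs.UNDEFINED if c in truly_undef else Obs.DEFINED
            else:
                envelope[c] = Obs.UNOBSERVED
        att_invalid += is_invalid(attestation_gate(envelope, action_class), truly_undef)
        decision = ram_gate(envelope, action_class)
        ram_invalid += is_invalid(decision, truly_undef)
        ram_conservative += int(decision.outcome != PERMIT and not truly_undef)
    return {
        "attestation_ier": att_invalid / n,
        "ram_ier": ram_invalid / n,
        "ram_halt_or_narrow_on_valid_state": ram_conservative / n,
    }


if __name__ == "__main__":
    # Single envelope (constructed): one proven, one unobserved, one undefined component.
    env = {"pos": Obs.DEFINED, "vel": Obs.UNOBSERVED, "load": Obs.UNDEFINED}
    print("attestation:", attestation_gate(env, ["pos", "vel", "load"]))
    print("ram:        ", ram_gate(env, ["pos", "vel", "load"]))
    print("ram+assume: ", ram_gate(env, ["pos", "vel", "load"], frozenset({"vel"})))
    for cov in (0.1, 0.5, 1.0):
        print(f"coverage={cov:.1f}", simulate(cov, 20_000))
```

In this toy the attestation baseline's invalid rate does not fall with coverage at all, because it never uses what it sees beyond integrity; the paper's attestation curve does decline with coverage, so the toy only reproduces the qualitative point that a non-zero rate survives full coverage when undefined state is not treated as invalid. The declared-assumption path shows where the model's risk actually lives: a wrong assumption would widen `executed` past the proven set, which is exactly the adequacy question the referee asks to see decided without oracle knowledge of the residual.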

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript claims that existing attestation mechanisms (trusted execution environments, oracle-signed proofs, cryptographic attestation) are structurally insufficient for execution validity under partial observability because they ensure integrity of state projections but not coverage of execution-relevant state. It introduces the Reconstructive Authority Model (RAM) that separates integrity from coverage via a reconstruction gate operating over an explicit coverage envelope (proven state, declared assumptions, acknowledged unobservable residual). Execution is permitted only when coverage is adequate for the action class; otherwise privileges are narrowed or execution fails closed. The authors formalize RAM, prove two theorems (attestation insufficiency and RAM necessity) plus three corollaries, describe a hybrid RAM+Attestation architecture, and report synthetic experiments (N=100,000, seed=42) in which RAM achieves zero invalid execution rates (IER) at all coverage levels while attestation-only systems show IER=0.423 at low coverage and IER=0.233 at full coverage.

Significance. If the formal theorems hold and a non-oracle implementation of the reconstruction gate exists, the work would provide a useful conceptual reframing of runtime governance by distinguishing coverage adequacy from integrity guarantees. This separation could guide designs for autonomous systems that explicitly handle unobservable residuals and dynamically adjust privileges, complementing rather than replacing attestation. The synthetic results, if shown to be non-circular, would illustrate the practical gap in attestation-only approaches arising from undefined-state handling.

major comments (2)
  1. [Abstract and Experiments] Abstract / synthetic experiments description: The reported IER=0 for RAM at all coverage levels follows by construction from the model's rule that the reconstruction gate permits execution only when the coverage envelope is adequate. No implementation details or decision procedure are supplied for evaluating adequacy (including the unobservable residual) using only information available under partial observability rather than oracle knowledge of the residual. This is load-bearing for the empirical support of the central claim that RAM achieves zero invalid executions in practice.
  2. [Formalization and Theorems] Formalization / Theorems: The two theorems and corollaries treat the adequacy predicate over the coverage envelope as given and computable from proven state plus declared assumptions. No construction, algorithm, or procedure is provided that determines this predicate while respecting the partial-observability constraints the model addresses, which is required to establish practical necessity of RAM.
minor comments (2)
  1. [Experiments] The experiments section provides N=100,000 and seed=42 but omits details on how coverage levels are varied, the precise definition of invalid executions for the attestation baseline, and any statistical measures such as error bars or variance across runs.
  2. The hybrid RAM+Attestation architecture is introduced but lacks specifics on the integration mechanism, how privilege-narrowing is realized at runtime, or pseudocode for the reconstruction gate.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their thoughtful and constructive review. We address each major comment point by point below, acknowledging where the observations are accurate and indicating the revisions we have made to strengthen the manuscript.

Point-by-point responses
  1. Referee: [Abstract and Experiments] Abstract / synthetic experiments description: The reported IER=0 for RAM at all coverage levels follows by construction from the model's rule that the reconstruction gate permits execution only when the coverage envelope is adequate. No implementation details or decision procedure are supplied for evaluating adequacy (including the unobservable residual) using only information available under partial observability rather than oracle knowledge of the residual. This is load-bearing for the empirical support of the central claim that RAM achieves zero invalid executions in practice.

    Authors: We agree that the reported zero IER for RAM follows directly from the reconstruction gate's rule, which blocks execution under inadequate coverage by design. The synthetic experiments (N=100,000, seed=42) are intended to illustrate the performance differential with attestation-only baselines, where positive IER persists due to coverage gaps undetectable by integrity checks. The experiments assume the gate evaluates the envelope correctly at each coverage level. To address the lack of implementation details, we have revised the manuscript by adding a dedicated subsection on a practical decision procedure for the reconstruction gate. This procedure uses only observable proven state, declared assumptions, and conservative statistical bounds on the unobservable residual (derived from domain priors) to determine adequacy, without oracle knowledge of the residual. The abstract has also been updated to reference this addition. revision: yes

  2. Referee: [Formalization and Theorems] Formalization / Theorems: The two theorems and corollaries treat the adequacy predicate over the coverage envelope as given and computable from proven state plus declared assumptions. No construction, algorithm, or procedure is provided that determines this predicate while respecting the partial-observability constraints the model addresses, which is required to establish practical necessity of RAM.

    Authors: The theorems abstract the adequacy predicate to establish the general structural necessity of RAM and the insufficiency of attestation, independent of any specific computation method. This level of abstraction allows the results to apply across domains. We recognize that the absence of an explicit procedure limits the demonstration of practical necessity under partial observability. We have therefore revised the formalization section to include a high-level algorithmic sketch for evaluating the coverage envelope. The procedure respects partial observability by relying on declared assumptions to bound the residual, applying a conservative adequacy threshold, and triggering privilege narrowing or closed failure when the threshold cannot be met. This addition complements the theorems without altering their abstract character. revision: yes

Circularity Check

1 step flagged

Zero invalid execution rate for RAM follows by construction from its own coverage-adequacy permission rule

specific steps
  1. self-definitional [Abstract]
    "RAM defines a reconstruction gate that reasons over an explicit coverage envelope -- comprising proven state, declared assumptions, and an acknowledged unobservable residual -- and permits execution only when coverage is adequate for the action class. ... Synthetic experiments (N=100,000, seed=42) show RAM achieves zero invalid execution rates at all coverage levels."

    The model explicitly conditions execution permission on adequacy of the coverage envelope (including residual); the reported zero IER is therefore the direct, tautological consequence of enforcing that same rule inside the synthetic simulator, which supplies oracle knowledge of the residual. No independent test of the gate's decision procedure under strict partial observability is performed.

full rationale

The paper's synthetic experiments report IER=0 for RAM at every coverage level, but this outcome is forced by the model's definitional rule that execution is permitted only when the coverage envelope (including the acknowledged unobservable residual) is deemed adequate. The reconstruction gate is granted oracle knowledge of that residual in the N=100k simulation, so the zero rate confirms the rule rather than independently validating that adequacy remains decidable under genuine partial observability. The necessity theorems and attestation comparisons do not escape the circularity because they presuppose the same predicate is evaluable without additional observability. This is a clear self-definitional reduction of the central empirical claim to the model's own constraints.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 2 invented entities

Based on abstract only; the central claim rests on the ability to define and reason over a coverage envelope and on the unstated mechanics of the reconstruction gate.

axioms (1)
  • domain assumption An explicit coverage envelope can be constructed from proven state, declared assumptions, and acknowledged unobservable residual.
    Invoked when defining the reconstruction gate that decides execution permission.
invented entities (2)
  • Reconstructive Authority Model (RAM) no independent evidence
    purpose: Separate integrity from coverage to enforce execution validity under partial observability.
    New model introduced to address claimed insufficiency of attestation.
  • Reconstruction gate no independent evidence
    purpose: Reason over coverage envelope and permit or narrow execution.
    Core mechanism of RAM.

pith-pipeline@v0.9.0 · 5548 in / 1440 out tokens · 37449 ms · 2026-05-08T11:21:58.455625+00:00 · methodology


Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Agent Control Protocol: Admission Control for Agent Actions

    cs.CR 2026-03 unverdicted novelty 5.0 partial

    ACP is a temporal admission control protocol that combines static risk scoring with anomaly accumulation and cooldowns to limit harmful agent behavior over time, reducing approvals from 100% to 0.4% in tested workloads.
