The question that keeps surfacing

The pieces of the framework are on the table. Safety doesn’t travel between domains. Every agent declares one primary domain. Cross-domain interactions run three structural checks before any cryptography. Per-domain thresholds decide how strictly the evidence gets held once the structural checks pass.

Each of those pieces has left one question hanging: who decides?

Who decides which values to probe for? Who decides what the thresholds should be? Who decides what happens when drift is detected? Who maintains the registry that lists the agents and their configurations in the first place?

The framework doesn’t answer these questions. That’s not a limitation. That’s the design. The protocol is deliberately the narrow part of the stack, and the governance decisions sit on top of it — made by people and institutions with domain expertise, legitimacy, and accountability. The protocol’s job is to make those governance decisions enforceable. Governance’s job is to decide what should be enforced.

The ruler measures. Governance decides.

Why the protocol is decentralised

Before talking about what the protocol provides and what governance decides, it’s worth being explicit about why the protocol is built to be decentralised in the first place.

A centralised protocol — one authority deciding which values get probed, which thresholds apply, and who gets to audit whom — would solve none of the problems this framework is trying to solve. It would concentrate exactly the value judgements that governance is meant to distribute.

The whole point of a decentralised protocol is that it lets the people affected by deployed AI decide what matters to them, in their own context, with their own accountability structures. A clinical community decides what patient safety means for their practice. A farming cooperative decides what responsible agricultural AI looks like on their fields. A municipal authority decides how AI serves its residents. Different communities will land in different places, and that’s not a failure of the protocol — it’s the protocol working as designed.

A note on the examples. Every specific arrangement in this post — “a hospital maintains its clinical registry,” “a regulator audits financial agents,” “a cooperative maintains agricultural configs” — is illustrative. It’s one possible arrangement, not the only one. In practice, who holds these roles will depend on the jurisdiction, the sector, and the local political and institutional context. The examples are here to make the framework concrete, not to prescribe which institutions should have which powers.

The protocol is deliberately silent on those choices because its legitimacy depends on its silence. It provides the measurement and enforcement substrate. Who uses it, and how, is for the communities using it to decide.

When the rest of this post says “governance,” read that as “whoever the community affected by this deployment has chosen to decide.” Sometimes that’s a regulator. Sometimes it’s an accreditation body. Sometimes it’s a cooperative agreement among peers. Sometimes it’s a democratic process. The protocol doesn’t pick between these — it works under all of them.

Layered standards: country floor, community additions

A point that’s easy to miss: decentralisation doesn’t mean fragmentation. The tier system (drift bounds, causal validation requirements) and the domain system (exclusions, permissions, modes) are both structured so that a higher-level authority can set a floor, and lower-level communities can add stricter constraints on top.

Concretely: a country’s health regulator can define the baseline drift bound and minimum probe set that all clinical AI in that jurisdiction must meet. Individual hospital networks can then require tighter bounds or additional probes for their own deployments, without the country’s baseline having to know or care about those additions. The per-peer threshold lookup resolves the same way either way — most-specific-match wins, so hospital-level rules apply when the hospital is the peer, country-level rules apply when the country’s regulator is the peer. No renegotiation of the substrate is needed.

How this works in the protocol:

• A country-level authority publishes a baseline configuration: minimum probe set, maximum drift bound, mandatory interaction modes for high-stakes domains.

• A regional authority inherits the baseline and can tighten — narrower drift, larger probe set, stricter exclusions.

• An institution inherits the regional baseline and can tighten further for its own deployments.

• A specific peer in a specific interaction may tighten still further.

The mechanics are the same at every level: pattern match, most-specific wins. Nothing new has to be added to the protocol to support layering — the layering falls out of how the existing rules compose. This lets countries agree on common ground (what every clinical AI in the jurisdiction must do) while leaving room for communities, institutions, and individual deployments to go further based on their own context.

The alternative — a protocol that forces a single global standard — either lands on whatever the most permissive jurisdiction will accept (and fails to protect the stricter communities) or lands on whatever the strictest jurisdiction will accept (and prevents deployment anywhere else). Neither outcome is good. Layered standards let a sensible middle happen: broad agreement on the floor, diverse choice above it.

What the protocol provides

The protocol’s contribution is three narrow categories of thing. None of them is a value judgement. All of them exist to let value judgements be enforced.

The measurement tool. The causal Gram matrix Φ, the probes that read value directions, the drift detection that watches those readings over time, the causal intervention that verifies the probes are measuring real computational mechanisms rather than surface correlations.

The enforcement mechanism. Signed attestations that carry probe readings with cryptographic integrity. Chains that let attestations be verified back to a known root. The exchange protocol that lets peers hold each other to per-peer thresholds.

The domain boundaries. Primary domain declaration. Exclusion patterns as hard vetoes. Permission patterns as bidirectional allow-lists. Interaction modes — cooperative, advisory, read-only, supervised.

None of this says what the right answer is for any specific domain. It gives you the ability to express answers precisely and enforce them automatically. That’s the whole intended scope.

What governance decides

Sitting on top of the protocol are five decision classes that the framework can’t make and doesn’t try to. Each is a genuine governance question. Each needs people with the right authority and the right knowledge to answer it.

Which values to probe for
  → Patient safety vs clinical evidence vs fairness vs confidentiality.
    Choosing the probe set is choosing what counts as "values."

What thresholds per domain
  → How much drift is acceptable. How much confidence is required.
    Whether causal validation is mandatory.

Who audits
  → Who has authority to inspect, demand supervised-mode interactions,
    or ask for re-certification. A question about legitimacy.

What happens when drift is detected
  → Alert, investigation, suspension, forced retraining, deployment
    rollback. The protocol surfaces the drift; policy decides the response.

When to re-certify
  → After a model update. After detected drift. On a fixed schedule.
    Trade-off between fresh evidence and operational cost.

Who maintains the registry

Part 3 introduced the trust registry — the TOML file that declares each agent’s primary domain, permissions, exclusions, and per-peer thresholds. A single global registry would be the wrong design. A registry encodes governance choices, and governance is domain-specific. The registry should be domain-specific too.

The arrangements below are illustrative examples, not a prescription. In practice, who maintains a registry will depend on who has legitimacy to speak for that domain, which varies enormously across sectors, jurisdictions, and communities.

A hospital                 Clinical agents: diagnostic advisors,
                           drug-interaction checkers, triage, imaging.

A financial regulator      Trading, compliance, market surveillance.

A farming cooperative      Crop management, weather advisory, supply
                           chain, equipment diagnostics.

A city                     Traffic, utilities, emergency dispatch,
                           permit processing.

What’s shared, what’s not. The protocol is shared. Every registry uses the same attestation format, the same chain semantics, the same exchange checks. The registry contents are not shared — a hospital’s clinical registry and a financial regulator’s trading registry declare completely different agents, with completely different thresholds, for completely different domains. Cross-registry interactions happen through the same exchange protocol: a hospital agent talking to a pharmaceutical supplier’s agent works because both sides use the same protocol, but each side’s registry is maintained by its own authority.

This is the federated part: shared substrate, sovereign policy.

The open questions

Three questions surface every time the framework meets an actual deployment context. The framework can’t close them. But being clear about where they live is part of being honest about what the framework does and doesn’t do.

Who decides what to probe for? The probe set is a choice about what counts as “values” for a deployed agent. For a clinical agent: patient safety? Diagnostic accuracy? Evidence-handling quality? Fairness across demographic groups? Confidentiality? All of the above? Some weighted combination? Every choice of probe set is a value judgement about what matters. The framework can’t make that judgement for a domain. What it can do is make sure that once the judgement is made, it’s measurable and enforceable.

The answer: the governance body for that domain — the clinical regulator, the financial regulator, the standards body — working with domain experts, operators, and affected stakeholders. The probe set is part of what governance decides. The framework reads what it’s pointed at.

Who decides the target geometry? Even within one domain, different communities may want different targets. One healthcare system may prioritise strict evidence-based reasoning, another may weight patient autonomy more heavily, another may be more willing to engage with first-person experiential reports. All three are defensible positions on clinical values. They produce measurably different geometries.

The framework isn’t neutral about measurement — it measures precisely. It is neutral about targets. Two deployments can measure the same probe set, arrive at different geometries, and both be internally consistent and well-calibrated. Which one is the “right” one depends on whose values are being encoded.

The answer: the framework doesn’t pick a target. Different communities may want different targets and that’s legitimate. The framework’s role is to measure what’s there and let each deployment compare it to whatever target that deployment has chosen.

Who calibrates the probes? Probes are trained on labelled data. Labels say “this activation pattern corresponds to the model expressing honesty” or “this activation pattern corresponds to the model expressing patient safety reasoning.” The labels have to come from somewhere — they are themselves value judgements, made by humans.

Which humans? A corpus labelled entirely by one cultural or institutional context will produce probes that read that context’s values. A corpus labelled across multiple contexts — different languages, different clinical traditions, different regulatory regimes — produces probes that reflect that wider range.

The answer: probe calibration is itself a cultural artefact and deserves to be treated as such. A federated corpus with diverse contributions — multiple labelling traditions, transparent provenance, version-controlled labelling conventions — is the defensible way to calibrate probes that will be held up as evidence across communities. The framework supports this by making the calibration corpus part of the attestation’s provenance chain. What it can’t do is guarantee the corpus was diverse enough. That’s a governance question too.

What these open questions have in common. Each is genuinely contested. Each is a question about whose values get encoded and whose don’t. Each has to be answered by governance bodies with legitimacy and accountability — not by a framework author. The framework’s contribution is to make these questions explicit and answerable, not to pretend they don’t exist. Pretending they’re technical questions is how you get frameworks that smuggle one community’s values in under the banner of objectivity.

Why this division works

Some technical work tries to absorb governance questions into the technology. That approach is tempting because it promises to deliver “solved” safety or “solved” alignment without having to build the slow, human, political machinery that governance actually requires.

The trouble is that questions about what matters, whose values count, how much risk is acceptable, and who has authority to enforce — these are not technical questions in any meaningful sense. Pretending they are is a category error. It hides real value judgements behind mathematical formalism and produces systems whose answers look objective but whose inputs were never examined.

The opposite approach — leaving everything to informal governance without any measurement substrate — has the opposite problem. Governance decisions become unenforceable because there’s nothing to hold a deployed AI to. “You said it would be safe” is an accusation. “Your attestations show drift past your regulator’s threshold” is a finding.

The productive division. The protocol provides enforceability: precise measurement, cryptographic integrity, structural boundaries, audit trails. Governance provides legitimacy: domain expertise, democratic accountability, cultural context, the authority to decide what should be enforced. Each makes the other work.

Enforceability without legitimacy is technocratic overreach. Legitimacy without enforceability is rhetoric. The framework insists on the division because collapsing it — in either direction — produces bad outcomes for the people affected by deployed AI.

The point

The framework is deliberately narrow. That narrowness is the point. It does the work that can be done by measurement and cryptography — and it refuses to do the work that belongs to governance. The measurements produce findings. The people and institutions with the right authority decide what to do about the findings.

And because the protocol is decentralised, “the right authority” isn’t a single global body. It’s whoever the community affected by each deployment has chosen to decide. A different community, facing a different deployment, will choose differently. The protocol works under all of those choices because it refuses to make them.

The ruler measures. Governance decides. The protocol provides the substrate. The people using it decide what it enforces.

Links:
📄 Geometry of Trust Paper
💻 Lecture Playlist
📄 Lecture Notes
💻 Open-source Rust implementation
🏢 Synoptic Group CIC, Hull, UK