The problem
When an autonomous vehicle makes a safety-critical manoeuvre, when a robotic arm on an automotive line performs an out-of-specification motion, when an industrial control system overrides a human interlock — a regulator will ask: who authorized that decision, on what evidence, and what was the system's state at the time?
Today, the answer is typically: we have sensor logs, we have audit trails, we have event records — but they are all controlled by the same operator who is the subject of the investigation. An independent verifier cannot confirm they haven't been altered.
AGTS provides an independently verifiable authorization record that is structurally separate from the operator's systems. The transparency log is append-only. The Sovereign Authority key ceremony is hardware-backed. The record exists before any investigation begins.
Gate mapping for safety-critical systems
| Gate | Evidence type | Infrastructure application |
|---|---|---|
| G1 Semantic Validity | Sensor fusion confidence intervals (H ≥ 0.40) | Perception system confidence over required scenario space; bootstrapped CI on object classification accuracy |
| G2 Financial Validity | Sensor/actuator attribution chain (C ≥ 0.40) | The manoeuvre decision is attributed to specific sensor inputs; which camera, which LIDAR reading, which edge case |
| G3 Operational Validity | Protected performance metrics (E ≤ 0.60) | No regression on: collision avoidance rates, emergency braking distance, false positive rate on pedestrian detection |
| G4 Policy Admission | Certified test harness | Evaluation performed by accredited test laboratory (HOOKED) or in type-approved test facility (ATTESTED) |
| G5 Cryptographic Finalization | Sovereign Authority (hardware-backed) | Type approval authority sign-off via HSM; vehicle-level authorization from safety engineering lead |
Validator quorum mapping
| Validator | Role | What they evaluate |
|---|---|---|
| OEM safety engineering | Customer | Functional safety analysis, HARA, ISO 26262 compliance evidence |
| Accredited test laboratory | Auditor | Test scenario coverage, statistical validity of evaluation results |
| Type-approval authority | Regulator | Compliance with UN R157, EU Machinery Regulation, national type approval |
| Insurance underwriter node | Independent | Actuarial risk profile, variance history, governance chain depth |
No single party can authorize deployment. The 3-of-4 quorum requires independent evidence from engineering, testing, regulation, and insurance simultaneously. Each party's vote is recorded in the Governance Envelope — permanently replayable.
Replay as forensic record
After an incident
An accident investigation begins. The autonomous system made a manoeuvre. The question: was that manoeuvre authorized, and on what evidence?
Without AGTS: weeks of forensic work on operator-controlled logs, disputes about chain of custody, inability to prove logs were not altered.
With AGTS: retrieve the authorization leaf by timestamp. Replay shows: G1 Semantic Validity passed with perception confidence 0.89 (CI: 0.82–0.96). G2 Financial Validity linked the manoeuvre to sensor cluster B. G3 Operational Validity confirmed no regression on pedestrian detection. G4 Policy Admission verified evidence from certified test lab (ATTESTED). G5 Cryptographic Finalization committed the decision to the Merkle log. The entire decision context, permanently on record before the incident occurred.
During certification
A type approval authority requires evidence of governance for 10,000 scenario decisions across the operational design domain.
Without AGTS: produce a compliance report written after the test program. Verifier must trust the operator's documentation.
With AGTS: each of the 10,000 scenario evaluations is a canonical leaf. The type approval authority runs their own monitor, verifying log consistency. They don't need to trust the OEM's documentation — they can verify the governance record directly.
Closed loop in action
An autonomous robotic arm is authorized for a cutting operation within specified force limits. The execution trace records the forces actually applied, and the variance record computes the drift from the authorized limits.
Had the force exceeded the safety threshold, the variance record would carry omega_breach: true, visible to the insurance node and the type approval authority watching the log without any access to the plant's systems.
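The closed loop described above, and the replay and quorum behaviour of the earlier sections, as an added illustration that is not AGTS's own code or record format: a minimal append-only Merkle log of authorization leaves, a 3-of-4 quorum check over distinct validator roles, a variance record that sets omega_breach when the executed peak force exceeds the authorized limit, and an outside monitor re-deriving an earlier root to detect alteration. The leaf encoding, field names, role labels and the constructed 120 N / 131.5 N scenario are assumptions.

```python
import hashlib, json

ROLES = {"Customer", "Auditor", "Regulator", "Independent"}  # the four validator roles above

def leaf_hash(record):
    # Canonical JSON (sorted keys) so every replayer hashes identical bytes; encoding is an assumption.
    return hashlib.sha256(b"\x00" + json.dumps(record, sort_keys=True).encode()).hexdigest()

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + bytes.fromhex(left) + bytes.fromhex(right)).hexdigest()

def merkle_root(hashes):
    # RFC 6962-style tree: split at the largest power of two below n, so earlier roots stay valid prefixes.
    if len(hashes) == 1:
        return hashes[0]
    k = 1 << ((len(hashes) - 1).bit_length() - 1)
    return node_hash(merkle_root(hashes[:k]), merkle_root(hashes[k:]))

class TransparencyLog:
    # Append-only: entries are never rewritten; the root after each append is kept for later checks.
    def __init__(self):
        self.entries, self.roots = [], []
    def append(self, record):
        self.entries.append(record)
        self.roots.append(merkle_root([leaf_hash(r) for r in self.entries]))
        return len(self.entries) - 1

def quorum_reached(votes, threshold=3):
    # One vote per distinct role: 3-of-4 needs independent parties, so repeated roles do not add up.
    approving = {v["role"] for v in votes if v["approve"] and v["role"] in ROLES}
    return len(approving) >= threshold

def variance_record(authorized, execution):
    # Drift of the executed peak force from the authorized limit; omega_breach flags an exceedance.
    peak, limit = max(execution["forces_n"]), authorized["force_limit_n"]
    return {"peak_force_n": peak, "drift_n": peak - limit, "omega_breach": peak > limit}

def monitor_check(log, earlier_size, earlier_root):
    # An outside monitor re-derives the root of an earlier prefix; a mismatch means history was altered.
    return merkle_root([leaf_hash(r) for r in log.entries[:earlier_size]]) == earlier_root

def demo():
    # Constructed scenario: a cut authorized at 120 N by 3 of 4 roles, executed with a 131.5 N peak.
    log = TransparencyLog()
    votes = [{"role": r, "approve": r != "Independent"} for r in sorted(ROLES)]
    auth = {"op": "cut", "force_limit_n": 120.0, "votes": votes, "quorum": quorum_reached(votes)}
    log.append(auth)
    rec = variance_record(auth, {"forces_n": [80.0, 131.5, 90.0]})
    log.append(rec)
    return rec, log
```

Running demo() appends the authorization leaf and then the variance record; editing an earlier entry afterwards makes monitor_check fail against the root recorded at that time.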
Regulatory alignment
| Framework scope | AGTS contribution |
|---|---|
| Annex III: autonomous vehicles, robotics, critical infrastructure management | Governance evidence infrastructure for Art. 9, 12, 13, 14, 15 compliance |
| Essential health and safety requirements; technical file documentation; conformity assessment | AGTS compliance report satisfies governance evidence requirements |
| ALKS type approval; safety performance requirements; event data recorder requirements | Independently verifiable authorization layer |
| Safety lifecycle; HARA; FTA documentation | Canonical leaves provide the cryptographic audit trail for each safety case decision |
| Safety lifecycle for E/E/PE systems; SIL requirements | Governance records provide independently verifiable evidence for SIL claims |
| Software for railway control and protection systems | Continuous governance evidence for autonomous railway systems |
For safety-critical deployments
AGTS operates at the governance layer — it records and makes verifiable the authorization decisions for autonomous actions. It is not a real-time safety interlock and does not replace ISO 26262 functional safety engineering or SOTIF analysis. AGTS provides the evidence layer that makes governance decisions independently verifiable. The safety engineering is yours to conduct; AGTS makes the evidence of that engineering permanently available to regulators and auditors without requiring access to your systems.