Normative Foundations for High Trust Autonomous Systems

Relationship to Parent Document

This document extends "On High Trust Autonomous Systems", specifically §7 (Mapping HTS → HTAS).

The parent document defines the category-theoretic structure of High Trust Autonomous Systems and establishes that trust infrastructure transfers from societies to autonomous systems. This document axiomatizes that trust infrastructure by translating foundational concepts of US civic law into machine-checkable HTAS primitives.

Core claim: Enforceable invariants underpin High Trust Autonomous Systems, as civic law underpins High Trust Societies.


1. The Translation Problem

US civic law enables high-trust coordination among humans by providing:

  • Predictable enforcement of obligations
  • Bounded cost of dispute resolution
  • Shared semantics for rights, duties, and remedies
  • Legitimate authority to adjudicate and sanction

For HTAS to achieve comparable trust efficiency, it must provide functional equivalents. The question: what properties must hold for autonomous systems to sustain high-trust regimes?


2. Source Concepts: US Civic Law

Concept | Function
------------------------------------------------------------------
Personhood | Determines who holds rights, bears obligations, has standing
Property | Exclusive control; transferability; bundle of rights
Contract | Voluntary creation of binding obligations
Tort | Liability for harm outside contractual privity
Agency | Delegated action; principal bound by agent
Jurisdiction | Scope of authority; which rules apply
Due process | Procedure before deprivation
Standing | Injury required to bring claim
Burden of proof | Who proves what, to what standard
Remedy | Relief available upon violation
Precedent | Past decisions constrain future decisions
Limitations | Time bounds on claims
Good faith | Implied honesty obligation
Fiduciary duty | Heightened loyalty to another's interest
Severability | Invalid parts don't void whole
Estoppel | Conduct forfeits inconsistent positions

3. Translation Table

Civic Law | HTAS Primitive | Formalization
------------------------------------------------------------------
Personhood | Principal registration | $\text{Principal} \subseteq E$ with $\text{id}: \text{Principal} \hookrightarrow \text{ID}$ and $\kappa: \text{Principal} \to \mathcal{P}(\text{Cap})$
Property | Capability exclusivity | $\forall r \in R_{\text{excl}}:$
Contract | Bilateral commitment | $c = (p_1, p_2, \text{terms}, \text{cond}, \text{rem})$ valid iff signed, well-formed, observable
Tort | Harm attribution sans privity | If $\text{action}(p) \to \text{damage}(p') > 0$ and no contract exists, $p'$ may claim against $p$
Agency | Bounded delegation | $p$ grants $a$ capabilities $\kappa' \subseteq \kappa(p)$ with policy $\pi$; $p$ liable for in-scope acts
Jurisdiction | Trust context scope | Policies indexed by $U \in \mathbf{Trust}$; minimal containing context governs
Due process | Procedure-before-deprivation | Revocation requires: notice, response opportunity, stated grounds, authorized decider
Standing | Claim eligibility | $p$ may claim re: $s$ iff $\text{injury}(s, p) > \epsilon$
Burden of proof | Evidence threshold | Claim succeeds iff $\text{evidence}(c) \geq \theta$ for context-dependent $\theta$
Remedy | Relief menu | $\{\text{revert}, \text{compensate}, \text{perform}, \text{exclude}, \text{declare}\}$
Precedent | Decision consistency | $J$ Lipschitz-continuous: similar cases yield similar outcomes
Limitations | Claim expiration | Claim from event at $t$ valid only if invoked before $t + \Delta$
Good faith | Anti-adversarial interpretation | Implicit: parties will not exploit ambiguity to defeat reasonable expectations
Fiduciary duty | Heightened loyalty constraint | For $(p_f, p_b)$: $p_f$ must maximize $p_b$'s utility among available actions; no self-dealing
Severability | Partial validity | Invalid term $t_i$ severs; remaining terms bind if coherent
Estoppel | Conduct-based obligation | If $p$ acts as if $\phi$ and $p'$ relies, $p$ cannot assert $\neg\phi$ against $p'$

4. HTAS Axiom Schema

4.1 Principals

A1.1 Every principal has a unique, persistent identifier.

A1.2 Principals hold capabilities; $\kappa(p) \subseteq \text{Cap}$ for each $p \in \text{Principal}$.

A1.3 Principals may enter commitments with other principals.

A1.4 Principals may be named as claimant or respondent in disputes.

4.2 Capabilities

A2.1 A capability authorizes a class of actions on a class of resources.

A2.2 Capabilities are transferable under conditions specified by the capability itself.

A2.3 Exclusive capabilities have at most one holder at any state.

A2.4 Capability revocation requires due process (A6).

4.3 Commitments

A3.1 A commitment is valid iff all named principals have signed.

A3.2 Commitment terms must be well-formed per system grammar.

A3.3 Commitment conditions must reference observable state.

A3.4 Valid commitments create enforceable obligations; breach triggers remedy eligibility.

4.4 Harm and Liability

A4.1 Harm is measurable degradation of a principal's state or capabilities.

A4.2 Causation is a relation linking actions to state changes.

A4.3 A principal is liable for harms caused by their actions, subject to defenses.

A4.4 A principal is liable for their agent's in-scope actions; the agent is liable for out-of-scope actions.

4.5 Jurisdiction

A5.1 Every system state is contained in at least one trust context.

A5.2 Each trust context has an associated policy set.

A5.3 The policy of the minimal containing context governs.

A5.4 Cross-context actions require explicit bridging commitments.

4.6 Due Process

A6.1 No capability revocation or penalty without notice to the affected principal.

A6.2 The affected principal must have opportunity to respond before deprivation.

A6.3 Deprivation requires stated grounds referencing specific evidence.

A6.4 Deprivation decisions are subject to appeal to a distinct adjudicator.

4.7 Claims and Remedies

A7.1 A principal has standing to claim iff they have suffered injury.

A7.2 Claims must be invoked within the limitation period.

A7.3 Claims are resolved by weighing evidence against the applicable burden.

A7.4 Successful claims yield one or more remedies from the enumerated set.

A7.5 Remedy selection is proportionate to harm and constrained by reversibility preference.

4.8 Consistency and Reliance

A8.1 Materially similar cases must yield materially similar outcomes.

A8.2 A principal's consistent conduct creates expectations others may rely upon.

A8.3 A principal may not take positions inconsistent with conduct on which others have relied.

A8.4 Partial invalidity of a commitment severs the invalid portion; the remainder persists if coherent.
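The schema above (and the translation table in §3) is meant to be machine-checkable, so here is an added example, not code from this document or its parent, of the two procedural clusters written as checks a system would actually run: A2.4 with A6.1 to A6.3 on revocation, and A7.1 to A7.3 on claims. The class names, the authorized-decider registry and the threshold constants EPSILON, THETA and DELTA are assumptions chosen for illustration.

```python
# Added example (assumed names and thresholds), not from the source document.
from dataclasses import dataclass

EPSILON = 0.0   # A7.1: injury must exceed this for standing
THETA = 0.7     # A7.3: evidence threshold of the governing context
DELTA = 30      # A7.2: limitation period, in the system's time units

@dataclass
class RevocationCase:
    """Procedural record that A6 requires before a capability is removed."""
    subject: str              # affected principal
    capability: str
    grounds: str              # A6.3: stated grounds ...
    evidence: tuple           # A6.3: ... referencing specific evidence
    decider: str              # must be an authorized adjudicator
    notified: bool = False    # A6.1: notice given to the subject
    responded: bool = False   # A6.2: response opportunity honoured

class Registry:
    def __init__(self, authorized_deciders):
        self.caps = {}                          # kappa: principal -> set(Cap)
        self.deciders = set(authorized_deciders)

    def grant(self, principal, cap):
        self.caps.setdefault(principal, set()).add(cap)

    def revoke(self, case):
        """A2.4: deprivation happens only if every A6 precondition holds."""
        checks = [
            (case.notified, "A6.1 notice"),
            (case.responded, "A6.2 response opportunity"),
            (bool(case.grounds and case.evidence), "A6.3 grounds and evidence"),
            (case.decider in self.deciders, "authorized decider"),
        ]
        missing = [label for ok, label in checks if not ok]
        if missing:
            return False, missing               # state is left untouched
        self.caps.get(case.subject, set()).discard(case.capability)
        return True, []

def resolve_claim(injury, event_t, invoked_t, evidence):
    """A7.1-A7.3 applied in order: standing, then limitation, then burden."""
    if injury <= EPSILON:
        return "dismissed: no standing"
    if invoked_t >= event_t + DELTA:
        return "dismissed: time-barred"
    if evidence < THETA:
        return "denied: burden not met"
    return "upheld"
```

A revocation that skips any A6 step returns the list of unmet preconditions and leaves the capability set unchanged, which is the property an auditor would want to assert rather than just log.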


5. What Transfers Directly

Structural concepts—personhood, property, contract, jurisdiction—have direct HTAS analogs because they concern who, what, and where: definable in any system with principals and resources.

Procedural concepts—due process, standing, burden of proof, limitations—map to protocol design because they specify sequence and thresholds.

Remedies are stronger in HTAS than HTS: state reversion is possible in computational systems but impossible for physical harm.


6. What Requires Interpretation Layers

Tort demands a damage function and causation model. In autonomous systems with emergent behavior, attribution is hard. AI-assisted adjudication (parent document §9.3) addresses this gap.

Good faith resists full formalization. It functions as a meta-rule: "do not weaponize the letter of the rules against their spirit." HTAS approximation: flag and escalate when a principal's action is technically compliant but pattern-anomalous.

Precedent requires a similarity metric over cases. Without a formal theory of case similarity, consistency (A8.1) cannot be enforced. This is unsolved.


7. What Is Missing: Legitimacy

Civic law derives authority from democratic consent, constitutional foundations, and historical continuity. HTAS governance derives authority from what?

Candidate sources:

  • Opt-in consent: principals voluntarily join and thereby accept governance
  • Stake-weighted voice: those with more at risk have more say
  • Exit rights: governance is legitimate if exit is always possible
  • Explicit constitutional moment: founding principals ratify axioms

An HTAS can be functionally high-trust—low verification overhead, high cooperation—without being legitimate in the sense that its authority is justified. Whether functional trust persists without legitimacy is an empirical question, not a definitional one.


8. Enforcement Hierarchy

Not all axioms enforce equally. The hierarchy, from strongest to weakest:

Mechanism | Property | Example
------------------------------------------------------------------
Constructive | Impossible to violate | Type systems; capability architecture; cryptographic commitments
Automatic revert | Violation detected and undone | Transaction rollback; invariant monitors
Economic penalty | Violation costly | Stake slashing; escrow forfeiture
Exclusion | Violator removed | Key revocation; permission removal
Probabilistic audit | Violation detected stochastically | Sampling; anomaly detection
Reputational | Violation publicized | Attestation logs; transparency reports

Design principle: maximize the constructive surface. What can be made impossible should not merely be made punishable.
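The design principle is easiest to see with one invariant pushed through two tiers. The following is an added example, not code from this document or its parent: A2.3 (an exclusive capability has at most one holder) is enforced first constructively, as a token whose API has no copy operation, and then one tier down, as plain data guarded by an invariant monitor that reverts the transaction. The class names and the op names "grant" and "release" are assumptions.

```python
# Added example, not from the source document: A2.3 (at most one holder of an
# exclusive capability) enforced at two tiers of the hierarchy above.
# ExclusiveToken, Ledger and the op names "grant"/"release" are assumed.

class ExclusiveToken:
    """Constructive tier: the capability is one object that changes hands
    only by the holder surrendering it; the API offers no copy operation,
    so a second holder cannot arise (a linear type in a typed language)."""

    def __init__(self, resource, holder):
        self.resource = resource
        self._holder = holder

    @property
    def holder(self):
        return self._holder

    def transfer(self, frm, to):
        if frm != self._holder:
            raise PermissionError(f"{frm} does not hold {self.resource}")
        self._holder = to               # surrender and hand over in one step

class Ledger:
    """Automatic-revert tier: holders are plain data, so the invariant can be
    violated; a monitor checks it after each transaction and rolls back."""

    def __init__(self):
        self.holders = {}               # resource -> set of principals
        self.reverted = []              # audit trail of rolled-back txs

    def _invariant(self):
        return all(len(hs) <= 1 for hs in self.holders.values())

    def apply(self, tx):
        """tx is a list of (op, resource, principal); op in {grant, release}."""
        snapshot = {r: set(hs) for r, hs in self.holders.items()}
        for op, resource, principal in tx:
            held = self.holders.setdefault(resource, set())
            if op == "grant":
                held.add(principal)
            elif op == "release":
                held.discard(principal)
            else:
                raise ValueError(f"unknown op {op}")
        if not self._invariant():
            self.holders = snapshot     # undo the whole transaction
            self.reverted.append(tx)
            return False
        return True
```

The token never reaches a bad state, so nothing needs to be detected; the ledger does reach one and must be caught, which is why the hierarchy ranks it lower.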


9. Open Problems

O1. AI principal status. Can an AI system be a principal? If so, what liability model applies? If an AI agent causes harm, does liability rest with the AI, its deployer, its developer, or some combination?

O2. Interpretation under ambiguity. When axioms underdetermine outcome—terms are vague, facts are contested, novel situations arise—what resolves? Human-in-the-loop? Precedent database? This is the least developed component.

O3. Cross-HTAS interoperability. Different HTAS may adopt different axiom sets. How do principals operating across systems reconcile conflicting rules? The parent document's descent/gluing framework (§8.2) provides structure but not implementation.

O4. Amendment process. How do HTAS axioms evolve? What is the constitutional amendment procedure? Who has standing to propose changes, and what threshold ratifies them?

O5. Failure mode under axiom violation. If a system claims to operate under these axioms but violates them—due process is ignored, remedies are unavailable—what recourse exists? HTAS currently lack a "court of last resort."


10. Summary

High Trust Autonomous Systems require normative foundations to sustain trust regimes. US civic law provides a tested, coherent source. The translation is structural: each legal primitive maps to an HTAS axiom with formal content.

The axiom schema (§4) is untested. Whether systems built on these axioms exhibit high-trust properties—low verification overhead, high cooperation rates, predictable dispute resolution, bounded failure—is not yet known.