On High Trust Autonomous Systems

Prior Work and Genesis

This is a riff on "High Trust / Low Trust Societies," a framing widely popularized in late-20th-century political economy and sociology (notably via Francis Fukuyama's treatment of trust as a transaction-cost suppressor).

Original context: explain why some cultures sustain large-scale cooperation with low friction (lower "tax" from monitoring, contracting, litigation), while others require heavy formalism, kinship-limited trust, or coercive enforcement.

Our contribution

We increase the level of abstraction from Societies to Autonomous Systems, then transfer the concept of High Trust to this new domain.

Reframed aim (design-first):

Humans can design conditions under which high-trust regimes emerge, scale, and persist in autonomous systems—treating trust not as a moral trait, but as an architectural assumption with measurable efficiency gains and characteristic collapse dynamics.

Core stance:

  • Trust = a conditional efficiency regime.
  • High trust reduces verification/enforcement overhead, increasing throughput and composability.
  • High trust increases tail risk under adversarial drift; collapse is predictable and non-linear.

1. Formal frame

1.1 System (object-level)

Intuition: "anything with parts and relations evolving through states."

A system is a tuple:

$$S = (E, \{R_n\}_{n \geq 1}, \Sigma, \delta)$$

where:

  • $E$ is a set of elements (components),
  • $\{R_n\}_{n \geq 1}$ is a graded family of relations, with $R_n \subseteq E^n$ for each $n \geq 1$,
  • $\Sigma$ is a state space,
  • $\delta : \Sigma \to \Sigma$ is a dynamics / transition rule.

No assumptions about agency, meaning, normativity, persistence, or internal models.

Examples: thermostat, chemical reaction network, filesystem, planetary system, fixed-weight neural net.

Remark (input-driven dynamics). For open systems, replace $\delta$ with $\delta: \Sigma \times I \to \Sigma$ for an input space $I$. Morphisms must then include an input map; see §1.2.

1.2 Category of Systems: Sys

To make "Societies ⊊ Systems" precise, we need morphisms.

Objects: systems $S = (E, \{R_n\}, \Sigma, \delta)$.

Morphisms: a morphism $f: S \to S'$ consists of:

  • $f_E : E \to E'$,
  • $f_\Sigma : \Sigma \to \Sigma'$,

satisfying:

  1. Relational preservation: for each $n \geq 1$, if $(e_1,\dots,e_n)\in R_n$ then $(f_E(e_1),\dots,f_E(e_n))\in R'_n$.
  2. Dynamics compatibility: $f_\Sigma \circ \delta = \delta' \circ f_\Sigma$.

For input-driven systems with $\delta: \Sigma \times I \to \Sigma$, a morphism additionally includes $f_I: I \to I'$ such that $f_\Sigma(\delta(\sigma, i)) = \delta'(f_\Sigma(\sigma), f_I(i))$.

This yields a category Sys.

Interpretation: morphisms are abstractions / implementations / simulations that preserve constraints + evolution.
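To make the two morphism laws concrete, here is a minimal Haskell sketch over finite carriers. The names (`System`, `Morphism`, `isMorphism`) and the toy toggle example are illustrative assumptions of this sketch, not part of the formal development above.

```haskell
-- Minimal finite encoding of Sys; a sketch, not a full formalization.
data System e s = System
  { elems     :: [e]            -- E (finite, for checkability)
  , relations :: [[[e]]]        -- {R_n}: each relation is a list of n-tuples, encoded as lists
  , states    :: [s]            -- Sigma
  , delta     :: s -> s         -- dynamics
  }

data Morphism e s e' s' = Morphism
  { fE :: e -> e'               -- component map
  , fS :: s -> s'               -- state map
  }

-- Check the two morphism laws pointwise on the finite carriers.
-- (Assumes the graded families of source and target are aligned by arity.)
isMorphism :: (Eq e', Eq s') => System e s -> System e' s' -> Morphism e s e' s' -> Bool
isMorphism src tgt (Morphism mapE mapS) = relational && dynamical
  where
    -- 1. Relational preservation: the image of every tuple of R_n lies in R'_n.
    relational = and [ map mapE tup `elem` rel'
                     | (rel, rel') <- zip (relations src) (relations tgt)
                     , tup <- rel ]
    -- 2. Dynamics compatibility: fS . delta = delta' . fS, checked on every state.
    dynamical  = and [ mapS (delta src s) == delta tgt (mapS s) | s <- states src ]

-- Toy example: a two-state toggle collapses onto a one-state fixed point.
toggle, point :: System Int Bool
toggle = System [0, 1] [[[0, 1]]] [False, True] not
point  = System [0]    [[[0, 0]]] [False]       id

main :: IO ()
main = print (isMorphism toggle point (Morphism (const 0) (const False)))  -- True
```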


2. Society as a special kind of system

2.1 Society (object-level)

Intuition: "systems composed of agents bound by norms and mutual recognition."

A society is a system:

$$S = (E, \{R_n\}, \Sigma, \delta)$$

equipped with additional structure:

$$\mathcal{S} = (S; A, N, M, \rho, \pi)$$

where:

  • $A \subseteq E$ is a distinguished non-empty set of agents.
  • $N$ is a non-empty set of norms (rules whose violation is semantically meaningful inside the system).
  • $M$ is a modeling structure (at least some agents carry internal models of others / of the society).
  • $\rho$ is a role structure (agent roles not reducible to physical adjacency/wiring).
  • $\pi$ is a persistence mechanism (social memory, reproduction, institutional continuity) supporting identity across member turnover.

Minimal agenthood (for this paper): an element $a \in A$ must satisfy:

  • (A1) ability to choose among actions (non-trivial action space),
  • (A2) ability to represent at least part of the system (internal model, even if crude),
  • (A3) participation in norm-governed evaluation (praise/blame/sanction is legible to $a$).

So, schematically:

$$\mathbf{Society} = \mathbf{System} + \mathbf{Agency} + \mathbf{Normativity} + \mathbf{Reflexive\ modeling} + \mathbf{Roles} + \mathbf{Persistence}$$

Examples: human societies, firms, states, online communities, ant colonies (if one accepts colony-level normativity / role persistence).

2.2 Category of Societies: Soc

Objects: societies $\mathcal{S} = (S; A, N, M, \rho, \pi)$.

Morphisms: $g:\mathcal{S}\to\mathcal{S}'$ is a system morphism $g: S \to S'$ plus preservation of the extra structure:

  • maps agents to agents: $g_E(A)\subseteq A'$,
  • transports norms via a norm-morphism $g_N: N \to N'$ preserving satisfaction/violation semantics,
  • respects role structure and persistence observables (at least up to isomorphism),
  • does not destroy the reflexive modeling interface (models remain interpretable under mapping).

2.3 Societies are a strict subset of systems

There is a forgetful functor:

$$U:\mathbf{Soc}\to \mathbf{Sys}$$

dropping $(A, N, M, \rho, \pi)$ and retaining $(E, \{R_n\}, \Sigma, \delta)$.

Non-fullness: $U$ is faithful but not full. A Sys-morphism between the underlying systems of two societies need not preserve agent/norm structure, so not every Sys-morphism lifts to a Soc-morphism.

Strictness: There exist systems admitting no society-structure extension.

Proof sketch: Consider a system $S$ where $E$ is a singleton $\{e\}$. Condition (A1) requires a non-trivial action space, but a single-element system with deterministic dynamics $\delta$ has no choice structure. Thus no non-empty $A \subseteq E$ satisfies the agenthood conditions, and no society structure exists. $\square$

More generally, any system lacking elements satisfying (A1)–(A3) admits no society extension. Thus:

$$\mathrm{Ob}(\mathbf{Soc}) \subsetneq \mathrm{Ob}(\mathbf{Sys})$$

3. Autonomous systems

3.1 Autonomous System (object-level)

Goal: parallel to "society" but not requiring human agents.

An autonomous system is a system:

$$S = (E, \{R_n\}, \Sigma, \delta)$$

with a distinguished set of controllers/agents $C \subseteq E$ plus governance hooks:

$$\mathcal{A} = (S;\, C,\, \Omega,\, \alpha,\, \beta,\, G,\, \tau)$$

where:

  • $C$ are decision-capable components (software agents, robots, services, model-based controllers).
  • $\Omega: \Sigma \to O$ is an observation interface (what agents can sense), with $O$ an observation space.
  • $\alpha: C \times \Sigma \to \mathcal{P}(A)$ is an action interface specifying available actions $A$ per controller and state.
  • $\beta$ is an internal modeling interface (world-model, other-agent models, forecasts).
  • $G$ is a governance layer: update rules, permissions, dispute mechanisms, audit/rollback capabilities.
  • $\tau = (p, B_v, C_d, L)$ is a trust parameterization (see §4.1); a minimal code sketch of the whole tuple follows this list.
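A minimal Haskell sketch of the tuple above, assuming finite carriers; the modeling interface $\beta$ is omitted and $G$ is collapsed to a single state invariant. All field and type names are illustrative, not canonical.

```haskell
-- Illustrative encoding of the autonomous-system tuple; beta is omitted and
-- G is reduced to a checkable invariant. Names are assumptions, not canon.
import           Data.Set (Set)
import qualified Data.Set as Set

-- Trust parameterization tau = (p, B_v, C_d, L); see section 4.1.
data Trust = Trust
  { pAdversarial :: Double   -- ambient adversarial rate p in [0,1]
  , bVerify      :: Double   -- verification budget B_v per interaction
  , cDispute     :: Double   -- dispute/adjudication cost C_d
  , lossUndet    :: Double   -- expected loss L from an undetected violation
  }

data AutoSystem c s o a = AutoSystem
  { controllers :: Set c            -- C: decision-capable components
  , observe     :: s -> o           -- Omega: observation interface
  , actions     :: c -> s -> Set a  -- alpha: available actions per controller and state
  , govern      :: s -> Bool        -- G, reduced to a state invariant
  , trust       :: Trust            -- tau
  }

-- Crude stand-in for (A1): every controller keeps a non-trivial action space
-- across a sample of states.
hasChoices :: AutoSystem c s o a -> [s] -> Bool
hasChoices sys sample =
  and [ Set.size (actions sys c s) >= 2
      | c <- Set.toList (controllers sys), s <- sample ]

-- Tiny example: two services choosing between serving and throttling.
demo :: AutoSystem String Int String String
demo = AutoSystem
  { controllers = Set.fromList ["svc-a", "svc-b"]
  , observe     = \load -> "load=" ++ show load
  , actions     = \_ load -> Set.fromList (if load > 9 then ["throttle"] else ["serve", "throttle"])
  , govern      = \load -> load >= 0
  , trust       = Trust { pAdversarial = 0.01, bVerify = 0.1, cDispute = 1, lossUndet = 100 }
  }

main :: IO ()
main = print (hasChoices demo [0, 5, 12])   -- False: all choice disappears at high load
```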

Key difference from "society":

  • Normativity may be implemented rather than socially interpreted: constraints, policies, invariants, objective functions, protocol rules.
  • "Meaningful violation" becomes: detectably out-of-policy, out-of-invariant, or out-of-contractual envelope.

Examples:

  • multi-agent service mesh with automated resource allocation,
  • autonomous trading/risk system,
  • robotic warehouse fleet,
  • protocol-governed network (incl. on-chain systems),
  • AI tool ecosystem with delegated authority.

3.2 Category of Autonomous Systems: Aut

Objects: autonomous systems $\mathcal{A} = (S; C, \Omega, \alpha, \beta, G, \tau)$.

Morphisms: $h:\mathcal{A}\to\mathcal{A}'$ consists of a Sys-morphism $(f_E, f_\Sigma): S \to S'$ plus:

  • $f_E(C) \subseteq C'$ (controllers map to controllers),
  • $f_O: O \to O'$ such that the observation square commutes: $f_O \circ \Omega = \Omega' \circ f_\Sigma$,
  • $f_A: A \to A'$ such that for all $c \in C$, $\sigma \in \Sigma$: $f_A(\alpha(c, \sigma)) \subseteq \alpha'(f_E(c), f_\Sigma(\sigma))$ (available actions are preserved or refined),
  • governance invariants and audit semantics preserved under $(f_E, f_\Sigma)$,
  • trust parameters related by $\tau' \leq \tau$ (the target system is at least as trusting), or the morphism is explicitly flagged as a trust-regime change.

There is a forgetful functor $V:\mathbf{Aut}\to\mathbf{Sys}$.

We study trust regimes primarily inside Aut, then map lessons from Soc.


4. Trust as an architectural assumption

4.1 Trust parameterization

Model trust as a system-level configuration: the assumed rate of adversarial behavior, deception, or norm-violation.

The trust parameters $\tau = (p, B_v, C_d, L)$ are:

  • $p \in [0,1]$: the ambient probability that an interaction is adversarial / dishonest / non-compliant.
  • $B_v \in \mathbb{R}_{\geq 0}$: verification budget (compute, time, friction) per interaction.
  • $C_d \in \mathbb{R}_{\geq 0}$: cost of dispute/adjudication.
  • $L \in \mathbb{R}_{\geq 0}$: expected loss from an undetected violation.

A trust regime is a choice of $B_v$ and enforcement posture as a function of $p$ and $L$.

High trust: choose low $B_v$ because expected violations are rare / bounded. Low trust: choose high $B_v$, heavy formalism, narrow permissions, constant auditing.

The trust parameters $\tau$ are housed in the autonomous system tuple (§3.1) and constrain the governance layer $G$: policies in $G$ must be consistent with the assumed $p$ (e.g., a high-trust regime with low $B_v$ cannot simultaneously mandate exhaustive verification).
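A hedged back-of-envelope model of this choice, sketched in Haskell. The detection curve `detect` (diminishing returns in $B_v$) and all numbers are assumptions of the sketch, not calibrations from the text; the point is only the shape of the comparison and the break-even $p$ at which a low-$B_v$ regime stops paying.

```haskell
-- Expected per-interaction cost of a trust regime: the verification budget,
-- plus losses from undetected violations, plus dispute costs for detected ones.
-- The detection curve is an illustrative assumption (diminishing returns).
expectedCost :: Double -> Double -> Double -> Double -> Double
expectedCost p bv cd l = bv + p * ((1 - d) * l + d * cd)
  where d = detect bv

detect :: Double -> Double     -- 0 at zero budget, saturating toward 1
detect bv = bv / (bv + 1)

-- First adversarial rate p at which the low-B_v ("trusting") regime becomes
-- at least as expensive as the high-B_v ("verifying") one, found by scanning.
breakEven :: Double -> Double -> Double -> Double -> Maybe Double
breakEven bvTrusting bvVerifying cd l =
  case [ p | p <- [0, 0.001 .. 1]
           , expectedCost p bvTrusting cd l >= expectedCost p bvVerifying cd l ] of
    []      -> Nothing
    (p : _) -> Just p

main :: IO ()
main = do
  -- Trusting regime B_v = 0.1, verifying regime B_v = 2.0, C_d = 1, L = 100.
  print (expectedCost 0.01 0.1 1 100)  -- cheap while p stays low
  print (expectedCost 0.20 0.1 1 100)  -- blows up as p drifts (see section 4.3)
  print (breakEven 0.1 2.0 1 100)      -- Just ~0.03: the regime flips early
```

The non-linearity discussed in §4.3 shows up here as the narrow band of $p$ over which the cheaper regime flips.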

4.2 Efficiency / robustness symmetry

High trust:

  • increases throughput, delegation, composability, "open joins" with new participants,
  • decreases robustness to adversarial drift and silent corruption.

Low trust:

  • increases overhead, slows coordination,
  • increases worst-case resilience and reduces catastrophic tail.

This is not moral; it is an engineering trade.

4.3 Collapse dynamics (non-linear)

High-trust systems tend to fail by threshold effects:

  • A small increase in $p$ can abruptly invalidate low-$B_v$ assumptions.
  • Failure is often correlated (reputation cascades, fraud contagion, model poisoning, shared dependency compromise).

Thus the design question becomes:

How do we enable high-trust efficiency while making collapse detectable, containable, and reversible?


5. The "categorical methods" of high trust (as prerequisites)

The point of "category-theoretic fullness" here is: stop collecting anecdotes; identify generators and factorizations that reconstruct the phenomenon without redundancy.

Below are multiple regroupings ("view angles"). Each is a different compression basis over the same infrastructure.

5.1 View angles that reveal structure (non-redundant compressions)

  1. Information topology
  • What information is globally public vs locally held?
  • How do local truths glue into a shared world-model?
  • Model this as a category $\mathbf{Ctx}$ of contexts with restriction functors $\rho_{UV}: \mathcal{F}(U) \to \mathcal{F}(V)$ for $V \subseteq U$. Confidentiality = controlled restriction; disclosure = pushforward along inclusion. Redaction is left adjoint to enrichment: for information states $\mathbf{Info}$ ordered by refinement, define $\text{Enrich}: \mathbf{Info}_{\text{coarse}} \to \mathbf{Info}_{\text{fine}}$ as the inclusion; then $\text{Redact} \dashv \text{Enrich}$ where $\text{Redact}(x) = \sup\{y \in \mathbf{Info}_{\text{coarse}} : y \leq x\}$ (a minimal sketch of this adjunction follows the list).
  2. Commitment geometry
  • How promises become enforceable constraints.
  • Escrow/hostages/irreversible stake as morphisms from "intent" to "irreversible state change."
  3. Adjudication and repair
  • Not "prevent all violation," but: detect → attribute → resolve → repair → restore legitimacy.
  • Repairability is as central as prevention in HT regimes.
  4. Identity and boundary control
  • Membership, roles, permissions, exit/fork, credential lifecycle.
  • Boundary permeability is tuned: too open collapses; too closed stagnates.
  5. Incentives and selection
  • Mechanisms that select for cooperators and eject defectors.
  • Trust persists when defection has negative expected value within the system's time horizon.
  6. Epistemic commons
  • Shared semantics, shared measurement, shared logs.
  • "Agreement surface area" determines how cheaply disputes are settled.
  7. Compositionality
  • Ability to safely compose subsystems without exponential verification.
  • Interfaces that make trust assumptions explicit and enforceable.
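Returning to view angle 1: a minimal Haskell sketch of the redaction/enrichment adjoint pair on a toy chain of disclosure levels. The levels and the coarse ("releasable") subset are assumptions of the sketch; reading $\leq$ as "at most as informative", the sup-below redaction and the inclusion form a Galois connection, and the code checks the adjunction law in the form $\text{enrich}(y) \leq x \iff y \leq \text{redact}(x)$, which is the direction the sup-below formula satisfies on this poset.

```haskell
-- Toy check of the redaction/enrichment adjoint pair from view angle 1.
-- Information levels form a chain ordered by "at most as informative";
-- the coarse sub-poset is what policy allows to leave the boundary.
-- Levels, the coarse subset, and all names here are illustrative.

levelsFine :: [Int]          -- 0 = nothing ... 3 = raw rows
levelsFine = [0 .. 3]

levelsCoarse :: [Int]        -- releasable levels only
levelsCoarse = [0, 2]

enrich :: Int -> Int         -- inclusion of coarse levels into the fine poset
enrich = id

redact :: Int -> Int         -- most informative releasable level below x
redact x = maximum [y | y <- levelsCoarse, y <= x]

-- Galois-connection law relating the two maps across the boundary:
-- releasing y is safe for x exactly when y is below the redaction of x.
galoisLaw :: Bool
galoisLaw =
  and [ (enrich y <= x) == (y <= redact x)
      | x <- levelsFine, y <- levelsCoarse ]

main :: IO ()
main = print galoisLaw  -- True
```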

6. Primitives table (with HTS, HTAS, AI-enabled HTAS)

6.1 Trust infrastructure primitives

| Primitive (generator) | HTS: concrete subsystems / controls / methods | HTAS: concrete subsystems / controls / methods | AI-enabled HTAS: conceptual focus + longer-form examples |
| --- | --- | --- | --- |
| Conditional confidentiality | NDAs; clean teams; attorney-client privilege; sealed bids; need-to-know classification; differential disclosure norms | access control; enclaves/TEEs; MPC; split knowledge; key management; data rooms; secure channels; policy-based redaction | AI clean-team broker: an LLM+policy engine mediates diligence. It answers buyer questions from a seller dataset via constrained queries, releasing only allowed aggregates, with audit trails + cryptographic commitments. It can generate counterfactual analyses without leaking raw rows by combining retrieval constraints + noise + human-approved release policies. |
| Cheap, predictable adjudication | small-claims courts; arbitration; clear commercial code; precedent; standardized contracts; ombuds | dispute workflows; runbooks; incident response; rollback procedures; consistency checks; formal verification for critical invariants | AI dispute triage + repair planner: model classifies incidents, proposes minimal repair actions, and drafts reasoned decisions grounded in logs + policy texts; humans ratify. Key: make the AI's authority recommendation-only unless bounded by reversible actions. |
| Reputation (public + club) | credit scores; professional licensing; references; social sanction; blacklists/whitelists; guilds | service reputations; SLAs; attestations; signed builds; dependency trust scores; behavior-based allowlists | LLM-based anomaly detection feeding reputation updates is dangerous unless coupled to transparency: explanations tied to verifiable events; appeal path; rate-limited penalties to prevent cascades. |
| Identity & accountability | IDs; signatures; notarization; corporate registries; audit standards; KYC/AML; chain of custody | PKI; hardware identity; signed actions; immutable logs; provenance graphs; SBOMs | AI can maintain provenance graphs, but must not become a monopoly verifier: require cross-check by independent verifiers (multi-view attestations). |
| Legibility & observability | public records; accounting; open meetings; journalism; compliance reporting | metrics/logging/tracing; state snapshots; invariants dashboards; audit pipelines | AI observability copilots reduce operator effort, but can also hallucinate diagnoses: require "cite-your-evidence" from logs; forbid action without evidence links. |
| Standard forms & interfaces | contract templates; business norms; standard accounting; ISO-like routines | schemas; protocol standards; API contracts; compatibility tests; interface stability | AI-generated glue code increases composability but increases supply-chain risk; mitigation: signed artifacts, reproducible builds, constrained generation, mandatory reviews for privilege changes. |
| Credible commitment | bonds; escrow; collateral; warranties; fiduciary duty; reputational hostages | staking; rate limits; deposits; slashing; escrow smart contracts; capability grants with timeouts | AI agents can post stake and operate under revocable capabilities; stake + revocation is stronger than "trust the model." |
| Sanction & ejection | fines; jail; firing; ostracism; market exclusion | permission revocation; quarantine; key rotation; service isolation; slashing | AI-driven sanctions must be appealable and slow enough to avoid cascading false positives; design "cooldown + human confirmation" for high-impact sanctions. |
| Onboarding & norm internalization | education; professional training; rites; mentoring; culture | docs; runbooks; tests; policy-as-code; simulation environments | AI onboarding tutors can accelerate norm acquisition; risk: teaching shortcuts. Enforce by tests + monitored probation period + limited initial capabilities. |
| Exit, fork, and refuge | emigration; secession; competing jurisdictions; unions | forking protocols; data portability; feature flags; safe-mode; circuit breakers | AI systems need "safe exit": ability to revoke delegated authority and recover control of assets/identities without bricking operations. |
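One row of the table made concrete: "capability grants with timeouts" from the credible-commitment and exit rows, sketched in Haskell. The API (`grant`, `revoke`, `use`) is an illustrative assumption, not a reference to any existing library.

```haskell
-- Minimal sketch of "capability grants with timeouts": delegated authority
-- that expires and can be revoked without touching the delegate's code.
-- All types and names are illustrative.
import Data.IORef
import Data.Time.Clock (UTCTime, getCurrentTime, addUTCTime)

data Capability = Capability
  { action    :: String        -- what the grant permits, e.g. "release-aggregates"
  , expiresAt :: UTCTime       -- timeout: grant is void after this instant
  , revoked   :: IORef Bool    -- kill switch held by the grantor
  }

grant :: String -> Double -> IO Capability
grant what seconds = do
  now  <- getCurrentTime
  kill <- newIORef False
  pure (Capability what (addUTCTime (realToFrac seconds) now) kill)

revoke :: Capability -> IO ()
revoke cap = writeIORef (revoked cap) True

-- The only way to exercise delegated authority: checks timeout and revocation
-- at use time, so "safe exit" amounts to revoking and letting grants lapse.
use :: Capability -> IO a -> IO (Either String a)
use cap act = do
  now  <- getCurrentTime
  dead <- readIORef (revoked cap)
  if dead
    then pure (Left "capability revoked")
    else if now > expiresAt cap
      then pure (Left "capability expired")
      else Right <$> act

main :: IO ()
main = do
  cap <- grant "release-aggregates" 60
  _   <- use cap (putStrLn "released aggregate report")
  revoke cap
  r   <- use cap (putStrLn "this should not run")
  print r   -- Left "capability revoked"
```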

6.2 Failure modes and anti-collapse structure

| High-trust assumption | Efficiency gain | Collapse mode | Containment / repair | AI-enabled HTAS specific hazard + mitigation |
| --- | --- | --- | --- | --- |
| "Most inputs are honest" | minimal validation | data poisoning / adversarial examples | quarantines; sampling audits; provenance checks | Models ingesting tool outputs can be poisoned. Mitigate via signed sources, trust tiers, and gated promotion from "untrusted" → "trusted." |
| "Partners won't defect" | fewer contracts, faster deals | fraud cascades; adverse selection | escrow; delayed finality; staged permissions | AI agents negotiating deals can be exploited via prompt injection/social engineering. Require fixed protocols + capability-limited tools. |
| "Disputes are rare" | cheap governance | backlog spike; legitimacy crisis | scalable arbitration; clear appeal paths | AI triage can help scale, but must be auditable and reversible; otherwise it becomes an unaccountable judge. |
| "Reputation signals are reliable" | open joining | sybil attacks; brigading; reputational collapse | identity cost; rate limits; multi-signal scoring | LLM-generated content can flood reputation surfaces. Require proof-of-personhood/effort and verifiable event links. |
| "Interfaces won't be abused" | composability | privilege escalation; supply-chain compromise | least privilege; signed builds; compartmentalization | AI codegen hastens risky modifications; enforce policy checks, test gates, and immutable deployment artifacts. |

7. Mapping HTS → HTAS (what transfers, what mutates)

High trust in societies often rests on:

  • low-cost, high-quality dispute resolution,
  • predictable enforcement,
  • shared measurement,
  • reputation that cannot be cheaply forged,
  • controlled confidentiality that enables cooperation without total transparency.

When mapped to autonomous systems:

  • "courts" become incident response + rollback + arbitration logic,
  • "contracts" become interface specs + policy-as-code + capability grants,
  • "policing" becomes monitoring + anomaly detection + strict privilege boundaries,
  • "reputation" becomes attestations + reliability scores anchored in signed events,
  • "norms" become invariants + allowed action envelopes.

Key mutation:

  • Human normativity → machine-checkable constraints (where possible).
  • Where not possible, build explicit, reviewable interpretive layers with appeals.

Example transformation: Normative Foundations of High Trust Autonomous Systems as derived from US Civic Law

8. Designing conditions for emergence (design-first program)

8.1 Emergence recipe (minimal)

  1. Make trust assumptions explicit: declare $p$ ranges and what breaks if they are violated (a minimal sketch follows this list).
  2. Bound the damage boundary: compartmentalize; least privilege; staged authority.
  3. Instrument the system: logs + provenance + invariant monitors.
  4. Make repair cheap: rollback, escrow, delayed finality, safe mode.
  5. Make defection unprofitable: stake, slashing, exclusion, timeouts, auditing lotteries.
  6. Make joining cheap but not free: friction that blocks sybils without suppressing adoption.
  7. Provide legitimate adjudication: clear process, appeal, transparency of evidence.
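A minimal Haskell sketch of step 1, with hooks into steps 3 and 4: trust assumptions as plain, reviewable data checked against observed telemetry. All field names and numbers are illustrative assumptions of the sketch.

```haskell
-- Step 1 of the recipe, sketched: trust assumptions as reviewable data with a
-- runtime check against observed telemetry. Field names are illustrative.

data TrustAssumption = TrustAssumption
  { name          :: String
  , pAssumedMax   :: Double     -- declared ceiling on the adversarial rate p
  , blastRadius   :: [String]   -- step 2: what breaks if the assumption fails
  , repairActions :: [String]   -- step 4: cheap repairs available on violation
  }

newtype Telemetry = Telemetry
  { pObserved :: Double         -- estimated adversarial rate from monitors (step 3)
  }

-- A declared assumption either still holds, or it names its own blast radius
-- and containment plan.
checkAssumption :: Telemetry -> TrustAssumption -> Either (String, [String], [String]) ()
checkAssumption t a
  | pObserved t <= pAssumedMax a = Right ()
  | otherwise                    = Left (name a, blastRadius a, repairActions a)

main :: IO ()
main = do
  let a = TrustAssumption
            { name          = "inputs-mostly-honest"
            , pAssumedMax   = 0.02
            , blastRadius   = ["ingestion pipeline", "reputation scores"]
            , repairActions = ["quarantine source", "replay from last snapshot"]
            }
  print (checkAssumption (Telemetry 0.01) a)   -- Right ()
  print (checkAssumption (Telemetry 0.10) a)   -- Left (name, blast radius, repairs)
```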

8.2 Trust gluing via descent (Grothendieck-style)

High trust rarely appears globally first. It appears locally, then extends. The analogy to Grothendieck's descent theory is precise enough to be useful:

Setup. Let $\mathbf{Trust}$ be a category where:

  • Objects are trust contexts (teams, domains, jurisdictions)—analogous to open sets in a site.
  • Morphisms are trust-preserving inclusions or refinements.
  • A trust presheaf $\mathcal{T}: \mathbf{Trust}^{\text{op}} \to \mathbf{Set}$ assigns to each context $U$ a set $\mathcal{T}(U)$ of valid commitments/attestations, with restriction maps for context narrowing.

Sheaf condition (trust gluing). $\mathcal{T}$ is a sheaf if: given a cover $\{U_i\}$ of $U$ and local sections $s_i \in \mathcal{T}(U_i)$ agreeing on overlaps ($s_i|_{U_i \cap U_j} = s_j|_{U_i \cap U_j}$), there exists a unique global section $s \in \mathcal{T}(U)$ restricting to each $s_i$.
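A minimal Haskell sketch of this gluing check, with contexts as finite sets of resources and sections as attestation assignments. The domain names and the finite-map encoding are assumptions of the sketch, not part of the formal setup.

```haskell
-- Minimal gluing check for the sheaf condition above: contexts are finite
-- sets of resources, sections assign one attestation per resource.
import           Data.List (tails)
import           Data.Map (Map)
import qualified Data.Map as Map

type Resource    = String
type Attestation = String
type Section     = Map Resource Attestation   -- a local section over a context

-- Overlap agreement: the two sections restrict to the same thing on the overlap.
agreeOnOverlap :: Section -> Section -> Bool
agreeOnOverlap s1 s2 =
  and [ Map.lookup r s1 == Map.lookup r s2
      | r <- Map.keys (Map.intersection s1 s2) ]

-- Attempt to glue local sections into a global one, or report the first
-- failing overlap (the "trust collapse diagnosis" of the design implication).
glue :: [(String, Section)] -> Either (String, String) Section
glue named =
  case [ (n1, n2) | (n1, s1) : rest <- tails named
                  , (n2, s2) <- rest
                  , not (agreeOnOverlap s1 s2) ] of
    (bad : _) -> Left bad
    []        -> Right (Map.unions (map snd named))

main :: IO ()
main = do
  let teamA = Map.fromList [("build-pipeline", "audited-2024"), ("model-v3", "signed")]
      teamB = Map.fromList [("model-v3", "signed"), ("dataset-7", "provenance-ok")]
      teamC = Map.fromList [("dataset-7", "provenance-FAILED")]
  print (glue [("A", teamA), ("B", teamB)])               -- Right (glued global section)
  print (glue [("A", teamA), ("B", teamB), ("C", teamC)]) -- Left ("B","C"): failed overlap
```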

Interpretation:

  • Local sections = locally verified trust (attestations, audit outcomes, reputation within a domain).
  • Overlap agreement = interoperability contracts (shared evidence standards, mutual recognition).
  • Global section = system-wide trust derived from compatible local trust.
  • Trust collapse = failure of the sheaf condition: local sections exist but cannot glue (inconsistent attestations, conflicting audit outcomes, broken interoperability).

Descent data. To merge trust across domains, provide:

  • Explicit overlap specifications (what evidence is shared on boundaries),
  • Cocycle conditions (transitivity: if $A$ trusts $B$ and $B$ trusts $C$ on their overlap, the induced $A$–$C$ trust is consistent),
  • Effectiveness (descent data uniquely determines the glued trust structure).

Design implication:

  • Build trust topology: contexts as opens, trust assertions as sections.
  • Verify sheaf condition before assuming global trust holds.
  • Trust collapse diagnosis: identify which overlap failed to glue.

8.3 Simplicity-first (Hickey-style constraint)

Avoid "trust by heroics." Prefer:

  • simple mechanisms,
  • explicit data,
  • small orthogonal controls,
  • minimal ambient authority.

Practical HTAS design heuristics:

  • Rules as data (versioned, reviewable).
  • Event-sourcing and immutable audit trails.
  • Separate policy decision from effectful execution (sketched below).
  • Ban hidden channels: if it matters, log it.
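The last two heuristics, sketched in Haskell: a pure policy function over explicit request data, with effects and logging confined to a small interpreter. Types, rules, and principal names are illustrative assumptions of the sketch.

```haskell
-- "Separate policy decision from effectful execution": the decision is a pure
-- function over explicit data (testable, reviewable, replayable); effects and
-- logging live only in a small interpreter. Names and rules are illustrative.

data Request = Request
  { requester  :: String
  , verb       :: String          -- e.g. "rotate-key", "release-report"
  , privileged :: Bool
  }

data Decision = Allow | Deny String | Escalate String
  deriving (Show)

-- Pure policy; "rules as data" could replace these guards with a versioned table.
decide :: [String] -> Request -> Decision
decide trustedPrincipals req
  | privileged req && requester req `notElem` trustedPrincipals =
      Escalate "privileged action from non-trusted principal"
  | verb req == "delete-audit-log" = Deny "audit trail is immutable"
  | otherwise = Allow

-- Effectful execution: the only place anything actually happens, and every
-- decision is logged ("if it matters, log it").
execute :: Request -> Decision -> IO ()
execute req d = do
  putStrLn ("decision: " ++ show d ++ " for " ++ verb req ++ " by " ++ requester req)
  case d of
    Allow      -> putStrLn ("performing " ++ verb req)
    Deny _     -> pure ()
    Escalate _ -> putStrLn "queued for human review"

main :: IO ()
main = do
  let policy = decide ["ops-lead", "release-bot"]
      reqs   = [ Request "release-bot"  "release-report"   False
               , Request "intern-agent" "rotate-key"       True
               , Request "ops-lead"     "delete-audit-log" False ]
  mapM_ (\r -> execute r (policy r)) reqs
```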

8.4 Free theorems (Wadler-style leverage)

In a language with parametric polymorphism and no escape hatches (no reflection, no unsafe casts, no side channels), parametricity yields noninterference properties:

Formal setting. Consider a typed lambda calculus with:

  • Parametric type variables: $\forall \alpha.\, \tau$
  • No typecase, instanceof, or runtime type inspection
  • No unsafe coercions or FFI escapes

Theorem (Reynolds/Wadler). If $f: \forall \alpha.\, F(\alpha) \to G(\alpha)$ is parametrically polymorphic, then for any relation $R$ between types $A$ and $B$: $F(R)(x, y) \implies G(R)(f_A(x), f_B(y))$.

Trust translation:

  • Design interfaces so subsystems cannot exfiltrate or tamper by construction.
  • Use typed capability boundaries: components receive only the powers their types permit.
  • If a module is polymorphic over "data," it can only transform, not inspect—yielding privacy/noninterference properties as theorems rather than policies (see the sketch below).
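A small Haskell illustration of this point, under the caveats listed just below: within the parametric fragment, a router that is polymorphic in the payload type can reorder or drop messages but cannot read, branch on, or exfiltrate their contents. The `Router` type and the example are assumptions of the sketch, not a reference implementation.

```haskell
{-# LANGUAGE RankNTypes #-}
-- "Trust as an interface theorem": a component polymorphic in the payload
-- type can reorder, drop, or duplicate items, but cannot depend on payload
-- contents; that is a consequence of its type, not of its goodwill.
-- (Caveat, as in the text: this holds for the parametric fragment only;
-- unsafe escape hatches and side channels are outside the guarantee.)

-- The untrusted router only ever sees the payload abstractly.
type Router = forall a. [(Int, a)] -> [(Int, a)]

-- A router we might not trust: whatever it does, it cannot inspect `a`.
dropLowPriority :: Router
dropLowPriority msgs = [ (prio, payload) | (prio, payload) <- msgs, prio >= 5 ]

-- A hypothetical leaky router would not type-check: filtering on payload
-- contents requires knowing something about `a`, e.g. a Show constraint.
-- leak :: Router
-- leak msgs = [ (p, x) | (p, x) <- msgs, show x /= "secret" ]   -- rejected

deliver :: Router -> [(Int, String)] -> [String]
deliver route msgs = map snd (route msgs)

main :: IO ()
main = print (deliver dropLowPriority [(9, "launch codes"), (1, "lunch order")])
```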

Caveats for real systems:

  • Most deployed systems have escape hatches; the theorem applies only to the parametric fragment.
  • Side channels (timing, resource consumption) can leak information outside the type system.
  • The guarantee is "up to the correctness of the type discipline and runtime enforcement."

Design implication:

  • Trust is partly an interface theorem: constrain what a participant could do, not just what they should do.
  • Maximize the parametric surface; quarantine non-parametric operations behind audited boundaries.

9. Longer-form AI-enabled HTAS sketches

9.1 AI-enabled drug formula acquisition evaluation

Motivation

Pharmaceutical companies face a bilateral information hazard in M&A and licensing:

  • Acquirers seek to expand portfolios but cannot reveal which therapeutic areas, mechanisms, or development stages interest them—disclosure invites competitive preemption and price inflation.
  • Sellers hold proprietary molecules, formulations, and trial data they cannot expose without protection—leakage destroys competitive advantage and may violate regulatory obligations.

Both parties benefit from discovering high-value matches. Neither can move first without exposing strategic intent.

The system-level goal: maximize match discovery while minimizing information leakage to non-matching parties and external observers.

link to full sketch

9.2 AI-enabled liability insurance for autonomous systems

Motivation

Corporate adoption of autonomous systems is constrained by liability uncertainty. Decision-makers cannot bound the risk: failures are difficult to anticipate, attribute, and quantify. Without quantifiable risk, insurers cannot price coverage. Without coverage, operators bear unlimited downside. Adoption stalls at the liability question, not the capability question.

This pattern has precedent. The 1893 Chicago World's Fair demonstrated electrical technology at scale—and demonstrated its dangers. Electrical fires, shocks, and equipment failures were visible and frequent. Insurers could write fire policies that implicitly covered electrical losses, but could not price the electrical risk differentially. They lacked the vocabulary to distinguish safe installations from dangerous ones.

The response emerged over the following decade. In 1894, William Henry Merrill, funded by insurance underwriters, established what became Underwriters Laboratories (UL). UL created testing protocols, published standards, and issued certification marks. A UL listing provided insurers with a proxy: "this device, tested per protocol, presents quantified risk under specified installation conditions."

link to full sketch

9.3 AI-enabled dispute resolution system (n-party adjudication)

Dispute resolution is the determination of contested claims by applying agreed rules to established facts. It is a prerequisite for high-trust coordination: parties transact more freely when they know disagreements will be resolved predictably and at bounded cost.

Current dispute resolution systems exhibit a cost-quality tradeoff:

  • High-quality resolution (experienced adjudicators, thorough process, reasoned decisions) costs \$1,000–\$50,000+ per dispute and takes weeks to months. It is economical only for disputes whose value at stake exceeds these costs.
  • Streamlined resolution (simplified process, less experienced adjudicators) reduces cost but also reduces accuracy and perceived fairness. Parties may reject outcomes or avoid the system.
  • Platform-based online dispute resolution (eBay, PayPal, Alibaba) handles high volumes at low cost for narrow dispute types, but is limited to transactions within those platforms and is often perceived as favoring the platform.
  • No resolution remains common for disputes where resolution cost exceeds value at stake. In commercial contexts: minor contract breaches, small-value SLA violations, inter-business payment disputes under $5,000. In autonomous systems: protocol violations, resource allocation conflicts, inter-agent coordination failures.

What AI changes: AI can reduce marginal adjudication cost from hundreds or thousands of dollars to single digits, making resolution economical for disputes currently abandoned. The 2024 cost of processing a complex document set and generating a structured decision via LLM is approximately \$0.10–\$10 depending on volume, compared to \$200–\$2,000+ for equivalent human review.

The design challenge: reduce cost while maintaining the structural properties that make outcomes respected.

link to full sketch

9.4 AI-enabled multilateral optimization broker

Motivation

Focus: a category of systems where participants hold hidden, possibly conditional preferences. Disclosing such preferences may be disadvantageous, but so may withholding them.

Question: How to achieve the highest collective utility when preferences are private?

link to full sketch