Governance Architecture
QUORUM enforces a strict separation between model inference and decision authority. No model output is independently actionable. Every verdict is subject to a governed arbitration pass that applies institutional policy, rule precedence ordering, and override hierarchy before a decision is finalized.
Rules are evaluated in a strict precedence stack. Whitelist rules resolve first and are final — a session matching a whitelist rule is approved without further evaluation. Blocklist rules resolve second — a match results in immediate rejection. Heuristic rules resolve third and require consensus before a verdict is issued. This ordering is not configurable at runtime; it is an architectural invariant.
Whitelist tier: resolves first. Match is final. No further evaluation. Override requires dual institution authorization.
Blocklist tier: resolves second. Match results in rejection. Blocklist entries carry expiry conditions and authored attribution.
Heuristic tier: resolves third. Requires quorum consensus before verdict. Most rules operate in this tier.
Each rule carries the following fields in its signed schema:
{
  "id": "rule_7a3f9c2e",
  "precedence": 240,
  "type": "WHITELIST | BLOCKLIST | HEURISTIC",
  "quorum_required": 2,
  "override_eligible": false,
  "effective_from": 1716000000,
  "expires_at": 1748000000 | null,
  "authored_by": "governance_key_A",
  "signed_hash": "sha256:a4f2c8d1e6b3..."
}
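A worked evaluation of the precedence stack, using the schema fields above, added here as an illustration and not QUORUM's own code. The `matches` predicate, the per-rule `verdict` field on heuristic rules, the sentinel vote map, within-tier ordering by `precedence`, and the sample rules are assumptions.

```python
# Added example (not QUORUM's own code): a session walks the fixed precedence stack.
# Rule dicts reuse the schema fields above; `matches`, `verdict` and the vote map are assumptions.
TIER_ORDER = ("WHITELIST", "BLOCKLIST", "HEURISTIC")   # architectural invariant, not a setting

def is_active(rule: dict, now: int) -> bool:
    """A rule only participates between effective_from and expires_at (epoch seconds)."""
    expires = rule.get("expires_at")
    return rule["effective_from"] <= now and (expires is None or now < expires)

def evaluate(session: dict, rules: list, votes: dict, now: int) -> dict:
    """Return the verdict, the rule that produced it, and whether it is final.

    `votes` maps a heuristic rule id to the number of sentinels that agreed it
    matched (assumed format); a heuristic match is only actionable at quorum.
    """
    for tier in TIER_ORDER:
        candidates = [r for r in rules if r["type"] == tier and is_active(r, now)]
        # Within one tier, a lower `precedence` value resolves first (assumption).
        for rule in sorted(candidates, key=lambda r: r["precedence"]):
            if not rule["matches"](session):
                continue
            if tier == "WHITELIST":      # final: no further evaluation
                return {"verdict": "APPROVED", "rule": rule["id"], "final": True}
            if tier == "BLOCKLIST":      # final: immediate rejection
                return {"verdict": "REJECTED", "rule": rule["id"], "final": True}
            if votes.get(rule["id"], 0) >= rule["quorum_required"]:
                return {"verdict": rule["verdict"], "rule": rule["id"], "final": True}
            return {"verdict": "PENDING_CONSENSUS", "rule": rule["id"], "final": False}
    return {"verdict": "NO_MATCH", "rule": None, "final": False}

# Constructed sample rules; the IP is from the documentation range 203.0.113.0/24.
RULES = [
    {"id": "wl_partner", "type": "WHITELIST", "precedence": 10, "quorum_required": 1,
     "effective_from": 0, "expires_at": None, "matches": lambda s: s["client"] == "partner_a"},
    {"id": "bl_known_bad", "type": "BLOCKLIST", "precedence": 10, "quorum_required": 1,
     "effective_from": 0, "expires_at": 1748000000, "matches": lambda s: s["ip"] == "203.0.113.7"},
    {"id": "hx_velocity", "type": "HEURISTIC", "precedence": 240, "quorum_required": 2,
     "verdict": "REJECTED", "effective_from": 0, "expires_at": None,
     "matches": lambda s: s["requests_per_min"] > 500},
]

if __name__ == "__main__":
    now = 1716000000
    noisy = {"client": "partner_a", "ip": "203.0.113.7", "requests_per_min": 900}
    print(evaluate(noisy, RULES, {}, now))                                         # whitelist wins: APPROVED
    print(evaluate({**noisy, "client": "other"}, RULES, {"hx_velocity": 1}, now))  # blocklist: REJECTED
```

Note that the expired blocklist entry drops out of the walk entirely once `now` reaches its `expires_at`, so a session that only it would have caught falls through to NO_MATCH.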
Rules do not enter production directly. Every rule transits a five-stage approval workflow. Each stage transition requires a signed approval from a governance key. Rollback is available at every stage and preserves full lineage — a rolled-back rule is not deleted; it returns to its prior stage with the rollback event recorded.
Stage 1: rule is authored and stored. Not active. Not evaluated against traffic. Available for internal review and simulation.
Stage 2: rule evaluates against live traffic without enforcing verdicts. Accumulates false positive rate, detection rate, and decision coverage metrics. Minimum 72-hour window by default.
Stage 3: governance committee reviews shadow evaluation metrics. False positive rate must meet threshold. Detection rate must exceed minimum effectiveness floor. Committee holds are applied here.
Stage 4: rule enforces on a defined subset of live traffic (10% → 50%) with hold periods between stages. False positive rate is monitored continuously. Automatic rollback on threshold breach.
Stage 5: rule is fully active. Enforces on all eligible traffic. Expiry condition is evaluated continuously. Rule remains rollback-eligible for its full production lifetime.
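The promotion gates and rollback mechanics of the five stages, as an added illustration that is not QUORUM's code. Stage names, metric field names and the two threshold values are assumptions; the 72-hour shadow window and the 10% to 50% canary steps come from the text above, and the signing of each transition is left out here.

```python
STAGES = ("DRAFT", "SHADOW", "REVIEW", "CANARY", "PRODUCTION")   # names are assumptions
SHADOW_MIN_SECONDS = 72 * 3600       # minimum shadow window stated on the page
CANARY_STEPS = (10, 50)              # percent of live traffic, stated on the page
MAX_FALSE_POSITIVE_RATE = 0.01       # assumed committee threshold
MIN_DETECTION_RATE = 0.80            # assumed effectiveness floor

class Rule:
    def __init__(self, rule_id: str):
        self.id, self.stage, self.canary_pct = rule_id, "DRAFT", 0
        self.metrics = {"shadow_seconds": 0, "fp_rate": None, "detection_rate": None}
        self.history = [("CREATE", None, "DRAFT")]   # append-only lineage, never rewritten

    def _move(self, action: str, to_stage: str) -> None:
        self.history.append((action, self.stage, to_stage))
        self.stage, self.canary_pct = to_stage, CANARY_STEPS[0] if to_stage == "CANARY" else 0

    def gate_ok(self) -> bool:
        m = self.metrics
        if self.stage == "SHADOW":        # enough shadow evaluation accumulated
            return m["shadow_seconds"] >= SHADOW_MIN_SECONDS
        if self.stage == "REVIEW":        # committee thresholds on the shadow metrics
            return (m["fp_rate"] is not None and m["fp_rate"] <= MAX_FALSE_POSITIVE_RATE
                    and m["detection_rate"] >= MIN_DETECTION_RATE)
        if self.stage == "CANARY":        # every traffic step held without breach
            return self.canary_pct == CANARY_STEPS[-1]
        return self.stage == "DRAFT"      # PRODUCTION has nowhere to go

    def promote(self) -> str:
        if not self.gate_ok():
            raise ValueError("%s: gate not met while in %s" % (self.id, self.stage))
        self._move("PROMOTE", STAGES[STAGES.index(self.stage) + 1])
        return self.stage

    def widen_canary(self) -> int:
        later = [p for p in CANARY_STEPS if p > self.canary_pct]   # caller enforces the hold period
        if self.stage != "CANARY" or not later:
            raise ValueError("no further canary step")
        self.canary_pct = later[0]
        return self.canary_pct

    def observe(self, fp_rate: float) -> str:
        """Continuous monitoring in CANARY and PRODUCTION; a breach rolls back automatically."""
        self.metrics["fp_rate"] = fp_rate
        if self.stage in ("CANARY", "PRODUCTION") and fp_rate > MAX_FALSE_POSITIVE_RATE:
            self.rollback("AUTO_ROLLBACK")
        return self.stage

    def rollback(self, action: str = "ROLLBACK") -> str:
        # Return to the prior stage; the rule is kept and the event is recorded in its lineage.
        if self.stage == "DRAFT":
            raise ValueError("nothing to roll back")
        self._move(action, STAGES[STAGES.index(self.stage) - 1])
        return self.stage
```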
Three override tiers exist in descending authority. No override is silent. Every override generates a signed governance event that is written to the audit ledger and included in the next KZG commitment window. Override events are irreversible records — they cannot be removed from ledger history.
Institution override: requires dual authorization from two distinct institution governance keys. Overrides any system decision including automated safety circuits. All institution overrides are KZG-committed to the audit ledger before taking effect. Dual-key ceremony is logged with both key identifiers.
Committee override: quorum-based. Requires a minimum 2-of-N committee key signatures where N is the configured committee size. Committee composition and key assignments are themselves governance-ledger entries. Used for rule adjudication and policy exception handling.
System override: applied only when an active safety circuit triggers. Conditions: model confidence below configured threshold, pipeline stage failure exceeding degradation floor, or explicit circuit breaker activation. System overrides are logged identically to manual overrides — the triggering condition, timestamp, and circuit state are recorded.
Verdict types carry differentiated consensus requirements. Higher-consequence verdicts require stronger quorum and more demanding signing protocols. The consensus requirement for a verdict type is fixed at the architectural level — it is not subject to runtime override without a governance event.
ISOLATED verdicts require full 3-of-3 sentinel consensus plus an institutional co-signature before enforcement. This prevents any single-party isolation action.
Every governance action — rule promotion, demotion, override, rollback — is recorded as a signed governance event in the audit ledger. The governance lineage of any active rule can be reconstructed in full from ledger state alone. QUORUM's word is not required. The ledger is the record.
Every governance event records the key identifier of the signing authority. Pseudonymous key assignment is supported; key-to-identity mapping is controlled by the institution.
Each governance event is bound to the rule epoch at time of action. Historical rule versions are reconstructable from epoch records without modification to current state.
Multi-key governance actions record all contributing key signatures. The threshold proof is verifiable — it is not possible to assert quorum was met without the signatures to prove it.
Every production rule can be rolled back to its prior state. The rollback operation is itself a signed governance event. The prior state is always recoverable from ledger history.
The complete governance history of any rule — from draft creation through every promotion, rollback, and modification — is preserved in append-only ledger entries and KZG-committed each period.
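The multi-key threshold proofs of the override tiers and the ISOLATED verdict, together with the ledger replay described in this section, as an added illustration that is not QUORUM's code. The key ids and their roles, HMAC-SHA256 in place of the real signature scheme, and the event shape are assumptions; KZG commitment of the ledger is not modelled.

```python
import hashlib
import hmac
import json

# Constructed keys; HMAC-SHA256 stands in for whatever signature scheme QUORUM actually uses.
# The role is the key id's prefix: two institution keys, a committee of N=3, three sentinels.
KEYS = {
    "institution_A": b"constructed-secret-A", "institution_B": b"constructed-secret-B",
    "committee_1": b"c1", "committee_2": b"c2", "committee_3": b"c3",
    "sentinel_1": b"s1", "sentinel_2": b"s2", "sentinel_3": b"s3",
}
KEY_ROLES = {key_id: key_id.rsplit("_", 1)[0] for key_id in KEYS}

# Quorum rules from the page, expressed as required distinct signers per role.
POLICIES = {
    "INSTITUTION_OVERRIDE": {"institution": 2},               # dual authorization
    "COMMITTEE_OVERRIDE": {"committee": 2},                   # 2-of-N committee keys
    "ISOLATED_VERDICT": {"sentinel": 3, "institution": 1},    # 3-of-3 plus co-signature
}

def canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(body: dict, key_id: str) -> str:
    return hmac.new(KEYS[key_id], canonical(body), hashlib.sha256).hexdigest()

def quorum_met(body: dict, signatures: list, policy: str) -> bool:
    """Count only distinct keys whose signature verifies over this exact body."""
    valid = set()
    for key_id, sig in signatures:
        if key_id in KEYS and hmac.compare_digest(sign(body, key_id), sig):
            valid.add(key_id)            # a set: the same key signing twice counts once
    for role, needed in POLICIES[policy].items():
        if sum(1 for k in valid if KEY_ROLES[k] == role) < needed:
            return False
    return True

def record_event(ledger: list, body: dict, signatures: list) -> None:
    """Append only when the threshold proof holds; the signatures stay with the event."""
    if not quorum_met(body, signatures, body["policy"]):
        raise PermissionError("threshold not met for %s" % body["policy"])
    ledger.append({**body, "signatures": list(signatures)})

def verify_ledger(ledger: list) -> bool:
    """Re-check every event's threshold proof from ledger content alone."""
    return all(quorum_met({k: v for k, v in e.items() if k != "signatures"}, e["signatures"], e["policy"])
               for e in ledger)
```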