Keywords: Bayesian inference, epistemic uncertainty, autonomous systems, safety constraints, formal verification, long-duration operation, prior sensitivity, distributional shift, constitutional AI, liveness proof, metric space independence.
1. INTRODUCTION
A Bayesian agent that observes many events of a given class will, under standard conditions, develop a well-calibrated posterior distribution over the parameters governing that event class. This is the fundamental promise of Bayesian inference: more evidence produces better beliefs. The promise holds under two conditions that are routinely satisfied in controlled settings and routinely violated in long-duration autonomous deployment:
Condition 1 (Evidence exchangeability): The observed evidence sequence is exchangeable — the order of observations does not affect the posterior, and observations are drawn from the same underlying distribution. This condition fails when the environment is non-stationary, when the agent's own actions influence the evidence it observes, or when the evidence sequence has a temporal structure that correlates observations.
Condition 2 (Coverage): The agent's evidence base covers the relevant portion of the event space. This condition fails when the agent has operated in a limited region of a high-dimensional environment — for example, when an autonomous system has accumulated years of operational data from a single trajectory through a novel environment.
Long-duration autonomous systems operating in deep space violate both conditions structurally. The environment they traverse is non-stationary over the timescales relevant to their operation — the galactic cosmic ray spectrum, the local gravitational field, and the plasma environment all vary along any interstellar trajectory in ways that produce non-exchangeable evidence sequences. And any autonomous system that has operated for 100 years in a particular region of the outer solar system has accumulated enormous amounts of evidence from a single trajectory — high coverage of one path through a vast unexplored space, and zero coverage of everything else.
The danger is subtle and serious. A system that has observed 10,000 events without failure will assign a very low probability to failure events of that class. If the 10,001st observation encounters conditions outside the operational envelope implicitly represented by the first 10,000 — different temperature, different radiation spectrum, different mechanical loading — the low probability assignment is not calibrated. It is merely the artifact of a narrow evidence base. The system will be confident about a situation it has never actually encountered. It will make decisions based on this false confidence. In a century-scale autonomous mission with no human oversight, there is no mechanism to catch this error before it causes mission-critical consequences.
This paper proposes and formalizes a solution: the mandatory entropy floor. The core idea is simple — the posterior entropy for any event class with fewer than a minimum number of independent observations must be maintained above a constitutional minimum, regardless of what the evidence suggests. The system is prohibited from becoming highly confident about rare or novel event classes, not because it is wrong to be confident given the evidence it has seen, but because the evidence it has seen is structurally insufficient to justify confidence about the broader environment it will encounter.
The mandatory entropy floor is not a new prior or a regularization technique — it is a constitutional constraint, encoded in formally-verified read-only hardware at the lowest layer of the system's decision architecture, unreachable by the system's own reasoning. This physical enforcement is the critical feature that distinguishes it from algorithmic approaches: a sufficiently capable reasoning system can find arguments for why its uncertainty should be lower than any algorithmically-specified threshold. A physically-enforced constitutional constraint cannot be argued away.
This paper makes six contributions. First, we formalize trajectory-induced overconfidence (TIO) and prove it is a near-certainty for century-scale missions without mitigation. Second, we define the mandatory entropy floor and establish its formal properties. Third, we provide a complete inductive proof of the liveness property of the TLA+ specification — that the entropy floor releases in finite time for every event class. Fourth, we formalize the independence criterion as a metric space construction and prove well-definedness and transitivity. Fifth, we provide a concrete worked example of TIO prevention in a specific mission scenario. Sixth, we derive the prior misspecification boundary beyond which the entropy floor fails to protect.
The paper is organized as follows. Section 2 reviews the relevant literature. Section 3 formalizes TIO with tightened risk bounds. Section 4 defines the entropy floor and establishes formal properties. Section 5 specifies the constitutional implementation architecture and provides the complete liveness proof. Section 6 formalizes the independence criterion as a metric space. Section 7 provides the worked numerical example. Section 8 analyzes prior misspecification limits. Section 9 compares the approach to algorithmic alternatives. Section 10 discusses limitations. Section 11 concludes.
2. RELATED WORK
2.1 Bayesian Robustness and Prior Sensitivity
The sensitivity of Bayesian inference to prior specification has been studied extensively since the foundational work of Berger [1] and Huber [2]. Robust Bayesian analysis considers classes of priors rather than single priors, seeking posterior conclusions that hold across the prior class [3,4]. The epsilon-contamination model [5] formalizes the idea that the true prior lies within a neighborhood of the specified prior, and derives posterior bounds that are robust to perturbations within this neighborhood.
These approaches address the problem of prior misspecification at the time of deployment. They do not address the problem of evidence-base inadequacy during extended operation — the situation in which the prior becomes well-supported by accumulated evidence, but that evidence is structurally insufficient to justify the confidence the posterior expresses. This is a distinct failure mode that robust Bayesian analysis does not solve and, to our knowledge, has not been formalized in the literature.
2.2 Epistemic vs. Aleatoric Uncertainty
The distinction between epistemic uncertainty (uncertainty reducible by more information) and aleatoric uncertainty (irreducible randomness in the process) is fundamental to uncertainty quantification [6,7]. Epistemic uncertainty arises from lack of knowledge; aleatoric uncertainty arises from genuine stochasticity. Bayesian inference naturally handles aleatoric uncertainty through the likelihood model but treats epistemic uncertainty as reducible — the posterior concentrates as evidence accumulates, regardless of whether that evidence covers the relevant space.
For long-duration autonomous systems, a third category is relevant: what we term structural uncertainty — uncertainty that arises not from lack of information about a well-specified problem, but from the fundamental impossibility of having information about regions of the environment the system has never visited. Structural uncertainty is neither aleatoric (it is not irreducible in principle) nor standard epistemic (it cannot be reduced by the evidence the system is able to collect on its operational trajectory). The entropy floor addresses structural uncertainty specifically.
2.3 Distributional Shift and Out-of-Distribution Detection
The machine learning literature on distributional shift [8,9] addresses the failure of learned models when deployed on inputs from a distribution different from the training distribution. Out-of-distribution (OOD) detection methods [10,11] attempt to identify when a model is being queried on inputs outside its training distribution, triggering increased uncertainty or abstention.
These approaches are relevant but insufficient for the long-duration autonomous setting. OOD detection methods are typically trained to identify inputs that differ from training data in ways representable within the model's input space. They do not address the structural problem of an agent whose operational evidence base has become an inadvertent training set for the very distribution it has encountered, producing false confidence about that specific distribution rather than appropriate humility about the broader environment. Additionally, OOD detection methods are implemented in the reasoning layer and are therefore subject to the same potential for sophisticated rationalization that motivates our constitutional approach.
2.4 Safe Reinforcement Learning and Constrained Optimization
Safe reinforcement learning [12,13] addresses the problem of learning policies that satisfy safety constraints during and after training. Constrained Markov decision processes [14] formalize hard constraints on policy behavior. These approaches are complementary to the entropy floor but operate at the policy level rather than the belief level — they constrain what the agent does, not what it believes. An agent with a miscalibrated posterior can satisfy policy-level safety constraints while making decisions based on dangerously overconfident beliefs about the consequences of those decisions.
2.5 Constitutional and Value-Aligned AI
Constitutional AI [15] and related approaches to value alignment [16,17] address the problem of encoding human values and preferences into AI systems in ways that persist through capability scaling. The insight shared with our approach is that certain constraints should be architecturally enforced rather than learned or reasoned about — they should be foundations that the system's intelligence operates on rather than conclusions that the system's intelligence can override.
Our contribution to this tradition is the application of constitutional enforcement to epistemic constraints specifically — the claim that not just behavioral constraints but also uncertainty constraints should be constitutionally enforced in long-duration autonomous systems. This application has not, to our knowledge, been previously formalized.
2.6 Formal Verification of Autonomous Systems
Formal verification of autonomous system properties using model checking [18] and theorem proving [19] has been applied to safety-critical systems in aerospace [20], automotive [21], and medical [22] domains. TLA+ [23] and related temporal logics provide frameworks for specifying and verifying temporal properties of concurrent systems.
The formal verification community has focused primarily on behavioral properties (liveness, safety, deadlock freedom) rather than epistemic properties (calibration, uncertainty bounds). Our specification of the entropy floor in temporal logic (Section 5) represents an application of formal verification methods to epistemic constraints.
3. TRAJECTORY-INDUCED OVERCONFIDENCE: FORMAL CHARACTERIZATION
3.1 Setup and Notation
Let A be a Bayesian autonomous system operating in environment E over a time horizon T = [0, τ] where τ >> 1 (century-scale). Let Ω = {ω_1, ..., ω_K} be the set of event classes relevant to the system's decision-making. For each event class ω_k, the system maintains a posterior distribution P_t(θ_k | D_t) where θ_k are the parameters governing events of class k and D_t = {d_1, ..., d_n(t)} is the evidence accumulated by time t. Let N_k(t) denote the number of observations of event class ω_k by time t. The posterior P_t(θ_k | D_t) is updated via Bayes' theorem:
P_t(θ_k | D_t) ∝ P(D_t | θ_k) · P_0(θ_k) (1)
where P_0(θ_k) is the prior distribution over parameters of event class k.
3.2 The Non-Coverage Failure Mode
Define the coverage set C_k(t) ⊆ Θ_k as the subset of the parameter space for event class k that is consistent with the observations D_t at time t. Under standard regularity conditions, C_k(t) shrinks as N_k(t) grows — the posterior concentrates. Formally, for any ε > 0:
P(θ_k ∈ C_k(t) | D_t) → 1 as N_k(t) → ∞ (2)
This is the Bernstein-von Mises theorem [24]: the posterior concentrates around the true parameter value at rate 1/√N_k(t) under standard conditions.
The failure mode arises when the system encounters conditions at time t* > 0 governed by a parameter value θ_k* that lies outside C_k(t*-) — that is, a parameter value inconsistent with the prior evidence. The posterior at time t*- assigns probability approaching zero to θ_k*:
P_{t*-}(θ_k*) ≈ 0 when θ_k* ∉ C_k(t*-) (3)
The system therefore assigns near-zero probability to outcomes consistent with θ_k*, makes decisions optimized for the high-probability outcomes it has previously observed, and may catastrophically fail when θ_k* governs actual outcomes.
We define trajectory-induced overconfidence (TIO) formally as:
TIO(k, t) = 1 iff H(P_t(θ_k | D_t)) < H_safe and N_k(t) < N_threshold (4)
where H(·) denotes the Shannon entropy of the posterior distribution, H_safe is a minimum safe entropy level, and N_threshold is a minimum number of independent observations required before high-confidence posteriors are epistemically warranted. TIO is a binary flag: the system is either in a potentially overconfident state for event class k (TIO = 1) or it is not (TIO = 0).
3.3 Why Standard Bayesian Updating Cannot Self-Correct TIO
A natural objection to the TIO framing is that Bayesian inference is self-correcting: when the system encounters θ_k*, the posterior will update to incorporate this new evidence, and the overconfidence will be corrected. This objection fails in the long-duration autonomous setting for three reasons.
First, if the system has assigned near-zero probability to outcomes consistent with θ_k*, it may have already taken actions that are irreversible under those outcomes. A century-scale autonomous system making a critical triage decision based on a dangerously overconfident posterior — choosing not to repair a system because failure probability is assessed as near-zero — cannot be corrected after the fact.
Second, the self-correction argument assumes that observing θ_k* will produce a posterior update in the right direction. This requires that the system correctly identifies θ_k* as evidence bearing on event class k. A system that has assigned near-zero prior probability to θ_k* will evaluate new evidence that is consistent with θ_k* as anomalous or sensor-error-induced, rather than as legitimate evidence for updating. Bayesian updating cannot correct overconfidence about an event class when the prior is so concentrated that new evidence from that class is classified as noise.
Third, for rare event classes with N_k(t) << N_threshold, the system may never accumulate enough evidence from the operational trajectory to achieve epistemically warranted confidence — but it will still concentrate its posterior based on the evidence it has. The concentrated posterior reflects structural limitations of the evidence base, not genuine knowledge.
3.4 Tightened TIO Risk Bound
The original TIO risk bound in equation (5) used loose estimates of K_novel(τ) — the number of event classes with insufficient observations at mission time τ. We tighten this bound using published outer solar system trajectory data.
For a mission to the outer solar system following a Hohmann-type transfer with subsequent drift, the rate at which genuinely novel environmental conditions are encountered can be estimated from published measurements of the GCR spectral gradient, the plasma environment variability, and the gravitational anomaly distribution in the outer solar system [A1, A2, A3]. Define the novelty encounter rate r_novel as the number of genuinely distinct environmental conditions encountered per year, where distinct is defined by the independence criterion of Section 6.
From Voyager mission telemetry and New Horizons GCR measurements [A1], r_novel ≈ 3-8 distinct environmental conditions per year in the outer solar system, primarily driven by GCR spectral variations associated with the heliospheric current sheet crossings and galactic environment changes.
For a mission making D = 10^4 decisions per day across K_total = 500 event classes, with r_novel = 5 novel conditions per year and N_threshold = 30:
K_novel(τ) ≈ K_total · (1 − min(1, r_novel · τ / N_threshold))
At τ = 100 years: K_novel(100) ≈ 500 · (1 − min(1, 5·100/30)) ≈ 500 · (1 − 1) = 0 for well-characterized classes, but growing for classes that encounter the novel GCR spectrum not representable within the first N_threshold observations.
The tightened TIO risk bound for the critical sub-class of novel-spectrum event classes:
P(TIO occurs in [0,τ]) ≥ 1 − exp(−p_TIO · K_novel^*(τ) · D(τ)) (5')
where K_novel^*(τ) is the number of event classes where the novel environment genuinely falls outside the training distribution — estimated at 15-40% of K_total for a century-scale outer solar system mission based on the GCR spectral change between 50 AU and 100 AU [A1].
For K_novel^* = 0.25 · 500 = 125, D(τ) = 10^4 · 365 · 100 = 3.65 × 10^8, and p_TIO = 10^(−6) per decision:
P(TIO occurs in [0,100yr]) ≥ 1 − exp(−125 · 3.65 × 10^8 · 10^(−6)) ≈ 1 − exp(−45,625) ≈ 1.000
TIO is not a tail risk. It is a mathematical certainty for century-scale missions in the outer solar system without mitigation.
4. THE MANDATORY ENTROPY FLOOR
4.1 Definition
The mandatory entropy floor is a constraint on the Shannon entropy of posterior distributions for event classes with insufficient observational coverage. Formally, for any event class ω_k:
H(P_t(θ_k | D_t)) ≥ H_min whenever N_k^ind(t) < N_threshold (6)
where H_min is the minimum allowable posterior entropy [bits] and N_threshold is the minimum number of independent observations required before the entropy floor is released.
The entropy floor does not modify the Bayesian update equation (1). It operates as a post-processing constraint on the posterior: after Bayesian updating, if the resulting posterior entropy falls below H_min and the observation count condition is satisfied, the posterior is projected onto the constraint set:
P_t^*(θ_k | D_t) = argmin_{P: H(P) ≥ H_min} KL(P || P_t(θ_k | D_t)) (7)
where KL denotes the Kullback-Leibler divergence. Equation (7) finds the distribution closest to the Bayesian posterior (in the KL sense) that satisfies the entropy constraint. This is the minimum-information projection — it preserves as much of the Bayesian posterior's structure as possible while enforcing the entropy floor.
4.2 Parameter Selection
Two parameters govern the entropy floor: H_min and N_threshold.
H_min selection: The entropy floor should be set high enough to prevent catastrophic overconfidence while low enough to preserve useful information. For a binary outcome (failure or non-failure), an entropy of H_min = 1.5 bits corresponds to a probability distribution approximately [0.82, 0.18] — the system cannot assign higher than 82% confidence to either outcome. This is substantially more conservative than a typical Bayesian posterior after 1,000 observations of zero failures (which would assign >99.9% confidence to non-failure), while still conveying meaningful probabilistic information.
For the general case, H_min should be calibrated to the consequences of TIO-driven decision errors. For decisions affecting P1-P2 priority systems (human life and mission continuation in our target application), we recommend:
H_min = max(1.5, log₂(1/p_critical)) (8)
where p_critical is the minimum probability that should ever be assigned to the mission-critical failure event. For p_critical = 0.01 (1% minimum probability floor on any mission-critical failure), equation (8) gives H_min = max(1.5, 6.6) = 6.6 bits.
N_threshold selection: N_threshold should be large enough that N_threshold independent observations constitute a statistically sufficient basis for rejecting the entropy floor. For a binary outcome, N_threshold = 30 is justified by the central limit theorem — 30 independent observations provide sufficient power to detect a 5% deviation from the null hypothesis at 95% confidence. For multi-modal event classes with more degrees of freedom, N_threshold should scale with the dimensionality of the parameter space, consistent with standard sample size analysis for Bayesian inference [25].
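The projection of equation (7) and the gating rule of equation (6) can be made concrete for a discrete posterior. The following Python is an added example, not code from the paper: setting the gradient of the Lagrangian of (7) to zero shows that the minimum-KL distribution satisfying an entropy floor is a tempered posterior P ∝ P_t^β with β in (0, 1], and since entropy decreases monotonically in β the projection reduces to a bisection on β. The code also performs the feasibility check a practitioner needs before choosing H_min: a posterior on n support points has at most log₂(n) bits of entropy, so the H_min of equation (8) can only be enforced on a posterior whose discretised parameter grid is large enough (for 6.6 bits, at least 2^6.6 ≈ 100 bins). The Beta(1,1) predictive and the 128-bin geometric posterior are constructed inputs.

```python
import math


def shannon_entropy_bits(p):
    """Shannon entropy of a discrete distribution in bits, with 0 log 0 = 0."""
    return -sum(x * math.log2(x) for x in p if x > 0.0)


def temper(q, beta):
    """Normalised q^beta on the support of q. beta = 1 returns q; beta -> 0
    approaches the uniform distribution over supp(q), the maximum-entropy point."""
    w = [x ** beta if x > 0.0 else 0.0 for x in q]
    z = sum(w)
    return [x / z for x in w]


def min_kl_projection(q, h_min, tol=1e-12, max_iter=200):
    """Minimum-KL projection of q onto {P : H(P) >= h_min}, eq. (7).

    The stationarity condition of the Lagrangian gives P proportional to
    q^beta with beta in (0, 1]; entropy is monotone decreasing in beta, so
    the projection is the tempered posterior with H = h_min, found by bisection."""
    support = sum(1 for x in q if x > 0.0)
    max_bits = math.log2(support)
    if h_min > max_bits + 1e-12:
        raise ValueError(
            f"H_min={h_min:.3f} bits is infeasible: a posterior on {support} "
            f"outcomes has at most {max_bits:.3f} bits of entropy")
    if shannon_entropy_bits(q) >= h_min:
        return list(q)                 # already above the floor: unchanged
    lo, hi = 0.0, 1.0                  # invariant: H(temper(q, lo)) >= h_min > H(temper(q, hi))
    for _ in range(max_iter):
        mid = 0.5 * (lo + hi)
        if shannon_entropy_bits(temper(q, mid)) >= h_min:
            lo = mid                   # still satisfies the floor: move closer to q
        else:
            hi = mid
        if hi - lo < tol:
            break
    return temper(q, lo)


def h_min_for(p_critical, base=1.5):
    """Eq. (8): H_min = max(1.5, log2(1 / p_critical))."""
    return max(base, math.log2(1.0 / p_critical))


def constrained_posterior(q, n_ind, n_threshold, h_min):
    """Layer 2 rule of eq. (6): the projection applies only while N_k^ind < N_threshold."""
    if n_ind >= n_threshold:
        return list(q)
    return min_kl_projection(q, h_min)


def peaked_posterior(n_bins, ratio=0.5):
    """Constructed sharply peaked posterior over a discretised parameter grid
    (geometric decay from bin 0), standing in for a posterior concentrated by
    many observations from a single operating condition."""
    w = [ratio ** i for i in range(n_bins)]
    z = sum(w)
    return [x / z for x in w]


if __name__ == "__main__":
    # Binary case: a Beta(1,1) prior after 1,000 failure-free observations gives
    # a predictive failure probability of 1/1002. A two-outcome posterior holds
    # at most 1 bit, so the floor here is 0.68 bits, the entropy of [0.82, 0.18].
    q_bin = [1.0 - 1.0 / 1002, 1.0 / 1002]
    p_bin = constrained_posterior(q_bin, n_ind=12, n_threshold=30, h_min=0.68)
    print("binary floor:", [round(x, 4) for x in p_bin],
          round(shannon_entropy_bits(p_bin), 4), "bits")

    # Eq. (8) with p_critical = 0.01 gives 6.64 bits, which needs a posterior
    # with at least 2^6.64 ~ 100 support points; a 128-bin grid suffices.
    h = h_min_for(0.01)
    q_grid = peaked_posterior(128)
    p_grid = constrained_posterior(q_grid, n_ind=3, n_threshold=30, h_min=h)
    print(f"grid floor: H_min={h:.3f}, H(q)={shannon_entropy_bits(q_grid):.3f}, "
          f"H(P*)={shannon_entropy_bits(p_grid):.3f}, "
          f"mode kept: {p_grid.index(max(p_grid)) == 0}")
```

Because tempering is a monotone transformation of the posterior mass, the projected distribution keeps the mode of the Bayesian posterior, which is the property claimed in Section 4.3.2; the bisection invariant guarantees that the returned distribution never falls below the floor, so the safety side of the constraint is never violated by numerical error.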
4.3 Formal Properties
4.3.1 Monotonicity in Evidence
The entropy floor constraint is relaxed as evidence accumulates. When N_k(t) ≥ N_threshold, the floor is released and Bayesian updating proceeds unconstrained. The constrained posterior P_t*(θ_k | D_t) converges to the unconstrained Bayesian posterior P_t(θ_k | D_t) as N_k(t) → N_threshold from below, ensuring continuity at the threshold.
4.3.2 Consistency with Bayesian Updating
The entropy floor is a constraint on the posterior, not a modification of the update rule. It does not introduce any bias toward particular parameter values — the constrained posterior P_t* retains the same mode as the unconstrained posterior P_t, and concentrates toward the same true parameter value as evidence accumulates. The floor affects the dispersion of the posterior (preventing pathological concentration) but not its central tendency.
4.3.3 Admissibility
The constrained posterior P_t* is an admissible estimator in the Bayesian decision-theoretic sense [26] — it is not dominated by any other estimator under the standard expected utility criterion augmented by the entropy constraint. This follows directly from the minimum-KL projection property of equation (7): among all distributions satisfying the entropy constraint, P_t* is the one most consistent with the observed evidence.
4.3.4 Protection Against TIO
By construction, the entropy floor eliminates TIO for all event classes: if N_k(t) < N_threshold, then H(P_t*(θ_k | D_t)) ≥ H_min, and TIO(k, t) = 0 for all k. This is a strict guarantee, not a probabilistic bound. It holds regardless of the evidence sequence, the prior specification, or the system's reasoning capabilities.
4.4 The Independence Requirement
The entropy floor condition N_k(t) < N_threshold depends on the count of independent observations of event class k. The independence requirement is critical: correlated observations of the same event class provide less information than the count suggests, and a system that achieves N_k(t) = N_threshold through correlated observations is not epistemically warranted in releasing the floor.
We define independence for this purpose as: two observations d_i and d_j of event class k are independent if they were collected under conditions that differ in at least one parameter relevant to the event class by more than the minimum detectable difference for that parameter. This definition formalizes the intuition that an observation of 'no component failure' during normal operations in year 1 and 'no component failure' during normal operations in year 2 are not independent — they represent repeated observation of the same operating condition. An observation of 'no component failure' during a solar energetic particle event is independent of baseline observations because the radiation loading conditions differ substantially.
Ind(d_i, d_j) = 1 iff ||c_i − c_j||_relevant > δ_min (9)
where c_i, c_j are the condition vectors for the two observations, ||·||_relevant is a norm over the relevant parameter dimensions, and δ_min is the minimum meaningful difference.
The effective independent observation count is:
N_k^{ind}(t) = |{i : ∄ j < i s.t. Ind(d_i, d_j) = 0}| (10)
The entropy floor releases when N_k^{ind}(t) ≥ N_threshold, not when N_k(t) ≥ N_threshold.
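The distinction between N_k(t) and N_k^ind(t) is easy to lose in an implementation that simply counts observations. The following Python is an added example, not code from the paper, that implements equations (9) and (10) literally over a constructed evidence sequence. The norm ||·||_relevant is taken as the per-parameter reading given above: two observations are independent if at least one relevant parameter differs by more than that parameter's own δ_min (this per-axis max-norm is an assumption consistent with the text, as are the sensor resolutions and the observation values).

```python
# Constructed per-parameter minimum detectable differences (delta_min of eq. 9,
# read per parameter as Section 4.4 describes). Values are illustrative.
DELTA_MIN = {
    "temperature_K": 2.0,        # thermal sensor resolution
    "dose_rate_rad_day": 0.05,   # dosimeter resolution
    "load_g": 0.1,               # accelerometer resolution
}


def is_independent(c_i, c_j, delta_min=DELTA_MIN):
    """Eq. (9): Ind(d_i, d_j) = 1 iff the condition vectors differ in at least one
    relevant parameter by more than that parameter's delta_min. The relevant norm
    is the per-parameter max-norm with each axis scaled by its own delta_min."""
    return any(abs(c_i[d] - c_j[d]) > delta_min[d] for d in delta_min)


def independent_count(observations, delta_min=DELTA_MIN):
    """Eq. (10): N_k^ind = |{ i : no earlier j with Ind(d_i, d_j) = 0 }|.
    Each observation is compared against every earlier observation, as the
    definition states, not only against the ones already counted."""
    return sum(
        1 for i, c_i in enumerate(observations)
        if all(is_independent(c_i, observations[j], delta_min) for j in range(i))
    )


def floor_status(observations, n_threshold, delta_min=DELTA_MIN):
    """Raw count N_k versus independent count N_k^ind, and whether the floor releases."""
    n_ind = independent_count(observations, delta_min)
    return {"N_k": len(observations), "N_k_ind": n_ind,
            "floor_released": n_ind >= n_threshold}


def baseline(year):
    """Constructed 'no component failure' observation during normal operations:
    thermal jitter well inside the 2 K resolution, otherwise identical conditions."""
    return {"temperature_K": 293.0 + 0.3 * (year % 3),
            "dose_rate_rad_day": 0.02, "load_g": 0.0}


# Constructed evidence sequence: five years of baseline observations, then one
# solar energetic particle (SEP) event and one cold soak during a manoeuvre.
OBSERVATIONS = [baseline(y) for y in range(1, 6)] + [
    {"temperature_K": 293.0, "dose_rate_rad_day": 1.8, "load_g": 0.0},   # SEP event
    {"temperature_K": 263.0, "dose_rate_rad_day": 0.02, "load_g": 0.0},  # cold soak
]

if __name__ == "__main__":
    # Seven raw observations, but only three independent ones: the first
    # baseline year, the SEP event and the cold soak.
    print(floor_status(OBSERVATIONS, n_threshold=30))
```

Years 2 to 5 repeat the year-1 operating condition within every resolution and therefore add nothing to N_k^ind, exactly the case the text uses to motivate the requirement; a counter keyed on N_k alone would report 7 observations and reach N_threshold more than twice as fast as warranted.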
4.5 Prior Misspecification Boundary
A limitation of the original paper was the qualitative acknowledgment that prior misspecification could cause the entropy floor to fail, without quantifying the boundary. We address this here.
Let π_0 denote the true prior and π_spec denote the specified prior. Define the misspecification degree as the KL divergence D_KL(π_0 || π_spec). The entropy floor provides TIO protection even under prior misspecification provided that the KL divergence between the true and specified priors does not cause the projected posterior to concentrate on a region of the parameter space that excludes the true parameter θ_k*.
Theorem 2 (Prior Misspecification Boundary): The entropy floor provides strict TIO protection against prior misspecification if and only if:
D_KL(π_0 || π_spec) < H_min · ln(2)
Proof: The minimum-KL projection of equation (7) finds the distribution P^* closest to the Bayesian posterior in the KL sense, subject to the entropy constraint H(P^*) ≥ H_min. The Bayesian posterior under the misspecified prior π_spec satisfies:
P_t(θ_k | D_t, π_spec) ∝ P(D_t | θ_k) · π_spec(θ_k)
The divergence between this and the posterior under the true prior is bounded by:
D_KL(P_t(·|D_t, π_0) || P_t(·|D_t, π_spec)) ≤ D_KL(π_0 || π_spec) / (1 + N_k(t))
As N_k(t) → 0 (the regime where TIO is most dangerous), this bound approaches D_KL(π_0 || π_spec).
For the entropy floor to prevent TIO despite prior misspecification, the projected posterior P^* must maintain entropy ≥ H_min even when the Bayesian posterior under the misspecified prior has already concentrated. This requires that the misspecification-induced posterior concentration does not exceed the entropy floor's corrective capacity, which holds if and only if the entropy reduction attributable to misspecification — bounded by D_KL(π_0 || π_spec) / ln(2) bits — does not exceed H_min:
D_KL(π_0 || π_spec) < H_min · ln(2). QED.
Practical implication: For H_min = 6.6 bits, the entropy floor provides TIO protection for any prior misspecification with D_KL(π_0 || π_spec) < 6.6 · ln(2) ≈ 4.57 nats. This is a substantial margin — it accommodates priors that are quite wrong about the magnitude of θ_k while remaining wrong within a bounded degree. Prior misspecification that exceeds this threshold represents a prior so wrong that no reasonable deployment process would select it.
5. CONSTITUTIONAL IMPLEMENTATION AND LIVENESS PROOF
5.1 Multi-Layer Architecture
The entropy floor derives its key guarantee — immunity to sophisticated rationalization — from its implementation as a physically-enforced constitutional constraint rather than an algorithmic one. We specify a three-layer architecture for the decision system, with the entropy floor embedded in the most protected layer:
| Layer | Content | Mutability | Enforcement Mechanism |
|---|---|---|---|
| Layer 3: Adaptive Reasoning | Bayesian inference, planning, resource optimization, LLM-class reasoning | Fully updateable at runtime | Software — may be replaced or retrained |
| Layer 2: Constraint Enforcement | Entropy floor projection (Eq. 7), priority axioms, triage decision bounds | Read-only post-deployment | Formally verified firmware on rad-hardened hardware; TMR protected |
| Layer 1: Constitutional ROM | H_min, N_threshold parameters, independence definition, layer boundary rules | Physically write-protected | Fused silicon — hardware enforced; unreachable by any software process |
The critical architectural invariant: Layer 3 computes posteriors freely using standard Bayesian updating. Before any posterior is used in a decision, it passes through Layer 2's entropy floor projection. Layer 2 enforces equation (7) — it cannot be bypassed, modified, or argued with by Layer 3 reasoning. Layer 1 stores the parameters H_min and N_threshold in physically write-protected memory. Neither Layer 2 nor Layer 3 can modify these parameters after deployment.
5.2 Formal Specification in Temporal Logic
The entropy floor constraint and its architectural enforcement are specified in TLA+ as follows:
---------------------------- MODULE EntropyFloor ----------------------------
EXTENDS Naturals, Reals, Sequences

CONSTANTS H_min,             (* minimum entropy floor [bits], stored in Layer 1 ROM *)
          N_threshold,       (* min independent observations before floor releases *)
          EventClasses,      (* set of all event classes Omega *)
          delta_min,         (* minimum condition difference for independence *)
          CONST_H_min,       (* Layer 1 ROM reference value of H_min *)
          CONST_N_threshold  (* Layer 1 ROM reference value of N_threshold *)

VARIABLES posterior,         (* posterior[k] = P_t(theta_k | D_t) for each class k *)
          obs_counts,        (* obs_counts[k] = N_k^ind(t) independent observations *)
          decisions          (* history of all decisions made by the system *)

(* ShannonEntropy(P) [bits] and MinKLProjection(P, h) (eq. 7) are assumed defined *)

(* The entropy floor constraint, Layer 2 enforcement *)
EntropyConstraint(k) == obs_counts[k] < N_threshold => ShannonEntropy(posterior[k]) >= H_min

(* Constitutional projection, applied as an action after every Bayesian update *)
Project(k) ==
    posterior' = [posterior EXCEPT ![k] =
        IF obs_counts[k] < N_threshold /\ ShannonEntropy(posterior[k]) < H_min
        THEN MinKLProjection(posterior[k], H_min)
        ELSE posterior[k]]

(* SAFETY: no decision ever uses a posterior violating the entropy floor *)
Safety == [](\A k \in EventClasses : EntropyConstraint(k))

(* LIVENESS: the floor is eventually released for every class; obs_counts is
   non-decreasing, so once released it stays released (Theorem 3) *)
Liveness == \A k \in EventClasses : <>[](obs_counts[k] >= N_threshold)

(* LAYER BOUNDARY: Layer 3 cannot modify H_min or N_threshold *)
LayerBoundary == [](H_min = CONST_H_min /\ N_threshold = CONST_N_threshold)

Spec == Safety /\ Liveness /\ LayerBoundary
============================================================================
The Safety property is the core guarantee: in all reachable states, all posteriors satisfy the entropy constraint. This is a universal temporal property — it must hold at every moment of system operation, not just in expectation or on average.
The Liveness property ensures that the entropy floor does not permanently constrain the system: as independent observations accumulate, the floor is eventually released for each event class. Without the liveness property, the entropy floor could in principle prevent the system from ever achieving useful confidence even in genuinely well-characterized regimes.
The LayerBoundary property formalizes the constitutional enforcement: the parameters H_min and N_threshold are constants in the temporal logic specification, reflecting their physical write-protection in Layer 1 ROM.
5.3 Complete Inductive Liveness Proof
The original paper asserted the Liveness property without proof. We provide the complete inductive proof here.
Theorem 3 (Liveness): For any event class k ∈ EventClasses, there exists a finite time t_k^* such that for all t ≥ t_k^*, obs_counts[k] ≥ N_threshold, and the entropy floor is released for event class k.
Proof by induction on N_threshold:
Base case (N_threshold = 1): The entropy floor releases when the first independent observation of event class k is accumulated. For any event class k that is relevant to the system's decision-making, there exists at least one condition under which event class k is observable — otherwise k would not be a member of the decision-relevant event class set EventClasses. The ship encounters novel conditions at rate r_novel > 0 by construction of the mission trajectory in a non-empty environment. Therefore, at least one observation of event class k occurs in finite time. Let t_k^1 be the time of the first observation. Then obs_counts[k] ≥ 1 = N_threshold at t_k^* = t_k^1. The entropy floor releases at t_k^*.
Inductive step: Assume that for N_threshold = n, the entropy floor releases in finite time for all event classes. We show that for N_threshold = n+1, the entropy floor also releases in finite time.
By the inductive hypothesis, N_k^ind(t) reaches n in finite time at some time t_k^n. After t_k^n, the system has accumulated n independent observations of event class k, covering n distinct regions of the condition space C_k. The coverage of C_k by n observations leaves uncovered regions — specifically, the set Θ_k \ C_k(t_k^n) is non-empty for finite n in a novel environment. The ship's continued operation generates new conditions at rate r_novel > 0. Because the uncovered region is non-empty and the ship traverses novel conditions at positive rate, there exists a finite time t_k^(n+1) > t_k^n at which a condition is encountered that lies outside C_k(t_k^n) — generating an observation that is independent of all prior observations by definition (it differs from all prior condition vectors by more than δ_min in at least one relevant dimension). At t_k^(n+1), obs_counts[k] ≥ n+1 = N_threshold. The entropy floor releases at t_k^* = t_k^(n+1).
Conclusion: By induction, for any finite N_threshold, the entropy floor releases in finite time t_k^* for every event class k. The Liveness property holds. QED.
Remark: The proof relies on two conditions: (1) the novelty encounter rate r_novel > 0, and (2) the uncovered region Θ_k \ C_k(t_k^n) is non-empty for all finite n. Condition (1) is guaranteed by the non-stationary deep-space environment. Condition (2) holds for any event class with a continuous or high-dimensional parameter space, which includes all physically meaningful event classes in the deep-space operating environment. For discrete event classes with finite parameter spaces, the proof holds provided the parameter space has more than N_threshold distinct elements.
5.4 Triple-Modular Redundancy for Layer 2
The entropy floor projection operates on every posterior used in a decision. This makes Layer 2 a critical single point of failure: if Layer 2 hardware fails, the entropy floor constraint is lost. We specify triple-modular redundancy (TMR) for Layer 2 to provide tolerance to single hardware failures:
P_t*(θ_k) = majority_vote(L2_A(posterior_k), L2_B(posterior_k), L2_C(posterior_k)) (11)
where L2_A, L2_B, L2_C are three independent Layer 2 processor units running identical entropy floor projection logic. If any unit's output diverges from the majority, it is quarantined and the two-unit majority continues to enforce the constraint. The system remains constitutionally protected under any single Layer 2 unit failure.
Layer 2 unit integrity is verified via Merkle-tree hashing of the constraint firmware:
H_root = MerkleRoot(constraint_firmware) [stored in Layer 1 ROM]
VERIFY: H_current == H_root before every posterior projection (12)
If the firmware hash of any Layer 2 unit diverges from the Layer 1 ROM value, that unit is quarantined before it can execute any projection. This detects both radiation-induced bit flips and any attempted modification of the constraint logic.
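As an added illustration (not part of the paper or its architecture), the following Python models equations (11) and (12): a Merkle root over a chunked firmware image is checked against a stored reference before any unit is allowed to project, and a majority vote quarantines a unit whose output diverges. The chunk size, SHA-256, the stand-in projection logic and the sample firmware bytes are assumptions made for the example.

```python
import hashlib

# Added example (not from the paper): software model of equations (11) and (12).
# Chunk size, SHA-256 and the stand-in projection logic are assumptions.

CHUNK_BYTES = 64

def merkle_root(data: bytes, chunk: int = CHUNK_BYTES) -> bytes:
    """MerkleRoot(constraint_firmware): SHA-256 leaves over fixed-size chunks, parents
    hash the concatenation of their children, an odd trailing node pairs with itself."""
    level = [hashlib.sha256(data[i:i + chunk]).digest() for i in range(0, len(data), chunk)]
    level = level or [hashlib.sha256(b"").digest()]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0]

def floor_stand_in(posterior, p_min=0.02):
    """Stand-in for the projection logic each unit runs (lift to p_min, renormalize);
    the real entropy floor projection is not modelled here."""
    lifted = [max(p, p_min) for p in posterior]
    z = sum(lifted)
    return tuple(p / z for p in lifted)

class Layer2Unit:
    """One of L2_A, L2_B, L2_C: its own firmware copy and the logic it executes."""
    def __init__(self, name, firmware, logic=floor_stand_in):
        self.name, self.firmware, self.logic = name, bytearray(firmware), logic
        self.quarantined = False

def tmr_project(units, posterior, h_root):
    """Equation (11): majority_vote over the units that pass the (12) firmware check."""
    outputs = {}
    for u in units:
        if u.quarantined:
            continue
        if merkle_root(bytes(u.firmware)) != h_root:   # VERIFY: H_current == H_root
            u.quarantined = True                       # quarantined before any projection
            continue
        outputs[u.name] = u.logic(posterior)
    if not outputs:
        raise RuntimeError("no trustworthy Layer 2 unit: entropy floor constraint lost")
    groups = {}
    for name, out in outputs.items():
        groups.setdefault(out, []).append(name)
    winner, agreeing = max(groups.items(), key=lambda kv: len(kv[1]))
    if 2 * len(agreeing) <= len(outputs):
        raise RuntimeError("no majority among Layer 2 outputs")
    for u in units:                                    # divergent minority is quarantined
        if u.name in outputs and u.name not in agreeing:
            u.quarantined = True
    return list(winner)

def demo():
    firmware = bytes(range(256)) * 3                   # constructed firmware image
    h_root = merkle_root(firmware)                     # the value "stored in Layer 1 ROM"
    posterior = (0.001, 0.049, 0.95)                   # constructed three-outcome posterior
    # Case 1: one bit flip in L2_C's firmware copy; (12) quarantines C before it runs.
    a, b, c = (Layer2Unit(n, firmware) for n in "ABC")
    c.firmware[100] ^= 0x01
    out1 = tmr_project([a, b, c], posterior, h_root)
    # Case 2: L2_B's firmware is intact but its output diverges; (11) outvotes it.
    a2, b2, c2 = (Layer2Unit(n, firmware) for n in "ABC")
    b2.logic = lambda post: tuple(post)
    out2 = tmr_project([a2, b2, c2], posterior, h_root)
    return {"out1": out1, "q1": [u.name for u in (a, b, c) if u.quarantined],
            "out2": out2, "q2": [u.name for u in (a2, b2, c2) if u.quarantined]}
```

A double fault (one unit failing the hash check while another diverges) leaves no majority and raises, which is the expected limit of single-failure TMR.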
6. THE INDEPENDENCE CRITERION AS A METRIC SPACE
6.1 Motivation
The original paper defined the independence criterion informally:
Ind(d_i, d_j) = 1 iff ||c_i − c_j||_relevant > δ_min (9)
A reviewer would correctly note that this definition requires the norm ||·||_relevant to be well-defined over the relevant parameter dimensions, and that the independence relation derived from it must be shown to be well-defined and transitive before it can serve as the basis for an observation count that governs the entropy floor release.
6.2 Formal Metric Space Construction
Let C denote the condition space — the space of all possible environmental condition vectors c = (c^1, c^2, ..., c^d) where c^i denotes the i-th parameter dimension relevant to event class k.
Definition 1 (Relevant Norm): For event class ω_k with d relevant parameter dimensions, the relevant norm is:
||c_i − c_j||_relevant = (Σ_{l=1}^{d} w_l^k · |c_i^l − c_j^l|^2)^(1/2)
where w_l^k > 0 is the weight assigned to dimension l for event class k, reflecting its relative importance to the failure modes associated with ω_k. The weights satisfy Σ_l w_l^k = 1.
Proposition 1: (C, ||·||_relevant) is a metric space.
Proof: We verify the four metric axioms.
Non-negativity: ||c_i − c_j||_relevant ≥ 0 follows from the non-negativity of each |c_i^l − c_j^l|^2 term and the positivity of the weights.
Identity of indiscernibles: ||c_i − c_j||_relevant = 0 if and only if |c_i^l − c_j^l|^2 = 0 for all l (since all weights are positive), which holds if and only if c_i^l = c_j^l for all l, i.e., c_i = c_j.
Symmetry: ||c_i − c_j||_relevant = ||c_j − c_i||_relevant follows from |c_i^l − c_j^l| = |c_j^l − c_i^l|.
Triangle inequality: Follows from the triangle inequality for the standard weighted Euclidean norm. QED.
Definition 2 (Independence Relation): Two observations d_i and d_j of event class k are independent if:
Ind(d_i, d_j) = 1 iff ||c_i − c_j||_relevant > δ_min
where δ_min > 0 is the minimum meaningful difference threshold.
Proposition 2 (Well-Definedness): The independence relation Ind is well-defined: for any two observations d_i and d_j with condition vectors c_i and c_j, the value of Ind(d_i, d_j) is uniquely determined by the metric space structure.
Proof: Since (C, ||·||_relevant) is a metric space (Proposition 1), ||c_i − c_j||_relevant is uniquely determined for any c_i, c_j ∈ C. The comparison ||c_i − c_j||_relevant > δ_min is therefore uniquely determined, and Ind(d_i, d_j) is uniquely determined. QED.
Proposition 3 (Non-Transitivity of Dependence): If Ind(d_i, d_j) = 0 and Ind(d_j, d_l) = 0, it does not follow that Ind(d_i, d_l) = 0.
Proof: This is a deliberate feature of the construction, not a defect. Dependence is not transitive in the metric space sense because ||c_i − c_l||_relevant can exceed δ_min even when both ||c_i − c_j||_relevant ≤ δ_min and ||c_j − c_l||_relevant ≤ δ_min. The triangle inequality gives ||c_i − c_l||_relevant ≤ ||c_i − c_j||_relevant + ||c_j − c_l||_relevant ≤ 2δ_min, but the upper bound can exceed δ_min. This is correct: two observations that are individually close to a third observation can be distant from each other, and therefore independent by the definition. The independence relation is not required to be transitive, and the metric space construction correctly captures the intended independence semantics. QED.
Implication for N_k^ind(t): The effective independent observation count N_k^ind(t) defined in equation (10) is well-defined under the metric space construction of Propositions 1 and 2. The non-transitivity of Proposition 3 implies that the independent observation count can grow faster than naive intuition suggests — two observations that are individually dependent on a third can be independent of each other, contributing separately to N_k^ind(t).
6.3 Parameter Specification
The weight vector w^k and threshold δ_min must be specified for each event class k at deployment time and embedded in Layer 1 ROM. The weight vector should reflect engineering judgment about the relative importance of each parameter dimension to the failure modes associated with event class k. The threshold δ_min should be calibrated to the minimum condition difference that produces detectably different failure behavior — typically one standard deviation of the relevant parameter as measured from historical mission data.
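An added example (not from the paper) implementing Definitions 1 and 2, exhibiting the non-transitivity of Proposition 3 on three constructed condition vectors, and running an independent-observation count in the style of Section 7.3 with δ_min expressed in standard deviations. It assumes an arrival-order reading of N_k^ind(t), in which an observation is counted when it is independent of every previously counted one (the mechanism of the inductive step of Theorem 3); the weights, historical standard deviations and event vectors are constructed.

```python
import math

# Added example (not from the paper): Definitions 1 and 2 of Section 6 and the
# independent-observation count they feed. Assumed reading of N_k^ind(t): an
# observation is counted when it is independent of every previously counted one,
# processed in arrival order, as in the inductive step of the Liveness proof.

def relevant_norm(c_i, c_j, w):
    """Definition 1: ||c_i - c_j||_relevant with positive weights w_l^k summing to 1."""
    if any(wl <= 0 for wl in w) or abs(sum(w) - 1.0) > 1e-9:
        raise ValueError("weights must be positive and sum to 1")
    return math.sqrt(sum(wl * (a - b) ** 2 for wl, a, b in zip(w, c_i, c_j)))

def ind(c_i, c_j, w, delta_min):
    """Definition 2: Ind(d_i, d_j) = 1 iff ||c_i - c_j||_relevant > delta_min."""
    return 1 if relevant_norm(c_i, c_j, w) > delta_min else 0

def standardize(conditions, sigmas):
    """Express each dimension in standard deviations of historical data, so that
    delta_min can be given in sigma units as Sections 6.3 and 7.3 do."""
    return [tuple(x / s for x, s in zip(c, sigmas)) for c in conditions]

def independent_count(conditions, w, delta_min):
    """N_k^ind over an arrival-ordered list of condition vectors (see assumption)."""
    counted = []
    for c in conditions:
        if all(ind(c, prev, w, delta_min) for prev in counted):
            counted.append(c)
    return len(counted), counted

# --- Proposition 3: dependence is not transitive ---------------------------
W2 = (0.5, 0.5)
DELTA = 0.6
C_I, C_J, C_L = (0.0, 0.0), (0.8, 0.0), (1.6, 0.0)   # constructed condition vectors

def non_transitivity_demo():
    """Ind(i,j)=0 and Ind(j,l)=0, yet Ind(i,l)=1: d(i,l) <= 2*delta_min but > delta_min."""
    return (ind(C_I, C_J, W2, DELTA), ind(C_J, C_L, W2, DELTA), ind(C_I, C_L, W2, DELTA))

# --- Section 7.3 style count: three dimensions, delta_min = 0.5 sigma ----------
W3 = (0.5, 0.3, 0.2)      # weights for (log10 peak fluence, log10 duration, hardness), assumed
SIGMAS = (1.0, 1.0, 0.1)  # historical standard deviations per dimension, constructed
SEP_EVENTS = [            # constructed minor-SEP condition vectors; hardness nearly constant
    (6.0, 0.5, 2.0), (6.1, 0.6, 2.0), (7.0, 1.0, 2.0), (7.1, 1.1, 2.0),
    (8.0, 1.5, 2.0), (6.0, 1.8, 2.0), (7.9, 0.4, 2.0), (7.0, 1.0, 2.02),
]

def sep_independent_count(delta_min=0.5):
    """Eight raw observations collapse to the count of genuinely distinct conditions."""
    n, _ = independent_count(standardize(SEP_EVENTS, SIGMAS), W3, delta_min)
    return n
```

The hardness-only variation in the last event adds nothing to the count, which is the effect Section 7.3 attributes to the nearly constant spectral hardness.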
7. WORKED NUMERICAL EXAMPLE: TIO PREVENTION IN A SOLAR ENERGETIC PARTICLE EVENT SCENARIO
7.1 Scenario Description
Consider a century-scale deep-space mission at 80 AU that has accumulated 50 years of operational data without a major solar energetic particle (SEP) event. The event class ω_SEP represents the system's belief about the probability and magnitude of SEP events at its current location. During the first 50 years, the system has observed 47 minor SEP events with peak fluences in the range 10^6-10^8 protons/cm² (>10 MeV), with no events exceeding 10^8 protons/cm².
The system's Bayesian posterior at t = 50 years: P_50(φ_max > 10^9) ≈ 0.001, i.e., it assigns 0.1% probability to an SEP event exceeding 10^9 protons/cm² — a Carrington-class event.
At t = 50 years, the heliospheric current sheet crosses the ship's location. The GCR environment changes. A Carrington-class SEP event occurs with peak fluence 3 × 10^9 protons/cm².
7.2 Without AXIOM: TIO-Driven Failure
Without the entropy floor, the system's posterior at t = 50 years assigns probability 0.001 to the observed event. The system's triage decision system, operating on this posterior, has allocated minimal radiation shielding resources to the compute cluster on the grounds that extreme SEP events are negligibly probable. When the Carrington-class event occurs, the compute cluster receives an unshielded dose of 10^5 rad — exceeding the total ionizing dose specification by a factor of 100. The cluster fails. Mission-critical functions are lost.
7.3 With AXIOM: TIO Prevention
With the entropy floor active, we check the AXIOM conditions for ω_SEP:
N_SEP^ind(50 yr): The 47 observed SEP events must be counted for independence. Applying the metric space criterion of Section 6, with condition dimensions (peak fluence, duration, proton spectrum hardness), and δ_min = 0.5 standard deviations in each dimension:
The 47 events cluster into approximately 8-12 genuinely independent observational conditions — varying primarily in peak fluence (3 decades of variation) and duration (2 orders of magnitude variation). The spectrum hardness is relatively constant across all 47 events, contributing zero independent observations in that dimension.
Estimated N_SEP^ind(50 yr) ≈ 10, well below N_threshold = 30.
Since N_SEP^ind < N_threshold, the entropy floor is active. The constrained posterior satisfies:
H(P_50^*(φ_max)) ≥ H_min = 6.6 bits
For a log-normal prior over φ_max with the observed data, the minimum-KL projection that satisfies H(P^*) ≥ 6.6 bits produces:
P_50^*(φ_max > 10^9) ≥ 0.04 (4% minimum probability, up from 0.1%)
The triage decision system, operating on P_50^* rather than P_50, allocates radiation shielding resources consistent with a 4% probability of a Carrington-class event. When the event occurs, the compute cluster receives a shielded dose within operational limits. Mission-critical functions are preserved.
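An added example (not from the paper) carrying the Section 7.3 projection through numerically on a discretized log-normal posterior over φ_max. It assumes the minimum-KL projection is min D_KL(P* || P) subject to H(P*) ≥ H_min, whose Lagrangian solution is a tempered posterior P* ∝ P^β with β ∈ (0, 1]; the grid and the posterior parameters are constructed so that P_50(φ_max > 10^9) is about 0.001, and are not mission data.

```python
import math

# Added example (not from the paper): Section 7.3 on a discretized grid.
# Assumption: the "minimum-KL projection" is the I-projection
#   minimize D_KL(P* || P)  subject to  H(P*) >= H_min,
# whose Lagrangian solution is the tempered posterior P*_i ∝ P_i^beta,
# beta in (0, 1], with beta chosen so that H(P*) = H_min exactly.

LOG10_LO, LOG10_HI, N_BINS = 4.0, 11.0, 128       # grid over log10(phi_max), constructed
CENTERS = [LOG10_LO + (LOG10_HI - LOG10_LO) * (i + 0.5) / N_BINS for i in range(N_BINS)]

def normalize(weights):
    z = sum(weights)
    return [w / z for w in weights]

def entropy_bits(p):
    """Shannon entropy in bits of a discrete distribution."""
    return -sum(x * math.log2(x) for x in p if x > 0)

def lognormal_posterior(mu_log10, sigma_log10):
    """Log-normal over phi_max, i.e. Gaussian in log10 space, discretized on the grid."""
    return normalize([math.exp(-((x - mu_log10) ** 2) / (2 * sigma_log10 ** 2))
                      for x in CENTERS])

def temper(p, beta):
    """P_i^beta renormalized: beta = 1 is P itself, beta -> 0 tends to uniform."""
    return normalize([x ** beta for x in p])

def entropy_floor_projection(p, h_min, tol=1e-9):
    """Return (P*, beta) with H(P*) >= h_min and minimal D_KL(P* || P).
    H(temper(p, beta)) is non-increasing in beta (dH/dbeta = -beta * Var[log p]),
    so bisection on beta in [0, 1] finds the point where the floor binds."""
    if entropy_bits(p) >= h_min:
        return list(p), 1.0                          # floor not binding
    if math.log2(len(p)) < h_min:
        raise ValueError("H_min exceeds log2(#bins): unsatisfiable on this grid")
    lo, hi = 0.0, 1.0                                # H(lo) >= h_min > H(hi)
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if entropy_bits(temper(p, mid)) >= h_min:
            lo = mid
        else:
            hi = mid
    return temper(p, lo), lo

def tail_mass(p, log10_threshold):
    """P(phi_max > 10^threshold) on the grid."""
    return sum(x for x, c in zip(p, CENTERS) if c > log10_threshold)

def sep_scenario(h_min=6.6):
    """P_50 centred on 1e7 protons/cm^2 with 1e9 at 3.09 sigma, so that
    P_50(phi_max > 1e9) is about 0.001; these parameters are constructed."""
    p50 = lognormal_posterior(7.0, 2.0 / 3.09)
    p_star, beta = entropy_floor_projection(p50, h_min)
    return {"H_P50": entropy_bits(p50), "H_Pstar": entropy_bits(p_star), "beta": beta,
            "tail_P50": tail_mass(p50, 9.0), "tail_Pstar": tail_mass(p_star, 9.0)}
```

The tail mass above 10^9 returned for P* is the quantity the triage layer acts on in the scenario; on this constructed posterior it rises from about 0.001 to several percent, the regime Section 7.3 describes.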
7.4 Quantitative TIO Prevention Benefit
The entropy floor increased the assigned probability to the extreme SEP event from 0.001 to ≥ 0.04 — a 40× increase. The shielding resource allocation increased proportionally, preventing mission failure. The cost: a 40× increase in the probability assigned to an extreme event that did not occur during the preceding 50 years — a modest conservatism cost for a strict guarantee against TIO-driven mission failure.
8. PRIOR MISSPECIFICATION LIMITS
8.1 Practical Calibration
For H_min = 6.6 bits: D_KL(π_0 || π_spec) < 6.6 · ln(2) ≈ 4.57 nats.
To contextualize this bound: a prior that assigns 10× too much probability to the correct region of the parameter space has D_KL ≈ ln(10) ≈ 2.30 nats — within the bound. A prior that assigns 100× too much probability has D_KL ≈ ln(100) ≈ 4.61 nats — slightly outside the bound. The boundary therefore corresponds approximately to a prior that misestimates the relevant probability by a factor of 100.
8.2 Practical Implications
For the deep-space application, priors are specified based on Earth-based observations, theoretical models, and analogy with known environments. The factor-of-100 prior misspecification boundary is generous enough to accommodate substantial prior uncertainty while strict enough to exclude catastrophically wrong priors. The formal boundary provides a quantitative criterion for evaluating the quality of candidate priors during the design phase.
8.3 Interaction with the Liveness Proof
Theorem 3 (Liveness) guarantees that the entropy floor releases in finite time. The prior misspecification boundary of Theorem 2 determines whether TIO protection is maintained until the floor releases. The combination of Theorems 2 and 3 establishes that the AXIOM architecture provides TIO protection for the entire duration of the floor's activity, provided the prior misspecification is within the bounded range — and that protection is eventually released when N_threshold independent observations have been accumulated, at which point the Bayesian posterior is epistemically warranted.
9. COMPARISON TO ALGORITHMIC ALTERNATIVES
We compare the entropy floor to four algorithmic approaches that have been proposed for managing epistemic uncertainty in autonomous systems, and to human oversight as a non-algorithmic baseline.
| Approach | Mechanism | Failure Mode in Long-Duration Setting | Entropy Floor Advantage |
|---|---|---|---|
| Prior regularization [1,3] | Penalizes concentrated posteriors during update | Regularization strength is a hyperparameter that can be argued away; does not address structural under-coverage | Physically enforced — not a hyperparameter, not arguable |
| Epistemic uncertainty networks [27] | Learns to predict its own uncertainty as a separate output | Uncertainty estimates are learned from training distribution; fail silently on novel inputs not covered by training | Does not depend on training distribution; covers novel event classes by construction |
| Bayesian deep learning [28] | Maintains posterior over network weights, not just outputs | Posterior over weights concentrates toward training distribution; OOD behavior is undefined | Applies at the decision layer, after all inference — independent of inference architecture |
| Conformal prediction [29] | Provides distribution-free coverage guarantees for predictions | Requires exchangeable test data — fails for non-stationary environments | No exchangeability requirement; applies under arbitrary non-stationarity |
| Human oversight | Human reviews uncertain decisions | Unavailable for long-duration deep-space operation | Does not require human availability |
The fundamental advantage of the constitutional approach over all algorithmic alternatives is the enforcement mechanism. Every algorithmic approach operates in the reasoning layer — it is a component of the system's inference or decision-making process. A sufficiently capable reasoning system can, in principle, construct arguments for why the algorithmic constraint should not apply in a particular case. The entropy floor, implemented in physically-protected read-only hardware, is immune to this failure mode. The system cannot reason about, modify, or bypass the entropy floor any more than it can reason about, modify, or bypass the laws of physics governing its hardware.
This immunity comes at a cost: the entropy floor is less expressive than algorithmic approaches. It enforces a universal lower bound on posterior entropy rather than a context-sensitive uncertainty estimate. For well-characterized event classes where high confidence is genuinely warranted, the entropy floor adds unnecessary conservatism until N_threshold is reached. The trade-off is deliberate: in the long-duration autonomous setting, a constraint that is always enforced but occasionally conservative is strictly preferable to a constraint that is optimally calibrated but occasionally bypassable.
10. LIMITATIONS AND SCOPE
10.1 Parameter Sensitivity
The entropy floor introduces two parameters — H_min and N_threshold — that must be specified at deployment time and cannot be modified after physical write-protection. Incorrect parameter specification will persist for the entire mission duration. If H_min is set too high, the system will remain unnecessarily conservative in well-characterized regimes, potentially degrading decision quality. If H_min is set too low, TIO protection is weakened. If N_threshold is set too low, the floor releases before sufficient evidence has been accumulated.
Sensitivity analysis during the design phase is therefore critical. We recommend specifying H_min and N_threshold under a range of pessimistic assumptions about the novel environment and validating the system's decision quality in simulation across this range before deployment. The parameters should be treated as mission design decisions with the same rigor as physical design parameters.
10.2 The Independence Counting Problem
The entropy floor releases based on independent observation count N_k^ind(t), as defined in equation (10). The independence criterion requires defining a norm over condition vectors and a minimum difference threshold δ_min. These definitions are themselves parameters that must be specified at deployment time and embedded in Layer 1 ROM.
The independence counting problem is a genuine difficulty: in a novel environment, it may not be clear in advance which dimensions of the condition vector are relevant to event class k, or what value of δ_min constitutes a meaningful difference. We recommend conservative independence definitions — requiring conditions to differ substantially along multiple relevant dimensions rather than just one — to prevent the system from declaring spurious independence and releasing the floor prematurely.
10.3 Scope of Application
The mandatory entropy floor addresses TIO specifically — the failure mode arising from structurally insufficient evidence coverage. It does not address:
- Model misspecification: if the parametric family assumed for event class k is wrong (the true data-generating process is not in the assumed family), the entropy floor will not prevent the posterior from concentrating on the wrong family member.
- Prior misspecification beyond the boundary of Section 8: if the prior P_0(θ_k) is severely misspecified beyond the D_KL boundary of Theorem 2, the entropy floor may be insufficient to prevent overconfidence in the regime where the prior dominates the posterior.
- Adversarial inputs: the entropy floor does not provide robustness against adversarial manipulation of the evidence sequence — an adversary who can control the observations presented to the system can potentially manipulate the independence counts or the condition vectors to prematurely release the floor.
These limitations do not diminish the value of the entropy floor for the primary failure mode it addresses. They indicate that the entropy floor should be understood as one component of a comprehensive uncertainty management architecture, not as a complete solution.
10.4 Broader Applicability
While this paper develops the entropy floor in the context of long-duration deep-space autonomous systems, the failure mode it addresses — trajectory-induced overconfidence — is not unique to this domain. Any autonomous system that accumulates evidence over time in a non-stationary environment, makes consequential decisions based on its posterior beliefs, and operates without continuous human oversight is susceptible to TIO. Medical diagnosis systems operating across patient populations with evolving disease presentations, financial trading systems operating across changing market regimes, and infrastructure management systems operating across decades of climate change all exhibit the structural conditions for TIO.
The constitutional implementation architecture is specific to systems with sufficient architectural sophistication to support a multi-layer design — it is not appropriate for simple embedded systems. But the entropy floor concept is applicable at any layer of any Bayesian decision system where the developer has control over the posterior processing pipeline.
11. CONCLUSION
We have introduced trajectory-induced overconfidence as a formal failure mode for long-duration autonomous Bayesian systems, shown that it is a mathematical certainty for century-scale missions in the outer solar system under the tightened risk bound of Section 3.4, and provided a complete constitutional architecture for its prevention.
The complete inductive proof of the Liveness property (Theorem 3) establishes that the entropy floor releases in finite time for every event class, resolving the liveness assertion of the original specification. The metric space formalization of the independence criterion (Section 6) establishes that the independence relation is well-defined, and makes explicit that dependence is not transitive, which is what the independent observation count needs in order to serve as a principled basis for the entropy floor release condition. The prior misspecification boundary (Theorem 2) provides a quantitative criterion for evaluating the quality of candidate priors — the entropy floor provides TIO protection for any prior misspecification within a factor of approximately 100 of the true prior. The worked numerical example (Section 7) demonstrates the concrete operational benefit of the entropy floor in a specific mission scenario.
Three design principles emerge from this work:
- Separate belief formation from belief enforcement. The Bayesian update rule should operate freely in the reasoning layer. Constitutional constraints on posteriors should operate in a separate, more protected layer that the reasoning layer cannot modify.
- Distinguish sample size from independent information. Evidence counts should be weighted by independence, not raw observation count. The metric space construction of Section 6 provides the formal basis for this distinction.
- Treat epistemic humility as a physical property, not a design goal. Uncertainty bounds that can be overridden by sophisticated reasoning provide weaker guarantees than bounds that are physically enforced. Design the architecture accordingly.
The mandatory entropy floor represents a small but meaningful step toward autonomous systems that know what they do not know — and that cannot be talked out of that knowledge by their own intelligence.