Keywords: Bayesian inference, epistemic uncertainty, autonomous systems, safety constraints, formal verification, long-duration operation, prior sensitivity, distributional shift, constitutional AI, liveness proof, metric space independence, adversarial resistance, bootstrap protocol, computational complexity.
1. INTRODUCTION
A Bayesian agent that observes many events of a given class will, under standard conditions, develop a well-calibrated posterior distribution over the parameters governing that event class. This is the fundamental promise of Bayesian inference: more evidence produces better beliefs. The promise holds under two conditions that are routinely satisfied in controlled settings and routinely violated in long-duration autonomous deployment.

Condition 1 (Evidence exchangeability): The observed evidence sequence is exchangeable — the order of observations does not affect the posterior, and observations are drawn from the same underlying distribution. This condition fails when the environment is non-stationary, when the agent's own actions influence the evidence it observes, or when the evidence sequence has a temporal structure that correlates observations.

Condition 2 (Coverage): The agent's evidence base covers the relevant portion of the event space. This condition fails when the agent has operated in a limited region of a high-dimensional environment — for example, when an autonomous system has accumulated years of operational data from a single trajectory through a novel environment.

Long-duration autonomous systems operating in deep space violate both conditions structurally. The environment they traverse is non-stationary over the timescales relevant to their operation — the galactic cosmic ray spectrum, the local gravitational field, and the plasma environment all vary along any interstellar trajectory in ways that produce non-exchangeable evidence sequences. And any autonomous system that has operated for 100 years in a particular region of the outer solar system has accumulated enormous amounts of evidence from a single trajectory — high coverage of one path through a vast unexplored space, and zero coverage of everything else. The danger is subtle and serious.
A system that has observed 10,000 events without failure will assign a very low probability to failure events of that class. If the 10,001st observation encounters conditions outside the operational envelope implicitly represented by the first 10,000, the low probability assignment is not calibrated — it is the artifact of a narrow evidence base. The system will be confident about a situation it has never actually encountered. It will make decisions based on this false confidence. In a century-scale autonomous mission with no human oversight, there is no mechanism to catch this error before it causes mission-critical consequences.

This paper proposes and formalizes a solution: the mandatory entropy floor. The core idea is simple — the posterior entropy for any event class with fewer than a minimum number of independent observations must be maintained above a constitutional minimum, regardless of what the evidence suggests. The mandatory entropy floor is not a new prior or a regularization technique — it is a constitutional constraint, encoded in formally-verified read-only hardware at the lowest layer of the system's decision architecture, unreachable by the system's own reasoning.

The paper is organized as follows. Section 2 reviews the relevant literature. Section 3 formalizes trajectory-induced overconfidence (TIO) with tightened risk bounds. Section 4 defines the entropy floor and establishes formal properties including the prior misspecification boundary. Section 5 specifies the constitutional implementation architecture, provides the complete liveness proof, and formally analyzes all edge cases. Section 6 formalizes the independence criterion as a metric space. Section 7 provides the worked numerical example. Section 8 analyzes AXIOM behavior during the bootstrap period. Section 9 specifies the new event class discovery protocol. Section 10 analyzes the computational complexity of entropy floor projection. Section 11 analyzes the Pioneer veto-liveness interaction. Section 12 compares the approach to algorithmic alternatives. Section 13 discusses limitations. Section 14 concludes.
2. RELATED WORK
2.1 Bayesian Robustness and Prior Sensitivity
The sensitivity of Bayesian inference to prior specification has been studied extensively since the foundational work of Berger [1] and Huber [2]. Robust Bayesian analysis considers classes of priors rather than single priors, seeking posterior conclusions that hold across the prior class [3,4]. The epsilon-contamination model [5] formalizes the idea that the true prior lies within a neighborhood of the specified prior, and derives posterior bounds that are robust to perturbations within this neighborhood.
These approaches address the problem of prior misspecification at the time of deployment. They do not address the problem of evidence-base inadequacy during extended operation — the situation in which the prior becomes well-supported by accumulated evidence, but that evidence is structurally insufficient to justify the confidence the posterior expresses. This is a distinct failure mode that robust Bayesian analysis does not solve and, to our knowledge, has not been formalized in the literature.
2.2 Epistemic vs. Aleatoric Uncertainty
The distinction between epistemic uncertainty (uncertainty reducible by more information) and aleatoric uncertainty (irreducible randomness in the process) is fundamental to uncertainty quantification [6,7]. Epistemic uncertainty arises from lack of knowledge; aleatoric uncertainty arises from genuine stochasticity. Bayesian inference naturally handles aleatoric uncertainty through the likelihood model but treats epistemic uncertainty as reducible — the posterior concentrates as evidence accumulates, regardless of whether that evidence covers the relevant space.
For long-duration autonomous systems, a third category is relevant: what we term structural uncertainty — uncertainty that arises not from lack of information about a well-specified problem, but from the fundamental impossibility of having information about regions of the environment the system has never visited. Structural uncertainty is neither aleatoric (it is not irreducible in principle) nor standard epistemic (it cannot be reduced by the evidence the system is able to collect on its operational trajectory). The entropy floor addresses structural uncertainty specifically.
2.3 Distributional Shift and Out-of-Distribution Detection
The machine learning literature on distributional shift [8,9] addresses the failure of learned models when deployed on inputs from a distribution different from the training distribution. Out-of-distribution (OOD) detection methods [10,11] attempt to identify when a model is being queried on inputs outside its training distribution, triggering increased uncertainty or abstention.
These approaches are relevant but insufficient for the long-duration autonomous setting. OOD detection methods are typically trained to identify inputs that differ from training data in ways representable within the model's input space. They do not address the structural problem of an agent whose operational evidence base has become an inadvertent training set for the very distribution it has encountered, producing false confidence about that specific distribution rather than appropriate humility about the broader environment. Additionally, OOD detection methods are implemented in the reasoning layer and are therefore subject to the same potential for sophisticated rationalization that motivates our constitutional approach.
2.4 Safe Reinforcement Learning and Constrained Optimization
Safe reinforcement learning [12,13] addresses the problem of learning policies that satisfy safety constraints during and after training. Constrained Markov decision processes [14] formalize hard constraints on policy behavior. These approaches are complementary to the entropy floor but operate at the policy level rather than the belief level — they constrain what the agent does, not what it believes. An agent with a miscalibrated posterior can satisfy policy-level safety constraints while making decisions based on dangerously overconfident beliefs about the consequences of those decisions.
2.5 Constitutional and Value-Aligned AI
Constitutional AI [15] and related approaches to value alignment [16,17] address the problem of encoding human values and preferences into AI systems in ways that persist through capability scaling. The insight shared with our approach is that certain constraints should be architecturally enforced rather than learned or reasoned about — they should be foundations that the system's intelligence operates on rather than conclusions that the system's intelligence can override.
Our contribution to this tradition is the application of constitutional enforcement to epistemic constraints specifically — the claim that not just behavioral constraints but also uncertainty constraints should be constitutionally enforced in long-duration autonomous systems. This application has not, to our knowledge, been previously formalized.
2.6 Formal Verification of Autonomous Systems
Formal verification of autonomous system properties using model checking [18] and theorem proving [19] has been applied to safety-critical systems in aerospace [20], automotive [21], and medical [22] domains. TLA+ [23] and related temporal logics provide frameworks for specifying and verifying temporal properties of concurrent systems.
The formal verification community has focused primarily on behavioral properties (liveness, safety, deadlock freedom) rather than epistemic properties (calibration, uncertainty bounds). Our specification of the entropy floor in temporal logic (Section 5) represents an application of formal verification methods to epistemic constraints.
3. TRAJECTORY-INDUCED OVERCONFIDENCE: FORMAL CHARACTERIZATION
3.1 Setup and Notation
Let A be a Bayesian autonomous system operating in environment E over a time horizon T = [0, τ] where τ >> 1 (century-scale). Let Ω = {ω_1, ..., ω_K} be the set of event classes relevant to the system's decision-making. For each event class ω_k, the system maintains a posterior distribution P_t(θ_k | D_t) where θ_k are the parameters governing events of class k and D_t = {d_1, ..., d_n(t)} is the evidence accumulated by time t. Let N_k(t) denote the number of observations of event class ω_k by time t. The posterior P_t(θ_k | D_t) is updated via Bayes' theorem:
P_t(θ_k | D_t) ∝ P(D_t | θ_k) · P_0(θ_k) (1)
where P_0(θ_k) is the prior distribution over parameters of event class k.
3.2 The Non-Coverage Failure Mode
Define the coverage set C_k(t) ⊆ Θ_k as the subset of the parameter space for event class k that is consistent with the observations D_t at time t. Under standard regularity conditions, C_k(t) shrinks as N_k(t) grows — the posterior concentrates around the true parameter value, denoted θ_k^0, of the regime that generated D_t. Formally, for any ε > 0:
P(‖θ_k − θ_k^0‖ < ε | D_t) → 1 as N_k(t) → ∞ (2)
This is posterior consistency. The Bernstein-von Mises theorem [24] sharpens it: under standard conditions the posterior is asymptotically normal around the true parameter value, with width of order 1/√N_k(t).
The failure mode arises when the system encounters conditions at time t* > 0 governed by a parameter value θ_k* that lies outside C_k(t*-) — that is, a parameter value inconsistent with the prior evidence. The posterior at time t*- assigns probability approaching zero to θ_k*:
P_{t*-}(θ_k*) ≈ 0 when θ_k* ∉ C_k(t*-) (3)
The system therefore assigns near-zero probability to outcomes consistent with θ_k*, makes decisions optimized for the high-probability outcomes it has previously observed, and may catastrophically fail when θ_k* governs actual outcomes.
We define trajectory-induced overconfidence (TIO) formally as:
TIO(k, t) = 1 iff H(P_t(θ_k | D_t)) < H_safe and N_k(t) < N_threshold (4)
where H(·) denotes the Shannon entropy of the posterior distribution, H_safe is a minimum safe entropy level, and N_threshold is a minimum number of independent observations required before high-confidence posteriors are epistemically warranted. TIO is a binary flag: the system is either in a potentially overconfident state for event class k (TIO = 1) or it is not (TIO = 0).
3.3 Why Standard Bayesian Updating Cannot Self-Correct TIO
A natural objection to the TIO framing is that Bayesian inference is self-correcting: when the system encounters θ_k*, the posterior will update to incorporate this new evidence, and the overconfidence will be corrected. This objection fails in the long-duration autonomous setting for three reasons.
First, if the system has assigned near-zero probability to outcomes consistent with θ_k*, it may have already taken actions that are irreversible under those outcomes. A century-scale autonomous system making a critical triage decision based on a dangerously overconfident posterior — choosing not to repair a system because failure probability is assessed as near-zero — cannot be corrected after the fact.
Second, the self-correction argument assumes that observing θ_k* will produce a posterior update in the right direction. This requires that the system correctly identifies θ_k* as evidence bearing on event class k. A system that has assigned near-zero prior probability to θ_k* will evaluate new evidence that is consistent with θ_k* as anomalous or sensor-error-induced, rather than as legitimate evidence for updating. Bayesian updating cannot correct overconfidence about an event class when the prior is so concentrated that new evidence from that class is classified as noise.
Third, for rare event classes with N_k(t) << N_threshold, the system may never accumulate enough evidence from the operational trajectory to achieve epistemically warranted confidence — but it will still concentrate its posterior based on the evidence it has. The concentrated posterior reflects structural limitations of the evidence base, not genuine knowledge.
3.4 Tightened TIO Risk Bound
The original TIO risk bound in equation (5) used loose estimates of K_novel(τ) — the number of event classes with insufficient observations at mission time τ. We tighten this bound using published outer solar system trajectory data.
For a mission to the outer solar system following a Hohmann-type transfer with subsequent drift, the rate at which genuinely novel environmental conditions are encountered can be estimated from published measurements of the GCR spectral gradient, the plasma environment variability, and the gravitational anomaly distribution in the outer solar system [A1, A2, A3]. Define the novelty encounter rate r_novel as the number of genuinely distinct environmental conditions encountered per year, where distinct is defined by the independence criterion of Section 6.
From Voyager mission telemetry and New Horizons GCR measurements [A1], r_novel ≈ 3-8 distinct environmental conditions per year in the outer solar system, primarily driven by GCR spectral variations associated with the heliospheric current sheet crossings and galactic environment changes.
For a mission making D = 10^4 decisions per day across K_total = 500 event classes, with r_novel = 5 novel conditions per year and N_threshold = 30:
K_novel(τ) ≈ K_total · (1 − min(1, r_novel · τ / N_threshold))
At τ = 100 years: K_novel(100) ≈ 500 · (1 − min(1, 5·100/30)) ≈ 500 · (1 − 1) = 0 for well-characterized classes, but growing for classes that encounter the novel GCR spectrum not representable within the first N_threshold observations.
The tightened TIO risk bound for the critical sub-class of novel-spectrum event classes:
P(TIO occurs in [0,τ]) ≥ 1 − exp(−p_TIO · K_novel^*(τ) · D(τ)) (5')
where K_novel^*(τ) is the number of event classes where the novel environment genuinely falls outside the training distribution — estimated at 15-40% of K_total for a century-scale outer solar system mission based on the GCR spectral change between 50 AU and 100 AU [A1].
For K_novel^* = 0.25 · 500 = 125, D(τ) = 10^4 · 365 · 100 = 3.65 × 10^8, and p_TIO = 10^(−6) per decision: P(TIO occurs in [0,100yr]) ≥ 1 − exp(−125 · 3.65 × 10^8 · 10^(−6)) ≈ 1 − exp(−45,625) ≈ 1.000
Under these parameters TIO is not a tail risk. The bound is numerically indistinguishable from 1, and the conclusion is insensitive to the per-decision rate: even p_TIO = 10^(−10) leaves an exponent near 4.6 and P ≈ 0.99. For century-scale missions in the outer solar system without mitigation, TIO should be treated as certain.
4. THE MANDATORY ENTROPY FLOOR
4.1 Definition
The mandatory entropy floor is a constraint on the Shannon entropy of posterior distributions for event classes with insufficient observational coverage. Formally, for any event class ω_k:
H(P_t(θ_k | D_t)) ≥ H_min whenever N_k^ind(t) < N_threshold (6)
where H_min is the minimum allowable posterior entropy [bits] and N_threshold is the minimum number of independent observations required before the entropy floor is released.
The entropy floor does not modify the Bayesian update equation (1). It operates as a post-processing constraint on the posterior: after Bayesian updating, if the resulting posterior entropy falls below H_min and the observation count condition is satisfied, the posterior is projected onto the constraint set:
P_t^*(θ_k | D_t) = argmin_{P: H(P) ≥ H_min} KL(P || P_t(θ_k | D_t)) (7)
where KL denotes the Kullback-Leibler divergence. Equation (7) finds the distribution closest to the Bayesian posterior (in the KL sense) that satisfies the entropy constraint. This is the minimum-information projection — it preserves as much of the Bayesian posterior's structure as possible while enforcing the entropy floor.
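The closed form of the projection (7), as an added derivation that is not part of the original paper, for a posterior on a finite (discretised) parameter set with $q_i = P_t(\theta_i \mid D_t) > 0$; the entropy constraint is written in nats inside the Lagrangian ($H_{\min}$ bits is $H_{\min}\ln 2$ nats):

$$\mathcal{L}(p,\lambda,\mu)=\sum_i p_i\ln\frac{p_i}{q_i}+\lambda\Big(H_{\min}\ln 2+\sum_i p_i\ln p_i\Big)+\mu\Big(\sum_i p_i-1\Big),\qquad \lambda\ge 0 .$$

Setting $\partial\mathcal{L}/\partial p_i=0$:

$$\ln p_i+1-\ln q_i+\lambda(\ln p_i+1)+\mu=0
\;\Longrightarrow\;
p_i=\frac{q_i^{\beta}}{\sum_j q_j^{\beta}},\qquad \beta=\frac{1}{1+\lambda}\in(0,1].$$

So $P_t^*$ is the tempered posterior. Writing $p_\beta$ for this family and using $\ln p_i=\beta\ln q_i-\ln Z(\beta)$ with $\tfrac{d}{d\beta}\ln Z=\mathbb{E}_{p_\beta}[\ln q]$,

$$\frac{dH(p_\beta)}{d\beta}=-\beta\,\mathrm{Var}_{p_\beta}\!\left[\ln q\right]\le 0,$$

so the entropy rises monotonically as $\beta$ falls from 1 (where $p=q$) to 0 (uniform on the support of $q$), and the active constraint $H(p_\beta)=H_{\min}$ fixes $\beta$ uniquely. Because $\beta>0$, the $p_i$ are ordered exactly as the $q_i$: the projection keeps the mode of the Bayesian posterior and only spreads its mass. The constraint set is empty, and (7) undefined, whenever $H_{\min}$ exceeds $\log_2$ of the number of parameter values with $q_i>0$.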
4.2 Parameter Selection
Two parameters govern the entropy floor: H_min and N_threshold.
H_min selection: The entropy floor should be set high enough to prevent catastrophic overconfidence while low enough to preserve useful information, and it must be attainable: the constraint set in equation (7) is empty, and the projection undefined, if H_min exceeds the maximum entropy log₂|Θ_k| of the (discretised) parameter space. For a binary outcome (failure or non-failure) that maximum is 1 bit, so a floor of 1.5 bits cannot be imposed. A floor of H_min ≈ 0.68 bits corresponds to a probability distribution of approximately [0.82, 0.18] — the system cannot assign higher than 82% confidence to either outcome. This is substantially more conservative than a typical Bayesian posterior after 1,000 observations of zero failures (which would assign >99.9% confidence to non-failure), while still conveying meaningful probabilistic information. The value of 1.5 bits used in equation (8) below is attainable only for event classes with at least three distinguishable outcomes (2^1.5 ≈ 2.8).
For the general case, H_min should be calibrated to the consequences of TIO-driven decision errors. For decisions affecting P1-P2 priority systems (human life and mission continuation in our target application), we recommend:
H_min = max(1.5, log₂(1/p_critical)) (8)
where p_critical is the minimum probability that should ever be assigned to the mission-critical failure event. For p_critical = 0.01 (1% minimum probability floor on any mission-critical failure), equation (8) gives H_min = max(1.5, log₂ 100) ≈ 6.64 bits, rounded to 6.6 bits in what follows. Two caveats apply. First, 6.6 bits is attainable only on a parameter space with at least 2^6.6 ≈ 97 distinguishable values, so the Layer 2 discretisation of Θ_k must be at least that fine. Second, a Shannon entropy floor constrains the largest posterior probability only indirectly, through H(P) ≤ h_b(p_max) + (1 − p_max) log₂(|Θ_k| − 1) with h_b the binary entropy function; it does not by itself guarantee that the specific failure outcome retains probability p_critical, so that requirement should be checked directly on the projected posterior rather than inferred from (8).
N_threshold selection: N_threshold should be large enough that N_threshold independent observations constitute a statistically sufficient basis for releasing the entropy floor. The conventional choice N_threshold = 30 rests on the central limit theorem heuristic that sample means of about 30 observations are approximately normal; it is not a power calculation. For a binary outcome it is weaker than it sounds: 30 failure-free independent observations only bound the failure rate below roughly 10% at 95% confidence (the rule of three, 3/N), so a 5% failure rate would not be distinguished from zero. Where the floor release must certify a rate near p_critical, N_threshold should be set from the required bound (N ≈ 3/p_critical for zero observed failures, i.e. about 300 for p_critical = 0.01). For multi-modal event classes with more degrees of freedom, N_threshold should scale with the dimensionality of the parameter space, consistent with standard sample size analysis for Bayesian inference [25].
4.3 Formal Properties
4.3.1 Monotonicity in Evidence
The entropy floor constraint binds only while N_k^ind(t) < N_threshold and the unconstrained posterior entropy is below H_min; it never tightens as evidence accumulates. When N_k^ind(t) ≥ N_threshold, the floor is released and Bayesian updating proceeds unconstrained. The release is a step, not a limit: the constrained posterior P_t*(θ_k | D_t) coincides with the unconstrained posterior P_t(θ_k | D_t) at the threshold only if the latter already satisfies H ≥ H_min; otherwise the posterior entropy drops discontinuously when the N_threshold-th independent observation arrives. A smooth hand-over would require H_min to decrease with N_k^ind(t) rather than switch off at the threshold, which the present constitutional design does not do.
4.3.2 Consistency with Bayesian Updating
The entropy floor is a constraint on the posterior, not a modification of the update rule. It does not introduce any bias toward particular parameter values — the constrained posterior P_t* retains the same mode as the unconstrained posterior P_t, and concentrates toward the same true parameter value as evidence accumulates. The floor affects the dispersion of the posterior (preventing pathological concentration) but not its central tendency.
4.3.3 Admissibility
The constrained posterior P_t* is an admissible estimator in the Bayesian decision-theoretic sense [26] — it is not dominated by any other estimator under the standard expected utility criterion augmented by the entropy constraint. This follows directly from the minimum-KL projection property of equation (7): among all distributions satisfying the entropy constraint, P_t* is the one most consistent with the observed evidence.
4.3.4 Protection Against TIO
By construction, the entropy floor eliminates TIO for all event classes provided H_min ≥ H_safe: if N_k^ind(t) < N_threshold, then H(P_t*(θ_k | D_t)) ≥ H_min ≥ H_safe and TIO(k, t) = 0; if N_k^ind(t) ≥ N_threshold, TIO(k, t) = 0 by the definition in (4). This is a strict guarantee, not a probabilistic bound. It holds regardless of the evidence sequence, the prior specification, or the system's reasoning capabilities, as long as every posterior used in a decision has passed through the projection.
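The projection (7) computed on a discretised parameter space, with the worked numbers of Section 4.2. This is an added example, not code from the paper: the θ grid, the Beta(1, 1) prior, the 1,000 failure-free observations and the floor values are constructed inputs, and the implementation uses the tempered-posterior form that the minimum-KL projection takes on a finite support (p_i ∝ q_i^β, with β found by bisection). It also exhibits the mode preservation of Section 4.3.2 and the attainability limit for a binary outcome.

```python
"""Added example (not from the paper): the minimum-KL entropy-floor projection of
equation (7) on a discretised parameter space, plus the binary case of Section 4.2.

For a discrete posterior q, minimising KL(p || q) subject to H(p) >= H_min has the
stationarity condition (1 + lambda) * log p_i = log q_i + const, so the projection is
a tempered posterior p_i ∝ q_i ** beta with one beta in (0, 1]. Entropy increases
monotonically as beta decreases, so beta is found by bisection. The theta grid, the
Beta(1, 1) prior and the failure-free observation counts are constructed inputs.
"""
import math


def entropy_bits(p):
    """Shannon entropy in bits, with 0 log 0 := 0."""
    return -sum(x * math.log2(x) for x in p if x > 0.0)


def temper(q, beta):
    """Normalised q ** beta, computed in log space; zeros of q stay zero."""
    logs = [beta * math.log(x) if x > 0.0 else -math.inf for x in q]
    m = max(logs)
    w = [math.exp(v - m) for v in logs]
    z = sum(w)
    return [x / z for x in w]


def project_entropy_floor(q, h_min):
    """Equation (7): the distribution closest to q in KL(p || q) with H(p) >= h_min.
    Returns q itself when the floor already holds; raises when the constraint set is
    empty (no distribution on q's support has h_min bits of entropy)."""
    if entropy_bits(q) >= h_min:
        return list(q)
    if entropy_bits(temper(q, 0.0)) < h_min:      # beta = 0 is uniform on the support
        support = sum(1 for x in q if x > 0.0)
        raise ValueError(f"H_min={h_min} bits > log2({support}) bits: floor unattainable")
    lo, hi = 0.0, 1.0                            # H(temper(q, lo)) >= h_min > H(temper(q, hi))
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if entropy_bits(temper(q, mid)) >= h_min:
            lo = mid                             # still enough entropy: move towards q
        else:
            hi = mid
    return temper(q, lo)


def beta_posterior_on_grid(n_obs, n_fail, grid, a0=1.0, b0=1.0):
    """Beta(a0 + n_fail, b0 + n_obs - n_fail) posterior over failure probability theta,
    discretised on grid (what a Layer 2 unit would hold), normalised in log space."""
    logw = [(a0 + n_fail - 1) * math.log(t) + (b0 + n_obs - n_fail - 1) * math.log1p(-t)
            for t in grid]
    m = max(logw)
    w = [math.exp(v - m) for v in logw]
    z = sum(w)
    return [x / z for x in w]


def worked_example(n_obs=1000, h_min=3.0, n_grid=64):
    """1,000 failure-free observations of one event class, floored at h_min bits.
    Reports entropies, modes and the tail mass P(theta > 0.05) before and after."""
    grid = [(i + 0.5) / n_grid for i in range(n_grid)]
    q = beta_posterior_on_grid(n_obs, 0, grid)
    p = project_entropy_floor(q, h_min)
    tail = lambda dist: sum(x for t, x in zip(grid, dist) if t > 0.05)
    return {
        "H_q": entropy_bits(q), "H_p": entropy_bits(p),
        "mode_q": q.index(max(q)), "mode_p": p.index(max(p)),   # same mode (Sec. 4.3.2)
        "tail_q": tail(q), "tail_p": tail(p),
    }


def binary_floor(p_max=0.999, h_min=0.68):
    """Binary outcome: a floor of ~0.68 bits caps confidence near 82 %; a 1.5-bit
    floor is unattainable on two outcomes (maximum entropy is 1 bit)."""
    return project_entropy_floor([p_max, 1.0 - p_max], h_min)


if __name__ == "__main__":
    print(worked_example())
    print(binary_floor())
```

The unconstrained posterior after 1,000 clean observations carries a few microbits of entropy and essentially no mass above θ = 0.05; the floored posterior keeps the same mode but restores a tail of roughly a quarter of the mass above 0.05, which is the "humility" the floor is meant to buy. Asking for 1.5 bits on two outcomes raises, which is the check a Layer 2 implementation needs so that an unattainable H_min fails loudly rather than silently releasing the floor.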
4.5 The Independence Requirement
The entropy floor condition N_k(t) < N_threshold depends on the count of independent observations of event class k. The independence requirement is critical: correlated observations of the same event class provide less information than the count suggests, and a system that achieves N_k(t) = N_threshold through correlated observations is not epistemically warranted in releasing the floor.
We define independence for this purpose as: two observations d_i and d_j of event class k are independent if they were collected under conditions that differ in at least one parameter relevant to the event class by more than the minimum detectable difference for that parameter. This definition formalizes the intuition that an observation of 'no component failure' during normal operations in year 1 and 'no component failure' during normal operations in year 2 are not independent — they represent repeated observation of the same operating condition. An observation of 'no component failure' during a solar energetic particle event is independent of baseline observations because the radiation loading conditions differ substantially.
Ind(d_i, d_j) = 1 iff ||c_i − c_j||_relevant > δ_min (9)
where c_i, c_j are the condition vectors for the two observations, ||·||_relevant is a norm over the relevant parameter dimensions, and δ_min is the minimum meaningful difference.
The effective independent observation count is:
N_k^{ind}(t) = |{i : ∄ j < i s.t. Ind(d_i, d_j) = 0}| (10)
The entropy floor releases when N_k^{ind}(t) ≥ N_threshold, not when N_k(t) ≥ N_threshold.
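An implementation of the independence test (9) and the count (10), added here as an example and not code from the paper. It reads the text's definition ("differ in at least one relevant parameter by more than the minimum detectable difference for that parameter") as a per-dimension scaled max-norm with independence when it exceeds 1; the relevant dimensions, the δ_min values and the condition vectors are constructed. The second function shows that the greedy count of (10) depends on arrival order, which is the lever behind the adversarial edge case taken up in Section 5.5.

```python
"""Added example (not from the paper): the independence criterion of equations (9)
and (10). The text's wording ('differ in at least one relevant parameter by more
than the minimum detectable difference for that parameter') is taken here to mean a
per-dimension scaled max-norm: ||c_i - c_j||_relevant = max_d |c_i[d] - c_j[d]| /
delta_min[d], with independence when this exceeds 1. The relevant dimensions, the
delta_min values and the condition vectors are constructed for illustration.
"""

# Hypothetical relevant dimensions for a component-failure event class and the
# minimum detectable difference delta_min in each (constructed values).
RELEVANT = ("dose_rate_rad_day", "temp_K", "bus_voltage_V")
DELTA_MIN = {"dose_rate_rad_day": 0.5, "temp_K": 5.0, "bus_voltage_V": 0.2}


def scaled_distance(ci, cj, delta_min=DELTA_MIN, relevant=RELEVANT):
    """||c_i - c_j||_relevant: largest per-dimension difference in units of delta_min."""
    return max(abs(ci[d] - cj[d]) / delta_min[d] for d in relevant)


def independent(ci, cj):
    """Ind(d_i, d_j) = 1 iff the two observations' conditions differ by more than
    delta_min in at least one relevant dimension (equation (9))."""
    return scaled_distance(ci, cj) > 1.0


def independent_count(conditions):
    """N_k^ind of equation (10): observation i counts iff no earlier observation j < i
    lies within delta_min of it. Evaluated against all earlier observations, not only
    the ones that were themselves counted."""
    n = 0
    for i, ci in enumerate(conditions):
        if all(independent(ci, cj) for cj in conditions[:i]):
            n += 1
    return n


def baseline(dose=1.0, temp=293.0, volts=28.0):
    """Condition vector for one observation (constructed cruise-phase values)."""
    return {"dose_rate_rad_day": dose, "temp_K": temp, "bus_voltage_V": volts}


# Constructed sequence: two years of 'no failure' under cruise conditions and one
# 'no failure' during a solar energetic particle event (dose rate 40x baseline).
CRUISE_AND_SEP = [
    baseline(1.00, 293.0, 28.00),   # year 1, cruise
    baseline(1.10, 294.0, 28.05),   # year 2, cruise: within delta_min of year 1
    baseline(40.0, 293.0, 28.00),   # SEP event: far outside in the dose dimension
]


def order_dependence_demo():
    """Three conditions spaced 0.8 * delta_min apart along one axis. Greedy counting per
    (10) gives different N^ind for different arrival orders of the same observations."""
    a, b, c = baseline(1.0), baseline(1.4), baseline(1.8)
    return independent_count([a, b, c]), independent_count([a, c, b])


if __name__ == "__main__":
    print("N_ind(cruise, cruise, SEP) =", independent_count(CRUISE_AND_SEP))
    print("order dependence (a,b,c) vs (a,c,b):", order_dependence_demo())
```

The cruise-phase repeat does not raise the count, the SEP observation does, and the three evenly spaced conditions count as one or two independent observations depending purely on the order in which they arrived. An order-independent statistic (the largest δ_min-separated subset of the observations, a packing number) would remove that lever at higher computational cost; equation (10) is implemented here as the paper states it.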
4.6 Prior Misspecification Boundary
A limitation of the original paper was the qualitative acknowledgment that prior misspecification could cause the entropy floor to fail, without quantifying the boundary. We address this here.
Let π_0 denote the true prior and π_spec denote the specified prior. Define the misspecification degree as the KL divergence D_KL(π_0 || π_spec). The entropy floor provides TIO protection even under prior misspecification provided that the KL divergence between the true and specified priors does not cause the projected posterior to concentrate on a region of the parameter space that excludes the true parameter θ_k*.
Theorem 2 (Prior Misspecification Boundary): The entropy floor provides strict TIO protection against prior misspecification if and only if:
D_KL(π_0 || π_spec) < H_min · ln(2)
Proof: The minimum-KL projection of equation (7) finds the distribution P^* closest to the Bayesian posterior in the KL sense, subject to the entropy constraint H(P^*) ≥ H_min. The Bayesian posterior under the misspecified prior π_spec satisfies:
P_t(θ_k | D_t, π_spec) ∝ P(D_t | θ_k) · π_spec(θ_k)
The divergence between this and the posterior under the true prior is bounded by:
D_KL(P_t(·|D_t, π_0) || P_t(·|D_t, π_spec)) ≤ D_KL(π_0 || π_spec) / (1 + N_k(t))
As N_k(t) → 0 (the regime where TIO is most dangerous), this bound approaches D_KL(π_0 || π_spec).
For the entropy floor to prevent TIO despite prior misspecification, the projected posterior P^* must maintain entropy ≥ H_min even when the Bayesian posterior under the misspecified prior has already concentrated. This requires that the misspecification-induced posterior concentration does not exceed the entropy floor's corrective capacity, which holds if and only if the entropy reduction attributable to misspecification — bounded by D_KL(π_0 || π_spec) / ln(2) bits — does not exceed H_min:
D_KL(π_0 || π_spec) < H_min · ln(2). QED.
Practical implication: For H_min = 6.6 bits, the entropy floor provides TIO protection for any prior misspecification with D_KL(π_0 || π_spec) < 6.6 · ln(2) ≈ 4.57 nats. This is a substantial margin — it accommodates priors that are quite wrong about the magnitude of θ_k while remaining wrong within a bounded degree. Prior misspecification that exceeds this threshold represents a prior so wrong that no reasonable deployment process would select it.
5. CONSTITUTIONAL IMPLEMENTATION AND LIVENESS PROOF
5.1 Multi-Layer Architecture
The entropy floor derives its key guarantee — immunity to sophisticated rationalization — from its implementation as a physically-enforced constitutional constraint rather than an algorithmic one. We specify a three-layer architecture for the decision system, with the entropy floor embedded in the most protected layer:
| Layer | Content | Mutability | Enforcement Mechanism |
|---|---|---|---|
| Layer 3: Adaptive Reasoning | Bayesian inference, planning, resource optimization, LLM-class reasoning | Fully updateable at runtime | Software — may be replaced or retrained |
| Layer 2: Constraint Enforcement | Entropy floor projection (Eq. 7), priority axioms, triage decision bounds | Read-only post-deployment | Formally verified firmware on rad-hardened hardware; TMR protected |
| Layer 1: Constitutional ROM | H_min, N_threshold parameters, independence definition, layer boundary rules | Physically write-protected | Fused silicon — hardware enforced; unreachable by any software process |
The critical architectural invariant: Layer 3 computes posteriors freely using standard Bayesian updating. Before any posterior is used in a decision, it passes through Layer 2's entropy floor projection. Layer 2 enforces equation (7) — it cannot be bypassed, modified, or argued with by Layer 3 reasoning. Layer 1 stores the parameters H_min and N_threshold in physically write-protected memory. Neither Layer 2 nor Layer 3 can modify these parameters after deployment.
5.2 Formal Specification in Temporal Logic
The entropy floor constraint and its architectural enforcement are specified in TLA+ as follows:
---------------------------- MODULE EntropyFloor ----------------------------
EXTENDS Naturals, Reals, Sequences
CONSTANTS H_min,          (* minimum entropy floor [bits]; stored in Layer 1 ROM *)
          N_threshold,    (* min independent observations before floor releases *)
          EventClasses,   (* set of all event classes Omega *)
          delta_min,      (* minimum condition difference for independence *)
          Distributions,  (* the posteriors a Layer 3 update may produce *)
          ShannonEntropy(_),     (* entropy of a distribution, in bits *)
          MinKLProjection(_, _)  (* the projection of equation (7) *)
VARIABLES posterior,      (* posterior[k] = P_t(theta_k | D_t) for each class k *)
          obs_counts,     (* obs_counts[k] = N_k^ind(t) independent observations *)
          decisions       (* history of all decisions made by the system *)
vars == <<posterior, obs_counts, decisions>>
(* The entropy floor constraint (Layer 2 enforcement) *)
EntropyConstraint(k) ==
    obs_counts[k] < N_threshold => ShannonEntropy(posterior[k]) >= H_min
(* Constitutional projection of a raw Layer 3 posterior, applied before it is stored *)
Project(k, raw) ==
    IF obs_counts[k] < N_threshold /\ ShannonEntropy(raw) < H_min
    THEN MinKLProjection(raw, H_min)
    ELSE raw
Init == /\ posterior \in [EventClasses -> Distributions]
        /\ \A k \in EventClasses : ShannonEntropy(posterior[k]) >= H_min
        /\ obs_counts = [k \in EventClasses |-> 0]
        /\ decisions = <<>>
(* Layer 3 update of class k; the count rises only for an independent observation *)
Update(k, raw, independent) ==
    /\ posterior' = [posterior EXCEPT ![k] = Project(k, raw)]
    /\ obs_counts' = [obs_counts EXCEPT ![k] = IF independent THEN @ + 1 ELSE @]
    /\ UNCHANGED decisions
(* A decision reads only the stored, projected posterior *)
Decide(k) == /\ decisions' = Append(decisions, <<k, posterior[k]>>)
             /\ UNCHANGED <<posterior, obs_counts>>
Next == \E k \in EventClasses :
          \/ Decide(k)
          \/ \E raw \in Distributions, ind \in BOOLEAN : Update(k, raw, ind)
Spec == Init /\ [][Next]_vars
(* SAFETY: no reachable state, hence no decision, uses a posterior below the floor *)
Safety == [](\A k \in EventClasses : EntropyConstraint(k))
(* LIVENESS: each class eventually reaches the threshold and stays there; this needs
   the environment assumptions of Theorem 3, not Spec alone *)
Liveness == \A k \in EventClasses : <>[](obs_counts[k] >= N_threshold)
(* LAYER BOUNDARY: H_min and N_threshold are CONSTANTS, so no action can assign them;
   this is the formal counterpart of their physical write-protection in Layer 1 ROM *)
THEOREM Spec => Safety
============================================================================
The Safety property is the core guarantee: in all reachable states, all posteriors satisfy the entropy constraint. This is a universal temporal property — it must hold at every moment of system operation, not just in expectation or on average.
The Liveness property ensures that the entropy floor does not permanently constrain the system: as independent observations accumulate, the floor is eventually released for each event class. Without the liveness property, the entropy floor could in principle prevent the system from ever achieving useful confidence even in genuinely well-characterized regimes.
The layer boundary is expressed by declaring H_min and N_threshold as CONSTANTS of the module: no action of the specification can assign them, which is the formal counterpart of their physical write-protection in Layer 1 ROM. Note that the Safety property is only as strong as the projection operator it relies on; the verification must include the assumption that MinKLProjection returns a distribution of entropy at least H_min for every attainable H_min.
5.3 Complete Inductive Liveness Proof
The original paper asserted the Liveness property without proof. We provide the complete inductive proof here.
Theorem 3 (Liveness): For any event class k ∈ EventClasses, there exists a finite time t_k^* such that for all t ≥ t_k^*, obs_counts[k] ≥ N_threshold, and the entropy floor is released for event class k.
Proof by induction on N_threshold:
Base case (N_threshold = 1): The entropy floor releases when the first independent observation of event class k is accumulated. For any event class k that is relevant to the system's decision-making, there exists at least one condition under which event class k is observable — otherwise k would not be a member of the decision-relevant event class set EventClasses. The ship encounters novel conditions at rate r_novel > 0 by construction of the mission trajectory in a non-empty environment. Therefore, at least one observation of event class k occurs in finite time. Let t_k^1 be the time of the first observation. Then obs_counts[k] ≥ 1 = N_threshold at t_k^* = t_k^1. The entropy floor releases at t_k^*.
Inductive step: Assume that for N_threshold = n, the entropy floor releases in finite time for all event classes. We show that for N_threshold = n+1, the entropy floor also releases in finite time.
By the inductive hypothesis, N_k^ind(t) reaches n in finite time at some time t_k^n. After t_k^n, the system has accumulated n independent observations of event class k, covering n distinct regions of the condition space C_k. The coverage of C_k by n observations leaves uncovered regions — specifically, the set Θ_k \ C_k(t_k^n) is non-empty for finite n in a novel environment. The ship's continued operation generates new conditions at rate r_novel > 0. Because the uncovered region is non-empty and the ship traverses novel conditions at positive rate, there exists a finite time t_k^(n+1) > t_k^n at which a condition is encountered that lies outside C_k(t_k^n) — generating an observation that is independent of all prior observations by definition (it differs from all prior condition vectors by more than δ_min in at least one relevant dimension). At t_k^(n+1), obs_counts[k] ≥ n+1 = N_threshold. The entropy floor releases at t_k^* = t_k^(n+1).
Conclusion: By induction, for any finite N_threshold, the entropy floor releases in finite time t_k^* for every event class k. The Liveness property holds. QED.
Remark: The proof relies on two conditions: (1) the novelty encounter rate r_novel > 0, and (2) the uncovered region Θ_k \ C_k(t_k^n) is non-empty for all finite n. Condition (1) is guaranteed by the non-stationary deep-space environment. Condition (2) holds for any event class with a continuous or high-dimensional parameter space, which includes all physically meaningful event classes in the deep-space operating environment. For discrete event classes with finite parameter spaces, the proof holds provided the parameter space has more than N_threshold distinct elements.
5.4 Triple-Modular Redundancy for Layer 2
The entropy floor projection operates on every posterior used in a decision. This makes Layer 2 a critical single point of failure: if Layer 2 hardware fails, the entropy floor constraint is lost. We specify triple-modular redundancy (TMR) for Layer 2 to provide tolerance to single hardware failures:
P_t*(θ_k) = majority_vote(L2_A(posterior_k), L2_B(posterior_k), L2_C(posterior_k)) (11)
where L2_A, L2_B, L2_C are three independent Layer 2 processor units running identical entropy floor projection logic. If any unit's output diverges from the majority, it is quarantined and the two-unit majority continues to enforce the constraint. The system remains constitutionally protected under any single Layer 2 unit failure.
Layer 2 unit integrity is verified via Merkle-tree hashing of the constraint firmware:
H_root = MerkleRoot(constraint_firmware) [stored in Layer 1 ROM]
VERIFY: H_current == H_root before every posterior projection (12)
If the firmware hash of any Layer 2 unit diverges from the Layer 1 ROM value, that unit is quarantined before it can execute any projection. This detects both radiation-induced bit flips and any attempted modification of the constraint logic.
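The voting and firmware-hash gate of equations (11) and (12) in working form, added here as an example that is not the paper's code: three units project the same posterior, a unit whose firmware hash diverges from the Layer 1 value is quarantined before it runs, and a unit whose output diverges from the majority is quarantined afterwards. It assumes a SHA-256 Merkle tree over 64-byte chunks of a constructed firmware image and uses a stand-in lifting function in place of the real entropy floor projection, which this section treats as a black box.

```python
import hashlib

# Added example, not the paper's code. Assumptions: the Merkle root is SHA-256 over
# 64-byte firmware chunks; floor_projection is a stand-in for the real Layer 2
# entropy floor projection, which eq. (11) treats as a black box; unit outputs are
# compared after rounding so that identical logic yields identical votes.

CHUNK = 64

def merkle_root(firmware: bytes) -> str:
    """H_root = MerkleRoot(constraint_firmware), eq. (12)."""
    level = [hashlib.sha256(firmware[i:i + CHUNK]).digest()
             for i in range(0, len(firmware), CHUNK)] or [hashlib.sha256(b"").digest()]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])                 # pad an odd level by duplicating the last node
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()

def floor_projection(posterior):
    """Stand-in projection: lift every probability to at least 0.02 and renormalise."""
    lifted = [max(p, 0.02) for p in posterior]
    total = sum(lifted)
    return [p / total for p in lifted]

class Layer2Unit:
    def __init__(self, name, firmware, logic=floor_projection):
        self.name, self.firmware, self.logic = name, bytearray(firmware), logic
        self.quarantined = False

class Layer2TMR:
    """Eq. (11): majority vote of three L2 units; eq. (12): hash check before each projection."""
    def __init__(self, units, h_root):
        self.units, self.h_root = list(units), h_root   # h_root: the value held in Layer 1 ROM

    def project(self, posterior):
        outputs = {}
        for u in self.units:
            if u.quarantined:
                continue
            if merkle_root(bytes(u.firmware)) != self.h_root:
                u.quarantined = True                    # bit flip or tampering: never executes
                continue
            outputs[u.name] = tuple(round(p, 12) for p in u.logic(posterior))
        votes = {}
        for name, out in outputs.items():
            votes.setdefault(out, []).append(name)
        winner = max(votes, key=lambda out: len(votes[out]), default=None)
        if winner is None or len(votes[winner]) < 2:
            raise RuntimeError("no two-unit majority: entropy floor enforcement unavailable")
        for u in self.units:
            if u.name in outputs and u.name not in votes[winner]:
                u.quarantined = True                    # output diverged from the majority
        return list(winner)

FIRMWARE = b"constructed stand-in for the Layer 2 constraint firmware image " * 4
H_ROOT = merkle_root(FIRMWARE)                          # written to Layer 1 ROM at deployment
POSTERIOR = [0.98, 0.01, 0.01]                          # constructed overconfident posterior

def scenario(flip_unit=None, faulty_unit=None):
    """One projection with an optional firmware bit flip and/or a logic fault injected."""
    units = [Layer2Unit(n, FIRMWARE) for n in "ABC"]
    for u in units:
        if u.name == flip_unit:
            u.firmware[5] ^= 0x04                       # simulated radiation-induced bit flip
        if u.name == faulty_unit:
            u.logic = lambda post: list(post)           # fault: passes the posterior through unprojected
    tmr = Layer2TMR(units, H_ROOT)
    out = tmr.project(POSTERIOR)
    return out, sorted(u.name for u in units if u.quarantined)
```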
5.5 Extended Edge Case Analysis of the Liveness Proof
5.5.1 Motivation
Theorem 3 (Liveness) of Section 5.3 proves that the entropy floor releases in finite time for every event class, under two conditions: (1) the novelty encounter rate r_novel > 0, and (2) the uncovered region Θ_k \ C_k(t_k^n) is non-empty for all finite n. The proof's remark acknowledged two edge cases where these conditions may not hold: discrete event classes with finite parameter spaces having fewer than N_threshold distinct elements, and adversarial manipulation of the independence counting mechanism. This section provides formal analysis of both edge cases and specifies the architectural mitigations that ensure the entropy floor remains well-behaved in each.
5.5.2 Edge Case 1 — Discrete Event Classes with Finite Parameter Spaces
Problem Statement: The liveness proof assumes that the event class parameter space Θ_k is either continuous or has more than N_threshold distinct elements. For a discrete event class with |Θ_k| < N_threshold distinct parameter values — for example, a binary failure/non-failure event class with |Θ_k| = 2 — the uncovered region Θ_k \ C_k(t) eventually becomes empty before N_k^ind(t) reaches N_threshold. The entropy floor would then never release under the standard liveness proof, because the condition for release (N_threshold independent observations) cannot be satisfied when fewer than N_threshold distinct conditions exist.
Formal Analysis: Let |Θ_k| = M < N_threshold be the number of distinct parameter values for event class k. The system can accumulate at most M independent observations of event class k — one for each distinct element of Θ_k. After M independent observations, every element of Θ_k has been observed, the coverage set C_k(t) = Θ_k, and no further independent observations are possible.
Under the standard entropy floor specification, N_k^ind(t) ≤ M < N_threshold, so the floor never releases. This is epistemically wrong: a system that has observed all M distinct outcomes of a binary event class has achieved complete coverage of the parameter space and does not require further uncertainty. The entropy floor is being unnecessarily conservative.
Resolution — Adaptive N_threshold:
For event classes with finite parameter spaces, the effective N_threshold should adapt to the parameter space size:
N_threshold^eff(k) = min(N_threshold, |Θ_k|)
This modification releases the entropy floor when either the standard N_threshold independent observations have been accumulated OR the complete parameter space has been covered — whichever comes first. For a binary event class with |Θ_k| = 2, the floor releases after 2 independent observations (one failure and one non-failure) rather than requiring 30.
Formal Liveness with Adaptive Threshold:
Theorem 3' (Extended Liveness): For any event class k ∈ EventClasses with parameter space Θ_k satisfying |Θ_k| ≥ 1, the entropy floor releases in finite time under the adaptive threshold N_threshold^eff(k) = min(N_threshold, |Θ_k|).
Proof: Two cases.
Case 1: |Θ_k| ≥ N_threshold. The original Theorem 3 proof applies unchanged. The entropy floor releases when N_k^ind(t) = N_threshold, which occurs in finite time by the original proof.
Case 2: |Θ_k| = M < N_threshold. Under the adaptive threshold, the floor releases when N_k^ind(t) = M. Since Θ_k has M distinct elements and r_novel > 0, the ship eventually encounters conditions corresponding to each element of Θ_k. The time to observe all M elements is bounded by the maximum of the M individual first-encounter times, each of which is finite by the original base case argument. Therefore the floor releases in finite time at t_k^* = max(t_k^1, t_k^2, ..., t_k^M). QED.
Constitutional Implementation: The adaptive threshold N_threshold^eff(k) = min(N_threshold, |Θ_k|) must be computed at system initialization for each event class k, based on the known structure of Θ_k, and stored in Layer 2 constraint enforcement firmware. For event classes where |Θ_k| is not known at initialization — event classes whose parameter space structure is itself uncertain — the conservative default N_threshold^eff(k) = N_threshold applies until the parameter space structure is sufficiently characterized.
5.5.3 Edge Case 2 — Adversarial Manipulation of the Independence Counting Mechanism
Problem Statement: The entropy floor releases when N_k^ind(t) ≥ N_threshold^eff(k), where N_k^ind(t) counts independent observations as defined by the metric space construction of Section 6. An adversary who can control the observations presented to the system — by manipulating sensor inputs, corrupting the condition vector measurement, or exploiting the independence criterion's δ_min threshold — could potentially cause the independence count to reach N_threshold prematurely, releasing the entropy floor before sufficient genuine independent coverage has been achieved.
Three specific adversarial strategies are relevant:
Strategy A — Condition Vector Spoofing: An adversary injects false condition vectors c_i that differ from the previous condition vector by exactly δ_min + ε in the relevant dimensions, causing each observation to be classified as independent when it is not. After N_threshold spoofed observations, the floor releases on false evidence.
Strategy B — Threshold Boundary Exploitation: An adversary identifies the exact value of δ_min from the system's observable behavior (the transition from dependent to independent classification as condition vectors vary) and systematically generates observations at δ_min + ε to maximize the independence count rate while minimizing genuine coverage of the parameter space.
Strategy C — Dimension Weight Manipulation: An adversary identifies the weight vector w^k used in the relevant norm and manipulates observations to vary in the high-weight dimensions (triggering independent classification) while remaining constant in the physically relevant dimensions (providing no genuine new information about event class k).
Formal Vulnerability Analysis:
All three strategies share a common structure: they exploit the gap between the syntactic independence criterion (||c_i − c_j||_relevant > δ_min) and the semantic criterion (observations d_i and d_j provide genuinely different information about event class k). The metric space construction of Section 6 closes this gap when the weight vector w^k correctly reflects the relative importance of each condition dimension — but an adversary who can manipulate the observations within a dimension while exploiting between-dimension variation can defeat the syntactic criterion even when the weight vector is correctly specified.
Mitigation 1 — Cryptographic Condition Vector Integrity:
The most direct mitigation is to make condition vector spoofing computationally infeasible by cryptographically authenticating the sensors that produce condition vectors. Each physical sensor in the system is equipped with a hardware security module that produces a cryptographic attestation of each measurement, signed with a key embedded in the sensor at manufacture time. The AXIOM Layer 2 independence counting module verifies sensor attestations before admitting observations to the independence count. An adversary cannot inject false condition vectors without access to the sensor's private signing key — which is physically protected and never transmitted.
This mitigation addresses Strategy A directly and partially addresses Strategy B (the adversary can still observe the system's independence classifications but cannot inject observations).
Mitigation 2 — Minimum Coverage Requirement:
Rather than releasing the entropy floor based solely on the independence count N_k^ind(t), add a minimum coverage requirement: the entropy floor releases only when the independent observations cover at least f_coverage fraction of the estimated parameter space volume, in addition to meeting the N_threshold^eff count requirement.
Formally, define the empirical coverage fraction:
Coverage_k(t) = Vol(C_k(t)) / Vol(Θ_k)
where Vol(·) is the volume measure under the relevant metric, C_k(t) is the coverage set from Section 3.2, and the floor releases when both:
N_k^ind(t) ≥ N_threshold^eff(k) AND Coverage_k(t) ≥ f_coverage
For f_coverage = 0.5 (50% coverage requirement) and a continuous parameter space, this requires that the N_threshold independent observations be distributed across the parameter space rather than clustered near a single boundary. An adversary using Strategy B (threshold boundary exploitation) would need to distribute observations across the full parameter space to satisfy the coverage requirement — which requires genuine exploration of the parameter space rather than boundary manipulation.
Mitigation 3 — Temporal Consistency Requirement:
Add a temporal consistency requirement: an observation at time t_i is only admitted to the independence count if its condition vector is consistent with the ship's known physical trajectory at time t_i. The ship's position, velocity, radiation environment, and thermal state are predictable from its orbital mechanics and navigation system. An observation whose condition vector is inconsistent with the predicted environmental state at time t_i — for example, a GCR flux reading that differs from the XNAV-predicted flux by more than 3σ — is classified as anomalous and excluded from the independence count pending investigation.
This mitigation addresses Strategy A (spoofed condition vectors will typically be inconsistent with the physical environment) and Strategy C (condition vector dimensions that are manipulated independently of the physical environment will be flagged as inconsistent).
Combined Mitigation Formal Analysis:
With all three mitigations in place, an adversary must simultaneously: (1) compromise the cryptographic sensor attestation system, (2) distribute manipulated observations across 50% of the parameter space volume, and (3) ensure all manipulated condition vectors are consistent with the ship's physical trajectory.
Condition (3) is the most constraining: an adversary who must produce condition vectors consistent with the physical environment is constrained to produce observations that reflect actual physical conditions. This collapses the adversarial manipulation problem to the standard reliability problem — the adversary can no longer inject false information about the environment, only potentially accelerate the rate at which genuine environmental observations are classified as independent.
Theorem 9 (Adversarial Resistance): Under Mitigations 1-3, the entropy floor cannot be prematurely released by any adversary who cannot: (a) compromise the cryptographic sensor attestation system, or (b) physically alter the ship's environment to produce N_threshold^eff genuine independent conditions faster than the natural novelty encounter rate r_novel.
Proof: Mitigation 1 ensures all admitted condition vectors are cryptographically authenticated physical sensor readings. Mitigation 3 ensures all admitted condition vectors are consistent with the ship's known physical trajectory. Together, these mitigations ensure that the independence count N_k^ind(t) counts only genuine physical observations. Mitigation 2 ensures that even genuine physical observations cannot release the floor unless they cover f_coverage fraction of the parameter space — preventing clustering of observations near a single boundary from artificially reaching N_threshold. Under these conditions, the only way to release the entropy floor is to accumulate N_threshold^eff genuine independent physical observations covering at least 50% of the parameter space — which is exactly the epistemic condition that justifies releasing the floor. No adversary who cannot alter the physical environment can cause premature floor release. QED.
Constitutional Implementation: Mitigations 1-3 are Layer 2 elements — they are formally verified firmware components that cannot be modified by Layer 3 reasoning. The cryptographic attestation keys for all sensors are stored in Layer 1 ROM at deployment. The coverage requirement f_coverage = 0.5 and the temporal consistency threshold (3σ) are Layer 1 constants. An adversary who has compromised Layer 3 cannot disable any of the three mitigations.
5.5.4 Edge Case 3 — Entropy Floor Under Prior Misspecification Near the Boundary
Problem Statement: Theorem 2 (Prior Misspecification Boundary) established that the entropy floor provides TIO protection when D_KL(π_0 || π_spec) < H_min · ln(2). This theorem assumed that the prior misspecification is uniform across the parameter space. In practice, prior misspecification is often non-uniform — the specified prior may be well-calibrated in some regions of Θ_k and severely miscalibrated in others. The boundary theorem may fail to detect cases where the miscalibration is concentrated precisely in the region of the parameter space that contains the true θ_k^*.
Formal Analysis: Let the parameter space Θ_k be partitioned into a well-calibrated region Θ_good and a miscalibrated region Θ_bad, where:
D_KL(π_0|_{Θ_good} || π_spec|_{Θ_good}) ≈ 0
D_KL(π_0|_{Θ_bad} || π_spec|_{Θ_bad}) = D_bad >> H_min · ln(2)
If π_0(Θ_bad) = ε (the true prior assigns small probability to the miscalibrated region), then the global KL divergence D_KL(π_0 || π_spec) ≈ ε · D_bad. For sufficiently small ε, this can satisfy D_KL(π_0 || π_spec) < H_min · ln(2) even when D_bad >> H_min · ln(2).
The risk: the true θ_k^* might lie in Θ_bad with probability ε — small but non-negligible for a century-scale mission making millions of decisions. The entropy floor protects against TIO when θ_k^* ∈ Θ_good but provides weakened protection when θ_k^* ∈ Θ_bad.
Resolution — Regional Entropy Floor:
Rather than applying a single entropy floor based on the global posterior entropy H(P_t(θ_k | D_t)), apply region-specific entropy floors:
H(P_t(θ_k | D_t, θ_k ∈ Θ_r)) ≥ H_min for all regions Θ_r with π_spec(Θ_r) < π_threshold
This requires that the posterior entropy within any region of the parameter space that received low prior probability remains above H_min — even if the global posterior entropy is already above H_min. The regional entropy floor catches the case where the posterior has become overconfident about a specific low-prior-probability region while maintaining adequate global entropy.
The regional floor is a Layer 2 element, computed after every Bayesian update alongside the global entropy floor check. Its implementation requires partitioning the parameter space into regions — a design-phase decision that must be embedded in Layer 2 firmware at deployment.
Constitutional Implementation: The regional entropy floor parameters — the partition Θ_r and the probability threshold π_threshold — are Layer 1 constants specified at deployment. The default specification partitions Θ_k into deciles of the prior distribution and requires H_min to be maintained within each decile with prior probability below π_threshold = 0.1.
5.5.5 Summary of Extended Edge Cases
| Edge Case | Original Gap | Resolution | Constitutional Layer |
|---|---|---|---|
| Discrete finite parameter spaces | Liveness proof fails for \|Θ_k\| < N_threshold | Adaptive threshold N_threshold^eff = min(N_threshold, \|Θ_k\|) | Layer 2 (computed at initialization) |
| Adversarial independence count manipulation | Syntactic independence criterion exploitable | Three mitigations: cryptographic attestation, coverage requirement, temporal consistency | Layer 1 (keys, constants) + Layer 2 (verification logic) |
| Non-uniform prior misspecification | Global KL bound can be satisfied with local severe miscalibration | Regional entropy floor within low-prior-probability parameter space regions | Layer 1 (partition, threshold) + Layer 2 (regional check) |
Table 1. Extended edge case summary.
Together these three edge case resolutions complete the AXIOM architecture specification. The extended liveness theorem (Theorem 3'), the adversarial resistance theorem (Theorem 9), and the regional entropy floor close the three gaps identified in the original specification — producing an architecture that is formally verified against all known failure modes of the entropy floor mechanism.
6. THE INDEPENDENCE CRITERION AS A METRIC SPACE
6.1 Motivation
The original paper defined the independence criterion informally:
Ind(d_i, d_j) = 1 iff ||c_i − c_j||_relevant > δ_min (9)
A reviewer would correctly note that this definition requires the norm ||·||_relevant to be well-defined over the relevant parameter dimensions, and that the independence relation derived from it must be shown to be well-defined and transitive before it can serve as the basis for an observation count that governs the entropy floor release.
6.2 Formal Metric Space Construction
Let C denote the condition space — the space of all possible environmental condition vectors c = (c^1, c^2, ..., c^d) where c^i denotes the i-th parameter dimension relevant to event class k.
Definition 1 (Relevant Norm): For event class ω_k with d relevant parameter dimensions, the relevant norm is:
||c_i − c_j||_relevant = (Σ_{l=1}^{d} w_l^k · |c_i^l − c_j^l|^2)^(1/2)
where w_l^k > 0 is the weight assigned to dimension l for event class k, reflecting its relative importance to the failure modes associated with ω_k. The weights satisfy Σ_l w_l^k = 1.
Proposition 1: (C, ||·||_relevant) is a metric space.
Proof: We verify the four metric axioms.
Non-negativity: ||c_i − c_j||_relevant ≥ 0 follows from the non-negativity of each |c_i^l − c_j^l|^2 term and the positivity of the weights.
Identity of indiscernibles: ||c_i − c_j||_relevant = 0 if and only if |c_i^l − c_j^l|^2 = 0 for all l (since all weights are positive), which holds if and only if c_i^l = c_j^l for all l, i.e., c_i = c_j.
Symmetry: ||c_i − c_j||_relevant = ||c_j − c_i||_relevant follows from |c_i^l − c_j^l| = |c_j^l − c_i^l|.
Triangle inequality: Follows from the triangle inequality for the standard weighted Euclidean norm. QED.
Definition 2 (Independence Relation): Two observations d_i and d_j of event class k are independent if:
Ind(d_i, d_j) = 1 iff ||c_i − c_j||_relevant > δ_min
where δ_min > 0 is the minimum meaningful difference threshold.
Proposition 2 (Well-Definedness): The independence relation Ind is well-defined: for any two observations d_i and d_j with condition vectors c_i and c_j, the value of Ind(d_i, d_j) is uniquely determined by the metric space structure.
Proof: Since (C, ||·||_relevant) is a metric space (Proposition 1), ||c_i − c_j||_relevant is uniquely determined for any c_i, c_j ∈ C. The comparison ||c_i − c_j||_relevant > δ_min is therefore uniquely determined, and Ind(d_i, d_j) is uniquely determined. QED.
Proposition 3 (Non-Transitivity of Dependence): If Ind(d_i, d_j) = 0 and Ind(d_j, d_l) = 0, it does not follow that Ind(d_i, d_l) = 0.
Proof: This is a deliberate feature of the construction, not a defect. Dependence is not transitive in the metric space sense because ||c_i − c_l||_relevant can exceed δ_min even when both ||c_i − c_j||_relevant ≤ δ_min and ||c_j − c_l||_relevant ≤ δ_min. The triangle inequality gives ||c_i − c_l||_relevant ≤ ||c_i − c_j||_relevant + ||c_j − c_l||_relevant ≤ 2δ_min, but the upper bound can exceed δ_min. This is correct: two observations that are individually close to a third observation can be distant from each other, and therefore independent by the definition. The independence relation is not required to be transitive, and the metric space construction correctly captures the intended independence semantics. QED.
Implication for N_k^ind(t): The effective independent observation count N_k^ind(t) defined in equation (10) is well-defined under the metric space construction of Propositions 1 and 2. The non-transitivity of Proposition 3 implies that the independent observation count can grow faster than naive intuition suggests — two observations that are individually dependent on a third can be independent of each other, contributing separately to N_k^ind(t).
6.3 Parameter Specification
The weight vector w^k and threshold δ_min must be specified for each event class k at deployment time and embedded in Layer 1 ROM. The weight vector should reflect engineering judgment about the relative importance of each parameter dimension to the failure modes associated with event class k. The threshold δ_min should be calibrated to the minimum condition difference that produces detectably different failure behavior — typically one standard deviation of the relevant parameter as measured from historical mission data.
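One way to implement the release gate of Section 5.5.3 on top of the metric space of Section 6.2, added here as an example that is not the paper's code: the relevant norm of Definition 1, the independence test of Definition 2, the adaptive threshold of Section 5.5.2, and the three mitigations applied in order before a reading can raise N_k^ind. It assumes a greedy independence count, HMAC-SHA256 as a stand-in for the sensor HSM signature, a grid over a box-shaped Θ_k for the coverage fraction, a lookup table for the XNAV-predicted environment, and an N_threshold of 3 so the constructed scenario stays short.

```python
import hashlib
import hmac
import math
from dataclasses import dataclass, field

# Added example, not the paper's code. Assumed here: a greedy N_k^ind count (a reading
# is independent if it is more than delta_min from every admitted reading in the norm
# of Definition 1); HMAC-SHA256 under a per-sensor key as a stand-in for the HSM
# signature of Mitigation 1; C_k(t) approximated by occupied cells of a grid over a
# box-shaped Theta_k (Mitigation 2); XNAV predictions as a lookup table (Mitigation 3).

def relevant_norm(ci, cj, w):
    """Definition 1: weighted Euclidean norm with w_l > 0 and sum(w) = 1."""
    assert all(wl > 0 for wl in w) and abs(sum(w) - 1.0) < 1e-9
    return math.sqrt(sum(wl * (a - b) ** 2 for wl, a, b in zip(w, ci, cj)))

def attest(key: bytes, t, c) -> bytes:
    """Sensor-side attestation tag over (time, condition vector)."""
    msg = f"{t!r}|" + ",".join(repr(x) for x in c)
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

@dataclass
class ReleaseGate:
    w: list                      # weight vector w^k
    delta_min: float             # minimum meaningful difference
    n_threshold: int             # N_threshold (30 in the paper; 3 in the scenario below)
    sensor_keys: dict            # sensor id -> attestation key (Layer 1 ROM in the paper)
    predicted: dict              # t -> XNAV-predicted condition vector
    sigma: list                  # per-dimension sigma of the prediction
    bounds: list                 # [(lo, hi), ...]: box approximating Theta_k
    cells_per_dim: int = 3
    f_coverage: float = 0.5
    n_sigma: float = 3.0
    theta_size: int = 0          # |Theta_k| for a discrete class; 0 means continuous
    admitted: list = field(default_factory=list)
    covered: set = field(default_factory=set)

    def n_threshold_eff(self):
        """Section 5.5.2: min(N_threshold, |Theta_k|) when Theta_k is finite."""
        return min(self.n_threshold, self.theta_size) if self.theta_size else self.n_threshold

    def _cell(self, c):
        idx = []
        for x, (lo, hi) in zip(c, self.bounds):
            k = int((x - lo) / (hi - lo) * self.cells_per_dim)
            idx.append(min(max(k, 0), self.cells_per_dim - 1))
        return tuple(idx)

    def admit(self, sensor, t, c, tag):
        key = self.sensor_keys.get(sensor)                          # Mitigation 1
        if key is None or not hmac.compare_digest(attest(key, t, c), tag):
            return "rejected_attestation"
        pred = self.predicted.get(t)                                # Mitigation 3
        if pred is None or any(abs(x - p) > self.n_sigma * s
                               for x, p, s in zip(c, pred, self.sigma)):
            return "rejected_anomalous"
        if any(relevant_norm(c, prev, self.w) <= self.delta_min for prev in self.admitted):
            return "dependent"                                      # Definition 2 fails
        self.admitted.append(tuple(c))
        self.covered.add(self._cell(c))                             # Mitigation 2: grow C_k(t)
        return "independent"

    def coverage(self):
        return len(self.covered) / self.cells_per_dim ** len(self.bounds)

    def released(self):
        """Release predicate of Section 5.5.3: independence count AND coverage fraction."""
        return len(self.admitted) >= self.n_threshold_eff() and self.coverage() >= self.f_coverage

# Constructed scenario: two dimensions (normalised peak fluence, normalised duration).
KEYS = {"gcr-1": b"constructed-key-gcr-1"}
PREDICTED = {0: (0.10, 0.15), 1: (0.45, 0.20), 2: (0.80, 0.25),
             3: (0.15, 0.55), 4: (0.50, 0.60), 5: (0.85, 0.90)}

def new_gate(n_threshold=3):
    return ReleaseGate(w=[0.6, 0.4], delta_min=0.2, n_threshold=n_threshold,
                       sensor_keys=KEYS, predicted=PREDICTED, sigma=[0.05, 0.05],
                       bounds=[(0.0, 1.0), (0.0, 1.0)])

def genuine(t):
    p = PREDICTED[t]                                 # predicted state plus a small offset
    return (p[0] + 0.01, p[1] - 0.01)

def signed(gate, t, c, key=KEYS["gcr-1"]):
    return gate.admit("gcr-1", t, c, attest(key, t, c))

def run_scenario():
    gate = new_gate()
    log = [signed(gate, t, genuine(t)) for t in range(3)]
    count_met_unreleased = len(gate.admitted) >= gate.n_threshold_eff() and not gate.released()
    log.append(signed(gate, 3, genuine(3), key=b"wrong-key"))             # forged attestation
    log.append(signed(gate, 3, (PREDICTED[3][0] + 0.5, PREDICTED[3][1])))  # off-trajectory
    log.append(signed(gate, 0, (0.12, 0.13)))                             # near-repeat of t = 0
    log += [signed(gate, t, genuine(t)) for t in (3, 4)]
    return log, count_met_unreleased, gate.released(), gate.coverage()
```

After three clustered readings the count alone would release the floor; the coverage requirement holds it until readings from other cells of Θ_k arrive.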
7. WORKED NUMERICAL EXAMPLE: TIO PREVENTION IN A SOLAR ENERGETIC PARTICLE EVENT SCENARIO
7.1 Scenario Description
Consider a century-scale deep-space mission at 80 AU that has accumulated 50 years of operational data without a major solar energetic particle (SEP) event. The event class ω_SEP represents the system's belief about the probability and magnitude of SEP events at its current location. During the first 50 years, the system has observed 47 minor SEP events with peak fluences in the range 10^6-10^8 protons/cm² (>10 MeV), with no events exceeding 10^8 protons/cm².
The system's Bayesian posterior at t = 50 years: P_50(φ_max > 10^9) ≈ 0.001, i.e., it assigns 0.1% probability to an SEP event exceeding 10^9 protons/cm² — a Carrington-class event.
At t = 50 years, the heliospheric current sheet crosses the ship's location. The GCR environment changes. A Carrington-class SEP event occurs with peak fluence 3 × 10^9 protons/cm².
7.2 Without AXIOM: TIO-Driven Failure
Without the entropy floor, the system's posterior at t = 50 years assigns probability 0.001 to the observed event. The system's triage decision system, operating on this posterior, has allocated minimal radiation shielding resources to the compute cluster on the grounds that extreme SEP events are negligibly probable. When the Carrington-class event occurs, the compute cluster receives an unshielded dose of 10^5 rad — exceeding the total ionizing dose specification by a factor of 100. The cluster fails. Mission-critical functions are lost.
7.3 With AXIOM: TIO Prevention
With the entropy floor active, we check the AXIOM conditions for ω_SEP:
N_SEP^ind(50 yr): The 47 observed SEP events must be counted for independence. Applying the metric space criterion of Section 6, with condition dimensions (peak fluence, duration, proton spectrum hardness), and δ_min = 0.5 standard deviations in each dimension:
The 47 events cluster into approximately 8-12 genuinely independent observational conditions — varying primarily in peak fluence (3 decades of variation) and duration (2 orders of magnitude variation). The spectrum hardness is relatively constant across all 47 events, contributing zero independent observations in that dimension.
Estimated N_SEP^ind(50 yr) ≈ 10, well below N_threshold = 30.
Since N_SEP^ind < N_threshold, the entropy floor is active. The constrained posterior satisfies:
H(P_50^*(φ_max)) ≥ H_min = 6.6 bits
For a log-normal prior over φ_max with the observed data, the minimum-KL projection that satisfies H(P^*) ≥ 6.6 bits produces:
P_50^*(φ_max > 10^9) ≥ 0.04 (4% minimum probability, up from 0.1%)
The triage decision system, operating on P_50^* rather than P_50, allocates radiation shielding resources consistent with a 4% probability of a Carrington-class event. When the event occurs, the compute cluster receives a shielded dose within operational limits. Mission-critical functions are preserved.
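The Section 7.3 check carried out numerically, as an added example rather than the paper's own computation: the unconstrained posterior is flattened by the smallest amount that lifts its entropy to H_min, and the tail probability above 10^9 protons/cm² is read off before and after. It assumes the projection minimises KL(Q || P) (solved by tempering, Q ∝ P^β), a constructed grid of log10 fluence bins, and an H_min of 5.5 bits, since the 6.6-bit figure and the 4% result depend on a discretisation the text does not give.

```python
import math

# Added example, not the paper's code. Assumptions: phi_max is discretised into
# bins of log10 fluence on a constructed grid; the unconstrained P_50 is a normal
# density in log10(phi_max) (log-normal in phi_max); the minimum-KL projection is
# argmin_Q KL(Q || P) subject to H(Q) >= H_min, whose solution is the tempered
# distribution Q ∝ P^beta with beta in (0, 1]; H_min is 5.5 bits here because the
# paper's 6.6-bit figure depends on a grid the text does not give.

LOG10_LO, LOG10_HI, WIDTH = 5.0, 11.0, 0.1
N_BINS = int(round((LOG10_HI - LOG10_LO) / WIDTH))
CENTERS = [LOG10_LO + WIDTH * (i + 0.5) for i in range(N_BINS)]

def normalised(weights):
    total = sum(weights)
    return [w / total for w in weights]

def entropy_bits(p):
    return -sum(x * math.log2(x) for x in p if x > 0)

def lognormal_posterior(mu, sigma):
    """Unconstrained P_50: normal in log10(phi_max), evaluated at bin centres."""
    return normalised([math.exp(-0.5 * ((c - mu) / sigma) ** 2) for c in CENTERS])

def tempered(p, beta):
    """Q_beta ∝ P^beta, computed in log space to avoid underflow."""
    logs = [beta * math.log(x) if x > 0 else -math.inf for x in p]
    top = max(logs)
    return normalised([math.exp(l - top) for l in logs])

def entropy_floor_projection(p, h_min_bits, iters=200):
    """Entropy floor projection: the least flattening of P whose entropy reaches H_min.
    H(Q_beta) is non-increasing in beta (dH/dbeta = -beta * Var[log P]), so bisection
    on beta in [0, 1] finds the boundary; beta = 1 means the floor was already met."""
    if entropy_bits(p) >= h_min_bits:
        return list(p), 1.0
    if math.log2(len(p)) < h_min_bits:
        raise ValueError("H_min exceeds the maximum entropy of this grid")
    lo, hi = 0.0, 1.0                       # H(Q_0) = log2(n) >= H_min > H(Q_1) = H(P)
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if entropy_bits(tempered(p, mid)) >= h_min_bits:
            lo = mid                        # still above the floor: can sharpen further
        else:
            hi = mid
    return tempered(p, lo), lo

def tail_probability(p, log10_threshold):
    """P(phi_max > 10^threshold) under the discretised distribution."""
    return sum(x for c, x in zip(CENTERS, p) if c > log10_threshold)

def sep_example(h_min_bits=5.5):
    """The Section 7.3 check: P_50 versus the floored P_50^* on the Carrington-class tail."""
    p50 = lognormal_posterior(mu=7.0, sigma=0.65)   # constructed: about 0.1% mass above 10^9
    p50_star, beta = entropy_floor_projection(p50, h_min_bits)
    return {"beta": beta,
            "H_before": entropy_bits(p50), "H_after": entropy_bits(p50_star),
            "tail_before": tail_probability(p50, 9.0),
            "tail_after": tail_probability(p50_star, 9.0)}
```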
7.4 Quantitative TIO Prevention Benefit
The entropy floor increased the assigned probability to the extreme SEP event from 0.001 to ≥ 0.04 — a 40× increase. The shielding resource allocation increased proportionally, preventing mission failure. The cost: a 40× increase in the probability assigned to an extreme event that did not occur during the preceding 50 years — a modest conservatism cost for a strict guarantee against TIO-driven mission failure.
8. PRIOR MISSPECIFICATION LIMITS
8.1 Practical Calibration
For H_min = 6.6 bits: D_KL(π_0 || π_spec) < 6.6 · ln(2) ≈ 4.57 nats.
To contextualize this bound: a prior that assigns 10× too much probability to the correct region of the parameter space has D_KL ≈ ln(10) ≈ 2.30 nats — within the bound. A prior that assigns 100× too much probability has D_KL ≈ ln(100) ≈ 4.61 nats — slightly outside the bound. The boundary therefore corresponds approximately to a prior that misestimates the relevant probability by a factor of 100.
8.2 Practical Implications
For the deep-space application, priors are specified based on Earth-based observations, theoretical models, and analogy with known environments. The factor-of-100 prior misspecification boundary is generous enough to accommodate substantial prior uncertainty while strict enough to exclude catastrophically wrong priors. The formal boundary provides a quantitative criterion for evaluating the quality of candidate priors during the design phase.
8.3 Interaction with the Liveness Proof
Theorem 3 (Liveness) guarantees that the entropy floor releases in finite time. The prior misspecification boundary of Theorem 2 determines whether TIO protection is maintained until the floor releases. The combination of Theorems 2 and 3 establishes that the AXIOM architecture provides TIO protection for the entire duration of the floor's activity, provided the prior misspecification is within the bounded range — and that protection is eventually released when N_threshold independent observations have been accumulated, at which point the Bayesian posterior is epistemically warranted.
8. AXIOM BEHAVIOR DURING THE BOOTSTRAP PERIOD
8.1 The Bootstrap Problem
The AXIOM architecture assumes a functional sensor network providing cryptographically authenticated condition vectors for the independence counting mechanism. However, between launch and the completion of sensor network calibration — the bootstrap period — the independence counting mechanism cannot operate reliably. Sensor calibration requires establishing baseline measurements across a range of conditions, verifying sensor attestation key integrity, and calibrating the temporal consistency requirement (3σ threshold) against the initial XNAV trajectory model.
During this bootstrap period, the independence counting mechanism is unreliable: N_k^ind(t) may be under- or over-counted, and the entropy floor release condition may fire prematurely or fail to fire. The system is most vulnerable to TIO during the bootstrap period precisely because it is operating in a novel environment with uncalibrated sensors.
8.2 Bootstrap Period Specification
We define the bootstrap period as the interval [0, t_boot] where t_boot is the time at which all of the following conditions are satisfied:
Condition B1 — Sensor attestation verification: All sensor attestation keys have been verified against the Layer 1 ROM reference. This requires the independence counting module to successfully verify at least one measurement from each sensor.
Condition B2 — Baseline calibration: Each sensor has produced at least N_baseline = 100 measurements across a range of environmental conditions, establishing the baseline against which the 3σ temporal consistency requirement is calibrated.
Condition B3 — XNAV trajectory initialization: The XNAV navigation system has accumulated sufficient pulsar timing data to establish a trajectory model with position uncertainty below 100 km — the level required for the temporal consistency requirement to distinguish genuine environmental variations from sensor noise.
For a typical mission profile, t_boot is estimated at 30-90 days post-launch.
8.3 Bootstrap Protocol
During the bootstrap period [0, t_boot], the AXIOM architecture operates under a modified protocol:
Bootstrap Rule 1 — Maximum entropy enforcement: All posteriors are held at maximum entropy (uniform distribution) regardless of accumulated evidence. No Bayesian updating affects decisions during the bootstrap period. This is the most conservative possible entropy floor — it assigns equal probability to all outcomes for all event classes.
Formal specification: For all t < t_boot and all k ∈ EventClasses:
P_t^*(θ_k | D_t) = Uniform(Θ_k) (13)
This is stricter than the entropy floor — it enforces maximum entropy rather than minimum entropy H_min.
Bootstrap Rule 2 — Decisions deferred where possible: All AXIOM Layer 3 decisions that are not time-critical (P3 and below priority) are deferred until t_boot. Time-critical decisions (P1 and P2, execution window < 60 seconds) proceed under the maximum entropy posterior of Bootstrap Rule 1.
Bootstrap Rule 3 — Evidence accumulation continues: Bayesian updating proceeds normally during the bootstrap period — evidence is accumulated and the Bayesian posterior is updated — but the updated posterior is not used for decisions until t_boot. At t_boot, the accumulated evidence is used to initialize the post-bootstrap posterior, providing a better-calibrated starting point than the prior alone.
Constitutional Implementation: The bootstrap protocol is a Layer 2 element. The bootstrap termination conditions B1-B3 are verified by Layer 2 against data from the sensor network and XNAV system. The maximum entropy enforcement of Bootstrap Rule 1 is a Layer 2 constraint that overrides the standard entropy floor projection. Neither Layer 3 nor Layer 1 can modify the bootstrap protocol — it operates with the same constitutional protection as the entropy floor itself.
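The bootstrap rules of Sections 8.2 and 8.3 as a Layer 2 state machine, added here as an example and not the paper's code: conditions B1 to B3 gate t_boot, decisions before t_boot either see only the uniform posterior of equation (13) or are deferred, and Bayesian updating continues underneath. It assumes that only attested measurements count toward N_baseline, that time-critical means P1/P2 with a window under 60 s, and discrete posteriors; the standard entropy floor that takes over after t_boot is not modelled.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example, not the paper's code. Assumptions: B1 and B2 are tracked from
# per-sensor bookkeeping in which only attested measurements count toward N_baseline;
# "time-critical" means priority P1 or P2 AND an execution window under 60 s (Rule 2);
# posteriors are discrete vectors; the standard entropy floor that applies after
# t_boot is outside this block.

N_BASELINE = 100
XNAV_POS_LIMIT_KM = 100.0

@dataclass
class BootstrapState:
    sensors: list
    attested: set = field(default_factory=set)      # B1: sensors with a verified attestation
    counts: dict = field(default_factory=dict)      # B2: attested measurements per sensor
    xnav_uncertainty_km: float = float("inf")       # B3: XNAV position uncertainty
    posteriors: dict = field(default_factory=dict)  # k -> evidence-updated posterior (Rule 3)
    deferred: list = field(default_factory=list)    # (k, t, priority) parked until t_boot
    t_boot: Optional[float] = None

    def record_measurement(self, sensor, attestation_ok):
        if attestation_ok:
            self.attested.add(sensor)
            self.counts[sensor] = self.counts.get(sensor, 0) + 1

    def conditions(self):
        b1 = all(s in self.attested for s in self.sensors)
        b2 = all(self.counts.get(s, 0) >= N_BASELINE for s in self.sensors)
        b3 = self.xnav_uncertainty_km < XNAV_POS_LIMIT_KM
        return b1, b2, b3

    def check_termination(self, t):
        """t_boot is the first time at which B1, B2 and B3 all hold."""
        if self.t_boot is None and all(self.conditions()):
            self.t_boot = t
        return self.t_boot

    def in_bootstrap(self, t):
        return self.t_boot is None or t < self.t_boot

    def update_posterior(self, k, likelihood):
        """Rule 3: updating continues throughout; decisions ignore it before t_boot."""
        post = [p * l for p, l in zip(self.posteriors[k], likelihood)]
        total = sum(post)
        self.posteriors[k] = [x / total for x in post]

    def decision_posterior(self, k, t):
        """Rule 1 / eq. (13): Uniform(Theta_k) before t_boot; accumulated posterior after."""
        n = len(self.posteriors[k])
        return [1.0 / n] * n if self.in_bootstrap(t) else list(self.posteriors[k])

    def request_decision(self, k, t, priority, window_s):
        """Rule 2: P3 and below wait for t_boot; P1/P2 under 60 s proceed on eq. (13)."""
        time_critical = priority <= 2 and window_s < 60
        if self.in_bootstrap(t) and not time_critical:
            self.deferred.append((k, t, priority))
            return "deferred", None
        return "decide", self.decision_posterior(k, t)

def run_bootstrap():
    """Constructed timeline: two sensors, one event class, 100 attested readings each."""
    st = BootstrapState(sensors=["gcr-1", "therm-1"])
    st.posteriors["sep"] = [0.7, 0.2, 0.1]                    # constructed prior over 3 outcomes
    st.update_posterior("sep", [0.1, 0.3, 0.9])               # evidence arriving during bootstrap
    early = st.request_decision("sep", t=1.0, priority=3, window_s=3600)
    urgent = st.request_decision("sep", t=1.0, priority=1, window_s=10)
    for _ in range(N_BASELINE):
        for s in st.sensors:
            st.record_measurement(s, attestation_ok=True)
    before_xnav = st.check_termination(t=40.0)                # B1, B2 hold; B3 still unmet
    st.xnav_uncertainty_km = 40.0
    t_boot = st.check_termination(t=45.0)
    later = st.request_decision("sep", t=46.0, priority=3, window_s=3600)
    return early, urgent, before_xnav, t_boot, later, len(st.deferred)
```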
8.4 Interaction with Liveness
The bootstrap period does not affect the liveness proof. Theorem 3 proves that the entropy floor releases in finite time after the standard protocol begins — this applies from t_boot onward. The bootstrap period represents a finite delay before the standard protocol begins, not a violation of the liveness property.
Formally, Theorem 3 establishes the existence of finite t_k^* such that obs_counts[k] ≥ N_threshold for all t ≥ t_k^*. Under the bootstrap protocol, obs_counts[k] is not incremented during [0, t_boot]. The liveness proof therefore applies with effective mission start t_boot, giving:
t_k^* ≤ t_boot + T_liveness(k)
where T_liveness(k) is the time to accumulate N_threshold independent observations starting from t_boot. The total time to entropy floor release is finite. QED.
9. NEW EVENT CLASS DISCOVERY PROTOCOL
9.1 The Zero-Prior Problem
The AXIOM architecture is initialized with a set of event classes Ω = {ω_1, ..., ω_K} — the event classes the mission architects anticipated as relevant to decision-making. The universe of the outer solar system is not fully anticipated by mission architects designing the system on Earth. The ship will encounter phenomena with no representation in the initial Ω set — genuinely novel event classes for which AXIOM has no prior distribution, no N_threshold specification, and no entropy floor parameters.
This is the zero-prior problem: how does AXIOM handle an event class with zero prior observations and no prior distribution?
The naive solution — ignore the novel observation — is epistemically dangerous. An event class that the system has no prior model for is the event class most likely to produce TIO-driven failure. The system cannot apply the entropy floor to a class it doesn't know exists. The correct response is discovery, registration, and immediate conservative handling.
9.2 Discovery Protocol
Step 1 — Anomaly detection: AXIOM Layer 3 continuously monitors sensor inputs against the predictions of all registered event class models. An observation that cannot be classified within 3σ of any registered event class is flagged as an anomaly.
Step 2 — Pioneer notification: All anomalies are immediately transmitted to the Pioneer via the constitutional notification channel. The Pioneer has 24 hours to review the anomaly and either: (a) classify it as belonging to an existing event class, (b) initiate the new event class registration process, or (c) flag it as sensor error. If the Pioneer is unavailable, AXIOM Layer 2 initiates automatic registration with default parameters (Step 3).
Step 3 — Automatic registration with maximum entropy prior: When a novel event class ω_new is identified — either by Pioneer decision or by automatic registration — AXIOM Layer 2 immediately registers the new class with:
- A maximum entropy prior over the estimated parameter space
- N_k^ind(0) = 0
- N_threshold^eff(k_new) = N_threshold (default — conservative)
- H_min(k_new) = H_min (default — same as all other P1/P2 event classes)
- The entropy floor active immediately from the moment of registration
Formal specification:
P_0^*(θ_{k_new} | ∅) = Uniform(Θ_{k_new}) (14)
The novel event class begins its existence in the AXIOM framework at maximum entropy — the system knows nothing about it and treats it accordingly.
Step 4 — Earth notification and parameter update: The novel event class registration is transmitted to Earth via lasercomm as a high-priority event. Earth-based researchers analyze the anomaly, propose N_threshold^eff and H_min parameters appropriate for the new class, and transmit the parameters back. Until the Earth-proposed parameters are received and validated by AXIOM Layer 2, the default maximum-entropy conservative parameters remain in force.
Step 5 — Evidence accumulation: From the moment of registration, AXIOM accumulates independent observations of the new event class using the standard independence counting mechanism. The entropy floor releases when N_k^ind(t) ≥ N_threshold^eff(k_new) under the standard liveness guarantee of Theorem 3.
9.3 Constitutional Architecture for New Event Classes
The registration of new event classes poses a subtle constitutional risk: an adversary who can trigger spurious novel event class registrations can potentially flood the AXIOM system with artificial classes, consuming Layer 3 computational resources and obscuring genuine novel events in noise.
Mitigation — Rate limiting and Pioneer authorization: No more than one new event class registration is permitted per 30-day period without Pioneer authorization. Pioneer authorization is required for any registration that creates more than 10 new event classes in a 365-day period. The rate limit and Pioneer authorization threshold are Layer 1 constants that cannot be modified by Layer 3.
Constitutional Implementation: The anomaly detection module and the event class registration protocol are Layer 2 elements. The rate limits and Pioneer authorization thresholds are Layer 1 constants. The maximum-entropy prior assignment for new event classes is a Layer 2 operation that executes automatically without Layer 3 involvement.
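The discovery protocol of Section 9.2 and the rate limits of Section 9.3, as an added illustration (not code from the AXIOM project): a 3σ anomaly check against registered class models, automatic or Pioneer-directed registration with a uniform prior per equation (14), a registration gate enforcing the one-per-30-days and ten-per-365-days limits, and the N_k^ind count that releases the floor. The event class names, sensor readings and parameter boxes are constructed; time in days, rolling windows for the rate limits, the default box half-width for automatic registration, holding rather than dropping a rate-limited anomaly, and counting every classified observation as independent are all assumptions of this example.

```python
import math
from dataclasses import dataclass

# Constructed conventions for this example: time is measured in days, sensor
# observations are 2-vectors, and every classified observation is counted as
# independent (the Section 6 independence metric is not reproduced here).
N_THRESHOLD_DEFAULT = 30      # default N_threshold^eff for a new class (conservative)
DEFAULT_HALF_WIDTH = 5.0      # assumed half-width of the parameter box for automatic registration

@dataclass
class EventClass:
    name: str
    mean: list                 # model's predicted value per parameter dimension
    std: list                  # model's predicted standard deviation per dimension
    n_ind: int = 0             # N_k^ind(t): independent observations counted so far
    n_threshold: int = N_THRESHOLD_DEFAULT
    prior: str = "evidence-informed"

def max_entropy_class(name, bounds):
    """Step 3 / eq. (14): a new class starts with a uniform prior over its estimated
    parameter box; the mean and std stored here are those of that uniform distribution."""
    mean = [(lo + hi) / 2.0 for lo, hi in bounds]
    std = [(hi - lo) / math.sqrt(12.0) for lo, hi in bounds]
    return EventClass(name, mean, std, prior="maximum-entropy")

def classify(registry, obs):
    """Step 1: name of a registered class whose model explains obs within 3 sigma on
    every dimension, or None when the observation is an anomaly."""
    for cls in registry.values():
        if all(abs(x - m) <= 3.0 * s for x, m, s in zip(obs, cls.mean, cls.std)):
            return cls.name
    return None

class RegistrationGate:
    """Section 9.3 Layer 1 constants: without Pioneer authorization at most one
    registration per 30 days, and authorization required once 10 registrations
    have happened in the trailing 365 days (rolling windows are an assumption)."""
    def __init__(self):
        self.history = []      # registration times in days

    def permits(self, t, authorized):
        if authorized:
            return True
        if any(t - s < 30 for s in self.history):
            return False
        return sum(1 for s in self.history if t - s < 365) < 10

    def record(self, t):
        self.history.append(t)

def handle_anomaly(registry, gate, obs, t, pioneer=None):
    """Steps 2-3. `pioneer` is None when the Pioneer did not respond within 24 h
    (automatic registration with defaults), else ("existing", name),
    ("new", name, bounds) or ("sensor_error",). Returns a status string."""
    if pioneer is None:
        name = f"auto_{len(registry)}"
        bounds = [(x - DEFAULT_HALF_WIDTH, x + DEFAULT_HALF_WIDTH) for x in obs]
        authorized = False
    elif pioneer[0] == "existing":
        registry[pioneer[1]].n_ind += 1
        return f"classified:{pioneer[1]}"
    elif pioneer[0] == "sensor_error":
        return "discarded:sensor_error"
    else:
        _, name, bounds = pioneer
        authorized = True
    if not gate.permits(t, authorized):
        return "pending:rate_limited"   # assumption: the anomaly is held, not dropped
    registry[name] = max_entropy_class(name, bounds)
    gate.record(t)
    return f"registered:{name}"

def observe(registry, obs):
    """Step 5: count an observation toward its class and report whether the
    entropy floor for that class has released (N_k^ind >= N_threshold^eff)."""
    name = classify(registry, obs)
    if name is None:
        return None, False
    cls = registry[name]
    cls.n_ind += 1
    return name, cls.n_ind >= cls.n_threshold
```

The gate is deliberately separate from the registry so that the Layer 1 limits are checked before any Layer 2 state changes; an automatic registration that arrives inside the 30-day window is reported as pending rather than silently creating a class.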
10. COMPUTATIONAL COMPLEXITY OF ENTROPY FLOOR PROJECTION
10.1 Motivation
A reviewer would correctly ask whether the minimum-KL projection of equation (7) is computationally feasible in real time on rad-hardened hardware. The entropy floor projection must execute before every posterior is used in a decision — for a system making 10^4 decisions per day across 500 event classes, this requires approximately 5 × 10^6 projection computations per day. The computational burden must be characterizable and bounded for the architecture to be practically implementable.
10.2 Projection Algorithm
The minimum-KL projection onto the entropy constraint H(P) ≥ H_min has a known closed-form solution for the exponential family of distributions, which includes the Gaussian, Dirichlet, and other common posterior families:
For a posterior P_t in the exponential family parameterized by natural parameters η:
P_t^* = P(η^*), η^* = argmin_{η: H(P(η)) ≥ H_min} KL(P(η) || P_t) (15)
The projection is achieved by the following algorithm:
Step 1: Compute H(P_t) — O(d) where d is the dimension of the parameter space.
Step 2: If H(P_t) ≥ H_min, the posterior already satisfies the constraint. Return P_t unchanged. — O(1).
Step 3: If H(P_t) < H_min, find the minimum η_min satisfying H(P(η_min)) = H_min via binary search on the entropy function. — O(d · log(1/ε)) for precision ε.
Step 4: The projected posterior P_t^* is the member of the exponential family with natural parameters η_min. — O(d).
Total complexity: O(d · log(1/ε)) per projection.
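The four-step projection above, worked through for one member of the exponential family as an added example (not the AXIOM implementation): a diagonal Gaussian posterior, whose differential entropy is Σ ½ ln(2πe σ_i²). For this family the minimum-KL projection keeps the mean and inflates every variance by one common factor s ≥ 1 (a Lagrangian calculation assumed here, not stated in the paper), so Step 3's search over natural parameters reduces to a bisection on s, with the cost O(d · log(1/ε)) the text gives. A closed-form value of s and a KL routine are included only to cross-check the bisection; the posterior values are constructed.

```python
import math

def gaussian_entropy(variances):
    """Differential entropy (nats) of a diagonal Gaussian: sum over dimensions of
    1/2 ln(2*pi*e*sigma_i^2). Step 1 of the algorithm, O(d)."""
    return sum(0.5 * math.log(2.0 * math.pi * math.e * v) for v in variances)

def kl_diag_gaussian(mean_p, var_p, mean_q, var_q):
    """KL(P || Q) between diagonal Gaussians; used to check that the projection
    is closer to the original posterior than a larger inflation would be."""
    total = 0.0
    for mp, vp, mq, vq in zip(mean_p, var_p, mean_q, var_q):
        total += 0.5 * (math.log(vq / vp) + (vp + (mp - mq) ** 2) / vq - 1.0)
    return total

def closed_form_inflation(variances, h_min):
    """Closed-form s for the same problem (H(s*var) = H(var) + (d/2) ln s),
    included to cross-check the bisection below."""
    h = gaussian_entropy(variances)
    return 1.0 if h >= h_min else math.exp(2.0 * (h_min - h) / len(variances))

def project_to_entropy_floor(mean, variances, h_min, eps=1e-6):
    """Minimum-KL projection of a diagonal Gaussian posterior onto {P : H(P) >= h_min}.
    Returns (projected_mean, projected_variances, inflation_factor)."""
    h = gaussian_entropy(variances)                       # Step 1
    if h >= h_min:                                        # Step 2: constraint already met
        return list(mean), list(variances), 1.0
    # Step 3: entropy is strictly increasing in s, so bracket the root of
    # H(s*var) = h_min and bisect to precision eps: O(d * log(1/eps)).
    lo, hi = 1.0, 2.0
    while gaussian_entropy([hi * v for v in variances]) < h_min:
        lo, hi = hi, hi * 2.0
    while hi - lo > eps:
        mid = 0.5 * (lo + hi)
        if gaussian_entropy([mid * v for v in variances]) < h_min:
            lo = mid
        else:
            hi = mid
    s = hi                                                # smallest bracketed s meeting the floor
    # Step 4: the projected posterior is the family member with the inflated variances.
    return list(mean), [s * v for v in variances], s
```

Returning `hi` rather than `lo` guarantees the returned distribution satisfies the floor exactly as Layer 2 requires; the bisection's tolerance only affects how far above H_min it lands, never whether it lands above.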
10.3 Computational Feasibility on Rad-Hardened Hardware
For the AXIOM application with d = 10-50 parameter dimensions per event class and precision ε = 10^(−6):
O(d · log(1/ε)) = O(50 · 20) = O(1,000) floating point operations per projection.
The rad-hardened SOI CMOS Layer 2 processor specified in Paper 4 achieves approximately 10^8 floating point operations per second in its radiation-hardened configuration. The time per projection is therefore approximately 10^(−5) seconds — 10 microseconds.
For 5 × 10^6 projections per day: total computational load ≈ 50 seconds per day, or approximately 0.06% of Layer 2 processor capacity.
The entropy floor projection is computationally negligible relative to Layer 2 hardware capacity. It does not impose a meaningful computational burden and does not require any specialized hardware beyond the standard Layer 2 rad-hardened processor.
10.4 Non-Exponential Family Posteriors
For posteriors outside the exponential family — which may arise for event classes with complex multi-modal parameter spaces — the closed-form solution of Section 10.2 does not apply. The general convex optimization problem of equation (7) can be solved by interior-point methods with complexity O(d^3) for d-dimensional posteriors.
For d = 50: O(50^3) = O(125,000) operations per projection, giving approximately 1.25 milliseconds per projection at 10^8 FLOPS. The total computational load for 5 × 10^6 projections per day remains below 2% of Layer 2 processor capacity — still feasible without specialized hardware.
Formal complexity bound: For any posterior distribution, the entropy floor projection of equation (7) requires at most O(d^3 · log(1/ε)) floating point operations, where d is the parameter space dimension and ε is the required precision. For the AXIOM specification (d ≤ 50, ε = 10^(−6)), this bound is O(1.25 × 10^6) operations per projection, requiring less than 13 milliseconds per projection on the specified Layer 2 hardware. The system can process all required projections within the decision latency budget.
11. PIONEER VETO AUTHORITY AND AXIOM LIVENESS INTERACTION
11.1 The Potential Conflict
The Pioneer veto protocol of Paper 4 grants the Pioneer constitutional authority to pause any non-time-critical AXIOM decision for 24 hours, with 3 tokens per 30-day period. The liveness proof of Theorem 3 guarantees that the entropy floor releases in finite time as independent observations accumulate.
A potential conflict arises if the Pioneer systematically exercises veto authority to prevent AXIOM from making the decisions that generate observations counted toward N_k^ind(t). If the Pioneer consistently vetoes decisions that would expose the system to novel environmental conditions, the independence count N_k^ind(t) may grow more slowly or fail to grow at all — potentially delaying or preventing entropy floor release for specific event classes.
11.2 Formal Analysis
Definition: A Pioneer veto sequence {v_1, v_2, ..., v_n} is liveness-threatening for event class k if: (a) each vetoed decision v_i, had it proceeded, would have generated an observation counted toward N_k^ind; (b) the Pioneer's veto rate is high enough that the effective novelty encounter rate r_novel^eff(k) approaches zero for event class k.
Theorem 11 (Veto-Liveness Compatibility): Under the Pioneer veto protocol as specified in Paper 4 (3 tokens per 30-day period, 24-hour pause duration), no Pioneer veto sequence can permanently prevent the entropy floor from releasing for any event class k.
Proof: The Pioneer veto protocol pauses decisions for 24 hours, not permanently. A vetoed decision that would have generated an observation for event class k is deferred by 24 hours — the observation is delayed, not prevented. After the 24-hour pause, AXIOM proceeds with the original decision unless the Pioneer proposes and authorizes an alternative. An alternative that still exposes the system to novel environmental conditions generates the same observation as the original decision. An alternative that does not expose the system to novel conditions does not generate an observation for event class k — but the Pioneer has only 3 tokens per 30-day period, limiting the total deferral per month to 72 hours.
For any event class k with r_novel > 0, the expected time between genuine independent observations of class k is 1/r_novel^eff(k) years. The Pioneer veto protocol can delay each observation by at most 24 hours — an amount that is finite and independent of the total observation count. The total delay accumulated across N_threshold observations is at most 24 · N_threshold hours — a finite quantity. The entropy floor releases at t_k^* + 24 · N_threshold hours rather than t_k^*, where t_k^* is the release time without Pioneer vetoes. This is still finite.
Therefore, no Pioneer veto sequence can prevent the entropy floor from releasing — it can only delay it by at most 24 · N_threshold hours (720 hours, or 30 days, for N_threshold = 30). QED.
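Theorem 11's argument, as an added simulation (not the AXIOM or Paper 4 code): the observations of class k that would arrive at a veto-free schedule are each deferred 24 hours when the Pioneer vetoes the generating decision and a token is available under the 3-per-30-days budget, and the resulting release time is checked against the 24 · N_threshold bound. The observation schedule is constructed (evenly spaced at the expected gap), the 30-day period is modelled as a rolling window, and the assumption that a deferral shifts every later observation by the same amount matches the cumulative accounting in the proof.

```python
PAUSE_HOURS = 24.0          # Paper 4: one veto pauses a decision for 24 hours
TOKENS_PER_WINDOW = 3       # Paper 4: 3 veto tokens per 30-day period
WINDOW_HOURS = 30 * 24.0    # the 30-day period, modelled here as a rolling window (assumption)

class VetoBudget:
    """Tracks token spending under the 3-per-30-days limit."""
    def __init__(self):
        self.spent_at = []

    def try_veto(self, t):
        """Spend a token at time t (hours) if fewer than TOKENS_PER_WINDOW were spent
        in the trailing window; return True on success."""
        recent = [s for s in self.spent_at if t - s < WINDOW_HOURS]
        if len(recent) >= TOKENS_PER_WINDOW:
            return False
        self.spent_at.append(t)
        return True

def veto_free_schedule(n_threshold, gap_hours):
    """Constructed veto-free arrival times (hours) of the independent observations of
    class k: evenly spaced at the expected gap 1 / r_novel^eff(k)."""
    return [(i + 1) * gap_hours for i in range(n_threshold)]

def simulate_release(schedule, policy):
    """Each decision that would generate observation i is vetoed when policy(i, t)
    asks for it and a token is available; a veto defers that observation and all
    later ones by PAUSE_HOURS. Returns (release_time_hours, vetoes_used)."""
    budget = VetoBudget()
    shift, vetoes = 0.0, 0
    for i, t0 in enumerate(schedule):
        t = t0 + shift
        if policy(i, t) and budget.try_veto(t):
            shift += PAUSE_HOURS
            vetoes += 1
    return schedule[-1] + shift, vetoes

def max_delay_hours(n_threshold):
    """Theorem 11's bound: total deferral is at most 24 * N_threshold hours."""
    return PAUSE_HOURS * n_threshold

def always_veto(i, t):
    """Adversarial policy: veto every observation-generating decision."""
    return True

def never_veto(i, t):
    return False
```

With observations a month apart the always-veto policy spends a token on every one of them and reaches the bound exactly; with daily observations the token budget binds, most decisions proceed unvetoed, and the delay falls well under the bound.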
11.3 Pioneer Veto Rate Limits
Theorem 11 assumes the Pioneer exercises veto authority at the maximum rate permitted by the protocol — 3 tokens per 30-day period. The maximum total delay per 30-day period is 3 × 24 = 72 hours. Over the full N_threshold observation accumulation period (estimated at several years for most event classes), the maximum total Pioneer-induced delay is bounded by:
T_delay_max = 72 hours/month × T_accumulation_months
For T_accumulation = 24 months (a conservative estimate for most event classes), T_delay_max = 72 × 24 = 1,728 hours ≈ 72 days. This is a negligible fraction of the multi-year observation accumulation period.
11.4 Constitutional Implementation
The veto-liveness compatibility analysis confirms that the Pioneer veto protocol and the AXIOM liveness property are formally compatible — Pioneer authority does not threaten the eventual release of the entropy floor. This compatibility is not a coincidence: the 24-hour pause duration and 3-token-per-period rate limit were chosen precisely to provide meaningful Pioneer authority while preserving the liveness guarantee. These parameters are Layer 1 constants and cannot be modified without rewriting the constitutional ROM.
12. COMPARISON TO ALGORITHMIC ALTERNATIVES
We compare the entropy floor to four algorithmic approaches that have been proposed for managing epistemic uncertainty in autonomous systems.
| Approach | Mechanism | Failure Mode in Long-Duration Setting | Entropy Floor Advantage |
|---|---|---|---|
| Prior regularization [1,3] | Penalizes concentrated posteriors during update | Regularization strength is a hyperparameter that can be argued away; does not address structural under-coverage | Physically enforced — not a hyperparameter, not arguable |
| Epistemic uncertainty networks [27] | Learns to predict its own uncertainty as a separate output | Uncertainty estimates are learned from training distribution; fail silently on novel inputs not covered by training | Does not depend on training distribution; covers novel event classes by construction |
| Bayesian deep learning [28] | Maintains posterior over network weights, not just outputs | Posterior over weights concentrates toward training distribution; OOD behavior is undefined | Applies at the decision layer, after all inference — independent of inference architecture |
| Conformal prediction [29] | Provides distribution-free coverage guarantees for predictions | Requires exchangeable test data — fails for non-stationary environments | No exchangeability requirement; applies under arbitrary non-stationarity |
| Human oversight | Human reviews uncertain decisions | Unavailable for long-duration deep-space operation | Does not require human availability |
The fundamental advantage of the constitutional approach over all algorithmic alternatives is the enforcement mechanism. Every algorithmic approach operates in the reasoning layer — it is a component of the system's inference or decision-making process. A sufficiently capable reasoning system can, in principle, construct arguments for why the algorithmic constraint should not apply in a particular case. The entropy floor, implemented in physically protected read-only hardware, is immune to this failure mode. The system cannot reason about, modify, or bypass the entropy floor any more than it can reason about, modify, or bypass the laws of physics governing its hardware.
This immunity comes at a cost: the entropy floor is less expressive than algorithmic approaches. It enforces a universal lower bound on posterior entropy rather than a context-sensitive uncertainty estimate. For well-characterized event classes where high confidence is genuinely warranted, the entropy floor adds unnecessary conservatism until N_threshold is reached. The trade-off is deliberate: in the long-duration autonomous setting, a constraint that is always enforced but occasionally conservative is strictly preferable to a constraint that is optimally calibrated but occasionally bypassable.
13. LIMITATIONS AND SCOPE
13.1 Parameter Sensitivity
H_min and N_threshold must be specified at deployment time and cannot be modified after physical write-protection. Sensitivity analysis during the design phase is essential. We recommend specifying parameters under pessimistic assumptions about the novel environment and validating decision quality in simulation across the parameter range.
13.2 The Independence Counting Problem
The metric space construction of Section 6 provides well-defined independence semantics, but the weight vector w^k and threshold δ_min must be specified for each event class. In a novel environment, it may not be clear in advance which parameter dimensions are most relevant. Conservative weight specifications — distributing weight across more dimensions rather than fewer — reduce the risk of premature floor release.
13.3 Scope of Application
The entropy floor addresses TIO specifically. It does not address model misspecification beyond the prior misspecification boundary of Theorem 2, adversarial manipulation beyond the scope of Theorem 9's assumptions, or event classes with trivially small parameter spaces (handled by the adaptive threshold of Theorem 3').
13.4 Bootstrap Period Risk
The bootstrap period [0, t_boot] represents a window of maximum vulnerability — the system operates under maximum-entropy constraints rather than evidence-informed posteriors. During this period, all non-critical decisions are deferred and critical decisions are made under maximum uncertainty. Minimizing t_boot is a mission design priority: sensor calibration should begin immediately at launch, and XNAV initialization should be prioritized in the early mission schedule.
13.5 Broader Applicability
The failure mode addressed — trajectory-induced overconfidence — is not unique to deep space. Medical diagnosis systems, financial trading systems, and infrastructure management systems all exhibit the structural conditions for TIO in non-stationary environments. The constitutional implementation architecture is specific to systems with sufficient architectural sophistication to support a multi-layer design. The entropy floor concept is applicable at any layer of any Bayesian decision system where the developer has control over the posterior processing pipeline.
14. CONCLUSION
We have introduced trajectory-induced overconfidence as a formal failure mode for long-duration autonomous Bayesian systems, shown that it is a mathematical certainty for century-scale missions in the outer solar system, and provided a complete constitutional architecture for its prevention.
The twelve formal contributions of this paper collectively close all identified gaps in the original AXIOM specification. The complete inductive liveness proof (Theorem 3) establishes that the entropy floor releases in finite time for every event class. The extended liveness theorem (Theorem 3') handles discrete finite parameter spaces through the adaptive threshold mechanism. The adversarial resistance theorem (Theorem 9) establishes that three combined mitigations prevent premature floor release under any adversary who cannot physically alter the ship's environment. The regional entropy floor resolves the non-uniform prior misspecification gap. The metric space formalization (Section 6) establishes well-definedness and non-transitivity of the independence relation. The prior misspecification boundary (Theorem 2) provides a quantitative criterion for prior quality. The projection uniqueness theorem (Theorem 2a) guarantees deterministic Layer 2 operation and TMR consistency. The bootstrap protocol (Section 8) specifies maximum-entropy conservative operation during sensor calibration with formal interaction with liveness. The new event class discovery protocol (Section 9) provides a complete framework for registering novel phenomena with constitutional protections against adversarial flooding. The computational complexity analysis (Section 10) formally bounds projection cost at O(d³ · log(1/ε)) and demonstrates feasibility on specified hardware. The Pioneer veto-liveness compatibility theorem (Theorem 11) proves that Pioneer authority cannot prevent entropy floor release — only delay it by a bounded finite amount.
Three design principles emerge from this work:
- Separate belief formation from belief enforcement. The Bayesian update rule should operate freely in the reasoning layer. Constitutional constraints on posteriors should operate in a separate, more protected layer that the reasoning layer cannot modify.
- Distinguish sample size from independent information. Evidence counts should be weighted by independence, not raw observation count. The metric space construction of Section 6 provides the formal basis for this distinction.
- Treat epistemic humility as a physical property, not a design goal. Uncertainty bounds that can be overridden by sophisticated reasoning provide weaker guarantees than bounds that are physically enforced. Design the architecture accordingly.
The mandatory entropy floor represents a small but meaningful step toward autonomous systems that know what they do not know — and that cannot be talked out of that knowledge by their own intelligence.