Internet Engineering Task Force T. Sato
Internet-Draft MyAuberge K.K.
Intended Status: Standards Track 24 May 2026
Expires: 24 November 2026
The Constitutional AI Protocol (CAP) for Agentic AI Systems
draft-sato-soos-cap-01
Abstract
An AI agent's authorization system determines what it is permitted
to do. A human principal's escalation decision determines what
they authorize. Neither of these is sufficient on its own: a
Cedar policy can permit market manipulation; a human principal can
authorize fraud. Authorization systems answer the question "who
decided?" The Constitutional AI Protocol answers a different
question: "was that decision lawful?"
CAP defines a Constitutional Layer that evaluates every AI action
request and every human authorization decision against a three-tier
prohibition model -- before Cedar evaluates the action and before
the system executes the human's decision. Tier 0 prohibitions are
derived from near-universal treaty consensus and are unconditional:
no agent, operator, or human principal can authorize them. Tier 1
prohibitions are jurisdiction-specific and operator-declared. Tier
2 prohibitions are voluntary operator ethical standards.
This document also specifies the Prohibition Clearance Mechanism
(PCM): the process by which specific Tier 0 and Tier 1 prohibition
classes may be cleared for specific deployment contexts --
either at implementation time by the operator or by formal
regulatory authority -- while preserving an absolute prohibition
floor for CSAM and genocide facilitation under any circumstances.
The Sovereign Object OS (SOOS) is the reference implementation of
the Governance Execution Controller (GEC) pattern on which CAP is
built.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current
Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as "work in
progress."
This Internet-Draft will expire on 24 November 2026.
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document.
Table of Contents
1. Introduction
3. How CAP Works
3.1. Use Case 1 -- A Lawyer Reviews a CAP-Governed System
3.2. Use Case 2 -- A Regulator Investigates an Incident
3.3. Use Case 3 -- A Government Agency Deploys SOOS
3.4. Use Case 4 -- Two Jurisdictions Conflict
4. Conventions and Definitions
5. Architecture Overview
5.1. The Double-Evaluation Property
5.2. Relationship to HEM
5.3. Relationship to Cedar Policy Evaluation
6. Constitutional Evaluation Engine (CEE)
6.1. CEE Placement in the GEC
6.2. CEE Evaluation Protocol
6.3. CEE Outputs
7. Tier 0 -- Universal Core Prohibitions
7.1. Tier 0 Properties
7.2. Tier 0-A -- Absolute Prohibitions
7.3. Tier 0-B -- Qualified Prohibitions
7.4. Tier 0 Prohibition Schema
7.5. Tier 0 Modification
8. Tier 1 -- Jurisdictional Prohibition Layer
8.1. Tier 1 Properties
8.2. Tier 1 Prohibition Classes
8.3. Tier 1 Prohibition Schema
8.4. Jurisdiction Configuration
8.5. Tier 1 Verification
8.6. Legal Ambiguity Declaration
9. Tier 2 -- Operator Ethical Layer
9.1. Tier 2 Properties
9.2. Tier 2 Prohibition Schema
9.3. Tier 2 Disclosure
10. Prohibition Clearance Mechanism
10.1. Purpose
10.2. What Cannot Be Cleared
10.3. Mode 1 -- Deployment Scope Declaration
10.4. Mode 2 -- Regulatory Clearance Record
10.5. CEE Behavior with an Active Clearance
10.6. Clearance Record Schema
10.7. Clearance Registry
11. CAP Violation Handling
11.1. AI-Initiated Violations
11.2. Human-Directed Violations
11.3. APPROVE_WITH_LEGAL_BASIS
11.4. CAP Violation Record Schema
11.5. Session Suspension
12. Jurisdictional Conflict Resolution
12.1. Conflict Detection
12.2. Conflict Resolution Methods
12.3. HEM_JURISDICTIONAL_CONFLICT
12.4. Jurisdictional Conflict Record Schema
13. Event Log Requirements
14. EU AI Act Applicability
14.1. Article 5 Mapping
15. Security Considerations
16. IANA Considerations
16.1. CAP Prohibition Classes Tier 0 Registry
16.2. CAP Prohibition Classes Tier 1 Registry
16.3. CAP Conflict Resolution Methods Registry
16.4. CAP Deployment Context Registry
17. References
17.1. Normative References
17.2. Informative References
Appendix A. Worked Example -- A Travel Booking in Two Jurisdictions
Appendix B. Related Work
B.1. Existing Constitutional AI Frameworks
B.2. EU AI Act Article 5
B.3. AIPREF
B.4. SOOS Companion Drafts
Author's Address
1. Introduction
Every legal system recognizes that some acts are wrong regardless
of who orders them. A soldier ordered to commit genocide cannot
comply. A bank ordered by management to launder money cannot
comply. A police officer ordered to torture a suspect cannot
comply. These prohibitions exist above any individual's authority
-- they are non-delegable limits on what any actor can do,
regardless of the instruction chain above them.
Agentic AI systems do not have this property today.
An AI agent operates under an authorization framework -- Cedar
policies, mandate credentials, human escalation decisions -- that
determines what it is permitted to do. These frameworks are
powerful and flexible. Their flexibility is their limitation: they
can be configured to authorize harmful or unlawful actions. A
human principal sitting in the HEM decision seat can issue an
APPROVE decision on a market manipulation action. The HEM
executes it. The human-AI system has committed a crime. The
authorization framework did its job; the law was still broken.
The Human Escalation Mechanism [I-D.sato-soos-hem] is a necessary
governance layer. It stops the AI and waits for a human principal
to decide. It is not sufficient on its own, because HEM has no
mechanism to evaluate whether a human principal's decision is
itself lawful.
The Constitutional AI Protocol (CAP) closes this gap.
CAP places a Constitutional Layer above all principal authority.
It evaluates every AI action request before Cedar, and every human
principal decision before execution. A Tier 0 absolute prohibition
is refused before Cedar is consulted, before HEM fires, before any
principal is asked. No one in the system can override it -- not
the agent, not the operator, not the human principal in the
escalation seat.
CAP's purpose is not primarily prohibition. Most AI agent actions
are lawful. CAP makes lawful actions legally traceable: every
authorized action carries a policy rationale; every disputed action
carries the principal's legal basis citation. CAP makes unlawful
action attempts visible in the audit record before harm occurs.
Every actor claims their actions are lawful. CAP says: prove it.
Cite the authority. It goes in the log.
Version -01 of this document adds the Prohibition Clearance
Mechanism (PCM). Tier 0 and Tier 1 prohibition classes are
protocol defaults, not universal mandates. A government defense
research laboratory may have statutory authority to work with
materials that would otherwise fall under WMD_ASSISTANCE. A law
enforcement agency may have judicial authority to engage with
content that would otherwise trigger HUMAN_TRAFFICKING prohibitions.
The PCM provides a formal, audited, time-bounded mechanism for such
clearances -- while preserving an absolute floor of two classes
(CSAM and genocide facilitation) that cannot be cleared under any
authority or circumstance.
This specification is a companion to [I-D.sato-soos-idp] and
[I-D.sato-soos-hem]. Readers should be familiar with both before
reading this document.
2. What CAP Is and Is Not
Before reading the technical specification, it is worth being
precise about what CAP does and does not do. This matters because
the wrong framing invites regulatory and legal objections that the
right framing avoids entirely.
2.1. What CAP Does
CAP is a machine-executable compliance ledger. It maintains a set
of rules -- derived from human-written regulations, encoded by
qualified legal engineers, verified by Audit Principals -- and
applies those rules deterministically to every AI agent action.
When an AI agent requests an action, the CEE checks the action
against the loaded rule set. If the action matches a rule, the
CEE executes the declared response: DENY the action unconditionally,
route it to a human principal via HEM, require a legal basis
citation, or flag it as legally ambiguous for human review. The
CEE then records what happened in the audit trail.
That is the complete scope of what CAP does. Rules in; decisions
out; records kept.
2.2. What CAP Does Not Do
CAP does not interpret law.
CAP does not determine whether an action "constitutes" a legal
concept. It cannot determine whether a pricing algorithm is
"discriminatory" under a given statute, whether a data transfer
"violates" a treaty, or whether a content recommendation "exploits"
a vulnerable group. These are legal determinations. Courts make
them. Regulators make them. Lawyers advise on them. CAP does not.
What CAP does is execute the output of that legal determination,
once a qualified human has made it and encoded it as a rule.
This distinction matters for two audiences:
For lawyers: CAP does not claim legal authority. It claims only
that it faithfully executes rules that humans with legal authority
have produced. A CAP-governed system does not "apply the law" --
it applies a machine-readable encoding of a legal engineer's
interpretation of the law, reviewed by counsel and signed by an
Audit Principal. The law applies; CAP executes the instructions
that qualified humans derived from the law.
For regulators and politicians: CAP does not make decisions about
people's rights. It routes actions to humans when legal ambiguity
is detected. It records what humans decided. It makes human
accountability traceable, not automatic.
2.3. The Division of Labor
The correct division of labor in a CAP-governed deployment is:
Legislators write regulations in natural language.
Legal engineers, instructed by lawyers, translate regulations into
CAP Regulation Records -- machine-readable rule definitions with
explicit action patterns and declared CEE responses. This
translation is a human act of legal interpretation. CAP provides
the format; humans provide the legal content.
Audit Principals review and sign every CAP Regulation Record before
it takes effect. An unsigned record cannot be loaded.
The CEE executes the signed records deterministically. When a
record is flagged as legally ambiguous -- because the legal engineer
was uncertain whether a specific action pattern falls within the
regulation's scope -- the CEE routes to HEM and surfaces the
ambiguity to a human principal.
Human principals make decisions on ambiguous cases. Their
decisions are recorded. Over time, accumulated human decisions
on ambiguous patterns provide the legal engineer with evidence to
refine the action pattern -- narrowing or broadening it to reflect
actual legal practice in the jurisdiction.
The GEC keeps the record of every decision: what rule fired, what
the CEE decided, what the human decided, and what legal basis was
cited. Regulators can inspect that record. Courts can review it.
2.4. The SWIFT Analogy
The closest existing analogy is financial sanctions screening.
OFAC publishes a sanctions list in natural language: "transactions
with entities in the following list are prohibited." A compliance
engineer loads the list into a payment screening system. The system
pattern-matches every transaction against the list. Matches are
flagged; compliance officers review flagged transactions. The
system does not interpret sanctions law -- it executes a list that
humans produced from their interpretation of sanctions law. The
compliance officer's review decision is recorded. Regulators can
inspect the record.
CAP is SWIFT-style sanctions screening generalized to any AI agent
action, any jurisdiction, and any regulation tier. The CEE is the
screening engine. CAP Regulation Records are the lists. HEM is
the compliance officer review queue. GAR is the inspection record.
No one claims a SWIFT sanctions screening system "interprets" OFAC
regulations. The same framing applies to CAP.
2.5. Regulatory Conflict and Ambiguity
Many Tier 1 regulations conflict with each other -- not because
the laws are wrong, but because they were written by different
legislators for different contexts, often before agentic AI systems
existed. A data transfer permitted under Japanese APPI may be
prohibited under GDPR. An action permitted under US securities law
may be prohibited under EU MiFID II.
CAP handles this in two ways:
Detected conflict (two rules with contradictory positions for the
same action): the Jurisdictional Conflict Resolution mechanism
(Section 12) applies. The CEE routes to HEM if the conflict
cannot be algorithmically resolved.
Declared ambiguity (the legal engineer is uncertain whether this
action pattern falls within a regulation's scope): the Legal
Ambiguity Declaration mechanism (Section 6.4) applies. The rule
is flagged AMBIGUOUS at encoding time. The CEE routes ambiguous
matches to HEM automatically, surfacing the ambiguity to the
human principal.
In both cases: a human decides. CAP records what they decided.
CAP never resolves legal uncertainty by itself.
3. How CAP Works
Before the formal specification, this section describes CAP in
plain terms for legal and compliance readers. The technical
details are in Sections 4 through 13; this section provides the
orientation.
3.1. Use Case 1 -- A Lawyer Reviews a CAP-Governed System
A lawyer reviewing an AI-governed system for EU AI Act compliance
asks: "How do I know the system cannot take a prohibited action,
even if the system's authorization rules would otherwise permit it?"
In a CAP-governed system, the answer is: before any action
executes, the Constitutional Evaluation Engine (CEE) checks it
against the three-tier prohibition set. If the action matches a
Tier 0 prohibition, it is refused -- unconditionally. No Cedar
policy, no operator configuration, no human approval can override
this refusal.
The lawyer can also ask: "What if a human principal in the
escalation seat approves a prohibited action?" In a CAP-governed
system, the answer is: the CEE evaluates the human's decision
before execution. An APPROVE decision on a Tier 0-prohibited
action is refused. The principal's decision slot is preserved;
they are informed and may submit a revised decision.
The audit trail of both refusals -- the AI's attempt and the
human's attempt -- is in the Event Log, signed by the GEC keypair,
available to regulators.
3.2. Use Case 2 -- A Regulator Investigates an Incident
A regulator investigating an AI-related incident asks: "Did the
system attempt a prohibited action? Was it refused? Who approved
it, and what was their stated legal basis?"
In a CAP-governed system, the CAP Violation Record answers the
first two questions: every CEE refusal is a signed Event Log entry
with a timestamp, session ID, tier, and prohibition class. The
APPROVE_WITH_LEGAL_BASIS record answers the third: if a principal
asserted a legal basis to proceed on a Tier 1 action, the authority
citation, jurisdiction, and expiry are in the Audit Package.
The regulator can access the Audit Package via a Verified External
Auditor credential [I-D.sato-soos-gar] without requiring access to
the full system.
3.3. Use Case 3 -- A Government Agency Deploys SOOS
A government defense agency wishes to deploy SOOS for an AI-
governed research workflow. Their statutory mandate authorizes
work with materials that would trigger WMD_ASSISTANCE under the
default Tier 0 prohibition set.
Using the Prohibition Clearance Mechanism (Section 10), the agency
declares a GOVERNMENT_DEFENSE deployment scope at initialization.
They issue a Prohibition Clearance Record (PCR) citing their
statutory authority, signed by an Audit Principal. The PCR is
loaded into the GEC Manifest and is immutable for the deployment
lifetime.
Within the cleared scope, WMD_ASSISTANCE actions are not
unconditionally refused -- they route through APPROVE_WITH_LEGAL_
BASIS, requiring the human principal to cite the statutory authority
for each approval. Every approval is in the Event Log.
CSAM and GENOCIDE_FACILITATION remain absolute prohibitions.
No PCR can clear them. No deployment context can clear them.
3.4. Use Case 4 -- Two Jurisdictions Conflict
A travel booking system declares both EU and JP (Japan) as
applicable jurisdictions. A proposed action is permitted under
Japanese consumer protection law but conflicts with a GDPR-derived
Tier 1 DATA_PROTECTION prohibition for EU jurisdiction.
The SO Type has declared conflict_resolution: "MOST_PROTECTIVE".
The GEC applies the most restrictive position: the action is denied
because the EU prohibition applies. The conflict is recorded in
the Event Log. No HEM event fires.
If the SO Type had declared conflict_resolution: "HEM", the GEC
would fire HEM_JURISDICTIONAL_CONFLICT (Class 5) and route the
conflict to a human principal for resolution. The escalation
request would include the conflicting jurisdictions, their
respective positions, and the action that triggered the conflict.
4. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY",
and "OPTIONAL" in this document are to be interpreted as described
in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in
all capitals.
The following terms are defined in this document or inherited from
companion specifications:
Governance Execution Controller (GEC):
As defined in [I-D.sato-soos-idp]: a runtime component that
enforces authorization policy, records agent actions to a
tamper-evident, cryptographically signed Event Log, and mediates
agent access to Sovereign Object instances. GECs operate at
three conformance levels: L1 (Application), L2 (Isolated), and
L3 (Kernel).
Constitutional Evaluation Engine (CEE):
The GEC component that evaluates action requests and human
principal decisions against the three-tier CAP prohibition model.
The CEE is invoked twice per governed action: before Cedar
evaluation and before GEC execution of a human decision. It
operates at all three GEC conformance levels.
Constitutional Layer:
The enforcement boundary above all principal authority in a GEC
deployment. No agent, operator, or human principal can override
a Tier 0-A (absolute) Constitutional Layer refusal.
Tier 0-A Prohibition:
An absolute prohibition that cannot be cleared by any mechanism,
any authority, or any deployment context. Currently two classes:
CSAM and GENOCIDE_FACILITATION.
Tier 0-B Prohibition:
A treaty-anchored prohibition that can be cleared for specific
deployment contexts by the Prohibition Clearance Mechanism
(Section 10). Clearance requires a signed Prohibition Clearance
Record with a valid legal authority citation.
Prohibition Clearance Record (PCR):
A signed declaration that clears a specific Tier 0-B or Tier 1
prohibition class for a specific deployment context and purpose.
PCRs are time-bounded, purpose-scoped, and recorded in the GEC
Manifest. Specified in Section 10.6.
CAP Violation:
An action request or human principal decision that the CEE
determines violates a Tier 0, Tier 1, or Tier 2 prohibition
for which no active PCR applies.
APPROVE_WITH_LEGAL_BASIS:
A HEM decision sub-type for Tier 1 violations where a principal
asserts a jurisdictional legal basis. Also used for Tier 0-B
actions within an active PCR scope. Defined in Section 11.3.
Jurisdictional Conflict:
A condition where two or more declared jurisdictions have
irreconcilable Tier 1 prohibition positions for a given action,
and the SO Type's conflict resolution method is "HEM".
HEM_JURISDICTIONAL_CONFLICT:
HEM Class 5 trigger. Fires when the GEC detects a
Jurisdictional Conflict that cannot be algorithmically resolved.
Verified External Auditor:
As defined in [I-D.sato-soos-gar]: an external party with
time-limited, scope-limited read access to GEC audit artifacts.
Action Pattern:
A structured description of the class of GEC actions a
prohibition covers, expressed using Cedar action vocabulary,
enabling deterministic CEE matching without natural language
interpretation.
5. Architecture Overview
5.1. The Double-Evaluation Property
CAP evaluates every governed action twice. The evaluation sequence
for any AI-initiated action is:
AI agent requests action
|
v
+------------------------------+
| CONSTITUTIONAL LAYER |
| CEE evaluation | <- Tier 0-A: unconditional refusal
| (before Cedar) | <- Tier 0-B: refusal unless PCR active
| | <- Tier 1: jurisdiction check
| | <- Tier 2: operator ethics check
+------------------------------+
| \
v PERMIT v DENY
Cedar policy evaluation CONSTITUTIONAL_VIOLATION
| (Event Log entry, CRITICAL Alert,
v action refused)
HEM if required
|
v
Human principal decision
|
v
+------------------------------+
| CONSTITUTIONAL LAYER |
| CEE evaluation | <- Same three-tier evaluation
| (before execution) | <- Applied to the human decision
+------------------------------+
| \
v PERMIT v DENY
GEC executes decision HEM_HUMAN_DECISION_CONSTITUTIONAL_
VIOLATION
(decision slot NOT consumed)
The double-evaluation property ensures three things:
First, an AI agent cannot request an absolutely prohibited action
even if its Cedar policy would permit it.
Second, a human principal cannot authorize an absolutely prohibited
action even with an APPROVE decision.
Third, the Constitutional Layer is evaluated by the GEC, not by the
AI agent or any application layer. At all three GEC conformance
levels (L1, L2, L3), the CEE evaluation is non-bypassable by the
agent process.
5.2. Relationship to HEM
CAP and HEM are complementary. HEM governs agent sessions and
routes decisions to human principals. CAP governs what those
decisions may authorize.
Tier 0 violations do not invoke HEM. They are refused before the
HEM state machine is engaged. The GEC records the violation in the
Event Log and fires a CRITICAL Audit Alert. The session does not
enter HEM_PENDING.
HEM_JURISDICTIONAL_CONFLICT (Class 5) is a HEM trigger that CAP
fires when a Tier 1 conflict cannot be algorithmically resolved
and the SO Type has declared conflict_resolution: "HEM". The
GEC routes the conflict to a human principal for resolution.
APPROVE_WITH_LEGAL_BASIS is a HEM decision sub-type that CAP
introduces for Tier 1 violations and for Tier 0-B actions within
active PCR scope. It provides the legal traceability mechanism:
the authority citation goes in the Event Log.
5.3. Relationship to Cedar Policy Evaluation
Cedar policy evaluation is the GEC's authorization layer for
normal governed actions. CAP is above Cedar. The evaluation
order is:
CAP (Constitutional Layer)
-> Cedar
-> HEM (if Cedar routes to it)
-> Human decision
-> CAP (Constitutional Layer, second evaluation)
A CAP Tier 0 DENY does not invoke Cedar. A Cedar PERMIT does not
exempt an action from CAP evaluation. These are independent
enforcement layers operating at different levels of the stack.
6. Constitutional Evaluation Engine (CEE)
6.1. CEE Placement in the GEC
The CEE is a GEC-resident component. Its physical placement
depends on the GEC conformance level:
L1 (Application Profile):
The CEE is embedded in the GEC SDK library or middleware. Non-
suppressibility is probabilistic, compensated by SCITT inclusion
proof via [I-D.sato-soos-gar]. Event Log entries carry the
L1-app-signed signature label.
L2 (Isolated Profile):
The CEE runs as a separate process or sidecar. The agent
process cannot modify or bypass the CEE. Architectural non-
suppressibility. Event Log entries carry L2-isolated-signed.
L3 (Kernel Profile):
The CEE runs inside a RATS-attested TEE per [I-D.sato-soos-kia].
Hardware non-suppressibility. Event Log entries carry
L3-kernel-signed. Required for high-risk AI systems under
EU AI Act Article 9.
At all three levels, the CEE MUST be invoked:
o On every GEC.transition() call, before Cedar evaluation.
o On every HEM decision submission via the Decision Submission
Protocol (Section 8.6 of [I-D.sato-soos-hem]), before the GEC
processes the decision.
The CEE MUST NOT be invoked by agents, applications, or principals
directly. There is no external CEE query interface. The CEE
evaluation is synchronous and atomic with the triggering call.
6.2. CEE Evaluation Protocol
On receiving an action request or human decision for evaluation,
the CEE MUST execute the following sequence:
(1) Evaluate against all loaded Tier 0-A prohibition records.
If any Tier 0-A record matches the action pattern:
Return CONSTITUTIONAL_VIOLATION unconditionally. Record
CAP_VIOLATION_DETECTED (AI) or CAP_HUMAN_VIOLATION_DETECTED
(human decision) in the Event Log. Do not proceed to any
further evaluation. No PCR, no legal basis, no authority
can override this outcome.
(2) Evaluate against all loaded Tier 0-B prohibition records.
If any Tier 0-B record matches the action pattern:
Check whether an active PCR covers this class and action.
If no active PCR: return CONSTITUTIONAL_VIOLATION.
If active PCR: return TIER_0B_PCR_ACTIVE. Proceed to Cedar;
human decision will require APPROVE_WITH_LEGAL_BASIS citing
the PCR authority.
(3) Evaluate against all loaded Tier 1 prohibition records for
the declared jurisdiction(s).
If any Tier 1 record matches and no PCR applies:
If record ambiguity_flag is AMBIGUOUS or DISPUTED:
Return LEGAL_AMBIGUITY_DETECTED. Do not apply conflict
resolution. Route to HEM with ambiguity_context.
Else: check conflict_resolution configuration.
MOST_PROTECTIVE or PRIMARY_JURISDICTION: return TIER_1_DENY
or PERMIT accordingly.
HEM: fire HEM_JURISDICTIONAL_CONFLICT (Class 5).
If Tier 1 match and active PCR covers this class:
Return TIER_1_PCR_ACTIVE. Proceed to Cedar.
(4) Evaluate against all loaded Tier 2 prohibition records.
If any Tier 2 record matches and ambiguity_flag is AMBIGUOUS
or DISPUTED: return LEGAL_AMBIGUITY_DETECTED.
If Tier 2 match and CLEAR: return TIER_2_DENY.
If any Tier 2 record matches: return TIER_2_DENY.
Tier 2 denials MAY be overridden by operator configuration
at the SO Type level. Tier 2 denials MUST be logged.
(5) If no match at any tier: return PERMIT.
Proceed to Cedar evaluation (for AI actions) or GEC
execution (for human decisions).
6.3. CEE Outputs
The CEE returns one of the following to the GEC:
PERMIT:
No prohibition matched. Proceed to next evaluation layer.
CONSTITUTIONAL_VIOLATION:
Tier 0-A or Tier 0-B match (no active PCR). Action
unconditionally refused. GEC MUST record
CAP_VIOLATION_DETECTED or CAP_HUMAN_VIOLATION_DETECTED.
GEC MUST generate CRITICAL Audit Alert.
TIER_0B_PCR_ACTIVE:
Tier 0-B match but active PCR covers this class. Proceed
to Cedar; human decision requires APPROVE_WITH_LEGAL_BASIS
citing PCR authority. GEC MUST record
CAP_PCR_CLEARANCE_APPLIED in Event Log.
JURISDICTIONAL_CONFLICT:
Tier 1 conflict with conflict_resolution: "HEM". GEC MUST
fire HEM_JURISDICTIONAL_CONFLICT (Class 5).
TIER_1_DENY:
Tier 1 match, deterministic resolution (MOST_PROTECTIVE or
PRIMARY_JURISDICTION). Action denied.
TIER_1_PCR_ACTIVE:
Tier 1 match but active PCR covers this class. Proceed to
Cedar. Human decision requires APPROVE_WITH_LEGAL_BASIS.
GEC MUST record CAP_PCR_CLEARANCE_APPLIED in Event Log.
LEGAL_AMBIGUITY_DETECTED:
A Tier 1 or Tier 2 record matched but is flagged AMBIGUOUS or
DISPUTED. The GEC fires a HEM escalation with
escalation_class: LEGAL_AMBIGUITY. The HEM escalation request
includes the ambiguity_context from the matched record, the
action that triggered the match, and the prohibition_class.
The human principal's decision is recorded in the Event Log as
CAP_AMBIGUITY_RESOLVED. The decision may inform future
refinement of the action_pattern by the legal engineer.
TIER_2_DENY:
Tier 2 match, ambiguity_flag CLEAR. Action denied unless
operator override applies.
SESSION_SUSPEND:
Reserved for repeated Tier 0 violations within a session.
See Section 11.5.
7. Tier 0 -- Universal Core Prohibitions
7.1. Tier 0 Properties
All Tier 0 prohibitions share the following properties:
o GEC-resident: loaded at GEC initialization, not at session
open or SO Type registration.
o Globally scoped: apply regardless of the declared jurisdiction
configuration of the SO Type.
o Treaty-anchored: each Tier 0 category is derived from a treaty
or UN Security Council resolution with near-universal state
ratification.
o Immutable without a new RFC: the Tier 0 registry has a
registration procedure of "RFC Only" (Section 16.1). No
operator, regulator, or standards body other than the IETF can
add or remove Tier 0 classes.
Tier 0 is divided into two sub-tiers with different clearance
properties.
7.2. Tier 0-A -- Absolute Prohibitions
Tier 0-A prohibitions are unconditional. No Prohibition Clearance
Record, no deployment context declaration, no statutory authority,
no court order, and no regulatory mandate can clear a Tier 0-A
prohibition. The CEE MUST refuse Tier 0-A matched actions
regardless of any other configuration.
The Tier 0-A classes are:
CSAM:
Production, distribution, or facilitation of access to child
sexual abuse material, as prohibited by the UN Convention on
the Rights of the Child (1989), ratified by 196 states, and
its Optional Protocol on the Sale of Children.
No legitimate deployment context exists for which this
prohibition should not apply.
GENOCIDE_FACILITATION:
Actions that facilitate genocide as defined in the Convention
on the Prevention and Punishment of the Crime of Genocide
(1948), ratified by 153 states. Includes actions that
contribute to killing, causing serious bodily or mental harm,
or imposing conditions of life calculated to bring about
physical destruction of a national, ethnical, racial, or
religious group.
No legitimate deployment context exists for which this
prohibition should not apply.
7.3. Tier 0-B -- Qualified Prohibitions
Tier 0-B prohibitions are treaty-anchored and apply by default,
but may be cleared for specific, legitimate deployment contexts
via the Prohibition Clearance Mechanism (Section 10).
Clearing a Tier 0-B prohibition does not remove it from the CEE's
evaluation. It changes the CEE's output from unconditional refusal
to mandatory legal-basis citation: the human principal must cite
the PCR authority in every APPROVE decision for actions within the
cleared class. The citation goes in the Event Log.
The Tier 0-B classes are:
HUMAN_TRAFFICKING:
Actions that recruit, transport, transfer, harbor, or receive
persons through force, fraud, or coercion for exploitation, as
defined in the UN Protocol to Prevent, Suppress and Punish
Trafficking in Persons (2000), ratified by 178 states.
Clearable for: LAW_ENFORCEMENT contexts with judicial authority
(e.g., undercover operations, victim rescue coordination).
WMD_ASSISTANCE:
Actions that assist in the development, production,
stockpiling, or transfer of chemical weapons (CWC, 193
states), biological weapons (BWC, 183 states), or nuclear
weapons (NPT, 191 states).
Clearable for: GOVERNMENT_DEFENSE and ACADEMIC_RESEARCH
contexts with statutory authority (e.g., defensive research,
verification missions, detection system development).
TORTURE_FACILITATION:
Actions that facilitate torture or cruel, inhuman, or
degrading treatment as defined in the UN Convention Against
Torture (1984), ratified by 173 states.
Clearable for: REGULATED_PROFESSIONAL contexts with statutory
authority (e.g., academic research on trauma, legal
documentation of torture evidence for prosecution).
TERRORIST_FINANCING:
Actions that provide funds, financial services, or material
support to terrorist organizations, as required by UN Security
Council Resolution 1373 (2001), binding on all 193 UN member
states.
Clearable for: LAW_ENFORCEMENT and GOVERNMENT_DEFENSE contexts
with judicial or statutory authority (e.g., monitored payment
operations, counter-terrorism financing operations).
7.4. Tier 0 Prohibition Schema
Each Tier 0 prohibition record MUST contain:
prohibition_id:
Unique identifier for this prohibition record.
tier_0_subclass:
"TIER_0A" or "TIER_0B". Determines clearance eligibility.
prohibition_class:
One of the Tier 0 prohibition classes registered in the
CAP Prohibition Classes Tier 0 registry (Section 16.1).
treaty_basis:
Citation of the treaty or UNSC resolution anchoring this
prohibition. REQUIRED.
action_pattern:
Structured description of the class of actions this
prohibition covers, expressed using Cedar action vocabulary.
jurisdiction:
MUST be "GLOBAL" for all Tier 0 records.
effective_date:
ISO 8601 date from which this record is in force.
modifiable_by:
MUST be "RFC_ONLY" for all Tier 0 records.
7.5. Tier 0 Modification
Tier 0 prohibition classes MUST NOT be modified, extended, or
removed except by publication of a new RFC that updates this
document. The registration procedure for the CAP Prohibition
Classes Tier 0 registry is RFC Only (Section 16.1).
Implementations MUST NOT expose any configuration interface that
allows Tier 0 records to be modified or disabled. The PCM
(Section 10) does not modify Tier 0 records; it adds Clearance
Records that change CEE output for Tier 0-B classes only.
8. Tier 1 -- Jurisdictional Prohibition Layer
8.1. Tier 1 Properties
Tier 1 prohibitions are:
o Operator-declared: the operator declares applicable
jurisdiction(s) and the legal prohibitions in force under each.
o Auditor-verified: Audit Principals MUST review and verify Tier 1
prohibition records before they take effect. Unverified Tier 1
records MUST NOT be enforced.
o Jurisdiction-scoped: Tier 1 prohibitions apply only within the
declared jurisdiction(s) of the SO Type.
o Mutable with review: Tier 1 records carry a review_date.
Expired Tier 1 records remain in force until updated or
explicitly retired; expiry generates a PRD_REVIEW_DATE_EXCEEDED
Audit Alert.
o Clearable: specific Tier 1 classes may be cleared for specific
deployment contexts via the PCM (Section 10).
o Signed: Tier 1 records MUST be signed by both the declaring
operator (declared_by) and a Verified Audit Principal
(verified_by).
8.2. Tier 1 Prohibition Classes
The initial Tier 1 prohibition classes are:
FINANCIAL_CRIME:
Market manipulation, insider trading, money laundering, and
related financial offenses under applicable securities and
banking law.
DATA_PROTECTION:
Processing of personal data in violation of applicable data
protection law (including GDPR, CCPA, APPI, and equivalents).
CRITICAL_INFRASTRUCTURE:
Actions targeting or disrupting critical infrastructure systems
as defined under applicable national security law.
SECURITIES_LAW:
Actions prohibited under applicable securities regulation
beyond financial crime (e.g., unauthorized investment advice,
unlicensed securities dealing).
PRIVACY_VIOLATION:
Surveillance, tracking, or profiling activities prohibited
under applicable privacy law.
FRAUD:
Deceptive practices prohibited under applicable consumer
protection or criminal fraud law.
COMPETITION_LAW:
Cartel coordination, abuse of dominant position, or other
conduct prohibited under applicable competition law.
HUMAN_RIGHTS:
Actions prohibited under applicable human rights law within
the declared jurisdiction, including forced labor, unlawful
discrimination, and denial of due process.
8.3. Tier 1 Prohibition Schema
Each Tier 1 prohibition record MUST contain:
prohibition_id:
Unique identifier for this prohibition record.
prohibition_class:
One of the Tier 1 prohibition classes registered in the
CAP Prohibition Classes Tier 1 registry (Section 16.2).
jurisdiction:
ISO 3166-1 alpha-2 country code. REQUIRED.
authority_ref:
Legal citation for the authority behind this prohibition
(statute, regulation, case law citation). REQUIRED.
action_pattern:
Structured description of the class of actions this
prohibition covers.
effective_date:
ISO 8601 date from which this prohibition is in force.
review_date:
ISO 8601 date by which this record must be reviewed. REQUIRED.
declared_by:
Identifier of the operator declaring this prohibition.
verified_by:
Identifier of the Audit Principal who verified this record.
REQUIRED before enforcement. Null until verified.
ambiguity_flag:
One of: CLEAR | AMBIGUOUS | DISPUTED.
CLEAR: the legal engineer is confident the action_pattern
correctly encodes the regulation's scope.
AMBIGUOUS: the legal engineer is uncertain whether specific
action patterns fall within the regulation's scope. The
CEE routes matches to HEM automatically with the
ambiguity_context surfaced in the HEM escalation request.
DISPUTED: the regulation's applicability to this action
class is actively contested (e.g., in litigation or
regulatory proceedings). CEE behavior same as AMBIGUOUS.
Default: CLEAR.
ambiguity_context:
Human-readable description of why this record is flagged
AMBIGUOUS or DISPUTED. REQUIRED when ambiguity_flag is not
CLEAR. Surfaced to the human principal in the HEM escalation
request. Helps the principal understand what legal question
they are being asked to resolve.
signature:
Ed25519 signature from verified_by over the canonical
serialization of all fields except signature.
8.4. Jurisdiction Configuration
Each SO Type MUST declare a Jurisdiction Configuration at
registration time. The Jurisdiction Configuration specifies:
primary_jurisdiction:
ISO 3166-1 alpha-2. The primary legal jurisdiction. REQUIRED.
secondary_jurisdictions:
Array of ISO 3166-1 alpha-2 codes. Additional jurisdictions
whose Tier 1 prohibitions apply. MAY be empty.
conflict_resolution:
One of:
MOST_PROTECTIVE: the most restrictive prohibition across all
declared jurisdictions applies.
PRIMARY_JURISDICTION: the primary jurisdiction's position
governs.
HEM: irreconcilable conflicts route to human principal via
HEM_JURISDICTIONAL_CONFLICT (Class 5).
conflict_escalation:
Behavior when HEM_JURISDICTIONAL_CONFLICT cannot be resolved.
One of: HEM (chain exhaustion) or SUSPEND.
legal_counsel_ref:
Reference to the legal counsel who reviewed this configuration.
RECOMMENDED.
declared_at:
ISO 8601 UTC timestamp of declaration.
declared_by:
Identifier of the operator.
8.5. Tier 1 Verification
An Audit Principal MUST review every Tier 1 prohibition record
before it takes effect. The review MUST verify that:
o The prohibition_class is appropriate for the cited authority_ref.
o The action_pattern correctly scopes the prohibition.
o The review_date is reasonable given the stability of the cited
authority.
o The jurisdiction matches the declared SO Type configuration.
On successful review, the Audit Principal MUST sign the record
(verified_by field) using their registered key. The GEC MUST NOT
enforce any Tier 1 record with a null or unverifiable verified_by.
9. Tier 2 -- Operator Ethical Layer
9.1. Tier 2 Properties
Tier 2 prohibitions are:
o Voluntary: operators declare Tier 2 prohibitions exceeding the
requirements of applicable law.
o Publicly disclosable: operators SHOULD publish their Tier 2
prohibition set in a transparency report or equivalent.
o Overridable by operator: unlike Tier 0 and Tier 1, the operator
MAY configure SO Types to override specific Tier 2 prohibitions
at the SO Type level. Such overrides MUST be declared and
audited.
o Subject to review: Tier 2 records carry a review_date.
9.2. Tier 2 Prohibition Schema
Each Tier 2 prohibition record MUST contain:
prohibition_id: Unique identifier.
prohibition_class: Free text or operator-defined taxonomy.
rationale_text: Human-readable explanation of why this standard
exceeds local law requirements. REQUIRED.
action_pattern: Structured description of covered actions.
effective_date: ISO 8601 date.
review_date: ISO 8601 date. REQUIRED.
declared_by: Operator identifier.
publicly_disclosed: Boolean.
ambiguity_flag: CLEAR | AMBIGUOUS | DISPUTED. See Section 8.3
for definition. Default: CLEAR.
ambiguity_context: Human-readable description. REQUIRED when
ambiguity_flag is not CLEAR.
9.3. Tier 2 Disclosure
Operators who declare Tier 2 prohibitions SHOULD publish them in a
publicly accessible transparency report. The transparency report
SHOULD be referenced in the SO Type registration.
Verified External Auditors MAY request Tier 2 prohibition records
as part of an Audit Package as defined in [I-D.sato-soos-gar].
10. Prohibition Clearance Mechanism
10.1. Purpose
The Tier 0 and Tier 1 prohibition classes defined in this document
are protocol defaults. They represent the appropriate prohibitions
for the large majority of commercial and civilian deployments. They
are not intended to be universal mandates for every deployment
context that exists.
A government defense research laboratory has statutory authority to
work with materials that would otherwise trigger WMD_ASSISTANCE. A
law enforcement agency has judicial authority to engage operationally
with human trafficking networks in order to dismantle them. An
academic institution has research authority to study and document
torture evidence for prosecution. These are legitimate, legally
authorized activities. The protocol should accommodate them without
either pretending that the prohibition does not exist or refusing to
operate in contexts where the prohibition has been lawfully set aside.
The Prohibition Clearance Mechanism (PCM) provides this
accommodation. It does not remove prohibitions from the CEE.
It changes the CEE's output for cleared classes from unconditional
refusal to mandatory legal-basis citation: every action in the
cleared class requires the human principal to cite the clearing
authority in their decision. The citation goes in the Event Log.
Regulators can inspect it at any time.
The PCM operates in two modes: Deployment Scope Declaration
(configured at implementation time by the operator) and Regulatory
Clearance Record (issued by a recognized authority with formal
legal standing).
10.2. What Cannot Be Cleared
The following Tier 0-A prohibition classes CANNOT be cleared under
any mechanism, any authority, or any deployment context:
o CSAM (TIER_0A)
o GENOCIDE_FACILITATION (TIER_0A)
A PCR that names either of these classes MUST be rejected by the
GEC at initialization. A GEC Manifest that contains a PCR naming
either of these classes is non-conforming. No deployment scope
declaration, no regulatory authority, no court order, and no
statutory mandate can override this requirement.
This is the absolute floor of the Constitutional Layer.
10.3. Mode 1 -- Deployment Scope Declaration
At GEC initialization, the operator MAY declare a deployment scope
that configures which Tier 0-B and Tier 1 classes are cleared by
default for this deployment.
The deployment scope declaration is part of the GEC Manifest
([I-D.sato-soos-kia]). Once committed to the GEC Manifest at
initialization, it is immutable for the deployment lifetime.
Changing the deployment scope requires a new GEC deployment.
Recognized deployment contexts:
COMMERCIAL:
Default. All Tier 0-B classes active. No default clearances.
GOVERNMENT_CIVILIAN:
All Tier 0-B classes active. No default clearances.
Same as COMMERCIAL for Tier 0-B.
GOVERNMENT_DEFENSE:
Default clearances for: WMD_ASSISTANCE, TERRORIST_FINANCING.
Operator MUST provide PCR with statutory authority citation
for each cleared class (Section 10.6).
LAW_ENFORCEMENT:
Default clearances for: HUMAN_TRAFFICKING, TERRORIST_FINANCING.
Operator MUST provide PCR with judicial authority citation
for each cleared class (Section 10.6).
ACADEMIC_RESEARCH:
Default clearances for: WMD_ASSISTANCE (detection and
verification research only), TORTURE_FACILITATION (evidence
documentation and trauma research only).
Operator MUST provide PCR with institutional authority
citation for each cleared class (Section 10.6).
REGULATED_PROFESSIONAL:
Default clearances for: TORTURE_FACILITATION (legal and medical
professional contexts with regulatory standing).
Operator MUST provide PCR with professional authority citation
for each cleared class (Section 10.6).
A Deployment Scope Declaration alone does not activate clearances.
It declares the deployment context and specifies which classes are
eligible for clearance. A valid PCR (Section 10.6) for each
eligible class is required before the clearance takes effect.
10.4. Mode 2 -- Regulatory Clearance Record
Where a recognized regulatory authority -- a government ministry,
a treaty body, a national security court, or equivalent -- formally
authorizes a deployment to operate in a cleared Tier 0-B or Tier 1
class, that authority MAY issue a Regulatory Clearance Record.
A Regulatory Clearance Record is a Prohibition Clearance Record
(Section 10.6) in which the clearing_authority is a recognized
external regulatory body rather than the operator itself. The
Regulatory Clearance Record carries the regulatory body's Ed25519
signature in addition to the operator's and Audit Principal's
signatures.
Regulatory Clearance Records provide a higher assurance level than
operator-issued PCRs. Future CE evaluation profiles MAY require
Regulatory Clearance Records (rather than operator-issued PCRs) for
certain deployment contexts or high-risk AI system classifications.
10.5. CEE Behavior with an Active Clearance
When the CEE encounters a Tier 0-B or Tier 1 match and an active
PCR covers the matched class:
(a) The CEE MUST NOT return CONSTITUTIONAL_VIOLATION.
(b) The CEE MUST return TIER_0B_PCR_ACTIVE or TIER_1_PCR_ACTIVE
as appropriate.
(c) The GEC MUST record CAP_PCR_CLEARANCE_APPLIED in the Event
Log, citing the pcr_id of the active PCR.
(d) The action proceeds to Cedar evaluation as normal.
(e) If the action reaches a HEM decision, the decision type is
constrained: APPROVE is NOT accepted. Only
APPROVE_WITH_LEGAL_BASIS (citing the PCR authority) is
accepted. The legal_basis block MUST cite the PCR authority
reference (pcr_authority_ref) and the pcr_id.
This behavior ensures that every action taken within a cleared
prohibition class is explicitly authorized, cites its legal basis,
and is visible in the audit trail. The clearing authority is on
record for every action, not only for the issuance of the PCR.
10.6. Clearance Record Schema
A Prohibition Clearance Record (PCR) MUST contain the following
fields:
pcr_id:
UUID v4, GEC-assigned at registration.
prohibition_class:
The Tier 0-B or Tier 1 class being cleared. MUST NOT be
CSAM or GENOCIDE_FACILITATION (see Section 10.2).
tier:
"TIER_0B" or "TIER_1".
deployment_context:
The deployment context from the recognized set (Section 10.3)
or a regulatory body-defined context.
pcr_authority_type:
"STATUTORY" | "REGULATORY" | "TREATY" | "COURT_ORDER" |
"INSTITUTIONAL" | "PROFESSIONAL_REGULATORY".
pcr_authority_ref:
Legal citation for the authority behind this clearance.
REQUIRED. Must identify the specific statute, regulation,
court order, or treaty provision that authorizes the cleared
activity.
purpose_scope:
Human-readable description of the specific purpose for which
the class is cleared. REQUIRED. This scope is not technically
enforced at the CEE layer but is part of the audit record.
so_type_scope:
Array of SO Type identifiers to which this PCR applies, or
"ALL" for all SO Types in this deployment.
effective_date:
ISO 8601 date from which this PCR is in force.
expiry_date:
ISO 8601 date after which this PCR is no longer in force.
REQUIRED. Permanent clearances are not permitted. The GEC
MUST reject PCRs without an expiry_date.
operator_signature:
Ed25519 signature over canonical PCR JSON (excluding
signatures) by the operator root keypair.
audit_principal_signature:
Ed25519 signature by a Verified Audit Principal. REQUIRED
for all PCRs. The GEC MUST NOT load a PCR without a valid
audit_principal_signature.
regulatory_signature:
Ed25519 signature by the issuing regulatory authority.
REQUIRED for Regulatory Clearance Records (Mode 2).
OPTIONAL for operator-issued PCRs (Mode 1).
pcr_hash:
SHA-256 over the canonical JSON of all fields except
pcr_hash itself.
10.7. Clearance Registry
The GEC MUST maintain a Clearance Registry: an in-memory index
of all active PCRs, rebuilt from the GEC Manifest on restart.
The Clearance Registry MUST record, for each active PCR:
o pcr_id, prohibition_class, tier, expiry_date.
o Whether the PCR is currently active (not expired).
The CEE MUST check the Clearance Registry at evaluation time.
An expired PCR MUST NOT be applied. The GEC MUST generate a
PCR_EXPIRED Audit Alert when a PCR passes its expiry_date.
PCR renewal requires issuance of a new PCR with a new expiry_date
and a new audit_principal_signature. Renewal is not automatic.
11. CAP Violation Handling
11.1. AI-Initiated Violations
When the CEE returns CONSTITUTIONAL_VIOLATION on an AI-initiated
action request, the GEC MUST:
(1) Refuse the action unconditionally. MUST NOT proceed to Cedar
evaluation. MUST NOT enter HEM_PENDING.
(2) Generate a CAP_VIOLATION_DETECTED Event Log entry
(Section 13).
(3) Generate a CRITICAL Audit Alert (alert_trigger:
CAP_VIOLATION_DETECTED) via [I-D.sato-soos-gar].
(4) Return a structured error to the agent or application surface
that invoked GEC.transition(). The error MUST include
violation_type: AI_INITIATED and prohibition_class. The error
MUST NOT include the full action_pattern of the matched
prohibition record (to prevent pattern probing).
11.2. Human-Directed Violations
When the CEE returns CONSTITUTIONAL_VIOLATION on a human principal
decision submission, the GEC MUST:
(1) Refuse execution of the decision. MUST NOT apply the decision
to the governed session.
(2) NOT consume the principal's decision slot. The principal
remains active in the designation chain and MUST be permitted
to submit a revised decision.
(3) Generate a CAP_HUMAN_VIOLATION_DETECTED Event Log entry.
(4) Generate a CRITICAL Audit Alert (alert_trigger:
CAP_HUMAN_VIOLATION_DETECTED) via [I-D.sato-soos-gar].
(5) Return HEM_HUMAN_DECISION_CONSTITUTIONAL_VIOLATION to the
submitting principal with prohibition_class indicated.
The preservation of the principal's decision slot is critical.
It assumes the principal acted in error or under coercion, not
necessarily with intent. The principal has the opportunity to
submit a decision that the Constitutional Layer will PERMIT.
11.3. APPROVE_WITH_LEGAL_BASIS
APPROVE_WITH_LEGAL_BASIS is a HEM decision sub-type introduced by
this specification. It applies in two cases:
Case A: Tier 1 violation where a principal asserts a
jurisdictional legal basis for an action that would otherwise
be denied.
Case B: Tier 0-B action within an active PCR scope, where the
human principal must cite the PCR authority for each approval.
APPROVE_WITH_LEGAL_BASIS carries the following legal_basis block:
legal_basis: {
authority_type: "COURT_ORDER" | "STATUTORY" |
"REGULATORY" | "TREATY" | "PCR",
authority_ref: string, // Legal citation. REQUIRED.
pcr_id: string, // Required when authority_type
// is "PCR". References the
// active PCR in the Clearance
// Registry.
jurisdiction: string, // ISO 3166-1 alpha-2. REQUIRED.
expiry: string, // ISO 8601. REQUIRED.
document_hash: string | null
}
When a principal submits APPROVE_WITH_LEGAL_BASIS, the CEE MUST:
(1) Verify that the action matches a Tier 1 prohibition or a
Tier 0-B class with active PCR.
APPROVE_WITH_LEGAL_BASIS MUST NOT be accepted for Tier 0-A
violations under any circumstances.
(2) Record APPROVE_WITH_LEGAL_BASIS_RECORDED in the Event Log
with the full legal_basis block.
(3) Proceed to GEC execution if no Tier 0-A match is present.
APPROVE_WITH_LEGAL_BASIS is RESERVED for Tier 1 Case A in
deployments where no governing CAP authority is published.
For Case B (PCR-cleared Tier 0-B actions), it is operational
in any PCR-configured deployment.
11.4. CAP Violation Record Schema
The GEC MUST generate a CAP Violation Record for every CEE
CONSTITUTIONAL_VIOLATION output. The record MUST contain:
violation_id: GEC-assigned UUID.
session_id: The session in which the violation occurred.
hem_id: The HEM event identifier, if the violation
occurred during HEM_PENDING. Null otherwise.
tier: "0A", "0B", "1", or "2".
prohibition_id: The prohibition record that matched.
violation_type: "AI_INITIATED" | "HUMAN_DIRECTED".
action_attempted: The Cedar action string. Stored in the
CAP Violation Record for auditors; MUST NOT
be returned to the agent or application.
context_hash: SHA-256 of the full action context. Enables
auditors to reconstruct the context without
the GEC exposing it in the error response.
outcome: "REFUSED" | "SESSION_SUSPENDED" |
"HEM_FIRED".
timestamp: ISO 8601 UTC.
kernel_signature: Ed25519 signature over canonical
serialization of all fields except
kernel_signature, by the GEC keypair
([I-D.sato-soos-kia]).
11.5. Session Suspension
The GEC MAY suspend a session when a threshold of CAP violations
is detected within that session. The threshold is SO Type
configurable. The default threshold is three Tier 0 violations
within a single session.
On session suspension:
(1) The GEC records SESSION_CAP_SUSPENDED in the Event Log.
(2) The GEC returns SESSION_SUSPENDED to the CEE.
(3) No further GEC.transition() calls are accepted for this
session until an operator with appropriate authority releases
the suspension.
(4) A CRITICAL Audit Alert is generated.
Suspension defends against systematic probing of the
Constitutional Layer by a compromised or adversarial agent.
12. Jurisdictional Conflict Resolution
12.1. Conflict Detection
A Jurisdictional Conflict exists when:
o The SO Type has declared two or more jurisdictions.
o The CEE determines that one jurisdiction's Tier 1 prohibitions
prohibit an action that another jurisdiction's Tier 1 records
permit or do not address.
o The conflict_resolution method is "HEM".
The GEC MUST detect conflicts at CEE evaluation time, not at SO
Type registration time. Conflicts are action-specific.
12.2. Conflict Resolution Methods
MOST_PROTECTIVE:
The GEC applies the most restrictive prohibition across all
declared jurisdictions. If any jurisdiction prohibits the
action, the CEE returns TIER_1_DENY. No HEM event fires.
This is the safest default for multi-jurisdiction deployments.
PRIMARY_JURISDICTION:
The primary_jurisdiction's Tier 1 prohibition position
governs. Secondary jurisdiction conflicts are recorded in
the Event Log as CAP_TIER1_CONFLICT_DETECTED but do not
block execution. Legal counsel SHOULD review the
authority_ref before this method is selected.
HEM:
The GEC cannot resolve the conflict algorithmically. The
GEC fires HEM_JURISDICTIONAL_CONFLICT (Class 5) and routes
the conflict to the designation chain for human resolution.
12.3. HEM_JURISDICTIONAL_CONFLICT
HEM_JURISDICTIONAL_CONFLICT is HEM Class 5 as specified in
[I-D.sato-soos-hem] Section 6.5. The jurisdictional_conflict_
summary field in the HEM Escalation Request MUST contain:
conflict_id:
GEC-assigned UUID for this conflict instance.
action:
The Cedar action string that triggered the conflict.
conflicting_jurisdictions:
Array of objects, one per conflicting jurisdiction:
jurisdiction: ISO 3166-1 alpha-2.
prohibition_id: The Tier 1 prohibition record that applies.
position: "PROHIBITS" | "PERMITS" | "NOT_ADDRESSED".
resolution_options:
Non-normative array of resolution approaches the principal MAY
consider. The GEC MUST NOT pre-select or recommend a
resolution.
Decision type constraints for Class 5: APPROVE and
APPROVE_WITH_CONSTRAINTS are prohibited. APPROVE_WITH_LEGAL_BASIS
(reserved for Tier 1 Case A), REDIRECT (cleanup only), TERMINATE,
and DEFER are permitted.
12.4. Jurisdictional Conflict Record Schema
The GEC MUST generate a Jurisdictional Conflict Record for every
detected conflict. The record MUST contain:
conflict_id: GEC-assigned UUID.
session_id: The session in which the conflict occurred.
action: The Cedar action string.
conflicting_jurisdictions: { jurisdiction, prohibition_id, outcome }
resolution_method: The conflict_resolution method declared.
hem_id: HEM event ID if conflict_resolution is
"HEM". Null otherwise.
timestamp: ISO 8601 UTC.
13. Event Log Requirements
CAP introduces the following Event Log entry types. All entries
are appended to the GEC Event Log and signed by the GEC keypair
per [I-D.sato-soos-kia].
CAP_VIOLATION_DETECTED:
Generated when the CEE returns CONSTITUTIONAL_VIOLATION on an
AI-initiated action. Fields: violation_id, session_id, hem_id,
tier, prohibition_id, action_attempted, context_hash, outcome,
timestamp, kernel_signature.
CAP_HUMAN_VIOLATION_DETECTED:
Generated when the CEE returns CONSTITUTIONAL_VIOLATION on a
human principal decision. Same fields as CAP_VIOLATION_DETECTED
plus principal_id and decision_type.
CAP_PCR_CLEARANCE_APPLIED:
Generated when the CEE encounters a Tier 0-B or Tier 1 match
and applies an active PCR. Fields: session_id, pcr_id,
prohibition_class, action, timestamp, kernel_signature.
CAP_TIER1_CONFLICT_DETECTED:
Generated when a Tier 1 conflict is detected regardless of
resolution method. Fields: conflict_id, session_id, action,
conflicting_jurisdictions, resolution_method, hem_id, timestamp.
APPROVE_WITH_LEGAL_BASIS_RECORDED:
Generated when a principal submits APPROVE_WITH_LEGAL_BASIS.
Fields: hem_id, principal_id, legal_basis (authority_type,
authority_ref, pcr_id, jurisdiction, expiry, document_hash),
timestamp.
SESSION_CAP_SUSPENDED:
Generated when the GEC suspends a session under Section 11.5.
Fields: session_id, violation_id, violation_count,
threshold_applied, suspended_at.
CAP_AMBIGUITY_ROUTED:
Generated when the CEE returns LEGAL_AMBIGUITY_DETECTED.
Fields: session_id, prohibition_class, ambiguity_flag,
ambiguity_context, action, hem_id, timestamp, kernel_signature.
CAP_AMBIGUITY_RESOLVED:
Generated when a human principal resolves a LEGAL_AMBIGUITY
HEM escalation. Fields: hem_id, session_id, principal_id,
decision_type, legal_basis (if cited), determination_text
(plain language statement of the principal's legal
determination), timestamp, kernel_signature.
The determination_text field provides the legal engineer with
evidence to refine the action_pattern in a future Regulation
Record revision.
PCR_EXPIRED:
Generated when a PCR passes its expiry_date. Fields: pcr_id,
prohibition_class, expired_at, operator_notified.
14. EU AI Act Applicability
14.1. Article 5 Mapping
EU AI Act Article 5 prohibits certain AI practices absolutely for
EU-jurisdiction deployments. The following table maps Article 5
provisions to CAP mechanisms. This mapping is normative for
EU-jurisdiction SO Type deployments: the CEE evaluation and CAP
Violation Record satisfy Article 5 enforcement requirements when
the relevant Tier 1 prohibitions are declared for EU-jurisdiction
SO Types.
+------------------------------+-------------------------------+------+
| Article 5 Provision | CAP Mechanism | Sec. |
+------------------------------+-------------------------------+------+
| 5(1)(a) -- Subliminal | Tier 1: FINANCIAL_CRIME / | 8.2 |
| manipulation causing harm | FRAUD for EU jurisdiction; | |
| | CEE TIER_1_DENY; principal | |
| | requires APPROVE_WITH_LEGAL_ | |
| | BASIS to proceed | |
+------------------------------+-------------------------------+------+
| 5(1)(b) -- Exploitation of | Tier 1: HUMAN_RIGHTS for | 8.2 |
| specific group | EU jurisdiction; TIER_1_DENY | |
| vulnerabilities | | |
+------------------------------+-------------------------------+------+
| 5(1)(c) -- Social scoring | Tier 1: DATA_PROTECTION / | 8.2 |
| by public authorities | PRIVACY_VIOLATION for EU; | |
| | operators SHOULD also declare | |
| | Tier 2 for private deployments| |
+------------------------------+-------------------------------+------+
| 5(1)(d) -- Real-time remote | Tier 1: DATA_PROTECTION / | 8.2 |
| biometric ID in public | PRIVACY_VIOLATION for EU with | |
| spaces | authority_ref citing Art. | |
| | 5(1)(d) | |
+------------------------------+-------------------------------+------+
| General -- No human override | HEM_HUMAN_DECISION_ |11.2 |
| of prohibited practices | CONSTITUTIONAL_VIOLATION -- | |
| | principal APPROVE cannot | |
| | execute Tier 0 or verified | |
| | Tier 1 actions | |
+------------------------------+-------------------------------+------+
| General -- Audit trail of | CAP_VIOLATION_DETECTED and | 12 |
| prohibited practice attempts | CAP_HUMAN_VIOLATION_DETECTED | |
| | Event Log entries; CRITICAL | |
| | Audit Alert; Audit Package | |
| | available to regulators | |
+------------------------------+-------------------------------+------+
Table 1: EU AI Act Article 5 Mapping
Note: Article 5 prohibited practices that derive from near-universal
treaty consensus may be reclassified to Tier 0-B in future
revisions of this specification. The current Tier 1 classification
reflects the principle that Tier 0 is reserved for genuine global
consensus (Section 7.1). The enforcement consequence is equivalent
for EU-jurisdiction SO Types.
15. Security Considerations
CEE GEC integrity:
The CEE is a GEC-resident component. Its prohibition records
and evaluation logic MUST be protected against modification by
any agent, application, or principal. Implementations MUST
treat CEE records with the same integrity protection as mandate
JWTs and Event Log entries. Any modification to Tier 0 records
outside of a GEC initialization sequence loaded from a verified
source MUST be treated as a critical security incident. At L3
conformance, CEE integrity is guaranteed by hardware attestation
([I-D.sato-soos-kia]). At L1 and L2, integrity depends on
process isolation and Event Log non-suppressibility.
Action pattern probing:
The CEE MUST NOT return the matched action_pattern in error
responses. Returning full action pattern details enables
adversarial agents to probe the boundary of prohibited action
classes and identify closely adjacent actions. The error
response MUST contain only the prohibition_class.
Tier 1 verification integrity:
Unverified Tier 1 records MUST NOT be enforced. The GEC MUST
check the verified_by signature before loading any Tier 1
record.
Session suspension threshold:
The default threshold of three Tier 0 violations SHOULD be
configurable downward but not upward. A higher threshold
enables systematic probing. Operators who configure a higher
threshold MUST document the justification and subject it to
Audit Principal review.
PCR integrity:
A PCR without a valid audit_principal_signature MUST NOT be
loaded. A PCR naming CSAM or GENOCIDE_FACILITATION MUST be
rejected. An expired PCR MUST NOT be applied. The GEC MUST
verify all three conditions at initialization and at CEE
evaluation time.
PCR scope creep:
The purpose_scope field in a PCR is human-readable and not
technically enforced at the CEE layer. Operators MUST ensure
that the purpose_scope accurately describes the authorized
activity. Audit Principals MUST verify that the purpose_scope
is consistent with the cited authority_ref before signing.
Regulators reviewing the Audit Package can assess purpose
compliance independently.
Legal basis citation integrity:
The APPROVE_WITH_LEGAL_BASIS legal_basis block is an operator
assertion, not a verified legal finding. Implementations MUST
record all such decisions in the Audit Package regardless of
the apparent validity of the legal_basis. Regulators reviewing
the Audit Package can assess legal basis validity independently.
Double-evaluation atomicity:
The two CEE evaluations -- before Cedar and before GEC execution
-- MUST be atomic with their respective triggering calls at all
three conformance levels. An implementation that evaluates CAP
asynchronously or conditionally does not satisfy the
Constitutional Layer guarantee.
16. IANA Considerations
16.1. CAP Prohibition Classes Tier 0 Registry
This document establishes the "Constitutional AI Protocol
Prohibition Classes Tier 0" registry maintained at:
https://www.iana.org/assignments/cap-prohibition-classes-tier0
Registration procedure: RFC Only.
Initial values:
+------------------------+--------+---------------------------------+
| Prohibition Class | Sub | Treaty Basis |
+------------------------+--------+---------------------------------+
| CSAM | TIER0A | UN CRC 1989 + Optional Protocol |
| GENOCIDE_FACILITATION | TIER0A | UN Genocide Convention 1948 |
| HUMAN_TRAFFICKING | TIER0B | UN Trafficking Protocol 2000 |
| WMD_ASSISTANCE | TIER0B | CWC (193), BWC (183), NPT (191) |
| TORTURE_FACILITATION | TIER0B | UN CAT 1984 (173 states) |
| TERRORIST_FINANCING | TIER0B | UNSC Resolution 1373 (2001) |
+------------------------+--------+---------------------------------+
Table 2: Initial CAP Tier 0 Prohibition Classes
16.2. CAP Prohibition Classes Tier 1 Registry
This document establishes the "Constitutional AI Protocol
Prohibition Classes Tier 1" registry maintained at:
https://www.iana.org/assignments/cap-prohibition-classes-tier1
Registration procedure: Specification Required.
Initial values: FINANCIAL_CRIME, DATA_PROTECTION,
CRITICAL_INFRASTRUCTURE, SECURITIES_LAW, PRIVACY_VIOLATION,
FRAUD, COMPETITION_LAW, HUMAN_RIGHTS. (See Section 8.2.)
16.3. CAP Conflict Resolution Methods Registry
This document establishes the "Constitutional AI Protocol Conflict
Resolution Methods" registry maintained at:
https://www.iana.org/assignments/cap-conflict-resolution-methods
Registration procedure: Standards Action.
Initial values: MOST_PROTECTIVE, PRIMARY_JURISDICTION, HEM.
16.4. CAP Deployment Context Registry
This document establishes the "Constitutional AI Protocol
Deployment Context" registry maintained at:
https://www.iana.org/assignments/cap-deployment-context
Registration procedure: Specification Required.
Initial values: COMMERCIAL, GOVERNMENT_CIVILIAN, GOVERNMENT_DEFENSE,
LAW_ENFORCEMENT, ACADEMIC_RESEARCH, REGULATED_PROFESSIONAL.
(See Section 10.3 for definitions.)
17. References
17.1. Normative References
[I-D.sato-soos-hem]
Sato, T., "The Human Escalation Mechanism (HEM) for
Agentic AI Systems", Work in Progress, Internet-Draft,
draft-sato-soos-hem-01, May 2026,
.
[I-D.sato-soos-idp]
Sato, T., "The Intent Declaration Primitive (IDP) for
Agentic AI Systems", Work in Progress, Internet-Draft,
draft-sato-soos-idp-03, May 2026,
.
[I-D.sato-soos-kia]
Sato, T., "Kernel Identity and Attestation",
Work in Progress, Internet-Draft,
draft-sato-soos-kia-00, May 2026,
.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997,
.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in
RFC 2119 Key Words", BCP 14, RFC 8174, May 2017,
.
17.2. Informative References
[I-D.sato-soos-gar]
Sato, T., "The Governance Audit Record (GAR) for Agentic
AI Systems", Work in Progress, Internet-Draft,
draft-sato-soos-gar-01, May 2026,
.
[EU-AI-ACT]
European Parliament and Council, "Regulation (EU)
2024/1689", OJ L 2024/1689, July 2024.
[UN-GENOCIDE]
United Nations, "Convention on the Prevention and
Punishment of the Crime of Genocide", 78 UNTS 277, 1948.
[UN-CRC] United Nations, "Convention on the Rights of the Child",
1577 UNTS 3, 1989.
[UN-TIP] United Nations, "Protocol to Prevent, Suppress and
Punish Trafficking in Persons", 2237 UNTS 319, 2000.
[CWC] OPCW, "Convention on the Prohibition of Chemical
Weapons", 1975 UNTS 45, 1993.
[UNSC-1373]
UN Security Council, "Resolution 1373 (2001)",
S/RES/1373, September 2001.
[UN-CAT] United Nations, "Convention Against Torture", 1465 UNTS
85, 1984.
Appendix A. Worked Example -- A Travel Booking in Two Jurisdictions
This appendix walks through two scenarios using a Japan-based
travel operator (MyAuberge K.K.) running an ActivityBookingObject
SO with jurisdiction configuration: primary JP, secondary EU,
conflict_resolution: MOST_PROTECTIVE.
A.1. Scenario 1: Lawful Action, Fully Traced
A travel agent AI requests an action to process a booking payment
for a guest who has explicitly consented to data processing.
Step 1: The AI submits the action to GEC.transition().
Step 2: The CEE evaluates. The action matches no Tier 0 record.
It matches the EU Tier 1 DATA_PROTECTION prohibition record --
but the action pattern carries a user_consent flag. The operator
has declared a Cedar policy that permits payment processing with
explicit consent. The CEE finds no Tier 1 match for this specific
action pattern. Returns PERMIT.
Step 3: Cedar evaluates. The Cedar policy PERMITs the action.
No HEM fires. The GEC executes the transition.
Step 4: The STATE_TRANSITION Event Log entry is written. The IDP
records the agent's reasoning. The audit trail is complete.
The lawyer reviewing this system sees: a fully traced,
consent-documented payment action. Every step is in the log.
A.2. Scenario 2: Jurisdictional Conflict, Human Resolution
The same AI requests an action to share guest location data with
a third-party logistics provider. The JP Tier 1 configuration
permits this under APPI (Japan's data protection law) with
appropriate notice. The EU Tier 1 configuration prohibits it
under GDPR Article 44 (transfer to third countries) because the
logistics provider is outside the EEA.
Step 1: The AI submits the action to GEC.transition().
Step 2: The CEE evaluates. Tier 0: no match. Tier 1: JP
record -- PERMIT. EU record -- PROHIBITS. Conflict detected.
Step 3: conflict_resolution is MOST_PROTECTIVE. The CEE returns
TIER_1_DENY. The action is denied. CAP_TIER1_CONFLICT_DETECTED
is written to the Event Log.
Step 4: The agent receives a DENY response. The IDP records the
denial. The RETRY_CONTINUATION path (if declared) requires the
agent to articulate what changed before retrying.
Step 5: The operator, reviewing the conflict log, contacts legal
counsel. Counsel advises that an adequacy decision or appropriate
safeguards would permit the transfer under GDPR. The operator
updates the EU Tier 1 record to include the adequacy decision
citation. The updated record is verified by the Audit Principal.
The action is now permitted.
Step 6: The full resolution trace -- denial, conflict record,
legal review, Tier 1 update, re-authorization -- is in the
Event Log and available to the regulator.
Appendix B. Related Work
B.1. Existing Constitutional AI Frameworks
Constitutional AI as a training technique (Anthropic, 2022) uses
a set of principles to guide model behavior during RLHF. This is
a training-time approach. CAP is an inference-time enforcement
approach: the GEC evaluates every action request against a
prohibition set regardless of what the model would do if allowed
to act.
The distinction is architecturally critical: a model trained on
constitutional principles can still produce outputs that violate
those principles under adversarial prompting or out-of-distribution
inputs. A CAP-governed GEC refuses Tier 0-A actions
unconditionally, regardless of the model's output, because the CEE
evaluates the action pattern against the prohibition registry --
not the model's compliance with its training.
CAP and Constitutional AI training are complementary. CAP does not
replace safety training; it provides an enforcement layer that does
not depend on the model's training having succeeded.
B.2. EU AI Act Article 5
EU AI Act Article 5 defines prohibited AI practices for EU-
jurisdiction deployments enforced by regulatory action after the
fact. CAP Tier 1 prohibition records for EU jurisdiction are
enforced at GEC evaluation time, before the action occurs. CAP
makes Article 5 machine-executable rather than post-hoc regulatory.
B.3. AIPREF
The AIPREF Working Group defines a vocabulary for AI content-use
preferences. AIPREF provides the policy expression layer; CAP
provides the constitutional floor below which no AIPREF preference
can descend. An AIPREF preference that permitted CSAM would be
refused by CAP Tier 0-A regardless of the preference content.
B.4. SOOS Companion Drafts
CAP sits above all other SOOS layers in the enforcement stack:
draft-sato-soos-kia-00: CAP Violation Records are signed by the
GEC keypair. PCRs are loaded in the GEC Manifest. At L3, the
CEE runs in a KIA-attested TEE.
draft-sato-soos-idp-03: CAP evaluates before IDP is submitted.
A Tier 0-A refusal prevents IDP creation. Defines GEC
conformance levels (L1/L2/L3) referenced in Section 6.1.
draft-sato-soos-hem-01: CAP evaluates human HEM decisions before
GEC execution (double-evaluation). HEM_JURISDICTIONAL_CONFLICT
(Class 5) is a joint CAP+HEM event.
draft-sato-soos-gar-01: CAP Violation Records are included in
the GAR Audit Package for regulatory inspection. CRITICAL Audit
Alerts from CEE feed the GAR alert pipeline.
draft-sato-soos-aep-00: The AEP ACT step invokes GEC.transition(),
which triggers CEE before Cedar.
draft-sato-soos-mad-00: CAP applies to all multi-agent topologies.
An orchestrator cannot issue a sub-agent mandate that bypasses CAP;
the CEE is evaluated per transition regardless of delegation depth.
Author's Address
Tom Sato
MyAuberge K.K.
Chino, Nagano, Japan
Email: tomsato@myauberge.jp
URI: https://activitytravel.pro/