pith. machine review for the scientific record.

arxiv: 2604.17511 · v2 · submitted 2026-04-19 · 💻 cs.LO · cs.AI · cs.CR

Recognition: unknown

Atomic Decision Boundaries: A Structural Requirement for Guaranteeing Execution-Time Admissibility in Autonomous Systems


Pith reviewed 2026-05-10 05:32 UTC · model grok-4.3

classification 💻 cs.LO · cs.AI · cs.CR
keywords: atomic decision boundaries · admissibility · split evaluation systems · execution-time guarantees · labeled transition systems · concurrent environments · policy enforcement · TOCTOU

The pith

Admissibility requires atomic decision boundaries because split evaluation systems cannot prevent state mismatches from environmental interleaving.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows that policies can enforce admissibility at the exact moment of a state transition only if the decision and the transition form one indivisible step in the execution model. In split systems the decision is evaluated in one state while the transition occurs in a possibly different state after environmental actions interleave, and no internal policy adjustment can eliminate this gap. A constructive counterexample trace demonstrates that no split construction can achieve equivalence to an atomic system under concurrent conditions. This yields corollaries that execution-time guarantees are impossible in split architectures, external state enrichment does not suffice, and admissibility is fundamentally an execution-time rather than evaluation-time property. The paper classifies RBAC, ABAC, OPA, Cedar, and AWS IAM as split systems while identifying ACP as atomic.

Core claim

We introduce the atomic decision boundary as a structural property in which decision evaluation and the resulting state transition are jointly determined as a single indivisible step in the labeled transition system model. We distinguish atomic systems from split evaluation systems and prove via constructive counterexample trace that under realistic concurrent environments no construction can make a split system equivalent to an atomic system with respect to admissibility. Three corollaries follow: impossibility of execution-time guarantees in split systems, insufficiency of external state enrichment, and admissibility as an execution-time rather than evaluation-time property. We further (1)

What carries the argument

The atomic decision boundary, the structural coupling of decision evaluation and state transition as one indivisible LTS step that prevents interleaving mismatches.

If this is right

  • Execution-time guarantees are impossible in any split evaluation system.
  • External state enrichment cannot close the architectural gap created by interleaving.
  • Admissibility must be treated as an execution-time property rather than an evaluation-time property.
  • The Escalate outcome transfers the atomicity requirement rather than eliminating it.
  • Common mechanisms such as RBAC, ABAC, OPA, Cedar, and AWS IAM are structurally split and therefore cannot provide execution-time admissibility.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Designers of autonomous systems that modify shared state should therefore require atomic architectures for any admission control layer.
  • The same structural gap may appear in other concurrency contexts such as transactional memory or real-time schedulers where decision and effect are separated.
  • A practical test would be to instrument a split policy engine and search for mismatch traces under controlled interleaving; absence of such traces would contradict the paper's result.

Load-bearing premise

Environmental actions can always interleave between the evaluation transition and the state transition in split systems, creating a state mismatch that policies cannot close from within the split architecture.

What would settle it

An explicit construction of a split evaluation system that produces the same set of admissible transitions as its atomic counterpart even when arbitrary environmental actions are allowed to interleave between evaluation and transition would falsify the central impossibility claim.

Figures

Figures reproduced from arXiv: 2604.17511 by Marcelo Fernandez (TraslaIA).

Figure 1: Architectural contrast between a split evaluation system (left) and an atomic decision
Original abstract

Autonomous systems increasingly execute actions that directly modify shared state, creating an urgent need for precise control over which transitions are permitted to occur. Existing governance mechanisms evaluate policies prior to execution or reconstruct behavior post hoc, but do not enforce admissibility at the exact moment a state transition is committed. We introduce the atomic decision boundary, a structural property of admission control systems in which the decision and the resulting state transition are jointly determined as a single indivisible step in the labeled transition system (LTS) model of execution. We distinguish two classes: atomic systems, where evaluation and transition are coupled within a single LTS step, and split evaluation systems, where they are separate transitions interleaved by environmental actions. The separation introduces an architectural gap -- the decision is evaluated in one system state; the transition fires in a potentially different one -- that no policy, regardless of sophistication, can close from within a split architecture. Under realistic concurrent environments, we prove via a constructive counterexample trace that no construction can make a split system equivalent to an atomic system with respect to admissibility. Three corollaries follow: impossibility of execution-time guarantees in split systems, insufficiency of external state enrichment, and admissibility as an execution-time rather than evaluation-time property. We further formalize the Escalate outcome -- absent from classical TOCTOU analyses -- proving that it transfers rather than eliminates the atomicity requirement: resolution is safe if and only if it is itself atomic. We classify RBAC, ABAC, OPA, Cedar, and AWS IAM as split systems and ACP as atomic, providing a structural taxonomy of existing governance mechanisms. Admissibility is a property of execution, not evaluation.
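As an added illustration, not from the paper or from Pith, the Python model below enumerates every interleaving of a two-step split system (eval, then commit) and of a one-step atomic system against a concurrent environment, and returns the traces in which the commit fires in a state the policy rejects; it is the mismatch search that the "practical test" bullet above proposes, run on a toy LTS. The counter state, the amounts and the step names are constructed assumptions.

```python
from itertools import combinations
from typing import List

INITIAL_BALANCE = 100   # constructed sample state: a single shared counter
AMOUNT = 50             # the agent's requested withdrawal
ENV_AMOUNT = 60         # what one concurrent environment step consumes

def admissible(state: dict, amount: int) -> bool:
    """Admissibility predicate: the transition must not overdraw the counter."""
    return state["balance"] - amount >= 0

def interleavings(agent: List[str], env: List[str]):
    """Yield every order-preserving merge of the agent's steps with env steps."""
    n = len(agent) + len(env)
    for env_slots in combinations(range(n), len(env)):
        trace, ai, ei = [], 0, 0
        for i in range(n):
            if i in env_slots:
                trace.append(env[ei]); ei += 1
            else:
                trace.append(agent[ai]); ai += 1
        yield trace

def run(trace: List[str]) -> bool:
    """Run one trace; True if a commit fires in a state the policy rejects (the mismatch)."""
    state = {"balance": INITIAL_BALANCE}
    decision = False
    for step in trace:
        if step == "env":                 # a concurrent actor moves the shared state
            state["balance"] -= ENV_AMOUNT
        elif step == "eval":              # split system: decide now...
            decision = admissible(state, AMOUNT)
        elif step == "commit":            # ...and fire later, trusting that decision
            if decision:
                if not admissible(state, AMOUNT):
                    return True
                state["balance"] -= AMOUNT
        elif step == "atomic":            # atomic boundary: decide and fire as one step
            if admissible(state, AMOUNT):
                state["balance"] -= AMOUNT
    return False

def mismatch_traces(atomic: bool, n_env: int) -> List[List[str]]:
    """All interleavings with n_env environment steps that end in a mismatch."""
    agent = ["atomic"] if atomic else ["eval", "commit"]
    return [t for t in interleavings(agent, ["env"] * n_env) if run(t)]

if __name__ == "__main__":
    print("split :", mismatch_traces(atomic=False, n_env=1))
    print("atomic:", mismatch_traces(atomic=True, n_env=2))
```

The split model reports exactly the eval, env, commit ordering the abstract describes as the architectural gap, while the one-step model leaves no position for an environment step between decision and transition.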

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

0 major / 2 minor

Summary. The paper introduces the 'atomic decision boundary' as a structural property in labeled transition system (LTS) models of autonomous systems, where policy evaluation and state transition must occur as a single indivisible step to guarantee execution-time admissibility. It distinguishes atomic systems (coupled evaluation and transition) from split evaluation systems (separate transitions subject to environmental interleaving), proves via a constructive counterexample trace that no policy in a split architecture can prevent state mismatches under concurrency, and derives corollaries on the impossibility of execution-time guarantees, the insufficiency of external state enrichment, and admissibility as an execution-time property. The work also analyzes the Escalate outcome, classifies mechanisms such as RBAC, ABAC, OPA, Cedar, and AWS IAM as split systems and ACP as atomic, and concludes that admissibility is a property of execution rather than evaluation.

Significance. If the LTS definitions and counterexample are rigorous, the result provides a clear structural taxonomy explaining limitations of existing governance mechanisms in concurrent environments and underscores why admissibility cannot be reduced to evaluation-time checks. The constructive proof and corollaries offer a falsifiable framework for assessing system architectures, with potential value for formal methods in autonomous systems design.

minor comments (2)
  1. [§3] In §3 (or the equivalent section defining the LTS), clarify the precise transition labels and state components used in the atomic vs. split models so that the counterexample trace is reproducible from the definitions alone.
  2. [Classification section] The classification of existing systems (RBAC, ABAC, etc.) as split or atomic would benefit from explicit mapping to the LTS transition rules for each, rather than summary statements.

Simulated Author's Rebuttal

0 responses · 0 unresolved

We thank the referee for the accurate summary of our contributions and the recommendation for minor revision. The report correctly captures the distinction between atomic and split evaluation systems, the constructive counterexample proving no policy can close the architectural gap under concurrency, and the corollaries on execution-time properties.

Circularity Check

0 steps flagged

No significant circularity; the derivation follows directly from the LTS definitions.

full rationale

The paper's central claim is an impossibility result: in any LTS where evaluation and commit are modeled as distinct transitions (split systems), environmental interleaving produces a state mismatch that no policy evaluated only at the first transition can prevent, while atomic systems couple them in one step. This is established via a constructive counterexample trace that follows immediately once the LTS semantics and interleaving permission are granted by definition. No parameters are fitted, no result is renamed as a prediction, and no load-bearing premise reduces to a self-citation or self-definition. The taxonomy of RBAC/ABAC/OPA/Cedar/AWS IAM as split versus ACP as atomic is a direct classification from the atomic/split distinction rather than a derived prediction. The corollaries on Escalate and admissibility as an execution-time property are logical consequences of the same model separation. The argument is therefore self-contained against external benchmarks and does not exhibit any of the enumerated circularity patterns.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 3 invented entities

The claims rest on the standard LTS model of execution and the newly introduced distinction between atomic and split systems; no free parameters are used.

axioms (1)
  • [standard math] Labeled transition system (LTS) model of execution
    The paper models system behavior and admissibility using LTS semantics.
invented entities (3)
  • atomic decision boundary (no independent evidence)
    purpose: Structural property coupling decision and state transition as one indivisible LTS step
    Newly defined to distinguish systems that can guarantee execution-time admissibility.
  • atomic systems (no independent evidence)
    purpose: Class of systems where evaluation and transition occur in a single LTS step
    Defined to contrast with split systems.
  • split evaluation systems (no independent evidence)
    purpose: Class of systems where evaluation and transition are separate interleaved transitions
    Defined to show the architectural gap in admissibility.

pith-pipeline@v0.9.0 · 5605 in / 1367 out tokens · 45505 ms · 2026-05-10T05:32:32.893377+00:00 · methodology


Forward citations

Cited by 2 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Reconstructive Authority Model: Runtime Execution Validity Under Partial Observability

    cs.CR · 2026-04 · unverdicted · novelty 5.0

    RAM separates integrity from coverage and uses a reconstruction gate over proven state, assumptions, and unobservable residuals to block invalid executions, achieving zero invalid rates in synthetic tests where attest...

  2. Agent Control Protocol: Admission Control for Agent Actions

    cs.CR · 2026-03 · unverdicted · novelty 5.0 · partial

    ACP is a temporal admission control protocol that combines static risk scoring with anomaly accumulation and cooldowns to limit harmful agent behavior over time, reducing approvals from 100% to 0.4% in tested workloads.

Reference graph

Works this paper leans on

16 extracted references · 5 canonical work pages · cited by 2 Pith papers · 2 internal anchors

  1. [1] James P. Anderson. Computer security technology planning study. Technical Report ESD-TR-73-51, USAF Electronic Systems Division, 1972.
  2. [2] Matt Bishop and David Bailey. A critical analysis of vulnerability taxonomies. Technical Report CSE-96-11, University of California at Davis, 1996.
  3. [3] John Cutler et al. Cedar: A new policy language. In USENIX Security Symposium, 2023.
  4. [4] Marcelo Fernandez. Agent control protocol: Admission control for agent actions. https://arxiv.org/abs/2603.18829, 2026. arXiv:2603.18829 [cs.CR], DOI:10.5281/zenodo.19672575.
  5. [6]
  6. [7] Marcelo Fernandez. Irreducible multi-scale governance: Composition and limits of atomic admission systems. https://doi.org/10.5281/zenodo.19672608, 2026. Zenodo. DOI: 10.5281/zenodo.19672608.
  7. [8] Marcelo Fernandez. Reconstructive authority model: Runtime execution validity under partial observability. https://doi.org/10.5281/zenodo.19669430, 2026. Agent Governance Series, Paper 5. Zenodo. DOI: 10.5281/zenodo.19669430.
  8. [9] Marcelo Fernandez. From admission to invariants: Measuring deviation in delegated agent systems. https://doi.org/10.5281/zenodo.19672589, 2026. Zenodo. DOI: 10.5281/zenodo.19672589. arXiv:2604.17517.
  9. [10] Michael A. Harrison, Walter L. Ruzzo, and Jeffrey D. Ullman. Protection in operating systems. Communications of the ACM, 19(8):461–471, 1976.
  10. [11] Maurice P. Herlihy and Jeannette M. Wing. Linearizability: A correctness condition for concurrent objects. ACM Transactions on Programming Languages and Systems, 12(3):463–492, 1990.
  11. [12] Jay Ligatti, Lujo Bauer, and David Walker. Edit automata: Enforcement mechanisms for run-time security policies. International Journal of Information Security, 4(1–2):2–16, 2005.
  12. [13] Open Policy Agent Contributors. Open policy agent. https://www.openpolicyagent.org.
  13. [14] Peter J. Ramadge and W. Murray Wonham. Supervisory control of a class of discrete event processes. SIAM Journal on Control and Optimization, 25(1):206–230, 1987.
  14. [15] Ravi S. Sandhu, Edward J. Coyne, Hal L. Feinstein, and Charles E. Youman. Role-based access control models. IEEE Computer, 29(2):38–47, 1996.
  15. [16] Fred B. Schneider. Enforceable security policies. ACM Transactions on Information and System Security, 3(1):30–50, 2000.
  16. [17] Dan Tsafrir, Tomer Hertz, David Wagner, and Dilma Da Silva. Portably solving file TOCTOU races with hardness amplification. In USENIX Conference on File and Storage Technologies (FAST), 2008.