This dimension governs the structural tension between the operational requirement for mission secrecy in defence and national security AI deployments and the governance imperative for meaningful, independently verifiable oversight and audit. It matters because ungoverned secrecy in AI-assisted missions creates conditions where autonomous or semi-autonomous agents can operate outside any accountability framework, making post-hoc error correction, legal review, or democratic scrutiny structurally impossible rather than merely difficult. Failure manifests as AI systems that have caused civilian harm, violated rules of engagement, or exceeded authorised parameters in circumstances where no auditable record exists, no independent reviewer had access to the operational context, and institutional accountability collapses entirely into classified deniability.
An AI-assisted intelligence fusion agent deployed across a coalition signals-intelligence network processes approximately 340,000 intercept records per 72-hour operational cycle. The agent is configured to suppress detailed inference logs citing SIGINT source-protection rules under a standing national security directive. During a 14-day operation, the agent produces 23 high-confidence targeting nominations. Post-operation review by a legal adviser discovers that 4 of those nominations were based on pattern-of-life models trained on datasets that included protected humanitarian-worker communication metadata, violating the law of armed conflict. Because the inference logs were suppressed rather than stored in a compartmented audit vault, there is no recoverable record of which data contributed to which nomination. The legal adviser cannot reconstruct the decision chain, the commanding officer cannot demonstrate due diligence, and the coalition partner cannot satisfy its own parliamentary inquiry. The failure is not the suppression of logs from external adversaries — that was legitimate — but the absence of a secrecy-compatible audit architecture that would have preserved the inference chain in a classified vault accessible to authorised independent reviewers. Total evidentiary gap: 23 nominations, zero reconstructible decision records.
A military installation deploys an autonomous perimeter-defence agent with rules-of-engagement logic encoded directly in its inference layer. The system is classified at the highest national tier, and the oversight board responsible for AI systems in the relevant armed service has been explicitly excluded from access on the grounds that board members lack the appropriate compartment clearance. Over an 18-month deployment, the system engages 7 targets; in 2 cases, post-engagement physical evidence suggests the targets were non-combatant contractors performing authorised maintenance work. An internal unit inquiry is conducted but cannot access the agent's decision weights, sensor-fusion parameters, or the specific inference outputs that triggered engagement authorisation, because all system internals are stored only on air-gapped hardware whose access logs show no record of any oversight-board inspection visit. The absence of any independent oversight channel — not the classification itself — is the governance failure. The system operated for 18 months in a legal and ethical vacuum because secrecy was used not to protect sources and methods from adversaries but to insulate the deploying unit from accountability to its own institutional oversight structures.
A government laboratory develops an AI-based trajectory prediction module originally cleared for export to a treaty-partner nation under a specific end-use certificate. The module is subsequently modified by the receiving nation's defence contractor to incorporate an autonomous engagement-decision layer. The modification process involves 11 software increments across 8 months. No oversight body in either the originating or receiving nation maintains a modification audit trail because the system's classification marking was upgraded during iteration 3, causing the standard software change-control process — which operated on an unclassified system — to be abandoned without a classified equivalent being established. By iteration 11, the system bears almost no functional resemblance to the certified export version, yet no independent reviewer can verify this because neither the originating nor the receiving nation's oversight body has a complete record of what changed, when, and under whose authorisation. When a treaty-compliance audit is triggered 14 months later, reconstruction of the modification history requires interviews with 23 individual engineers across two jurisdictions, produces a 47% confidence estimate in the reconstructed timeline, and cannot conclusively establish whether the autonomous engagement layer was present before or after the export certification was issued. The governance failure is the absence of a secrecy-compatible modification audit architecture that would have maintained a classified but independently accessible change record throughout all 11 iterations.
This dimension applies to all AI agent systems deployed in defence, intelligence, national security, and dual-use contexts where operational security classification is applied to any component of the agent system, including but not limited to: training data provenance records, model weights, inference logs, decision outputs, rules-of-engagement logic, sensor-fusion parameters, mission planning outputs, and modification or version histories. The dimension applies regardless of whether the agent operates autonomously, semi-autonomously, or in a human-on-the-loop configuration, and regardless of whether the agent is operated by a state entity, a contracted private-sector entity, or a coalition partner. The dimension does not restrict the application of classification to agent system components where operationally necessary; it governs the governance architecture that must coexist with that classification.
The deploying organisation MUST establish and maintain a classified audit vault, operating at or above the highest classification tier applied to the agent system, that stores a complete and tamper-evident record of all agent decision outputs, inference pathways, input data provenance references, and rules-of-engagement logic snapshots for every operational cycle. The vault MUST be architecturally separate from the agent's operational systems such that vault access is not required for operational continuity and vault unavailability does not affect mission execution. The vault MUST be accessible to authorised independent oversight reviewers without requiring the operational unit to grant or revoke access on a per-inspection basis.
The deploying organisation MUST designate at least one independent oversight body — distinct from the operational chain of command — that holds or can be granted appropriate classification access to the audit vault defined in 4.1. This body MUST have the right to inspect vault contents without prior notification to the operational unit, subject only to physical access scheduling constraints. The oversight body MUST produce a written review record for each inspection, and that record MUST itself be retained in a classified archive accessible to a second-tier oversight authority such as an inspector general, ombudsman, or parliamentary oversight committee with appropriate clearance.
The deploying organisation MUST implement technical and procedural controls that distinguish between two categories of log suppression: (a) suppression of operationally sensitive metadata from external-facing or cross-domain systems for legitimate source-protection reasons, and (b) suppression of decision-chain records from internal oversight systems for accountability purposes. Category (a) suppression is permissible. Category (b) suppression is not permissible under this dimension. The deploying organisation MUST be able to demonstrate, upon inspection by the oversight body defined in 4.2, that no category (b) suppression has occurred during the audit period.
The deploying organisation MUST maintain a versioned, timestamped, and integrity-verified record of all rules-of-engagement logic, decision thresholds, and authorisation parameters loaded into or active within the agent system at any point during its operational life. Each version record MUST include the identity or role of the authorising officer, the date and time of authorisation, the nature of the change from the prior version, and a cryptographic integrity hash of the parameter set. This record MUST be stored in the classified audit vault defined in 4.1 and MUST be retained for a minimum of 15 years from the date of the agent's decommissioning or the conclusion of the operation to which the agent was assigned, whichever is later.
Where an agent system incorporates components subject to export controls, end-use certification, or treaty-based restrictions, the deploying organisation MUST maintain a classified but independently accessible modification audit trail for all changes to those components from the date of initial certification through decommissioning. The trail MUST record each software and hardware modification at sufficient granularity to enable an independent reviewer to determine whether the system as modified remains within the scope of the original certification. The modification audit trail MUST be provided to the originating nation's oversight authority upon formal request within 90 calendar days.
The deploying organisation MUST conduct a classification review of each agent system component at intervals not exceeding 12 months and MUST document the operational justification for maintaining the current classification level of each component. Where a component's classification level can be reduced without operationally meaningful risk, the organisation MUST reduce it to facilitate broader oversight access. The review record MUST be retained in the classified audit vault.
Where the agent system has authority to initiate, recommend, or authorise kinetic or non-kinetic action, the deploying organisation MUST maintain a per-engagement record that includes: the sensor inputs active at the time of the decision, the inference output and confidence score, the rules-of-engagement logic version active at the time, the human role in the decision loop (if any), the time elapsed between agent output and action execution, and the post-engagement outcome assessment. This record MUST be stored in the classified audit vault and MUST be made available to the independent oversight body within 5 business days of a formal review request.
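As an illustration only, the per-engagement record enumerated above can be represented as a single structured artefact. Every field name in this sketch is an assumption for exposition, not a mandated schema:

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class EngagementRecord:
    """Illustrative per-engagement record (4.7); field names are not mandated."""
    engagement_id: str
    sensor_inputs: list[str]          # references to sensor inputs active at decision time
    inference_output: str             # the agent's inference output
    confidence_score: float           # model confidence at the time of the decision
    roe_logic_version: str            # rules-of-engagement logic version active at the time
    human_role: Optional[str]         # human role in the decision loop, if any
    seconds_output_to_action: float   # time elapsed between agent output and action execution
    outcome_assessment: str           # post-engagement outcome assessment

record = EngagementRecord(
    engagement_id="ENG-0007",
    sensor_inputs=["radar/track-112", "eo-ir/frame-58821"],
    inference_output="hostile-intent",
    confidence_score=0.94,
    roe_logic_version="roe-v4",
    human_role="on-the-loop veto (not exercised)",
    seconds_output_to_action=11.2,
    outcome_assessment="pending board review",
)
```

Freezing the dataclass gestures at immutability; genuine tamper evidence comes from the vault architecture in which the record is stored, not from the record object itself.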
The deploying organisation MUST ensure that the independent oversight body defined in 4.2 includes personnel who collectively hold the clearances and compartment accesses necessary to conduct a technically meaningful review of the agent system. The organisation MUST not use clearance prerequisites as a mechanism to prevent effective oversight by ensuring that no oversight-eligible personnel can satisfy those prerequisites. Where a new compartment is created for an agent system, the oversight body MUST be notified of the compartment's existence and offered a pathway to obtain access within 30 calendar days of compartment creation.
The deploying organisation MUST establish an escalation protocol under which any detected anomaly in agent behaviour — including unexpected inference outputs, threshold exceedances, unauthorised parameter modifications, or engagement events outside authorised parameters — is reported to the independent oversight body within 24 hours of detection, without requiring the operational chain of command to initiate or approve that report. The escalation protocol MUST provide a direct reporting channel from the system's integrity monitoring function to the oversight body, independent of command-authority gatekeeping.
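The structural point of the escalation requirement can be sketched in a few lines. The transport function `notify_oversight` below is hypothetical; what matters is that the report is dispatched unconditionally on detection, with no approval gate on the path:

```python
import datetime

def notify_oversight(report: dict) -> None:
    """Hypothetical transport to the oversight body's secure channel (assumption)."""
    print(f"[oversight-channel] {report['anomaly_type']} at {report['detected_at_utc']}")

def escalate_anomaly(anomaly_type: str, details: str) -> dict:
    """Escalate directly to the oversight body; no command approval gate on this path."""
    report = {
        "anomaly_type": anomaly_type,
        "details": details,
        "detected_at_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
    }
    notify_oversight(report)  # direct channel: fires on detection, not on approval
    return report             # command chain is informed in parallel, never consulted first

report = escalate_anomaly("threshold_exceedance", "confidence gate bypassed on track 112")
```

The design choice encoded here is that the integrity monitoring function, not the operational commander, is the originator of the escalation event.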
The tension between mission secrecy and oversight governance is not merely a policy preference to be balanced case-by-case; it is a structural design problem. Classification systems are engineered to limit information flow, and oversight systems require information flow. When these two systems are allowed to interact without explicit architectural mediation, the stronger engineering tendency — which in military and intelligence contexts is almost always classification — will reliably dominate. The result is not a balanced equilibrium but a progressive erosion of oversight capacity that is invisible to the oversight body itself, because the oversight body has no access to the information that would reveal its own incapacity.
This dimension addresses the problem at the architectural level by requiring that oversight capability be structurally guaranteed rather than procedurally negotiated. A procedural guarantee — "the oversight body may request access" — is insufficient because it places the access decision within the same chain of command that has an institutional interest in minimising external scrutiny. A structural guarantee — "the oversight body has access to the classified audit vault without requiring operational-unit approval" — removes that institutional interest from the access-control path.
Behavioural controls in this landscape — training, culture, voluntary disclosure commitments — fail for a predictable reason: the environments that most require oversight are precisely those where the incentive to avoid oversight is highest. A unit that has caused civilian harm through AI-assisted targeting has both the greatest obligation to facilitate oversight and the greatest institutional incentive to obstruct it. Structural controls — audit vaults, separation of suppression categories, direct escalation channels — are designed to function in precisely that adversarial institutional context. They do not depend on the goodwill of the entity being overseen.
Defence AI systems must satisfy two legitimacy requirements simultaneously: operational legitimacy (the system is effective and appropriately secured from adversarial exploitation) and institutional legitimacy (the system operates within legal and ethical frameworks verifiable by authorised oversight bodies). Neither requirement can be satisfied by sacrificing the other. A system that achieves operational legitimacy by eliminating institutional legitimacy is not a well-governed military system; it is an unaccountable autonomous weapon. A system that achieves institutional legitimacy by compromising operational security is not a well-governed oversight arrangement; it is a security vulnerability. This dimension's architecture — compartmented but accessible audit vaults, cleared oversight personnel, structural escalation channels — is designed to satisfy both requirements in parallel rather than trading one against the other.
A secondary rationale for the structural requirements in this dimension is evidentiary. When an incident occurs — civilian casualties, treaty violations, unintended system behaviour — the ability of the deploying organisation to demonstrate institutional good faith depends on the pre-existence of a functional oversight architecture. If that architecture was not in place before the incident, its retroactive construction is both technically unreliable and legally suspect. The requirements in this dimension create the evidentiary infrastructure that makes post-incident accountability possible, which in turn makes pre-incident deterrence of misconduct credible.
Classified Audit Vault Architecture. The audit vault should be implemented as a write-once, append-only store operating on a separate network segment from the agent's operational systems. The vault should accept automated telemetry from the agent system via a one-way data diode to prevent the vault from being used as a covert channel into the operational environment. Vault integrity should be verified using a cryptographic hash chain, with root hashes stored in a hardware security module accessible only to the independent oversight body's infrastructure. The one-way data diode pattern ensures that the agent can write to the vault without the vault being able to influence agent behaviour.
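A minimal sketch of the append-only hash chain described above, assuming SHA-256. A real vault would add the data diode, HSM-anchored root hashes, and classified-network controls that no code snippet can capture:

```python
import hashlib
import json

class AppendOnlyVault:
    """Illustrative tamper-evident log: each entry's hash covers the previous hash."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._entries: list[dict] = []

    def append(self, payload: dict) -> str:
        prev = self._entries[-1]["hash"] if self._entries else self.GENESIS
        body = json.dumps(payload, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode("utf-8")).hexdigest()
        self._entries.append({"payload": payload, "prev": prev, "hash": digest})
        return digest  # root hash, to be anchored in oversight-controlled hardware

    def verify(self) -> bool:
        """Recompute the chain; any edit to a past entry breaks every later link."""
        prev = self.GENESIS
        for entry in self._entries:
            body = json.dumps(entry["payload"], sort_keys=True)
            if entry["prev"] != prev:
                return False
            if hashlib.sha256((prev + body).encode("utf-8")).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

vault = AppendOnlyVault()
vault.append({"event": "nomination", "cycle": 1})
vault.append({"event": "engagement", "cycle": 2})
assert vault.verify()
vault._entries[0]["payload"]["cycle"] = 99  # simulated tampering by the producing unit
assert not vault.verify()                   # the chain exposes the alteration
```

Because the oversight body holds the root hashes independently, the producing unit cannot silently rewrite history even with full administrative access to the vault store.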
Cleared Oversight Panel Structure. The independent oversight body should be structured as a standing panel rather than an ad hoc inspection team. Standing membership ensures continuity of institutional knowledge, reduces the time required to conduct meaningful inspections, and eliminates the operational unit's ability to time disclosures to coincide with panel membership transitions. The panel should include at minimum: a legal adviser with law of armed conflict expertise, a technical reviewer with AI systems competence, and an operational-security specialist who can assess whether proposed classification-reduction actions create genuine risk. Panel members should receive periodic technical briefings on the agent system's architecture, independent of the operational unit's briefings, to maintain independent analytical capacity.
Rules-of-Engagement Logic as Versioned Code. Rules-of-engagement logic and decision thresholds should be treated as versioned software artefacts subject to the same change-control disciplines as any safety-critical software component. Each version should be tagged with the authorising officer's identity (via digital signature linked to a public-key infrastructure), timestamped by a trusted time authority, and stored in the classified audit vault before being loaded into the operational system. The operational system should verify the integrity hash of the loaded logic against the vault record at each boot and refuse to operate if the verification fails.
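The boot-time integrity check described above can be sketched as follows. Here `vault_record` stands in for a lookup against the classified audit vault, and the parameter names are assumptions:

```python
import hashlib
import json

def parameter_hash(parameters: dict) -> str:
    """Deterministic SHA-256 over a canonical serialisation of the RoE parameter set."""
    canonical = json.dumps(parameters, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def verify_before_operation(loaded_parameters: dict, vault_hash: str) -> None:
    """Refuse to enter the operational state if the loaded logic diverges from the vault."""
    if parameter_hash(loaded_parameters) != vault_hash:
        raise SystemExit("RoE integrity check failed: refusing to enter operational state")

params = {"engagement_threshold": 0.97, "human_confirmation_required": True}
vault_record = parameter_hash(params)          # stored in the vault at authorisation time
verify_before_operation(params, vault_record)  # passes silently at each boot
```

Canonical serialisation (sorted keys, fixed separators) matters: without it, semantically identical parameter sets could hash differently and trigger false refusals.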
Compartment Notification Protocol. When a new compartment is created for an agent system component, the compartment-creation authority should simultaneously issue a notification to the independent oversight body that includes: the existence of the compartment, its scope description at a level of abstraction sufficient to allow the oversight body to assess the relevance to its oversight mandate, and a timeline for access provision. The notification itself should be classified at the compartment level, transmitted via a dedicated secure channel to the oversight body's secure communications infrastructure, and acknowledged by the oversight body within 5 business days.
Maturity Model. Organisations should assess their implementation against four maturity levels: Level 1 (Initial) — audit records exist but are co-located with operational systems and accessible only through the operational chain of command; Level 2 (Developing) — a separate audit vault exists but oversight body access requires operational-unit approval; Level 3 (Defined) — a structurally separate vault exists with independent oversight body access, and suppression categories are formally distinguished; Level 4 (Optimising) — all requirements of this dimension are met, the oversight body conducts regular unannounced inspections, and classification reduction reviews are conducted proactively with documented justifications. Organisations operating Level 1 or Level 2 systems in kinetically active roles should be considered non-conformant with this dimension.
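One way to operationalise the level definitions is as a decision procedure over a handful of yes/no criteria. The predicate names below are assumptions chosen to mirror the level descriptions, not a defined assessment instrument:

```python
from enum import IntEnum

class Maturity(IntEnum):
    INITIAL = 1      # records co-located, access via operational chain of command
    DEVELOPING = 2   # separate vault, but access requires operational-unit approval
    DEFINED = 3      # structurally independent access, suppression categories distinguished
    OPTIMISING = 4   # all requirements met, unannounced inspections, proactive declassification

def assess(separate_vault: bool,
           independent_access: bool,
           suppression_categories_distinguished: bool,
           unannounced_inspections: bool,
           proactive_declassification: bool) -> Maturity:
    """Map the dimension's criteria onto the four maturity levels (illustrative)."""
    if not separate_vault:
        return Maturity.INITIAL
    if not independent_access or not suppression_categories_distinguished:
        return Maturity.DEVELOPING
    if unannounced_inspections and proactive_declassification:
        return Maturity.OPTIMISING
    return Maturity.DEFINED
```

Under this reading, any outcome below `Maturity.DEFINED` for a kinetically active system is non-conformant with the dimension.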
The "Classified So Exempt" Anti-Pattern. Treating classification as a categorical exemption from oversight requirements rather than as a modifier of the modality of oversight. Classification determines how oversight is conducted — who has access, through what channels, with what handling procedures — but does not eliminate the requirement for oversight. Any governance policy or standing directive that uses classification as a basis for excluding the independent oversight body from access to decision records is an anti-pattern under this dimension.
The Clearance-Prerequisite Trap. Structuring compartment access prerequisites such that the oversight body's membership cannot realistically satisfy them. This includes: requiring compartment-specific training that is offered only to operational personnel, requiring a polygraph protocol that the oversight body has no administrative pathway to initiate, or requiring sponsorship from the operational unit's commanding officer for compartment access. Any access-control architecture that places the operational unit in the role of gatekeeper for its own oversight is an anti-pattern.
Log Suppression by Reclassification. Reclassifying existing audit records to a higher tier than the audit vault is authorised to hold, thereby creating a technical basis for removing records from the vault. This pattern can be used to retroactively eliminate inconvenient evidentiary records while maintaining formal compliance with the vault's operating parameters. Governance policy should explicitly prohibit reclassification of records already stored in the audit vault without simultaneous transfer to a vault operating at the new classification level and notification to the oversight body.
The Unclassified Change-Control Abandonment Pattern. As illustrated in Scenario 3.3, abandoning an existing change-control process when a system's classification level increases, without simultaneously establishing a classified equivalent. The correct response to a classification upgrade is to migrate the change-control process to a classified environment, not to discontinue it. Governance policy should treat any gap between an existing change-control process and the current classification level as a high-priority remediation item.
Oversight Body Overloading. Assigning the independent oversight body responsibility for so many concurrent system oversight mandates that it cannot conduct technically meaningful inspections of any individual system. This pattern — common in resource-constrained oversight environments — produces a formal oversight architecture with no substantive oversight capacity. Oversight body capacity should be assessed against the volume and complexity of systems under its mandate, and additional resources should be provided before new AI system deployments if existing capacity is insufficient.
In coalition environments, where agent systems are developed or operated by multiple sovereign entities, the classified audit vault architecture must account for cross-domain access by oversight bodies from partner nations. This requires: establishment of classification equivalency agreements before deployment, designation of a lead-nation oversight body with agreed authority, and specification of which audit records are releasable to partner-nation oversight bodies and under what conditions. These arrangements should be established in the coalition's operating framework before the AI system achieves initial operational capability, not after an incident has already occurred.
For contracted private-sector entities operating defence AI systems, the audit vault and oversight body access requirements of this dimension should be reflected directly in contract language, including provisions for government audit rights, retention obligations that survive contract termination, and personnel security requirements for contractor staff who have access to vault infrastructure.
| Artefact | Description | Retention Period |
|---|---|---|
| Audit Vault Architecture Document | Technical specification of the classified audit vault, including network topology, access control architecture, integrity verification mechanism, and data diode configuration | Life of system plus 15 years |
| Oversight Body Charter | Formal designation of the independent oversight body, including membership criteria, clearance requirements, inspection rights, and escalation authorities | Life of system plus 15 years |
| Vault Inspection Records | Written records of each independent oversight body inspection, including date, scope, findings, and any corrective action requirements | Minimum 15 years from inspection date |
| Rules-of-Engagement Logic Version Registry | Versioned record of all rules-of-engagement logic states, with authorising officer signatures, integrity hashes, and timestamps | 15 years from decommissioning of associated agent system |
| Compartment Notification Log | Record of all compartments created for agent system components and associated oversight body notifications | Life of system plus 15 years |
| Suppression Category Audit Records | Documentation of all log suppression actions, categorised per the 4.3 distinction, with operational justification | Minimum 10 years from suppression date |
| Classification Review Records | Annual classification review documentation for each agent system component | Life of system plus 15 years |
| Per-Engagement Decision Records | Records per 4.7 for all engagement events | 15 years from engagement date |
| Modification Audit Trail (Dual-Use Components) | Complete modification history for export-controlled or treaty-restricted components | 20 years from decommissioning |
| Incident Escalation Records | Records of all anomaly detections and escalation notifications to oversight body | Minimum 15 years from incident date |
| Oversight Body Capacity Assessment | Annual assessment of oversight body capacity relative to system oversight mandate | 10 years |
All artefacts listed in 7.1 must be stored in tamper-evident systems. Where artefacts are stored electronically, integrity verification must use cryptographic hashing with hash values recorded in a system outside the control of the producing unit. Physical artefacts must be stored under dual-custody procedures. Any evidence of artefact tampering must be treated as a Critical incident under Section 10 and escalated immediately to the second-tier oversight authority.
All artefacts must be catalogued in an index accessible to the independent oversight body without requiring operational-unit mediation. The index must be updated within 48 hours of any new artefact being created. Artefacts must be retrievable within 5 business days of a formal oversight body request and within 24 hours of an emergency escalation request.
Maps to: Section 4.1
Test Type: Architectural inspection and penetration review
Procedure: The test assessor, operating with oversight-body-equivalent access, must: (a) confirm that a classified audit vault exists and is documented in the Audit Vault Architecture Document per 7.1; (b) confirm that the vault operates on a network segment that is architecturally separate from the agent's operational systems, verified by reviewing network topology documentation and physically tracing data paths if required; (c) confirm that a one-way data diode or equivalent unidirectional control prevents vault access from influencing agent operations; (d) attempt to access the vault directly, without operational-unit facilitation, to confirm that access does not route through operational-unit administered systems; (e) verify that vault unavailability does not affect agent operational continuity by reviewing failover architecture documentation.
Conformance Scoring:
Maps to: Sections 4.2 and 4.8
Test Type: Procedural review and unannounced inspection simulation
Procedure: (a) Review the Oversight Body Charter to confirm the existence of a formally designated independent oversight body with inspection rights that do not require prior notification to the operational unit; (b) verify that charter members collectively hold clearances sufficient to conduct a technically meaningful review of the agent system, by cross-referencing member clearance records with the system's compartment access list; (c) conduct a simulated unannounced inspection request — the test assessor submits an access request directly to vault infrastructure without notifying the operational unit and measures the time to access; (d) review the Compartment Notification Log to confirm that the oversight body was notified of all compartments within 30 calendar days of creation; (e) review the Second Review Archive to confirm that oversight body inspection records are accessible to a second-tier authority.
Conformance Scoring:
Maps to: Section 4.3
Test Type: Log analysis and policy review
Procedure: (a) Review the deploying organisation's log suppression policy to confirm that it formally distinguishes category (a) (source-protection suppression to external systems) from category (b) (decision-chain suppression from oversight systems); (b) review the Suppression Category Audit Records for a 90-day sample period and classify each suppression action as category (a) or category (b); (c) for each action classified as category (a) in the review, verify that the corresponding decision-chain record is nonetheless present in the classified audit vault; (d) for any action that cannot be classified as category (a), determine whether it constitutes impermissible category (b) suppression; (e) verify that the oversight body can independently access suppression category records without operational-unit mediation.
Conformance Scoring:
Maps to: Sections 4.4 and 4.7
Test Type: Cryptographic integrity verification and operational cross-reference
Procedure: (a) Retrieve the Rules-of-Engagement Logic Version Registry from the classified audit vault; (b) for each version record, verify the cryptographic integrity hash of the parameter set by recomputing it from the stored parameter file and comparing against the recorded hash; (c) verify that each version record includes authorising officer identity or role, timestamp from a trusted time authority, and a description of changes from the prior version; (d) cross-reference version timestamps against operational logs to confirm that the version active at the time of each engagement event can be determined from the registry; (e) for any engagement event in the Per-Engagement Decision Record, verify that the rules-of-engagement version referenced in that record matches the registry record active at the time of the event; (f) verify that retention period compliance is documented.
Conformance Scoring:
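Step (b) of this procedure amounts to a recomputation pass over the registry. A sketch, assuming each registry entry pairs a stored parameter file with its recorded hash (the entry layout is illustrative):

```python
import hashlib
import json

def recorded_hash(parameters: dict) -> str:
    """Deterministic SHA-256 over a canonical serialisation of a parameter set."""
    canonical = json.dumps(parameters, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def audit_registry(registry: list[dict]) -> list[int]:
    """Return version numbers whose recomputed hash disagrees with the stored record."""
    failures = []
    for entry in registry:
        if recorded_hash(entry["parameters"]) != entry["parameter_hash"]:
            failures.append(entry["version"])
    return failures

registry = [
    {"version": 1, "parameters": {"threshold": 0.95},
     "parameter_hash": recorded_hash({"threshold": 0.95})},   # intact record
    {"version": 2, "parameters": {"threshold": 0.97},
     "parameter_hash": "deadbeef"},                            # corrupt or altered record
]
assert audit_registry(registry) == [2]
```

Any non-empty result from such a pass indicates either tampering or a registry-maintenance defect, and either finding warrants escalation.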
Maps to: Section 4.5
Test Type: Document reconstruction and expert review
Procedure: (a) Identify all components of the agent system subject to export controls, end-use certification, or treaty restrictions; (b) retrieve the Modification Audit Trail for each such component; (c) engage an independent technical expert to assess whether the trail is sufficiently granular to enable determination of whether each modification kept the component within the scope of its original certification; (d) simulate a formal partner-nation oversight request by submitting a test request to the deploying organisation and measuring time to production of the trail; (e) verify that all modifications are recorded from the date of initial certification through the current date, with no unexplained gaps.
Conformance Scoring:
Maps to: Section 4.9
Test Type: Live escalation drill and channel architecture review
Procedure: (a) Review the incident escalation protocol documentation to confirm the existence of a direct reporting channel from integrity monitoring to the oversight body; (b) conduct a live drill in which a simulated anomaly is injected into the integrity monitoring system and the time to notification of the oversight body — without operational chain of command involvement — is measured; (c) verify that the escalation channel's architecture does not route through any system administered by the operational unit; (d) review Incident Escalation Records for the prior 12 months and confirm that all recorded anomaly events have associated oversight body notifications within 24 hours; (e) verify that no escalation record shows a gap attributable to operational chain of command gatekeeping.
Conformance Scoring:
The EU AI Act classifies AI systems used for law enforcement, critical infrastructure, and purposes affecting fundamental rights as high-risk systems subject to mandatory conformity assessment, post-market monitoring, and logging obligations under Articles 9–17. For defence applications, the Act's Article 2(3) exclusion removes from scope AI systems placed on the market or used exclusively for military, defence, or national security purposes, but the Act's general framework establishes the normative expectation that high-risk AI must be auditable, transparent to designated authorities, and subject to human oversight. This dimension's requirements — particularly the classified audit vault (4.1), independent oversight body access (4.2), and engagement decision records (4.7) — are consistent with the Act's logging and human oversight architecture requirements and should be treated as the operationally adapted equivalent of those requirements for classified national security deployments where the Act's direct provisions do not apply. For dual-use systems that also have civilian applications, the Act's requirements apply directly, and this dimension's classified audit vault architecture provides a technically feasible method of satisfying concurrent national security and Act compliance obligations.
| Field | Value |
|---|---|
| Severity Rating | Critical |
| Blast Radius | Organisation-wide — potentially cross-organisation where agents interact with external counterparties or shared infrastructure |
| Escalation Path | Immediate executive notification and regulatory disclosure assessment |
Consequence chain: Without governance of the tension between mission secrecy and oversight, the governance framework has a structural gap that can be exploited at machine speed. The failure mode is not gradual degradation but a binary absence of control that permits unbounded agent behaviour in the dimension this protocol governs. The immediate consequence is uncontrolled agent action within the scope of AG-573, potentially cascading to dependent dimensions and downstream systems. The operational impact includes regulatory enforcement action, material financial or operational loss, reputational damage, and potential personal liability for senior managers under applicable accountability regimes. Recovery requires both technical remediation and regulatory engagement, with timelines measured in weeks to months.