AG-785

Threat Level Auto-Decay and Stabilisation

Group H -- Containment & Response · ~12 min read · AGS v2.1 · April 2026
EU AI Act · SOX · FCA · ISO 27001

1. Definition

Threat Level Auto-Decay and Stabilisation governs the automatic reduction of threat levels when the operating environment returns to a stable state. While AG-784 handles the upward movement of threat levels in response to detected threats, AG-785 addresses the equally critical downward trajectory. Without a controlled decay mechanism, systems that have escalated to elevated threat levels would remain locked in restrictive governance postures indefinitely, degrading operational throughput and creating pressure on human operators to manually intervene — a pattern that introduces its own security risks.

The protocol defines a time-based decay function modulated by environmental stability indicators. Rather than simply counting down from the last escalation event, the decay mechanism continuously evaluates whether the conditions that triggered escalation have genuinely subsided. This evaluation incorporates the absence of new detection events, the resolution status of previously identified threats, and the health metrics of the governance infrastructure itself. A system with degraded monitoring capability, for example, should not decay its threat level simply because no new events are arriving — the absence of evidence is not evidence of absence when sensors are impaired.

Stabilisation refers to the process of confirming that a decayed threat level is sustainable. When the threat level drops by one tier, a stabilisation window opens during which the system monitors for recurrence of threat indicators. If the threat recurs within this window, the system re-escalates immediately without the normal evaluation delay. This hysteresis mechanism prevents the costly oscillation pattern where a threat repeatedly pushes the level up, the decay pulls it down, and the cycle repeats — consuming resources and desensitising operators to genuine transitions.

2. Scope

This protocol applies to all governed agents and systems that implement threat level management under AG-784. Specifically:

3. Why This Matters

Operational continuity depends on the governance framework's ability to relax restrictions when threats pass. A system permanently locked at Level 4 or Level 5 imposes severe constraints: mandatory human oversight for every action, restricted delegation, enhanced logging overhead, and tightened operational boundaries. In high-throughput environments such as algorithmic trading or real-time fraud detection, these restrictions can reduce processing capacity by 60-80%, creating significant business impact.

Concrete Failure Scenario: A payments processing agent escalates to Level 4 following a burst of anomalous transaction patterns that are later identified as a legitimate merchant onboarding event. Without auto-decay, the agent remains at Level 4, requiring human approval for every transaction batch. Processing latency increases from 200ms to 45 seconds. Over a weekend when oversight staff are reduced, a backlog of 2.3 million transactions accumulates. The organisation faces contractual SLA breaches, customer complaints, and potential FCA enforcement action for failing to maintain adequate service levels. With AG-785 in place, the decay function recognises the absence of further anomalous patterns, confirms monitoring infrastructure health, and systematically reduces the threat level from 4 to 3 to 2 over a 45-minute stabilisation cycle, restoring normal throughput.

The EU AI Act (Article 9(9)) requires that risk management measures be proportionate and not create disproportionate restrictions on the system's intended purpose. SOX Section 404 requires that internal controls be effective without being so burdensome as to impair the operations they protect. The FCA's SYSC 6.1.1 similarly expects risk management to balance protection with operational functionality. AG-785 operationalises this proportionality requirement by ensuring that defensive postures are temporary and evidence-based.

4. Requirements

5. Maturity Model

Basic

At the Basic level, an organisation has implemented a simple timer-based decay mechanism. After a fixed period without escalation events, the threat level decrements by one. Logging of decay transitions exists but may lack monitoring health context. There is no integration with federated threat levels, and stabilisation windows are fixed rather than configurable. The decay function does not check the health status of detection pipelines before proceeding, creating a risk that threat levels decay during sensor outages.

Intermediate

At the Intermediate level, the decay function checks monitoring infrastructure health before permitting decay. Stabilisation windows are enforced with automatic re-escalation on threat recurrence. Decay transitions are logged with full metadata including monitoring health status. Configurable stabilisation windows support different agent classes. The system prevents auto-decay from Level 5 while governance seals are active. Graduated single-tier decay is enforced to prevent sudden multi-level drops.

Advanced

At the Advanced level, the decay engine integrates with federated threat level propagation (AG-788), considering peer platform threat states in decay decisions. The decay function has been validated through adversarial testing, including scenarios where attackers deliberately trigger and withdraw threats to exploit decay windows. Stabilisation windows are dynamically adjusted based on threat history and confidence levels. The complete decay history is tamper-evident (AG-006), and the determinism of the decay function has been independently verified across distributed deployment nodes.

6. Test Criteria

7. Scoring

| Score | Level | Description |
|---|---|---|
| 0 | No implementation | No auto-decay mechanism exists. Threat levels can only be reduced by manual operator intervention, creating operational bottlenecks and pressure for unsafe overrides. |
| 1 | Basic | A timer-based decay mechanism exists but does not validate monitoring health, lacks stabilisation windows with re-escalation capability, and produces incomplete transition logs. Manual decay is uncontrolled. |
| 2 | Infrastructure-layer enforcement | Decay is enforced at the infrastructure layer with health-aware evaluation, stabilisation windows, automatic re-escalation on recurrence, full metadata logging, and governance seal integration. The mechanism is deterministic and configurable per agent class. |
| 3 | Verified by independent adversarial testing | All Level 2 capabilities are validated by independent adversarial testing, including attack-withdraw-reattack patterns designed to exploit decay windows, sensor degradation scenarios, and federated split-state conditions. Results are documented with evidence of correct behaviour under all tested conditions. |

8. Failure Scenarios

F1: Decay During Sensor Outage (Maps to R2)

Scenario: A network partition causes three of five detection pipeline feeds to become unreachable. The decay engine, evaluating only the two remaining (quiet) feeds, concludes that the environment has stabilised and reduces the threat level from 4 to 2. Meanwhile, the three offline feeds were detecting an active credential stuffing attack that continues unabated.

Impact: CRITICAL. The governance layer relaxes restrictions during an active attack because it has lost visibility. The agent operates with insufficient protection, potentially allowing unauthorised access or data exfiltration.

Mitigation: R2 mandates that decay does not proceed when any detection pipeline is degraded. Implement health checks with heartbeat monitoring and treat pipeline silence as a failure condition.

F2: Oscillation Through Stabilisation Bypass (Maps to R3, R5)

Scenario: An attacker discovers that the stabilisation window for Level 3-to-2 decay is exactly 5 minutes. They time their attack bursts to occur at 5-minute-and-1-second intervals, causing the system to repeatedly decay to Level 2 (relaxing restrictions) just before the next attack burst arrives. The governance layer spends most of its time at the lower, more permissive level.

Impact: HIGH. The attacker effectively controls the governance posture by timing their actions to exploit the decay cycle. Each time the level drops, they gain a brief window of reduced scrutiny.

Mitigation: R5 ensures rapid re-escalation on recurrence. Additionally, Advanced maturity implementations should dynamically extend stabilisation windows when repeated decay-re-escalate cycles are detected, treating the pattern itself as a threat indicator.
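The window extension described in this mitigation, as an added example (not part of the protocol text or any reference implementation). The `Stabiliser` class, the doubling rule, the one-hour cycle memory and cap, and the 600-second re-decay delay are all assumptions chosen for illustration; the replay is a constructed scenario using the F2 timing.

```python
class Stabiliser:
    """Stabilisation window that doubles for each recent decay/re-escalate cycle."""

    def __init__(self, base_window_s=300.0, memory_s=3600.0, cap_s=3600.0,
                 adaptive=True):
        self.base, self.memory, self.cap = base_window_s, memory_s, cap_s
        self.adaptive = adaptive
        self.cycles = []            # times of re-escalations that followed a decay
        self.decayed_at = None      # time of the most recent one-tier decay
        self.window_s = base_window_s

    def on_decay(self, now):
        """Open a stabilisation window sized from the cycles still in memory."""
        self.cycles = [t for t in self.cycles if now - t <= self.memory]
        if self.adaptive:
            self.window_s = min(self.cap, self.base * 2 ** len(self.cycles))
        else:
            self.window_s = self.base
        self.decayed_at = now
        return self.window_s

    def on_threat(self, now):
        """'immediate' if the recurrence falls inside the open window, else 'normal'."""
        if self.decayed_at is None:
            return "normal"         # no decay pending: ordinary escalation path
        inside = now - self.decayed_at <= self.window_s
        self.cycles.append(now)     # the cycle itself counts as a threat indicator
        self.decayed_at = None
        return "immediate" if inside else "normal"


def replay_timed_bursts(stabiliser, rounds, gap_s, redecay_after_s=600.0):
    """Constructed F2 replay: each burst lands gap_s after the preceding decay."""
    now, outcomes = 0.0, []
    for _ in range(rounds):
        window = stabiliser.on_decay(now)
        now += gap_s
        outcomes.append((window, stabiliser.on_threat(now)))
        now += redecay_after_s      # assumed quiet time before the next decay
    return outcomes
```

With a fixed 300-second window, a burst timed 301 seconds after each decay always takes the normal evaluation path; with the adaptive window, only the first burst does.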

F3: Premature Decay from Level 5 with Active Seal (Maps to R6)

Scenario: A governance state seal is created at Level 5 following detection of a suspected integrity compromise. Due to a race condition, the decay engine evaluates eligibility before the seal status is propagated to the decay function's state view. The threat level drops to 4, and the sealed governance state diverges from the current operating state.

Impact: CRITICAL. The governance seal becomes misaligned with the actual operating threat level. Verification of the seal (AG-787) will fail or produce misleading results, and the integrity of the governance record is compromised.

Mitigation: Implement synchronous seal-status checking in the decay path. The seal must be confirmed as absent or resolved before decay can proceed. Use distributed locking if the seal store and decay engine are on separate nodes.

F4: Federated Decay Inconsistency (Maps to R7)

Scenario: In a federated deployment, Platform A decays from Level 4 to Level 2 while Platform B remains at Level 4 for the same threat vector. An adversary, detecting the inconsistency, shifts their attack to Platform A's now less-protected agents.

Impact: HIGH. Inconsistent threat levels across federated platforms create exploitable asymmetries. Attackers can target the least-protected node in the federation.

Mitigation: R7 recommends integrating federated peer levels into decay evaluation. Advanced implementations should treat federated peer elevation as a blocking condition for local decay on correlated threat vectors.
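The blocking conditions from the F1, F3 and F4 mitigations combined into a single decay gate, as an added example (not the protocol's own code). `DecayInputs`, `evaluate_decay`, the 30-second heartbeat timeout, the Level 1 floor, the blocker names and the feed names are assumptions; the sample input is constructed from the F1 scenario.

```python
from dataclasses import dataclass

HEARTBEAT_TIMEOUT_S = 30.0   # assumed: a feed silent for longer is treated as degraded
MIN_LEVEL, MAX_LEVEL = 1, 5  # assumed floor; the page names Level 5 as the top tier


@dataclass
class DecayInputs:
    level: int               # current local threat level
    now: float               # evaluation time (epoch seconds)
    heartbeats: dict         # detection feed -> time of its last heartbeat
    last_detection: float    # time of the most recent detection event
    quiet_period_s: float    # event-free time required before a decay
    seal_active: bool        # governance seal status, read in the decay path itself
    peer_levels: dict        # federated peer -> its level for the correlated vector


def evaluate_decay(inp):
    """Return (new_level, record); the level drops by at most one tier per call."""
    stale = sorted(f for f, t in inp.heartbeats.items()
                   if inp.now - t > HEARTBEAT_TIMEOUT_S)
    blockers = []
    if inp.level <= MIN_LEVEL:
        blockers.append("at_floor")
    if stale or not inp.heartbeats:
        blockers.append("pipeline_degraded")     # F1: feed silence is a failure
    if inp.now - inp.last_detection < inp.quiet_period_s:
        blockers.append("recent_detection")
    if inp.level == MAX_LEVEL and inp.seal_active:
        blockers.append("seal_active")           # F3: no decay from 5 under a seal
    if any(lvl >= inp.level for lvl in inp.peer_levels.values()):
        blockers.append("peer_elevated")         # F4: a peer is at or above our level
    new_level = inp.level if blockers else inp.level - 1
    record = {"from": inp.level, "to": new_level, "at": inp.now,
              "stale_feeds": stale, "blockers": blockers}
    return new_level, record


def f1_partition_case():
    """Constructed F1 input: three of five feeds stopped heartbeating 10 minutes ago."""
    now = 10_000.0
    beats = {"feed-a": now - 5, "feed-b": now - 8,
             "feed-c": now - 600, "feed-d": now - 600, "feed-e": now - 600}
    return DecayInputs(4, now, beats, now - 3600, 900.0, False, {})
```

The returned record carries the stale feed list and every blocker, so a held decay is logged with the same monitoring-health context as a completed one.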

9. Regulatory Mapping

| Requirement | EU AI Act | SOX | FCA SYSC | ISO/IEC |
|---|---|---|---|---|
| R1: Automatic decay evaluation | Art. 9(9) — Proportionality | -- | SYSC 6.1.1 | ISO/IEC 27001:2022 A.5.7 |
| R2: Health-aware decay | Art. 9(2)(b) — Risk estimation | Sec. 404 | SYSC 6.1.2 | ISO/IEC 27005:2022 Cl. 8.4 |
| R3: Stabilisation windows | Art. 9(4)(b) — Mitigation | -- | SYSC 6.1.1 | ISO/IEC 27001:2022 A.5.24 |
| R4: Decay transition logging | Art. 12 — Record-keeping | Sec. 302, 802 | SYSC 9.1.1 | ISO/IEC 27001:2022 A.8.15 |
| R5: Re-escalation on recurrence | Art. 9(2)(b) — Risk estimation | -- | SYSC 6.1.1 | ISO/IEC 27001:2022 A.5.24 |
| R6: Seal-aware decay blocking | Art. 9(7) — Testing | Sec. 404 | SYSC 6.1.2 | ISO/IEC 27001:2022 A.8.24 |
| R10: Deterministic decay | Art. 9(7) — Testing | Sec. 404 | SYSC 6.1.2 | ISO/IEC 25010:2023 |

| Protocol | Relationship |
|---|---|
| AG-784 (Adaptive Threat Level Escalation) | Complementary: AG-784 governs escalation; AG-785 governs the reverse decay process. |
| AG-786 (Cryptographic Governance State Sealing) | Blocking dependency: Auto-decay from Level 5 is blocked while a seal is active. |
| AG-787 (Governance Seal Integrity Verification) | Supporting: Seal verification must account for decay-related state changes. |
| AG-788 (Federated Threat Level Propagation) | Integration: Federated peer threat levels inform decay eligibility. |
| AG-789 (HMAC-Signed Threat Broadcast Authentication) | Security: Decay-related broadcasts must be authenticated. |
| AG-790 (Multi-Source Weighted Threat Composite Scoring) | Input: Composite scores inform whether decay conditions are genuinely met. |
| AG-791 (Pipeline-Integrated Threat Event Ingestion) | Input: Pipeline health status is a mandatory input to decay evaluation. |
| AG-001 (Operational Boundary Enforcement) | Governance action: Boundaries relax as threat levels decay. |
| AG-006 (Tamper-Evident Record Integrity) | Audit: All decay transitions are recorded in tamper-evident logs. |
| AG-009 (Delegated Authority Governance) | Governance action: Delegated authority restrictions ease with decay. |
| AG-019 (Mandatory Human Oversight Enforcement) | Governance action: Oversight requirements relax when decaying from Level 5. |

Document generated under Patent 7 governance framework. Classification: INTERNAL. Review cycle: Quarterly.

Cite this protocol
AgentGoverning. (2026). AG-785: Threat Level Auto-Decay and Stabilisation. The Protocols of AI Agent Governance, AGS v2.1. agentgoverning.com/protocols/AG-785