Steward and Sync

Security Gaps Closed

Four gaps every AI deployment in a regulated environment inherits.

Not edge cases. Structural properties of how current AI governance is built. STS-001 closes all four — not by monitoring for them after they occur, but by making them unreachable before a write happens.

The mechanism for each closure is protected under the STS-001 patent family (PR1–PR5, USPTO). This page describes the problem each closure addresses and the outcome it produces.

01

AI model drift reaches a system of record before anyone notices.

The Gap

Every AI system changes over time. Weights shift during fine-tuning. Model behavior changes with prompt context. Performance degrades. These changes — individual or cumulative — can alter the output distribution of a model that was validated in one state and is now operating in another.

The standard response is monitoring: log outputs, run evaluations, alert when drift is detected. The problem with monitoring is sequencing. Monitoring detects drift after execution. In a regulated environment, the write has already happened by the time the alert fires. The audit trail records what the drifted model wrote. It does not prove the write was authorized under the governance state that was valid when the model was originally approved.

The Closure

The governance baseline is a structural precondition for execution, not a post-hoc audit. When a model's execution state deviates from its authorized baseline, the deviation is detected before the execution produces a write to a system of record. Drift does not surface in a log entry after the write. It surfaces as a gate condition before the write — and the write does not proceed.

The result: the authorization record and the model's governance state are inseparable. A drifted model cannot write to a regulated record in the same way an unauthorized actor cannot — because at the gate, they are the same condition.

This is the closure most AI governance products claim to provide via monitoring. Monitoring is not closure. A gate before the write is closure.

02

Compromised execution-side credentials grant unlimited write access.

The Gap

In a conventional architecture, the entity that executes an action and the entity that authorizes it operate in the same trust domain. A privileged account on the execution side — a root credential, an admin token, a compromised service account — can both propose and authorize its own actions.

This is the oldest gap in enterprise security and it has not gotten smaller as AI agents have entered production environments. An AI agent that holds or can obtain elevated credentials on the execution side can, in most current architectures, write to systems of record without any external authorization check. The agent's decision to write is the authorization.

The Closure

The Governance Plane and the Reasoning Plane are architecturally isolated. The plane that executes actions does not hold, and cannot reach, the signing authority that produces TAOs. A compromised process on the execution side — regardless of privilege level — cannot produce a valid authorization receipt. The signing authority is hardware-anchored in the Governance Plane. There is no software path from the execution side to that authority.

The result: privilege escalation on the execution side does not grant write access to systems of record. The escalated credential can still only propose. It cannot authorize.

This is what "structural separation" means in practice. Not a policy that says the approver and the executor should be different. An architecture where they cannot be the same.
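Added example, not STS-001 code and not a description of its patented mechanism: a minimal Python gate that enforces closures 01 and 02 together. An in-memory HMAC key stands in for the hardware-anchored signing authority, the receipt format, the `approved-v1` baseline identifier and the batch record are constructed for this illustration, and the execution side is modelled as code that can propose a write but never holds the governance key.

```python
import hashlib
import hmac
import json
import secrets

def canon(obj: dict) -> bytes:
    # Canonical JSON so a receipt binds to exactly one payload and one baseline.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

class GovernancePlane:
    # Holds the only receipt-signing secret. An in-memory HMAC key stands in for the
    # hardware-anchored signing authority the page describes (assumption of this example).
    def __init__(self, authorized_baseline: str):
        self._key = secrets.token_bytes(32)  # never handed to the execution side
        self.authorized_baseline = authorized_baseline

    def _tag(self, body: dict) -> str:
        return hmac.new(self._key, canon(body), "sha256").hexdigest()

    def issue_receipt(self, proposal: dict, current_baseline: str):
        # Gate condition: the proposing model must still match its approved baseline.
        # Drift is refused here, before any write exists; None means no receipt.
        if not hmac.compare_digest(current_baseline, self.authorized_baseline):
            return None
        body = {"baseline": current_baseline,
                "payload_sha256": hashlib.sha256(canon(proposal)).hexdigest()}
        return {**body, "tag": self._tag(body)}

    def verify_receipt(self, receipt: dict, proposal: dict) -> bool:
        body = {k: v for k, v in receipt.items() if k != "tag"}
        return (hmac.compare_digest(self._tag(body), str(receipt.get("tag", "")))
                and body == {"baseline": self.authorized_baseline,
                             "payload_sha256": hashlib.sha256(canon(proposal)).hexdigest()})

def gated_write(records: list, gov: GovernancePlane, proposal: dict, receipt) -> bool:
    # The gate in front of the system of record (`records`): no valid receipt, no write.
    if receipt is None or not gov.verify_receipt(receipt, proposal):
        return False
    records.append(proposal)
    return True

def demo() -> tuple:
    gov, records = GovernancePlane("approved-v1"), []  # constructed baseline identifier
    proposal = {"record": "batch-0042", "disposition": "release"}  # constructed payload
    approved = gated_write(records, gov, proposal, gov.issue_receipt(proposal, "approved-v1"))
    drifted = gated_write(records, gov, proposal, gov.issue_receipt(proposal, "finetuned-v2"))
    # A privileged execution-side process minting a receipt with a key of its own choosing.
    body = {"baseline": "approved-v1", "payload_sha256": hashlib.sha256(canon(proposal)).hexdigest()}
    self_issued = {**body, "tag": hmac.new(b"exec-side-key", canon(body), "sha256").hexdigest()}
    return approved, drifted, gated_write(records, gov, proposal, self_issued), len(records)
```

Only the first write lands: the drifted baseline never receives a receipt, and the self-issued receipt fails verification because its tag was not produced by the governance key.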

03

Legacy systems cannot adopt governance without modification — so they stay ungoverned.

The Gap

The realistic enterprise environment is not a greenfield deployment. It is a LIMS installed in 2014 that is validated under GAMP 5. It is an EHR system running on a vendor-supported stack that cannot accept kernel-level modifications without triggering full revalidation. It is a SCADA historian that predates modern security controls by a decade.

The standard response to this constraint is: governance applies to the new systems, the legacy systems get network controls and access logs. The governance gap lives in the legacy estate. In regulated industries, that is where the most consequential writes happen.

The Closure

The isolation boundary can be placed at any point where a transit channel meets a persistence environment — a network boundary, a database write path, an API integration point, a protocol translation layer. The mechanism is protocol-agnostic and substrate-agnostic. The legacy system does not need to be modified. It does not need to know the governance layer exists.

What it sees: its normal write path. What sits before that write path: a gate that requires a valid authorization receipt before any write proceeds. The LIMS does not need to be revalidated. The governance layer wraps it at the boundary. The enforcement is structural regardless of what is inside.

The validated system argument — "we cannot modify it" — is not a blocker. The gate sits outside the system. The boundary is the enforcement point, not the system internals.

04

A single AI model's output — confident, plausible, wrong — writes to a regulated record.

The Gap

A single AI model — even a well-aligned, well-evaluated one — is a probabilistic system. Its outputs are draws from a distribution. For any individual inference, there is a nonzero probability that the output is wrong, hallucinated, adversarially influenced, or simply outside the validated operating envelope.

In most current AI deployments, a single model's output is the write. The model decides, the application writes, the audit log records what happened. There is no structural check between the model's output and the system of record. For most applications, this is acceptable. For a diagnostic result, a batch release decision, a financial settlement, or a deviation log entry, it is not.

The Closure

For high-assurance decisions, the framework supports independent parallel reasoning: multiple isolated reasoning instances, each operating with no shared state, each evaluating the same input independently. Their outputs are evaluated against a deterministic consensus threshold. Only when the threshold is met — and the outputs satisfy the structural consensus criteria — does an authorization receipt issue and the write proceed.

A single model's hallucination, regardless of its stated confidence, cannot produce the consensus result. A single compromised model, in a pipeline of independent models, cannot move the output across the threshold alone. The write requires structural agreement, not individual confidence.

This is how regulated industries handle human decision-making — dual review, independent verification, separation of the proposer and the approver. The same property, applied to AI agents by architecture.
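Added example, not STS-001 code: a deterministic consensus gate in Python for closure 04. The operating envelope, the three constructed reviewers, the 95 to 105 percent spec window and the threshold rule (a strict majority of byte-identical canonical outputs) are all assumptions of this example, not the product's criteria.

```python
import json
from collections import Counter
from typing import Optional

# Constructed validated operating envelope: the only output shape a reviewer may emit.
ENVELOPE = {"disposition": {"release", "hold"}}

def canonical(output: dict) -> str:
    return json.dumps(output, sort_keys=True, separators=(",", ":"))

def within_envelope(output: dict) -> bool:
    return set(output) == set(ENVELOPE) and all(output[k] in ENVELOPE[k] for k in ENVELOPE)

def consensus_gate(record: dict, instances: list, threshold: int) -> Optional[dict]:
    # Each instance gets its own copy of the input and shares no state. Outputs outside
    # the envelope are discarded; a decision issues only when at least `threshold`
    # canonical outputs are identical. A strict majority keeps the winner unique.
    if not len(instances) // 2 < threshold <= len(instances):
        raise ValueError("threshold must be a strict majority of the instances")
    outputs = [fn(json.loads(json.dumps(record))) for fn in instances]
    tally = Counter(canonical(o) for o in outputs if within_envelope(o))
    if not tally:
        return None
    winner, votes = tally.most_common(1)[0]
    return json.loads(winner) if votes >= threshold else None

# Constructed independent reviewers of a batch record (assumed spec: 95-105 % of claim).
def reviewer_spec(record: dict) -> dict:
    return {"disposition": "release" if 95.0 <= record["assay_pct"] <= 105.0 else "hold"}

def reviewer_margin(record: dict) -> dict:
    return {"disposition": "hold" if abs(record["assay_pct"] - 100.0) > 5.0 else "release"}

def reviewer_overconfident(record: dict) -> dict:
    return {"disposition": "release"}  # plausible, confident, wrong: ignores the assay

def reviewer_off_envelope(record: dict) -> dict:
    return {"disposition": "ship now", "confidence": 0.99}  # not a permitted output shape

def demo() -> tuple:
    panel = [reviewer_spec, reviewer_margin, reviewer_overconfident]
    in_spec = consensus_gate({"batch": "0042", "assay_pct": 99.1}, panel, threshold=2)
    out_of_spec = consensus_gate({"batch": "0043", "assay_pct": 91.4}, panel, threshold=2)
    # One sound instance against one overconfident and one off-envelope: no 2-of-3 agreement.
    weak_panel = [reviewer_spec, reviewer_overconfident, reviewer_off_envelope]
    no_consensus = consensus_gate({"batch": "0043", "assay_pct": 91.4}, weak_panel, 2)
    return in_spec, out_of_spec, no_consensus
```

The overconfident reviewer is outvoted on the out-of-spec batch, and when it is joined only by an off-envelope output the gate returns None, which in the page's terms means no authorization receipt and no write.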

Why These Four

These are not the only security concerns in an AI deployment. They are the ones that existing governance cannot close.

Network controls, access management, content classifiers, behavioral monitors, model evaluations, red-teaming — these are all real and necessary. They address real threats. None of them close these four gaps, because all of them operate at layers above the one where these gaps live.

AI drift survives monitoring because monitoring fires after the write. Credential compromise survives access management because management controls who can log in — not what an authenticated session can authorize. Legacy systems survive network controls because controls govern traffic, not the write path inside the system. Single-model output risk survives behavioral evaluation because evaluation runs on historical outputs — not on the specific inference that is about to write.

The common property: all four gaps live between the decision and the write. Governance that operates above that layer cannot close them. Governance that operates at that layer — as a structural precondition for the write itself — closes all four simultaneously.

Intellectual Property

The structural mechanisms that close each gap are protected under the STS-001 patent family — five U.S. provisional applications (PR1–PR5) with non-provisional target April 2027. The mathematical foundations are documented in four open-access Zenodo records.

Want to map these gaps to your environment?

The architecture review identifies which closures apply to your write surface and how they deploy.
