AIX ALEPHOperational Trust Infrastructure for Mobility
LösungenComplianceBetriebsmodellWhitepaper
Öffentliche Sitzung
Portal-Login
ISO 27001-orientiert · externe Prüfung ausstehend · auditierbar · Made in Germany
LösungenComplianceBetriebsmodellWhitepaperPortal-Login
AIX ALEPHPortal-Login

Inhalt

Executive Summary1. The Governance Gap2. First Principles3. Runtime Governance Lifecycle4. The Six Canonical Principles5. Decision Provenance6. Operational Accountability7. Implications for Autonomous Mobility8. Why Runtime Governance Precedes Autonomy9. ConclusionAppendix: Key Terms
Executive Whitepaper · Runtime Governance Model v1.0

Runtime Governance for Autonomous Mobility

Why Autonomous Mobility Requires a Runtime Governance Layer Before It Can Be Responsibly Operated

Basis: Runtime Governance Model v1.0 · Terminology v1.1Status: Phase 1 · 2026-06-29Herausgeber: AIX ALEPH Governance Authority

Executive Summary

Autonomous mobility is advancing rapidly. Vehicles, systems, and fleets are acquiring the technical capability to act without continuous human direction. What is not advancing at the same pace is the infrastructure that determines whether those actions may legitimately occur — and whether they can be reconstructed, audited, and assigned to responsible parties when they do.

This paper argues that the critical gap in autonomous mobility is not technical capability. It is operational governance. Specifically, it is the absence of a Runtime Governance Layer: a structural foundation that verifies operational state, authorizes decisions in real time, captures the complete origin chain of those decisions, and assigns accountability before an incident occurs rather than after.

Without this layer, autonomous systems operate in a governance vacuum. They may function correctly. They cannot be proven to have done so. And in regulated environments — which all mobility operations will eventually become — that distinction is not abstract. It determines whether a system can be insured, licensed, and trusted by the public institutions that govern its operation.

The Runtime Governance Layer is not a compliance checkbox. It is the precondition for responsible autonomous operation.

1. The Governance Gap

The autonomous mobility industry has invested substantially in capability: sensor fusion, AI-driven perception, trajectory planning, and vehicle control systems that can navigate complex environments with increasing reliability. These investments are producing real results.

What they are not producing is governance.

The governance question is distinct from the capability question. Capability asks: Can the system do this? Governance asks: May the system do this — and who is responsible if it does?

These are different questions with different answers, and they require different infrastructure.

Today, most autonomous mobility systems answer the capability question with impressive engineering. They answer the governance question with after-the-fact logging, static access control configurations, and incident investigations that must reconstruct decision context from incomplete records.

This is not governance. It is documentation of what happened — without the means to demonstrate that what happened was authorized, bounded, and accountable in advance.

The gap between capability and governance is where regulatory exposure lives. It is where insurance underwriting breaks down. It is where public trust erodes when incidents occur and no institution can answer the question that matters most: How did this decision come to be authorized?

Closing this gap is not a software feature. It requires a distinct architectural layer — one designed from first principles around authorization, provenance, and accountability rather than performance and throughput.

2. First Principles

Any serious approach to autonomous mobility governance must begin with premises rather than features. The following five premises are not design choices. They are logical preconditions for any system that claims to operate responsibly without continuous human direction.

Autonomy generates accountability.

When a system acts without direct human instruction, it does not eliminate the need for accountability — it transfers it. The operational environment that authorized the system to act assumes responsibility for that action. Autonomy does not reduce the demand for accountability. It intensifies it.

Accountability presupposes authorization.

An action is only accountable if it was authorized — explicitly, traceably, and within defined operational boundaries. An autonomous system that acts without traceable authorization is not ungoverned in a minor technical sense. It is ungoverned in the sense that no institution, insurer, or regulator can assign responsibility for what occurred.

Authorization presupposes a verified runtime state.

Authorization cannot be evaluated in the abstract. Before any authorization can be granted, the system must know its own operational state with confidence: the configuration in effect, the policies active, the health of its components, the operational context. A system that does not know its runtime state cannot authorize reliably — it can only respond to inputs and hope that the response is permissible.

Decisions without provenance are not auditable.

A decision whose origin, context, policy, and authorization chain cannot be fully reconstructed is not governanceable. It may have been correct. It cannot be proven to have been correct. The difference between "we believe this decision was authorized" and "we can demonstrate this decision was authorized" is the difference between assertion and governance. In regulated environments — and autonomous mobility will be regulated — only the latter is sufficient.

Non-auditable decisions are non-governanceable.

A system that cannot reconstruct the complete origin of its decisions cannot be governed, regulated, or insured. It cannot meet the evidentiary standards that incident investigations, regulatory inquiries, and civil proceedings will require. Governance without provenance is compliance theater: it satisfies the form of accountability while lacking the substance.

Derived conclusion

Runtime governance is not a feature that can be added to an autonomous system after it is designed. It is the structural precondition that determines whether autonomous operation is permissible at all.

3. Runtime Governance Lifecycle

The governance of an autonomous decision is not a single event. It is a causal chain of verifications, each of which depends on the one before it. The chain has a defined beginning, a defined sequence, and a governing invariant that applies throughout.

FAIL CLOSED — governs throughout

If any stage cannot be verified → operation stops

01

Operational Eligibility

Is this operation in scope for governance?

02

Runtime Truth

What is the verified operational state?

03

Runtime Authorization

Is this operation permitted within that state?

04

Decision Provenance

What is the complete origin of this decision?

05

Operational Accountability

Who is responsible, and what is the evidence?

06

Human Override

Under what conditions does human authority supersede?

Each stage is a precondition for the next. A system that implements Operational Accountability without Decision Provenance has documentation, not governance. A system that implements Runtime Authorization without Runtime Truth has access control, not authorization. The chain is only valid when it is complete.

Fail Closed is the governing invariant. It applies at every stage. When any element of the chain cannot be verified, the chain does not advance. Operation does not proceed. There is no permissive fallback and no degraded governance mode. The absence of verifiable governance is not an acceptable operational state.

This invariant is not a safety mechanism in the physical engineering sense. It is a governance mechanism: the principled refusal to operate when governance cannot be established.

4. The Six Canonical Principles

Operational Eligibility

Before governance can be applied, it must be determined that governance applies. Operational Eligibility is the pre-condition check that asks whether a given operation falls within the defined scope of the governance chain. This distinction matters. Not all operations require the same governance depth. Operational Eligibility defines the boundary: operations within scope enter the chain; operations outside scope are not authorized by the governance layer at all. An eligibility failure is different from an authorization denial — it precedes the chain rather than occurring within it.

Runtime Truth

Runtime Truth is the verified, current state of the operational environment at the moment a decision is requested. It is not historical data. It is not a cached state. It is the operational reality of the system at the instant of evaluation. Operational environments change continuously. Policies are updated, components degrade, configurations drift. A governance system that authorizes based on a state that no longer reflects operational reality is not governing — it is operating on assumptions. Runtime Truth is the foundation on which all subsequent governance rests. If it cannot be established, the chain stops.

Runtime Authorization

Given a verified runtime state, Runtime Authorization determines whether a specific operation is permissible within it. This is not a static permission check against a role table. It is a real-time evaluation of the intersection between who is requesting, what they are requesting, the policy in effect, and the operational context in which the request occurs. Runtime Authorization is dynamic by design. The same request from the same actor may be authorized at one moment and denied at another — because the operational context has changed, the policy has been updated, or the system state has shifted. The output of Runtime Authorization is not merely a yes or a no. It is a structured authorization record — the first entry in the decision's provenance chain.

Decision Provenance

Decision Provenance is the complete, reconstructable origin chain of an operational decision. It answers not only what was decided but why the decision was permissible: which policy was active, which runtime state was verified, which version of the system was executing, which actor requested the action, and whether any overrides or exceptions were in effect. This is the concept that distinguishes governance from logging. An event log records what happened. Decision Provenance records why it was authorized to happen — the full causal chain from operational state through authorization to execution. Decision Provenance must be captured at the moment of decision. Retrospective reconstruction of provenance is not provenance — it is inference.

Operational Accountability

Operational Accountability is the capacity to assign responsibility for an operational decision to a defined actor, policy, or system — supported by Decision Provenance as the evidentiary foundation. Accountability without provenance is an assertion: "we believe the authorized party was responsible." Accountability with provenance is a demonstrated fact: "here is the complete authorization chain showing that this actor, under this policy, in this operational context, authorized this decision." Operational Accountability is assigned at the moment of decision — not after an incident. By the time an incident occurs, the accountability structure must already be in place.

Human Override

Autonomous operation does not eliminate human authority. It redefines how human authority is exercised. Human Override is the governed mechanism by which a human operator supersedes an autonomous decision or suspends autonomous operation. The critical word is governed. A Human Override that occurs outside the governance chain — that is not authorized, not bounded by policy, and not captured in the provenance record — is not a governed override. It is an uncontrolled intervention. In a governance-complete system, Human Override is itself a governed event. The human actor who initiates an override assumes Operational Accountability for that override. The override generates its own Decision Provenance record. Governance follows the decision wherever it goes — including when a human takes it.

5. Decision Provenance — The Central Concept

Decision Provenance is the integrating concept of runtime governance. Every other principle in the chain exists, in part, to make Decision Provenance possible and meaningful.

  • Runtime Truth provides the operational context that the provenance record must reference.
  • Runtime Authorization provides the authorization event that the provenance record must capture.
  • Operational Accountability is only defensible because Decision Provenance provides the evidentiary foundation.
  • Human Override is only governed because it generates its own provenance record.

Without Decision Provenance, the governance chain produces authorization events that cannot be reconstructed. With Decision Provenance, every authorized decision carries its complete origin — permanently, immutably, and in a form that supports regulatory inquiry, insurance underwriting, and incident reconstruction without relying on human recollection.

A complete provenance record captures: the decision identifier, the timestamp, the actor identity and type, the action authorized, the outcome, the runtime state at the moment of evaluation, the authorization record, the policy and policy version in effect, the system version executing the decision, and whether any overrides were active.

Evidentiary Specification — Provenance Record

✓Decision Identifier
✓Timestamp
✓Actor Identity & Type
✓Action Authorized
✓Outcome
✓Runtime State
✓Authorization Record
✓Policy & Version
✓System Version
✓Active Overrides

This is not a logging specification. It is an evidentiary specification. Logs are written for operational monitoring; provenance records are written for governance accountability.

6. Operational Accountability in Practice

The practical implications of Operational Accountability are most visible in three contexts: regulatory compliance, insurance, and incident investigation.

Regulatory compliance

Regulators governing autonomous mobility do not merely ask whether a system can perform safely. They ask who is responsible when it does not. Operational Accountability, supported by Decision Provenance, provides the answer: here is the actor, the policy, the authorization, and the operational context. The regulatory question is answerable because the governance structure was in place before the question was asked.

Insurance

Insurance underwriters require the ability to assess risk and assign liability. A system that cannot demonstrate its authorization chain for individual decisions cannot be underwritten with confidence. A system with complete Decision Provenance can show, for any decision, the complete chain of authorization — enabling actuarial assessment of policy compliance, operational discipline, and exception patterns.

Incident investigation

When an incident occurs, the question that matters is not "what happened" but "why was this decision authorized." A provenance-complete system can answer this question without inference, reconstruction from memory, or reliance on incomplete logs. The complete authorization chain is on record, immutable, and queryable.

These are not hypothetical future requirements. They are the present requirements of industries that are moving toward autonomous operation — and they are precisely the requirements that existing autonomous systems are least equipped to meet.

7. Implications for Autonomous Mobility

The governance gap identified in this paper is not a future problem. It is a present constraint on the pace at which autonomous mobility can scale beyond controlled environments and early-adopter deployments.

The implicit assumption in many autonomous mobility deployments is that governance can be added later — that the first priority is demonstrating capability, and that governance infrastructure can follow once the technology is mature. This assumption is incorrect, for a structural reason: governance cannot be retrofitted into a decision path that was not designed to accommodate it.

A system that was designed to make decisions without provenance capture cannot be upgraded to produce complete provenance records without architectural change. A system that was designed with static access control cannot be upgraded to support Runtime Authorization without architectural change. Governance is not a feature — it is a structural property of the system, and it must be designed in from the beginning.

The second implication is scale. As autonomous mobility scales — more vehicles, more operators, more jurisdictions, more regulatory frameworks — the governance requirements will intensify, not diminish. The governance infrastructure must be designed for the scale at which accountability will be demanded, not the scale at which the system is first deployed.

The third implication concerns the nature of the regulatory environment that is emerging. Early autonomous mobility deployments operated in relatively unregulated environments. That is changing. Regulators in major jurisdictions are developing frameworks that will require demonstrable governance — authorization, accountability, and provenance — as conditions for operational licensing. Organizations that have not built this infrastructure will face it as a retrofit requirement at the worst possible moment.

8. Why Runtime Governance Precedes Autonomy

Autonomous operation without runtime governance is not ungoverned operation at reduced risk — it is ungoverned operation at increased scale.

The more capable an autonomous system becomes, the more consequential its decisions are, and the greater the demand for demonstrable authorization, provenance, and accountability. Capability amplifies the governance requirement rather than diminishing it. A fully manual system that makes an unauthorized decision has one unauthorized decision. An autonomous system that makes unauthorized decisions makes them continuously, at scale, faster than any human oversight process can catch.

This is the fundamental argument for why runtime governance must precede autonomy, not follow it. Governance is not the regulatory overhead imposed on a mature technology. It is the precondition for that technology being trusted to operate at scale.

The question facing organizations deploying autonomous mobility systems is not whether they will eventually need governance infrastructure. They will. The question is whether they build it before they need it — when architecture choices are still open and the cost of governance integration is manageable — or after they need it, when incidents, regulatory requirements, or insurance conditions force the issue at the worst possible time.

Runtime governance is not the destination of autonomous mobility. It is what makes the destination reachable.

9. Conclusion

Autonomous mobility is ready to move beyond proving capability. The next challenge is proving trustworthiness — and trustworthiness, in the context of systems that act without continuous human direction, is a governance question.

The Runtime Governance Layer is the architectural response to that question. It is the layer that verifies operational state before authorization, authorizes decisions in real time against that verified state, captures the complete origin chain of every decision, and assigns accountability to defined actors and policies before any incident occurs.

This layer does not exist in most autonomous mobility deployments today. Its absence is not a temporary gap that will be filled as the technology matures. It is a structural deficit that grows more consequential as autonomy scales.

Organizations building autonomous mobility infrastructure have a choice about when to address this deficit. The argument of this paper is that the optimal time is before deployment — when governance can be designed into the architecture — rather than after deployment, when it must be retrofitted into a system that was not built to accommodate it.

AIX ALEPH

AIX ALEPH is a concrete implementation of the Runtime Governance Layer described in this paper. It implements Operational Eligibility, Runtime Truth, Runtime Authorization, Decision Provenance, Operational Accountability, Human Override, and Fail Closed as operational capabilities — derived from the Runtime Governance Model and designed to operate as the governance foundation of autonomous mobility systems.

The goal is not to add governance to autonomous mobility. It is to make autonomous mobility governanceable by design.

Appendix: Key Terms

All terms used in this paper are canonical as defined in AIX ALEPH Terminology v1.1. The definitions below are reference summaries.

TermSummary
Autonomous OperationsThe domain of system operations that proceed without continuous human initiation, requiring governance by design
Runtime GovernanceThe continuous, real-time governance of operational decisions through verified state, authorization, and provenance
Runtime Governance LayerThe architectural component implementing the Runtime Governance Model
Operational EligibilityThe pre-condition determination of whether an operation may enter the governance chain
Runtime TruthThe verified, current operational state at the moment of evaluation
Runtime AuthorizationThe real-time determination of whether an operation is permissible within the verified runtime state
Decision ProvenanceThe complete, reconstructable origin chain of an operational decision
Provenance RecordA single, immutable record capturing the governance context of one authorization decision
Operational AccountabilityThe capacity to assign responsibility for an operational decision, supported by Decision Provenance
Human OverrideThe governed mechanism by which a human operator supersedes an autonomous decision
Fail ClosedThe governing invariant: when any governance element cannot be verified, operation does not proceed

Nächster Schritt

Das produktive Governance-System sehen

Das in diesem Whitepaper beschriebene Runtime Governance Layer ist in AIX ALEPH operational implementiert. Keine Folien. Keine Verkaufspräsentation. Sie sehen das produktive Governance-Modell im Einsatz.

Live-System erlebenGovernance-Modell ansehen

Runtime Governance Model v1.0 · Terminology v1.1 · AIX ALEPH Governance Authority · 2026-06-29

Derivation: RGM → Terminology → Derivation Hierarchy → dieses Dokument

AIX ALEPH

Runtime Governance Layer für Mobilität – Operational Eligibility, Runtime Authorization, Decision Provenance und Operational Accountability.

Fail-Closed by Design

Fail-closed Architektur, auditierbare Prozesse und enterprise-taugliche Schutzmechanismen.

Compliance-fähig

Entwickelt für regulierte Betreiberumfelder mit Fokus auf Nachvollziehbarkeit und Governance.

Auditierbar

Klare Systemzustände, kontrollierte Datenflüsse und belastbare Dokumentationsfähigkeit.

Neue Mobilität

Orchestrierung für emissionsärmere, verschwendungsfreie und operativ beherrschbare Flotten.

Plattform
ImpactPortal-LoginBeratung anfragenWhitepaperRegulatory SignalsManifestAboutInvestor Relations
Recht & Vertrauen
ImpressumDatenschutzCookiesNutzungsbedingungen
© 2026 AIX ALEPHBetreiber: Ahzami Automotive UGRuntime Governance LayerISO 27001-orientiertPrüfungsorientierter StackMade in Germany
Leitstand statt Dashboard · Security, Audit und tenant-fähige Kontrolle
Release: 4.2.0