Atomic Decision Boundaries: A Structural Requirement for Guaranteeing Execution-Time Admissibility in Autonomous Systems

Abstract: Autonomous systems increasingly execute actions that directly modify shared state, creating an urgent need for precise control over which transitions are permitted to occur. Existing governance mechanisms evaluate policies prior to execution or reconstruct behavior post hoc, but do not enforce admissibility at the exact moment a state transition is committed. We introduce the atomic decision boundary, a structural property of admission control systems in which the decision and the resulting state transition are jointly determined as a single indivisible step in the labeled transition system (LTS) model of execution. We distinguish two classes: atomic systems, where evaluation and transition are coupled within a single LTS step, and split evaluation systems, where they are separate transitions interleaved by environmental actions. The separation introduces an architectural gap -- the decision is evaluated in one system state; the transition fires in a potentially different one -- that no policy, regardless of sophistication, can close from within a split architecture. Under realistic concurrent environments, we prove via a constructive counterexample trace that no construction can make a split system equivalent to an atomic system with respect to admissibility. Three corollaries follow: impossibility of execution-time guarantees in split systems, insufficiency of external state enrichment, and admissibility as an execution-time rather than evaluation-time property. We further formalize the Escalate outcome -- absent from classical TOCTOU analyses -- proving that it transfers rather than eliminates the atomicity requirement: resolution is safe if and only if it is itself atomic. We classify RBAC, ABAC, OPA, Cedar, and AWS IAM as split systems and ACP as atomic, providing a structural taxonomy of existing governance mechanisms. Admissibility is a property of execution, not evaluation.

• The paper establishes that atomic decision boundaries are necessary to guarantee execution-time admissibility by combining policy evaluation and state transition atomically.
• It rigorously demonstrates that split architectures are vulnerable to race conditions due to interleaved environmental actions between decision and execution.
• The analysis provides a theoretical framework mapping common governance mechanisms to atomic versus split architectures, guiding the design of more secure autonomous systems.

Atomic Decision Boundaries for Execution-Time Admissibility in Autonomous Systems

Overview

This essay presents a formal synthesis and analysis of the concept of atomic decision boundaries as articulated in "Atomic Decision Boundaries: A Structural Requirement for Guaranteeing Execution-Time Admissibility in Autonomous Systems" (2604.17511). The work rigorously distinguishes between architectures where admissibility decisions are coupled atomically with state transition and those in which policy evaluation and execution are structurally, temporally, or physically split. The results constitute a definitive theoretical foundation for runtime admissibility guarantees in autonomous agent systems, particularly under adversarial, concurrent, and multi-agent environments.

Formal Model and Definitions

Execution is modeled as a labeled transition system (LTS), with a state space $S$, agent and environment action partitions, and transition relation. Admissibility is defined as a predicate $Adm(s, a)$ over state-action pairs at execution time.

A key structural distinction is established:

• Atomic Systems: Admit a function $F : S \times A \to D \times S$ combining decision and state transition in a single, indivisible LTS arc. No interleaving—such as environment actions—can occur between the point of decision and state transition.
• Split Systems: The admissibility decision $D(s, a)$ and transition $T(s, a)$ are realized as separate LTS steps, permitting arbitrary environment interleaving.

The decision domain is ternary ($\{Allow, Refuse, Escalate\}$), supporting suspensions pending supervisor review, which extends classical binary TOCTOU models.

Impossibility of Execution-Time Guarantees in Split Architectures

A principal theoretical contribution of the paper is a constructive proof that no split evaluation system can guarantee execution-time admissibility under adversarial concurrency. Under minimal and realistic assumptions—namely, that environment actions are uncontrollable and can be interleaved arbitrarily—the following strong non-equivalence result is established (Theorem 1):

• For any split system, there exists an execution trace in which an action admissible at evaluation time becomes inadmissible before execution, yet the (recorded) decision $Allow$ enables the inadmissible transition.
• No policy expressiveness, state enrichment, or additional re-evaluation can eliminate this gap unless the system’s architecture is structurally changed to induce atomicity.

This result is not a property of domain-specific policies, but rather a necessary architectural criterion for any admissibility enforcement demanding strong runtime guarantees. Augmenting split systems with richer state signals, caching, or even re-checks moves but does not close the atomicity gap.

Escalation Semantics and Closure

The model explicitly formalizes an Escalate outcome, which generalizes admissibility mechanisms to support supervisor or higher-level review and decision (e.g., manual intervention, committee, or recursive governance invocation). Importantly, the atomicity requirement is shown to propagate: a non-atomic resolution of an escalation is isomorphic to a split evaluation and permits the same class of race conditions. The closure property asserts that each escalation (and its resolution) must also satisfy atomic boundary criteria recursively to maintain global admissibility guarantees.

Structural Taxonomy of Governance Mechanisms

The architecture-level taxonomy maps prevalent governance mechanisms, such as RBAC, ABAC, OPA, AWS IAM, Kubernetes Admission webhooks, and Cedar, into the atomic vs. split dichotomy. Existing mainstream policy engines (e.g., RBAC [sandhu96], OPA [opa], Cedar [cedar]) are shown to be structurally split: permission checks and enforcement are not indivisible. ACP (Agent Control Protocol) (Fernandez, 19 Mar 2026) exemplifies an atomic enforcement mechanism, employing cryptographic execution tokens that bind admissibility decision and action in a single, uninterruptible ledger state transition.

Partially atomic systems are also identified, such as in Kubernetes’ admission webhooks, which enforce atomicity at the single-resource but not cross-resource level—exposing multi-resource admission predicates to the split-system vulnerability.

Relationships to Transactional and Verification Models

The atomic decision boundary generalizes beyond simple data-level atomicity. Standard transactional primitives (2PC, MVCC) or linearizability (cf. [herlihy90]) guarantee that database writes are atomic but do not couple policy evaluation and execution. Systems that run a policy check outside the transactional context remain vulnerable; atomicity must subsume both evaluation and transition relative to the same state snapshot.

The framework directly interfaces with formal verification: it identifies the system-structural origin of failures that can (and will) be discovered by exhaustive model checking of split architectures under concurrency.

Implications and Future Directions

The atomic decision boundary theorem provides a base structural invariant for agent governance stacks. It implies that for deployment environments demanding strict runtime guarantees against inadmissible operations—particularly in decentralized, distributed, or adversarial settings—architectural enforcement of atomicity is non-optional.

This result anchors an entire series of agent governance papers, mapping the role of enforcement, escalation, allocation, irreducibility, and runtime validity. From a practical perspective, it sets a hard boundary on what can be achieved with conventional split policy engines and motivates new protocol and infrastructure mechanisms (as exemplified by ACP) for stateful, atomic agent execution.

On a theoretical axis, it extends and refines the reference monitor concept, showing that complete mediation must be realized not only in access but in transition via architectural atomicity.

Looking forward, the area is primed for investigation into mechanisms to realize atomic boundaries efficiently (e.g., in distributed ledgers, trusted execution environments, or high-performance OS kernels), protocol-level composition of atomic and split mechanisms, and formal connections to liveness and behavioral safety layers above pure enforcement.

Conclusion

Atomic decision boundaries are a necessary and sufficient structural condition for runtime admissibility preservation in autonomous and concurrent execution environments. The results fundamentally separate what can be achieved by policy expressiveness, state enrichment, or supervision from what requires architectural atomicity. This formalization guides both the design of next-generation agent governance systems and the theoretical limits of enforcement under concurrency. The subsequent papers in the Agent Governance Series elaborate the instantiation, composition, and runtime consequences of systems that satisfy this foundational property (2604.17511).