Papers
Topics
Authors
Recent
Search
2000 character limit reached

Probabilistic Defensibility Signal (PDS) in AI Governance

Updated 5 July 2026
  • Probabilistic Defensibility Signal (PDS) is a calibrated, rule-based measure that estimates the likelihood of a decision being policy-defensible using token-level log probabilities.
  • It complements cohort-level metrics like the Defensibility Index and Ambiguity Index by offering a real-time, per-decision assessment of reasoning stability and governance compliance.
  • PDS is computationally efficient, extracted via a single audit pass, and validated through large-scale experiments that demonstrate significant risk reduction in decision gating.

Searching arXiv for the cited papers to ground the article in current records. The Probabilistic Defensibility Signal (PDS) is a per-decision, calibrated signal for rule-governed AI systems that estimates whether a proposed decision is policy-defensible under an explicit rule hierarchy and precedent corpus by using token-level log probabilities from an audit model’s structured reasoning trace rather than agreement with historical labels (O'Herlihy et al., 22 Apr 2026). In the formulation introduced for content moderation, PDS complements the Defensibility Index (DI) and Ambiguity Index (AI) by providing a deployment-time estimate of defensibility and reasoning stability from a single audit pass. In a broader interpretive sense, the term “defensibility” inherits a normalized risk-reduction meaning from earlier probabilistic risk analysis (Bier et al., 2019), while the acronym PDS is also used in other arXiv work for a distinct precision-matrix statistic in backdoor detection (Surendrababu et al., 6 May 2025).

1. Rule-grounded correctness and the role of PDS

PDS arises in a framework that rejects label agreement as the primary criterion for evaluation in rule-governed settings. The governing claim is that correctness is policy-grounded, not label-grounded: a decision is correct if it is defensible under the rule hierarchy R=(RG,RC)R = (R_G, R_C) and precedent corpus PP, not if it matches historical human labels. Within this framework, a decision yy on content CC is assigned one of three defensibility levels: L1 – Robustly Defensible, where an explicit rule directly and unambiguously authorizes yy; L2 – Plausibly Defensible, where the rules are genuinely ambiguous but reasonably support yy; and L3 – Indefensible, where no rule authorizes yy, or reasoning misapplies rules or introduces extra-policy concepts (O'Herlihy et al., 22 Apr 2026).

The framework defines two cohort-level summaries. The Defensibility Index is the fraction of decisions assigned to L1L1 or L2L2: DI={i:level(i){L1,L2}}N.\mathrm{DI} = \frac{|\{i : \mathrm{level}(i)\in\{L_1,L_2\}\}|}{N}. The Ambiguity Index is the fraction of decisions for which an inverse check judges the opposite decision also defensible: PP0

PDS addresses a different problem. DI and AI summarize a cohort after an audit pass, but they do not directly provide a per-instance estimate of how stable a decision’s defensibility is under repeated sampling, whether instability reflects stochastic decoding or structural policy ambiguity, or whether a single decision is suitable for automation. PDS is introduced precisely for that operational gap: it is a calibrated, per-decision probabilistic signal intended to estimate how likely a decision is policy-defensible and how stable that reasoning is, without extra audit passes.

The central failure mode motivating this construction is the Agreement Trap. In rule-governed environments, multiple decisions may be logically consistent with the governing policy; agreement metrics then penalize valid decisions and collapse ambiguity into apparent error. PDS is therefore not a replacement for DI and AI, but a continuous, deployment-time complement that turns rule-grounded audit traces into an uncertainty signal aligned with governance rather than historical labeling conventions.

2. Formal construction from audit-model log probabilities

The PDS formulation assumes two models. A content model PP1 proposes a decision PP2, and an audit model PP3 evaluates whether that decision is derivable from PP4. The audit model emits a structured trace

PP5

where PP6 is policy_citation, PP7 is precedent_weight, PP8 is inverse_check, and PP9 is defensibility_level. Prompt ordering enforces the factorization

yy0

Three logprob-derived quantities define the signal (O'Herlihy et al., 22 Apr 2026).

Component Definition Function
yy1 yy2 Label log-confidence
yy3, yy4 Token/span entropy over citation or precedent token Rule/precedent uncertainty
yy5 yy6 Inverse-check log-odds

The first component, label log-confidence yy7, is evaluated at the defensibility_level position. Let

yy8

then

yy9

This is the log-probability of the MAP defensibility level, not necessarily the sampled label token.

The second component measures uncertainty in rule and precedent selection. Citation entropy averages token-level Shannon entropy across the policy_citation span: CC0 with

CC1

where CC2 is approximated as the top-20 next-token candidates, renormalized. The paper also defines a simpler proxy at the precedent_weight token,

CC3

The third component, inverse-check log-odds CC4, is computed at the inverse_check position using the prefix

CC5

It is defined as

CC6

A large positive CC7 means the model regards the opposite action as likely also defensible, which is a direct signal of case-level ambiguity.

These components are assembled into the PDS vector

CC8

with signs chosen so that larger values indicate greater defensibility and stability. A scalar form is then defined by

CC9

In the formal calibration, yy0, and the parameters are fit by maximum likelihood on the binary target

yy1

using logistic cross-entropy loss. After calibration, yy2 is interpreted as approximating the probability that a decision is defensible, meaning yy3 or yy4.

The reported calibrated weights are yy5, yy6, and yy7, which yields the practical approximation

yy8

The near-zero weight on entropy reflects the paper’s binary target: entropy primarily distinguishes yy9 from yy0, while both are counted as defensible.

3. Audit trace, computation pipeline, and stability semantics

PDS is extracted from a single forward pass of the audit model. The audit prompt is structured so that the model first produces a logic_chain, then commits to a policy_citation, then assigns precedent_weight, then answers the inverse_check, and only afterward emits the final defensibility_level (O'Herlihy et al., 22 Apr 2026). This sequencing matters because the final defensibility label is conditioned on an explicit rule citation and a counterfactual check on the opposite decision.

The computation procedure is operationally simple. For each decision yy1 produced by yy2, the audit model yy3 receives yy4 and returns JSON. The system requests top-yy5 log probabilities, with top-20 used in the experiments, at the tokens needed for entropy and log-odds calculations. Character-offset parsing identifies the policy_citation span, which is then mapped to tokens for yy6; the precedent_weight token is used for yy7; the inverse_check token yields yy8; and the defensibility_level token yields yy9. The scalar yy0 is then computed with the calibrated weights.

Several implementation details are part of the definition rather than incidental engineering. Main audits for DI, AI, and PDS calibration use temperature yy1. Stability and variance experiments use yy2. PDS extraction success is reported as greater than 96% even at yy3, citation-span detection is reported as 100% across datasets, and the average citation span is approximately 25 tokens. Because the required logprobs are returned by the audit call itself, PDS adds no extra forward passes and is described as having “zero additional cost” relative to the audit.

Repeated sampling is used only to validate what PDS measures, not to define it. For contested cases, the paper draws yy4 independent samples from the audit model under fixed prompts and varying temperatures. For each replicate yy5, the same scalar yy6 is computed, and per-case variability is summarized as

yy7

This repeated-sampling procedure is a diagnostic study of reasoning stability. The deployment-time PDS remains a single-pass signal.

A key interpretive point follows from this construction. PDS is not merely a softmax confidence on the final label. It is anchored to reasoning-critical positions that correspond to rule citation, precedent strength, counterfactual defensibility of the opposite decision, and final level assignment. The signal is therefore structurally tied to the audit trace’s governance content.

4. Empirical behavior, calibration, and decision gating

The empirical setting is large-scale Reddit moderation. The framework is validated on more than 193,000 moderation decisions across multiple communities and evaluation cohorts, and the reported aggregate findings show a 33–46.6 percentage-point gap between agreement-based metrics and policy-grounded metrics, with 79.8–80.6% of the model’s false negatives corresponding to policy-grounded decisions rather than true errors (O'Herlihy et al., 22 Apr 2026). These results are the paper’s clearest evidence for the Agreement Trap: agreement-based evaluation misclassifies a large fraction of defensible disagreements as failures.

The paper also studies how rule specificity changes ambiguity. Auditing 37,286 identical decisions under three tiers of the same community rules reduces AI by 10.8 percentage points while DI remains stable. This establishes that ambiguity is materially affected by the granularity of the governing rules, not merely by model noise.

PDS calibration is reported as reasonably good. On the Balanced Sample calibration set, expected calibration error is approximately 0.076. On the Random Sample held-out set, expected calibration error falls in the range 0.042–0.057 across yy8. Mean yy9 is approximately 0.90 for defensible cases and approximately 0.71 for indefensible cases, yielding roughly 0.19–0.20 separation. By defensibility level, the distribution of L1L10 is highest and tightly concentrated near 1 for L1L11, intermediate and broader for L1L12, and lower for L1L13.

The paper further reports that in a 100-case L1L14 1000-replicate analysis, the single-pass component L1L15 has the strongest correlation with reasoning instability, with L1L16, while L1L17 is a weak predictor under the binary L1L18 versus L1L19 target. In disagreement cases between model and human labels, L2L20 is lower than in agreement cases; the reported reduction is about 7%, and inverse-check log-odds are approximately 63% higher.

Repeated-sampling experiments are used to distinguish governance ambiguity from decoding noise. Two case groups are constructed, “Stable” and “Flippers,” and the ratio of their mean L2L21 values remains around 1.5–1.6, nearly flat across temperatures L2L22. Citation-entropy rank correlation across temperatures remains high, down to 0.878 at L2L23, and aggregate DI is almost invariant across temperatures, remaining around 71–73%. These findings are presented as evidence that PDS variance is driven primarily by governance ambiguity rather than stochastic decoding noise.

The operational culmination of the framework is the Governance Gate. Community-level gating requires thresholds such as L2L24, L2L25, and a minimum of 25 decisions. Within eligible communities, PDS can be used as a second-stage decision-level gate, with L2L26 identified as a useful “knee” point for balancing coverage and stability. Under the paper’s standard configuration, community coverage is 77.4%, decision-weighted coverage is 78.6%, fleet-level DI for the automated portion is 97.2%, and the indefensible rate in the automated portion falls from 5.66% baseline to 2.76%, corresponding to 64.9% risk reduction. PDS is therefore not only a descriptive uncertainty signal but also a gating variable for selective automation.

5. Defensibility as a probabilistic concept and the acronym’s broader uses

The probabilistic meaning of “defensibility” predates the rule-governed AI formulation. In critical-systems risk analysis, defensibility is defined as a dimensionless, normalized improvement in residual system value under defense: L2L27 where L2L28 is attack effort, L2L29 is defense effort, DI={i:level(i){L1,L2}}N.\mathrm{DI} = \frac{|\{i : \mathrm{level}(i)\in\{L_1,L_2\}\}|}{N}.0 is residual value after attack and defense, and DI={i:level(i){L1,L2}}N.\mathrm{DI} = \frac{|\{i : \mathrm{level}(i)\in\{L_1,L_2\}\}|}{N}.1 is nominal pre-attack value (Bier et al., 2019). When attacks or disruptions are stochastic, DI={i:level(i){L1,L2}}N.\mathrm{DI} = \frac{|\{i : \mathrm{level}(i)\in\{L_1,L_2\}\}|}{N}.2 is interpreted as an expectation, so defensibility becomes a normalized expected risk-reduction measure. This earlier formalism treats defensibility as the fraction of total system value regained or protected by incremental defense.

A plausible conceptual implication is that the modern PDS in rule-governed AI preserves the action-oriented meaning of defensibility while moving from system-level asset protection to decision-level governance. In the earlier formulation, defensibility asks how much expected loss can be reduced by defense. In the newer formulation, PDS asks how likely a proposed decision is to remain defensible under explicit rules and how stable that judgment is under the audit model. The shared vocabulary is therefore substantive rather than accidental, even though the mathematical objects differ.

The acronym PDS is not unique across the literature. In the backdoor-detection paper “A Chaos Driven Metric for Backdoor Attack Detection,” PDS stands for Precision Matrix Dependency Score, defined for a cluster or class as

DI={i:level(i){L1,L2}}N.\mathrm{DI} = \frac{|\{i : \mathrm{level}(i)\in\{L_1,L_2\}\}|}{N}.3

where DI={i:level(i){L1,L2}}N.\mathrm{DI} = \frac{|\{i : \mathrm{level}(i)\in\{L_1,L_2\}\}|}{N}.4 is the precision matrix of Neurochaos features (Surendrababu et al., 6 May 2025). There, large diagonal precision entries correspond to low conditional variances, and high PDS indicates an atypically “locked-in” feature distribution associated with poisoned subsets. The paper explicitly notes that this probabilistic interpretation makes the measure suitable as a broader “probabilistic defensibility signal.” That usage, however, remains distinct from the logprob-based governance signal of rule-governed AI. The shared phrase “probabilistic defensibility signal” therefore denotes a family resemblance at the level of interpretation—probabilistic evidence about vulnerability, anomaly, or policy stability—rather than a single standardized metric.

This terminological overlap matters because it prevents an overly narrow reading of PDS. In one line of work, PDS is a calibrated scalar derived from reasoning-trace logprobs and tied to rule-grounded validity; in another, it is a trace of a precision matrix over chaos-transformed features and tied to poisoning structure. The common denominator is the use of probabilistic structure to expose whether a system state or decision is defensible, stable, or anomalous.

6. Limitations, common misconceptions, and prospective adaptations

A common misconception is to treat PDS as an ordinary model-confidence score. The paper explicitly rejects that reading. PDS is not computed from the content model’s class posterior, and it is not a generic confidence estimate detached from policy. It is derived from log probabilities at reasoning-critical positions in a structured audit trace—rule citation, precedent weighting, inverse check, and final defensibility level—and calibrated to predict rule-grounded defensibility rather than agreement with historical labels (O'Herlihy et al., 22 Apr 2026).

A second misconception is that PDS resolves ambiguity by itself. The framework instead makes ambiguity measurable. DI records whether a decision is defensible, AI records whether the opposite decision is also defensible, and PDS estimates the probability and stability of defensibility for a single case. High AI or a large positive DI={i:level(i){L1,L2}}N.\mathrm{DI} = \frac{|\{i : \mathrm{level}(i)\in\{L_1,L_2\}\}|}{N}.5 does not necessarily denote error; it often denotes normative underspecification in the governing rules. This is precisely why the paper positions PDS as an instrument for escaping the Agreement Trap rather than for restoring agreement-based evaluation.

The paper is explicit about several limitations. PDS is a property of the audit model DI={i:level(i){L1,L2}}N.\mathrm{DI} = \frac{|\{i : \mathrm{level}(i)\in\{L_1,L_2\}\}|}{N}.6, so a different audit model requires separate calibration. Under the Same-Backbone Condition, where DI={i:level(i){L1,L2}}N.\mathrm{DI} = \frac{|\{i : \mathrm{level}(i)\in\{L_1,L_2\}\}|}{N}.7 and DI={i:level(i){L1,L2}}N.\mathrm{DI} = \frac{|\{i : \mathrm{level}(i)\in\{L_1,L_2\}\}|}{N}.8 share architecture, PDS may conflate governance ambiguity with model prior, although calibration mitigates this. The binary calibration target collapses DI={i:level(i){L1,L2}}N.\mathrm{DI} = \frac{|\{i : \mathrm{level}(i)\in\{L_1,L_2\}\}|}{N}.9 and PP00, which is why entropy receives almost zero weight; the authors note that a multi-class calibration separating robust from ambiguous defensibility would likely make entropy more important. Human validation uses only 30 cases, albeit with 121 raters. Approximately 30% of “hallucinated grounding” adversarial cases escape both PDS and lexical grounding checks, indicating that some failures require semantic grounding verification rather than better calibration alone. The signal is also sensitive to prompt design and rule encoding, although the paper treats that sensitivity as diagnostically useful because poor rule text should manifest as higher AI and more unstable PDS.

The methodology is presented as generic to rule-governed domains beyond moderation. The paper specifically identifies legal reasoning and contracts, financial compliance and underwriting, healthcare authorization, and hiring or HR policy compliance as candidate applications. In each case the required ingredients remain the same: an explicit rule set PP01, a precedent corpus PP02, a structured audit prompt enforcing rule citation and inverse checking, and calibration of logprob-derived features to approximate PP03. This suggests that the PDS framework is best understood not as a moderation-specific artifact but as a general mechanism for converting structured rule-audit traces into deployment-time governance signals.

In that sense, Probabilistic Defensibility Signal denotes a shift in evaluation doctrine. Agreement with legacy labels becomes secondary to the question of whether a decision is logically derivable from explicit rules and whether that derivation is stable. PDS operationalizes that shift at the level of individual decisions, while DI and AI retain the cohort-level view. Together they define an evaluation regime in which uncertainty is interpreted as a property of governance structure and policy ambiguity, not merely of model stochasticity.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Probabilistic Defensibility Signal (PDS).