Probabilistic Defensibility Signal (PDS) in AI Governance
- Probabilistic Defensibility Signal (PDS) is a calibrated, rule-based measure that estimates the likelihood of a decision being policy-defensible using token-level log probabilities.
- It complements cohort-level metrics like the Defensibility Index and Ambiguity Index by offering a real-time, per-decision assessment of reasoning stability and governance compliance.
- PDS is computationally efficient, extracted via a single audit pass, and validated through large-scale experiments that demonstrate significant risk reduction in decision gating.
Searching arXiv for the cited papers to ground the article in current records. The Probabilistic Defensibility Signal (PDS) is a per-decision, calibrated signal for rule-governed AI systems that estimates whether a proposed decision is policy-defensible under an explicit rule hierarchy and precedent corpus by using token-level log probabilities from an audit model’s structured reasoning trace rather than agreement with historical labels (O'Herlihy et al., 22 Apr 2026). In the formulation introduced for content moderation, PDS complements the Defensibility Index (DI) and Ambiguity Index (AI) by providing a deployment-time estimate of defensibility and reasoning stability from a single audit pass. In a broader interpretive sense, the term “defensibility” inherits a normalized risk-reduction meaning from earlier probabilistic risk analysis (Bier et al., 2019), while the acronym PDS is also used in other arXiv work for a distinct precision-matrix statistic in backdoor detection (Surendrababu et al., 6 May 2025).
1. Rule-grounded correctness and the role of PDS
PDS arises in a framework that rejects label agreement as the primary criterion for evaluation in rule-governed settings. The governing claim is that correctness is policy-grounded, not label-grounded: a decision is correct if it is defensible under the rule hierarchy and precedent corpus , not if it matches historical human labels. Within this framework, a decision on content is assigned one of three defensibility levels: L1 – Robustly Defensible, where an explicit rule directly and unambiguously authorizes ; L2 – Plausibly Defensible, where the rules are genuinely ambiguous but reasonably support ; and L3 – Indefensible, where no rule authorizes , or reasoning misapplies rules or introduces extra-policy concepts (O'Herlihy et al., 22 Apr 2026).
The framework defines two cohort-level summaries. The Defensibility Index is the fraction of decisions assigned to or : The Ambiguity Index is the fraction of decisions for which an inverse check judges the opposite decision also defensible: 0
PDS addresses a different problem. DI and AI summarize a cohort after an audit pass, but they do not directly provide a per-instance estimate of how stable a decision’s defensibility is under repeated sampling, whether instability reflects stochastic decoding or structural policy ambiguity, or whether a single decision is suitable for automation. PDS is introduced precisely for that operational gap: it is a calibrated, per-decision probabilistic signal intended to estimate how likely a decision is policy-defensible and how stable that reasoning is, without extra audit passes.
The central failure mode motivating this construction is the Agreement Trap. In rule-governed environments, multiple decisions may be logically consistent with the governing policy; agreement metrics then penalize valid decisions and collapse ambiguity into apparent error. PDS is therefore not a replacement for DI and AI, but a continuous, deployment-time complement that turns rule-grounded audit traces into an uncertainty signal aligned with governance rather than historical labeling conventions.
2. Formal construction from audit-model log probabilities
The PDS formulation assumes two models. A content model 1 proposes a decision 2, and an audit model 3 evaluates whether that decision is derivable from 4. The audit model emits a structured trace
5
where 6 is policy_citation, 7 is precedent_weight, 8 is inverse_check, and 9 is defensibility_level. Prompt ordering enforces the factorization
0
Three logprob-derived quantities define the signal (O'Herlihy et al., 22 Apr 2026).
| Component | Definition | Function |
|---|---|---|
| 1 | 2 | Label log-confidence |
| 3, 4 | Token/span entropy over citation or precedent token | Rule/precedent uncertainty |
| 5 | 6 | Inverse-check log-odds |
The first component, label log-confidence 7, is evaluated at the defensibility_level position. Let
8
then
9
This is the log-probability of the MAP defensibility level, not necessarily the sampled label token.
The second component measures uncertainty in rule and precedent selection. Citation entropy averages token-level Shannon entropy across the policy_citation span: 0
with
1
where 2 is approximated as the top-20 next-token candidates, renormalized. The paper also defines a simpler proxy at the precedent_weight token,
3
The third component, inverse-check log-odds 4, is computed at the inverse_check position using the prefix
5
It is defined as
6
A large positive 7 means the model regards the opposite action as likely also defensible, which is a direct signal of case-level ambiguity.
These components are assembled into the PDS vector
8
with signs chosen so that larger values indicate greater defensibility and stability. A scalar form is then defined by
9
In the formal calibration, 0, and the parameters are fit by maximum likelihood on the binary target
1
using logistic cross-entropy loss. After calibration, 2 is interpreted as approximating the probability that a decision is defensible, meaning 3 or 4.
The reported calibrated weights are 5, 6, and 7, which yields the practical approximation
8
The near-zero weight on entropy reflects the paper’s binary target: entropy primarily distinguishes 9 from 0, while both are counted as defensible.
3. Audit trace, computation pipeline, and stability semantics
PDS is extracted from a single forward pass of the audit model. The audit prompt is structured so that the model first produces a logic_chain, then commits to a policy_citation, then assigns precedent_weight, then answers the inverse_check, and only afterward emits the final defensibility_level (O'Herlihy et al., 22 Apr 2026). This sequencing matters because the final defensibility label is conditioned on an explicit rule citation and a counterfactual check on the opposite decision.
The computation procedure is operationally simple. For each decision 1 produced by 2, the audit model 3 receives 4 and returns JSON. The system requests top-5 log probabilities, with top-20 used in the experiments, at the tokens needed for entropy and log-odds calculations. Character-offset parsing identifies the policy_citation span, which is then mapped to tokens for 6; the precedent_weight token is used for 7; the inverse_check token yields 8; and the defensibility_level token yields 9. The scalar 0 is then computed with the calibrated weights.
Several implementation details are part of the definition rather than incidental engineering. Main audits for DI, AI, and PDS calibration use temperature 1. Stability and variance experiments use 2. PDS extraction success is reported as greater than 96% even at 3, citation-span detection is reported as 100% across datasets, and the average citation span is approximately 25 tokens. Because the required logprobs are returned by the audit call itself, PDS adds no extra forward passes and is described as having “zero additional cost” relative to the audit.
Repeated sampling is used only to validate what PDS measures, not to define it. For contested cases, the paper draws 4 independent samples from the audit model under fixed prompts and varying temperatures. For each replicate 5, the same scalar 6 is computed, and per-case variability is summarized as
7
This repeated-sampling procedure is a diagnostic study of reasoning stability. The deployment-time PDS remains a single-pass signal.
A key interpretive point follows from this construction. PDS is not merely a softmax confidence on the final label. It is anchored to reasoning-critical positions that correspond to rule citation, precedent strength, counterfactual defensibility of the opposite decision, and final level assignment. The signal is therefore structurally tied to the audit trace’s governance content.
4. Empirical behavior, calibration, and decision gating
The empirical setting is large-scale Reddit moderation. The framework is validated on more than 193,000 moderation decisions across multiple communities and evaluation cohorts, and the reported aggregate findings show a 33–46.6 percentage-point gap between agreement-based metrics and policy-grounded metrics, with 79.8–80.6% of the model’s false negatives corresponding to policy-grounded decisions rather than true errors (O'Herlihy et al., 22 Apr 2026). These results are the paper’s clearest evidence for the Agreement Trap: agreement-based evaluation misclassifies a large fraction of defensible disagreements as failures.
The paper also studies how rule specificity changes ambiguity. Auditing 37,286 identical decisions under three tiers of the same community rules reduces AI by 10.8 percentage points while DI remains stable. This establishes that ambiguity is materially affected by the granularity of the governing rules, not merely by model noise.
PDS calibration is reported as reasonably good. On the Balanced Sample calibration set, expected calibration error is approximately 0.076. On the Random Sample held-out set, expected calibration error falls in the range 0.042–0.057 across 8. Mean 9 is approximately 0.90 for defensible cases and approximately 0.71 for indefensible cases, yielding roughly 0.19–0.20 separation. By defensibility level, the distribution of 0 is highest and tightly concentrated near 1 for 1, intermediate and broader for 2, and lower for 3.
The paper further reports that in a 100-case 4 1000-replicate analysis, the single-pass component 5 has the strongest correlation with reasoning instability, with 6, while 7 is a weak predictor under the binary 8 versus 9 target. In disagreement cases between model and human labels, 0 is lower than in agreement cases; the reported reduction is about 7%, and inverse-check log-odds are approximately 63% higher.
Repeated-sampling experiments are used to distinguish governance ambiguity from decoding noise. Two case groups are constructed, “Stable” and “Flippers,” and the ratio of their mean 1 values remains around 1.5–1.6, nearly flat across temperatures 2. Citation-entropy rank correlation across temperatures remains high, down to 0.878 at 3, and aggregate DI is almost invariant across temperatures, remaining around 71–73%. These findings are presented as evidence that PDS variance is driven primarily by governance ambiguity rather than stochastic decoding noise.
The operational culmination of the framework is the Governance Gate. Community-level gating requires thresholds such as 4, 5, and a minimum of 25 decisions. Within eligible communities, PDS can be used as a second-stage decision-level gate, with 6 identified as a useful “knee” point for balancing coverage and stability. Under the paper’s standard configuration, community coverage is 77.4%, decision-weighted coverage is 78.6%, fleet-level DI for the automated portion is 97.2%, and the indefensible rate in the automated portion falls from 5.66% baseline to 2.76%, corresponding to 64.9% risk reduction. PDS is therefore not only a descriptive uncertainty signal but also a gating variable for selective automation.
5. Defensibility as a probabilistic concept and the acronym’s broader uses
The probabilistic meaning of “defensibility” predates the rule-governed AI formulation. In critical-systems risk analysis, defensibility is defined as a dimensionless, normalized improvement in residual system value under defense: 7 where 8 is attack effort, 9 is defense effort, 0 is residual value after attack and defense, and 1 is nominal pre-attack value (Bier et al., 2019). When attacks or disruptions are stochastic, 2 is interpreted as an expectation, so defensibility becomes a normalized expected risk-reduction measure. This earlier formalism treats defensibility as the fraction of total system value regained or protected by incremental defense.
A plausible conceptual implication is that the modern PDS in rule-governed AI preserves the action-oriented meaning of defensibility while moving from system-level asset protection to decision-level governance. In the earlier formulation, defensibility asks how much expected loss can be reduced by defense. In the newer formulation, PDS asks how likely a proposed decision is to remain defensible under explicit rules and how stable that judgment is under the audit model. The shared vocabulary is therefore substantive rather than accidental, even though the mathematical objects differ.
The acronym PDS is not unique across the literature. In the backdoor-detection paper “A Chaos Driven Metric for Backdoor Attack Detection,” PDS stands for Precision Matrix Dependency Score, defined for a cluster or class as
3
where 4 is the precision matrix of Neurochaos features (Surendrababu et al., 6 May 2025). There, large diagonal precision entries correspond to low conditional variances, and high PDS indicates an atypically “locked-in” feature distribution associated with poisoned subsets. The paper explicitly notes that this probabilistic interpretation makes the measure suitable as a broader “probabilistic defensibility signal.” That usage, however, remains distinct from the logprob-based governance signal of rule-governed AI. The shared phrase “probabilistic defensibility signal” therefore denotes a family resemblance at the level of interpretation—probabilistic evidence about vulnerability, anomaly, or policy stability—rather than a single standardized metric.
This terminological overlap matters because it prevents an overly narrow reading of PDS. In one line of work, PDS is a calibrated scalar derived from reasoning-trace logprobs and tied to rule-grounded validity; in another, it is a trace of a precision matrix over chaos-transformed features and tied to poisoning structure. The common denominator is the use of probabilistic structure to expose whether a system state or decision is defensible, stable, or anomalous.
6. Limitations, common misconceptions, and prospective adaptations
A common misconception is to treat PDS as an ordinary model-confidence score. The paper explicitly rejects that reading. PDS is not computed from the content model’s class posterior, and it is not a generic confidence estimate detached from policy. It is derived from log probabilities at reasoning-critical positions in a structured audit trace—rule citation, precedent weighting, inverse check, and final defensibility level—and calibrated to predict rule-grounded defensibility rather than agreement with historical labels (O'Herlihy et al., 22 Apr 2026).
A second misconception is that PDS resolves ambiguity by itself. The framework instead makes ambiguity measurable. DI records whether a decision is defensible, AI records whether the opposite decision is also defensible, and PDS estimates the probability and stability of defensibility for a single case. High AI or a large positive 5 does not necessarily denote error; it often denotes normative underspecification in the governing rules. This is precisely why the paper positions PDS as an instrument for escaping the Agreement Trap rather than for restoring agreement-based evaluation.
The paper is explicit about several limitations. PDS is a property of the audit model 6, so a different audit model requires separate calibration. Under the Same-Backbone Condition, where 7 and 8 share architecture, PDS may conflate governance ambiguity with model prior, although calibration mitigates this. The binary calibration target collapses 9 and 00, which is why entropy receives almost zero weight; the authors note that a multi-class calibration separating robust from ambiguous defensibility would likely make entropy more important. Human validation uses only 30 cases, albeit with 121 raters. Approximately 30% of “hallucinated grounding” adversarial cases escape both PDS and lexical grounding checks, indicating that some failures require semantic grounding verification rather than better calibration alone. The signal is also sensitive to prompt design and rule encoding, although the paper treats that sensitivity as diagnostically useful because poor rule text should manifest as higher AI and more unstable PDS.
The methodology is presented as generic to rule-governed domains beyond moderation. The paper specifically identifies legal reasoning and contracts, financial compliance and underwriting, healthcare authorization, and hiring or HR policy compliance as candidate applications. In each case the required ingredients remain the same: an explicit rule set 01, a precedent corpus 02, a structured audit prompt enforcing rule citation and inverse checking, and calibration of logprob-derived features to approximate 03. This suggests that the PDS framework is best understood not as a moderation-specific artifact but as a general mechanism for converting structured rule-audit traces into deployment-time governance signals.
In that sense, Probabilistic Defensibility Signal denotes a shift in evaluation doctrine. Agreement with legacy labels becomes secondary to the question of whether a decision is logically derivable from explicit rules and whether that derivation is stable. PDS operationalizes that shift at the level of individual decisions, while DI and AI retain the cohort-level view. Together they define an evaluation regime in which uncertainty is interpreted as a property of governance structure and policy ambiguity, not merely of model stochasticity.