DecisionGraph Core
Core Concept

Causal Reachability Model (CRM)

A Proposal for Secure and Responsible Systems in the Age of AI

1. Overview

Modern systems rely on rules.

We define policies, write guidelines, and instruct agents—human or artificial—on what they should or should not do. Yet, these rules are routinely violated, misunderstood, or bypassed.

  • Access control systems grant broad permissions that are difficult to constrain dynamically
  • RAG systems retrieve sensitive data before access checks are enforced
  • AI agents can be manipulated through prompt injection and adversarial inputs
  • Compliance frameworks depend on interpretation rather than enforcement

Across domains, the pattern is the same:

Rules exist, but they can be broken.

2. The Shift

Security should not rely on rules.
It should rely on reachability.

Instead of asking whether an action is allowed, CRM asks whether there exists a valid path to the action.

If no such path exists, the action is not merely forbidden—it is impossible.

3. Core Model

G = (V, E, Φ)

R(s, τ) = { t ∈ V | s ⇝ t is valid at commit τ }

Here, V represents immutable decision nodes, E directed causal edges, and Φ semantic relations. τ denotes a commit, a point in the graph's history: nodes are never edited or deleted, only added and later superseded, so reachability is always evaluated against a specific commit and the answer for a past commit does not change when new nodes are added.

A state t is reachable from s at commit τ if and only if there exists a causal path s ⇝ t through nodes and edges that exist at τ, where every constraint along the path is satisfied.

  • Systems are represented as graphs of states and transitions
  • Actions are reachable only through valid causal paths
  • Each transition is constrained by explicit conditions
  • Permissions are derived from structure, not assigned as static flags

No path means no capability.

4. From Permission to Path

Traditional Model
User → hasPermission → Action

CRM Model
Actor
 → Role
 → Context
 → Constraints
 → Approval
 → Action

Access is no longer a boolean decision. It becomes the result of a validated causal chain.

5. Key Principle

CRM does not control behavior.
It defines the space of reachable actions.

6. Why This Matters

6.1 AI Safety by Construction

AI systems do not need to perfectly interpret rules.

They may generate any intention internally, but:

They cannot execute actions without a valid path.

Prompt injection becomes insufficient, because persuasion cannot create structure: an injected instruction can change what the agent wants, not which edges exist. This holds only as long as the graph and the reachability check sit outside the agent's reach. An agent that can add nodes or edges, or that has a side channel to effects not mediated by the execution layer, is back to relying on rules, so the graph, the reachability engine and the execution layer are the trusted computing base of the design.

6.2 Security as Topology

Security becomes a property of system structure.

  • No edge → no transition
  • No path → no execution

This removes the class of failures in which an agent or user is persuaded, tricked or simply mistaken into an action the structure does not support. It does not remove bugs in the reachability engine or mistakes in how the graph is authored; those become the place where security is decided, and the place to concentrate review and verification.

6.3 Compliance as Reachability

Compliance shifts from:

Did anyone violate the rules?

to:

Is violation even reachable?

This enables:

  • Deterministic audits
  • Formal verification
  • Continuous validation

6.4 Explainability Through Causality

Every action is traceable through its path:

  • Why was it allowed?
  • Which constraints were satisfied?
  • What enabled the transition?

Explanation is not reconstructed—it is inherent.

7. Architecture

AI / Agent Layer
  → proposes actions

Reachability Layer (Graph)
  → validates possible paths

Execution Layer
  → executes only reachable actions

Agents are free to think.

They are not free to act beyond the graph.

Active(V) = {
  v ∈ V |
  ¬∃ v' ∈ V : v' supersedes v
}

Only active nodes participate in valid traversal: a node is active when no other node supersedes it. Superseded nodes remain immutable but are structurally shadowed; they still count for reachability at commits before the superseding node was added.
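The definitions in sections 3, 4 and 7 fit in a few dozen lines. The following is an added example written for this page, not DecisionGraph Core's own code: every name in it (Graph, Node, Edge, reachable, execute, the actor "alice" and the actions) is an assumption chosen for illustration. It builds the Actor → Role → Context → Constraints → Approval → Action chain from section 4 as a commit-stamped graph, computes R(s, τ) as a search over active nodes whose edge constraints hold for the given context, and lets the execution layer run only what is reachable. The demo shows a valid path with its explanation trace, a self-approval that fails a constraint, an injected intent that targets a node with no edges into it, and a superseded action node that stays reachable at the old commit but is shadowed at the new one.

```python
"""Minimal reachability engine for the CRM definitions above (added example, not project code)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Context = Dict[str, object]
Constraint = Callable[[Context], bool]


def always(ctx: Context) -> bool:
    return True


@dataclass(frozen=True)
class Node:
    """Immutable decision node (element of V), stamped with the commit that created it."""
    name: str
    commit: int
    supersedes: Optional[str] = None  # name of an earlier node this one shadows


@dataclass(frozen=True)
class Edge:
    """Directed causal edge (element of E) guarded by a constraint over the context."""
    src: str
    dst: str
    commit: int
    constraint: Constraint = always
    label: str = "unconditional"


class Graph:
    """G = (V, E, Phi) kept as an append-only commit log; nothing is edited or deleted."""

    def __init__(self) -> None:
        self.nodes: Dict[str, Node] = {}
        self.edges: List[Edge] = []
        self.commit = 0

    def add_node(self, name: str, supersedes: Optional[str] = None) -> int:
        self.commit += 1
        self.nodes[name] = Node(name, self.commit, supersedes)
        return self.commit

    def add_edge(self, src: str, dst: str, constraint: Constraint = always,
                 label: str = "unconditional") -> int:
        self.commit += 1
        self.edges.append(Edge(src, dst, self.commit, constraint, label))
        return self.commit

    def active(self, tau: int) -> FrozenSet[str]:
        """Active(V) at commit tau: nodes committed by tau that no node committed by tau supersedes."""
        visible = [n for n in self.nodes.values() if n.commit <= tau]
        shadowed = {n.supersedes for n in visible if n.supersedes}
        return frozenset(n.name for n in visible if n.name not in shadowed)

    def reachable(self, start: str, ctx: Context, tau: int) -> Dict[str, List[Edge]]:
        """R(start, tau): each t with a valid path start ~> t, mapped to the path that witnessed it.

        A path is valid only if every node on it is active at tau and every edge on it
        was committed by tau and has its constraint satisfied by ctx.
        """
        active = self.active(tau)
        if start not in active:
            return {}
        paths: Dict[str, List[Edge]] = {start: []}
        frontier = [start]
        while frontier:
            cur = frontier.pop(0)
            for e in self.edges:
                if e.src != cur or e.commit > tau or e.dst not in active or e.dst in paths:
                    continue
                if not e.constraint(ctx):
                    continue  # the edge exists but its condition fails: not traversable now
                paths[e.dst] = paths[cur] + [e]
                frontier.append(e.dst)
        return paths


def execute(graph: Graph, actor: str, action: str, ctx: Context, tau: int) -> Tuple[bool, List[str]]:
    """Execution layer: performs `action` only if the reachability layer finds a valid path.

    The returned trace is the explanation (section 6.4): the path itself says why the
    action was allowed and which constraints were satisfied.
    """
    paths = graph.reachable(actor, ctx, tau)
    if action not in paths:
        return False, []
    return True, [f"{e.src} -> {e.dst} [{e.label}]" for e in paths[action]]


def build_sample_graph() -> Graph:
    """Actor -> Role -> Context -> Constraints -> Approval -> Action (section 4); constructed data."""
    g = Graph()
    for n in ("alice", "analyst", "export_request", "approved", "export_report"):
        g.add_node(n)
    g.add_edge("alice", "analyst", label="actor holds role")
    g.add_edge("analyst", "export_request",
               lambda c: c.get("env") == "prod" and 9 <= int(c.get("hour", 0)) < 18,
               label="business hours in prod")
    g.add_edge("export_request", "approved",
               lambda c: c.get("approver") not in (None, c.get("actor")),
               label="second-person approval")
    g.add_edge("approved", "export_report", label="approval enables action")
    return g


def demo() -> Dict[str, object]:
    g = build_sample_graph()
    tau1 = g.commit
    ctx_ok = {"actor": "alice", "env": "prod", "hour": 11, "approver": "bob"}
    ctx_self = dict(ctx_ok, approver="alice")  # actor approving herself
    allowed, trace = execute(g, "alice", "export_report", ctx_ok, tau1)
    self_approved, _ = execute(g, "alice", "export_report", ctx_self, tau1)
    # An injected intent targets a node with no edges into it: no path, so impossible.
    injected, _ = execute(g, "alice", "delete_records", ctx_ok, tau1)
    # Supersede the action node. The old node stays in the log but is shadowed from tau2 on.
    g.add_node("export_report_v2", supersedes="export_report")
    g.add_edge("approved", "export_report_v2", label="approval enables v2 action")
    tau2 = g.commit
    old_at_tau2, _ = execute(g, "alice", "export_report", ctx_ok, tau2)
    new_at_tau2, _ = execute(g, "alice", "export_report_v2", ctx_ok, tau2)
    old_at_tau1, _ = execute(g, "alice", "export_report", ctx_ok, tau1)  # history unchanged
    return {"allowed": allowed, "trace": trace, "self_approved": self_approved,
            "injected": injected, "old_at_tau2": old_at_tau2,
            "new_at_tau2": new_at_tau2, "old_at_tau1": old_at_tau1}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design points carry the section's argument. The execution layer has no notion of "permission": it asks only whether the proposed action appears in R(actor, τ), so an agent's intent never reaches it as a boolean to be evaluated. And because commits are monotone and nodes are only ever superseded, `reachable` at an old τ returns the same answer after the graph grows, which is what makes audits of past decisions deterministic.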

8. Implementation Stack

DecisionGraph Core
  = Reachability Engine

TraceOS
  = State Transition Layer

ClaimAtom
  = Causal Justification Layer

TraceSupport
  = Path Debugging / Explanation Layer

9. Implications

  • AI agents and autonomous systems
  • Financial transactions and approval workflows
  • Healthcare data access
  • Enterprise systems
  • Multi-agent coordination
  • Knowledge and reasoning systems

Control what is reachable, not what is intended.

10. Conclusion

A secure system is not one where bad behavior is forbidden.
A secure system is one where bad behavior is unreachable.

Define what is reachable.
Everything else becomes impossible.