Patent Pending  ·  Orbital Governance Architecture

Human Authority
During Orbital Blackout

A patent-pending governance architecture for autonomous spacecraft, satellites, and orbital infrastructure — designed so human authority can survive eclipse, handoff, signal denial, and communications loss.

When Earth cannot reach the spacecraft, the mission does not pause. Collision risks, maneuver decisions, power-routing events, and safety conditions may still arise. Regulator AI Global is developing a Human Firewall architecture that lets human operators pre-authorize bounded actions before blackout, then allows onboard systems to execute only those actions when verified conditions occur.

Patent pending. Technical materials available to qualified parties under NDA.


The Operational Problem

The dangerous moment is not when the system is connected.
It is when it is alone.

Eclipse and Orbital Geometry

A spacecraft in low Earth orbit passes through eclipse multiple times each day. During those windows, ground-based line-of-sight communication is impossible. The spacecraft continues operating. Decisions may still need to be made.

Ground-Station Handoff

Ground coverage is not continuous. As spacecraft arc across the sky, they pass between stations. The handoff gap — even a brief one — creates a window where the ground cannot issue commands and cannot receive telemetry.

Cislunar and Deep-Space Distance

Signal delay from cislunar distances can exceed a second. Deep-space missions introduce minutes of one-way latency. Real-time human control becomes physically impossible. The spacecraft must act on its own judgment — unless another approach exists.

Contested and Degraded Signals

Jamming, spoofing, atmospheric conditions, and hostile electronic environments can degrade or deny communications entirely. Military and defense missions routinely operate under the assumption that communications may not be available when needed most.

Cyberattack and Link Disruption

Adversarial disruption of ground-to-space links is a recognized threat. A spacecraft that depends entirely on live ground contact for authority is a spacecraft that can be isolated from its own operators.

Why Dashboards and Policies Are Not Enough

Monitoring tools track what the spacecraft reports. Policy documents define intended behavior. Neither provides structural authority during disconnection. Post-event logging records what happened — after the fact, without the ability to have constrained it. Something must travel with the spacecraft.

The question is not whether autonomous systems can act when Earth loses contact. They can, and they will. The question is whether human authority remains structurally present when live communication is unavailable — or whether it simply disappears the moment the link drops.


The Forced Choice

Today's systems face two bad options.

Option A

Freeze

The spacecraft waits for ground contact to resume before taking any significant action, even if waiting creates its own risk.

  • Missed orbital maneuver windows
  • Uncorrected attitude or trajectory drift
  • Unresolved collision exposure
  • Mission degradation during extended blackout
  • Power or thermal safety conditions left unaddressed
Option B

Free Autonomy

The spacecraft acts based on its own onboard judgment, without live human approval and without pre-authorized constraints.

  • Maneuvers no human specifically authorized
  • Escalation beyond intended operating limits
  • Judgment calls that cannot be reviewed in advance
  • Unclear accountability for mission-critical decisions
  • No audit record of why specific actions were taken
A Third Option

Pre-authorized human authority travels with the spacecraft.

Before the blackout begins, the human operator defines exactly which actions are permitted, under exactly which conditions, within exactly which limits. That authority is locked into the spacecraft before contact is lost. During blackout, the spacecraft enforces it — nothing more.


Core Architecture

The Human Firewall

Before a blackout, the human operator does not write a general policy or configure a preference setting. The operator defines specific permitted actions: what the spacecraft may do, under what conditions, during what time windows, within what safety limits, and in what priority order. Those instructions are precise, bounded, and explicit.

Once defined, those instructions are signed and stored in a protected onboard record. The act of signing is how the operator formally approves them — comparable to signing an authorization document — and the record cannot be modified during flight. The spacecraft cannot expand its own authority. It cannot reinterpret a permission that was not granted. It can only check the record that was placed there before departure.

During blackout, the onboard system evaluates mission conditions in real time: orbital geometry, sensor readings, system health, time windows, threat indicators. When a condition occurs, the system looks for a matching authorization in the onboard record. If the match exists and the conditions are satisfied, the system may execute the approved action. If no match exists, the system must refuse, halt, or enter a pre-defined safe state. It cannot improvise.

Every decision — every evaluation, every execution, every refusal — is written into a sequential onboard audit trail. When communication with the ground is restored, that record returns to the operators. They can review exactly what conditions were detected, exactly which authority was invoked, exactly what action was taken, and exactly where the system refused. Nothing is inferred after the fact.

Human authority does not disappear during blackout. It travels with the spacecraft — defined before departure, enforced onboard, and audited after reconnection.

What the operator controls

  • Permitted actions The specific maneuvers, commands, or operational decisions the spacecraft may take during blackout.
  • Trigger conditions The exact sensor readings, time windows, proximity thresholds, or event signatures that must occur before each action is eligible to execute.
  • Priority rules When multiple conditions occur, which authorizations take precedence and in what order they are evaluated.
  • Safety limits The outer boundaries of acceptable action — attitude limits, velocity limits, power budgets, thermal thresholds — that constrain all permitted actions regardless of other conditions.
  • Refusal behavior What the spacecraft must do when no authorization matches: halt, hold position, enter safe mode, or return to a known baseline state.

The Sequence

How it works

Five phases from pre-blackout preparation to post-reconnection review. Each phase has a defined role, defined records, and a defined handoff to the next.

01

Prepare

Before loss of contact, the human operator defines and signs the complete set of permitted actions, trigger conditions, timing windows, priority rules, and safety limits for the upcoming blackout period.

02

Protect

The approved authorization set is written into a tamper-resistant onboard record before the spacecraft loses contact. Once stored, the record cannot be altered by onboard systems. It represents the boundary of permitted authority.

03

Monitor

During blackout, the spacecraft evaluates real-time conditions against the onboard record — sensor readings, orbital geometry, time windows, system health. Each evaluation is logged in the onboard audit trail.

04

Execute

When conditions match an authorized trigger, the system executes the corresponding permitted action — and only that action, within the defined limits. Actions without a matching authorization are refused. The execution and any refusals are recorded.

05

Reconcile

When communications resume, the complete audit record returns to the ground team. Operators can verify what conditions occurred, which authority was invoked, what was executed, and where the system declined to act.


Technical Foundation

A governance stack for autonomous orbital systems

The Human Firewall architecture is built on four interdependent layers. Each layer has a defined function, and each layer enforces requirements that the layers above and below it depend on.

Layer 01 Control Plane

Deterministic authorization before execution

Every onboard action must pass deterministic safety and authorization checks before it can execute. There is no shortcut path. An action that does not clear the control plane does not execute — regardless of what the sensor data shows or what a software agent recommends. This layer is the enforcement boundary closest to action.

Layer 02 Integration Boundary

Isolation between systems and agents

Interactions between the spacecraft, its autonomous agents, ground systems, and any external services are subject to boundary enforcement. An agent cannot instruct the spacecraft to take an action that requires records or approvals the agent does not possess. Communication across the boundary requires the corresponding authorization to exist in the onboard record.

Layer 03 Human Override

Pre-authorized authority that survives disconnection

This layer carries the human operator's authority in a form that persists through blackout, signal denial, degraded communications, and contested environments. The override record is prepared and signed before contact is lost, stored in protected onboard memory, and enforced by the control plane during disconnection. It is the mechanism by which human authority becomes independent of live human presence.

Layer 04 Audit Trail

Sequential, append-only record of every decision

Every evaluation, every execution, and every refusal is written to a sequential onboard record. The record is append-only — entries cannot be removed or altered after they are written. When communication returns, the complete record transfers to the ground team. Accountability does not depend on memory, inference, or reconstruction. It depends on the record that was written at the moment each decision occurred.


Operational Relevance

Where this architecture applies

Satellite Collision Avoidance

Close approaches, conjunction events, and debris encounters do not wait for ground contact. Pre-approved maneuver envelopes — defined by human operators before eclipse or ground-station handoff — allow the spacecraft to execute a bounded avoidance response without waiting for live authorization that may not arrive in time. The operator defines the envelope. The spacecraft stays within it.

Cislunar and Deep-Space Operations

Signal delay from cislunar distances makes real-time control physically impossible. Missions beyond geosynchronous orbit require authority that can survive distance, intermittent contact windows, and multi-minute communication lag. The Human Firewall architecture allows operators to prepare and pre-authorize decision logic before each contact gap, rather than relying on real-time instruction that the physics of distance makes unavailable.

Defense and Contested Communications

Military and defense missions routinely operate in environments designed to deny, degrade, or deceive communications links. A spacecraft that requires live ground contact for authority is vulnerable the moment that link is disrupted. The Human Firewall allows defense operators to pre-authorize operating limits that hold even under jamming, spoofing, or hostile signal environments — so the mission continues within human-defined parameters regardless of adversarial interference.

Orbital Energy and Infrastructure

Orbital power-routing systems, wireless energy transfer platforms, and autonomous infrastructure nodes require governance during periods when ground oversight is unavailable. High-voltage switching decisions, beam-pointing events, and thermal management actions may occur during eclipse or signal gaps. The Human Firewall provides a framework for preparing explicit authority before those gaps — so power routing and infrastructure decisions remain traceable to specific human approvals, not to onboard judgment made without oversight.


The Distinction

Why this is different from existing approaches

Existing approaches to autonomous spacecraft governance address connected operations. The Human Firewall addresses the gap — the interval when the connection is absent.

Conventional Approaches

  • Policy documents define intended behavior but do not enforce it onboard
  • Dashboards monitor telemetry that may not arrive during blackout
  • Human oversight assumes continuous or near-continuous contact
  • Post-event logs record what happened, not what was authorized in advance
  • Autonomy rules govern behavior in general without specifying what authority is present at a given moment
  • When contact is lost, the governance framework effectively pauses with it

Human Firewall Architecture

  • Authority is prepared and signed before the blackout begins, not after
  • Execution is limited to pre-approved conditions — no onboard improvisation
  • Verification is performed onboard, not at a ground station that may be unreachable
  • Refusal is structurally enforced when no matching authorization exists
  • Audit trail is written at execution time, not reconstructed later from telemetry
  • Governance remains active during disconnection — it travels with the spacecraft

This is not "trust the autonomy and review afterward." It is "define the authority before departure, enforce it onboard during the gap, and prove afterward exactly what occurred and under whose authorization it occurred."


Program Status

From thesis to technical program

The architecture described here is not a concept paper. It is an active technical and legal development program with a growing patent portfolio, working demonstrations, and published reference materials.

39
Provisional patent filings across the core architectural portfolio, spanning governance, control, override, boundary, and audit functions.
4
Non-provisional applications fully drafted (NP1–NP4), with 3 additional non-provisionals planned. The portfolio covers the unified control plane, integration boundary, human authority override, and runtime telemetry integrity architectures.
6
Embodiment families spanning M&A integration, financial systems, aerospace and defense, infrastructure, healthcare, and industrial robotics.
36
Specific deployment embodiments documented across operational domains, demonstrating breadth of application for the core governance architecture.
39
Interactive reference implementations, one per patent in the portfolio, illustrating each architecture's governance logic — including pre-authorization, condition matching, and audit trail generation.
NDA
Technical materials, architecture documentation, and non-provisional applications are available to qualified parties under NDA. All requests are reviewed and vetted directly by the founder.

Published Reference

The Human Firewall White Paper

A plain-language introduction to the architecture for preserving human authority in autonomous systems during blackout, cyberattack, and communications loss. Selected passages below.

On the problem
"Today's systems have only two options in a blackout: do nothing and risk failure, or act autonomously and risk catastrophe. There is no third option. Until now."
On the core principle
"This is not logging. Logging records what happened after the fact. Commit-before-execution makes commitment to the record the precondition for action itself. The audit ledger is not a byproduct of governance — it is the mechanism through which governance is enforced."
On the human override layer
"Human authority does not disappear during a blackout. It travels with the system, pre-committed and cryptographically bound, ready to be executed only under the exact conditions the human specified."
On non-decomposability
"You cannot remove any layer without destroying the governance guarantee. This is not a defense-in-depth stack where each layer adds marginal protection. It is a structural requirement: the absence of any layer leaves a gap that no other layer can fill."
On conventional approaches
"Current systems are like a car with a seatbelt but no brakes. They reduce the damage after a crash — but do not prevent the crash itself."
Full paper available to qualified parties

The complete white paper covers the three-layer architecture in depth, operational case studies across defense, space, and critical infrastructure, and the technical basis for commit-before-execution governance. Available under NDA upon request.

Request The Full Paper

The Company

About Regulator AI Global

Regulator AI Global, Inc. is a Delaware corporation developing governance infrastructure for high-consequence autonomous systems. Its work is focused on deterministic oversight, human authority preservation, integration boundary enforcement, audit integrity, and safe operation during degraded, disconnected, or adversarially contested conditions.

The company's core thesis is that governance for autonomous systems cannot be built as an afterthought applied to a running system. It must be designed in — as the structural layer through which all consequential decisions pass, and through which human authority remains legible and enforceable even when live human presence is unavailable.

The intellectual property program covers governance architecture across commercial M&A integration, financial systems, defense, orbital and aerospace, smart infrastructure, healthcare, and industrial robotics. The orbital Human Firewall architecture represents one application of a broader framework for pre-authorized, onboard-enforced, audited human oversight.

Technical materials, architectural documentation, and non-provisional applications are available to qualified parties under non-disclosure agreement.

Zachary Michael Akins
Founder & Chief Executive Officer
Bruce Perens
Strategic Advisor  ·  Co-founder, Open Source Initiative
Regulator AI Global, Inc.
Highland Village, TX
Delaware C-Corporation

Qualified Inquiry

Request Access

Qualified aerospace operators, defense contractors, space infrastructure companies, strategic investors, executive candidates, and technical partners may request access to additional materials — including the white paper, architecture documentation, and non-provisional applications under NDA. All inquiries are reviewed and vetted directly by the founder before any materials are shared.

All inquiries are personally vetted. Patent pending.