
Earned Autonomy: A Governance Framework for Autonomous Network Defence

NullRabbit Research

Autonomous mitigations already act at machine speed - but we still have no legitimate framework for granting them authority over novel threats.

Today, operators either accept vendor-asserted accuracy without environment-specific evidence, or they keep humans in approval chains that complete after the attack does. For known threats with signatures, this works. For zero-days, behavioural anomalies, and abuse patterns outside existing playbooks, the asymmetry is structural: machines attack at machine speed, humans approve at human speed.

Earned autonomy proposes that authority should follow from demonstrated competence, not claimed capability. IBSR (Inline Block Simulation Report) is the mechanism: it observes live traffic at kernel level, learns behavioural baselines, and produces counterfactual records of what it would have blocked - without enforcing outcomes. Humans review the record. Authority is granted per abuse class, only when thresholds are met, and revoked automatically if performance degrades. The system earns trust by showing its work.
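The grant-and-revoke loop described above, sketched as an added example; it is not code from the paper or from IBSR. The thresholds, the window size, the `Record` fields, the `AutonomyLedger` class and the abuse class names are all assumptions made for illustration, and the records are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed policy values: the post does not state the paper's thresholds.
MIN_REVIEWED = 5         # reviewed records required before a class can be granted
GRANT_PRECISION = 0.95   # reviewer agreement needed to earn authority
REVOKE_PRECISION = 0.80  # agreement below this withdraws authority automatically
WINDOW = 20              # most recent reviewed records kept per abuse class

@dataclass(frozen=True)
class Record:
    """Counterfactual record: a would-have-blocked decision plus the human verdict."""
    abuse_class: str
    flow: str
    reviewer_agrees: bool

class AutonomyLedger:
    def __init__(self):
        self._verdicts = defaultdict(lambda: deque(maxlen=WINDOW))
        self._granted = set()

    def precision(self, abuse_class):
        w = self._verdicts[abuse_class]
        return sum(w) / len(w) if w else 0.0

    def review(self, record):
        """Store a reviewed record; revoke that class if agreement has degraded."""
        self._verdicts[record.abuse_class].append(record.reviewer_agrees)
        if self.precision(record.abuse_class) < REVOKE_PRECISION:
            self._granted.discard(record.abuse_class)

    def grant(self, abuse_class):
        """Human-initiated grant; refused unless the evidence thresholds are met."""
        enough = len(self._verdicts[abuse_class]) >= MIN_REVIEWED
        if enough and self.precision(abuse_class) >= GRANT_PRECISION:
            self._granted.add(abuse_class)
        return abuse_class in self._granted

    def may_enforce(self, abuse_class):
        return abuse_class in self._granted

def demo():
    """Replay constructed records (not real traffic) through the ledger."""
    ledger = AutonomyLedger()
    for i in range(5):
        ledger.review(Record("syn_flood", f"198.51.100.{i}:443", True))
    for ok in (True, True, True, True, False):
        ledger.review(Record("credential_stuffing", "203.0.113.7:22", ok))
    results = [ledger.grant("syn_flood"), ledger.grant("credential_stuffing")]
    for _ in range(2):  # two reviewer disagreements: 5/7 agreement, below 0.80
        ledger.review(Record("syn_flood", "198.51.100.9:443", False))
    return results + [ledger.may_enforce("syn_flood")]
```

Authority here is scoped to one abuse class at a time: a degraded class loses enforcement without affecting any other class, and a class with too little or too weak evidence cannot be granted at all.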

I'm publishing this to find out whether this gap is already solved at scale, or whether teams are still navigating between vendor trust and operational paralysis. The paper covers the latency threshold, failure modes (including adversarial drift and baseline poisoning), and a worked vignette on detecting Heartbleed before disclosure.

If you're running autonomous defence at scale and have strong opinions on this - I'd value a correction more than agreement.

Full paper -> SSRN | arXiv coming soon
