The Authorization Artifact Test: Applying the Impossibility Result to Ex-Ante Regulatory Regimes
Аннотация
This regulatory application note operationalizes the impossibility result established in On the Impossibility of Observability-Based Authorization (Meyman, 2026; DOI 10.5281/zenodo.19647542) for ex-ante regulatory regimes. It introduces the Authorization Artifact Test, a two-prong, regime-neutral instrument for determining whether a candidate governance architecture can, in principle, satisfy an ex-ante authorization requirement. The test asks whether the architecture emits a verdict before execution and whether that verdict can be independently reconstructed without access to the governed system. If either condition fails, the architecture cannot satisfy an ex-ante authorization requirement, regardless of latency, automation, sophistication, or vendor description. The note maps the test to the EU AI Act (Article 14), the General Data Protection Regulation (Article 22), the HIPAA Security Rule technical safeguards (45 C.F.R. § 164.312), DFARS 252.204-7012, and the NIST AI Risk Management Framework's GOVERN function. It provides a structural reading of each regime and derives the consequences of the impossibility result for architectures commonly described as guardrails, monitoring systems, observability platforms, and human-in-the-loop review of system outputs. These architectures are shown to be incapable, as a matter of structural class, of producing the authorization artifact required by ex-ante regimes. The contribution is classificatory rather than prescriptive. The note does not introduce new doctrine or prescribe implementation. It supplies an operational instrument for applying the formal result in regulatory hearings, conformity assessments, audits, supervisory reviews, and standards-body work. The result establishes a categorical distinction between architectures that produce pre-execution, independently verifiable authorization artifacts and those that do not, and identifies enforcement architectures as the only class capable of satisfying this requirement. Intended audience: regulators, regulatory counsel, standards-body participants, and conformity-assessment bodies. This note is part of the FERZ research program on deterministic AI governance. The full corpus is available at https://zenodo.org/communities/ferz/.