Trust Ladder and the Identity Matrix
1. Why a Ladder, Not a Score
ATOMx does not produce a probabilistic trust score. It resolves a deterministic level on an ordered ladder. Each level is reached by satisfying a fixed combination of identity inputs across three independent axes; the same inputs always produce the same level.
The ladder serves two purposes. The first is operational — an authority watch-floor user must read the airspace at a glance, and a five-color signal does that. The second is strategic — the existence of intermediate levels (orange, yellow) gives partially-cooperative operators a visible upgrade path off legacy systems. Removing them would collapse the migration story.
“Orange and yellow provide incentive to migrate off legacy systems like LAANC and move toward more blue and green aircraft.” — John Vernon, Apr 14, 2026
2. The Three Identity Axes
Three independent ordinals feed the ladder. Each axis is evaluated independently; the level is resolved from the combination.
| Axis | States (low → high) |
|---|---|
| Flight Intent | Unknown → Known (Operational Intent only) → Verified (Flight Authorization) |
| Pilot Identity | Unknown → Declared (Remote ID Operator field) → Weakly Verified (FTN) → Strongly Verified (login.gov / PIV / CAC) |
| Drone Identity | Unknown → Declared (Remote ID) → Weakly Verified (Software-anchored) → Strongly Verified (Hardware-anchored / TPM) |
Each axis has its own provenance and its own failure modes. They are addressed in dedicated pages:
- Pilot identity provenance and non-repudiation: Pilot Identity
- Aircraft identity provenance and hardware anchoring: Aircraft Hardware Identity
- Flight authorization binding: Authorization Package
3. The Five Trust Levels
| Level | Color | Meaning |
|---|---|---|
| L1 Detected | 🔴 red | One or more counter-UAS sensors are reporting plots or a track. No declared identity. |
| L2 Declared | 🟠 orange | Pilot or aircraft identity is self-reported (typically via Remote ID broadcast). No verification. |
| L3 Correlated | 🟡 yellow | Multiple sources agree on the aircraft. Operational intent has been filed but is not authority-endorsed. |
| L4 Verified | 🔵 blue | Software-anchored aircraft identity, authority-endorsed flight authorization, verified pilot identity. |
| L5 Verified+ | 🟢 green | Hardware-anchored aircraft identity (TPM / secure element), authority-endorsed flight authorization, strongly verified pilot identity. Strong non-repudiation. |
Some internal artifacts use purple for L5 and green for L4. The current product convention (locked Apr 8, 2026) is blue = software-verified, green = hardware-verified. See Origins and Decisions §3.6.
4. How a Level Resolves
The level is not the average or minimum of the three axes. Each level requires a specific combination:
| Level | Resolution Rule |
|---|---|
| 🔴 L1 Detected | Sensor track only. No declared identity on any axis. |
| 🟠 L2 Declared | At least one axis is self-reported via Remote ID. No filed flight intent. |
| 🟡 L3 Correlated | Multiple sources agree, OR flight intent has been filed (Known or Verified) but at least one axis is below the verification threshold required for L4. |
| 🔵 L4 Verified | Authority-endorsed flight authorization AND software-anchored drone identity AND verified pilot identity. |
| 🟢 L5 Verified+ | Authority-endorsed flight authorization AND hardware-anchored drone identity AND strongly-verified pilot identity. Strong non-repudiation. |
Color is determined by the level — never by the axis values. L4 is always 🔵 blue; L5 is always 🟢 green. If you see them swapped in the matrix, that is a bug.
4.1 The Flight × Pilot × Drone Matrix
| Flight Intent | Pilot Identity | Drone: Unknown | Drone: Declared (Remote ID) | Drone: SW-Anchored | Drone: HW-Anchored |
|---|---|---|---|---|---|
| Unknown | Unknown | 🔴 L1 | 🟠 L2 | — | — |
| Unknown | Declared (Remote ID) | 🟠 L2 | 🟠 L2 | — | — |
| Known (Operational Intent) | Unknown | 🟠 L2 | 🟡 L3 | — | — |
| Known (Operational Intent) | Declared (Remote ID) | 🟡 L3 | 🟡 L3 | — | — |
| Verified (Flight Authorization) | Weakly Verified (FTN) | 🟡 L3 † | 🟡 L3 † | 🟡 L3 ‡ | 🔵 L4 * |
| Verified (Flight Authorization) | Strongly Verified (login.gov / PIV / CAC) | 🟡 L3 † | 🟡 L3 † | 🔵 L4 | 🟢 L5 |
Footnotes
* HW-anchored drone with Weakly-Verified (FTN-only) pilot caps at L4 — L5 requires a Strongly-Verified pilot for non-repudiation. See Pilot Identity §4.
† Drone identity caps the level. L4 requires software-anchored drone identity; without it, even a verified flight authorization and a strongly-verified pilot resolve to L3.
‡ Pilot identity caps the level. L4 requires verified pilot identity; FTN-only is Weakly Verified, which holds the level at L3 until paired with login.gov-grade proofing.
— Empty cells indicate combinations that are not realistic in practice — e.g., a drone with SW or HW cryptographic identity broadcasting in flight without any filed flight intent. Such cases are treated as anomalies if observed.
5. What Degrades a Level
A level is not permanent for the duration of a flight. Inputs that once satisfied a tier may be revoked, fail validation mid-flight, or become time-degraded. The full set of degradation triggers is in Threat Model; the headline cases:
| Trigger | Effect on level |
|---|---|
| Pilot credential expires or is revoked mid-flight | Pilot axis drops to its next-lower state; level recomputes |
| TPM attestation freshness expires (no recent re-quote) | Drone axis may drop from Strongly Verified to Weakly Verified |
| Time-anchor stale or GNSS-spoofing flagged | Aircraft enters “time-degraded” state; verifiers downgrade confidence |
| Authorization rescinded by external event (TFR, jurisdiction change) | Flight-intent axis drops from Verified to Known |
| Telemetry mismatch / corroboration failure | Level retained; security alert raised separately |
Accessibility note. The five-color signal is paired with the L1–L5 numeric label and the named state (“Detected”, “Declared”, etc.) in every operator surface, so colorblind users do not depend on hue alone.
6. Conformance Is an Independent Overlay
Trust level and conformance are separate state machines. A green aircraft that briefly clips its approved-operation boundary stays green and pulses a red conformance overlay. The trust level does not flicker. This is the signal-to-noise property described in Trust Model §4.
Conformance only applies at L3 and above. L1 and L2 cannot be “non-conformant” because they have no operational intent to deviate from. See Origins and Decisions §3.9.
7. Demo Scenarios
The five canonical verification scenarios — locked Apr 3, 2026 and demonstrated Apr 14 — exercise the full ladder. They are documented in Origins and Decisions §5.
Implementation Readiness — Open Questions
Each entry below identifies a decision not yet locked. Items marked (ADR) should be formalized as an Architecture Decision Record before implementation begins. Items marked (blocking) must be resolved before the relevant feature can be built.
| # | Question | Owner | ADR? | Blocking? |
|---|---|---|---|---|
| 1 | What is the canonical input schema (TrustInputs) and output shape (TrustState event) the resolver consumes and emits, including version field, level, axis states, degraded flags, and timestamp? Needed so producers (RID ingest, auth service, attestation service) and consumers (map UI, watch-floor, telemetry decorator) share a contract. | Architecture | Yes — ADR: Trust State Event Schema and Resolver Contract | Yes |
| 2 | Where does the resolver run? Origins §3.7 says frontend, but is there also a backend mirror for authority/audit/replay? Defines whether the algorithm is duplicated, shared via WASM, or split (client = display, server = authoritative). | Architecture / Backend | Yes — ADR: Trust Resolver Placement (Client vs. Server vs. Both) | Yes |
| 3 | Quantitative thresholds for degradation: how stale is “stale” for TPM re-quote freshness, GNSS time-anchor, and pilot credential refresh? The Section 5 triggers are qualitative. | Security / Platform | Yes — ADR: Trust Degradation Thresholds and Freshness Windows | Yes |
| 4 | Conflict-precedence and tie-breaking when multiple sources disagree on the same axis (e.g., Remote ID claims drone-A, sensor track correlates drone-B). Section 4 says “multiple sources agree” for L3 but does not define the agreement function. | Backend / Sensor Fusion | Yes — ADR: Multi-Source Correlation and Conflict Resolution for Identity Axes | Yes |
| 5 | Transition hysteresis and dwell time. Can a level flap L5↔L4↔L5 on every TPM re-quote cycle, or is there debounce / minimum dwell? Affects operator UX and event volume. | Product / Frontend | Yes — ADR: Trust Level Transition Hysteresis | No |
| 6 | Accessibility implementation specifics: contrast ratios for the five hues against light/dark map basemaps, shape/pattern fallback for monochrome printouts, and screen-reader announcements when a level changes. | Frontend / Design | No (design spec) | No |
| 7 | Telemetry-frame decoration shape: does each emitted telemetry frame carry the full TrustState, a level-only field, or a delta-on-change? Impacts bandwidth on the disconnected-ops path and the watch-floor subscription model. | Backend / Platform | Yes — ADR: Telemetry Frame Trust Decoration | Yes |
| 8 | Empty-cell handling. Section 4.1 calls SW/HW-anchored drones with no flight intent “anomalies” — what is the runtime behavior? Suppress, render as L2 with a flag, or raise a security alert into the Trust Model’s third dimension? | Security / Product | Yes — ADR: Handling Anomalous Identity-Axis Combinations | No |
| 9 | Authority-endorsement source of truth for “Verified” flight intent. Which issuer signatures count (USS-issued LAANC, ATC-issued FAUSS, jurisdictional UTM), and how is the signature chain validated at the edge during disconnected operation? Cross-cuts PKI and Chains of Trust and Authorization Package. | Security | Yes — ADR: Accepted Authorization Issuers and Edge Validation | Yes |
| 10 | Regulatory mapping: does our L1–L5 ladder need a published crosswalk to ASTM F3411 Remote ID, FAA UTM trust tiers, and DOD/CISA C-UAS classifications for federal customers? Without it, government buyers cannot map our levels to their procurement language. | Product / Compliance | No (whitepaper / crosswalk doc) | No |