Mechanism Security Research

Finding vulnerabilities in institutional mechanisms.

Elias Kunnas

Institutional mechanisms cannot be globally certified. Laws, agencies, budgets, records, appeals, AI systems, indicators, and oversight bodies interfere through shared substrates: time, authority, data, legitimacy, attention, budgets, enforcement capacity, and semantic categories. Some failure classes recur often enough to detect. Whole-system certification would require a map as heavy as the territory. The useful work is narrower: compute the recurrent, name the residual, never certify the whole.


I. Local checks, global failure

Mechanism, throughout, means institutional mechanism: the rule, carrier, record, authority, feedback path, or incentive structure by which an institution claims to turn reality into action. Not cryptographic or protocol-consensus mechanism.

A welfare entitlement can pass every legal check and still fail. The statute is drafted carefully. The implementing regulation is lawful. The agency that administers it has authority, budget, and trained staff. The complaint channel exists. The court that hears appeals is impartial. Every individual mechanism passes its own audit. And the entitlement still fails to reach the people it was written to reach, because two databases disagree about residency, the medical-evidence threshold lives in guidance the appeals body does not bind to, the deadline runs while the complainant is in hospital, and the corrective channel that exists on paper has never actuated for this class of case.

Mechanisms compose. They share substrates — time, attention, legal terms, records, enforcement capacity, legitimacy, evidence, budgets, identity, appeal channels, calendars, compute, strategic affordances. Failures are hypergraph effects over those shared substrates, not pairwise events you can enumerate. Pairwise checks that each mechanism passes do not certify that the composition produces the outcome the formal artefact promises.

Whole-composition verification fails on interaction count, temporal interleavings, and semantic drift. The number of pairwise interactions across N mechanisms is O(N²); triple interactions are O(N³); temporal interleavings explode further; semantic drift across substrates is open-ended. Even where a global proof is technically computable, maintaining the proof eventually costs more than the failure it would have prevented. Whole-system certification would require a map as heavy as the territory.

Software security already works under this limit. It catalogues recurrent vulnerability classes, names residual risk, and refuses whole-system certification. Rice’s theorem rules out arbitrary non-trivial semantic verification of programs; fuzzing, static analysis, red-teaming, and defence-in-depth do the work that whole-system proof cannot. The equivalent posture for institutional mechanisms is what this work pursues.

II. The discipline that has lived with this wall

Software security gets work done without proving the absence of vulnerabilities. CWE names weakness classes. CVE names instances. ATT&CK names adversary techniques. Advisories name timelines. Linters, fuzzers, scanners, and red teams find recurrent failures. The framework that catches recurrent classes is enough; the residual is named; the whole stays uncertified.

The operating rule is short:

Compute the recurrent.
Name the residual.
Never certify the whole.

Institutional-mechanism analysis faces the same impossibility shape: composition outruns exhaustive verification. Laws and software both compose under finite-time analysis; useful work moves to recurrent classes, bounded traces, red-team posture, and named residuals. The substrates differ; the structural wall is the same.

III. Recurrent classes that already exist

Formal availability can replace empirical mechanism. Defensive layers can exhaust the system they protect. Protected names can bypass contribution accounting. The existing essays already function as vulnerability-class records: each gives specimens, detection rules, and limits.

Five existing classes already have security-shaped analogues:

Class              | Nearest security pattern | Structural carry                                           | Where analogy stops
-------------------|--------------------------|------------------------------------------------------------|----------------------------------------
Cancer Failures    | resource exhaustion      | defensive layer consumes more than it adds                 | no attacker required
Nominal Execution  | confused deputy          | form/status credited as execution path                     | substrate owner often benefits
Procedural Object  | invalid native object    | institution processes native object only                   | object is legal/social
Refusal to Compute | disabled validation      | relation exists; bound or admission refused                | refusal may be politically deliberate
Causal Talisman    | protected-name bypass    | morally-protected name bypasses contribution accounting    | substitution not necessarily adversarial

These five examples sit inside the full twelve-layer taxonomy in The Stack, with gates, cross-layer conditions, and attractors. Each class shows a composition-produced failure shape the components alone do not show. Hardening Devices shows how a failure class changes when it moves from software into administration, law, records, or budgets — mechanisms generalise across substrates, but the carriers that close them are substrate-native.

Adjacent taxonomies exist. José Pérez Ríos’s VSM-derived organisational pathologies (2012) catalogue twenty-six typed pathologies in structural, functional, and informational groups — the closest existing typed governance taxonomy. Birhane et al. (2026) catalogue twenty-seven typed regulatory-capture mechanisms for the Big-AI domain with an annotation protocol validated on one hundred articles. Both supply typed class definitions; neither builds the graph of how classes interact, compose, or recur across substrates. The missing layer is a hypergraph of cross-substrate findings — typed classes linked by shared substrates, paired with disclosure-state records — where patterns visible at graph scale are invisible at case scale.

IV. A worked specimen

In Pearson v. Callahan (2009), the United States Supreme Court allowed federal courts to skip the constitutional-merits prong of a qualified-immunity analysis. A civil-rights plaintiff suing a state official under 42 U.S.C. § 1983 needs the court to find both that the right was violated and that the right was clearly established. After Pearson, the court can grant immunity on clearly-established alone, without ever ruling on whether a right was violated.

Walk the chain a plaintiff traverses. They identify a constitutional violation. They find a lawyer willing to take a § 1983 case. The case survives a motion to dismiss. The court finds the right was clearly established at the time of the violation. Discovery completes. The judge denies summary judgment. Trial or settlement produces a remedy.

Seven independent gates. The teaching calibration in Nominal Execution sets each at 70% pass and reports the end-to-end clearance at roughly 8%. The numbers are not base rates; they make the conjunctive geometry visible. Post-Pearson, the merits prong is routinely skipped, so the “clearly established” jurisprudence freezes: courts do not develop new merits law, which means future plaintiffs find fewer “clearly established” precedents, which lowers the pass rate further. The formal claim — that § 1983 provides a corrective channel for constitutional violations by state officials — does not match the empirical mechanism. The form credits execution that the system does not deliver.
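The conjunctive geometry above, as an added model that is not part of the essay: it multiplies the seven gates at the teaching calibration of 70%, shows that in a pure product every gate is equally load-bearing, and runs a constructed toy version of the post-Pearson feedback in which the "clearly established" gate shrinks with each cohort of plaintiffs (the per-cohort decay factor is an assumption, not a figure from the text).

```python
from math import prod

# The essay's seven-gate chain for a § 1983 plaintiff, in the order the text walks it.
GATES = [
    "constitutional violation identified",
    "lawyer takes the case",
    "survives motion to dismiss",
    "right found clearly established",
    "discovery completes",
    "summary judgment denied",
    "trial or settlement produces remedy",
]
CLEARLY_ESTABLISHED = GATES.index("right found clearly established")

# Teaching calibration from the essay: every gate at 70%. Not a base rate.
TEACHING_RATES = [0.7] * len(GATES)


def end_to_end(rates):
    """Conjunctive clearance: the plaintiff must pass every gate, so the
    per-gate pass rates multiply. Gate independence is the simplifying
    assumption of the calibration, not an empirical claim."""
    return prod(rates)


def relative_loss_if_gate_drops(rates, index, new_rate):
    """Fraction of end-to-end clearance lost when one gate's pass rate falls.
    In a product this depends only on new/old, so no gate is 'the weak link'
    by position: squeezing any one of them costs the same share of outcomes."""
    adjusted = list(rates)
    adjusted[index] = new_rate
    return 1.0 - end_to_end(adjusted) / end_to_end(rates)


def gates_until_below(rate, threshold):
    """Number of gates at a uniform pass rate before clearance falls under threshold."""
    n, cleared = 0, 1.0
    while cleared >= threshold:
        n += 1
        cleared *= rate
    return n


def frozen_precedent_trajectory(rates, decay_per_cohort, cohorts):
    """Constructed toy dynamic for the post-Pearson freeze (decay_per_cohort is an
    assumption): courts that skip the merits prong make no new merits law, so each
    later cohort finds fewer 'clearly established' precedents and that gate's pass
    rate shrinks. Returns the end-to-end clearance each successive cohort sees."""
    current, seen = list(rates), []
    for _ in range(cohorts):
        seen.append(end_to_end(current))
        current[CLEARLY_ESTABLISHED] *= 1.0 - decay_per_cohort
    return seen


if __name__ == "__main__":
    print(f"seven gates at 70%: {end_to_end(TEACHING_RATES):.1%} clear")
    loss = relative_loss_if_gate_drops(TEACHING_RATES, CLEARLY_ESTABLISHED, 0.5)
    print(f"'clearly established' drops to 50%: {loss:.1%} of clearance lost")
    for cohort, cleared in enumerate(frozen_precedent_trajectory(TEACHING_RATES, 0.10, 5)):
        print(f"cohort {cohort}: {cleared:.2%}")
```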

The finding stops at three records: source claim, missing carrier, and trace boundary. The repair path — narrowing qualified immunity by statute, requiring merits-prong findings, building a substitute compensation channel — is where the politics begin and is not the researcher’s task.

The specimen is not the lawsuit. It is the missing execution path.

Pearson is litigation-visible. Most mechanism failure stays in administrative handoffs, expired deadlines, lost records, and unusable decisions. Court cases are the visible subset after ordinary administrative failures have already disappeared from the record. A discipline that draws its specimens only from doctrinal cases overfits to litigation drama; the standing specimen base has to include the database disagreement, the handoff that drops a medical request, the school decision that is legally correct and functionally useless, the migrant whose appeal deadline expires while three offices disagree about competence.

V. Yield discipline

A check earns discipline status only when it finds a recurrent failure more cheaply than case-by-case inspection and remains false-positive-auditable. Low-yield checks try to certify global coherence, vague semantic tension, or every possible interaction. They produce more maintenance load than they detect.

A check has to be recurrent, typed, narrow, high-yield, and false-positive-auditable. An adversary — including an ordinary institutional actor under pressure — can flood a mechanism-analysis system with formally valid micro-findings that exhaust the review capacity without naming any single binding failure. The defence is yield discipline and triage, not a scalar severity score. The Cancer Failures pattern applies to the analytic tool itself: a tool whose maintenance cost exceeds its detection yield is the failure it diagnoses.

A candidate class becomes a vulnerability class only after audits measure its false-positive rate and correction history. The published essays carry the conceptual definitions; the next work is the audit record — evidence thresholds, confidence levels, respondent opportunity to contest, correction protocol when a finding is withdrawn, retrospective validation. A class without these is a candidate, not a class.

VI. The receiver-side that has to exist

A finding is sender-side. It identifies the recurrent class, cites the source-text claim, traces the missing carrier, and names the residual. It does not act on the finding. Authority, resource, and answerability — the conversion triad named in Powerless Intelligence — sit with whoever could repair the substrate.

The receiver must hold the warning architecture; the finding is only the sender-side artefact that architecture would consume. That architecture consists of: triage capacity that decides which signals are decision-relevant; a contestation route with formal standing; an escalation trigger that fires when a signal crosses a specified threshold without a further discretionary step; a memory layer that outlasts staff turnover; and a movement test that distinguishes response from compliance theatre. Where that architecture does not exist, the finding lands in an environment that can absorb it without acting.

Every finding therefore records both halves: the sender-side mechanism trace and the receiver-side condition. If the receiver-side conditions are absent — no authority over the substrate, no resource to investigate, no answerability for non-response — the finding says so. A finding that elides the receiver-side condition pretends to a binding force the institutional environment does not supply, and reproduces the powerless-intelligence pattern from the other direction.

VII. A research layer for oversight

Existing oversight needs a research layer: portable vulnerability classes, execution-trace tests, and finding formats an oversight actor can test, reject, or use. Ombudsmen, inspectors general, audit offices, comptroller-general systems, public-interest litigation clinics, legal aid organisations, whistleblower offices, parliamentary scrutiny committees, and investigative journalists already produce typed findings about institutional mechanism failures. They classify maladministration, delay, failure to give reasons, unlawful discretion, lack of hearing, equality defects, access barriers, conflict of interest, procedural unfairness, and implementation failure. They have professional standards, evidentiary discipline, public reports, intake procedures, and decades of accumulated findings.

The layer adds three things existing oversight rarely stores across cases: cross-jurisdictional class memory, adversarial pre-enactment testing, and a posture that refuses to be domesticated into checklist compliance. It does not add intake authority, jurisdictional reach, or repair power. Those stay where they sit.

Calling a mechanism defect a vulnerability chooses a substrate, failure class, disclosure route, and repair authority. The politics become visible when the receipt states the substrate, class, evidence, residual, and the authority that would have to repair it. The work cannot be apolitical and should not pretend to be. It can be role-bounded, evidence-disciplined, and explicit about repair authority.

Mechanism security research is not a license to securitize governance. It is a way to keep failure analysis bounded when whole-system assurance is impossible. The same scope discipline appears in the most disciplined defect-analysis fields: the NTSB investigates accidents without owning prosecution; aviation safety reporting separates fact-finding from blame; failure-mode-and-effects analysis (FMEA) does typed failure analysis with no security label and no emergency authority. Mechanism audit stays outside securitization when it produces public findings, claims no emergency authority, and leaves repair power with named institutions. Full-Stack Survival §VI–VIII develops the visibility / mechanism focus / no-emergency-powers distinction at length; the framing carries here.

VIII. The finding as a graded record

A finding has a shape. The minimum schema:

Disclosure is then a record, not a binary. Filing a comment into a public consultation portal is not disclosure. It is intake. The trace proves only that the sender uploaded a document. The modal response across most jurisdictions is the boilerplate acknowledgement that allows the institution to record receipt without engaging the content.

The grades a discipline of this shape needs to track:

A finding without a recorded response-state is incomplete. The accumulating value sits in the record of which findings land in which receiver-side condition, not in the volume of intake events. The discipline becomes measurable when typed findings paired with disclosure-state records show often enough which mechanism failures move institutions and which channels are reliably ignorable.

Disclosure becomes load-bearing when paired with quasi-enforcement substitutes — dashboards, public scorecards, “most wanted” lists, comply-or-explain procedures, recurring follow-up audits — that compound reputational cost on non-response. Without them, the finding still preserves a public trace and lowers future recognition cost; with them, it can compound into repair.

IX. The close

Governance needs recurrent failure records more than whole-system safety certificates. The work is recognisable once the certification demand is dropped: find the recurrent class, disclose the trace, name the residual. Cybersecurity converged on this posture against the same wall fifty years earlier. Existing oversight institutions converged on it from the other direction, without the language.

A research layer earns sustained use only when oversight practitioners can apply the next finding without reconstructing the framework. Whether that happens depends on whether typed findings paired with disclosure-state records accumulate to the point where the failure patterns are visible without the framework as scaffolding.

Mechanism security research is first a mode and a research layer, not yet a profession, registrar, or public infrastructure. The work is to develop the finding shape and prove it can travel through real institutional intake.

Mechanism security research cannot certify the whole. Its value comes from the narrower task.


Sources and notes

Cybersecurity foundations.

  • Saltzer, J. H., and Schroeder, M. D. (1975). “The Protection of Information in Computer Systems.” Proceedings of the IEEE, 63(9), 1278–1308. The canonical design-principles paper; portable design vocabulary across systems.
  • MITRE. Common Weakness Enumeration (CWE). cwe.mitre.org. Class-level catalogue of software and hardware weaknesses, with multi-view organisation for developers and researchers.
  • MITRE. Common Vulnerabilities and Exposures (CVE). cve.org. Universal identifier system for disclosed vulnerabilities; the precedent for shared reference without scoring.
  • MITRE. ATT&CK Framework. attack.mitre.org. Adversary tactics and techniques matrix; mid-level model bridging offensive behaviour and defensive countermeasures.
  • NIST. National Vulnerability Database. nvd.nist.gov.
  • Schneier, B. (2008). “The Security Mindset.” Schneier on Security blog. The closest essay-tradition precedent: security as a way of thinking about how systems fail.
  • Schneier, B. (2003). Beyond Fear. Copernicus Books.
  • Schneier, B. (2023). A Hacker’s Mind. W. W. Norton. Extends attacker-minded analysis explicitly to legal and political systems.
  • Anderson, R. (2020). Security Engineering (3rd ed.). Wiley. Case-driven, sector-spanning canon; institutional and economic dimensions central.
  • Shostack, A. (2014). Threat Modeling: Designing for Security. Wiley. The Four Question Framework as portable practice.
  • Rice, H. G. (1953). “Classes of Recursively Enumerable Sets and Their Decision Problems.” Transactions of the American Mathematical Society 74(2), 358–366. The formal impossibility anchor.

Founding precedents.

  • Google Project Zero (2014–). 90-day public-deadline disclosure norm; vendor responsiveness made measurable.
  • CERT Coordination Center (1988–). Neutral-third-party coordination; vulnerability-notes infrastructure.
  • OWASP Top 10 (2003–). Rank-list compression as awareness format.

Adjacent governance-failure traditions.

  • Pérez Ríos, J. (2012). Design and Diagnosis for Sustainable Organizations. Springer. VSM-derived taxonomy of organisational pathologies; closest existing typed governance taxonomy. Twenty-six named pathologies in structural / functional / informational groups with diagnostic intent. Lacks a public accumulating class-and-case registry.
  • Birhane, A., et al. (2026). Typed taxonomy of regulatory-capture mechanisms in Big AI. arXiv:2605.06806. Twenty-seven mechanisms in five categories, annotation protocol validated on one hundred articles. Concurrent typed taxonomy effort; domain-specific to AI regulation; not yet a cross-substrate registry.
  • Carpenter, D., and Moss, D. A. (eds.) (2014). Preventing Regulatory Capture. Cambridge University Press. Strong / weak / corrosive / cultural capture distinctions; evidentiary discipline for capture claims.
  • Lessig, L. (2000). “Code is Law.” Harvard Magazine. The register-shift precedent: architecture regulates.
  • O’Neil, C. (2016). Weapons of Math Destruction. Crown. Algorithmic-system harm classes — opacity, scale, damage.
  • Pressman, J. L., and Wildavsky, A. (1973). Implementation. University of California Press. The implementation-gap canon.
  • Galanter, M. (1974). “Why the Haves Come Out Ahead.” Law & Society Review, 9(1), 95–160. Repeat-player asymmetry; load-bearing for the political-dimension paragraph in §VII.
  • Perrow, C. (1984). Normal Accidents. Basic Books. Interactive complexity + tight coupling.
  • Reason, J. (1990). Human Error. Cambridge University Press. Swiss-cheese model; active vs latent errors.
  • Hollnagel, E., Woods, D. D., and Leveson, N. (eds.) (2006). Resilience Engineering. Ashgate.

Securitization defence.

  • Buzan, B., Wæver, O., and de Wilde, J. (1998). Security: A New Framework for Analysis. Lynne Rienner. The critique the discipline must address: securitization as speech act.
  • Floyd, R. (2019). The Morality of Security: A Theory of Just Securitization. Cambridge University Press. The theoretical bridge — objective threats exist independently of speech acts.

Worked specimen — Pearson v. Callahan.

  • Pearson v. Callahan, 555 U.S. 223 (2009). Justia.
  • The full § 1983 / qualified-immunity literature is consolidated in the Sources block of Nominal Execution, including the conviction-rate and “clearly established” jurisprudence reviews.