Selective Interception Explained

Selective interception means the governance boundary only evaluates operations that match selection rules. Unmatched operations pass through without governance overhead, enabling performance-conscious enforcement.

Why not intercept everything?

Full interception of every operation creates prohibitive overhead. Most operations don't require governance evaluation. Selective interception focuses enforcement where it matters.

Full Interception

  • Latency on every operation
  • Massive receipt volume
  • Resource exhaustion risk
  • Overwhelming audit data

Selective Interception

  • Overhead only where needed
  • Manageable receipt volume
  • Predictable resource usage
  • Focused audit trail

How does the interception flow work?

Every operation passes through the boundary, but the evaluation path depends on selection rule matching.

┌─────────────────────────────────────────────────────────┐
│                    GOVERNANCE BOUNDARY                   │
├─────────────────────────────────────────────────────────┤
│                                                         │
│  ┌─────────────┐                                        │
│  │  INTERCEPT  │◄──── All operations enter here         │
│  └──────┬──────┘                                        │
│         │                                               │
│         ▼                                               │
│  ┌─────────────┐                                        │
│  │    MATCH    │  Evaluate selection rules              │
│  │   RULES     │                                        │
│  └──────┬──────┘                                        │
│         │                                               │
│    ┌────┴────┐                                          │
│    │         │                                          │
│    ▼         ▼                                          │
│  MATCHED   UNMATCHED                                    │
│    │         │                                          │
│    ▼         │                                          │
│  ┌───────┐   │                                          │
│  │MEASURE│   │   No overhead                            │
│  │DECIDE │   │   No receipt                             │
│  │ENFORCE│   │                                          │
│  │RECEIPT│   │                                          │
│  └───┬───┘   │                                          │
│      │       │                                          │
│      ▼       ▼                                          │
│  ┌─────────────┐                                        │
│  │  CONTINUE   │───► To workload                        │
│  │  OR BLOCK   │                                        │
│  └─────────────┘                                        │
└─────────────────────────────────────────────────────────┘

What creates an enforceable proof?

An enforceable proof is the combination of: a matched operation, a measured state, a decision based on policy, and a signed receipt. All four elements must be present.

  • Match: Selection rules identified this operation as requiring governance
  • Measure: Current state was computed and compared to baseline
  • Decide: Enforcement mapping determined the action (CONTINUE/BLOCK/TERMINATE)
  • Receipt: Signed record documents the entire evaluation

What about unmatched operations?

Unmatched operations are explicitly ungoverned. The system makes no claims about them. This is intentional and transparent in the evidence bundle.

Unmatched Operations

  • No receipt emitted
  • No enforcement applied
  • Pass through immediately
  • Explicitly out of governance scope

An auditor reviewing the bundle sees what was governed. Absence of receipts for other operations is transparent by design.
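
The flow and the four proof elements described above, as an added example (not code from the original page or from any product it describes). It assumes selection rules are glob patterns over operation names, that measurement is a SHA-256 digest of a state dictionary, and that HMAC-SHA256 stands in for the receipt signature; every name in it is hypothetical.

```python
import fnmatch, hashlib, hmac, json

# Hypothetical names throughout; HMAC-SHA256 stands in for the receipt signature.
SIGNING_KEY = b"constructed-demo-key"
SELECTION_RULES = ["db.write.*", "secrets.*"]          # assumed: globs over operation names
ENFORCEMENT = {"match": "CONTINUE", "drift": "BLOCK"}  # measurement result -> action

def digest(state: dict) -> str:
    return hashlib.sha256(json.dumps(state, sort_keys=True).encode()).hexdigest()

def sign(body: dict) -> str:
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def intercept(op: str, state: dict, baseline: str, receipts: list) -> str:
    """Return the action for op; append a signed receipt only when a rule matched."""
    rule = next((r for r in SELECTION_RULES if fnmatch.fnmatchcase(op, r)), None)
    if rule is None:
        return "CONTINUE"  # UNMATCHED: no measurement, no enforcement, no receipt
    measured = digest(state)                                    # MEASURE
    result = "match" if hmac.compare_digest(measured, baseline) else "drift"
    action = ENFORCEMENT[result]                                # DECIDE
    body = {"seq": len(receipts), "op": op, "rule": rule,
            "measured": measured, "baseline": baseline, "action": action}
    receipts.append({**body, "sig": sign(body)})                # RECEIPT
    return action                                               # caller ENFORCEs this

def verify(receipt: dict) -> bool:
    """Auditor check: all four proof elements present and the signature valid."""
    body = {k: v for k, v in receipt.items() if k != "sig"}
    required = {"rule", "measured", "baseline", "action"}
    return required <= set(body) and hmac.compare_digest(sign(body), receipt.get("sig", ""))

def demo():
    """Constructed sample: one unmatched op, one matched and clean, one matched with drift."""
    good = {"config": "v1"}
    baseline = digest(good)
    receipts = []
    actions = [
        intercept("cache.read.user", good, baseline, receipts),
        intercept("db.write.orders", good, baseline, receipts),
        intercept("secrets.get", {"config": "tampered"}, baseline, receipts),
    ]
    return actions, receipts
```

Three operations enter the boundary but only two receipts exist afterwards, which is the view an auditor gets: the unmatched read leaves no trace in the bundle.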

How do I design selection coverage?

Balance coverage against overhead. Start broad, then narrow based on operational data.

  1. Identify critical operations: Which operations require provable governance?
  2. Measure baseline overhead: What's the current latency budget?
  3. Define exclusions: Which high-frequency, low-risk operations can pass through?
  4. Test and refine: Monitor actual overhead and adjust rules

Frequently asked questions

Can I log unmatched operations separately?

Yes. Many deployments maintain a separate audit log for unmatched operations. This is outside the governance system and doesn't produce receipts, but provides observability.

What if I need to prove "nothing happened"?

Use a "heartbeat" pattern. Emit periodic MEASUREMENT_OK receipts even when no operations occur. This proves the boundary was active and no governed operations happened during that window.

Is selective interception less secure?

No. Security comes from correctly defining what needs governance. An operation not requiring governance doesn't become insecure by being unmatched. Focus selection on operations with actual risk.