Tactical Edge Triad Architecture: Adapting the Next-Generation Security Triad for DIL Autonomous Sensing Systems

1. Introduction

This section establishes the operational context for tactical edge security. Key concepts include the challenges of Disconnected, Intermittent, and Low-bandwidth (DIL) conditions, the gap between enterprise security frameworks and tactical reality, and the contributions this paper makes toward addressing that gap.

1.1. The Tactical Edge Challenge

Joint All-Domain Command and Control (JADC2) depends on secure sensor-to-shooter chains spanning air, land, sea, space, and cyber domains [1]. Near-peer adversaries contest the electromagnetic spectrum through jamming, spoofing, and signals intelligence, creating environments where connectivity cannot be assured [2]. The Ukraine conflict demonstrates that tactical units must operate for extended periods without reliable reach-back to enterprise infrastructure [3]. These Disconnected, Intermittent, and Low-bandwidth (DIL) conditions represent the operational norm for tactical sensor networks, not an exception.

Security failures at the tactical edge carry kinetic consequences: compromised sensor data causes flawed situational awareness; manipulated AI targeting recommendations can result in fratricide; authentication failures enable adversary network exploitation. The DoD Zero Trust Strategy [4] establishes the FY2027 target for all DoD information systems to achieve Target Level Zero Trust, aligning with OMB M-22-09’s federal zero trust architecture requirements [25], with DTM 25-003 [5] providing execution governance. Yet no framework addresses how continuous verification functions when the verification infrastructure is unreachable.

1.2. The Next-Generation Security Triad and DIL Gap

The Next-Generation Security Triad integrates three pillars: PQC, ensuring quantum-resistant cryptography; ZTA, eliminating implicit trust; and AI security protecting against adversarial manipulation. Prior work established the enterprise substrate architecture (CSI, IAMF, TAP, POE) and governance mechanisms, including behavioral envelopes, watchdog models, and consensus-backed approval [6]. These mechanisms are architecturally sound but embed connectivity assumptions that fail at the tactical edge.

Table 1 summarizes the disconnect between enterprise assumptions and DIL reality.

1.3. Contributions

This paper makes four contributions: (1) a DIL-specific threat model identifying attack vector amplification; (2) the Tactical Edge Triad Architecture (TETA), adapting enterprise substrate components; (3) the Autonomous AI Governance Framework (AAGF), systematically adapting governance mechanisms for disconnected operations; and (4) analytical evaluation with quantitative analysis across representative tactical scenarios.

Differentiation from Existing Guidance. TETA addresses gaps not covered by existing frameworks:

(a) Standard ZTA guidance (SP 800-207, DoD Zero Trust Strategy): Assumes Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs) have continuous or degraded connectivity to identity providers and policy engines. TETA contributes pre-positioned policy with Authority Decay—credentials that degrade predictably without backend verification, with formal attack mitigations for clock rollback, credential replay, and peer collusion not addressed in SP 800-207.

(b) Generic PQC migration guidance (CNSA 2.0, NIST IR 8547): Addresses algorithm selection and transition timelines but not DIL-specific constraints. TETA contributes platform-specific algorithm profiles balancing stateless resilience against bandwidth constraints (Section 2.3.1), two-tier authentication separating routine MACs from evidentiary PQC signatures, and pre-positioned key material strategies for extended disconnection.

(c) Generic AI governance guidance (NIST AI RMF, AI 100-2e2025): Provides risk management frameworks assuming cloud connectivity for monitoring, logging, and human oversight. TETA contributes the Autonomous AI Governance Framework (AAGF) with locally-enforced behavioral envelopes, an autonomous watchdog with self-triggered degradation, pre-mission consensus packaging satisfying DoDD 3000.09 human oversight requirements, and store-forward-reconcile for post-mission accountability.

(d) Triad integration: Existing frameworks address PQC, ZTA, and AI security in isolation. TETA demonstrates cross-pillar dependencies—using PQC to sign AI governance policies, binding credential decay to behavioral envelope constraints, and ensuring quantum-resistant protection for governance audit trails.

Section 2 provides background. Section 3 presents the threat model. Section 4 describes TETA with emphasis on AAGF. Section 5 presents case study scenarios. Section 6 provides quantitative analysis. Section 7 discusses findings and concludes.

2. Background and Related Work

This section provides foundational context for the Tactical Edge Triad Architecture. Key concepts include tactical edge sensor network characteristics, the Next-Generation Security Triad foundations (PQC, ZTA, AI security), PQC implementation challenges in constrained environments, and governance mechanisms requiring DIL adaptation. The architecture aligns with NIST cyber-resiliency principles [39], which emphasize anticipating, withstanding, recovering from, and adapting to adverse conditions—particularly relevant for DIL environments where degraded operation is expected rather than exceptional.

2.1. Tactical Edge Sensor Networks

Tactical sensor networks commonly include unmanned aerial vehicles (UAVs/UAS), unattended ground sensors (UGS), unmanned underwater vehicles (UUVs), and software-defined radios (SDRs). These platforms share characteristics of cyber-physical systems operating in contested environments [7], with security requirements amplified by DIL conditions. DoD’s JADC2 strategy emphasizes connecting distributed sensors across domains through resilient networks [1]. Table 2 contrasts enterprise and tactical characteristics.

Current approaches rely on Type 1 encryption and High Assurance Internet Protocol Encryptor (HAIPE) devices, which provide NSA-certified IPsec-based protection for classified networks [40]. HAIPE is defined in CNSSI 4009 as a device providing traffic protection, networking, and management features for information assurance services in IPv4/IPv6 networks. While HAIPE addresses point-to-point encryption, current tactical cryptographic approaches lack unified Triad protection or AI governance for disconnected autonomous operations [8].

2.2. Next-Generation Security Triad Foundations

The Triad integrates PQC (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA) [9,10,11], ZTA (SP 800-207, DoD Zero Trust Strategy) [4,12], and AI security (NIST AI 100-2e2025, AI RMF 1.0) [13,14]. The enterprise substrate enables integration through CSI (cryptographic services), IAMF (identity management), TAP (telemetry analytics), and POE (policy orchestration). Federal AI governance policy shifted in January 2025: EO 14110 was revoked by EO 14148 (January 20, 2025) [44], and subsequent policy direction under EO 14179 [24] and OMB M-25-21 [45] emphasizes reduced barriers to AI development while maintaining risk management requirements. NIST technical frameworks (AI RMF, AI 100-2e2025) remain authoritative for federal AI risk management.

2.3. PQC and ZTA in Constrained Environments

PQC introduces overhead: ML-KEM public keys range from 800 bytes (ML-KEM-512) to 1,568 bytes (ML-KEM-1024) versus 32–64 bytes for ECDH; ML-DSA signatures range from 2,420 bytes (ML-DSA-44) to 4,595 bytes (ML-DSA-87) versus 64 bytes for ECDSA [9,10]. These values represent fixed-size encodings per FIPS 203/204 parameter tables; tactical implementations select parameter sets based on mission security requirements and platform constraints. NIST’s PQC transition guidance [27] and KEM recommendations [28] inform migration strategies. Table 3 summarizes CNSA 2.0 transition timelines.

2.3.1. CNSA 2.0 vs. Expeditionary Edge Algorithm Selection

CNSA 2.0 [8] establishes algorithm requirements for National Security Systems (NSS), but tactical edge deployments span a broader operational context that includes coalition partners, expeditionary forces, and mission-specific equipment outside traditional NSS boundaries. This subsection clarifies the distinction and justifies TETA’s algorithm selections.

NSS/CNSA 2.0 Requirements. For systems processing classified national security information, CNSA 2.0 mandates specific algorithm choices. Notably, for software and firmware signing, CNSA 2.0 specifies stateful hash-based signatures per SP 800-208 [43]—specifically LMS (Leighton-Micali Signature) and XMSS (eXtended Merkle Signature Scheme). These stateful algorithms offer smaller signatures than SLH-DSA but require rigorous state management: each signing key can only be used a finite number of times, and state must never be rewound or duplicated. For NSS firmware signing in enterprise environments with a reliable key management infrastructure, SP 800-208 algorithms are appropriate and mandated.

Expeditionary Edge Constraints. Tactical edge platforms present distinct challenges that complicate SP 800-208 compliance:

(1) State management risk: Stateful signatures require tracking which one-time keys have been used. In DIL environments with potential device capture, power loss, or firmware corruption, state corruption could permanently disable signing capability. A ground sensor that loses state tracking cannot safely sign additional reports without risking key reuse—a cryptographic failure mode.

(2) Coalition interoperability: Mission partners may operate under different national cryptographic policies. FIPS 203/204/205 algorithms provide a common baseline with broader international toolchain availability than SP 800-208 implementations, which remain less mature in embedded environments.

(3) Procurement and toolchain realities: Commercial embedded platforms increasingly support ML-DSA and SLH-DSA through standard cryptographic libraries (e.g., liboqs, wolfSSL PQC). SP 800-208 implementations for constrained devices remain limited, with state synchronization adding integration complexity.

TETA Algorithm Justification.Table 8’s algorithm selections reflect these constraints:

ML-DSA-65/87 (FIPS 204): Primary signature algorithm for platforms with sufficient bandwidth. Stateless operation eliminates state management risk. Selected for UAV and vehicle platforms.

SLH-DSA-128s (FIPS 205): Selected for ground sensors using a two-tier authentication model. Routine reports use symmetric MACs; high-confidence detections requiring evidentiary chain-of-custody use SLH-DSA signatures. While SLH-DSA-128s signatures (7,856 bytes) impose bandwidth penalties, ground sensors sign infrequently (typically 2–4 high-value detections daily), making this overhead acceptable. Stateless design eliminates state management vulnerabilities critical for unattended sensors, where power loss or tampering could corrupt the signing state.

FN-DSA (draft FIPS 206): Selected for maritime SATCOM where both bandwidth efficiency and stateless operation are required. Compact 666-byte signatures without state management overhead. Implementation Note: FN-DSA’s bandwidth efficiency comes with implementation complexity. The algorithm requires high-precision floating-point arithmetic for FFT-based Gaussian sampling, which (1) complicates constant-time implementation on platforms without hardware floating-point units, and (2) introduces side-channel vulnerabilities that require careful mitigation on Cortex-M4 class devices. Reference implementations typically require ~30 KB code footprint and show 2–3× slower signing than ML-DSA on integer-only microcontrollers. Maritime platforms with Cortex-A53 or higher are better suited for FN-DSA deployment; ground sensors should prefer ML-DSA-65 unless bandwidth constraints are critical.

SP 800-208 Applicability. For specific use cases within TETA—particularly pre-mission firmware signing conducted in enterprise environments with proper key management—SP 800-208 algorithms (LMS/XMSS) remain appropriate. Governance packages and firmware images signed at mission preparation can use LMS with centralized state tracking. However, for runtime signatures generated by deployed tactical platforms, stateless algorithms (ML-DSA, SLH-DSA, FN-DSA) provide resilience against the state corruption risks inherent to DIL operations. This distinction aligns with NSA guidance that algorithm selection should consider “the specific use case and operational environment” [8], recognizing that tactical edge deployments may require different tradeoffs than enterprise NSS implementations.

Zero Trust for OT guidance acknowledges real-time constraints but assumes degraded rather than absent connectivity [15]. No framework addresses fully disconnected ZTA operations.

2.4. Governance and Behavioral Security Foundations

Prior work established governance mechanisms for autonomous systems. Table 4 summarizes these mechanisms and their connectivity assumptions requiring DIL adaptation.

These mechanisms require adaptation for DIL where consensus nodes are unreachable, human authorities are unavailable, and real-time reporting is impossible. The key insight is that governance intent can be preserved while adapting implementation—consensus can occur before deployment, approval can be pre-authorized, and accountability can be maintained through post-mission reconciliation.

3. DIL Threat Model

This section characterizes the threat environment specific to tactical operations. Key concepts include DIL severity levels, attack vector amplification under disconnection, and integrated Triad responses to DIL-specific threats.

3.1. Threat Environment Characterization

Tactical sensor networks operate under contested spectrum (jamming, spoofing, SIGINT), nation-state adversary capabilities (quantum computing, adversarial ML), physical capture risk, and extended disconnection [21]. Recent Army initiatives identify 58 distinct zero-trust capabilities required for tactical edge implementation [29], underscoring the complexity of DIL security requirements. Table 5 characterizes DIL severity levels.

3.2. DIL-Amplified Attack Vectors

DIL conditions amplify traditional threats. Table 6 summarizes attack amplification and Triad responses.

Cross-domain scenarios include quantum-enabled SIGINT combining HNDL with future cryptanalysis, edge AI manipulation during disconnection, combining adversarial inputs with governance bypass, and supply chain compromise of pre-positioned models with extended exploitation windows.

4. Tactical Edge Triad Architecture (TETA)

This section presents the core architectural contribution. Key concepts include disconnected-first design principles, the five TETA substrate components (ECM, TIC, EAE, MPS, AAGF), and the Autonomous AI Governance Framework that enables accountable AI operations without connectivity.

4.1. Design Principles and Substrate Overview

TETA is grounded in five principles: (1) disconnected-first design, assuming no connectivity; (2) graceful degradation with predictable security property curves; (3) pre-positioned trust enabling deployment before mission; (4) autonomous security decisions without external dependencies; (5) cryptographic sustainability managing key lifecycle across disconnection.

Table 7 maps enterprise substrate layers to TETA components.

Figure 1 illustrates the complete TETA architecture, showing the relationship between the Next-Generation Security Triad pillars, the four substrate components adapted from enterprise frameworks, and the Autonomous AI Governance Framework (AAGF) with its five governance mechanisms.

4.2. Substrate Components

Table 8 summarizes PQC algorithm selection by platform constraint profile.

Table 8 presents baseline algorithm selections by platform type; actual mission profiles may adjust selections based on available link capacity. For example, a ground sensor with 9.6 kbps HF radio may use ML-DSA-65 (3,309-byte signatures) rather than the SLH-DSA-128s baseline (7,856 bytes), reserving SLH-DSA for worst-case bps opportunistic links where stateless resilience is paramount.

The Edge Cryptographic Module (ECM) provides mission-scoped key packages with hardware security integration via TPM 2.0. The Tactical Identity Cache (TIC) manages credentials with progressive authority decay. The Edge Analytics Engine (EAE) implements local anomaly detection, store-and-forward telemetry, and adversarial input detection. The Mission Policy Store (MPS) contains hierarchical pre-positioned policies with graceful degradation rules.

The ground sensor selection of SLH-DSA-128s warrants clarification regarding bandwidth constraints. SLH-DSA signatures (7,856 bytes for SLH-DSA-128s per FIPS 205) impose severe penalties on bps opportunistic links. Ground sensors employ a two-tier authentication model: (1) routine status reports and low-confidence detections use symmetric MACs derived from ML-KEM session keys—compact (32 bytes) and computationally inexpensive; (2) high-confidence detections requiring evidentiary chain-of-custody use PQC signatures for non-repudiation. This tiered approach reserves expensive PQC signing for reports that may support targeting decisions or post-mission review, while routine telemetry uses efficient symmetric authentication. Governance packages and firmware updates are signed at mission preparation using enterprise infrastructure; the sensor verifies these signatures locally. For scenarios requiring frequent sensor-originated signatures, FN-DSA (based on FALCON, draft FIPS 206 [17]) offers bandwidth-efficient alternatives. FN-DSA is an NTRU-lattice-based signature scheme using FFT-based sampling, with padded fixed-length encoding yielding compact 666-byte signatures for the FN-DSA-512 parameter set [22]. However, FN-DSA presents implementation challenges on constrained platforms: the Gaussian sampling procedure requires high-precision floating-point arithmetic, complicating deployment on integer-only Cortex-M4 devices and introducing timing side-channel risks that require constant-time countermeasures. Platforms deploying FN-DSA should validate side-channel resistance through power analysis testing before operational use.

Algorithm selections in Table 8 prioritize stateless operation for tactical resilience. For mission preparation activities conducted in enterprise environments (governance package signing, firmware updates), SP 800-208 stateful algorithms (LMS/XMSS) provide an alternative with reduced signature sizes where proper state management infrastructure exists [43]. See Section 2.3.1 for detailed CNSA 2.0 alignment discussion.

4.3. Autonomous AI Governance Framework (AAGF)

The AAGF addresses the tension that AI must make consequential decisions when disconnected, yet autonomous AI without governance poses unacceptable risk. Table 9 summarizes governance mechanism adaptations.

4.3.1. Pre-Mission Consensus and Pre-Authorized Envelopes

Consensus occurs before deployment through multi-party signed governance packages. Required signatories (command, legal, safety) cryptographically sign packages defining authority bounds, machine-readable ROE, envelope parameters, and degradation rules. Pre-authorized decision envelopes establish action spaces with authority obtained in advance.

Relationship to Bounded Autonomy and Run-Time Assurance. Pre-Mission Consensus Packaging implements concepts from the broader bounded autonomy and Run-Time Assurance (RTA) literature. ASTM F3269-17 [46] establishes principles for run-time assurance in autonomous systems, requiring that safety monitors can override potentially unsafe commands from complex decision-making components. TETA’s behavioral envelopes serve an analogous function: pre-computed bounds verified at runtime that constrain AI decision outputs regardless of the reasoning that produced them. The key adaptation for DIL environments is that RTA typically assumes connectivity to ground-based safety monitors; Pre-Mission Consensus pre-positions these constraints cryptographically, enabling local enforcement without external verification.

Authority decay progressively reduces permissions over disconnection time. This mechanism represents a DIL-specific operationalization of Risk-Adaptive Access Control (RAdAC) [34,35], which balances security risk against operational need through dynamic policy evaluation. Authority Decay extends RAdAC principles to disconnected environments where real-time risk assessment infrastructure is unavailable, instead using time-since-verification as a proxy for accumulated risk. Policy expression follows NIST ABAC guidance [31], with subject attributes (role, clearance, mission assignment), object attributes (classification, consequence category), and environmental attributes (time-since-verification, peer attestation count) evaluated against pre-positioned rules.

Authority Decay also draws from capability-based authorization patterns. Like Macaroons [33], which embed contextual caveats that attenuate bearer credentials, governance envelopes contain cryptographically-bound constraints that progressively restrict authority. Unlike enterprise systems like Google’s Zanzibar [32] that require backend connectivity for authorization decisions, Authority Decay pre-computes authorization policies and embeds decay schedules directly in credentials, enabling offline enforcement.

Formal Model. Let t represent elapsed time since last successful verification (connectivity epoch), and let $A\left(t\right)$ denote the authority level function. Authority Decay implements a piecewise monotonically decreasing function:

$$A\left(t\right)=\left\{\begin{array}{cc}{A}_{\mathrm{full}},\hfill & \mathrm{if}0\le t<T_1\hfill \\ A_{\mathrm{reduced}},\hfill & \mathrm{if}{T}_1\le t<T_2\hfill \\ A_{\mathrm{minimal}},\hfill & \mathrm{if}{T}_2\le t<T_3\hfill \\ A_{\mathrm{essential}},\hfill & \mathrm{if}t\ge T_3\hfill \end{array}\right.$$

(1)

where $T_1=24$h, $T_2=48$h, $T_3=72$h represent threshold boundaries (configurable per mission profile). Each authority level $A_x$ corresponds to a subset of permitted actions, with $A_{\mathrm{full}}\supset A_{\mathrm{reduced}}\supset A_{\mathrm{minimal}}\supset A_{\mathrm{essential}}$. Table 10 defines representative permission sets.

Attack Model and Mitigations. Authority Decay faces specific attack vectors in adversarial DIL environments. Table 11 characterizes threats and countermeasures.

Clock integrity represents the primary vulnerability. Implementations should bind authority evaluation to tamper-evident time sources: TPM-protected monotonic counters provide rollback resistance; hardware RTC with battery-backed tamper detection prevents physical manipulation; peer time attestation (where available) provides cross-validation. Credential structures should include epoch counters that increment at each authority transition, preventing replay of higher-authority credentials after decay.

Assurance Boundary. Authority Decay’s security guarantees depend on a hardware root-of-trust providing protected monotonic counters and tamper-evident timekeeping. Specifically, the mechanism assumes: (1) a TPM, secure element, or TEE that maintains monotonic counters resistant to software manipulation; (2) hardware RTC with tamper detection that signals physical interference; and (3) secure storage for decay schedule parameters that cannot be modified post-deployment. Without these hardware foundations, Authority Decay can be bypassed by a physical attacker with device access—clock rollback or counter reset would restore expired authority levels. Platforms lacking a hardware root-of-trust should not rely on Authority Decay for security-critical decisions; such platforms should instead default to minimal pre-authorized authority with mandatory human approval for consequential actions.

RTC Failure Mode. A critical edge case occurs when RTC battery failure or corruption causes the system clock to reset to epoch (e.g., January 1, 1970). Implementations MUST detect this condition—typically via comparison against the pre-mission timestamp embedded in the governance envelope—and default to Safe Mode (Level 0 / Zero Authority), not Full Authority. The $A\left(t\right)$ function should treat any clock value preceding the mission start timestamp as a tamper indicator. Safe Mode behavior: (1) cease autonomous operations; (2) revert to manual-only control if available; (3) activate tamper alert beacon if mission profile permits; (4) await physical recovery or re-initialization.

Table 12 shows the authority delegation matrix mapping decision categories to required authority levels and DIL authorization mechanisms.

Scope Limitations. Pre-Mission Consensus Packaging provides technical mechanisms supporting documented oversight requirements but does not address several governance challenges that require human judgment, legal interpretation, or policy decisions beyond the scope of this architecture: (1) ROE interpretation—translating rules of engagement into machine-readable constraints requires legal and operational judgment that cannot be automated; (2) commander intent capture—encoding nuanced tactical intent into envelope parameters may incompletely represent command guidance; (3) coalition legal constraints—multinational operations involve varying legal frameworks that pre-positioned packages cannot fully reconcile; (4) novel situation adjudication—scenarios outside envelope parameters default to conservative responses, but determining appropriate responses to truly novel situations requires human judgment.

4.3.2. Locally-Enforced Behavioral Bounds

Behavioral envelopes are enforced locally without cloud dependency. Table 13 defines envelope dimensions.

The Behavioral Envelope Enforcer operates as a separate hardened component that the AI cannot bypass—analogous to hardware interlocks. Every action passes through the enforcer; violations are blocked, logged, and trigger watchdog alerts.

Effective enforcement benefits from hardware or software isolation, preventing the monitored AI model from compromising the governance module. Implementation options include separate security processors (e.g., ARM TrustZone secure world), dedicated microcontrollers for governance functions, or hypervisor-enforced isolation.

4.3.3. Autonomous Watchdog and Self-Triggered Degradation

Watchdog models use pre-positioned baselines with autonomous response, implementing runtime assurance principles from the Simplex architecture [36]. The Simplex approach provides safety guarantees by switching control from an unverified advanced controller to a verified-safe baseline controller when safety violations are imminent. Recent extensions demonstrate applicability to neural network controllers [37] and multi-agent systems [38], directly relevant to AI-enabled tactical platforms. In TETA, the watchdog serves as the decision module, triggering autonomy-downgrade (analogous to baseline controller activation) when behavioral anomalies or constraint violations are detected. Table 14 defines watchdog types.

Self-triggered autonomy degradation uses predefined triggers. Table 15 defines autonomy levels.

Level 5 represents an analytic boundary in this autonomy model; DoDD 3000.09 requires that “autonomous and semi-autonomous weapon systems shall be designed to allow commanders and operators to exercise appropriate levels of human judgment over the use of force” [16]. This directive further mandates that such systems be “sufficiently robust to minimize failures that could lead to unintended engagements.” Maximum DIL authority is Level 3 with envelope enforcement, designed to support these human oversight requirements.

4.3.4. Store-Forward-Reconcile and Conservative Bias

Local audits capture every decision, governance evaluation, watchdog alert, and override. Tamper-evident storage uses cryptographic chaining. Store-forward-reconcile operations align with Delay-Tolerant Networking principles [26], with Bundle Protocol Security (BPSec) [30] providing data integrity and confidentiality services for store-and-forward transmission. BPSec’s block-level security model supports security-at-rest, addressing HNDL concerns for queued audit data. Mandatory reconciliation upon reconnection uploads audits, reviews deviations, verifies model integrity, and refreshes authorities.

5. Case Study Scenarios

This section demonstrates TETA-AAGF feasibility through representative tactical scenarios. Key concepts include scenario selection spanning the DIL spectrum, airborne ISR platform collective governance, and ground sensor operations under extended disconnection.

The evaluation methodology employs analytical modeling rather than empirical measurement, with sources explicitly distinguished. PQC cryptographic operation timings derive from published pqm4 benchmark data [18,19], representing baseline performance on Cortex-M4 microcontrollers. Governance function estimates (envelope checking, watchdog inference, autonomy evaluation, audit logging) are engineering projections based on comparable embedded workloads, lightweight neural network inference, policy engine evaluation, and cryptographic logging—and should be treated as order-of-magnitude estimates requiring validation.

5.1. Scenario Selection

Two scenarios span the DIL spectrum: airborne ISR (intermittent connectivity, collective governance) and ground sensors (extended disconnection, minimal compute). Table 16 compares scenario characteristics.

5.2. Scenario 1: Airborne ISR Platform (UAV Swarm)

A 4-8 UAV swarm conducts persistent surveillance with burst connectivity (minutes/hour) over 256 kbps tactical datalink. TETA employs ML-KEM-768/ML-DSA-65 with hardware-bound identity. AAGF establishes collective governance requiring a quorum for formation decisions, a peer-based watchdog, and autonomous navigation/classification within an envelope while prohibiting autonomous engagement.

5.3. Scenario 2: Dismounted Ground Sensors

Unattended sensors deploy for 30 days with bits per second opportunistic bandwidth. TETA employs SLH-DSA-128s (compact keys) with tamper-triggered zeroization. AAGF permits detection/reporting only (Level 2 maximum), self-diagnostic watchdog, and automatic shutdown at mission window expiration.

5.4. Evaluation Targets

Table 17 summarizes evaluation targets by scenario.

Key finding: Governance complexity scales with decision consequence, not platform sophistication.

6. Quantitative Analysis

This section provides an analytical assessment of TETA-AAGF overhead and effectiveness. All values represent engineering estimates derived from published benchmarks and protocol specifications—not empirical measurements from implemented prototypes.

6.1. Quantitative Model Methodology

Table 18 summarizes all model parameters, their values, sources, and whether each represents measured data or an engineering estimate.

Timing Conversion Note: pqm4 benchmarks report cycle counts, not wall-clock time. Under conservative assumptions (168 MHz, flash wait state penalty), representative timings are: ML-KEM-768 encaps ~15–25 ms, ML-DSA-65 sign ~40–70 ms, ML-DSA-65 verify ~15–25 ms. These estimates carry ±50% uncertainty.

6.2. Computational Overhead

Table 19 presents computational overhead on representative platforms.

6.3. Bandwidth, Storage, and Power

Table 20 summarizes resource requirements.

6.4. Security Property Preservation

Table 21 shows authentication assurance degradation over disconnection using Tactical Assurance Levels (TAL1–TAL3). These levels are inspired by but not equivalent to NIST SP 800-63B Authenticator Assurance Levels (AAL) [23].

6.5. Worked Example: Tactical Sensor Report

Table 22 presents the byte-level breakdown comparing legacy versus TETA message formats.

Overhead Assessment. The 27.9× message size increase is dominated by the ML-DSA-65 signature (98% of overhead). This overhead applies only to high-confidence detections; routine reports use MAC authentication with negligible overhead (91 bytes total).

7. Discussion and Conclusion

7.1. Contributions and Significance

This paper demonstrates that the Next-Generation Security Triad can be implemented in DIL tactical environments through systematic adaptation of governance mechanisms. TETA provides disconnected-first substrate components; AAGF ensures AI systems operate within constraints with preserved accountability.

Three novel mechanisms distinguish this work: (1) Authority Decay—a DIL-specific operationalization of continuous verification; (2) Pre-Mission Consensus Packaging—cryptographically signed governance envelopes supporting DoD Directive 3000.09 requirements; and (3) Triad Integration—architectural unification demonstrating how PQC secures AI governance integrity.

7.2. Comparison with Existing Approaches

Table 23 compares TETA-AAGF with existing frameworks.

7.3. Limitations and Future Work

This work presents a conceptual architecture with analytical sizing rather than an implemented system. Performance estimates derive from published benchmarks applied to representative operational profiles; they have not been validated through instrumented prototypes.

Future work includes operational pilots with DoD units, hardware PQC acceleration, formal verification of governance properties, federated learning for distributed governance model updates, and coalition interoperability frameworks.

7.4. Conclusion

TETA adapts the Triad for DIL through disconnected-first substrate components. AAGF systematically translates governance mechanisms: consensus becomes pre-mission signed packages; approval becomes pre-authorized envelopes with authority decay; behavioral envelopes become locally-enforced hard constraints; watchdogs become autonomous with pre-positioned baselines; autonomy-downgrade becomes self-triggered degradation; observability becomes store-forward-reconcile.

Analytical evaluation demonstrates feasibility with acceptable estimated overhead. Combined governance latency is estimated at ~15 ms on Cortex-A53 class processors (range: 8–25 ms), with 0.5% steady-state bandwidth increase. TETA-AAGF enables Next-Generation Security Triad protection at the tactical edge—under fire, without connectivity—where it matters most.