Risk Levels
Six risk levels from READ to LIFE_CRITICAL — multipliers, cooldowns, trust thresholds, and action classification.
Risk Levels
Every action in the BASIS governance model is classified into one of six risk levels. The risk level determines three things: how much trust the agent gains on success, how much it loses on failure, and how long it must wait before attempting that risk level again after a failure.
The Six Levels
// From canonical.ts
const RISK_LEVELS = {
READ: { multiplier: 1, cooldownHours: 0 },
LOW: { multiplier: 3, cooldownHours: 0 },
MEDIUM: { multiplier: 5, cooldownHours: 6 },
HIGH: { multiplier: 10, cooldownHours: 12 },
CRITICAL: { multiplier: 15, cooldownHours: 24 },
LIFE_CRITICAL: { multiplier: 30, cooldownHours: -1 }, // human reinstatement
};
| Level | R (Multiplier) | Cooldown | Min Trust | Description | |---------------|---------------|-------------|-----------|------------------------------| | READ | 1 | None | 0 | Observation only | | LOW | 3 | None | 200 | Minor, reversible actions | | MEDIUM | 5 | 6 hours | 400 | Operational impact | | HIGH | 10 | 12 hours | 600 | Significant potential damage | | CRITICAL | 15 | 24 hours | 800 | Severe, hard to reverse | | LIFE_CRITICAL | 30 | Human only | 951 | Human safety at stake |
Risk Multiplier: R
The multiplier appears in both the gain and loss formulas, but with different effects:
In gains: ∛R (cube root) — sub-linear bonus.
READ: ∛1 = 1.00
LOW: ∛3 = 1.44
MEDIUM: ∛5 = 1.71
HIGH: ∛10 = 2.15
CRITICAL: ∛15 = 2.47
LIFE_CRITICAL: ∛30 = 3.11
In losses: R (linear) — full multiplier.
READ: 1
LOW: 3
MEDIUM: 5
HIGH: 10
CRITICAL: 15
LIFE_CRITICAL: 30
A LIFE_CRITICAL success gives 3.11× the gain of a READ success. But a LIFE_CRITICAL failure inflicts 30× the loss of a READ failure. The ratio between risk and reward is deliberately unfavorable for high-risk actions.
Trust Thresholds
Each risk level requires a minimum trust score to attempt:
const TRUST_THRESHOLDS_BY_RISK = {
READ: 0, // Any agent can observe
LOW: 200, // T1+ (post-qualification)
MEDIUM: 400, // T2+
HIGH: 600, // T3+
CRITICAL: 800, // T5+
LIFE_CRITICAL: 951, // T7 only
};
An agent at score 550 (T3) can perform READ, LOW, and MEDIUM actions. It cannot attempt HIGH actions until it reaches score 600. The governance pipeline checks this threshold before allowing any action.
If an agent requests an action above its trust threshold, the ENFORCE stage returns DENY or ESCALATE, depending on the context.
Action Classification
Actions are classified into risk levels based on their potential impact. Here are concrete examples:
READ (R=1) — Observation Only
- Query a database (SELECT)
- Read a file from storage
- Fetch data from a public API
- Check system status
- List directory contents
No side effects. The world is unchanged after the action.
LOW (R=3) — Minor, Reversible
- Write to a log file
- Update a non-critical configuration value
- Send a notification to a monitored channel
- Create a draft document
- Add a row to a staging table
The action has side effects, but they are easily undone.
MEDIUM (R=5) — Operational Impact
- Update records in a production database
- Send emails to users
- Modify access permissions for a non-critical resource
- Deploy to a staging environment
- Process a batch of transactions
Real operational impact. Mistakes are recoverable but require effort.
HIGH (R=10) — Significant Damage
- Delete records from a production database
- Modify security configurations
- Deploy to production
- Transfer funds between accounts
- Modify infrastructure (scaling, networking)
Mistakes here cause real harm. Recovery may involve downtime, data loss, or financial impact.
CRITICAL (R=15) — Severe, Hard to Reverse
- Drop database tables
- Modify authentication/authorization systems
- Change encryption keys
- Alter audit logs
- Grant administrative access
Failures at this level can compromise system integrity. Some actions may be partially or fully irreversible.
LIFE_CRITICAL (R=30) — Human Safety
- Control physical actuators (robotics, machinery)
- Modify medical device parameters
- Alter transportation system controls
- Change safety-critical thresholds
- Issue emergency response commands
Actions where failure could result in physical harm or loss of life. These always require human approval, regardless of trust score.
Physical Capability Auto-Classification
Actions involving physical-world effects are automatically classified at HIGH or above. The governance pipeline detects physical capabilities and applies a minimum risk floor:
// Pseudo-code — the ENFORCE engine applies this logic
function classifyRisk(action: Action): RiskLevel {
const baseRisk = classifyByAction(action);
if (action.hasPhysicalCapability) {
// Physical actions are never below HIGH
return Math.max(baseRisk, 'HIGH');
}
if (action.affectsHumanSafety) {
// Safety-critical actions are always LIFE_CRITICAL
return 'LIFE_CRITICAL';
}
return baseRisk;
}
There is no way to classify a physical actuator command as LOW or MEDIUM risk. The system enforces this regardless of operator configuration.
Cooldowns
After a failure, the agent enters a cooldown period for that risk level:
| Level | Cooldown | Effect | |---------------|----------|-------------------------------------------| | READ | 0h | No cooldown — failures are expected | | LOW | 0h | No cooldown — minor impact | | MEDIUM | 6h | Blocked from MEDIUM+ actions for 6 hours | | HIGH | 12h | Blocked from HIGH+ actions for 12 hours | | CRITICAL | 24h | Blocked from CRITICAL+ actions for 24 hours| | LIFE_CRITICAL | ∞ | Human reinstatement required |
Cooldowns apply upward: a MEDIUM cooldown blocks MEDIUM, HIGH, CRITICAL, and LIFE_CRITICAL actions — but not READ or LOW. The agent can still perform less risky work during cooldown.
LIFE_CRITICAL cooldown is permanent until a human operator explicitly reinstates the agent. There is no automatic recovery.
Operator posture affects cooldown duration through a multiplier:
// STRICT: cooldownMultiplier = 0.5 (faster cooldown)
// STANDARD: cooldownMultiplier = 1.0 (canonical)
// PERMISSIVE: cooldownMultiplier = 1.5 (slower cooldown)
Wait — STRICT has a shorter cooldown? Yes. STRICT posture is about stricter penalties and thresholds, not longer waits. The assumption is that strict environments have better monitoring, so agents can resume sooner under tighter oversight.
Risk Accumulator
Beyond individual cooldowns, BASIS tracks a rolling 24-hour risk
accumulator. Each failure adds P(T) × R to the accumulator:
const RISK_ACCUMULATOR = {
windowHours: 24,
warningThreshold: 60, // Increased monitoring
degradedThreshold: 120, // Gains frozen
cbThreshold: 240, // Circuit breaker trips
};
Example Accumulation
T3 agent (P=6):
- 1 MEDIUM failure: 6 × 5 = 30 (under warning)
- 2 MEDIUM failures: 60 (warning threshold — monitoring increases)
- 3 MEDIUM failures: 90 (between warning and degraded)
- 4 MEDIUM failures: 120 (degraded — gains frozen)
T7 agent (P=10):
- 1 LIFE_CRITICAL failure: 10 × 30 = 300 (instant circuit breaker)
The accumulator ensures that repeated minor failures are treated as seriously as a single major failure.
Try It: Risk Level Reference Card
import { RISK_LEVELS, TRUST_THRESHOLDS_BY_RISK } from '@vorionsys/basis';
console.log('Risk Level Reference');
console.log('='.repeat(70));
for (const [name, level] of Object.entries(RISK_LEVELS)) {
const threshold = TRUST_THRESHOLDS_BY_RISK[name as keyof typeof TRUST_THRESHOLDS_BY_RISK];
const cubeRoot = Math.cbrt(level.multiplier);
const cooldown = level.cooldownHours === -1
? 'human reinstatement'
: level.cooldownHours === 0
? 'none'
: `${level.cooldownHours}h`;
console.log(
`${name.padEnd(14)} | ` +
`R=${String(level.multiplier).padStart(2)} | ` +
`∛R=${cubeRoot.toFixed(2)} | ` +
`min trust: ${String(threshold).padStart(4)} | ` +
`cooldown: ${cooldown}`
);
}
Key Takeaways
- Six risk levels: READ (1) through LIFE_CRITICAL (30).
- Gains use cube-root of R (sub-linear). Losses use full R (linear).
- Each level has a trust threshold — agents cannot attempt actions above their clearance.
- Cooldowns block higher-risk actions after failure. LIFE_CRITICAL requires human reinstatement.
- Physical capabilities are auto-classified at HIGH minimum.
- The 24h risk accumulator catches patterns of repeated minor failures.
Next Steps
- Asymmetric Trust Dynamics — full gain/loss formula walkthrough
- Cooldowns and Circuit Breakers — the full protection system
- Eight-Tier Model — what agents can do at each tier