Policy Governance · Track A

Provisional, Solidified, Reinforced: How Policy Earns Authority

In every compliance tool on the market, a policy has two states: active or inactive.

There is no maturity model. A rule created yesterday by a junior analyst responding to a framework template has the same enforcement weight as a rule confirmed by three domain experts over six months of operational validation. Both are "active." Both are treated as equally authoritative. Both produce the same evidence artifacts during an audit.

This is architecturally wrong.

Authority is not a binary state. A rule that has been corrected once, by one person, in one context, is not as authoritative as a rule that has been confirmed across dozens of contexts, reviewed by multiple humans with domain expertise, and sustained without challenge over an extended period. Treating them identically undermines the legitimacy of the entire governance layer — because it means enforcement cannot distinguish between a well-established organizational standard and someone's first draft.


The Template Authority Problem

Framework-based compliance tools inherit this problem from their own architecture. When an organization adopts SOC 2 or HIPAA, the tooling generates controls pre-mapped to the framework. These controls arrive fully "active" — they have the maximum enforcement weight the system can assign, despite having zero organizational validation behind them.

The authority of these controls derives entirely from the framework. SOC 2 requires it, therefore it is enforced. This works for auditors who are evaluating framework compliance. It does not work for organizations that need to know whether a control reflects how they actually operate.

The gap becomes visible when teams push back against controls. "Why is this required?" is a reasonable question. In a template-driven system, the answer is "because the framework says so." In a provenance-driven system, the answer is "because these specific corrections identified this specific risk, and these specific reviewers confirmed the control addresses it." The first answer produces compliance. The second produces governance.


Three Stages of Maturity

Raknor's maturation pipeline assigns every policy rule to one of three stages. Each stage reflects a different level of organizational confidence and carries a different enforcement posture.

Provisional. A correction has been captured. A single human identified a deviation and articulated the correct behavior. The rule has attribution — who corrected it, when, in what context — but it has not been reviewed or confirmed beyond the initial correction.

Provisional rules are informational. They are visible in the governance layer but not enforced. Their purpose is observation: does this correction represent an organizational pattern, or was it a one-time judgment call? The system tracks whether the same pattern appears in other contexts, but does not act on it until a human promotes it.

Solidified. The correction has been confirmed across multiple contexts, and a human with authority over the relevant domain has reviewed and promoted it. The promotion decision is documented: who reviewed it, when, and what evidence supported the decision to promote.

Solidified rules carry advisory enforcement. They produce warnings when violated and are visible in governance dashboards. They are substantive enough to inform operational decisions but have not yet accumulated the sustained stability required for structural enforcement. The distinction matters — advisory enforcement communicates organizational intent without creating hard blocks that could disrupt operations before the rule has proven its durability.

Reinforced. The rule has sustained stability over an extended period. It has not been challenged, modified, or contradicted. Its provenance chain is complete: origin, reviews, promotion decisions, and enforcement history are all documented. The organization has high confidence that this rule reflects settled operational intent.

Reinforced rules are structurally enforced. Violations are blocked at the point of execution. The enforcement action is recorded and linked to the rule's full provenance chain. Anyone affected by the enforcement can trace back through the chain to understand why the rule exists, who authorized it, and how it earned its enforcement status.


Why Each Transition Requires Human Review

Automated promotion would undermine the entire model.

If rules matured automatically based on frequency of occurrence or time elapsed, the provenance chain would contain no human judgment after the initial correction. A rule that appeared in twenty contexts would be treated as more authoritative than a rule that appeared in three — but frequency is not the same as deliberate organizational decision-making.

Each transition from provisional to solidified to reinforced requires a human to review the rule, evaluate whether it reflects organizational intent, and make a documented decision to promote it. This is the mechanism that gives the provenance chain its authority. Without it, the maturation pipeline is just an automated timer with extra steps.

The human review requirement also creates a natural quality gate. Not every correction should become an enforced rule. Some corrections are context-specific. Some reflect individual preference rather than organizational standard. Some are correct at the time of capture but become obsolete as the organization evolves. The review step filters these out — and the filtering decision is itself part of the provenance chain.
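
The pipeline described above can be modelled as a small state machine. The sketch below is an added illustration, not Raknor's code: the function names, the event fields, and the use of a set of names to represent domain authority are all assumptions. It shows the three enforcement postures, sightings that accumulate without ever promoting a rule, and promotion that moves one stage at a time only on a documented reviewer decision.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

STAGES = ("provisional", "solidified", "reinforced")
# Enforcement posture per stage, following the article's description.
POSTURE = {"provisional": "observe", "solidified": "warn", "reinforced": "block"}

@dataclass
class Rule:
    rule_id: str
    text: str
    stage: str = "provisional"
    provenance: list = field(default_factory=list)  # append-only chain of events

    def record(self, event, actor, **details):
        stamp = datetime.now(timezone.utc).isoformat()
        self.provenance.append({"event": event, "actor": actor, "at": stamp, **details})

def capture(rule_id, text, corrected_by, context):
    """A single human correction creates a provisional rule with attribution."""
    rule = Rule(rule_id, text)
    rule.record("correction", corrected_by, context=context)
    return rule

def observe(rule, context):
    """Track a repeat sighting. Frequency is evidence for a reviewer, never a promotion."""
    rule.record("sighting", "system", context=context)

def promote(rule, reviewer, domain_owners, evidence):
    """Advance exactly one stage, and only on a documented human decision."""
    if rule.stage == STAGES[-1]:
        raise ValueError("rule is already reinforced")
    if reviewer not in domain_owners:  # assumption: authority modelled as a set of names
        raise PermissionError(f"{reviewer} has no authority over this domain")
    if not evidence:
        raise ValueError("promotion requires supporting evidence")
    target = STAGES[STAGES.index(rule.stage) + 1]
    rule.record("promotion", reviewer, from_stage=rule.stage, to_stage=target, evidence=evidence)
    rule.stage = target

def enforce(rule, violated, actor):
    """Decide one evaluation; blocks are recorded and carry the full chain."""
    if not violated:
        return {"action": "allow", "rule": rule.rule_id}
    action = POSTURE[rule.stage]
    if action == "block":
        rule.record("enforcement", actor, action=action)
    return {"action": action, "rule": rule.rule_id, "stage": rule.stage,
            "provenance": list(rule.provenance)}
```
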


Earned Authority

A rule does not earn enforcement rights by existing long enough. It earns them by being reviewed, confirmed, and promoted by someone with authority.

Provisional means we noticed. Solidified means we decided. Reinforced means we enforce.

Raknor's maturation pipeline ensures that every enforced policy earned its authority through documented human review — not through template inheritance.

Learn more at raknor.ai