Infrastructure Trust · 3 min read

The Trust Assertion: the verdict that travels

A trust score is a number. A Trust Assertion is that verdict made portable — scoped, expiring, and consumable by a policy engine right next to identity.

By Joe Augustine

A trust score tells you how a device is doing. By itself it stays on a dashboard. To change a decision, the verdict has to travel — to arrive at the policy engine, at the moment of access, in a form it can act on. That portable form is the Trust Assertion (TA), and it's the unit the whole framework moves around.

This is a field note on the TA as a signal — not on how the score underneath is computed. For what's inside the number, see what the trust score actually measures.

A verdict, not a report

A TA is deliberately small: a time-bound, scoped, quantitative statement about one entity at one moment. Not telemetry, not a log stream — a verdict, compact enough to carry and structured enough to act on. Five properties make it usable as a decision input:

  • Scoped — tied to a specific entity at a specific level (workload, rack, zone, facility, region), so a consumer always knows what the verdict is about.
  • Time-bound — it carries freshness and an expiry. A TA is true for a bounded window, then it has to be re-earned.
  • Confidence-aware — it states how much it actually knows, so a thin-coverage verdict reads as low-confidence, not false certainty.
  • Attributable — it traces to who produced it and within which trust domain, so it can be trusted, audited, and revoked.
  • Decomposable — the verdict can be opened back up to the factors behind it (covered in the scoring field note).

Read alongside identity, never instead of it

The point of making the verdict portable is what happens at the decision point. A Zero Trust policy engine can take a TA as external context and refine what it was already going to do: deny or degrade if the infrastructure underneath is insufficient — even for a fully authorized user — or steer a workload to a healthier placement, or re-check continuously as the verdict changes.

Two hard rules keep this safe: a TA never overrides identity trust, and it is never authoritative in isolation. It informs the decision; the control plane keeps authority. A signal that quietly seized control would be a new failure domain, and the framework is built specifically not to become one.

Expiry is the feature

The most underrated property is the expiry. Stale trust is treated as no trust: past its window, a TA degrades to unknown and conservative defaults apply. That single rule is what keeps the signal honest — a verdict that cannot quietly go stale is one you can actually build enforcement on. It is the difference between a quarterly audit opinion and a verdict that is continuously re-earned. (Why "continuously" is load-bearing: right at design time, wrong by Tuesday.)
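The five properties above, the two hard rules at the decision point, and the stale-trust-is-no-trust rule all act on the same object, so here is one worked illustration of a policy engine consuming a TA next to identity. This is an added example, not code from the framework or from SAUTERA: the field names, the HMAC-per-issuer attribution, the thresholds, the constructed sample assertions, and the choice of "degrade" as the conservative default for an unknown verdict are all assumptions made for the example.

```python
"""Added illustration of consuming a Trust Assertion (TA) next to identity.
Not the framework's own code: field names, thresholds and the HMAC-based
attribution are assumptions made for this example."""
import dataclasses
import hashlib
import hmac
import json
from dataclasses import dataclass
from enum import Enum

# Assumption: the consumer knows a shared key per (issuer, trust_domain); a real
# trust domain would define its own signing and revocation mechanism.
ISSUER_KEYS = {("scorer-east-1", "dc-east"): b"constructed-demo-key-not-for-production"}
SCOPE_LEVELS = ("workload", "rack", "zone", "facility", "region")


@dataclass(frozen=True)
class TrustAssertion:
    entity: str          # scoped: which thing the verdict is about
    level: str           # scoped: at which level (workload .. region)
    score: float         # quantitative: 0.0 .. 1.0
    confidence: float    # confidence-aware: how much coverage backs the score
    issued_at: int       # time-bound: unix seconds
    expires_at: int
    issuer: str          # attributable: who produced it ...
    trust_domain: str    # ... and within which trust domain
    factors: dict        # decomposable: the factors behind the score
    mac: str = ""        # attribution tag over every other field


def _canonical(ta: TrustAssertion) -> bytes:
    body = {k: v for k, v in dataclasses.asdict(ta).items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(ta: TrustAssertion) -> TrustAssertion:
    key = ISSUER_KEYS[(ta.issuer, ta.trust_domain)]
    return dataclasses.replace(ta, mac=hmac.new(key, _canonical(ta), hashlib.sha256).hexdigest())


def attributable(ta: TrustAssertion) -> bool:
    key = ISSUER_KEYS.get((ta.issuer, ta.trust_domain))
    if key is None:
        return False  # unknown producer or trust domain: cannot be audited or revoked
    expected = hmac.new(key, _canonical(ta), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, ta.mac)


class Verdict(Enum):
    HEALTHY = "healthy"
    INSUFFICIENT = "insufficient"
    UNKNOWN = "unknown"


def read_assertion(ta: TrustAssertion, now: int, min_confidence=0.6, min_score=0.7) -> Verdict:
    """Turn a TA into a verdict; every failure path degrades to UNKNOWN, never to 'last good'."""
    if not attributable(ta) or ta.level not in SCOPE_LEVELS:
        return Verdict.UNKNOWN
    # Stale trust is no trust. A not-yet-valid TA is treated the same way.
    if not (ta.issued_at <= now < ta.expires_at):
        return Verdict.UNKNOWN
    # Thin coverage reads as low confidence, not as a confident score.
    if ta.confidence < min_confidence:
        return Verdict.UNKNOWN
    return Verdict.HEALTHY if ta.score >= min_score else Verdict.INSUFFICIENT


class Decision(Enum):
    ALLOW = "allow"
    DEGRADE = "degrade"
    DENY = "deny"


def decide(identity_allowed: bool, verdict: Verdict) -> Decision:
    """Policy engine step: the TA refines an identity decision, never replaces it."""
    if not identity_allowed:
        return Decision.DENY          # a TA never overrides identity trust
    if verdict is Verdict.HEALTHY:
        return Decision.ALLOW
    if verdict is Verdict.INSUFFICIENT:
        return Decision.DENY          # authorized user, insufficient infrastructure
    return Decision.DEGRADE           # UNKNOWN: conservative default (assumed: reduced access)


def healthiest_placement(candidates, now: int):
    """Steer a workload: pick the highest-scoring candidate whose TA reads HEALTHY."""
    healthy = [ta for ta in candidates if read_assertion(ta, now) is Verdict.HEALTHY]
    return max(healthy, key=lambda ta: ta.score).entity if healthy else None


# Constructed sample assertions for the example (not real measurements).
NOW = 1_700_000_000
RACK_A = sign(TrustAssertion("rack-a12", "rack", 0.91, 0.85, NOW - 60, NOW + 240,
                             "scorer-east-1", "dc-east", {"firmware": 0.95, "power": 0.88}))
RACK_B = sign(TrustAssertion("rack-b07", "rack", 0.97, 0.30, NOW - 60, NOW + 240,
                             "scorer-east-1", "dc-east", {"firmware": 0.97}))

if __name__ == "__main__":
    print(read_assertion(RACK_A, NOW), decide(True, read_assertion(RACK_A, NOW)))
    print(read_assertion(RACK_A, NOW + 300), decide(True, read_assertion(RACK_A, NOW + 300)))
    print(healthiest_placement([RACK_A, RACK_B], NOW))
```

Two design points worth noticing. Every rejection path in `read_assertion` collapses to `UNKNOWN` rather than to a cached or default score, so an expired, tampered, low-confidence or mis-scoped assertion can never masquerade as a healthy one; and `decide` checks the identity grant before it even looks at the verdict, which is what keeps the TA informative rather than authoritative.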

What a TA is not

It is not raw telemetry, not a scoring formula, and not a command. Any method that produces a scoped, graded, time-bound, confidence-aware, attributable verdict is a conforming Trust Assertion — which is exactly why the framework defines the signal and leaves the scoring to the implementer. The conveyance of that verdict in-band, with the traffic, is its own mechanism — patent-pending, and a story for another day.

Back to the map: the Augustine Infrastructure Trust Framework.

SAUTERA™ is the reference implementation of the Augustine Infrastructure Trust Framework.

Tags: infrastructure trust, trust assertion, zero trust pdp, continuous authorization

Written by

Joe Augustine

Author of the Infrastructure Trust Architecture (ITA) and the Infrastructure Trust Conveyance Mechanism (ITCM) — the standard organizations use to decide whether infrastructure can be trusted.
