What happens when things go wrong
Governance systems fail. What matters is how they fail. Every behavior on this page is enforced by code and verified by automated tests—not marketing claims.
Why failure behavior matters
Most vendors tell you how their system works when everything is fine. We document what happens when it isn't—because that's when governance matters most.
Predictable degradation
When components fail, behavior degrades in documented, predictable ways. No silent failures, no mystery states.
Audit continuity
Even during failures, audit trails are preserved. You never lose visibility into what happened.
Verifiable claims
These aren't promises—they're behaviors enforced by code. Auditors can verify them. So can you.
Governance degrades safely
When billing issues occur, ΔOS never silently changes behavior. Each state has explicit, documented consequences.
| State | Trigger | What Happens |
|---|---|---|
GRACE_PERIOD | Payment fails | Observe and govern continue. Execution paused. 7 days to resolve. |
PAST_DUE | Grace period expires | All execution blocked. Governance preserved. Data export available. |
SUSPENDED | Admin action | Read-only mode. Export available. Contact support to resolve. |
TERMINATED | Contract ended | Export-only mode. All governance artifacts preserved for retrieval. |
Invariant: You can always export your data. Governance artifacts are never deleted, even after termination.
Governance decisions are deterministic
LLMs generate human-readable explanations, but they never influence actual governance decisions. If the LLM provider goes down, governance continues unchanged.
When LLM is available
- ✓Governance decision rendered (deterministic)
- ✓Human-readable explanation generated
- ✓Full audit trail stored
When LLM is down
- ✓Governance decision rendered (unchanged)
- !Fallback explanation from judgment data
- ✓Full audit trail stored
Invariant: JudgmentIR, PolicyIR, and TrustIR are always deterministic. LLM availability has zero impact on governance outcomes.
Predictable retry and escalation
When execution adapters fail, ΔOS follows documented retry patterns. Every failure mode has an explicit handling path.
Retry patterns
- Timeout: 3 retries with exponential backoff (1s, 2s, 4s)
- Connection error: 3 retries, then Dead Letter Queue
- Auth failure: No retry, immediate escalation
- Partial success: Per-step retry, audit each outcome
After max retries
When all retries are exhausted:
- • Intent enters Dead Letter Queue
- • Operator notified immediately
- • Automatic rollback if configured
- • Full audit trail preserved
Everything is replayable
Every governance decision can be reproduced from its inputs. No black boxes. Auditors can verify any judgment at any time.
What's preserved
- 1IntentIR stored at submission time
- 2Evidence bundle archived at judgment time
- 3LIM definition frozen at deprecation
- 4Policy version preserved with each decision
Replay verification
Every replay bundle includes:
- • Original judgment output
- • Replayed judgment output
- • Match status (identical / diverged)
- • Cryptographic hash verification
Invariant: A LIM that has produced judgments can never be deleted. Audit trails are preserved indefinitely.
See how we measure value
Governance creates measurable value. Learn how ΔOS quantifies it with conservative, evidence-linked estimates.