The authority to operate a system that processes classified information — the accreditation that an organization formally recognizes as the authorization for that operation — is, in the enterprise information security model, a point-in-time determination: an authorizing official examines the system, evaluates its security controls against a defined baseline, and issues an authorization to operate (ATO) that remains valid for a specified period. The ATO is a governance artifact produced at a known moment and presumed valid until its expiration or revocation. This model fails at the tactical edge under DDIL conditions not because the ATO was incorrectly issued, but because the model assumes a stability of operational conditions that DDIL environments do not provide: the system that was accredited may be physically different from the system currently operating; the security controls that satisfied the accreditation baseline may have drifted; the authority that issued the ATO may be unreachable for verification; and the node may have received software or configuration updates during a connectivity window that altered the security posture the ATO was based on. This paper argues that accreditation at the tactical edge is not a point-in-time determination — it is a continuous-validity problem. The question that matters operationally is not "was this node ever accredited?" but "is its accreditation currently valid under the operational conditions now obtaining?" Answering that question under DDIL conditions requires treating accreditation state as a distributed system property — tracked in the WAL, replicated via the CRDT layer, carried through DTN custody chains, and continuously assessed by the AI Supervisor against an accreditation model trained on the operational history of the substrate. The paper develops four structural failure modes in the enterprise accreditation model when applied to DDIL operations — accreditation staleness, physical accreditation drift, revocation propagation delay, and AI Supervisor accreditation boundary failure — and proposes a substrate architecture in which these failures are addressable without abandoning the foundational principle of human-governed authorization. The §6 Governor Application grounds this architecture in HGC³AE²: accreditation boundary decisions belong to the H half; accreditation state cataloging and Supervisor curriculum belong to the C³ half; accreditation verification at custody and boundary crossings belongs to the AE² half. This is Paper 9 of The Implications of Edge Degraded Ops — an 11-paper undecalogy on distributed state at the C5ISR edge under DDIL conditions. The frame paper is The Tactical Substrate; the load-bearing governance framework is HGC³AE² at the Degraded Edge. Rights envelope: Citation permitted with full attribution. No reproduction, redistribution, or derivative works without written permission. AI/ML training use disallowed. See the citation policy at https://nonsequitur.tech/pubs/citation-policy/ for the full rights envelope. Canonical site URL: https://nonsequitur.tech/white-papers/accreditation-problem/
Justin H. Kuiper (Fri,) studied this question.