Distributed policy
distributed policy definition & enforcement — NQM's core innovation
Description
Distributed policy is NQM’s substantive innovation built on top of the standards-based distributed design. Where the identity and data layers adopt open standards (W3C DIDs and Verifiable Credentials, DIF methods), the policy layer is genuinely new: authorisation policy is both defined and enforced in a fully distributed way, with no central policy decision or enforcement point sitting in the path.
All policy rules, edits and supporting evidence are digitally signed, so enforcement is logically verifiable and produces “continuous assurance” rather than trust-on-assertion. The inference engine is swappable (XACML, Prolog, Z3 or custom), so the same distributed, signed policy substrate can express many authorisation models. NQM co-authored NIST SP 1800-36 (Trusted networking / continuous assurance).
Importance
Adopting DIDs and VCs is now common; the hard, largely unsolved problem is enforcing rich authorisation policy without a central authority while keeping enforcement verifiable. Distributed, signed, verifiable policy is what turns decentralised identity into decentralised control — and is NQM’s key point of differentiation.
Benefit
- Enforcement without a central authority — no central PDP/PEP chokepoint to attack, depend on, or bottleneck.
- Logically verifiable (“continuous assurance”) — signed rules, edits and evidence let enforcement be proven, not just asserted.
- Model-agnostic — a swappable inference engine (XACML/Prolog/Z3/custom) fits the customer’s authorisation model.
- Differentiated IP — a substantive innovation on top of open standards, hard for standards-only competitors to match.
Defence Relevance
DTW security is enforced by this distributed, signed policy model, anchored with strong identity (PKI); because rules, edits and evidence are signed, enforcement stays logically verifiable across UK/NATO/partner boundaries. Supports DTW Cycle 0 criterion 3 (security of the API layer) and the Exploitable-by-Design governance principle (60) — governance defined and enforced through declared, signed, auditable policy.
Civilian & Enterprise Relevance
Enterprises and public bodies enforce fine-grained, auditable data-sharing rules per customer, contract or jurisdiction across organisational boundaries — with cryptographic proof of enforcement for audit and regulators (GDPR, EU AI Act), and no central authority every party must trust. It is foundational for cross-organisation data spaces and consent management.
Related
- Distributed — the standards-based design this builds on
- Dynamic — runtime-configurable / adaptive policy
- Signed, Secure, Observable
- Volt4AI
Sources
- NQM DTW response §technical-detail — distributed signed policy, swappable engine
- Volt §how-it-works — policy model, NIST SP 1800-36