KB-5BD7

07 — Ownership Model Hardening (Branch G) (2026-06-01)

Revision 1

Ownership that works at 10⁸ scale. Builds on M-DEF-3 (accountable-owner-per-scope) and M-DEF-7 (owner-link-only inheritance). Defines the seven owner roles, delegation, orphan/double-owner detection, and maps the current recommended owners. All draft; no enactment.

7.1 The core ownership rules

  1. Exactly one accountable owner per (object × responsibility scope). Not one owner per object — one per scope. (Resolves contradiction C2 with enacted §4.12.)
  2. Supporting roles are unlimited. Delegates, executors, reviewers, auditors, exception-approvers may be many; only the accountable owner is unique-per-scope.
  3. Delegation is allowed only if governed. A delegation is a recorded, TTL-bounded edge (delegate_authority action-type — T1-6 prereq; interim recorded in admin_fallback_log). An ungoverned/implicit delegation = island.
  4. Owner inheritance only at container grain, owner-link only. A container passes its owner-link (not its risk links) to members, and only if the container is itself covered. (M-DEF-7 anti-hiding.)
  5. Owner inheritance cannot hide policy/action/route/exception gaps. Approval/audit/rollback/dot-authority/reconstruction links are computed per object and never inherited.
  6. Owner-of-last-resort = GOV-COUNCIL. An object in a seam nobody owns defaults to COUNCIL (covered-by-default, tracked) — never "no owner because ambiguous." (Red-team #8.)
  7. Separation of duty (SoD). propose ≠ approve ≠ apply-verify. Approval is always Đ32 quorum, never the DOT. A DOT may never mint a law / owner / action-type / event. (Red-team #9/#12.)

7.2 The seven owner roles (responsibility scopes)

| Role / scope | Owns | Recommended agency (live status) |
|---|---|---|
| policy owner | the rule/vocab/grouping/ceiling definition; cross-system policy | GOV-COUNCIL (active) |
| health owner | integrity, coverage, orphan/anarchy/governance-orphan detection, count-integrity, reconstruction/vector integrity | GOV-SIV (active, monitoring.integrity) |
| execution owner | DOT scan/propose/apply/audit; IU operations | GOV-DOT (active, monitoring.dot) |
| render owner | display/API/route surfaces; Registries-Pivot UI | GOV-MOUT (draft) → interim COUNCIL delegation, TTL-bounded |
| approval owner | the Đ32 quorum/lifecycle for a change class | GOV-COUNCIL (quorum incl. president + ai_council per Đ32) |
| audit owner | the audit ledger for a change class | GOV-SIV (+ reuse registry_changelog/governance_audit_log) |
| exception owner | the governed-exception lifecycle (grant/review/expire) | GOV-COUNCIL (policy) + GOV-SIV (risk) |

A single object typically has different agencies across scopes — that is the federation, and it is legal because each scope has exactly one accountable owner.

7.3 Substrate/vocab sub-owners (don't dump on the policy owner)

For domains with heavy substrate (label/taxonomy, species, KG, IU, vector), the substrate owner is distinct from the policy owner (M-Đ24/29 §0-OWNER, J7):

| Substrate | Substrate owner (live) | Policy owner |
|---|---|---|
| label/taxonomy facets, label_rules, species | GOV-KG-SYS (active, kg) | GOV-COUNCIL |
| KG edges (Đ39), IU relation graph | GOV-KG-SYS | GOV-COUNCIL |
| IU schema/profile/vector | GOV-KG-SYS (+ GOV-SIV integrity) | GOV-COUNCIL |
| law/normative substrate | GOV-NRM-SYS (active, normative) | GOV-COUNCIL |
| event substrate | GOV-SIV (Đ45) | GOV-COUNCIL |

Centralizing substrate on COUNCIL would bloat the policy owner and create a bottleneck; the split keeps COUNCIL as policy/tie-break while active substrate agencies own the tables.

                         GOV-COUNCIL  (policy · tie-break · owner-of-last-resort · exception-policy)
                              │
     ┌──────────────┬─────────┼───────────────┬──────────────────┐
   GOV-SIV        GOV-DOT   GOV-KG-SYS      GOV-NRM-SYS        GOV-MOUT (draft)
  (health/        (exec/     (taxonomy/      (law/normative     (render/display/API)
   integrity/      DOTs/      species/KG/     substrate)         ── interim COUNCIL
   coverage/       IU ops)    IU substrate/                          delegation, TTL ──
   reconstruction)            vector)

  • No new agency is required for the model (reuse-first). GOV-MOUT activation is the one pending change; until then render accountability is a recorded TTL-bounded COUNCIL delegation (J6) so render objects are covered-by-delegation/warning, not high orphans → the gate stays usable.
  • IU folds onto this map (doc 03 §3.5): policy→COUNCIL, substrate→GOV-KG-SYS, integrity→GOV-SIV, exec→GOV-DOT, law→GOV-NRM-SYS, render→GOV-MOUT/interim-COUNCIL.

7.5 Orphan-owner & double-owner detection

| Condition | Definition | Severity | Detection |
|---|---|---|---|
| owner orphan | governed object with no resolvable accountable owner in a required scope | high (critical if mutating/authority object) | coverage view: object × required-scope with no owner edge → owner_gap |
| anarchic | owner orphan on an authority-critical scope (policy/execution/approval/exception of a mutating object) | critical | M-DEF-5: gap_type × profile |
| double owner | two accountable owners in the same scope for one object | high | coverage view: count(distinct owner) per (object,scope) > 1 → island_detected/conflict |
| dangling delegate | delegation edge whose delegate agency is draft/retired, or expired TTL | high | delegation TTL/agency-status check |
| stale owner | owner edge to an agency that flipped to draft/retired | warning→high | governance-context-change trigger (G3) re-scans dependents |
| owner-of-last-resort default | unmapped object → COUNCIL | warning (defaulted, tracked) | seam detection (A5) |

Double-owner is detectable only because ownership is per-scope (without scopes, a legitimate multi-agency split is indistinguishable from an illegitimate double-owner). This is why M-DEF-3 is a Tier-1 blocker.
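
The per-(object, scope) checks from the table above (owner orphan/anarchic, double owner, dangling delegate, stale owner), as an added example that is not the governance system's own code. Record shapes, object ids, the `mutating` flag and the sample data are assumptions constructed for illustration; owner-of-last-resort defaulting and container inheritance are not modeled.

```python
from datetime import datetime, timezone

# Scope names come from the role table in 7.2; record shapes, object ids and
# the "mutating" flag are constructed for this example.
AUTHORITY_CRITICAL = {"policy", "execution", "approval", "exception"}

def scan(objects, owner_edges, delegations, agency_status, now):
    """Return sorted (object, scope, condition, severity) findings."""
    findings = set()
    owners = {}
    for obj, scope, agency in owner_edges:
        owners.setdefault((obj, scope), set()).add(agency)
        if agency_status.get(agency) != "active":      # draft/retired agency
            findings.add((obj, scope, "stale_owner", "warning→high"))
    for obj, meta in objects.items():
        for scope in meta["required_scopes"]:
            n = len(owners.get((obj, scope), ()))
            if n > 1:                                   # count(distinct owner) > 1
                findings.add((obj, scope, "double_owner", "high"))
            elif n == 0 and meta["mutating"] and scope in AUTHORITY_CRITICAL:
                findings.add((obj, scope, "anarchic", "critical"))
            elif n == 0:
                sev = "critical" if meta["mutating"] else "high"
                findings.add((obj, scope, "owner_orphan", sev))
    for obj, scope, delegate, expires in delegations:
        if agency_status.get(delegate) != "active" or expires <= now:
            findings.add((obj, scope, "dangling_delegate", "high"))
    return sorted(findings)

# Constructed sample data (not from the page's live registry).
STATUS = {"GOV-COUNCIL": "active", "GOV-SIV": "active",
          "GOV-DOT": "active", "GOV-MOUT": "draft"}
OBJECTS = {
    "registry:axis": {"mutating": True, "required_scopes": ("policy", "health")},
    "ui:pivot": {"mutating": False, "required_scopes": ("render",)},
    "dot:apply": {"mutating": True, "required_scopes": ("execution", "audit")},
}
OWNER_EDGES = [
    ("registry:axis", "policy", "GOV-COUNCIL"),
    ("registry:axis", "health", "GOV-SIV"),
    ("registry:axis", "health", "GOV-DOT"),   # second accountable owner
    ("ui:pivot", "render", "GOV-MOUT"),        # owner agency is draft
    ("dot:apply", "audit", "GOV-SIV"),         # execution scope has no edge
]
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)
DELEGATIONS = [("ui:pivot", "render", "GOV-COUNCIL",
                datetime(2026, 5, 1, tzinfo=timezone.utc))]  # TTL expired

if __name__ == "__main__":
    for finding in scan(OBJECTS, OWNER_EDGES, DELEGATIONS, STATUS, NOW):
        print(finding)
```

Because findings are keyed on (object, scope), the two `health` edges on `registry:axis` conflict while its `policy` and `health` owners being different agencies does not.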

7.6 Bootstrap / anti-self-grant (the scanner owns itself)

The coverage scanner, the Axis Registry, the profile catalog, and the ownership edges are themselves governed objects (Class 2/3/5). To avoid the chicken-and-egg problem:

  • Seed attestation (I3): a one-time, sovereign-attested seed sequence assigns the bootstrap owners (SIV owns the scanner; COUNCIL owns the profile catalog and Axis Registry) before the first scan. The seed is recorded, not memory.
  • Watchdog-of-coverage: COVERAGE-AUDIT watches SCAN; if the scanner itself becomes unowned → watchdog_fault (critical). (Red-team #11.)
  • No self-grant: the applier DOT can never approve its own ownership/exception change (SoD §7.1.7). (Red-team #12.)

7.7 Scale property

Ownership scales because:

  • it is computed at the governance grain (roots + non-inheriting classes + containers), so 10⁶ inheriting children add zero owner edges;
  • owner-link inheritance means a container's members are owned by one edge, not N;
  • but risk links are per-object, so a covered container still cannot hide a child's authority gap.

This is the precise balance that makes ownership both cheap (one edge per container) and safe (no hiding).

Branch-G verdict

Ownership is hardened to: one accountable owner per scope (7 roles), governed delegation, owner-link-only container inheritance, explicit orphan/double-owner/dangling-delegate/stale-owner detection, owner-of-last-resort = COUNCIL, SoD + anti-self-grant + seed attestation, and a federated-but-central owner map reusing the 5 active + 4 draft agencies with one pending activation (GOV-MOUT) handled by interim delegation. No new agency required.
