SYDERIAL
Architecture note · SYD-TR-2026-002

Boundary-First Information Governance

Access control filters answers; boundaries scope questions. An architecture note on making separation a coordinate of the record rather than a property of the query path.

Access control filters answers. Boundaries scope questions. The two sound alike and are not. Access control is a property of the query path: a check applied near the end, after the data has been gathered, deciding whether to return it. A boundary is a coordinate of the record: a label fixed to every claim and carried into everything derived from it, so the unsafe answer is never assembled in the first place. This note argues that governance belongs in the data model, not the query path, and shows the mechanism that puts it there.

01 · Separation as a coordinate

A boundary is a label on the claim, not a check at the end.

Every claim in the substrate carries a boundary label: an information-flow marking that says how widely the claim may travel. The labels form a boundary lattice, a partially ordered set in which any two labels have a least upper bound, governed by one rule, strictest-wins and no-downgrade. The default scheme is a chain: public below internal below confidential below restricted. The order is not decoration. It defines what happens when claims combine, and that is where governance is either kept or quietly lost.

  public        open to all
  internal      the organization
  confidential  named parties
  restricted    tightest hold
  join (⊔) takes the strictest: internal ⊔ confidential = confidential. No derived fact downgrades.
Fig. 1 · The boundary lattice; strictest-wins, no-downgrade (information-flow labels)

Treating separation as a coordinate has an immediate consequence. Two claims at different levels can only be combined into a derived fact at the stricter of the two, their join. No derivation in the model lowers a label: a boundary can tighten as facts compose; it can never relax by composition. The one way a fact reaches a looser label, the recorded crossing of section 04, is an explicit act that appends a new claim, not an operation of the join. Confidentiality is therefore a structural property of the record rather than a discipline the query author is trusted to remember.

02 · The label travels

The answer inherits the boundary of the claims it was built from.

Because the label lives on the claim, it travels with every projection computed from that claim. A graph node derived from a confidential claim is confidential. A retrieved passage, a summary, a brief, an answer: each inherits the join of the labels of its inputs, the strictest of them, automatically and by construction. The label is not reattached at the end by a process that might forget. It is never detached in the first place.

  The label travels: claim (confidential) → projection (confidential) → answer (confidential); inherited, not reattached.
  The violation cancels: a restricted claim requested into a confidential context is canceled before ranking, never filtered after.
Fig. 2 · Separation is a coordinate, not a filter (label propagation)

Retrieval respects the same coordinate, and it does so before ranking rather than after. A request carries the boundary of the context it is being assembled for. Signals that would surface a stricter fact into a looser context cancel while the candidate set is being formed, so a boundary-crossing result never competes for a rank it could win. The contract is what matters here, and the contract is exact: a fact above the context’s boundary cannot appear in the context’s answer, by any retrieval path, ranked or unranked. How the cancellation is computed is an implementation detail. That it happens before ranking, not after, is the guarantee.

03 · Why late filtering is unsafe

To filter an answer, you must first assemble it.

The failure mode of access control is built into its position in the pipeline. To decide whether to return a result, a late filter must first retrieve it, rank it, and hold it in the same context as everything else. The unsafe assembly exists, in memory, in a prompt, in a log, before the filter runs. A single missed check, a new code path, a prompt that quotes its context, and the boundary has already been crossed. The filter was the only thing standing between a confidential claim and a public answer, and filters are exactly the kind of thing that gets skipped under a refactor.

A boundary-first model removes the unsafe intermediate state rather than guarding it. The cross-boundary context is never formed, so there is nothing for a missed filter to leak. This is the difference between a system that is safe because every path remembered to check, and a system that is safe because the unsafe path does not exist.

Context is separated before reasoning. Not filtered after. Separation preserves continuity, because meaning never leaves the frame that gave it meaning.
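The mechanism of sections 01 to 03, as an added example in Python. This is not Syderial's code; the note publishes no implementation. It assumes the default four-level chain with the join computed as the maximum over rank, lets every derived fact inherit that join with no parameter for choosing a looser label, and runs one request through a boundary-first path that scopes the candidate set before ranking and a late-filter path that ranks first and filters after. The claims, the names (Claim, derive, retrieve_scoped, retrieve_late_filtered, compare) and the toy relevance score are constructed here.

```python
"""Boundary lattice, label propagation and pre-ranking scoping.

Added example (not Syderial's code): the four labels are the note's default
chain; Claim, derive, retrieve_scoped and retrieve_late_filtered are names
chosen here, and the claims below are constructed sample data.
"""
from dataclasses import dataclass

# Rank order of the default lattice; a higher rank is a stricter label.
LATTICE = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


def join(*labels: str) -> str:
    """Least upper bound (⊔): the strictest of the inputs wins.
    An unknown label is an error, never silently treated as public."""
    unknown = [lbl for lbl in labels if lbl not in LATTICE]
    if unknown or not labels:
        raise ValueError(f"cannot join labels {labels!r}")
    return max(labels, key=LATTICE.__getitem__)


def flows_to(label: str, context: str) -> bool:
    """A claim may enter a context only if its label is no stricter than the context's."""
    return LATTICE[label] <= LATTICE[context]


@dataclass(frozen=True)
class Claim:
    id: str
    text: str
    label: str
    derived_from: tuple = ()   # ids of the inputs, for a derived fact


def derive(new_id: str, text: str, *inputs: Claim) -> Claim:
    """A projection (node, passage, summary, answer) inherits the join of its
    inputs' labels. There is no parameter through which a caller picks a looser one."""
    return Claim(new_id, text, join(*(c.label for c in inputs)),
                 tuple(c.id for c in inputs))


def score(query: str, claim: Claim) -> int:
    """Toy relevance signal: number of query terms present in the claim text."""
    text = claim.text.lower()
    return sum(term in text for term in query.lower().split())


def retrieve_scoped(query: str, claims: list, context: str, k: int = 2) -> list:
    """Boundary-first retrieval: the candidate set is cut to the context's boundary
    before any ranking, so a stricter fact never competes for a rank."""
    candidates = [c for c in claims if flows_to(c.label, context)]
    ranked = sorted(candidates, key=lambda c: score(query, c), reverse=True)
    return [c.id for c in ranked[:k]]


def retrieve_late_filtered(query: str, claims: list, context: str, k: int = 2,
                           trace: list = None) -> list:
    """Late filtering: rank everything, take the top k, then drop what may not be
    returned. The unsafe assembly (ranked[:k]) exists first; `trace` records what a
    log or prompt built at that point would have contained."""
    ranked = sorted(claims, key=lambda c: score(query, c), reverse=True)
    assembled = ranked[:k]
    if trace is not None:
        trace.extend(c.id for c in assembled)
    return [c.id for c in assembled if flows_to(c.label, context)]


# Constructed sample claims: the restricted one matches the query best.
CLAIMS = [
    Claim("c1", "quarterly revenue guidance published", "public"),
    Claim("c2", "revenue guidance internal forecast", "internal"),
    Claim("c3", "revenue guidance merger target named", "restricted"),
]
SUMMARY = derive("d1", "revenue guidance summary", CLAIMS[0], CLAIMS[1])  # internal


def compare(query: str = "revenue guidance merger", context: str = "internal") -> dict:
    """Run both retrieval paths for the same request and report what each exposed."""
    corpus = CLAIMS + [SUMMARY]
    seen_by_late_path: list = []
    return {
        "scoped": retrieve_scoped(query, corpus, context),
        "late": retrieve_late_filtered(query, corpus, context, trace=seen_by_late_path),
        "late_path_assembled": seen_by_late_path,
    }


if __name__ == "__main__":
    print(compare())
```

On the constructed corpus the restricted claim scores highest for the query, so the late path assembles it into the top two before the filter removes it: anything that logged or prompted from that intermediate state held a restricted fact, and the filtered result is one short as well, because the restricted claim displaced a legitimate internal one. The scoped path never forms that state, and the summary derived from a public and an internal claim carries the internal label without anyone reattaching it.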

04 · Crossing a boundary is an act

When separation must be crossed, the crossing is recorded.

Boundaries that can never be crossed are not governance; they are a wall. Real work sometimes requires moving a fact across a boundary, and the substrate treats that crossing as what it is: an explicit, authorized, recorded act. A crossing happens only under an authority grant, itself a claim, and it appends a claim of its own, so the record shows what crossed, when, and under whose authority. The lattice scopes what may be assembled; the authority model governs the exceptions; the audit chain makes both reconstructable. Separation and continuity are not in tension. The boundary is what makes the context safe to share at all.
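A crossing as an explicit, authorized, recorded act, as an added example in Python. This is not Syderial's code: the append-only ledger, the fields of the authority-grant claim (grantee, the fact it covers, the loosest label it permits, a validity window), the choice to keep the crossing record at the destination label with identifiers only, and every name are assumptions made here; the sample ledger is constructed. The grant is itself a claim in the ledger; a crossing appends a record claim and a relabelled copy that points back at both, and the original claim is never relabelled.

```python
"""Boundary crossings as explicit, authorized, recorded acts.

Added example, not Syderial's code. Grant fields, the append-only ledger and
all names are assumptions of this example; the sample ledger is constructed.
"""
from dataclasses import dataclass

# Default four-level chain; a higher rank is stricter.
RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Claim:
    id: str
    kind: str     # "fact", "grant" or "crossing"
    label: str    # boundary label the claim carries
    body: dict


class Ledger:
    """Append-only store of claims: nothing is rewritten or relabelled in place."""
    def __init__(self) -> None:
        self.claims = []

    def append(self, claim: Claim) -> Claim:
        if any(c.id == claim.id for c in self.claims):
            raise ValueError(f"duplicate claim id {claim.id!r}")
        self.claims.append(claim)
        return claim

    def get(self, claim_id: str) -> Claim:
        for c in self.claims:
            if c.id == claim_id:
                return c
        raise KeyError(claim_id)


class CrossingDenied(PermissionError):
    """The grant does not cover this actor, fact, label or time."""


def cross(ledger: Ledger, fact_id: str, to_label: str, grant_id: str,
          actor: str, now: int) -> Claim:
    """Move a fact to a looser label under a grant. Appends a crossing record
    (what crossed, from/to, when, under whose authority) and a relabelled copy
    pointing back at both; the original fact keeps its label."""
    fact, grant = ledger.get(fact_id), ledger.get(grant_id)
    if fact.kind != "fact" or RANK[to_label] >= RANK[fact.label]:
        raise ValueError("not a crossing: target must be a looser label on a fact")
    g = grant.body
    if (grant.kind != "grant" or g["grantee"] != actor or g["fact"] != fact_id
            or RANK[to_label] < RANK[g["floor"]]          # floor: loosest label permitted
            or not (g["valid_from"] <= now < g["expires"])):
        raise CrossingDenied(f"{actor} may not move {fact_id} to {to_label} under {grant_id}")
    # Assumption: the record lives at the destination label and holds identifiers only,
    # so the looser context can always see that a fact arrived by crossing, and how.
    record = ledger.append(Claim(
        id=f"xing:{fact_id}:{to_label}:{now}", kind="crossing", label=to_label,
        body={"fact": fact_id, "from": fact.label, "to": to_label,
              "grant": grant_id, "actor": actor, "at": now}))
    return ledger.append(Claim(
        id=f"{fact_id}@{to_label}", kind="fact", label=to_label,
        body={"text": fact.body["text"], "crossed_from": fact_id, "crossing": record.id}))


def attempt(ledger: Ledger, *args) -> str:
    """Outcome of a crossing attempt as a short status string."""
    try:
        return "crossed:" + cross(ledger, *args).id
    except CrossingDenied:
        return "denied"
    except ValueError:
        return "invalid"


def provenance(ledger: Ledger, claim_id: str) -> list:
    """Reconstruct the audit chain: every crossing record between this claim
    and its origin, most recent first."""
    chain, claim = [], ledger.get(claim_id)
    while "crossed_from" in claim.body:
        chain.append(ledger.get(claim.body["crossing"]).body)
        claim = ledger.get(claim.body["crossed_from"])
    return chain


def build_demo() -> Ledger:
    """Constructed ledger: a restricted fact and two grants allowing a two-hop crossing."""
    ledger = Ledger()
    ledger.append(Claim("f1", "fact", "restricted", {"text": "merger target is Acme"}))
    ledger.append(Claim("g1", "grant", "restricted", {
        "grantee": "counsel", "fact": "f1", "floor": "confidential",
        "valid_from": 100, "expires": 200}))
    ledger.append(Claim("g2", "grant", "confidential", {
        "grantee": "comms", "fact": "f1@confidential", "floor": "internal",
        "valid_from": 100, "expires": 200}))
    return ledger


if __name__ == "__main__":
    L = build_demo()
    print(attempt(L, "f1", "confidential", "g1", "counsel", 150))
    print(attempt(L, "f1@confidential", "internal", "g2", "comms", 160))
    for rec in provenance(L, "f1@confidential@internal"):
        print(rec)
```

Three properties of the note fall out of the shape. A crossing that exceeds the grant (wrong actor, a label below the grant's floor, outside the validity window) fails before anything is appended, so a denied attempt leaves no half-written state. The original restricted claim is still restricted after the crossing; what exists at confidential is a new claim whose body records where it came from. And walking crossed_from links from the loosest copy back to the origin reproduces, in order, what crossed, when, and under whose authority.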

Fig. 3 · The boundary lattice over the claims that carry it

05 · The stake

The boundary that leaks is the one applied last.

The boundary that leaks is almost never the one that was designed. It is the one that depended on a filter someone forgot to apply, on a query path nobody scoped, on a check that lived everywhere and therefore lived nowhere. Make separation a coordinate of the record and that whole class of failure closes, because the answer cannot be assembled across a boundary by accident. For an intelligent system that an enterprise must be able to defend, that is not a feature. It is the condition of being allowed to run at all.

Notes

  1. The lattice shown is the default four-level scheme. Tenants may refine it; the strictest-wins, no-downgrade ordering is invariant under refinement.
  2. Labels are enforced cryptographically, with separation maintained per boundary rather than by trust in the query layer. The enforcement mechanism is treated in the context-of-record specification, SYD-TR-2026-004.
  3. The claim model and bitemporal coordinates that boundary labels ride on are defined in SYD-TR-2026-003 and SYD-TR-2026-004.
The reference document

Read the specification this argument implements.

The context-of-record specification is distributed to early-access organizations and reviewers. We welcome serious technical correspondence. Disagreement most of all.
