🤖 AI Summary
This study addresses the security challenges institutions face in governing the admission, oversight, and revocation of high-privilege external software and AI artifacts—such as dependency packages, container images, and model artifacts. The authors propose the “Custodial Envelope Threshold” framework, which for the first time links privilege scope to the custodial closure of artifacts. It enforces tiered admission control based on execution privileges, permitting infrastructure access only when artifacts satisfy closure conditions regarding identity, provenance path, and revocability. Integrating reference monitors, the principle of least privilege, and transaction cost economics, the framework yields an actionable four-condition sequential assessment tool. Empirical validation via a reference monitor model and a deterministic prediction function demonstrates that high-scrutiny organizations exhibit a pronounced preference for stronger custodial closure when managing high-privilege artifacts across diverse contexts, including package dependencies, GitHub Actions, container images, Terraform modules, and open-source models.
📝 Abstract
Modern infrastructure depends on externally maintained artifacts such as package-registry dependencies, CI/CD actions, container images, Terraform providers and modules, developer extensions, model artifacts, and AI tool servers. These artifacts are easy to fetch but difficult for institutions to admit, govern, and revoke. This paper proposes the Custody Envelope Threshold, an authority-scaled model of artifact admission. It argues that direct institutional admission is defensible only when object identity, ingress path, and revocation capacity are sufficiently closed relative to the execution authority delegated to the artifact. When this threshold is not met, institutions tend to proxy, policy-mediate, vendor-mediate, internalize, quarantine, or reject the artifact. The framework is operationalized as a four-condition ordinal instrument and connected to reference-monitor reasoning, least privilege, and transaction cost economics. It is applied to package dependencies, GitHub Actions, container images, Terraform providers and modules, developer extensions, and open model artifacts, with Model Context Protocol (MCP) servers treated as held-out evidence. The paper also specifies a validation design, deterministic prediction function, and OSF replication package for testing whether high-scrutiny institutions converge toward stronger custody closure for high-authority artifacts.