Every enterprise security stack contains a set of widely deployed primitives.
Identity establishes who holds an account.
Authentication verifies that a session was opened by that holder.
Fraud scoring estimates how suspicious a given request looks.
Policy engines determine whether a class of action is permitted for a given role.
Each is necessary. None of them answers the question regulated systems actually have to answer after an incident:
Did a specific human authorize this specific action at this specific moment, and can we prove it to a regulator, an auditor, or a court?
That question requires a primitive that does not exist in the conventional stack.
Why the Existing Categories Do Not Cover It
An identity provider knows who owns the account. It does not know who is sitting at the device right now.
A session is a bearer token. Anyone who holds it is the user the server sees. Sessions inherit trust from a login event that may have happened hours ago on a device that may no longer be in the correct hands.
A fraud score is an opinion the platform holds about a transaction. It is not evidence. It is produced by the bank and controlled by the bank.
A policy engine blocks actions that are disallowed by rule. It cannot attest that a permitted action was actually authorized by the specific human on whose behalf it was taken.
These systems, collectively, produce a great deal of operational data.
They do not produce an artifact that binds a specific human to a specific action.
What the Missing Primitive Has to Be
A primitive that covers this gap has four required properties.
- Produced by the human. Not by the server on behalf of the human. The signing key must be held and exercised by the specific human, on hardware they control.
- Bound to the specific action. Not a bearer credential that could have authorized anything. The artifact must cryptographically bind the canonical description of the action it authorizes.
- Verifiable independently. A third party — auditor, regulator, court — must be able to verify the artifact without trusting either the bank’s systems or the customer’s good faith.
- Non-repudiable. The holder of the signing key cannot credibly deny having produced it, because the key is held in hardware they alone control, and a fresh biometric gesture is required to exercise it.
A primitive that satisfies these four is Execution Authority Infrastructure.
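As an added illustration (not code from this post or from any product), the four properties reduced to a signing exchange in Go: the action is canonicalized, signed with a per-device key, and verified by a third party holding only the public key. The action fields, values and the in-memory ed25519 key (standing in for a hardware-held, biometric-gated key) are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Action is the canonical description of what the human authorizes (fields are illustrative).
type Action struct {
	Type     string `json:"type"`
	Account  string `json:"account"`
	Amount   int64  `json:"amount_cents"`
	Payee    string `json:"payee"`
	IssuedAt int64  `json:"issued_at"` // unix seconds: binds "this moment"
	Nonce    string `json:"nonce"`     // one-time value: the artifact cannot be replayed
}

// Canonicalize yields the exact bytes that are signed. encoding/json emits
// struct fields in declaration order with no whitespace, so signer and
// independent verifier derive identical bytes from the same action.
func Canonicalize(a Action) ([]byte, error) { return json.Marshal(a) }

// Sign runs on the human's device. In deployment the private key would sit in
// a secure element unlocked by a fresh biometric gesture; here it is an
// in-memory ed25519 key so the example runs offline.
func Sign(priv ed25519.PrivateKey, a Action) ([]byte, error) {
	msg, err := Canonicalize(a)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// Verify is what an auditor runs: public key, claimed action and signature only.
func Verify(pub ed25519.PublicKey, a Action, sig []byte) bool {
	msg, err := Canonicalize(a)
	return err == nil && ed25519.Verify(pub, msg, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a := Action{"transfer", "acct-123", 250000, "payee-987", 1700000000, "n-1"}
	sig, _ := Sign(priv, a)
	tampered := a
	tampered.Amount = 2500000 // same signature presented for a different action
	fmt.Println("original:", Verify(pub, a, sig), "tampered:", Verify(pub, tampered, sig))
}
```

The verifier never contacts the signer: a changed amount, a changed nonce, or a different device key all fail, which is what makes the artifact evidence rather than a platform opinion.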
Alongside, Not Instead
Execution Authority Infrastructure does not replace identity, fraud scoring, or policy. It sits orthogonal to all of them.
Identity still knows who owns the account.
Fraud scoring still flags velocity anomalies.
Policy still blocks disallowed classes of action.
Execution Authority Infrastructure adds what none of them can add: the signed, device-bound, per-action artifact that proves a specific human made a specific decision.
Existing systems consume that artifact. The fraud engine uses it as a signal. The policy engine gates sensitive flows on its presence. The ledger persists it for audit.
The category is additive, not competitive. It makes every existing security layer more accurate, because every layer now has access to a ground truth about human intent that used to be unavailable.
Why It Is Emerging Now
Three independent pressures converge on the same requirement.
Issuers and payment networks are moving to liability models that require cryptographic evidence of payer authorization, driven by mandatory reimbursement regimes (UK PSR, 2024) and by PSD2 SCA Dynamic Linking enforcement (APP Scam Fraud).
The EU AI Act requires that human oversight of high-risk AI be effective, not procedural (EU AI Act human oversight).
Strong Customer Authentication under PSD2 demands dynamic linking and non-repudiation that OTP cannot provide (PSD2 Article 97).
Three regulatory regimes. One technical requirement.
The pattern is not a coincidence. Regulators in each domain have independently arrived at the same conclusion: the missing primitive is the one that binds a specific human to a specific action.
Closing
A new category is not defined by a product. It is defined by an artifact the industry needs and does not currently have.
Execution Authority Infrastructure produces that artifact.
Everything else is an implementation detail.