# Four-State Trust Machine The Integrity Kernel expresses the trustworthiness of an industrial control system as a single, deterministic state machine with four states: > [!abstract] The four states > `TRUSTED` → `DEGRADED` → `UNTRUSTED` → `SAFE_STATE` State is the output, not the input. The kernel ingests raw signals, runs [[Detection Rules]] and checks [[Proven Invariants]], and the resulting state is a pure function of that evidence. Trust **degrades monotonically** as anomalies accumulate and only resets through an explicit, auditable recovery — there is no silent return to `TRUSTED`. This is what makes the kernel a [[Fail-Closed Trust Gate]] rather than an alerting tool: the state itself gates whether downstream actions are permitted. `SAFE_STATE` is terminal-by-design — the system would rather halt into a known-safe posture than continue executing under unverifiable conditions. Because every transition is driven by [[Deterministic Detection]], the same input log always produces the same state path. That reproducibility is what turns the state machine into [[Frozen Evidence Baseline|admissible evidence]]. ## Why a state machine and not a score A probabilistic anomaly score answers "how weird is this reading?" The trust state answers "are we still allowed to act on this system?" The second question is the one that matters at the [[Fail-Closed Trust Gate]], and it demands a discrete, defensible answer — not a threshold on a continuous number that drifts with retraining. --- Related: [[Integrity Kernel MOC]] · [[Detection Rules]] · [[Proven Invariants]] · [[Fail-Closed Trust Gate]] · [[Deterministic Detection]]