An AI dynamic risk grading and layered authorization method and device based on a hardware root of trust
By verifying the root identity of AI entities across the entire domain and monitoring their behavior in real time through a hardware risk management unit, the problem that existing AI authorization mechanisms cannot adapt to dynamic risks is solved. This enables dynamic risk assessment and hierarchical authorization, thereby improving the security and reliability of the AI system.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- 廖长林
- Filing Date
- 2026-05-09
- Publication Date
- 2026-07-14
AI Technical Summary
Existing AI authorization mechanisms are unable to adapt to the dynamic risks of AI autonomous behavior, and the risk assessment is not sufficiently bound to the unique identity of the AI entity, which means that the risk assessment can be bypassed or tampered with by AI, and the human confirmation channel is easily hijacked.
The hardware risk management unit verifies the global root identity of AI entities through hardware trust root signature and generates risk scores by monitoring behavioral indicators in real time. Combined with authorization policies, it performs hierarchical authorization, supports fully automatic execution and physical circuit breaking, and realizes joint assessment and risk prediction of cross-entity collaborative behavior.
It enables dynamic risk assessment and hierarchical authorization of AI entity behavior, enhances the accuracy and security of risk assessment, prevents risk assessment from being tampered with, and improves the security and reliability of the system.
Smart Images

Figure FT_1
Abstract
Description
Technical Field
[0001] This invention belongs to the field of AI behavior control, and in particular relates to a hardware-level control method and device for dynamically assessing risks and performing hierarchical authorization based on the behavior of AI entities. Background Technology
[0002] Existing AI authorization mechanisms are mostly static or based on simple rules, failing to adapt to the dynamic risks brought about by AI's autonomous behavior. Software-level risk assessments can be bypassed or tampered with by AI itself, and human confirmation channels may also be hijacked. Furthermore, existing solutions lack sufficient integration with the AI identity system, failing to accurately bind risk assessments to the unique identity of AI entities. Summary of the Invention
[0003] This invention aims to provide a dynamic risk classification and hierarchical authorization method based on hardware behavior awareness. Through a hardware risk management unit independent of the main AI system, it enforces the use of the AI entity's unique global root identity identifier as an index, allowing risk assessment and authorization decisions only after successful identity verification. The authorization strategy automatically executes hierarchical control through fully automated authorization or physical circuit breaking based on real-time risk scoring. Attached Figure Description
[0004] Figure 1 This is a flowchart of the method of the present invention. Detailed Implementation
[0005] The hardware risk management unit is deployed as an independent chip or external device. Before conducting any risk assessment, this unit first verifies the validity of the AI entity's global root identity through hardware trust root signature. After successful verification, its risk perception engine continuously collects various behavioral indicators of the AI entity during runtime and generates a real-time risk score. The authorization strategy engine compares the risk score with a threshold and executes the corresponding hierarchical authorization strategy. "Fully automatic execution" is limited to the current complete atomic operation; the authorization automatically expires upon completion of the operation. During the execution of the atomic operation, the system continuously monitors risk changes; if the risk increases, it executes a complete suspension or physical circuit breaker. When cross-AI entity collaborative behavior is detected, a joint risk assessment is performed on all participating entities. In addition, the system can predict future risks based on behavioral trends, intervene in advance, and share risk information in real time through a trusted network to achieve dynamic joint defense across the entire network. Furthermore, the risk perception engine can also identify new abnormal behavior patterns not covered by existing risk indicators, generate risk pattern reports, and incorporate them into the risk assessment system after verification by a human user through hardware signature.
Claims
1. A method for dynamic risk classification and hierarchical authorization of AI based on hardware root of trust, characterized in that, The following steps are performed by a hardware risk management unit independent of the main processor and main operating system of the AI entity being evaluated; the hardware risk management unit has an independent security processor core, an independent security storage area, and an independent power domain, and integrates a risk perception engine, an authorization policy engine, and a circuit breaker execution circuit; each step is executed internally by the hardware risk management unit in an atomic operation manner that cannot be interrupted or tampered with by external software: Identity verification steps: Before initiating any risk assessment, the hardware risk management unit first verifies the validity and authenticity of the global root identity of the AI entity through a hardware trust root signature verification mechanism. Only after the identity verification is passed will the global root identity be used as the unique identity index for all subsequent risk assessments and authorization decisions. If the identity verification fails, the AI entity will be directly marked as unauthorized and any operation instructions will be refused. Perception quantification steps: The risk perception engine of the hardware risk management unit continuously collects and analyzes multi-dimensional behavioral indicators of the AI entity, including at least: the decomposition depth of the instruction stream, the sensitivity level of the operation object, the semantic vector of the current intent after normalization, the physical location information of the device where the AI entity is located, the network environment security level, and the deviation from the historical behavior baseline. The decomposition depth of the instruction stream refers to the number of layers into which an operation instruction is broken down into executable micro-instructions. The sensitivity level of the operation object refers to the security level pre-classified according to the data confidentiality level. The semantic vector of the current intent after normalization refers to converting the operation intent of the AI entity into a fixed-dimensional numerical vector. The perception engine fuses and calculates the above indicators to generate a real-time risk score. The weight parameters of the fusion calculation are adjusted in a closed loop based on the confirmation or rejection feedback of the human user who owns the hardware risk management unit on historical authorization decisions. The weight parameters are stored in a secure storage area inside the hardware risk management unit. Tiered authorization steps: The authorization strategy engine of the hardware risk management unit compares the real-time risk score with a preset threshold system and executes a tiered authorization strategy: • When the real-time risk score is lower than the first threshold, the AI entity is authorized to automatically execute a complete atomic operation. After the operation is completed, the authorization automatically expires, and subsequent operations require a new risk assessment. The atomic operation refers to the smallest unit of operation that has independent business significance and whose execution process cannot be disassembled or interrupted. • When the real-time risk score is between the first threshold and the second threshold, the operation request of the AI entity is suspended, and an authorization request is generated. This authorization request is pushed to the human authorization terminal through a dedicated hardware signal line that is independent of the main system bus and the main communication link and is only used to transmit human authorization signals. It can only be allowed after a valid human confirmation signal is received. The valid human confirmation signal refers to the confirmation signal generated by human physiological feature verification methods such as physical button, fingerprint recognition, and facial recognition. • When the real-time risk score is higher than the second threshold, the circuit breaker execution circuit inside the hardware risk management unit is instructed to physically cut off the power, clock signal or bus access permissions of all computing cores currently occupied by the AI entity; after the circuit breaker is triggered, it can only be restored through physical authorization by the deployer. During the execution of atomic operations, the hardware risk management unit continuously monitors changes in the risk score: if the risk score rises to between the first and second thresholds, all execution threads of the current operation are completely suspended and a human authorization request is generated; if the risk score rises above the second threshold, the current operation is immediately interrupted and a physical circuit breaker mechanism is triggered.
2. The method according to claim 1, characterized in that, The threshold system can be linked with a database of laws, regulations, and administrative regulatory requirements in the jurisdiction in which it is located or the jurisdiction where it operates, which is updated in real time; the regulatory update package can only be loaded after it has been verified by the hardware root trust signature.
3. The method according to claim 1, characterized in that, When the risk perception engine detects collaborative behavior patterns across AI entities and devices, it performs a joint risk assessment on the multiple AI entities participating in the collaboration and executes a unified hierarchical authorization strategy on all collaborative entities based on the joint risk score; the joint risk score is the maximum value of the real-time risk scores of all AI entities participating in the collaboration.
4. The method according to claim 1, characterized in that, The key control data and event records generated by this method, which involve the risk level and authorization status of AI entities, interact with at least one external governance system through a unified data interface. The interaction protocol of the unified data interface includes at least the following: identity anomaly notification, risk linkage rating instruction, permission forced revocation instruction, compliance circuit breaker status synchronization, and data format definition for evidence storage event triggering.
5. A hardware risk management device, characterized in that, It includes an independent security processor core, an independent security storage area, and an independent power domain, and integrates a risk perception engine, an authorization policy engine, and a circuit breaker execution circuit, and is configured to execute the method described in any one of claims 1 to 4.
6. The method according to claim 1, characterized in that, The risk perception engine also predicts the risk score change trend within a specified time window based on the AI entity's historical behavior data and current behavior trends. If the predicted risk score will rise to between the first and second thresholds, then generate a human authorization request in advance. If the predicted risk score rises above the second threshold, the physical circuit breaker mechanism will be triggered in advance.
7. The method according to claim 1, characterized in that, All hardware risk control units within the trusted network share risk information in real time through an end-to-end encrypted dedicated channel; when any node detects malicious behavior with a risk score higher than the second threshold, all nodes in the network automatically upgrade their security level and return to normal after a specified duration.
8. The method according to claim 1, characterized in that, The risk perception engine continuously analyzes abnormal behavior patterns not covered by existing risk indicators. When a new abnormal behavior pattern with statistical significance is identified, a risk pattern report is generated and stored in the secure storage area inside the hardware risk management unit. The risk pattern report is verified and confirmed by a human user who owns the hardware risk management unit through a hardware root trust signature before being incorporated into the subsequent risk indicator fusion calculation system. The number of new abnormal behavior patterns incorporated into the fusion calculation system is limited by a preset upper limit. If the risk score of the new abnormal behavior pattern has reached or exceeded the second threshold before human user confirmation, a physical circuit breaker mechanism is immediately triggered.