Our Brief №4 brought attention to the transparent battlespace: when every participant has persistent ISR, the question is no longer how to see the battlefield but how to operate when everyone can see everything. Arquilla and Ronfeldt at RAND in 2000 said the answer was swarming. Many narrow units, local authority, shared awareness instead of central command. Nagorno-Karabakh, Ukraine, the Red Sea: twenty-five years of contested airspace has shown the doctrine is out there.
The same question applies to non-kinetic spaces like information infrastructure. AI agent platforms run under continuous observation. Every action, every prompt tends to be visible, and every output is auditable in principle. The first problem is whether observation happens, the concern of availability. The second and bigger problem is whether the observation is honest, the concern of integrity.
Today's dominant agent platforms could certainly draw from two old loops. Plan, Do, Check, Act (PDCA) was Walter Shewhart in 1939 and popularized by Deming in the 1950s: a quality cycle for industrial production. One process, one operator. Observe, Orient, Decide, Act (OODA) was John Boyd in Patterns of Conflict, 1986: a decision cycle under fire. One pilot, one tempo. Both loops treat the observer as distinct from the actor. AI agents are headed in the opposite direction.
The False Observer
In OODA, the pilot watches the enemy. The observer reports on something they did not produce. That distance is what makes Boyd's loop work.
In an agent loop, the agent watches the state it is changing. What OODA calls observe becomes the agent reporting on its own work, shaped by what it just did. This is what produces sycophancy, self-confirmation, and untruthful summaries in current agent platforms.
PDCA has the same challenge. Plan and Do can be the same operator. Check is the operator reporting on its own work. Deming's loop worked because other humans were in the room to challenge the report. Take the humans out and the loop closes inside the actor.
Single-process agent platforms have no way to tell the actor from the observer. Their audit story is whatever the agent says about itself.
Swarm Doctrine in Information Systems
Arquilla and Ronfeldt's swarming was a counter to the risk of concentrated force, which needed dispersion to survive being watched all the time. Many narrow units. Each with its own authority. Coordinating through what they can all see, not through orders from above. The doctrine is not about hiding. It is about operating in plain sight.
Information systems under continuous observation need the same shape. A single agent with all the keys is a concentrated force in transparent space. You cannot make it honest by adding more dashboards. The architecture is the wrong shape for the environment.
This is the same mistake as counter-drone interdiction in Brief №3. Programmes that try to destroy or jam the sensors miss the actual problem: how do you operate when the sensors cannot be removed. For information systems, the dashboard is the equivalent of jamming. Adding observation tools on top of a single-loop agent does not produce honest observation. It produces more legible dishonesty.
The shape this environment requires: many narrow agents, none allowed to write its own audit record, all reporting through a shared log that sees more than any single agent, with the commit decision held by someone outside the chain that proposed it.
We are therefore introducing MOCA, a loop built for that shape.
It is not a new problem. In 1931, Kurt Gödel proved that any formal system rich enough to describe arithmetic cannot prove its own consistency from within itself. To verify it, you have to step outside it.
An AI agent reasoning about its own actions is a formal system reasoning about itself. The honest-self-report assumption that OODA and PDCA inherit is the assumption that a system can verify itself from inside. Gödel showed that does not work for any formal system above a minimum complexity. Modern agents are well above that complexity. The dashboards bolted onto single-loop platforms are attempts to verify the agent from inside the agent's frame.
What gets you out of the trap is moving verification outside the system being verified, like an internal audit overseen by external auditors. The reader of the log, the holder of the gate, and the judge of honesty all live outside the chain that proposed the action. That is the move Gödel pointed at ninety-five years ago. It is not an AI problem and it is not a security problem. It is the shape verification has to take when a system reasons about itself.
MOCA
Wirken puts the loop into the architecture, not into a procedure. Each phase below appears alongside the structural feature that enforces it.
| The Loop | The Architecture | |
|---|---|---|
| Modify | The operator states what they want changed. The loop starts with action, not observation. Every observation that follows is going to be coloured by the change underway, so name the change first. | Every operator request lands in the audit log as a stated change before any agent runs. The audit log is append-only and hash-chained. The original intent cannot be rewritten later to match whatever happened. |
| Observe | Many narrow agents, each with its own credentials and its own isolated process, produce partial reports. No single agent has authority over the full picture. The agent that changed channel A cannot write the report on channel B. | Each messaging channel runs its own adapter process with its own scoped credentials. Compile-time isolation through Rust phantom types: a SessionHandle<Telegram> cannot be constructed by, converted to, or accessed from a Discord adapter. The compiler rejects cross-channel access before the code runs. |
| Converge | Partial reports and proposed actions arrive at the audit log. The log sees more than any single agent. Contradictions between agents become visible. This is where dishonesty shows up, not where it hides. | Every agent action gets written to the hash-chained audit log before it executes. Message reads, message sends, tool calls, file access, network requests: all written before the act. The permission store decides which proposed actions can be committed against which credentials. The agents cannot bypass any of this because the audit log is the only path to commit. |
| Act | The commit happens at a gate held by someone who did not change anything and did not observe anything. The gate is the only phase of the loop whose operator is not in the chain that proposed the action. | Commit requires authorization from a path the agent does not control. Either the human in the loop, or a pre-authorized policy the agent did not write. The agent proposes. The gate commits. |
The four phases live in the architecture, not in documentation or runtime checks that can be turned off. The agent cannot self-authorize because the type system does not allow it. The agent cannot write its own audit record because the log writes happen before agent execution. The agent cannot commit because the gate is held outside the agent.
What This Means
OODA and PDCA carry an assumption from before AI: that the observer is separate from the actor. The assumption was reasonable when other humans were in the loop to challenge the report. It holds less well when the actor and the observer are the same.
This is the same mistake as counter-drone interdiction. The common response to dishonest agents is to add more observation tools. More dashboards. More telemetry. More audit tooling on top of the same architecture. The response treats the symptom, not the architecture, and treats the architecture as if the environment were not contested. The environment is contested. The observation is not neutral. The actor is in every phase of the loop unless the loop is built to put it elsewhere.
The question for any team running agent infrastructure is whether the loop the agents run on can be verified from outside it. A loop that cannot be is a loop whose audit log is whatever the agents prefer to write. The verifier reads a log it did not produce, holds a gate it was not consulted to bypass, and judges actions it did not propose. The test is structural, not procedural. Wirken is one implementation that meets it; others are possible.