Corrective Closure Ownership

I. Closure is not resolution

Western administrative tradition treats decision as terminal. A court rules; the case is closed. A regulator approves; the permit is granted. A minister signs; the policy is in place. A statute passes; the law is the law. The institutional grammar treats these as endpoints.

In reality almost none of these are endpoints. The court ruling produces an enforcement regime that runs for decades. The permit creates an installation that operates for fifty years. The policy enters an implementation environment that adapts, drifts, and fails in unanticipated ways. The statute interacts with subsequent statutes, with administrative practice, with social change.

The grammar of closure obscures the duration of consequence. It treats the moment of decision as the load-bearing moment, when often the load is borne for decades afterward by an absent owner. The Five-part legitimacy test (source / scope / procedure / constraint / contestability) asks whether the decision was legitimately made; it does not ask whether anyone is legitimately responsible for what happens next.

Closure is acceptance for now under stipulated conditions; the institution remains the owner of the decision’s correction.

II. The irreversibility spectrum

Closures differ by reversal cost. Some decisions can be reversed cheaply; others lock in for generations. The design of closure should track this difference.

Low irreversibility. Routine permits, small fines, short procurement, reversible licenses, ordinary tax determinations. The cost of reversal is comparable to the cost of original decision. Default closure design: fast decision, light appeal route, later correction acceptable.

Medium irreversibility. Professional discipline, school placement, local planning, long contracts, agency guidance, eligibility categories that affect benefits over years. The cost of reversal is meaningfully higher than original decision. Default closure design: recorded reasons, structured appeal route, monitoring trigger, named correction owner, compensation path.

High irreversibility. Constitutional change, demographic transformation, institutional abolition, infrastructure corridors, imprisonment, deportation to danger, irreversible medical intervention, war powers, destruction of state capacity, irreversible environmental loss. The cost of reversal is many multiples of the original decision and often impossible. Default closure design: delay, redundancy, supermajority or multi-office authorization, strong evidence duty, public reasons, appeal before execution where possible, sunset only with real reauthorization, and an implementation ledger with preauthorized re-entry.

The mistake current systems make is treating all closures as low or medium when many are high. A planning decision that constructs a road locks geography for generations. A regulatory abolition that disbands an agency may take decades to rebuild. A school closure dissolves a community in ways that no later policy can reconstitute. An algorithmic eligibility decision that strips someone of benefits at the moment they cannot afford an appeal becomes effectively irreversible.

Tier classification is contextual along at least five dimensions:

• Time-shifting. A decision starts reversible and becomes irreversible through reliance, sunk infrastructure, personnel loss, data deletion, or institutional learning decay. A permit looks reversible until the building is built.
• Case-vs-regime. A single algorithmic eligibility denial is low-irreversibility; the automated regime generating millions of denials is high-irreversibility. CCO applies to the regime where the per-case looks reversible only against the wider system.
• Resource-relative. A decision is not reversible because an appeal exists if the affected party lacks legal aid, time, health, documentation, or safety. CCO triggers on effective irreversibility for affected parties, not formal appealability.
• Capacity destruction. Abolishing an agency, shutting a school, or dismissing expert staff destroys the repair capacity itself; the irreversibility is in the loss of capability to reopen.
• Distributed harm. No individual case crosses the high-irreversibility threshold, but the population-level consequence does (mass eligibility denials, mass low-stakes deportations).

Each dimension can push a decision into a higher tier; the closure design has to match the consequence profile and its contextual reversibility, not the procedural similarity to other decisions.

III. Conditional closure as the default for irreversible decisions

For high-irreversibility decisions, the right closure design is conditional, not final. Conditional closure has six elements.

Named correction owner. A specific office, post, or institution legally required to notice when the decision fails and reopen it. Not “the courts” or “the next government” or “the regulator” — a specifically named owner whose role description includes correction duty for this decision. For decisions distributed across multiple actors (large infrastructure programmes, intergovernmental coordination, public-private welfare regimes, EU multi-level implementation), the owner is a named coordination office with re-entry authority over the coalition’s collective output rather than over any individual actor — but the named-coordination-office requirement is the same architectural test.

Resourced capacity. The named owner has the data access, staff, expertise, legal powers, and budget to exercise correction. “Resourced” covers more than “funded”: a corrective office that holds a budget line but cannot access the underlying decision data, or cannot compel testimony, or cannot direct subordinate agencies, is decorative. A statutory duty without enforceable access is decorative in the same way.

Independent verification or review channel. The corrective owner cannot also be the original decision owner where the original owner has a structural interest in non-reopening. Independence may be statutory (separation of powers, independent agency status), procedural (third-party audit, ombudsman channel), or structural (incentive separation, term protection). Without it the corrective office becomes captured by the decision it is supposed to correct — the meta-CCO problem. See the Dominant-Player Constraint for the structural-interest analysis.

Monitoring and trigger rule. Explicit signals that prompt reopening. Not “if it seems necessary” — specific indicators (outcome metrics, complaint volumes, audit findings, third-party reports, statistical drift thresholds) that automatically engage the owner’s review duty. The trigger is the operational difference between a corrective owner who will act and one who could act in principle.

Re-entry and repair authority. Legal authority to reopen the original decision and to direct or compel repair, without requiring fresh primary legislation, ministerial approval, or judicial determination as a prerequisite to action. The re-entry path is preauthorized at the original closure. Authority is split out from “able” because the common failure is offices that can investigate and recommend but not compel — recommendation-only authority means the corrective owner depends on the original decision owner’s cooperation for actual correction, which fails predictably under structural interest.

Public record and reporting duty. Two things at once: the original decision’s reasoning is recorded in admissible form (so the corrective owner can later determine what was assumed, what was conditional, and what would constitute disconfirmation — this connects to the Record Gate, the upstream prerequisite); and the corrective owner has a continuing reporting duty to a forum that can act on the report (Parliament, court, regulator, public). Internal monitoring that produces a shelved annual report fails this element.

A decision designed this way is genuinely closed enough to act — the institution can proceed, affected parties have legal certainty, resources can be deployed. It is also not closed enough to forget — the corrective infrastructure is named, resourced, independent, triggered, authorized, and reported.

The line: closed enough to act, not closed enough to forget.

The Potemkin-CCO failure mode

The six elements can be produced on paper without producing real corrective ownership. Bureaucracies can fake the architecture: named director (post vacant); nominal budget (symbolic or earmarked for non-corrective work); statutory duty (unenforced and unenforceable); reporting requirement (met by formulaic one-paragraph annual returns nobody reads); independent channel (formally independent, structurally dependent on the original decision owner for data, staff secondment, or continued appointment); re-entry authority (formally present, conditioned on approvals that the original decision owner controls).

The detection criteria are operational rather than formal. For each element:

• Owner: post is staffed, the staff is in the role for at least a working interval (not rotated quarterly), the role has been used to actually trigger correction in the relevant decision class
• Resourced capacity: budget is proportionate to the decision’s stakes; the corrective office can access the original decision data without permission from the original decision owner; staff have the domain expertise to interpret what they access
• Independent verification: separate appointment chain; protection from removal; ability to seek information from sources beyond the original decision owner
• Monitoring trigger: trigger criteria are pre-specified, automatic to engage when met, and have actually engaged in comparable past cases
• Re-entry and repair authority: the corrective owner has at least once exercised reopening, repair direction, or suspension authority on a decision in this class without requiring fresh approval from the actor whose decision is being corrected
• Public record and reporting: reports are addressed to a forum with response authority (Parliament debate, court action, regulator enforcement); reports actually trigger responses in comparable past cases

A CCO architecture that fails any of these operational tests is Potemkin. The diagnostic question of §IV is the quick screen; these are the deeper test. The architecture is a brake against fake closure only when both pass.

IV. The diagnostic question

The quick-screen test for whether a closure has corrective ownership is one parliamentary-question-shaped sentence:

Minister, when this decision proves wrong in practice, who is legally required, funded, and able to notice it, reopen it, repair it, and show Parliament what changed?

The generic form (for non-Westminster systems): When this decision proves wrong in practice, which named accountable office is legally required, resourced, and authorized to notice, reopen, repair, and report to a competent oversight forum? The Westminster framing is the memorable institutional specimen; the generic form is what travels across US separation of powers (where the addressee is Congress through Inspector General reporting), EU multi-level governance (where the forum is the Commission, the relevant Parliament committee, or the Court of Auditors depending on the decision), Nordic committee systems, and sub-state or municipal cases.

If no name can be given — if the answer is “the courts,” “the market,” “future governments,” “stakeholders,” “the agency,” “monitoring will happen,” “we will evaluate,” “civil society” — the closure has no corrective owner. It is fake closure.

The quick-screen four-word test inside the question — required, resourced, authorized, answerable — strips out the failure modes:

• Required: there must be a legal duty, not a hope
• Resourced: there must be a budget line, data access, staff, and expertise, not a residual claim on overworked staff with no access to the underlying decision record
• Authorized: there must be repair authority, not a request to the actor whose decision needs correcting; and the authorization must be structurally independent of the original decision owner where that owner has a structural interest in non-reopening
• Answerable: there must be a reporting duty to a forum that can act on the report, not silent self-monitoring

The four-word test is a necessary, not sufficient condition. Passing it earns a presumption that the architecture exists on paper; the operational tests in §III (Potemkin detection) determine whether the architecture is real. A closure that passes both is a real corrective ownership structure. A closure that fails the four-word test is a deferred problem with no owner; a closure that passes the four-word test but fails the operational tests is fake-closure-with-architecture.

V. Why this is a distinct primitive

CCO is a design-time closure-architecture primitive for the original high-irreversibility decision. The corpus already has adjacent primitives that operate at adjacent moments; the seams are load-bearing.

Implementation Ledger is the execution-record primitive: acceptance → transition record → re-entry. IL operates downstream of an accepted commitment and tracks whether execution is faithful. CCO operates upstream of that, at design time of the original high-irreversibility closure, and asks whether the original decision pre-installs the owner who will treat later failure as their job. The two share record/re-entry machinery — CCO requires an IL-compatible transition record once correction has actually triggered — but they are distinct primitives at distinct moments. CCO is closure-architecture for the original decision; IL is execution-architecture for the accepted commitment.

Structural Residue identifies live load remaining after a correct refusal. SR documents where load goes when an institution declines to accept it; CCO names who owns load when the institution does accept it. Together SR and CCO cover the full state space of post-decision load (refused vs accepted); the partition is clean.

Feedback Authority grades response duty once feedback arrives — the consequence-tier of the duty to act on signal. CCO operates upstream of that: it creates the duty to generate, receive, and escalate disconfirming feedback for the decision class. FA grades what happens when feedback arrives; CCO names who must make sure feedback can arrive at all. The monitoring trigger of §III is the operational seam: it is a CCO requirement (the corrective owner must have one) and an FA precondition (feedback can only have consequence-tier if it exists).

Refusal to Compute is the pre-decision evasion primitive: declining to bound a decision-relevant relation when even a rough bound would create obligation. CCO operates after the institution has computed, bounded, decided, and acted. A missing monitoring trigger in a CCO architecture can conceal a later RtC (the institution refuses to compute whether the original decision is still working), so the two primitives interact at the trigger boundary.

The Dominant-Player Constraint is essential to CCO’s independence requirement (§III third element). DPC’s analysis of structural-interest separation is what makes corrective ownership real rather than captured. The specific failure mode it names — hidden veto by the original decision owner over the reopening of decisions in which that owner has structural interest — is the meta-CCO problem CCO’s independence element addresses. Without DPC-style independence protection, the corrective owner is captured by the decision it is supposed to correct: the failure of GAO High-Risk items to leave the list for years, the 2025 mass IG removals, and analogous capture events across ombudsman regimes are all evidence of what happens to CCO architectures lacking that independence.

Positive partial-specimens. Most existing institutions hold some CCO elements but lack others.

• UK project-control lineage (Major Projects Authority 2010 → Infrastructure and Projects Authority 2016 → National Infrastructure and Service Transformation Authority, launched 1 April 2025): Treasury approvals and assurance reviews can trigger funding restrictions. The April 2023 smart motorways cancellation and October 2023 Network North / HS2 Phase 2 cancellation occurred under the predecessor IPA / GMPP / HMT architecture NISTA now consolidates under a Treasury / Cabinet Office MoU with the NISTA Chief Executive as Additional Accounting Officer. Ceiling: assurance power is derived rather than independent, and ministerial decision can override on politically prioritised projects.
• South African structural interdicts. Courts retain supervisory jurisdiction over remedy implementation, requiring periodic implementation reports until compliance — a parallel positive specimen from a different institutional substrate.
• US GAO High-Risk List (biennial since 1990) and Inspector General architecture (1978 IG Act). Together implement most CCO elements at scale, but recommendation-only: GAO and IGs notice and report; they cannot compel repair. The 2025 mass IG removals and earlier vacancy specimens (USITC 17-month IG vacancy) illustrate the meta-CCO problem the independence element addresses.
• European and Nordic ombudsman regimes. Investigation, public reasons, and reporting authority, but no compulsory repair authority.

Empirical detail on each architecture — institutional structure, statutory authority, empirical record, structural failure modes — is in Sources. The CCO discipline is asking, at the moment of closure, which of the six elements are present, which are missing, and what would close the gap. CCO prevents fake closure on irreversible decisions; the other primitives become more powerful once it is installed because they attach to a named, resourced, independent, triggered, authorized, answerable owner.

VI. Worked examples

Algorithmic eligibility systems test all six CCO elements because the recent failure record is concrete.

Algorithmic eligibility system (flagship). Four recent catastrophic failures anchor the architecture’s stakes empirically.

Dutch SyRI / kindertoeslagaffaire. The System Risk Indication (SyRI) law passed both Dutch Parliament and Senate in 2014 despite preemptive warnings from the Dutch Data Protection Authority and the Council of State. SyRI amalgamated datasets across executive bodies to flag fraud risk; it operated as an opaque process and disproportionately profiled low-income and minority neighbourhoods. The corrective architecture nominally resided in parliamentary oversight and internal municipal checks; operationally, no monitoring trigger for disparate impact existed, and the deploying authorities had fraud-detection and recovery incentives aligned against reopening. Concurrently, the Dutch Tax Administration’s algorithmic risk model for childcare-benefit fraud detection included Dutch nationality and dual-nationality indicators among the risk factors. Tens of thousands of parents acting in good faith were subjected to ruthless recovery for minor administrative errors. The National Ombudsman and Children’s Ombudsman produced highly critical reports; the Cabinet and senior Tax Administration leadership did not act on these triggers for years. Correction came externally: the District Court of The Hague’s 5 February 2020 SyRI judgment (Case C-09-550982) found Article 8 ECHR violation, and investigative journalism plus parliamentary inquiry forced the kindertoeslagaffaire into public consciousness, triggering the resignation of the Dutch Cabinet in January 2021. Remediation continues through separate inquiries and compensation schemes.

Australian Robodebt (2015-2020). The Centrelink Online Compliance Intervention scheme automated retrospective identification of welfare overpayments by cross-referencing fortnightly income reporting against ATO annual earnings data. The algorithmic logic — averaging annual income over fortnightly compliance periods — directly contravened the legislated social-security payment calculators, which require consideration of actual earnings in a specific fortnight. The 2014 ‘DSS dot points’ from the Department of Social Services explicitly stated that legislation would be required to use income averaging in this manner; internal DHS legal advice that the scheme was unlawful was siloed and concealed by senior non-lawyers. The scheme scaled to over 20,000 automated debt notices per week by late 2016. The 2023 Royal Commission (Commissioner Catherine Holmes AC SC) documented “obliviousness to, or worse a callous disregard” for the resulting human trauma. The scheme affected more than 500,000 people through unlawful debt-raising before a 2019 Federal Court ruling (Justice Bernard Murphy) forced cessation. Settlement: an A$1.8bn package reducing the debts to zero. The Royal Commission report (7 July 2023) described Robodebt as “crude and cruel” and “a costly failure of public administration, in both human and economic terms”; it issued 57 recommendations.

UK Ofqual A-levels 2020. Following pandemic exam cancellation, Ofqual built a standardisation algorithm to convert teacher-predicted Centre Assessed Grades (CAGs) into final results. The algorithm locked current students’ grades to historical school performance distributions; mathematically, high-achieving students in historically underperforming state schools and FE colleges had grades artificially depressed, while small private-school cohorts bypassed the algorithm entirely (defaulting to teacher predictions because of small sample sizes). The appeals architecture was elaborate but structurally paralysed: students were prohibited from appealing against the algorithm’s output or its academic judgment; appeals routed through schools and were limited to administrative or narrow procedural grounds. Examining boards had up to 84 days to process appeals — incompatible with the university-admissions cycle. Results published 13 August 2020: about 36% of grades came in below teacher assessments and ~3% two grades below. UCAS subsequently estimated that around 15,000 students originally rejected by their firm-choice university on moderated grades would meet their offer conditions under CAGs. Mass public protest and legal threat forced complete abandonment on 17 August — four days after results — at which point Ofqual suspended the algorithm and awarded unmoderated CAGs.

US state algorithmic eligibility. Michigan’s $47M MiDAS unemployment-fraud-detection system operated with virtually no human oversight at a 93% error rate, falsely accusing tens of thousands of claimants with up to 400% overpayment penalties, aggressive wage garnishments, and federal tax-refund interceptions; appeal windows frequently closed before victims were aware they had been accused. The state was forced into a multi-million-dollar settlement and a mandate to spend $78M to replace the system by 2025. Indiana’s IBM-led welfare-eligibility outsourcing (mid-2000s) replaced local caseworkers with centralised algorithmic document processing; documents misread or lost by scanners triggered automated “failure to cooperate” denials of Medicaid and SNAP, with no path to reach a human caseworker. Arkansas’s Medicaid algorithm slashed in-home care hours for severely disabled individuals as a proprietary black box, providing no algorithmic-logic explanation to claimants. In all three, correction came externally through class-action litigation, journalism, and political fallout — never from a named owner inside the agency noticing the algorithm had diverged from reality.

The common pattern across all four: deployment authorisation was treated as absolute closure; nominal corrective owners (DHS, Tax Administration, Ofqual, state UI agencies) had structural incentives aligned with operational efficiency and budget recovery rather than with reopening; monitoring triggers either did not exist or produced output nobody had to act on; affected populations became the unfunded, disempowered corrective owners of the state’s algorithmic errors. CCO-equivalent design installs six elements at the deployment authorisation:

1. Named correction owner: a specific office independent of the deployment authority and the delivery team, responsible for monitoring outcome distributions, eligible-population coverage, appeal rates, override rates by human caseworkers, statistical drift, and disparate-impact indicators across protected categories. Independence is non-trivial: in SyRI the nominal oversight at local authorities had budgetary stake in detection rates; in Robodebt the corrective capacity sat with the same DHS leadership that had concealed the legal-advice triggers; in Ofqual the appeals body and the algorithm-designing body were the same regulator.
2. Resourced capacity: budget proportionate to deployment scale, plus guaranteed data access to model inputs, outputs, and per-decision logs. Robodebt’s correction capacity nominally existed but lacked authority to compel disclosure from the algorithm vendor or from legal teams defending the system. MiDAS automated determinations were hidden from claimants; the resourcing test is whether the corrective owner could see what the algorithm had decided in time to act.
3. Independent verification or review channel: a route to challenge through a body that is not the deploying agency. The Rechtbank Den Haag SyRI ruling (Feb 2020) and the Federal Court Robodebt ruling (late 2019) were the corrective channels in their respective cases because no equivalent administrative office existed; courts should not be the only path, because court action concentrates correction load on plaintiffs with standing and resources rather than distributing it across the affected population.
4. Monitoring and trigger rule: pre-specified thresholds on disparate-impact metrics, appeal-success rates, individual-case error rates, and statistical drift, with automatic engagement of the corrective owner when thresholds breach. Ofqual missed this entirely; the disparate-impact signal was visible on results day but no pre-specified trigger engaged. The MiDAS 93% error rate would, under a working monitoring rule, have triggered suspension within weeks rather than years.
5. Re-entry and repair authority: authority to suspend production use when triggers breach, without requiring re-approval through the original deployment authority. Robodebt’s continued operation through years of mounting evidence reflected absence of this authority; suspension power lived with the actors whose decision was being corrected. The Royal Commission’s 57 recommendations effectively rebuild this missing authority retrospectively, including referrals to the newly operational National Anti-Corruption Commission (established under the NACC Act 2022, operational from 1 July 2023) and recommendations to strengthen integrity, legal-advice, and administrative-review safeguards.
6. Public record and reporting duty: regular publication of outcome statistics, error rates, and threshold breaches, to a forum with response authority (parliamentary committee, ombudsman, court, regulator). The kindertoeslagaffaire accumulated over years before parliamentary inquiry forced disclosure; CCO architecture would have routed disclosure as a duty, not an investigation outcome.

Individual appeal rights are not a substitute for CCO at the regime level; they are a complementary case-level remedy that can also function as a monitoring trigger (appeal-success rate above a threshold triggers the corrective owner’s review of the system, not only the individual case). The Robodebt Royal Commission (2023), the Hague SyRI ruling (2020), the Ofqual collapse documentation, and the Michigan litigation are all ex-post diagnoses of CCO architectures that would have surfaced the harms years earlier had they been installed at deployment.

Finnish social-and-healthcare reform integration (diffuse-ownership specimen). Finland's 2022-2023 social-and-healthcare reform shifted responsibility on 1 January 2023 to 21 regional wellbeing-services counties. The reform was treated as a one-time deployment decision; ownership for the simultaneous integration of IT systems, payroll architectures, and procurement-contract migration was diffused across the Ministry of Finance (budget), the Ministry of Social Affairs and Health (policy and performance), and regional councils (operational autonomy). When operational failures accumulated — payroll errors and delays affecting thousands of workers in several regions, particularly where reliant on in-house service providers — no single actor was legally required, resourced, and authorised to direct repair. Finland has exceptional ex-ante review through the Constitutional Law Committee and strong per-case administrative remedy through ombudsman channels, but the operational reopening role for the reform package itself was not assigned. The National Audit Office has subsequently documented in-house procurement risk across the wellbeing-services counties (Report 3/2026); the audit office's authority is diagnostic, not directive. The pattern is what the architecture predicts: perfect diagnosis without authority to mandate repair, in a state with sophisticated ex-ante and per-case correction but missing operational CCO at the reform-package level.

Infrastructure investment. A government invests in a major transit project that will operate for 50+ years. Current design closes when construction completes and ribbon-cutting occurs; subsequent lifecycle management is treated as operating-budget routine. CCO design installs a named lifecycle ownership office with monitoring of operational performance, maintenance burden, ridership against forecast, and emerging alternatives that may change the cost-benefit analysis. The office holds adaptation authority — maintenance reprioritisation, service redesign, staged service change, mitigation funding, or parliamentary re-entry when forecast error exceeds threshold — not merely monitoring authority. The UK IPA / GMPP / HMT project-control architecture (now consolidated into NISTA from April 2025) is the strongest publicly documented partial implementation: “red” delivery-confidence ratings trigger the Treasury Response-to-Red process, under which HMT can defer approval, restrict interim funding, withhold funding, or cancel. The April 2023 smart motorways cancellation and October 2023 Network North / HS2 Phase 2 cancellation (releasing ~£36bn for reallocation) both occurred under that pre-NISTA architecture, illustrating that the apparatus can support real high-irreversibility reopening when assurance findings align with political will. NAO findings on UK projects leaving the portfolio repeatedly document the gap on the other side: scope completion is easier to observe than benefits realisation, and correction ownership decays after portfolio exit.

Statutory body change. A minister proposes either creating or abolishing an agency, citing capacity, duplication, or political restructuring. Under current grammar, the legislative change is a one-time decision: pass the statute, transfer functions, adjust budget lines, move on. CCO design names a specific successor office (or, in the abolition case, a continuing watchdog office) with statutory duty to monitor whether the change is producing its intended effects on both sides — whether the function the new agency was supposed to perform is being performed, or whether the function the abolished agency was supposed to perform is being performed elsewhere (or correctly judged no longer needed). The CCO architecture is symmetric: it should catch both “the change failed and the original was right” and “the change succeeded and the original was wrong.” The architecture works equally for the creation case and the abolition case; treating it as one-sided is what makes statutory-body decisions read as fights between incumbents and reformers rather than as testable closure designs.

Imprisonment policy change. A government enacts a sentencing reform that materially changes incarceration patterns — minimum sentences, parole rules, drug-offence reclassification, juvenile-justice age thresholds. The decision is high-irreversibility (lives affected, prison capacity built or shed, parole infrastructure scaled, recidivism trajectories shaped over decades). Current design closes when the statute passes. CCO design names a corrective owner (typically an independent sentencing council or criminal-justice review board) with monitoring authority over post-reform incarceration rates, recidivism, demographic incidence, prison-capacity utilisation, and victim-outcome measures, with re-entry authority to recommend statutory amendment when trigger thresholds breach. The Sentencing Council in England and Wales is a partial CCO implementation; what it lacks is repair authority — it can recommend but not direct.

Constitutional change (boundary case). Some high-irreversibility decisions resist CCO architecture because the very thing they are designed to do is bind across time. Constitutional amendments are intended to be high-friction to revise; a standing “review mechanism” continuously recommending revisiting a constitutional settlement could itself become a destabilization channel, mutating CCO into constitutional anti-commitment. The honest treatment is to recognise this as the boundary case where CCO attenuates: at the very high end of the irreversibility spectrum, the corrective architecture must be lighter than for other high-irreversibility decisions because constitutional binding is itself the protection being installed. Partial-CCO mechanisms exist (Germany’s Bundesverfassungsgericht constitutional-complaint procedure as ongoing rights-review re-entry, Switzerland’s referendum architecture as ownerless reopening, South African structural interdicts as supervisory jurisdiction with required implementation reports, India’s basic-structure doctrine as judicial re-entry against entrenchment) — each holds some CCO elements without continuous corrective ownership in the sense the algorithmic-eligibility or infrastructure case requires. The lesson for the architecture is that CCO is necessary for most high-irreversibility decisions but is not a universal repair: its application is itself a closure-design judgment about which kind of binding the decision is supposed to do.

In each of the publishable cases the cost of CCO infrastructure is small compared to the cost of the decision; the benefit is that fake closure becomes harder to produce and that ex-post catastrophes (SyRI, Robodebt, A-levels) become catchable in time to repair rather than only in time to investigate.

VII. Wrong repairs and fake-CCO architectures

Most regulatory-reform tradition operates as macroscopic aggregate budgeting (PAYGO, one-in-N-out ratios, broad sunset clauses, burden-reduction targets), treating regulations as fungible cost units conforming to a macroeconomic ceiling. CCO operates as microscopic conditional ownership: per-decision reopening capacity for high-irreversibility decisions, with condition-based triggers embedded in the architecture of the specific decision rather than time-based or aggregate-volume triggers across the corpus. Macroscopic budgeting routinely decays into administrative theatre, gaming, and meta-Cancer overhead; what survives from that tradition belongs at the per-decision level CCO names.

Three naive repairs contribute to the pathology CCO is meant to address.

More pre-decision burden. The default repair is more analysis, more consultation, more impact assessment, more rigorous review — so that the decision is “more right” before being made. This contributes directly to the Cancer Failures pathology (over-binding) without addressing the underlying problem: even perfect pre-decision analysis cannot foresee everything, and irreversible decisions reveal their failures over years. CCO’s contribution is to authorise the trade — accept that decisions will sometimes fail at some level of probability and install corrective ownership for the failures, rather than try to extinguish failure probability through more pre-decision binding.

Sunset clauses without owned review. Sunsets work only when a real owner performs real review. Hard sunsets succeed on narrow, politically high-stakes items (USA PATRIOT Act renewals) where legislative attention exists; broadly applied, they produce pro-forma eleventh-hour reauthorisations or catastrophic accidental expirations. Soft sunsets weaponise the deadline: the 2021 US HHS SUNSET Rule attempted to expire substantive ACA provisions through agency missed-review and was stayed in federal court (see William Funk, Yale Journal on Regulation, 2020 / 2021). Institutionalised commissions survive by reauthorising the substantive and abolishing the trivial. The narrow successes — CAB Sunset Act 1984 (airline fares fell ~45%, load factors rose from ~50% to ~74%) and ICC Termination Act 1995 — targeted specific agencies engaged in direct economic price-setting where political consensus had matured. Without that, sunsets become procedural ritual imposing overhead without producing correction. Adler & Walker propose mandatory legislative reauthorisation (Iowa Law Review 105:1931, 2020); Chafetz’s response demonstrates that decades of GAO / CRS / OTA staffing reductions have left Congress without the institutional capacity to conduct meaningful recurring reviews (The Regulatory Review, 4 March 2020), so hard sunsets across the administrative state risk transferring power to corporate lobbyists or the executive agencies they were meant to constrain.

Appeal rights as standalone repair. Appeals repair individual cases; CCO repairs regime-level failure when harms are diffuse, delayed, or resource-asymmetric. The two operate at different scales: appeals presuppose an aggrieved party with standing, time, legal aid, and information, and operate case-by-case; CCO catches systemic failures that distribute below the per-case threshold.

Beyond these three naive repairs, four common fake-CCO architectures pattern-match CCO without producing corrective ownership. Each is more common in live governance than “sunsets everywhere” and each fails the Potemkin detection criteria in §III.

Monitoring framework without corrective owner. “We have a monitoring framework” produces a dashboard, a quarterly report, possibly a stakeholder forum — without any named office whose role description includes triggering correction when monitoring shows the decision is wrong. The framework generates information; no one is required to act on it. The Robodebt regime had monitoring infrastructure; the corrective triggering never engaged.

Advisory committee without re-entry authority. Committees are convened, expert members are appointed, reports are produced. Reports are addressed to the original decision owner, who may or may not act. The committee has investigation authority but not repair authority; the original decision owner remains the only actor who can change anything, and that owner has structural interest in non-change. Many regulatory advisory committees and government review panels operate at this level.

Stakeholder engagement without post-closure duty. Public consultations, stakeholder forums, community liaison structures are spun up around the decision and around its initial implementation. They concentrate engagement at the pre-decision and immediate-post-decision moments and then dissipate, with no entity continuing to engage stakeholders once consequences accumulate over years. The engagement satisfies legitimacy requirements at the closure moment and fails to provide continuing corrective ownership.

Dashboard or reporting regime without repair power. A reporting regime is established — annual filings, performance metrics, public-data publication — without any office holding the authority to repair when reports show failure. The dashboard becomes performative; the data is published because publication is the requirement, not because publication triggers correction. Many open-data and transparency initiatives implement the public-record-and-reporting element of CCO without the named-owner and repair-authority elements.

A CCO architecture that pattern-matches the six elements but fails the operational tests of §III against one of these four common fakes is fake-closure-with-architecture. The diagnostic discipline is to ask which fake the current architecture pattern-matches, and what is missing.

Macroscopic burden-budget regimes across US (EO 13771, FY2017 “22-to-1” ratio), UK (Business Impact Target, from the 2010-2015 NAO-audited regime through the 2015-2020 statutory BIT), EU (one-in-one-out under the von der Leyen Commission II, with the €37.5bn target increasingly delivered through Simplification Omnibus packages that bypass the ordinary Regulatory Scrutiny Board impact-assessment route), and Germany (Bürokratieentlastungsgesetz IV, 2024, with most claimed savings derived from a contested document-retention shortening) reliably exhibit the same gaming patterns the four fake-CCO architectures reproduce at the per-decision level: definitional asymmetry, scope loopholes, omnibus bypass, phantom savings, and arbitrary deadlines. Detailed jurisdiction-by-jurisdiction empirical record in Sources. The general lesson: macroscopic burden management routinely decays into administrative theatre, gaming, and meta-Cancer overhead. Microscopic conditional ownership at the per-decision level (CCO) is what the durable contribution from this tradition reduces to.

VIII. Scope: institutional substrate

CCO is institution-native: named office, statutory duty, resourced capacity, independent verification, monitoring trigger, re-entry and repair authority, public record and reporting duty. The underlying mechanism — a telic system can bind provisionally only if it preserves disconfirmation sensitivity, re-entry capacity, and repair conversion when later state shows the bound has become capacity-depleting or false — applies wherever a system makes high-irreversibility decisions. CCO exports cleanly to engineered systems (software, AI deployment, markets with regulator backing) and with friction to cultural forms (reform councils, structural interdicts); for individual minds it is metaphor only, since “owner” collapses into the same person across time.

IX. Compression

Decisions are not safely closed unless someone is legally required, funded, and able to notice when reality disagrees, reopen the decision, repair it, and account for what changed. The right closure design tracks the irreversibility profile: conditional closure with named corrective owner is the default for high-irreversibility decisions. The operational test is one parliamentary question: who is required, funded, and able to notice this decision failing, and to reopen it? If no name can be given, the closure is fake. Closed enough to act, not closed enough to forget.

Related corpus essays:

• Implementation Ledger — downstream sibling: tracks execution of accepted decisions; CCO names who owns correction when execution fails
• Structural Residue — adjacent: live load after correct refusal; CCO addresses the load when the decision is accepted
• Feedback Authority — grades response duty once feedback arrives; CCO names who must produce the feedback
• The Record Gate — upstream prerequisite: corrective owner needs admissible records of original decision
• Cancer Failures — the architecture CCO offers as alternative to ever-more-pre-decision-burden; CCO is the named repair-target Cancer’s diagnosis points toward
• Refusal to Compute — pre-decision evasion; CCO operates after the institution computes and acts
• The Stack — CCO sits cross-layer at Layer 8 (Decision) + Layer 9 (Execution) + Layer 10 (Feedback) interface