What Is a Circuit Breaker in a Financial AI System?
In power systems engineering, a circuit breaker opens the circuit when current exceeds safe thresholds — protecting the downstream load from the upstream fault. It does not negotiate. It opens.
The same principle applies to governed financial intelligence. A circuit breaker intercepts a compromised signal before it reaches a decision-maker — not because the system is being conservative, but because a compromised signal delivered with apparent confidence is worse than no signal at all.
"The most dangerous output in a financial intelligence system is not a wrong prediction. It is a wrong prediction delivered without any indication that it is wrong."
Fail-Closed vs. Fail-Open: The Fundamental Choice
Fail-closed architecture means that when a system cannot confirm data integrity, model validity, or signal quality, it suppresses or blocks the output rather than rendering it.
Fail-open — the default in most financial data systems — means the system continues to publish even when inputs are compromised: bad API responses become blank cells, stale data sources render their last value, models in invalid regimes still produce numbers.
This creates what SYZYG calls "ghosts" — signals that look valid because they render normally, but are built on corrupted or outdated inputs. Fail-closed architecture refuses to render ghosts.
The Four Circuit Breaker Triggers
| Trigger | Condition | Governance Response | RDL Record |
|---|---|---|---|
| STALE_DATA | Input age exceeds maximum freshness window | Suppress or force OBSERVE gate | suppression_reason: STALE_DATA + input_timestamp |
| CONF_DEGRADE | MPI confidence below threshold for current exec class | Downgrade exec class or suppress | suppression_reason: CONF_DEGRADE + confidence_tier |
| REGIME_MISMATCH | Model detected operating in unvalidated regime | Suppress or downgrade until re-confirmed | suppression_reason: REGIME_MISMATCH + regime_context |
| SCHEMA_DRIFT | Data pipeline structure change compromises input integrity | Full suppression — input integrity unverifiable | suppression_reason: SCHEMA_DRIFT + source |
Every trigger produces a specific suppression reason recorded in the Research Decision Ledger, making every suppression traceable and defensible.
The Output Gate Sequence
Every SYZYG output passes through a sequential gate sequence. Failure at any gate suppresses the output and triggers an RDL record.
Gate 1 — Data Freshness (HARD): Is every contributing input within its maximum staleness window? If no: STALE_DATA → suppress.
Gate 2 — Schema Integrity (HARD): Does incoming data structure match the validated schema? If no: SCHEMA_DRIFT → suppress.
Gate 3 — Regime Validator (SOFT): Is the active regime classified and stable? Is the model validated for this regime? If no: REGIME_MISMATCH → downgrade or suppress.
Gate 4 — Confidence Threshold (SOFT): Is combined MPI confidence sufficient for the requested exec class? If no: CONF_DEGRADE → downgrade or suppress.
Gate 5 — Plane Conflict Check (SOFT): Are signal planes in significant disagreement? If yes: force C1 (Conflicted) → OBSERVE regardless of MPI score.
Gate 6 — RDL Append (ALWAYS): All outputs — published, downgraded, or suppressed — are written to the RDL with full evidence packet.
Gate 7 — Governed Output (CONDITIONAL): Published only if all hard gates pass and soft gates produce a valid execution class.
Silence Is a Signal
The most counterintuitive property of fail-closed architecture: a suppressed output is not a failure. It is a success.
When a SYZYG circuit breaker suppresses an output, it provides the most honest signal it can: the conditions for a governed output do not exist right now. This prevents a decision from being made on false grounds — precisely the category of loss circuit breakers exist to prevent.
Circuit Breaker vs. Stop-Loss
A stop-loss is a post-decision control — it exits a trade when price moves adversely beyond a threshold. It acts after a decision has been made and a loss begins.
A circuit breaker is a pre-decision governance control — it prevents compromised intelligence from generating the recommendation in the first place. A stop-loss limits the damage of a bad decision. A circuit breaker prevents the bad decision from being made. Both are necessary; they operate at different points in the decision chain.
The RDL as Proof That the System Worked
Every circuit breaker suppression creates a record in the Research Decision Ledger: the trigger condition, the input state at suppression time, the model version, the regime context, and a replay reference.
This means an institution can prove — months after the fact — that its system correctly identified and suppressed compromised intelligence rather than delivering it as a recommendation.
"A governed system that refuses to publish is more valuable than an ungoverned system that always does."
See the Research Decision Ledger field specification for the complete evidence packet structure.
Market structure intelligence — not investment advice. Built by OptimaX Solutions LLC. Structure precedes price. Governance precedes trust.