Evidence earns authority when it is strong enough, current enough, corroborated enough, and replayable enough to meet the organization's own standard for the action being requested. The bar is not severity, scanner confidence, or AI judgment. It is whether the evidence supports the decision and whether the decision can be defended later.
Findings move through governed evidence states — detected, observed, corroborated, validated — before they can become authoritative. Promotion happens on independent corroboration from multiple sources. Promotion strength is a function of source diversity, not signal count. Two findings from the same scanner do not double the confidence.
Suppression dismisses a finding from view. Disproval refutes it with evidence. GoSentrix makes the distinction structurally: disproval requires either an artifact reference or a reviewer attestation that evidences the finding does not apply in context. A finding cannot be marked disproven without that evidence.
A consequential decision is replayable when it can be reproduced against the evidence, artifacts, trust state, freshness state, and policy version active at the time it was made. Replay proves reproducibility, not correctness — but reproducibility is what makes a decision a decision rather than an opinion.
GoSentrix downgrades its own authority. If a decision requests HARD_BLOCK without sufficient evidence to support it, the system automatically narrows the decision to a lower level and records the downgrade reason. The operator cannot reverse the downgrade without supplying the missing evidence.
Every consequential decision is bound to the policy version active at the time it was made. Later policy edits do not retroactively change a past decision's authority. This is the structural difference between "we changed the rules" and "we re-graded what happened under the old rules."
Overrides flow through typed approval chains with dual control. Business-critical overrides require VP approval. Risk-acceptance overrides require CISO approval. Trust-boundary violations require CISO-level break-glass and cannot be approved at a lower tier. AI agents cannot grant overrides.
The operator action is recorded as evidence input to the next verification round, not as terminal closure. GoSentrix re-executes the original replay command against the new artifact and compares outcomes. If the replay still produces the original behavior, the fix did not work — regardless of what the ticket says. A closed ticket is not evidence that risk was removed.