Attritable systems and the problem of trust
The Syos Aerospace SM300 uncrewed surface vessel under way. (Photo: Syos Aerospace)

ATTRITABLE SYSTEMS ARE OFTEN FRAMED AS A COST QUESTION. THE HARDER PROBLEM IS THE COST OF TRUST.

Attritable systems are often framed in terms of cost.

Lower-cost platforms. Reduced consequence of loss. The ability to operate at scale without relying on highly specialised or tightly controlled hardware.

That framing is not wrong.

But it is incomplete.

The real challenge is not the cost of the system. It is the cost of trust.

Attritable systems, by definition, are expected to be lost. They are deployed in greater numbers, in more contested environments, and with fewer assumptions about control. Devices may be captured. Communications may be intercepted. Infrastructure may be degraded or unavailable.

In these conditions, the traditional approach to trust starts to break down.

A mismatch with the operating model

Most security architectures are built on a set of implicit assumptions. That devices can be provisioned in advance. That identities can be established and maintained over time. That keys can be distributed and protected within a relatively stable environment. That compromise is exceptional, rather than expected.

Attritable systems violate each of these assumptions.

They are not deployed into stable environments. They are not always provisioned under controlled conditions. Their lifecycle is uncertain. The probability of compromise is not negligible; it is part of the operating model.

This creates a mismatch between how systems are designed and how they are expected to operate.

Much of the current discussion attempts to resolve this by extending existing approaches. Stronger authentication. More resilient communications. Additional layers of protection. These measures can improve performance at the margins, but they do not address the underlying issue.

They still assume that trust can be established once, and then carried forward.

At small scale, and under controlled conditions, this can be made to work.

At scale, and under conditions of attrition, it does not.

The economics of trust

If trust is expensive to establish and maintain, it becomes a limiting factor. Manual provisioning does not scale. Persistent identities become liabilities when devices are captured. Long-lived keys create systemic risk. Centralised control mechanisms introduce points of failure in environments where connectivity cannot be guaranteed.

In this context, the economics of trust become as important as the economics of the platform itself.

Scaling attritable systems is not just a question of producing more devices at lower cost. It is a question of whether the surrounding system can support those devices without introducing disproportionate overhead or risk.

A different model is required.

From persistence to isolation

Rather than treating trust as something that is assigned to a device or identity, systems need to treat trust as something that is established dynamically, at the point of interaction, and continuously re-evaluated over time.

This shifts the emphasis from persistence to isolation.

Interactions become more important than identities. Sessions become more important than devices. Trust is bounded in time and scope, rather than assumed to extend indefinitely.

In practical terms, this often involves the rapid establishment of shared secrets, frequent key rotation, and strong separation between sessions. Compromise, when it occurs, is expected and contained, rather than exceptional and systemic.

This approach does not prevent loss. It is not designed to.

Instead, it reduces the impact of loss.

A captured device does not grant indefinite access. A compromised key does not expose the entire system. The failure of one element does not propagate uncontrollably across others.

These properties are not optional in attritable systems. They are foundational.
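
A minimal sketch of trust bounded in time and scope, added here as an illustration and not taken from the article or from any fielded system. It assumes a controller that holds a root secret and issues each device one key per device, scope and rotation epoch; the names (`session_key`, `accept`, `usv-07`), the 300-second epoch and the sample root are all constructed for the example.

```python
import hashlib
import hmac

EPOCH_SECONDS = 300  # assumed rotation interval


def hkdf_sha256(ikm: bytes, info: bytes) -> bytes:
    """HKDF (RFC 5869), zero salt, one 32-byte output block."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def session_key(root: bytes, device: str, scope: str, epoch: int) -> bytes:
    """Key valid for exactly one device, one scope and one epoch."""
    parts = (device.encode(), scope.encode(), str(epoch).encode())
    # Length-prefix each field so ("a", "bc") and ("ab", "c") cannot collide.
    info = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hkdf_sha256(root, info)


def tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def accept(root, device, scope, epoch, message, mac, now) -> bool:
    """Controller check: the claimed epoch must be the current one."""
    if epoch != now // EPOCH_SECONDS:
        return False  # key has aged out, whoever holds it
    expected = tag(session_key(root, device, scope, epoch), message)
    return hmac.compare_digest(expected, mac)


def demo() -> dict:
    root = bytes(range(32))  # constructed root, held only by the controller
    now = 1_700_000_000      # constructed timestamp
    epoch = now // EPOCH_SECONDS
    # The only secret on the (hypothetical) captured device "usv-07":
    captured = session_key(root, "usv-07", "telemetry", epoch)
    msg = b"heading=090"
    mac = tag(captured, msg)
    later = now + EPOCH_SECONDS
    return {
        "in_scope_now": accept(root, "usv-07", "telemetry", epoch, msg, mac, now),
        "replayed_later": accept(root, "usv-07", "telemetry", epoch, msg, mac, later),
        "claims_new_epoch": accept(root, "usv-07", "telemetry", epoch + 1, msg, mac, later),
        "other_scope": accept(root, "usv-07", "command", epoch, msg, mac, now),
        "other_device": accept(root, "usv-08", "telemetry", epoch, msg, mac, now),
    }


if __name__ == "__main__":
    print(demo())
```

Only the first check passes: the captured key is useless after rotation, for another scope, or for another device, because the device never holds the root. The strict epoch match ignores clock skew; a deployment would typically also accept the adjacent epoch.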

Implications for system structure

They also have implications for how systems are structured more broadly.

Reliance on persistent, external infrastructure becomes a liability in environments where connectivity is uncertain. Centralised control models become harder to sustain. Systems need to be capable of establishing and maintaining secure relationships with limited or intermittent access to external services.

This does not eliminate the role of centralised systems or higher-assurance components. But it does change where and how they are used.

Attritable systems are not simply a cheaper version of existing platforms.

They represent a shift in how systems are expected to operate. They assume uncertainty, loss, and compromise as baseline conditions, rather than edge cases.

In doing so, they expose the assumptions embedded in many existing security models.

The challenge is not simply to make systems more resilient within those models. It is to design systems that are aligned with the conditions in which they are expected to operate.

Attritable systems are often discussed as a procurement shift.

In practice, they are a forcing function.

They make visible the gap between architectures built for stability and environments defined by uncertainty. Closing that gap requires more than incremental improvement. It requires a different approach to how trust is established, maintained, and constrained over time.