Overview
Every item entering the platform receives a NATO STANAG 4774-compliant confidentiality marking automatically, eliminating manual classification backlogs and ensuring consistent, auditable labelling at any ingestion volume.
Security teams ingesting hundreds of documents, alerts, or intelligence items per day cannot manually assign a NATO classification level to each one without introducing inconsistency, delay, or fatigue-driven error. Decisions that should take seconds, based on content indicators such as operational details, personnel identifiers, and intelligence assessments, instead become a backlog. Automated Classification Marking solves this by applying a structured, audited first-pass classification to every item at ingestion time and surfacing only the uncertain cases for human review.
The module applies NATO STANAG 4774 Edition 1 (2017) confidentiality metadata labels to all ingested entities using content analysis. Every item receives a classification inference with a confidence score. Items scoring at or above the confidence threshold are auto-labelled; items below that threshold receive a safe RESTRICTED default and are queued for analyst review. All decisions, automated and human, are written to an immutable audit trail in accordance with STANAG 4774 label audit requirements. Analysts approve or override markings through the review queue, and every override is recorded with the reviewer identity and reasoning.
Key Features
- STANAG 4774 Marking Engine: Each ingested entity receives a full STANAG 4774 confidentiality label including classification level, releasability markings, NATO caveats, policy reference, creation date, and originator organisation. Labels are stored in structured form and can be exported as STANAG 4774-compatible XML, enabling interoperability with downstream NATO and partner systems.
- Content-Based Inference: Classification inference analyses content against structured criteria for each NATO level (UNCLASSIFIED through COSMIC TOP SECRET) and returns a classification level, confidence score, plain-language reasoning, and the specific content indicators that triggered the decision.
- Confidence-Gated Auto-Application: A confidence threshold separates automatic application from human review, consistent with STANAG 4774 guidance that automated systems should only assert classification autonomously when certainty is high. Below the threshold, RESTRICTED is applied as the safe default per the NATO security policy framework.
- Human Review Queue: The review interface presents all items awaiting human decision alongside the suggested classification, confidence score, and auto-application timestamp. Analysts can approve the existing marking, override it to a different level, or re-trigger inference. All decisions are audited.
- Immutable Audit Trail: Every classification event (auto-applied, human-approved, human-overridden, and escalated) is recorded with actor identity, old and new classification levels, timestamp, and reasoning, satisfying STANAG 4774 label audit requirements and European Defence Fund audit mandates for AI-assisted decisions on sensitive data.
- STANAG 4778 Binding Metadata: Each marking record carries STANAG 4778 binding metadata fields, including the inference source identifier and a binding hash, enabling downstream systems to verify that a label was produced by an authorised process and has not been tampered with.
- Colour-Coded Classification Badges: Classification levels are rendered with established colour conventions (green for UNCLASSIFIED, amber for RESTRICTED, orange for CONFIDENTIAL, red for SECRET, dark purple for COSMIC TOP SECRET), with full WCAG 2.2 AAA accessibility compliance.
- EU Classification Support: In addition to NATO levels, the platform supports EU RESTRICTED and EU CONFIDENTIAL markings, covering joint NATO-EU operational environments and EDF/PESCO programme requirements.
Use Cases
Defence and Intelligence Analysis
Security-cleared analysts work through the human review queue, approving or overriding suggested markings with a recorded decision and audit entry, reducing manual classification effort to only the cases that genuinely require human judgement.
Multi-National Information Sharing
Entities shared across Community of Interest channels carry STANAG 4774 markings that receiving organisations can validate against their own classification policies, ensuring consistent handling across coalition partners.
Automated Classification at Ingest
All content ingested through connector pipelines (open-source intelligence, structured data feeds, uploaded documents) receives a STANAG 4774 classification marking without analyst intervention, keeping the review queue focused on uncertain cases.
Export Marking Compliance
When entities are exported to partner systems, the STANAG 4774 XML binding is attached to the payload so the classification travels with the data, satisfying transfer requirements under NATO information security policies.
EDF and PESCO Audit Compliance
The immutable audit trail satisfies the European Defence Fund requirement that all automated decisions on sensitive data are logged with actor, action, and provenance, supporting programme compliance reporting without additional instrumentation.
Integration
The Classification Marking capability is accessible to customer applications and partner integrations through standard platform interfaces.
GraphQL API: Dedicated queries and mutations expose the full classification workflow. Customers can trigger classification inference for an entity, fetch its current STANAG 4774 label, submit a human review decision (approve or override), and retrieve the classification review queue, all through the same authenticated GraphQL surface used by other platform modules.
Ingestion Pipeline Hook: Classification runs automatically as part of the standard ingestion pipeline. Every connector, whether a threat intelligence feed, document upload, or structured data source, triggers classification inference on completion without requiring any additional configuration from the integrator.
Normalised Label Model: Classification markings follow a consistent schema across all entity types. The structured label includes classification level, releasability, NATO caveats, policy identifier, creation date, originator, and optional STANAG 4778 binding hash. This model is stable across platform versions and safe to persist in partner systems.
STANAG 4774 XML Export: Any classification label can be serialised to STANAG 4774-compatible XML for attachment to exported payloads, enabling interoperability with NATO and partner systems that consume labels in the standard binding format.
Authentication and Authorisation: All API access uses OAuth 2.0 / JWT bearer tokens scoped to the tenant. Classification review and override operations require appropriate analyst roles; read access to labels is available to any authenticated service within the tenant scope.
Open Standards
- NATO STANAG 4774 Ed.1 (2017), Confidentiality Metadata Label Syntax. Defines the structure of confidentiality labels including classification level, releasability markings, NATO caveats, policy reference, and originator. The platform applies and exports labels conformant with this standard.
- NATO STANAG 4778 Ed.1 (2018), Metadata Binding. Defines cryptographic binding between security labels and message payloads. Each classification record carries STANAG 4778 binding hash fields so downstream systems can verify label integrity and authorised provenance.
- EU Council Decision 2013/488/EU, Security Rules for Protecting EU Classified Information (EUCI). Governs EU RESTRICTED and EU CONFIDENTIAL markings applied by the platform in joint NATO-EU and EDF/PESCO contexts.
- WCAG 2.2 (W3C), Web Content Accessibility Guidelines Level AAA. Classification badge components meet AAA conformance for colour contrast and screen-reader labelling.
- OAuth 2.0 / JWT (RFC 6749 / RFC 7519), Open standard token framework used for all API authentication and tenant-scoped authorisation.
Security and Compliance
Classification marking decisions are tenant-scoped: no label, audit record, or review queue entry is accessible outside the originating tenant. The audit trail is append-only; existing records cannot be modified or deleted through any API surface.
Automated decisions below the confidence threshold always resolve to the more restrictive RESTRICTED default, ensuring the platform fails safely when content signals are ambiguous. Human overrides to a lower classification level are recorded with mandatory reviewer identity and reasoning, creating an evidential trail for any subsequent compliance review.
The STANAG 4778 binding hash provides a chain-of-custody guarantee: any modification to a label after issuance will cause binding validation to fail in downstream systems, enabling tamper detection without requiring additional infrastructure.
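The confidence gate, mandatory-reasoning override and binding check described in this section, as an added sketch; it is not the platform's code and not the STANAG 4778 wire format. The 0.85 threshold, the HMAC-SHA-256 construction, the demo key and all field names are assumptions, and audit timestamps are omitted so results are deterministic.

```python
import hashlib
import hmac
import json

# Assumed values: the page does not state the threshold, key handling or hash construction.
CONFIDENCE_THRESHOLD = 0.85
SAFE_DEFAULT = "RESTRICTED"
BINDING_KEY = b"constructed-demo-key"  # would be held only by the authorised marking process


def binding_hash(label: dict, payload: bytes) -> str:
    """HMAC-SHA-256 over the canonical label plus a digest of the payload it is bound to."""
    canonical = json.dumps(label, sort_keys=True, separators=(",", ":")).encode()
    message = canonical + b"|" + hashlib.sha256(payload).digest()
    return hmac.new(BINDING_KEY, message, hashlib.sha256).hexdigest()


def mark(payload, suggested, confidence, originator, audit, review_queue):
    """Apply the suggested level only at or above the threshold; otherwise default and queue."""
    auto = confidence >= CONFIDENCE_THRESHOLD
    label = {"classification": suggested if auto else SAFE_DEFAULT, "originator": originator}
    record = {"label": label, "binding": binding_hash(label, payload)}
    audit.append({"actor": "inference", "event": "auto-applied" if auto else "queued-for-review",
                  "old": None, "new": label["classification"],
                  "suggested": suggested, "confidence": confidence})
    if not auto:
        review_queue.append(record)
    return record


def override(record, payload, new_level, reviewer, reasoning, audit):
    """Human override: refuse without reviewer identity and reasoning, then re-issue the binding."""
    if not reviewer or not reasoning:
        raise ValueError("override requires reviewer identity and reasoning")
    label = dict(record["label"], classification=new_level)
    audit.append({"actor": reviewer, "event": "human-overridden",
                  "old": record["label"]["classification"], "new": new_level,
                  "reasoning": reasoning})
    return {"label": label, "binding": binding_hash(label, payload)}


def verify(record, payload) -> bool:
    """Downstream check: recompute the binding and compare in constant time."""
    return hmac.compare_digest(binding_hash(record["label"], payload), record["binding"])
```

With a shared-key MAC, any system able to verify a label could also forge one; a digital signature lets downstream systems verify without holding the issuing key.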
Last Reviewed: 2026-04-14 / Last Updated: 2026-04-14