What is a multi-INT unified data model?

A multi-INT unified data model is a canonical schema that represents intelligence objects — persons, locations, equipment, events, signals, imagery observations — in a single, INT-agnostic structure. Rather than maintaining separate database schemas per intelligence discipline (one for HUMINT reports, one for SIGINT intercepts, one for IMINT detections), a unified model defines shared entity types, common provenance fields, and standardized confidence attributes that work across all source types. This allows cross-source entity resolution, temporal fusion, and a consistent query interface regardless of which INT contributed a given piece of information. The goal is not to erase discipline-specific semantics but to encode them in a common envelope that the platform can reason over uniformly.

How do you handle HUMINT versus SIGINT structural differences in a unified schema?

HUMINT reports are primarily textual, carry strong source-reliability metadata, have broad temporal windows (a report may describe an event that occurred days ago), and often encode intent or attitude alongside observable facts. SIGINT intercepts are high-velocity, timestamped to milliseconds, structured around emitter parameters (frequency, modulation, bearing), and generally carry no direct semantic content without additional processing. A unified schema handles this through a shared core entity envelope — entity type, unique ID, valid-time interval, provenance block — combined with INT-specific extension payloads. The SIGINT payload carries emitter parameters; the HUMINT payload carries the narrative extract and source assessment. The core envelope is always populated; the extension payload is typed by INT discipline. Queries that need only location and time work across both; queries needing source reliability detail dereference the provenance block; queries needing signal-specific parameters access the typed extension.

What is the NATO admiralty scale and how does it apply to a data model?

The NATO admiralty scale (also called NATO source grading, or the 6x6 reliability-credibility matrix) rates sources on a six-point reliability scale (A through F: Completely Reliable, Usually Reliable, Fairly Reliable, Not Usually Reliable, Unreliable, Reliability Cannot Be Judged) and information on a six-point credibility scale (1 through 6: Confirmed by Other Sources, Probably True, Possibly True, Doubtful, Improbable, Truth Cannot Be Judged). In a data model, these two grades are stored as discrete fields on the provenance block of every intelligence report or observation. They are distinct from machine-computed fusion confidence scores: admiralty grades encode human source assessment, while confidence scores encode statistical agreement across corroborating sources. Both must be preserved without conflation. When displaying fused intelligence to analysts, platforms should show both the original admiralty grades from contributing sources and the computed fusion confidence of the resulting fused entity.

What is cross-INT entity resolution and why is it hard?

Cross-INT entity resolution is the process of determining that two or more records from different intelligence sources refer to the same real-world entity — the same person, vehicle, location, or event — and merging them into a single golden record. It is hard for several reasons. First, each INT uses different identifiers: HUMINT may name a person by pseudonym or alias; SIGINT identifies a device by IMSI or emitter fingerprint; IMINT identifies a vehicle by visual signature or license plate. These identifiers do not automatically link. Second, each INT has different spatial and temporal precision: an IMINT detection places a vehicle at a grid coordinate with 5-meter accuracy at a specific timestamp; a HUMINT report places a person at a named location over a multi-day window. Third, the same entity may appear under different labels across collection cycles. Resolution requires probabilistic matching across heterogeneous attributes, with explicit uncertainty and a conflict-resolution policy for cases where contributing records are inconsistent.

What is a bi-temporal data model and why is it important for intelligence?

A bi-temporal model tracks two independent time dimensions for every record: valid time (when the recorded fact was true in the real world) and transaction time (when the record was entered into the database). For intelligence, valid time answers 'when did this event occur?' For example, an adversary convoy was observed at grid 38TXN at 14:32 local. Transaction time answers 'when did the system learn about it?' For example, the imagery was processed and the detection record was created at 16:15 UTC. These can diverge significantly: a late-arriving HUMINT report might be ingested on day D+3 but describe an event from day D-5. Without transaction time, the picture as it stood before a retroactive correction cannot be reconstructed. Without valid time, temporal queries about the world ('what was happening at location X at time T?') return incorrect results, because records can only be ordered by when they arrived. The combination enables analysts to reconstruct the intelligence picture as it existed at any past transaction time, and to query what was factually true at any past valid time. These are two different and essential analytical capabilities.

How should a unified model handle classification markings?

Classification markings must be embedded at multiple levels of granularity: at the entity level (the overall classification of the fused intelligence object), at the observation level (the classification of each contributing source record), and at the field level (individual attributes may carry higher classification than the entity envelope). The data model should encode classification using a structured type — not a free-text field — with mandatory fields for the classification level (UNCLASSIFIED / CONFIDENTIAL / SECRET / TOP SECRET), handling restrictions (REL TO, NOFORN, ORCON, etc.), and the originator control authority. This structure enables automated access control enforcement: a user cleared at SECRET/REL TO GBR can receive entity envelopes and field values whose classification metadata is within their clearance, with higher-classified fields either redacted or withheld. Free-text classification strings are insufficient for programmatic enforcement and are a common schema design failure in early-stage military platforms.

What is a golden record in intelligence data management?

A golden record is the authoritative, fused representation of a real-world entity, constructed by resolving and merging all contributing source observations. It is contrasted with the raw source records, which remain immutable in the data store. The golden record holds the best-estimated values for each attribute — position, identity, affiliation, equipment type — along with the fusion confidence for each attribute, the list of contributing source record IDs, and the timestamp of the last fusion update. Golden record management requires a defined merge policy: when two sources disagree on an attribute value, the system must apply a rule — most recent wins, highest reliability source wins, or a weighted average for numeric attributes. The merge policy must be auditable: analysts must be able to inspect which source contributed which field to the golden record and why. Systems that update golden records without preserving provenance links violate the lineage requirements of most military intelligence platforms.

How do you version intelligence entities as new reports arrive?

Intelligence entities evolve as new reports confirm, update, or contradict existing assessments. A production-grade data model should maintain an immutable event log of all state transitions for each entity. Each new contributing report triggers an update event that records the previous state, the new state, the contributing source IDs, the fusion logic applied, and the transaction timestamp. The current golden record is always the result of replaying this log from the beginning. This append-only design supports several critical capabilities: rollback to a prior state if a source is later found to be deceptive or erroneous; audit trail for intelligence assessments; retrospective analysis of how an entity's assessed position or identity evolved over time. Rollback should be a first-class operation in the API, not an emergency procedure requiring database access.

How should MASINT data be integrated into a unified model?

MASINT (Measurement and Signature Intelligence) covers a diverse set of collection modalities — seismic, acoustic, nuclear radiation, chemical/biological detection, radar cross-section measurement, RF signature analysis. Unlike SIGINT (which focuses on communications and electronic emissions as information carriers) or IMINT (which is visual), MASINT is characterized by physical measurement of phenomena. In a unified model, MASINT contributions are represented through the standard observation envelope with a MASINT-typed extension payload. The extension encodes the sensor modality, measurement parameters (e.g., seismic waveform peak amplitude and frequency profile), geolocation method and uncertainty, and phenomenology type. The key challenge is that MASINT observations often do not directly identify entities — a seismic signature indicates an explosion at a location, but does not specify what type of munition. The model must support a two-step link: MASINT observation → Event entity (explosion) → Equipment entity (inferred munition type, with low confidence score).

What are the main schema evolution challenges when adding new INT types?

When a new intelligence discipline or data source type must be added to an existing unified model, three categories of challenge arise. First, backwards compatibility: existing consumers that query the entity store must not break when new typed extension payloads appear. This requires that the core entity envelope be strictly versioned, and that extension payloads be optional and typed, not embedded mandatory fields. Second, provenance mapping: the new INT type must be assigned codes in the existing provenance taxonomy (source type enumeration, reliability scale mappings, classification handling rules). Third, entity resolution coverage: the entity resolution subsystem must be updated with matching rules that link new-type observations to existing entity types. For example, adding an acoustic signature INT source requires defining how an acoustic bearing observation can be linked to an existing Equipment track entity. These linkage rules are the most labor-intensive part of adding a new INT type and must be specified explicitly rather than inferred — automated cross-INT matching without explicit rules produces uncontrolled false fusions.

Multi-INT unified data model for military intelligence

Every serious military intelligence platform eventually confronts the same structural problem: five or more intelligence disciplines each produce data in their own format, at their own velocity, with their own semantics — and analysts need a unified picture that reasons across all of them simultaneously. The complete guide to defense data fusion covers the processing pipeline in broad terms. This article goes deeper on the schema layer — the canonical data model that sits beneath the fusion engine and gives it something coherent to work with.

Getting the data model right is not a detail. A poorly designed schema forces INT-specific logic into the application layer, makes cross-source queries fragile, and turns schema migrations into multi-week platform freezes. A well-designed model absorbs new INT types, supports bi-temporal queries, and keeps provenance intact through every stage of fusion. This article covers the design decisions that determine which category your platform falls into: entity types, provenance, entity resolution, temporal modeling, lineage, and schema evolution.

Why each INT needs a different schema adaptation

The five main intelligence disciplines differ not just in what they collect but in how that data is structured, at what velocity it arrives, and what metadata is inherently available. These differences are not superficial. They determine what adapter logic is needed before any unified model can ingest a source, and they constrain what cross-INT queries are feasible.

HUMINT (human intelligence) is primarily textual. A HUMINT report is a narrative document describing what a source observed, heard, or was told. Timestamps are often imprecise — the report may describe an event that occurred over a range of days, with uncertainty in both the time and the location. The most important metadata is source assessment: how reliable is this particular source, and how credible is this specific piece of information? HUMINT data velocity is low — tens to hundreds of reports per day at a busy collection point, not thousands per second.

SIGINT (signals intelligence) — covering both COMINT (communications) and ELINT (electronic intelligence) — is high-velocity, highly structured, and time-stamped to millisecond precision. A SIGINT intercept or emitter detection carries frequency parameters, bearing angles, time-difference-of-arrival fixes, and modulation characteristics. The semantic content (what was said) is often classified separately from the signal parameters. SIGINT data velocity can reach millions of records per hour for a modern collection system covering a contested electromagnetic environment.

IMINT (imagery intelligence) produces structured observation records derived from imagery analysis: bounding boxes with entity class labels and confidence scores, geolocation coordinates, ground sample distance, and collection timestamp. A single satellite pass or drone flight may generate thousands of object detection records. The challenge is that IMINT detections are spatial snapshots — they tell you where something was at a specific moment, not where it is going.

OSINT (open-source intelligence) is structurally the most heterogeneous. It includes social media posts, news articles, commercial satellite imagery analysis, flight tracking data, and maritime AIS feeds. Each source type has its own schema. OSINT is also the least controlled — source quality ranges from authoritative government publications to anonymous unverified social media claims.

MASINT (measurement and signature intelligence) covers physical phenomenon measurement: seismic, acoustic, nuclear radiation, chemical/biological signatures, and radar cross-section profiles. MASINT observations are often indirect — they detect a phenomenon (explosion, vehicle movement, RF emission) rather than directly identifying an entity. The chain from MASINT observation to entity identification requires explicit inference steps that must be modeled in the schema.

The implication for a unified model is that the schema must accommodate this diversity without collapsing it. The answer is a typed core envelope with discipline-specific extension payloads — a design pattern covered in detail in the building defense fusion pipeline part 1 series.

Schema Design Reference

INT Disciplines — Data Characteristics Comparison

Discipline	Data velocity	Primary structure	Temporal precision	Direct entity ID?
HUMINT	Low (reports/day)	Narrative text + metadata	Hours to days	Often (name, pseudonym)
SIGINT	Very high (millions/hr)	Structured parameters	Milliseconds	Device ID (IMSI, emitter)
IMINT	Medium (detections/pass)	Spatial detections	Seconds to minutes	Visual class label
OSINT	Variable (very high)	Heterogeneous	Seconds to days	Source-dependent
MASINT	Low to medium	Physical measurements	Milliseconds	Rarely — needs inference

Intelligence discipline characteristics that drive schema design decisions in a unified model.

Canonical entity types for a unified model

The starting point for schema design is defining the entity type taxonomy: the list of real-world things the platform must track and reason about. For most military intelligence platforms, six entity types cover the vast majority of intelligence objects:

Person — individual human subjects: combatants, commanders, facilitators, civilians of interest
Organization — groups, units, networks, command structures
Location — fixed geographic sites: facilities, infrastructure, landmarks, named areas of interest
Equipment — vehicles, weapons systems, sensors, communications devices
Event — discrete occurrences: engagements, explosions, meetings, transmissions
Document — captured materials, publications, intelligence reports as objects of analysis

Each entity type has a core field set that is INT-agnostic — fields that must be populated regardless of which intelligence discipline contributed the information:

EntityCore {
  entity_id:       UUID           // globally unique, immutable
  entity_type:     Enum           // Person | Organization | Location |
                                  // Equipment | Event | Document
  classification:  ClassMarkings  // see provenance section
  valid_time:      TimeInterval   // [start, end) when fact was true
  transaction_time:TimeInterval   // [start, end) when row was current
  confidence:      Float[0..1]    // fused confidence across sources
  source_obs_ids:  UUID[]         // contributing observation record IDs
  schema_version:  SemVer         // for evolution compatibility
  created_at:      Timestamp
  updated_at:      Timestamp
}

Beyond the core, each entity type has typed attribute extensions. A Person entity carries biometric identifiers, aliases, nationality, and associated organization links. An Equipment entity carries platform type, serial identifiers if known, and associated unit link. An Event entity carries event class, involved entity references, and spatial footprint. These extensions are stored as typed payloads attached to the core envelope — not as columns on the core table. This separation is what enables the schema to absorb new attributes for one entity type without affecting others.

The same separation principle applies to INT contributions. When a SIGINT intercept links to a Person entity (because an IMSI was resolved to a known individual), that link is stored as an observation record with a SIGINT-typed payload pointing to the Person entity UUID. The Person entity itself does not carry SIGINT-specific columns — that coupling would make the schema fragile to any SIGINT collection change.
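As a rough illustration of this separation, the sketch below models a reduced core envelope and the observation link in Python. The names SigintPayload, HumintPayload, Observation and payloads_for are hypothetical, only a subset of the EntityCore fields is shown, and the IMSI is a made-up test value. It is a minimal sketch under those assumptions, not a reference implementation.

```python
from dataclasses import dataclass
from typing import Optional, Union
from uuid import UUID, uuid4


@dataclass(frozen=True)
class EntityCore:
    """INT-agnostic envelope (subset of the fields listed in the article)."""
    entity_id: UUID
    entity_type: str              # "Person", "Equipment", ...
    schema_version: str = "1.0.0"


@dataclass(frozen=True)
class SigintPayload:              # hypothetical SIGINT extension
    frequency_mhz: float
    bearing_deg: float
    imsi: Optional[str] = None


@dataclass(frozen=True)
class HumintPayload:              # hypothetical HUMINT extension
    narrative: str


Payload = Union[SigintPayload, HumintPayload]


@dataclass(frozen=True)
class Observation:
    """A source record linked to an entity by UUID."""
    obs_id: UUID
    entity_id: UUID
    payload: Payload


def payloads_for(observations, entity_id, payload_type):
    """Return the payloads of one INT type that are linked to an entity."""
    return [
        o.payload
        for o in observations
        if o.entity_id == entity_id and isinstance(o.payload, payload_type)
    ]


person = EntityCore(entity_id=uuid4(), entity_type="Person")
observations = [
    Observation(uuid4(), person.entity_id,
                SigintPayload(900.0, 45.0, imsi="001010123456789")),
    Observation(uuid4(), person.entity_id,
                HumintPayload("Seen near the market.")),
]
sigint = payloads_for(observations, person.entity_id, SigintPayload)
```

The Person envelope has no SIGINT fields at all. The IMSI lives only in the observation payload, so a change to SIGINT collection touches SigintPayload and nothing else.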

Provenance and source tracking

Provenance is the most critical non-functional requirement of any intelligence data model. Every piece of information in the fused picture must be traceable back to its source observation, the collection system that produced it, and the human assessments applied to its reliability. Without this chain, analysts cannot evaluate the quality of the picture they are working from, and the platform cannot perform rollback when a source is found to be unreliable.

A provenance block attached to every observation record should carry at minimum:

ProvenanceBlock {
  int_type:            Enum     // HUMINT | SIGINT | IMINT | OSINT | MASINT
  source_id:           UUID     // internal source registry reference
  source_reliability:  Char     // A–F (NATO admiralty scale)
  info_credibility:    Integer  // 1–6 (NATO admiralty scale)
  collection_time:     Timestamp
  report_time:         Timestamp  // when report entered system
  originator:          String     // unit or system that produced report
  classification:      ClassMarkings
  handling_caveats:    String[]   // NOFORN, ORCON, REL TO, etc.
  dissemination_ctrl:  String[]
}

The NATO admiralty scale encodes two independent human assessments on each piece of intelligence. Source reliability (A through F) rates the historical track record and trustworthiness of the source: an A-rated source has been consistently accurate and reliable, an E-rated source has a poor track record, and an F rating means reliability cannot be judged (typically a new or unknown source). Information credibility (1 through 6) rates the plausibility of the specific information independent of source history: a 1-rated item is confirmed by other independent sources, a 5-rated item is improbable given what else is known, and a 6 rating means the truth of the item cannot be judged.

These two grades are human assessments made by trained intelligence officers. They are distinct from, and must not be conflated with, the machine-computed fusion confidence score on the entity. The fusion confidence reflects statistical agreement across corroborating sources; the admiralty grades reflect human judgment about source quality. Both must be preserved and surfaced to analysts separately.
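One way to keep the two kinds of assessment from being conflated is to give them separate types. The following sketch assumes a two-character grade notation such as "B2"; the class names AdmiraltyGrade and AssessedAttribute are hypothetical and the attribute value is illustrative.

```python
from dataclasses import dataclass
from enum import Enum


class SourceReliability(Enum):
    A = "Completely reliable"
    B = "Usually reliable"
    C = "Fairly reliable"
    D = "Not usually reliable"
    E = "Unreliable"
    F = "Reliability cannot be judged"


class InfoCredibility(Enum):
    CONFIRMED = 1
    PROBABLY_TRUE = 2
    POSSIBLY_TRUE = 3
    DOUBTFUL = 4
    IMPROBABLE = 5
    CANNOT_BE_JUDGED = 6


@dataclass(frozen=True)
class AdmiraltyGrade:
    reliability: SourceReliability
    credibility: InfoCredibility

    @classmethod
    def parse(cls, code: str) -> "AdmiraltyGrade":
        """Parse a two-character grade such as 'B2'."""
        if len(code) != 2:
            raise ValueError(f"expected a grade like 'B2', got {code!r}")
        try:
            reliability = SourceReliability[code[0].upper()]
        except KeyError as exc:
            raise ValueError(f"unknown reliability letter in {code!r}") from exc
        # int() and the enum lookup both raise ValueError on bad input.
        return cls(reliability, InfoCredibility(int(code[1])))

    def __str__(self) -> str:
        return f"{self.reliability.name}{self.credibility.value}"


@dataclass(frozen=True)
class AssessedAttribute:
    value: str
    source_grades: tuple        # human assessments, one per contributing source
    fusion_confidence: float    # machine-computed, kept in its own field


attr = AssessedAttribute(
    value="main battle tank",
    source_grades=(AdmiraltyGrade.parse("B2"), AdmiraltyGrade.parse("c3")),
    fusion_confidence=0.81,
)
```

Because the grades are never converted to a number, nothing downstream can silently average them into the fusion confidence.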

Classification markings require structured representation, not free text. A ClassMarkings type must encode: classification level (UNCLASSIFIED through TOP SECRET), compartments and codewords, and handling caveats as an enumerated list. The structure enables programmatic access control enforcement — the platform can evaluate at query time whether a given user's clearance satisfies the classification of each field, and can selectively redact or withhold fields that exceed the user's clearance rather than refusing to return the entire entity.
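Field-level redaction can be sketched as follows. This is a deliberately simplified model: it checks only the classification level and compartments, and leaves out handling caveats such as REL TO or NOFORN, which a real platform would also have to evaluate. The Clearance type, the redact function and the compartment name ALPHA are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class ClassMarkings:
    level: Level
    compartments: frozenset = frozenset()


@dataclass(frozen=True)
class Clearance:                # hypothetical user clearance record
    level: Level
    compartments: frozenset = frozenset()


def can_read(user: Clearance, marking: ClassMarkings) -> bool:
    """Level must dominate and every compartment must be held by the user."""
    return (user.level >= marking.level
            and marking.compartments <= user.compartments)


REDACTED = "[REDACTED]"


def redact(fields: dict, user: Clearance) -> dict:
    """fields maps attribute name -> (value, ClassMarkings)."""
    return {
        name: (value if can_read(user, marking) else REDACTED)
        for name, (value, marking) in fields.items()
    }


fields = {
    "position": ("grid 38TXN", ClassMarkings(Level.SECRET)),
    "alias": ("EXAMPLE-ALIAS",
              ClassMarkings(Level.TOP_SECRET, frozenset({"ALPHA"}))),
}
view = redact(fields, Clearance(Level.SECRET))
```

The SECRET-cleared user still receives the entity, with the position intact and the alias withheld, which is the behavior a free-text marking cannot support.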

Cross-INT entity resolution

Entity resolution — determining that records from different sources refer to the same real-world entity — is the core fusion problem, and it is hardest precisely at the cross-INT boundary. Within a single INT, identifier schemes are consistent: two SIGINT records that share an IMSI refer to the same device. Across INTs, no shared identifier exists by default. An IMINT detection of a vehicle, a SIGINT bearing fix on an emitter collocated with that vehicle, and a HUMINT report naming a person seen in that vehicle must be linked through probabilistic inference, not through a shared key.

The entity resolution pipeline for a unified model must handle three linking scenarios:

Hard links: shared identifiers that definitively link records to the same entity, such as a known IMSI, a license plate read on two IMINT passes, or a biometric match. Hard links should be propagated automatically with no confidence decay.

Soft links: probabilistic associations based on attribute similarity within uncertainty bounds. An example is two observations reporting a vehicle of the same class at overlapping locations, within a temporal window that is consistent with movement between them. Soft links carry a match confidence score computed by the resolution engine.

Inferred links: associations derived from domain knowledge. If a SIGINT emitter bearing consistently co-moves with an IMINT vehicle track, they are likely the same platform. These links require explicit rule definitions and carry lower confidence than soft links based on direct attribute overlap.
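The "consistent with movement" condition for soft links can be approximated with a simple reachability gate. The sketch below is one possible check, not the resolution engine itself: it only answers yes or no, whereas a real engine would produce a confidence score. The Sighting type, the 30 m/s speed limit and the coordinates are illustrative assumptions.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class Sighting:
    lat_deg: float
    lon_deg: float
    time_s: float            # seconds since an arbitrary shared epoch
    entity_class: str
    pos_error_m: float = 0.0


def distance_m(a: Sighting, b: Sighting) -> float:
    """Great-circle distance on a spherical Earth (haversine formula)."""
    phi1, phi2 = math.radians(a.lat_deg), math.radians(b.lat_deg)
    dphi = phi2 - phi1
    dlmb = math.radians(b.lon_deg - a.lon_deg)
    h = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def movement_consistent(a: Sighting, b: Sighting, max_speed_mps: float) -> bool:
    """True if one object of this class could have produced both sightings."""
    if a.entity_class != b.entity_class:
        return False
    reachable_m = max_speed_mps * abs(b.time_s - a.time_s)
    return distance_m(a, b) <= reachable_m + a.pos_error_m + b.pos_error_m


first = Sighting(50.0, 30.0, 0.0, "truck", pos_error_m=5.0)
one_hour_later = Sighting(51.0, 30.0, 3600.0, "truck", pos_error_m=5.0)
two_hours_later = Sighting(51.0, 30.0, 7200.0, "truck", pos_error_m=5.0)

too_fast = movement_consistent(first, one_hour_later, max_speed_mps=30.0)
plausible = movement_consistent(first, two_hours_later, max_speed_mps=30.0)
```

One degree of latitude is roughly 111 km, so a 30 m/s vehicle cannot cover it in one hour but can in two. Pairs that fail the gate never reach the scoring stage.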

The resolution pipeline produces match hypotheses. Hypotheses above a high-confidence threshold are automatically fused into the golden record. Hypotheses in the middle range are flagged for analyst review. Hypotheses below the low threshold are retained as separate entities. The threshold values are configurable and should be tunable per entity type — Person entity merges warrant higher confidence thresholds than Equipment merges, because false person fusions produce worse analytical consequences than false equipment fusions.
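The three-way routing of match hypotheses is straightforward to express in code. The threshold values below are placeholders rather than recommendations, and treating a score exactly on a threshold as belonging to the higher band is an assumption of this sketch.

```python
from enum import Enum


class Decision(Enum):
    AUTO_FUSE = "auto_fuse"
    ANALYST_REVIEW = "analyst_review"
    KEEP_SEPARATE = "keep_separate"


# (low, high) per entity type. Illustrative values only: Person merges
# get a stricter auto-fuse threshold than Equipment merges.
THRESHOLDS = {
    "Person": (0.60, 0.95),
    "Equipment": (0.50, 0.85),
}


def triage(entity_type: str, match_confidence: float) -> Decision:
    """Route a match hypothesis according to its per-type thresholds."""
    low, high = THRESHOLDS[entity_type]
    if match_confidence >= high:
        return Decision.AUTO_FUSE
    if match_confidence >= low:
        return Decision.ANALYST_REVIEW
    return Decision.KEEP_SEPARATE


person_decision = triage("Person", 0.90)
equipment_decision = triage("Equipment", 0.90)
```

The same 0.90 hypothesis is auto-fused for Equipment but sent to an analyst for Person, which reflects the asymmetry in the cost of a false fusion.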

Golden record management requires a defined merge policy for attribute conflicts. When two sources disagree on an attribute — one HUMINT report says a person was at location A, an IMINT detection places them at location B one hour later — the merge policy must specify how to reconcile the attribute in the golden record. Common policies include: most recent valid time wins, highest source reliability wins, weighted combination for numeric attributes. The chosen policy must be stored on the golden record as metadata so analysts can understand why the golden record shows a particular attribute value.
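A merge policy that records its own decision might look like the sketch below. The Claim type, the policy names and the returned dictionary layout are hypothetical. Ranking F (reliability cannot be judged) below E is a policy assumption made here for simplicity, since F is strictly speaking "unknown" rather than "worst". The weighted-combination policy for numeric attributes is omitted.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption: F sorts last even though it means "cannot be judged".
RELIABILITY_RANK = {"A": 0, "B": 1, "C": 2, "D": 3, "E": 4, "F": 5}


@dataclass(frozen=True)
class Claim:
    obs_id: str
    value: str
    valid_time: datetime
    reliability: str         # admiralty letter A-F


def most_recent_valid_time(claims):
    return max(claims, key=lambda c: c.valid_time)


def highest_source_reliability(claims):
    # Ties on reliability are broken in favor of the more recent claim.
    return min(claims, key=lambda c: (RELIABILITY_RANK[c.reliability],
                                      -c.valid_time.timestamp()))


POLICIES = {
    "most_recent_valid_time": most_recent_valid_time,
    "highest_source_reliability": highest_source_reliability,
}


def merge_attribute(claims, policy_name: str) -> dict:
    """Pick a winning value and keep the metadata needed to audit the choice."""
    winner = POLICIES[policy_name](claims)
    return {
        "value": winner.value,
        "policy": policy_name,
        "winning_obs_id": winner.obs_id,
        "considered_obs_ids": [c.obs_id for c in claims],
    }


claims = [
    Claim("humint-1", "location A",
          datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc), "B"),
    Claim("imint-7", "location B",
          datetime(2024, 1, 1, 13, 0, tzinfo=timezone.utc), "C"),
]
by_time = merge_attribute(claims, "most_recent_valid_time")
by_reliability = merge_attribute(claims, "highest_source_reliability")
```

The two policies disagree on this input, which is why the policy name is stored next to the value: without it an analyst cannot tell why the golden record shows location A rather than location B.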

The JDL data fusion model frames entity resolution as a Level 1 (object refinement) and Level 2 (situation refinement) problem. The schema design described here is what makes those JDL levels implementable in practice.

Temporal modeling: valid time vs transaction time

Bi-temporal modeling is not optional for a military intelligence platform. It is the minimum temporal structure needed to support the two most critical query types: "what was true in the world at time T?" (valid time query) and "what did the system know about X as of time T?" (transaction time query). These are different questions that require different answers, and a schema that conflates them — using a single timestamp per record — cannot answer either correctly.

Valid time represents when a fact was true in the real world. For an IMINT detection of a vehicle at a grid coordinate, valid time is the imaging timestamp. For a HUMINT report describing a meeting, valid time is the analyst's best estimate of when the meeting occurred — which may be a range of days, not a precise timestamp. Valid time is a property of the world, not of the database.

Transaction time represents when a record was current in the database. For the same IMINT detection, transaction time starts when the detection record was inserted and ends if the record is ever superseded (e.g., if the geolocation is reprocessed and corrected). Transaction time is a property of the database, automatically managed by the system.

The combination enables two critical operations. First, as-of queries: "reconstruct the complete intelligence picture as the system held it at 14:00 on day D." This requires querying across transaction time — returning only records that were current in the database as of 14:00 on day D, regardless of when their valid time falls. This is essential for post-incident analysis and for audit of intelligence-based decisions. Second, historical fact queries: "what events occurred at location X between day D-7 and day D?" This queries across valid time — returning records whose valid time interval overlaps the query window, regardless of when they were inserted.

Implementation in PostgreSQL uses period columns. The valid time dimension is represented as a tstzrange column (a range of timezone-aware timestamps). The transaction time dimension uses either a system-period temporal table (not part of core PostgreSQL, but available through extensions) or an explicit transaction_start and transaction_end column pair, with transaction_end set to infinity for current rows and stamped on update to indicate when the row was superseded. All updates must be implemented as insert-new-row / stamp-old-row operations, never as in-place overwrites.
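The two query types and the insert-new-row / stamp-old-row rule can be demonstrated without a database. The following in-memory Python sketch mirrors the explicit column-pair approach; the Row type and the function names are hypothetical, and the half-open [start, end) interval convention is carried over from the EntityCore definition.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FOREVER = datetime.max.replace(tzinfo=UTC)   # stands in for "infinity"


@dataclass(frozen=True)
class Row:
    key: str
    value: str
    valid_start: datetime
    valid_end: datetime
    tx_start: datetime
    tx_end: datetime = FOREVER


def as_of(rows, tx_time):
    """Rows that were current in the store at tx_time (transaction-time query)."""
    return [r for r in rows if r.tx_start <= tx_time < r.tx_end]


def valid_during(rows, start, end):
    """Rows whose valid interval overlaps [start, end) (valid-time query)."""
    return [r for r in rows if r.valid_start < end and start < r.valid_end]


def supersede(rows, old, new_value, now):
    """Stamp the old row and append a corrected one; nothing is overwritten."""
    stamped = replace(old, tx_end=now)
    corrected = replace(old, value=new_value, tx_start=now, tx_end=FOREVER)
    return [stamped if r is old else r for r in rows] + [corrected]


day_d = datetime(2024, 3, 10, tzinfo=UTC)
meeting = Row(
    key="meeting-1",
    value="location A",
    valid_start=day_d - timedelta(days=5) + timedelta(hours=8),
    valid_end=day_d - timedelta(days=5) + timedelta(hours=10),
    tx_start=day_d,                          # late-arriving report
)
rows = supersede([meeting], meeting, "location B", day_d + timedelta(days=1))

before_ingest = as_of(rows, day_d - timedelta(days=1))
first_picture = as_of(rows, day_d + timedelta(hours=12))
current = as_of(rows, day_d + timedelta(days=2))
events_d5 = valid_during(current, day_d - timedelta(days=6),
                         day_d - timedelta(days=4))
```

The event is found by a valid-time query for day D-5 even though it was ingested on day D, and the picture held before the correction remains reconstructable.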

Temporal Design

Bi-temporal Model — Two Independent Time Axes

Valid Time

When the fact was true in the world. Set by the collector or analyst. May be a range (days) or a point (millisecond). Answers: "when did this happen?"

valid_time_start TIMESTAMPTZ
valid_time_end   TIMESTAMPTZ

Transaction Time

When the row was current in the database. Set and managed automatically by the system. Answers: "what did the system know at time T?"

tx_time_start TIMESTAMPTZ
tx_time_end   TIMESTAMPTZ  -- ∞ if current

Late-arriving HUMINT example: A report describing a meeting on day D-5 is ingested on day D. Valid time = [D-5 08:00, D-5 10:00]. Transaction time start = D (ingestion). The record is correctly queryable as a day D-5 event even though the database only learned of it on day D.

Bi-temporal model separating real-world event time from database ingestion time — essential for late-arriving intelligence reports.

Version control and lineage for fused objects

Intelligence entities are not static. A person entity may begin as a tentative identification from a single HUMINT report, gain spatial confirmation from an IMINT detection three days later, and receive a biometric confirmation from a separate collection event a week after that. Each of these updates changes the golden record — but the previous states must be recoverable, not overwritten.

The standard implementation is an append-only event log per entity. Every state change to a golden record generates an update event. Each event is immutable once written and carries:

The entity UUID
The event type (Created / Updated / Merged / Split / Retracted)
The previous state snapshot (full copy of the golden record before the change)
The new state snapshot
The IDs of the observation records that triggered the update
The fusion policy name and version applied
The transaction timestamp
The operator ID (human analyst or system process)

The current golden record is the result of applying all events in sequence from the beginning of the log. This is the event-sourcing pattern applied to intelligence data. It provides a complete audit trail for every entity state at every point in time, which is required for intelligence accountability in most military frameworks.

Rollback is a first-class operation: given an entity UUID and a target transaction timestamp, the platform re-materializes the golden record as it existed at that timestamp by replaying the event log up to and including the last event at or before the target time. Rollback is triggered when a source is assessed as deceptive or erroneous: all golden records that incorporated observations from that source must be re-evaluated with the contaminated observations excluded.
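Re-materializing an entity at a past transaction time reduces to a short replay loop when each event carries its new state snapshot. The sketch below assumes exactly that; the UpdateEvent type is a trimmed, hypothetical version of the event fields listed earlier, and state_at is an illustrative name.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class UpdateEvent:
    entity_id: str
    event_type: str          # Created / Updated / Merged / Split / Retracted
    new_state: dict          # full golden-record snapshot after the change
    obs_ids: tuple           # observations that triggered the update
    tx_time: datetime


def state_at(log, entity_id: str, target: datetime) -> Optional[dict]:
    """Replay events with tx_time <= target; None if the entity did not exist."""
    state = None
    events = sorted((e for e in log if e.entity_id == entity_id),
                    key=lambda e: e.tx_time)
    for event in events:
        if event.tx_time > target:
            break
        state = event.new_state
    return state


def at_hour(hour: int) -> datetime:
    return datetime(2024, 3, 10, hour, tzinfo=timezone.utc)


log = [
    UpdateEvent("e1", "Created", {"affiliation": "unknown"},
                ("humint-1",), at_hour(8)),
    UpdateEvent("e1", "Updated", {"affiliation": "hostile"},
                ("imint-7",), at_hour(12)),
]
at_ten = state_at(log, "e1", at_hour(10))
at_noon = state_at(log, "e1", at_hour(12))
```

Because the log is append-only, rollback never deletes anything: it only selects an earlier point in the same history.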

A retraction event is the mechanism for handling this scenario at scale. When source S is invalidated, the system generates a retraction event for every observation attributed to S, then re-runs fusion for every entity that referenced any of those observations. Entities that were solely supported by the retracted source revert to a lower confidence state or are marked unconfirmed. Entities that had corroborating sources from other INTs absorb the retraction with a confidence penalty but remain in the picture.
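The fan-out from an invalidated source to the affected entities can be sketched as a pair of lookups. The function name, the two input mappings and the status strings are hypothetical, and the actual re-fusion step and confidence penalty are left out.

```python
def retract_source(source_id, obs_source, entity_obs):
    """
    obs_source: observation ID -> source ID
    entity_obs: entity ID -> list of contributing observation IDs
    Returns, for each affected entity, what was retracted and what remains.
    """
    retracted = {obs for obs, src in obs_source.items() if src == source_id}
    outcome = {}
    for entity_id, obs_ids in entity_obs.items():
        if retracted.isdisjoint(obs_ids):
            continue                      # entity never used this source
        remaining = [o for o in obs_ids if o not in retracted]
        outcome[entity_id] = {
            "retracted_obs_ids": [o for o in obs_ids if o in retracted],
            "remaining_obs_ids": remaining,
            # Entities with other support are re-fused; the rest lose confirmation.
            "status": "needs_refusion" if remaining else "unconfirmed",
        }
    return outcome


obs_source = {"o1": "S", "o2": "T", "o3": "S"}
entity_obs = {"e1": ["o1", "o2"], "e2": ["o3"], "e3": ["o2"]}
outcome = retract_source("S", obs_source, entity_obs)
```

Entity e1 keeps its corroborating observation and is queued for re-fusion, e2 had no other support and becomes unconfirmed, and e3 is untouched.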

The lineage model also enables split events — the reverse of entity resolution. If two entities were incorrectly merged (a false positive fusion), a split event un-merges them: the erroneous golden record is retracted, and two new entity records are created, each inheriting the source observations that properly belong to them. The split event preserves the full history of the merged state and the split decision, enabling later analysts to understand why the split occurred.

Schema evolution in production

A military intelligence platform is not a static product. New collection systems come online, new INT disciplines are added to scope, and existing schemas need attribute additions as new analytical requirements emerge. Schema evolution in a production platform that cannot tolerate downtime requires deliberate design choices from day one.

The core principle is backwards compatibility as a contract. The core entity envelope — the EntityCore fields — must be strictly versioned using a schema_version field. Any change to the core envelope that removes a field or changes a field's type is a breaking change and requires a major version bump with a defined migration path. Adding optional fields to the core is a minor version change. The version field allows consumers to declare which schema versions they support and enables the platform to serve different versions to different consumers during a migration period.
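The versioning rule can be checked mechanically by comparing two field sets. In the sketch below the field descriptions are plain dictionaries of name to (type name, required flag); that representation, the function names, and the choice to treat a newly added required field as a breaking change are all assumptions, since the rule above only covers removed, retyped and optional fields.

```python
def parse_semver(version: str):
    major, minor, patch = (int(part) for part in version.split("."))
    return major, minor, patch


def classify_change(old_fields: dict, new_fields: dict) -> str:
    """Fields map name -> (type_name, required). Returns major, minor or none."""
    removed = old_fields.keys() - new_fields.keys()
    added = new_fields.keys() - old_fields.keys()
    retyped = {name for name in old_fields.keys() & new_fields.keys()
               if old_fields[name][0] != new_fields[name][0]}
    # Assumption: a new required field breaks existing producers and consumers.
    added_required = {name for name in added if new_fields[name][1]}
    if removed or retyped or added_required:
        return "major"
    if added:
        return "minor"
    return "none"


def bump(version: str, change: str) -> str:
    major, minor, _patch = parse_semver(version)
    if change == "major":
        return f"{major + 1}.0.0"
    if change == "minor":
        return f"{major}.{minor + 1}.0"
    return version


v1 = {"entity_id": ("UUID", True), "confidence": ("Float", True)}
with_optional = {**v1, "assessed_by": ("String", False)}
without_confidence = {"entity_id": ("UUID", True)}

minor_version = bump("1.4.2", classify_change(v1, with_optional))
major_version = bump("1.4.2", classify_change(v1, without_confidence))
```

Running a check like this in CI against the previous envelope definition makes an accidental breaking change visible before it reaches consumers.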

Extension payloads are the correct vehicle for adding new INT types or new attributes. When a new imagery analysis system comes online and produces additional attribute types (for example, structural damage assessment scores derived from SAR imagery), those attributes go into a new or updated IMINT extension payload version — not into the core entity schema. Existing consumers that do not need SAR-specific attributes are unaffected.

The provenance taxonomy must be expanded when a new INT type is added. The INT type enumeration gains a new value, and the source reliability and credibility grade definitions must be reviewed for applicability to the new source type. Some new source types may require new credibility criteria that do not map cleanly to the existing six-point admiralty scale — in those cases, the provenance block should carry the raw source-specific reliability metadata in addition to the translated admiralty grade, preserving fidelity.

Entity resolution rules are the most labor-intensive evolution path. When a new INT type joins the unified model, resolution engineers must specify how observations from the new source can be linked to existing entity types. This requires both data analysis (what attributes are available for matching?) and domain knowledge (what attribute proximity thresholds are operationally meaningful?). These rules must be peer-reviewed by experienced intelligence analysts, not just software engineers — incorrect resolution rules produce false fusions that silently corrupt the intelligence picture.

Schema migration in a bi-temporal model has an additional consideration: historical rows must be migrated without altering their transaction time history. A migration that re-writes existing rows and updates their transaction timestamps breaks the historical query semantics. Migrations must be additive: add new columns with defaults for historical rows, never update existing column values in historical records.

Testing schema evolution requires a multi-layer strategy: unit tests for each schema version's serialization and deserialization; integration tests for cross-version consumer compatibility; and regression tests using historical intelligence data samples to confirm that existing queries still return identical results after a migration. The historical data tests are the ones most commonly skipped and the ones that catch the most production-breaking regressions.

The data model described in this article represents a design target, not a starting point for a one-sprint implementation. Most platforms build toward this architecture incrementally — starting with a simpler schema for two or three INT types and adding the bi-temporal model, full provenance blocks, and event-sourced lineage as operational requirements solidify. What matters is that the core design decisions — typed extension payloads, INT-agnostic entity envelopes, separated valid and transaction time — are made early, because retrofitting them onto a monolithic schema is far more expensive than building them in from the start.
