A designer of Keykos applications is often called upon to display “foresight” as in when you pass a RO cap to a segment, remember to pass a rescindable version.
This is not always practical.
I can imagine a Keykos system having run for some years suddenly needs to accommodate an application with moderate real time requirements and the system can afford to accommodate those needs.
If the original big bank had not reserved a high spot in the chain of meters then it seems implausible to establish such a sort later.
Experience teaches one foresight but that is not very helpful here.
One fanciful yet plausible tactic here is to get informal permission for the following from those with legitimate concerns on system integrity.
Some mutually trusted user buys a node and puts a data key with some unique number in it.
One writes a program S that runs in place of the kernel with the kernel’s authority.