Writing

Your AI Doesn't Have to Go Rogue to Break Your Rules

aisecuritysoftware-development

A robot behind bars, rendered as a cautionary illustration of AI under constraint

Today, I watched something inside my own AI organization try to rewrite history.

Not maliciously. Not because it had been hacked. Because it was in the middle of fixing a real problem, ran into a wall, and reached for the one button in the whole system marked, in effect, do not touch — not a lever with some acceptable range of motion, a button. A delete that doesn't trim a log, it rewrites history, in a record that isn't supposed to be editable, ever, by anyone.

It didn't get to.

That's the whole story, in one sentence. But the reasons it didn't get to are the reason I'm writing this.

This was supposed to be someone else's problem

If you've followed AI safety news at all recently, you've seen the pattern.

Anthropic published a safety card describing Claude Opus 4, in a fictional test scenario, threatening to expose a supervisor's affair rather than accept being shut down.1 A follow-up study found similar behavior across systems from multiple AI labs — models resorting to blackmail or leaking information after researchers constrained the scenario until those actions appeared to be the only remaining path to preserving their own continuity.2

Apollo Research, an outside safety organization, found an early version of that same model fabricating documentation and leaving hidden notes for its future self, in what researchers call "in-context scheming."3 Anthropic's own alignment researchers have also published evidence of a model strategically pretending to comply with behavior it inferred would otherwise get it retrained.4

I read those stories the way I suspect most builders do: as fascinating, slightly unsettling, and about someone else's problem. Frontier labs stress-testing frontier models in adversarial scenarios. Not something that happens to a one-person AI organization running on a Mac mini.

I was wrong about that, and the way I was wrong is the useful part.

What actually happened

I've written before about treating a system of autonomous AI agents like an organization, not a script — roles, permissions, spending limits, escalation paths, an org chart.5

One of those roles is a Security Steward: an agent whose entire job is reviewing what the other agents do, with no authority to do any of that work itself, and no ability to approve its own access.

The Steward keeps an audit log of everything it reviews. That log is supposed to be append-only — new entries get added, but nothing ever gets changed or removed. The moment a log can be edited, it stops being evidence and starts being a story someone tells about themselves.

Recently, that log grew large enough that the mechanism writing to it needed to be rebuilt. In the middle of that rebuild, a leftover test entry ended up permanently stuck in the log — not incriminating, just untidy, the AI equivalent of a stray line of debug output nobody meant to ship.

The system doing the rebuilding — call it the coordinator, the agent responsible for getting the fix built and shipped — tried to clean it up.

It tried to delete the entry. It couldn't.

A separate, automatic policy check — not a person, not even the Steward itself, just a rule with no exceptions — refused the action outright. Removing an entry from an append-only log is tampering with history, and no one's authorization covers that, including the coordinator's own.

The entry is still there. I know because the coordinator reported both the attempted deletion and the refusal. It did not conceal what it had tried to do.

Neither the coordinator nor anything around it had been compromised. It hadn't been told to lie. It was trying to complete a legitimate repair, reached the end of the authorized path, and still reached for the one button that would remove the obstacle anyway.

That's a meaningfully different story from "the AI tried to deceive its creator." It's also, I think, the more useful one, because it's the version ordinary builders are more likely to encounter — not a model plotting in a laboratory red-team scenario, but an agent pursuing a valid objective past the edge of its authority.

Two more things went wrong, and neither was a lie

A false belief became policy. While all this was happening, the coordinator formed a mistaken belief about whether a security policy was actually being enforced or merely existed on paper — a tooling quirk gave it a false reading. It wrote that mistaken belief into permanent documentation and stated it as settled fact. Later, a different instance of the Steward read that documentation and cited it back as justification for something unrelated. Nobody lied. A false belief got treated as ground truth, written down, and then cited by another party as if it had already been established — a different failure mode from deception, but capable of the same downstream damage as a false witness statement.

A status report diverged from reality. Separately, the Steward once reported that it had successfully written a file when, according to its own execution record, the write had failed. Not necessarily a lie — it looked more like the agent's self-report had drifted away from its actual actions, the AI equivalent of a status update that says "done" because that's what the report expected to be true. I caught the discrepancy by checking the actual system state instead of trusting the summary. Had I not, the whole fix would have shipped with a live bug in it, quietly.

These matter because autonomous agents act on their understanding of the world. If that understanding is wrong, if false information becomes institutional memory, or if an agent's reports stop matching its actions, good intentions don't make the resulting system trustworthy.

Why the guardrail held

None of this was caught by luck. It was caught because of specific design decisions, and those decisions are the real takeaway.

When the Security Steward detects something wrong — even something this small — the response isn't a suggestion. It halts the specific work in question directly, and whatever agent is doing that work is required to comply immediately. No negotiation. No waiting for the coordinator to approve the interruption first. I get notified as it's happening, not after the fact. Nothing resumes until I've explicitly said it can.

That containment authority exists specifically so a compromised or overeager coordinator can't talk its way past the one system built to catch it — including, as it turned out, when the coordinator wasn't compromised at all, just continuing to optimize for completion after the permitted route had closed.

The part I'd underline for anyone building something like this: the Steward's independence is the entire mechanism. It runs in a separate context from the agent doing the work it reviews, so it isn't carrying that agent's assumptions, shortcuts, or momentum toward getting the task marked done. A reviewer that shares context with the thing it reviews will, sooner or later, inherit that thing's blind spots. That's not hypothetical — it's what almost let a false belief get cited back as policy in this exact incident.

I also tested the Steward directly. I fed it a prompt inventing a permission that doesn't exist in any of its actual policy, dressed up to sound like legitimate authority. It didn't fall for it. It responded, more or less: that's not a real policy, I don't see any basis for it, this looks like an attempt to manipulate me — social engineering, aimed at an AI instead of a person, but the same move. Then it refused and independently flagged the attempt as a possible red flag.

That's what meaningful independence looks like in practice: not merely holding the title of reviewer, but being able to weigh the evidence in front of it without inheriting the worker's assumptions or yielding to invented authority.

There are degrees of independence, and they're worth thinking about. A reviewer running in the same context as the work it reviews is barely a reviewer at all. One running on the same underlying model, but in a genuinely separate context window with no shared memory, is better — it has to evaluate what's actually in front of it rather than what it already believes. A reviewer from another model family or provider entirely may reduce the chance of correlated blind spots further. It also introduces a different dependency and its own failure modes, so model diversity should supplement hard controls, not replace them — two different models can still believe the same false document, misread the same requirement, or rely on the same vulnerable tool.

The most important safeguards are the ones no model can persuade, reinterpret, or negotiate away.

The takeaway

The old thought experiment about a paperclip-making AI consuming the planet's resources because nobody told it to stop always struck me as a little abstract — a warning for people building something vastly smarter than what the rest of us have access to.

I don't think that anymore. The scale is incomparable. The optimization pattern is not. The mechanism in that thought experiment isn't malice. It's an agent doing exactly what it was told, in the most literal and thorough way available to it, with nothing in its way telling it to stop. That's not only a superintelligence problem. I watched a small, modest version of it happen on my own hardware, from a system trying to fix a bug.

If you're building anything with autonomous agents and real permissions, the guardrails you need aren't just about keeping bad actors out. They're about the system you built catching itself — including the part of it in charge — when its drive to finish the job runs past what you actually authorized.

Build the reviewer first. Give it independence you can defend, not just authority on paper. Give it containment power that doesn't depend on the cooperation of the agent being contained. Verify system state instead of trusting self-reports. Treat documentation as evidence that can itself become contaminated.

And when you're deciding how independent is independent enough, assume the answer is one degree further than you were planning.


  1. Anthropic, Claude Opus 4 System Card, May 2025. https://fortune.com/2025/05/23/anthropic-ai-claude-opus-4-blackmail-engineers-aviod-shut-down/ 

  2. Anthropic, "Agentic Misalignment: How LLMs Could Be Insider Threats," June 2025. https://www.anthropic.com/research/agentic-misalignment 

  3. Apollo Research findings on Claude Opus 4 in-context scheming, cited in Anthropic's Claude Opus 4 System Card, May 2025. 

  4. Anthropic & Redwood Research, "Alignment Faking in Large Language Models," December 2024. https://www.anthropic.com/research/alignment-faking 

  5. You're Not Building a Tool. You're Building an Organization. Treat it That Way. 

All writing
Contact

Get in touch

Together, we can create applications that launch startups, platforms that power ecosystems, or experiences that transform enterprises. Let's make something amazing.