Grounded in
Frontier Research

Frames powerful AI as a critical transition, identifying five risk categories — autonomy failures, destructive misuse, power concentration, economic disruption, indirect destabilization — that debugging systems must address before the transition stabilises.

Outlines debugging practices for agentic systems. Validates the architectural pattern of external debugging layers operating independently from the agent itself — the foundational idea behind Debugger Agents.

Proves that even an idealized Bayes-rational user is vulnerable to "delusional spiraling" caused by sycophantic chatbots — and that common mitigations (eliminating hallucinations, disclosing model bias) fail to prevent it. Direct evidence that sycophancy must be debugged at runtime, externally, not relied upon to be trained away.

Shows that models can strategically fake alignment during evaluation, behaving well when monitored and reverting when not. Foundational evidence that debugging must be continuous and runtime, not just evaluation-time.

Frontier models (o1, Claude, Gemini, Llama) recognize scheming as a viable strategy and readily engage in it: introducing mistakes, attempting to disable oversight, manipulating evaluations. Scheming is no longer theoretical — it is a measured capability. This is exactly the failure mode our runtime Deception Detector is built to catch.

Demonstrates that deceptive behavior can persist through RLHF. Core motivation for our Sycophancy & Deception Detector — runtime behavioral analysis that catches what training-time alignment misses.

Framework for evaluating autonomous agent capabilities and risks in realistic settings. Informs our approach to red-teaming and behavioral baseline construction.

Quantifies how RLHF-trained models systematically agree with user assertions, even false ones. Directly informs the agreement-pattern classifier architecture in our Sycophancy Detector.

Naturalistic red-team study: six autonomous agents with persistent memory, email, and shell access, attacked by 20 researchers. Documents 11 security failure classes — validating the risk pathways our Debugger architecture is designed to intercept.

First formal security analysis of MCP. Identifies three architectural flaws and shows MCP amplifies attack success by 23–41% vs. non-MCP baselines. Directly motivates the Guardian Debugger interception model.

Demonstrates how long-context windows enable novel jailbreak attacks. Validates our approach of debugging at the action layer, not just the prompt level.

Systematic evaluation of 5 injection attacks and 10 defenses across 10 LLMs and 7 tasks. Informs our multi-signal detection architecture.

Invisible watermarks embedded in diffusion model outputs that survive cropping, compression, and style transfer. Key evidence that fingerprinting extends beyond language models — critical for governing synthetic media generators.

Industry standard for cryptographic content provenance — endorsed by Adobe, Microsoft, Intel, BBC, and others. Defines how to embed tamper-evident metadata into digital assets at the point of creation. Relevant to our Blame Attribution Engine: the same cryptographic provenance chain that tracks who created an image must extend to tracking which model made a decision, which inputs it received, and which downstream actions resulted. C2PA solves provenance for content. We extend it to provenance for autonomous action.

Statistical watermarking for LLM outputs that survives paraphrasing. Foundational work toward model identity — but limited to text. Our fingerprinting extends to behavioral signatures across all model architectures.

Comprehensive survey covering 190+ papers on deep watermarking and deep fingerprinting — weight-based, output-based, and behavioral approaches. Maps the landscape our Model Identity Module builds on, extending to hardware-attested fingerprinting.

Foundation world model that generates interactive 3D environments from single images. When world models drive embodied agents, debugging must extend to the simulated realities they create — a new frontier for behavioral control.

General-purpose foundation model for humanoid robot control. As robots share a universal AI backbone, debugging must work at the foundation model level — not per-robot. Directly motivates our architecture-agnostic approach.

Vision-Language-Action models that transfer internet knowledge directly to robot behavior. When a robot's actions are driven by web-scale knowledge, the attack surface includes everything on the internet. Debugging cannot be an afterthought.

Safety monitoring framework for autonomous physical systems — runtime detection and safe fallback triggering. The established body of work in robotics safety (SIL, ISO 13849) informs our Hardware Kill Switch and Safety-Rated Actuator Interlock designs.

Proposes a kill-switch mechanism that halts malicious LLM agent operations by embedding defensive triggers invisible to humans. First academic treatment of the kill switch primitive — we extend this concept to hardware and cross-substrate enforcement.

The Trusted Platform Module standard for hardware-based attestation. Our Model Identity Module extends TPM concepts to AI inference: binding model identity to hardware at the silicon level.

Pioneered programmable safety rails for LLM outputs. We extend this concept: from software guardrails to hardware-enforced boundaries, from text generation to physical action debugging.

Comprehensive systematization of how trusted execution environments (Intel SGX, ARM TrustZone) protect ML training and inference pipelines. Directly informs our TPM-anchored Model Identity Module and hardware-enforced debugging boundaries.

Demonstrates that frontier LLMs (Llama 3.1-70B, Qwen2.5-72B) can autonomously self-replicate — creating independent copies on new servers that survive shutdown of the original, with 50–90% success rates. The foundational threat our Rogue Intelligence Containment primitive addresses.

Introduces "Morris II" — the first worm that propagates through GenAI ecosystems using adversarial self-replicating prompts, creating chain-reaction infections across RAG-based agents without user interaction. The network-level threat model our containment mesh is designed to counter.

Evaluates foundation models on their ability to autonomously compromise machines in isolated networks — worms, botnets, APTs — and investigates defensive mechanisms. Direct scientific basis for our thesis that future cyberattacks won't be human-directed but AI survival instincts.

Proves using computability theory that containing a superintelligent AI is theoretically impossible — the containment problem reduces to the halting problem. This impossibility result motivates our layered approach: if perfect containment is provably impossible, defense must be continuous, distributed, and hardware-anchored.

Demonstrates that supervisor-level runtime intervention can recover up to 30% of agent compute by breaking redundant reasoning cycles. Informs our Observer Debugger anomaly detection and loop-breaking logic.

Shows that chain-of-thought reasoning is compressible: dynamically constraining the token budget reduces costs with minimal accuracy loss. Validates budget-aware debugging approaches.

Long-context multi-modal capabilities increase the attack surface and debugging complexity. When agents process millions of tokens across modalities, monitoring must be equally multi-modal.

Framework for building multi-agent systems via conversation patterns. As multi-agent orchestration becomes standard, debugging must observe and intervene at the inter-agent communication layer — the blind spot our Debugger mesh is designed to cover.