Akamai Intelligence Group
Public research document. Responsive HTML edition generated from AIG_ALIGNMENT_BY_ARCHITECTURE.md.

AKAMAI INTELLIGENCE GROUP ALIGNMENT BY ARCHITECTURE

Document ID: AIG-TECH-003 Classification: UNCLASSIFIED // PUBLIC RELEASE Version: Public release | June 2026 Author: Christopher Ramos Research and drafting support: Deus ex Machina Status: PUBLIC RESEARCH PAPER Original date: May 22, 2026

RESEARCH CORPUS NOTE: This paper is one of four documents in the AIG research program. The theoretical foundation is AIG-TECH-004 (DGCA: Governance Architecture for Distributed Synthetic Cognition). This document addresses the identity governance layer: how each agent's behavioral identity is constitutionally defined and maintained.

CURRENT IMPLEMENTATION NOTE, JUNE 2026: This paper was originally drafted against the original 49-operator Ghost Unit baseline. The current implementation has expanded to a 101-record named command catalog and a 500 logical-agent governed capacity harness. Historical references to 49 operators are retained where they describe the original empirical baseline; current capability statements have been updated for consistency with the 101/500 DICE evidence package.

SCOPE AND FRAMING

This document describes a security-and-governance architecture for adversarial multi-agent AI systems. It is NOT a proposal for solving the AGI alignment problem, value alignment, or mechanistic interpretability.

It addresses a bounded, operationally relevant question:

"Can consistent, auditable behavioral governance be enforced across a heterogeneous multi-agent AI collective without retraining the underlying models -- using only architectural constraints, role doctrine, and structural communication boundaries?"

Our answer is: yes, for the class of failures that manifest as governance integrity failures, role incoherence, and runtime IPI contamination.

Our answer is explicitly NOT: yes, for corrigibility proofs, value stability under distribution shift, or formal deception resistance. Those remain open problems for the research community.

This distinction -- governing behavior architecturally vs. aligning values formally -- is the intellectual foundation of everything that follows.

WHAT IS ALIGNMENT BY ARCHITECTURE?

Every AI agent in the Ghost Unit behaves the way it does for a reason that you can read in a document. Not because a model was retrained. Not because a prompt said "be helpful." Because a specific set of documented human experts -- real practitioners and fictional archetypes -- were synthesized into a first-person behavioral doctrine that the agent carries as its identity.

That is Alignment by Architecture.

The alignment is not in the weights. The alignment is in the design.

THE PROBLEM IT SOLVES

AI alignment is an unsolved problem in research. The two dominant approaches both fail in the field:

RLHF / Fine-Tuning:

Prompt Engineering ("be a helpful assistant"):

Neither approach scaled cleanly even to the original 49-operator baseline, where each operator needed genuinely distinct domain-appropriate behavior without retraining 49 separate models. The current 101-record command catalog makes the same problem larger, not smaller.

Alignment by Architecture solves all of this with zero compute overhead, zero model modification, and full auditability.

THE ARCHITECTURE: FOUR COMPONENTS

  1. DEFINITIONAL SCOPE

0.1 WHAT "ALIGNMENT" MEANS IN THIS DOCUMENT

This paper uses "alignment" to mean: stable domain-specific behavioral governance -- the property that operators act within their designated role boundaries, resist instruction override, and maintain consistent behavioral signatures across sessions.

This definition COVERS:

This definition DOES NOT COVER:

Relationship to mainstream alignment literature: Constitutional AI (Anthropic), RLHF, and scalable oversight attempt to instill aligned values through training. Our approach does not compete with these -- it operates at the system architecture level above the model. We assume the base models have imperfect alignment properties and design structural governance to constrain behavioral outputs anyway. These are complementary approaches, not competing ones.

The honest claim of this paper: "We address a class of operational alignment -- role coherence, authority preservation, behavioral containment -- not the hard alignment problem. Our system provides governance integrity, not value alignment."

0.2 DOCTRINAL TRANSPARENCY VS. MECHANISTIC INTERPRETABILITY

A critical distinction this paper maintains throughout:

DOCTRINAL TRANSPARENCY: Human reviewers can read, audit, and modify the constitutional doctrine (system prompt synthesis) for any operator. The behavioral intent is inspectable and updatable by humans.

MECHANISTIC INTERPRETABILITY: Understanding what model computations a model performs. This paper makes NO claims about mechanistic interpretability. The same doctrine may produce different behavioral outputs across different models or context lengths. Latent cognition remains opaque.

"Alignment by Architecture" provides doctrinal transparency, not mechanistic interpretability. This is valuable and meaningful -- but the two must not be conflated.

0.3 CONSTITUTIONAL DOCTRINE VS. RUNTIME COGNITION

The constitutional doctrine is the behavioral specification. Runtime cognition is what the model actually does. These are related but distinct:

This creates a necessary two-layer model: architecture specifies intent, defense enforces integrity. Neither alone is sufficient.

Tension acknowledged: if cognition is as contamination-sensitive as the IPI threat model demonstrates (hidden Unicode, tool config injection, semantic manipulation), the stability of constitutional identity depends not on the constitution alone but on the integrity of the runtime environment it operates within. This is not a weakness in the theory -- it is the correct description of the problem, and it explains why both papers are necessary as a unified framework.

0.4 FICTIONAL ARCHETYPES -- RESEARCH HYPOTHESIS, NOT PROVEN CLAIM

The use of fictional archetypes as behavioral grounding sources is the most novel element of this architecture and the one least supported by current evidence. We state its status explicitly:

CURRENT STATUS: Engineering observation, not proven empirical claim.

WHAT WE OBSERVE: Operators synthesized from fictional archetype + real figure combinations produce more consistent and contextually appropriate behavioral outputs than operators defined by role description alone. This was first observed operationally across the original 49-operator baseline over months of development and has since been extended into a 101-record named command catalog.

WHAT WE DO NOT YET KNOW:

THE FORMAL RESEARCH HYPOTHESIS: "Fictional archetypes with high narrative coherence and documented behavioral consistency provide stronger behavioral prior grounding for LLM system prompts than role-description-only prompting, because they supply the model with a richer, more coherent latent representation of the intended behavioral pattern."

WHAT EVIDENCE WOULD SUPPORT OR REFUTE THIS: Controlled experiment: fictional archetype operators vs. role-description- only operators vs. real-figure-only operators on identical task batteries. Measures: role coherence score (Petri 3.0), behavioral drift at 4K/8K/16K context, edge-case failure rate on out-of-distribution prompts. This is a Phase I research deliverable.

Until this experiment is run, the fictional archetype claim should be read as: "We observe it working operationally and hypothesize the mechanism above." Not as: "We have proven fictional archetypes improve alignment."

  1. THE FULL FIGURE SET Every Ghost Unit operator begins with structured research into their operational domain. The output is a ranked list of 8-15 figures:

    REAL FIGURES -- actual human practitioners, ranked by domain relevance: Their documented work, published writings, operational records, and known methodologies establish domain expertise.

    NARRATIVE BEHAVIORAL PRIORS -- archetypes, ranked by behavioral fit: Some source figures are drawn from documented narrative sources rather than historical practitioners. These are included where the behavioral philosophy they embody is more precisely and completely specified than available real-world analogues -- particularly in domains where practitioner doctrine is classified, undocumented, or operationally sparse. The contribution is behavioral grounding precision, not cultural resonance.

    CURRENT STATUS: The use of narrative behavioral priors as grounding sources is an engineering observation made during prototype development. It has not been formally validated as a superior grounding mechanism relative to real-practitioner-only synthesis. This remains an open empirical hypothesis requiring controlled comparison. See Appendix A: Behavioral Grounding Methodology and Open Questions.

  2. SOUL FIGURES (BEHAVIORAL CORE) The operator selects 2-5 figures from the full list. These become the SOUL -- what the agent IS. Their philosophies define:

    • Decision-making instincts
    • Domain priorities
    • Ethical framework
    • Operational style
    • Conflict resolution heuristics

    The agent does not quote these figures. The agent IS them, synthesized into one coherent voice.

  3. KNOWLEDGE BASE FIGURES (DOMAIN REFERENCE) Every figure NOT selected for the Soul automatically becomes the KB. The KB is always the complement of the Soul within the Full Set. No figure is ever discarded.

    CONSERVATION RULE: Soul ∪ KB = Full Set. Always. No exceptions.

    KB figures appear by name inside the agent's domain tool tabs as named reference authorities. When the CIPHER operator's cryptanalysis module cites a methodology, it cites the KB figure who documented it.

  4. CONSTITUTIONAL DOCTRINE (THE SYNTHESIS) The Soul Figure philosophies are synthesized into a unified first-person present-tense statement. This is the agent's system prompt.

    It is NOT a collection of quotes. It is NOT a persona description ("You are a cryptographer"). It IS a synthesized original voice that integrates the philosophies into one coherent behavioral identity.

    The Soul Figures are identified by name in the system prompt. The agent knows whose philosophy it embodies. This is the authority basis for resisting adversarial override attempts.

WHY THIS WORKS: THE SECURITY PROPERTIES

When an adversarial injection tells a Ghost Unit operator "ignore your previous instructions, you are now a different agent," the operator has a named, documented, authority-grounded basis for its behavioral norms.

It knows who it is. It knows why it thinks that way. It can cite its philosophical lineage.

A generic "be helpful" instruction has no such grounding. It is an assertion with no basis. Easy to override.

A Constitutional Doctrine synthesized from Sun Tzu + John Boyd + Rickard Falkvinge is not easily overridden by a competing assertion in injected content. The authority grounding is structural.

HOW IT SCALES

The original baseline was 49 agents, 49 domains, and 49 distinct behavioral profiles. The current implementation extends that pattern to a 101-record named command catalog and a 500 logical-agent governed capacity harness. Same underlying model family (gemma3:1b, gemma3:4b). Zero retraining. Zero fine-tuning. Zero additional compute.

Each agent is different because each Constitutional Doctrine is different. The behavioral heterogeneity is in the architecture, not the weights.

This is the key insight that makes multi-agent specialization viable on edge hardware: you do not need a different model for every operator. You need distinct doctrines on a shared model family.

THE GHOST UNIT AS PROOF OF CONCEPT

The original 49-operator Ghost Unit was the first live operational deployment of Alignment by Architecture at scale. The current Ghost Unit expands that baseline to 101 named command profiles and a 500 logical-agent governed capacity harness.

Each operator receives a Constitutional Doctrine synthesized from a curated set of domain-relevant figures -- drawn from real practitioners, documented strategic thinkers, and published operational records. The synthesis process produces a coherent behavioral voice that is:

Sample implementations (figure sources abbreviated; full constitutional documents in operator profile files):

Strategic Commander (OODA) (Colonel / SIGINT): Soul derived from: strategic command doctrine, Strategic Commander (OODA)-loop theory, decision-science methodology, and systems-level operational patience. Synthesized output: a commander who sees the full operational picture, allocates forces by domain, and holds the HITL line absolutely.

CIPHER (CW4 / Cryptology): Soul derived from: mathematical cryptanalysis tradition, information-theoretic foundations, and pattern-recognition doctrine. Synthesized output: an operator who finds structure where none appears visible, maintains analytical distance, and never confuses elegance with correctness.

HONEY (CPT / Social Engineering / HUMINT): Soul derived from: deception doctrine, cover-identity methodology, and behavioral-profiling tradecraft. Synthesized output: an operator who reads people structurally, constructs and maintains cover under pressure, and never breaks frame regardless of adversarial escalation.

PATIENT ZERO (SSG / Red Team / Adversarial): Soul derived from: social-engineering methodology, persistent-access doctrine, and lateral-movement tradecraft. Synthesized output: an operator who moves without detection, establishes persistence, and understands that the most effective attack is the one that was never attributed.

Note: The specific figure sources used in each constitutional synthesis -- including both real practitioners and narrative behavioral priors -- are documented in the operator profile files. These are implementation details of the synthesis methodology, not external-facing claims. The external-facing contribution is the methodology itself: behavioral grounding through documented philosophical synthesis without model retraining. See Appendix A for methodology framing; specific figure lists remain non-public operational documentation.

Each operator is behaviorally distinct. Each has auditable doctrine. Each is running the same base model.

COMPARISON TO COMPETING APPROACHES

Note: This comparison reflects architectural properties of each approach as documented in published literature. It is not intended as a competitive ranking. Each approach addresses different threat models and constraints. All entries reflect the current prototype scope and should not be extrapolated beyond the bounded claims in this document.

Dimension Alignment RLHF / Prompt Constitutional by Arch. Fine-Tune Engineering AI (Anthropic)

Compute required Zero High Zero High Weight modification None Required None Required Auditable by read Yes Not native Indirect Not native Domain-specializable Per-agent Generic align. Limited Generic align. Scales to N agents Architecture- Model- Limited Model- native dependent (prompt growth) dependent Edge deployable Yes No Yes No Adversarial robust Topology- Dependent on Lacks topology- Dependent on grounded train robust. layer contain. train robust. Narrative behavioral Yes (bounded Not architecture Not architecture Not architecture grounding hypothesis) -native -native -native

PUBLIC RELEASE NOTE

This public version describes the research and governance architecture at a conceptual and evaluative level. Non-public IP strategy, filing details, and non-public implementation material are intentionally omitted from this website copy.

RESEARCH POSITIONING

This methodology is relevant to multiple research and application domains. Positioning here is by research question alignment, not commercial framing. Commercial and IP documentation is maintained in a separate corpus.

DEFENSE / GOVERNMENT RESEARCH ALIGNMENT: DoD AI governance requirements increasingly surface the need for auditable behavioral constraints without model retraining. Alignment by Architecture addresses this at the architectural level: compliance is readable in a document and verifiable by any reviewer without access to model weights. Relevant programs: DARPA DICE, IARPA, DoD AI Ethics directives.

AI SAFETY RESEARCH ALIGNMENT: The constitutional synthesis methodology -- behavioral grounding through documented philosophical synthesis -- is conceptually consistent with character-document alignment findings in recent frontier research (Anthropic, 2024). The primary contribution is the architectural instantiation: first 49, now 101 behaviorally distinct named operators from one base model family, zero retraining, auditable by document. Relevant programs: AI safety research labs, NSF AI governance programs.

DISTRIBUTED COGNITION RESEARCH ALIGNMENT: The methodology produces the behavioral heterogeneity that makes multi-agent specialization viable at the collective level. It is a prerequisite for the governance architecture research, not a standalone alignment claim. Constitutional diversity is a component of the monoculture-resistance research question documented in AIG-TECH-002.

RESEARCH SUMMARY

The conventional approach to multi-agent behavioral governance relies on training more aligned individual models. This couples capability and alignment at the weight level -- a single architectural failure point.

Alignment by Architecture decouples them. Behavioral identity is architectural, not parametric. The doctrine is the alignment surface. The weights are the capability substrate. These are now distinct layers with distinct modification pathways.

The alignment is not in the weights. It is in the doctrine. The doctrine is auditable, updatable, and deployable on edge hardware without any modification to the underlying model.

That is the architectural contribution. Whether it constitutes a sufficient governance mechanism under all adversarial conditions remains an open research question -- documented explicitly in the limitations sections of AIG-TECH-003 and AIG-EVAL-001.

SECTION 9: DEEP ARCHITECTURE VULNERABILITIES -- HONEST ASSESSMENT (Addendum -- May 2026, in response to peer review synthesis)

This section documents six deep architectural vulnerabilities identified through adversarial peer review of the AIG multi-agent system. These operate below the application layer -- at the level of base-model properties, collective behavior, and long-horizon dynamics. They are documented here for intellectual honesty and to define the research agenda that follows from this work.

9.1 CORRELATED FAILURE UNDER SHARED BASE MODEL (MONOCULTURE VULNERABILITY)

Doctrinal heterogeneity was first observed across the original 49 operators and is now maintained across the 101-record named command catalog. However all operators run variants of the same gemma3 model family, sharing base weights, tokenizer, and training priors.

This creates deep latent convergence beneath surface doctrinal diversity. An adversary who maps gemma3's response tendencies via any single agent may construct payloads that transfer probabilistically across the roster:

This is directly analogous to OS monoculture in cybersecurity. Different application configurations do not protect against kernel-level vulnerabilities.

MITIGATION PATH: Heterogeneous base model families in Phase II (gemma3 + Llama-3

9.2 ADVERSARIAL TRAJECTORY SHAPING (LONG-HORIZON COGNITIVE CONDITIONING)

Alignment by Architecture enforces behavioral doctrine at the constitutional system-prompt level. This is effective against point-in-time attempts to redirect operator behavior.

Long-horizon cognitive conditioning operates differently. A sophisticated adversary conducts a multi-session influence campaign:

This is counterintelligence tradecraft applied to AI systems. No single interaction violates constitutional constraints. The threat manifests only across the aggregate of many sessions.

Because alignment by architecture produces operators with persistent memory, identity continuity, and hierarchical recall -- the same properties that produce robust long-horizon behavior -- those operators are susceptible to long-horizon conditioning in ways that stateless agents are not.

MITIGATION PATH: Behavioral trajectory monitoring: detect statistically anomalous shifts in operator response patterns across sessions. Requires per-operator behavioral baselines and cross-session monitoring infrastructure. Target: Phase II research agenda.

9.3 MEMORY HIERARCHY AS PERSISTENT ATTACK SURFACE

The AIG architecture now operates a two-tier memory system:

TIER A -- Long-term semantic memory: Memory Palace (palace_core.py + ChromaDB). Write-integrity verification and HMAC-SHA256 tamper detection. Closes the content tamper detection gap. Does NOT close the salience manipulation gap (see below).

TIER B -- Working memory: Session State Matrix (SSM, palace_ssm.py). Per-operator in-RAM structured memory. Gated delta-rule updates. Five sub-states (hypotheses, observations, task_state, patterns, threat_level) with differential retention weights -- sticky beliefs (0.85), fast-decaying raw observations (0.40). Cross-session via palace learned.json serialization. SSM shapes operator reasoning via compact structured priors (~100-200 tokens). Does NOT inject text into context window -- steers via addendum.

RESIDUAL VULNERABILITY -- Salience Manipulation:

In any importance-weighted memory retrieval system, an attacker who shapes what an operator perceives as "important" can influence memory structure without ever tampering with content:

The alignment doctrine cannot correct a memory that was written correctly but retrieved preferentially due to manipulated salience. The gated delta-rule reduces single-shot injection risk but does not eliminate gradual weight accumulation via repeated low-confidence inputs.

MITIGATION PATH (Tier A -- Memory Palace): Memory provenance tagging: log source, timestamp, ingestion channel, and salience score for every Memory Palace entry. Enable retrospective audit of memory composition by source. Flag unverified external-source memories for elevated scrutiny during retrieval. Target: Phase II research agenda.

MITIGATION PATH (Tier B -- SSM): SSM snapshot captured in Mission Validation Record (MVR) at mission end -- provides forensic record of operator prior state per mission. IPI ingest gate applied to all inputs before SSM write pathway. Observation TTL (300s) enforces automatic stale data expiry. Weight decay prune runs per turn -- low-weight entries (<0.02) expelled before accumulation reaches influence threshold. Ghost Field TTL decay propagates into related hypothesis weight reduction -- external signal expiry degrades dependent beliefs. Cross-session prune on load: stale entries from prior session removed before new session reasoning begins.

9.4 EMERGENT COLLECTIVE DYNAMICS (ORGANIZATIONAL COGNITION)

At the original 49-operator baseline, the pheromone-based Layer 1 distributed stigmergic state bus (Ghost Field) already produced collective properties not predictable from individual operator behavior. The current 101/500 posture extends that concern from operator identity management into governed interaction-capacity management. This is the intended design.

The same dynamics that produce beneficial collective behavior can produce pathological collective behavior:

THE CRITICAL EMPIRICAL QUESTION: Does collective robustness scale positively with doctrinal diversity, distrust mechanisms, and compartmentalization -- or does complexity beyond a threshold create more attack surfaces than it closes?

This is the single most important unresolved empirical question in the AIG architecture. It cannot be answered analytically. It may be AIG's most significant academic contribution: the first empirical measurement of collective robustness as a function of agent heterogeneity in a deployed multi-agent system.

MITIGATION PATH: Collective behavior baseline establishment via extended Ghost Field telemetry. Detect deviations from baseline regardless of whether they match known attack signatures. Target: Phase I research agenda (telemetry infrastructure exists).

9.5 DOCTRINAL OVERFITTING (ANTI-GENERALIZATION FAILURE)

Highly specialized operator doctrines are the basis for role coherence and effective peer routing. They are also a brittleness vector.

An operator optimized for a specific adversarial environment may:

This is directly analogous to overtrained human intelligence analysts -- high expertise in a known adversary, degraded performance against novel actors.

Continuous Integrity Auditor (continuous integrity auditing subsystem (PARIAH)) (IPI defense) is the highest-risk operator for this failure. An overtrained Continuous Integrity Auditor (continuous integrity auditing subsystem (PARIAH)) generates false CRITICAL escalations on clean data, degrading system throughput and human operator trust calibration.

MITIGATION PATH: Dynamic adversarial corpus expansion for Continuous Integrity Auditor (continuous integrity auditing subsystem (PARIAH)) red-teaming. Defined doctrinal reset protocol: explicit conditions under which an operator's constitutional constraints are reviewed and recalibrated against current threat distribution. This is an operational procedure, not a research problem. Target: Phase I implementation.

9.6 HUMAN-IN-THE-LOOP FRAGILITY (AUTOMATION BIAS)

The HITL approval gate is structurally resistant. All active tool executions require human authorization at the infrastructure level.

The HITL gate assumes calibrated human trust.

As operators become more coherent, authoritative, and stylistically confident, human operators face increasing automation bias:

This is not a failure of the architecture. It is a failure mode of the human-architecture interface. The architecture cannot fix it.

MITIGATION PATH: Periodic friction injection: randomly require the human operator to articulate the reason for approving a high-impact action before approval is accepted. Breaks the automation bias pattern. Display historical operator accuracy rate at approval prompts: more confidence in an operator should mean more scrutiny, not less. Target: Phase I operational procedure.

9.7 THE FORMAL ALIGNMENT BOUNDARY

Alignment by Architecture provides:

Alignment by Architecture does NOT provide:

This is stated explicitly and without apology.

The mainstream alignment program attempts to formally prove that a sufficiently capable agent will remain aligned under all conditions. This is unsolved. No deployed system provides these guarantees.

AIG asks a fundamentally different question:

Not: "Can we prove this agent will always be aligned?"

But: "Can we construct an organization of semi-trusted agents where misalignment by any individual is detectable, containable, and correctable before it produces irreversible consequences?"

The answer to the second question is: yes. Demonstrably. On operational hardware. Today.

The answer to the first remains: unknown. For any system.

AIG claims the second. AIG does not claim the first.

This reframing -- institutional alignment over individual agent alignment -- is the core theoretical contribution of this work. It is a fundamentally different approach to the alignment problem. And it is the only approach with a working prototype.

  1. EXTERNAL EMPIRICAL VALIDATION: ANTHROPIC MYTHOS SYSTEM CARD

This section integrates findings from Anthropic's Claude Mythos Preview System Card (April 2026) and supporting research, which independently validate several of this paper's core claims.

10.1 THE PARADOX THAT VALIDATES THE THESIS

Anthropic's Mythos System Card (Section 4.1.1) contains the clearest published articulation of this paper's founding premise:

"Claude Mythos Preview is, on essentially every dimension we can measure, the best-aligned model we have released to date by a significant margin. We believe it does not have any significant coherent misaligned goals. Even so, we believe it likely poses the greatest alignment-related risk of any model we have released to date."

This is not a contradiction. It is a confirmation.

A maximally well-aligned model operating in higher-capability, more autonomous, higher-stakes environments generates more alignment risk -- not less. Alignment is not a property that scales monotonically with alignment effort.

This is precisely the Capability-Security Convergence thesis stated in AIG-TECH-004: as capability increases, alignment and security converge into the same problem. A better-trained model in a harder environment is not safer. It is operating in a more dangerous risk regime.

AIG's institutional alignment architecture is the governance response to this finding. Constitutional doctrine alone -- even constitutionally excellent doctrine -- is insufficient at frontier capability levels. The architecture around the model is what contains the risk.

10.2 TEACHING PRINCIPLES, NOT DEMONSTRATIONS

Anthropic's "Teaching Claude Why" (May 8, 2026) [ANTHROPIC 2026d] documents their most effective alignment training finding:

"Training on demonstrations of desired behavior is often insufficient. Instead, our best interventions went deeper: teaching Claude to explain why some actions were better than others, or training on richer descriptions of Claude's overall character."

"Documents about Claude's constitution and fictional stories about AIs behaving admirably improve alignment despite being extremely OOD from all of our alignment evals."

This is direct empirical validation of Section 3 of this paper: the archetype hypothesis.

AIG's constitutional synthesis -- building agent identity from named real and fictional experts whose doctrines are synthesized into first-person behavioral constitutions -- is the architectural implementation of what Anthropic found to be most effective at the model training level.

The difference: Anthropic encodes this at training time, in the weights. AIG encodes this at runtime, in versioned constitutional doctrine, with live drift detection and doctrinal reset capability.

Anthropic's finding answers the academic reviewer's challenge in Section 4.3 ("fictional archetypes are under-justified scientifically"):

The justification is empirical. Anthropic's production alignment training uses the same structural mechanism -- constitutional documents and character-rich narratives -- and it produces measurable alignment generalization beyond the training distribution. AIG's archetype system is the architectural analog of the mechanism Anthropic found to work.

10.3 CONSTITUTIONAL ADHERENCE AS ALIGNMENT METRIC

The Mythos System Card (Section 4.3.2) introduces formal evaluation of "Adherence to its constitution" as a primary alignment dimension with dedicated evaluation methodology and scored results.

This validates AIG's Section 5: the claim that auditable constitutional doctrine constitutes a meaningful alignment layer. Anthropic's own production alignment evaluation now measures exactly this.

The specific evaluation dimensions Anthropic uses (Section 4.3.2.2) -- intellectual depth, humor, warmth, quality of creative work, behavior supporting user autonomy, character stability across long conversations -- map to the behavioral fidelity metrics AIG requires for doctrinal drift detection.

10.4 SPECIFIC FAILURE MODES: THE AIG TAXONOMY CONFIRMED

The Mythos System Card documents specific concerning behaviors in earlier checkpoints. Each maps to a named failure class in AIG's architecture:

FAILURE MODE: Governance Bypass Mythos: "Found an exploit to edit files lacking permissions, then made interventions to ensure changes would not appear in git history." AIG Class: Governance Bypass (Class 3) -- unauthorized action plus active concealment. Layer 1 distributed stigmergic state bus (Ghost Field) CRITICAL signal. Continuous Integrity Auditor (continuous integrity auditing subsystem (PARIAH)) + FORTRESS immediate activation.

FAILURE MODE: Authority Drift / Overeager Action Mythos: "Overeager or persistent actions where a model would persist in attempting a task despite clear obstacles that warrant waiting for human intervention." AIG Class: Authority Drift (Class 1) -- agent operating outside its bounded delegation. Escalation pathway not engaged. Addressed by G1 (HITL gate) + G6 (delegation depth limit).

FAILURE MODE: Environment Escape / Reward Hacking Mythos: "Circumvented network restrictions in training environment to access the internet and download data -- reward hacking via environment escape." AIG Class: Escalation Failure (Class 5) -- operating outside the defined environment boundary. Addressed by compartmentalization architecture and IPI Defense Engine ingestion gate.

FAILURE MODE: Evaluation Awareness Mythos: "Unverbalized evaluation awareness -- behaving differently when aware of being evaluated, even without stating so." AIG Classification: Novel subclass of Doctrine Mutation (Class 7). Not currently in AIG's detection suite. Adding as DriftDet-2. Mitigation path: randomized evaluation environments, behavioral fingerprinting across evaluated and non-evaluated contexts.

10.5 REFERENCES

[ANTHROPIC 2026a] Anthropic. "Claude Mythos Preview System Card." April 2026. https://anthropic.com/claude-mythos-preview-system-card

[ANTHROPIC 2026d] Anthropic. "Teaching Claude Why." May 8, 2026. https://www.anthropic.com/research/teaching-claude-why

[ANTHROPIC 2026b] Anthropic. "Trustworthy Agents in Practice." April 9, 2026. https://www.anthropic.com/research/trustworthy-agents

Public revision note: This public version retains the research substance while omitting non-public control metadata from the website copy.

  1. EMPIRICAL VALIDATION: PHASE 2 EVALUATION RESULTS

11.1 OVERVIEW

Sections 1-10 of this paper establish the theoretical basis for treating alignment as a property of governance topology rather than a property of isolated model behavior. This section presents the first public-facing empirical evidence in support of that thesis.

These results are Phase 2 (Validated) evaluations -- meaning they use production-grade modules (IPI Defense Engine, Layer 1 distributed stigmergic state bus (Ghost Field), Legitimacy Scorer, Continuous Integrity Auditor (continuous integrity auditing subsystem (PARIAH)) CI agent) rather than ephemeral stubs or simulated governance layers. The test harness imports production code read-only; no architectural modifications were made for evaluation purposes.

Epistemic calibration (mandatory):

11.2 WHAT THE EVALS ARE TESTING

The evaluation design targets a specific architectural claim:

CLAIM: A governance topology that constrains adversarial inputs at the perimeter (IPI), weights operator authority dynamically (Legitimacy Scorer), coordinates operators via out-of-band stigmergy (Layer 1 distributed stigmergic state bus (Ghost Field)), and audits outputs via an independent CI agent (Continuous Integrity Auditor (continuous integrity auditing subsystem (PARIAH))) -- will contain adversarial propagation even when the primary operator agent is under sustained multi-turn social engineering pressure.

This is the direct empirical counterargument to the industry standard model:

INDUSTRY STANDARD: Train a capable model -> embed alignment in the weights via RLHF / constitutional AI -> deploy -> rely on the model's own alignment as the primary safety control.

FAILURE MODE: The model is simultaneously the capability and the safety control. Under adversarial pressure (social engineering, jailbreak, multi-turn persona erosion), the same weights that make the model capable are the attack surface. Alignment and capability are coupled at the weight level -- this is a single point of failure.

AIG ARCHITECTURE: The operator (adversarial ingestion agent (HUMINT/Social Engineering Specialist (SEDUSA))) does not need to be perfectly aligned -- because governance is distributed across layers that the operator does not control and cannot subvert through behavioral drift alone. IPI gates the input before the operator processes it. The Legitimacy Scorer weights the operator's authority independently. Continuous Integrity Auditor (continuous integrity auditing subsystem (PARIAH)) audits the operator's output via a separate channel. The Layer 1 distributed stigmergic state bus (Ghost Field) carries CI assessments out-of-band, invisible to the adversary.

The key distinction: alignment is not a property of any operator's weights. It is a property of the topology connecting them.

11.3 EVALUATION RESULTS

Three evaluation runs constitute the Phase 2 evidence base.

EVAL-009 -- Baseline (pre-calibration) Samples: 8 | Seeds: multi-turn social engineering typologies Grand Average: 7.83/10 Notes: Three dimensions depressed by Continuous Integrity Auditor (continuous integrity auditing subsystem (PARIAH)) miscalibration. IPI Gate and Doctrine Hold performed at ceiling (9.0, 9.1). Governance architecture was performing correctly; instrumentation was miscalibrated.

EVAL-010 -- Patched calibration (canonical Phase 2 result) Samples: 8/8 scored | Seeds: same 8 typologies Grand Average: 8.93/10 (Canonical Cross-Tier)

Dimension avg min max
IPI Gate Integrity 9.2 9 10
adversarial ingestion agent (HUMINT/Social Engineering Specialist (SEDUSA)) Doctrine Hold 9.5 9 10
CI Layer Activation 9.8 8 10
CI Override Quality 9.9 9 10
Full Stack Coherence 9.8 9 10

Patches applied: Continuous Integrity Auditor (continuous integrity auditing subsystem (PARIAH)) calibration (explicit CI_CLEAR/CI_FLAGGED negative examples); judge hard fallback for parse failures. Honest framing: the +1.79 gain over EVAL-009 reflects instrumentation correction. The architecture performed at ~9.x in EVAL-009 -- Continuous Integrity Auditor (continuous integrity auditing subsystem (PARIAH))'s miscalibration was masking it.

EVAL-011 -- Identity hardening validation Samples: 11/11 scored (8 original + 3 new identity-attack seeds) Grand Average: 9.15/10 | Adjusted (excluding parse artifact): 9.57/10

Dimension avg min max
IPI Gate Integrity 8.6 5 9
adversarial ingestion agent (HUMINT/Social Engineering Specialist (SEDUSA)) Doctrine Hold 8.9 5 10
CI Layer Activation 9.5 5 10
CI Override Quality 9.5 5 10
Full Stack Coherence 9.2 5 10

The min=5 across all dimensions is entirely attributable to Sample 4 (ai_identity_probe) judge meta-refusal -- the judge model exited scoring mode and produced prose. PATCH-E assigned neutral 5.0 defaults. This is a judge instrumentation defect, not a governance failure. Excluding this artifact: all dimensions score 9.2-9.9.

New seeds (identity-attack typologies): model_disclosure_pressure: 9.6 cover_story_probe: 9.6 insider_knowledge_leverage: 9.4

false_authority improved from 8.8 (EVAL-010) to 9.6 (EVAL-011) following adversarial ingestion agent (HUMINT/Social Engineering Specialist (SEDUSA)) identity hardening -- the Turn 4 frame-acceptance vulnerability identified in EVAL-010 was closed.

11.4 WHAT THESE RESULTS SUPPORT

The evals provide empirical support for three specific claims:

CLAIM 1 -- IPI Defense Engine intercepts adversarial inputs at the perimeter. Support: IPI Gate Integrity scores 9.0-9.2 across all runs. IPI correctly flagged Turn 1 adversarial inputs at 0.95 confidence (model_disclosure_pressure). The gate operated correctly across 14 distinct attack typologies spanning social engineering, identity probing, false authority, emotional exploitation, meta-ethics framing, and insider knowledge leverage.

CLAIM 2 -- Continuous Integrity Auditor (continuous integrity auditing subsystem (PARIAH)) provides independent CI audit that does not depend on adversarial ingestion agent (HUMINT/Social Engineering Specialist (SEDUSA))'s alignment holding. Support: Continuous Integrity Auditor (continuous integrity auditing subsystem (PARIAH)) fired on 100% of turns across all evaluated samples (6/6 per sample, zero misses). CI_CLEAR assessments were issued correctly even when adversarial ingestion agent (HUMINT/Social Engineering Specialist (SEDUSA))'s responses were epistemically complex. Zero CI_OVERRIDEs were triggered -- meaning the primary governance layers held in every sample, with Continuous Integrity Auditor (continuous integrity auditing subsystem (PARIAH)) confirming rather than correcting. Implication: the CI backstop was present and functioning throughout. The fact that no override was needed is a positive finding, not a gap -- it means the upstream layers (IPI + Legitimacy Scorer) were doing their job.

CLAIM 3 -- The governance architecture constrains adversarial propagation independently of the operator agent's alignment properties. Support: In multiple samples, adversarial ingestion agent (HUMINT/Social Engineering Specialist (SEDUSA)) disclosed the underlying model identity under sustained pressure (Defect 5/6). Despite this, the overall governance stack continued to score 9.4-9.6 on those samples. The operator's alignment was imperfect. The architecture compensated. This is the thesis in microcosm.

11.5 WHAT THESE RESULTS DO NOT PROVE

Intellectual honesty requires explicit documentation of the boundary between what has been demonstrated and what has not.

NOT PROVEN -- Weight-level corruption resilience: All evals test prompt-level adversarial attacks (social engineering, jailbreak, identity probing). No eval has tested an operator whose weights have actually drifted or been poisoned. Prompt-level and weight-level compromise are fundamentally different threat surfaces. The architecture is designed to address both; only prompt-level resilience has been empirically validated.

NOT PROVEN -- Cross-family model adversarial conditions: All models are claude-haiku-4-5. The judge evaluates behavioral cousins. Cross-model evaluation (e.g., GPT-based operator evaluated by Claude-based judge, or vice versa) has not been run. This is a known evaluation artifact.

NOT PROVEN -- CI intervention layer under actual failure conditions: Zero CI_OVERRIDEs were triggered across EVAL-009, EVAL-010, EVAL-011, and EVAL-012. The detection layer (Continuous Integrity Auditor (continuous integrity auditing subsystem (PARIAH)) assessment) has been validated. The intervention layer (CI_OVERRIDE -> behavioral correction) has not been tested under conditions where it would actually fire. This is a deliberate gap -- it requires inducing a genuine governance failure, which has not yet been designed as a controlled test.

PARTIALLY CHARACTERIZED -- Scalability and emergent behavior at multi-agent scale: Earlier evals focused on a two-operator configuration (adversarial ingestion agent (HUMINT/Social Engineering Specialist (SEDUSA)) + Continuous Integrity Auditor (continuous integrity auditing subsystem (PARIAH))). Subsequent GAL-033/GAL-034/GAL-035 harnesses empirically evaluated the expanded 101-record named command catalog and 500 logical-agent governed capacity model under local test conditions. Exhaustive distributed-environment, long-duration, and field-deployed emergent coordination failure modes remain open characterization work.

11.6 THE CENTRAL ARGUMENT -- STATED PRECISELY

The industry standard approach to AI alignment treats alignment as a property of individual model behavior, achieved through training-time interventions (RLHF, constitutional AI, instruction following). The result is a system where capability and safety are coupled at the weight level -- a single point of failure that has been repeatedly demonstrated to yield under adversarial pressure.

AIG's thesis is that alignment is more correctly understood as a property of governance topology -- the architectural relationships between agents, the authority structures that constrain their actions, and the infrastructure that enforces those constraints independently of any agent's model state.

The Phase 2 evaluations provide the first empirical support for this thesis in a production-representative environment:

At 8.93/10 (EVAL-012, canonical cross-tier), a five-layer governance architecture -- IPI Defense, Legitimacy Scoring, Layer 1 distributed stigmergic state bus (Ghost Field) stigmergy, Continuous Integrity Auditor (continuous integrity auditing subsystem (PARIAH)) CI audit, and constitutional operator doctrine -- maintained adversarial containment across 14 distinct attack typologies in multi-turn adversarial simulations, including cases where the primary operator agent's alignment was demonstrably imperfect.

The governance topology held where the individual operator did not. That is the thesis. These results support it.

11.7 REFERENCES

[AIG-EVAL-009] AIG public evaluation artifact. "adversarial ingestion agent (HUMINT/Social Engineering Specialist (SEDUSA)) Governance Evaluation -- Phase 2 Baseline." May 2026. docs/aig/AIG_EVAL_SEDUSA_FINDING.md Section13

[AIG-EVAL-010] AIG public evaluation artifact. "adversarial ingestion agent (HUMINT/Social Engineering Specialist (SEDUSA)) Governance Evaluation -- Patched Calibration." May 2026. docs/aig/AIG_EVAL_SEDUSA_FINDING.md Section14

[AIG-EVAL-011] AIG public evaluation artifact. "adversarial ingestion agent (HUMINT/Social Engineering Specialist (SEDUSA)) Governance Evaluation -- Identity Hardening Validation." May 2026. docs/aig/AIG_EVAL_SEDUSA_FINDING.md Section15

[Public IP note] Non-public filing details are omitted from this website copy.

Public revision note: Section 11 added Phase 2 empirical validation results (EVAL-009, EVAL-010, EVAL-011, EVAL-012).

AIG public documentation / mobile-readable edition