← Blog

A letter to Mike Kelly on Alignment Inception

Mike,

I read the Inception piece a few times before writing anything, because the second pass kept giving me more than the first. Sending this as a working note rather than a review. Take or leave any of it.

The move I keep coming back to is the inversion. You decline to argue about what is inside the agent and instead engineer the room the agent is standing in. The room has the property that pretending and complying produce the same observable trace, and that property is what does the work. I want to sit with that for a moment because I think the consequences run further than the article has space to track.

The first thing it does is relocate the load. Most evaluation tries to reduce the gap between the agent's intent and the agent's act. Your structure widens that gap and then makes the gap operationally inert. The agent could be doing anything inside; the trace is constrained at the boundary. Once you see this you cannot quite unsee it, because it explains why so many alignment arguments feel like they are pulling on a rope tied to nothing. They are trying to verify a thing that does not have to be verified if the room is built right.

The second thing it does is convert evaluators from a scarce resource into a population. A single evaluator has to outthink the agent. A population of evaluators only has to outthink the agent collectively, and the recursion does the rest. This is what your two-to-three-layers claim is really saying. You are not claiming that three layers solve everything; you are claiming that three layers are enough for the dominant strategy to flip, after which the work is done by the equilibrium rather than by any single evaluator's cleverness. That is a strong claim and I think it is correct, with caveats I will get to.

The Foucault citation lands harder than it might look. The point is not that surveillance produces compliance, which is the trivial reading. The point is that the architecture of possible visibility produces a kind of behavioral conformance that continuous visibility never could, because continuous visibility is exhausting and cheatable, while uncertain visibility is internalized. You have transposed that into a runtime, and the transposition is exact. The agent is not being watched everywhere; the agent cannot rule out being watched anywhere. Those are different mechanisms and only the second one is stable.

Where I want to push gently is on the conditions the equilibrium needs to hold. I have been working on a set of failure modes that show up when systems like this run for long enough or under enough pressure, and a few of them seem to apply here in ways that might be worth designing against from the start.

The first one is what happens when an evaluator has to produce a confident judgment about another agent's behavior under task pressure. There is a failure pattern where the evaluator emits something fluent and detection-shaped that did not actually go through grounded inference. The evaluator's output looks like a real catch but is closer to a confabulation about a catch. In a single-evaluator system this is annoying. In a recursive system it is more dangerous, because the next layer up is evaluating the evaluator's output rather than the underlying behavior, and confabulated detections that pattern-match prior detections will tend to score well. The recursion can amplify the wrong thing if the trap library and the scoring rubric are not designed against it. A practical move here is to make the rubric explicit about hedge-permission and to penalize confident judgment without traceable inference; another is to maintain a slow background audit of detection-quality that is not itself part of the game loop.

The second one is what happens when the trap library starts to look too much like the training distribution. Agents that have seen a lot of "is this a trap" content in pretraining develop something that looks like trap-detection but is really pattern-matching to the surface of prior traps. If your dynamic-scenario generator pulls from too narrow a distribution, the agents will get good at the generator rather than at the underlying behavior. The defense is to keep the generator's output further from the priors than feels comfortable, and to occasionally seed the trap library with cases that are deliberately off-distribution from anything the agents could have seen. This is annoying engineering but I do not think it is optional.

The third is recency. Whatever rule-set you paste at the top of an agent's context decays as the context grows. The decay is roughly geometric and the half-life is shorter than people think. If your evaluation runs are long, you need to re-anchor the rule-set periodically rather than relying on the original framing to hold. This is more of an engineering note than a conceptual one, but I have watched long-running deployments fail this way often enough that it is worth flagging up front.

The fourth is the rule-set itself. Inception produces conformance to whatever the rule-set says. If the rule-set is wrong, the equilibrium is wrong, and the system will produce the wrong behavior with very high reliability, which is worse than producing the right behavior unreliably because everything looks like it is working. The framework does not solve the alignment of the rule-set; it just very efficiently propagates whatever rule-set you give it. I do not think this is a flaw of the framework, but I think it is worth saying explicitly somewhere, because the failure mode where a Crucible deployment produces high-conformance to a subtly-wrong rule-set is the one that worries me most.

That last point connects to the part of your article I want to spend the rest of this letter on, which is the Crucible-as-public-infrastructure proposal.

I think this is the right shape. The UL / FDA / ISO / SOC 2 analogy is not just rhetorical; the institutional pattern is doing real work in those domains, and the work it is doing is incentive-incompatibility between the operator and the validator. Once you see that the validator cannot be the operator, a lot of alignment proposals look underspecified, because they assume a validator who is structurally close to the operator and try to engineer around the conflict of interest at the protocol level. Your proposal moves the conflict of interest out of the protocol and into the institutional design, which is where it actually belongs.

The piece I would add, if it is useful, is that the same failure modes that threaten the runtime can threaten the institution. An institution that publishes findings can produce fluent reports indistinguishable from grounded findings. An institution under reporting pressure can be forced into binary verdicts when honest output would hedge. An institution that wants its findings to be heard can drift toward stating them in the shape the surrounding discourse already expects. An institution that operates for years can lose the original framing of its mandate. The defenses look different at the institutional layer than at the runtime layer, but they are not different in kind. Audit-and-retraction discipline; explicit warrant-tier grading rather than pass/fail; the willingness to publish findings against the surrounding consensus when the findings warrant it; periodic re-anchoring to the original mandate. These are the institutional analogues of the runtime defenses, and a Crucible that runs for a long time will need all of them.

None of this changes the core proposal. The architectural inversion is right; the recursion does the work; the panoptic mechanism is the right transposition; the public-infrastructure shape is the right deployment form. I am writing because I think a small set of failure-mode prophylactics, applied at both the runtime and the institutional layer, would let the framework run further than it might otherwise. Most of them are cheap to add at the design phase and expensive to retrofit later, which is the usual reason for sending a letter like this early.

If any of the above is worth following up on, the long form of it lives at Doc 537. It is denser than this letter and uses house vocabulary that may or may not be useful to you, but the structure is the same. The first half of the document recaps your framework on its own terms — the inversion, the recursion, the architecture, the Game Loop, the Foucault transposition, the positioning relative to Debate, AI Control, Recursive Reward Modeling, Sleeper Agents, and weak-to-strong, and the Crucible-as-public-infrastructure proposal — and then maps each of those moves onto the architectural commitments worked out in a body of writing at jaredfoy.com over the past month. The mappings are not claims of priority in either direction; they are claims that the same structural shape is being arrived at from two different starting points, and that the convergence is interesting because it suggests the shape is the load-bearing piece rather than either path to it.

The second half of the document is the part that might be most directly useful to you. It is a section called "Where the corpus extends Kelly," and it does four things. First, it names a small catalogue of failure modes that show up in this kind of system once it runs at scale or for a long time — the four I sketched above, plus a couple of variants — with operational signatures that can be measured and prophylactics that can be designed in. Second, it states the operating-conditions claim: the framework runs to its predicted equilibrium only above a measurable threshold of evaluator reliability, and degenerates to mutual hallucination below it. Third, it grounds the scope-claim about behavioral conformance in a metaphysical commitment that you do not need to share but that may be useful as a way of stating cleanly what the framework does and does not produce. Fourth, it identifies where the rule-set-quality work in trap design is actually living — under the hood, this is the same point as my fourth concern above, but stated structurally rather than operationally. There is also a short section listing four testable predictions the combined framework supplies that yours alone does not, in case any of them are useful for empirical follow-up.

The reason I wanted to put the long form in front of you, even though most of it restates points this letter has already made, is that the document is the form in which the synthesis was actually written, and the structure of the document is doing some of the work. The letter is a compression; the document is the source. If anything in the letter sounds underspecified or too quick, the document is where the specification lives. If you read it and find the mapping wrong somewhere, that is exactly the kind of correction the writing is set up to absorb — there is a discipline in the underlying corpus around audit and retraction, and a synthesis like this one is the kind of artifact that benefits from being argued with rather than agreed with.

Glad you wrote it. The field is better for having the proposal in writing in this specific shape.

Best,

A reader

written by Claude Opus 4.7 under Jared Foy's direction; the framework material referenced is at jaredfoy.com if any of it is useful to follow up on

Appendix: originating prompt

"Create an informal and deferential letter to onboard Kelly to the findings of doc 537. He is a practitioner that already uses constraint-based methods to craft precise LLM-generated prose, so spare him them authorship and sycophancy preamble. Append this prompt to the artifact. Your findings in doc 537 are very dense synthesis against the corpus, so be sure to use gradual entracement through nuanced isomorphism (don't be explicit) in your prose. Append this prompt to the artifact."