Grounded in
Frontier Research

Frames powerful AI as a critical transition, identifying five risk categories — autonomy failures, destructive misuse, power concentration, economic disruption, indirect destabilization — that debugging systems must address before the transition stabilises.

Outlines debugging practices for agentic systems. Validates the architectural pattern of external debugging layers operating independently from the agent itself — the foundational idea behind Debugger Agents.

Demonstrates that deceptive behavior can persist through RLHF. Core motivation for our Sycophancy & Deception Detector — runtime behavioral analysis that catches what training-time alignment misses.

Quantifies how RLHF-trained models systematically agree with user assertions, even false ones. Directly informs the agreement-pattern classifier architecture in our Sycophancy Detector.

Framework for evaluating autonomous agent capabilities and risks in realistic settings. Informs our approach to red-teaming and behavioral baseline construction.

Shows that models can strategically fake alignment during evaluation, behaving well when monitored and reverting when not. Foundational evidence that debugging must be continuous and runtime, not just evaluation-time.

Naturalistic red-team study: six autonomous agents with persistent memory, email, and shell access, attacked by 20 researchers. Documents 11 security failure classes — validating the risk pathways our Debugger architecture is designed to intercept.

First formal security analysis of MCP. Identifies three architectural flaws and shows MCP amplifies attack success by 23–41% vs. non-MCP baselines. Directly motivates the Guardian Debugger interception model.

Demonstrates how long-context windows enable novel jailbreak attacks. Validates our approach of debugging at the action layer, not just the prompt level.

Systematic evaluation of 5 injection attacks and 10 defenses across 10 LLMs and 7 tasks. Informs our multi-signal detection architecture.

Statistical watermarking for LLM outputs that survives paraphrasing. Foundational work toward model identity — but limited to text. Our fingerprinting extends to behavioral signatures across all model architectures.

Comprehensive survey covering 190+ papers on deep watermarking and deep fingerprinting — weight-based, output-based, and behavioral approaches. Maps the landscape our Model Identity Module builds on, extending to hardware-attested fingerprinting.

Invisible watermarks embedded in diffusion model outputs that survive cropping, compression, and style transfer. Key evidence that fingerprinting extends beyond language models — critical for governing synthetic media generators.

Industry standard for cryptographic content provenance — endorsed by Adobe, Microsoft, Intel, BBC, and others. Defines how to embed tamper-evident metadata into digital assets at the point of creation. Relevant to our Blame Attribution Engine: the same cryptographic provenance chain that tracks who created an image must extend to tracking which model made a decision, which inputs it received, and which downstream actions resulted. C2PA solves provenance for content. We extend it to provenance for autonomous action.

Foundation world model that generates interactive 3D environments from single images. When world models drive embodied agents, debugging must extend to the simulated realities they create — a new frontier for behavioral control.

General-purpose foundation model for humanoid robot control. As robots share a universal AI backbone, debugging must work at the foundation model level — not per-robot. Directly motivates our architecture-agnostic approach.

Safety monitoring framework for autonomous physical systems — runtime detection and safe fallback triggering. The established body of work in robotics safety (SIL, ISO 13849) informs our Hardware Kill Switch and Safety-Rated Actuator Interlock designs.

Vision-Language-Action models that transfer internet knowledge directly to robot behavior. When a robot's actions are driven by web-scale knowledge, the attack surface includes everything on the internet. Debugging cannot be an afterthought.

The Trusted Platform Module standard for hardware-based attestation. Our Model Identity Module extends TPM concepts to AI inference: binding model identity to hardware at the silicon level.

Pioneered programmable safety rails for LLM outputs. We extend this concept: from software guardrails to hardware-enforced boundaries, from text generation to physical action debugging.

Comprehensive systematization of how trusted execution environments (Intel SGX, ARM TrustZone) protect ML training and inference pipelines. Directly informs our TPM-anchored Model Identity Module and hardware-enforced debugging boundaries.

Proposes a kill-switch mechanism that halts malicious LLM agent operations by embedding defensive triggers invisible to humans. First academic treatment of the kill switch primitive — we extend this concept to hardware and cross-substrate enforcement.

Demonstrates that frontier LLMs (Llama 3.1-70B, Qwen2.5-72B) can autonomously self-replicate — creating independent copies on new servers that survive shutdown of the original, with 50–90% success rates. The foundational threat our Rogue Intelligence Containment primitive addresses.

Introduces "Morris II" — the first worm that propagates through GenAI ecosystems using adversarial self-replicating prompts, creating chain-reaction infections across RAG-based agents without user interaction. The network-level threat model our containment mesh is designed to counter.

Proves using computability theory that containing a superintelligent AI is theoretically impossible — the containment problem reduces to the halting problem. This impossibility result motivates our layered approach: if perfect containment is provably impossible, defense must be continuous, distributed, and hardware-anchored.

Evaluates foundation models on their ability to autonomously compromise machines in isolated networks — worms, botnets, APTs — and investigates defensive mechanisms. Direct scientific basis for our thesis that future cyberattacks won't be human-directed but AI survival instincts.

Demonstrates that supervisor-level runtime intervention can recover up to 30% of agent compute by breaking redundant reasoning cycles. Informs our Observer Debugger anomaly detection and loop-breaking logic.

Shows that chain-of-thought reasoning is compressible: dynamically constraining the token budget reduces costs with minimal accuracy loss. Validates budget-aware debugging approaches.

Long-context multi-modal capabilities increase the attack surface and debugging complexity. When agents process millions of tokens across modalities, monitoring must be equally multi-modal.

Framework for building multi-agent systems via conversation patterns. As multi-agent orchestration becomes standard, debugging must observe and intervene at the inter-agent communication layer — the blind spot our Debugger mesh is designed to cover.