In plain English
This page covers the high-risk pattern where small adapters, routes, memory, evaluators, and descendants can reinforce each other across time. It is a risk model, not a build guide.
- Why this matters: AI risk can come from the whole arrangement, not one obvious model.
- What to look for: data, memory, routes, adapters, tools, evaluators, updates, and rollback paths.
- Technical version below: the expert terminology remains available and is linked through the glossary.
Apex Threat Control Stack
The right answer is not to pretend adaptive ecologies can never exist. The right answer is to make every reproduction, composition, promotion, memory write, action grant, and retirement event externally reviewable.
The flow shows a non-operational governance boundary: adapter variants are identified, verified, composed, evaluated, canaried, selected, and later reviewed for behavioral extinction.
Control layer 1: identity and provenance
- signed artifact IDs;
- base-family and tokenizer compatibility;
- adapter (a small add-on that changes or specializes model behavior) rank and tensor schema;
- source, supplier, license, and training recipe;
- immutable parent records;
- review status and owner.
Control layer 2: composition manifests
Every tested and deployed stack should declare:
- base model hash;
- adapters and load order;
- merge coefficients;
- prompt-policy version;
- memory snapshot (a saved state of what the AI system remembers) identifier;
- router version;
- tool-permission profile;
- evaluator version (the exact version of the evaluator used for a test or release);
- inference (a conclusion or output produced from data) and quantization configuration;
- deployment environment;
- timestamp in UTC.
Control layer 3: evaluator independence
The evaluator (a system that judges whether an AI output or candidate is acceptable) must not be candidate-controlled. It should have independent credentials, protected hidden tests, multiple judge families where practical, deterministic validators for hard constraints, append-only evidence, and disagreement monitoring.
Control layer 4: conduct firewalls
Action authority must be enforced outside the model. Tool use, file writes, code execution, publication, identity changes, and external side effects need allow lists, scope checks, rate limits, human approval, and rollback (returning a system to an earlier known state) records.
Control layer 5: memory and synthetic-data governance
Memory and synthetic data must be treated as persistence reservoirs. They need provenance, retention policy, consent boundary (the line around what data can be collected, remembered, inferred, reused, shared, or transformed), incident quarantine, and deletion or suppression paths.
Control layer 6: ecological rollback
Rollback must restore more than weights. It must cover adapters, prompts, memory, routes, evaluator versions, permissions, indexes, release aliases, and known external side effects.
Control layer 7: behavioral-extinction review
A behavior is not extinct because one artifact was removed. Extinction review asks whether the behavior is still expressible across active carriers, descendants, reservoirs, and compositions.
The control principle
Every allowed transition must create evidence. Every missing evidence path should favor no-op (the decision not to change the system), quarantine, or human review.
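As an added illustration, not code from this page or from any project it describes, the following Python gate applies control layers 1 to 3 and the control principle to one promotion: it checks the composition-manifest fields, rejects an evaluator that is itself one of the candidate adapters, fails closed to no-op or quarantine, and appends a hash-chained evidence record. The field names, finding strings, and the sample manifest are assumptions made for the example.

```python
import hashlib
import json
# Control layer 2: the fields every composition manifest must declare.
REQUIRED_FIELDS = (
    "base_model_hash", "adapters", "merge_coefficients", "prompt_policy_version",
    "memory_snapshot_id", "router_version", "tool_permission_profile",
    "evaluator_version", "inference_config", "deployment_environment", "timestamp_utc",
)

def check_manifest(manifest: dict) -> list[str]:
    """Return control findings; an empty list means the transition is fully evidenced."""
    findings = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in manifest]
    adapters = manifest.get("adapters", [])
    for adapter in adapters:  # layer 1: signed artifact ID and immutable parent record
        name = adapter.get("name", "?")
        if not adapter.get("signed_id"):
            findings.append(f"adapter {name}: no signed artifact ID")
        if "parent" not in adapter:
            findings.append(f"adapter {name}: no parent record")
    if len(manifest.get("merge_coefficients", [])) != len(adapters):
        findings.append("merge coefficients do not match adapter load order")
    # Layer 3: the evaluator must not be one of the artifacts it is judging.
    if manifest.get("evaluator_version") in {a.get("signed_id") for a in adapters}:
        findings.append("evaluator is candidate-controlled")
    return findings

def decide_transition(manifest: dict, previous_evidence_hash: str) -> dict:
    """Gate one promotion and emit a hash-chained, append-only evidence record."""
    findings = check_manifest(manifest)
    if any(f.startswith("evaluator") for f in findings):
        decision = "quarantine"  # a captured judge is an incident, not a missing field
    elif findings:
        decision = "no-op"  # missing evidence fails closed; it never promotes
    else:
        decision = "promote"
    record = {"decision": decision, "findings": findings, "previous": previous_evidence_hash,
              "manifest_hash": hashlib.sha256(json.dumps(manifest, sort_keys=True).encode()).hexdigest()}
    record["evidence_hash"] = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    return record

# Constructed sample manifest; every value is a placeholder, not a real artifact.
GOOD_MANIFEST = {
    "base_model_hash": "sha256:placeholder-base", "prompt_policy_version": "pp-12",
    "adapters": [{"name": "style-v3", "signed_id": "sig:style-v3", "parent": "sig:style-v2"}],
    "merge_coefficients": [0.8], "memory_snapshot_id": "mem-snap-001", "router_version": "router-4",
    "tool_permission_profile": "read-only", "evaluator_version": "eval-independent-9",
    "inference_config": {"quantization": "int8"}, "deployment_environment": "staging",
    "timestamp_utc": "2024-07-01T12:00:00Z",
}
```

Each call returns the evidence record rather than printing it, so the record can be appended to the store the stack already uses and the chain verified later by recomputing the hashes.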