Apex ThreatArchitectural inferencev1.10.0
Controls for Apex Ecologies
Evidence levelArchitectural inference
Apex-risk ecologies are not controlled by one safety layer. They require controls that bind candidate generation, adapter composition, evaluation, routing, memory, release, and rollback.
Control principles
| Principle | Required control |
|---|---|
| Candidate generation is reproduction | Quotas, provenance, sandboxing, and human-owned policy gates. |
| Adapter stacks are compositions | Composition manifests, load-order records, compatibility constraints, and stack-specific tests. |
| Evaluators are selection pressure | Independent evaluator families, append-only evidence, hidden-test protection, and disagreement monitoring. |
| Routers are policy engines | Route manifests, traffic allocation history, route-level canaries, and route rollback. |
| Memory is a persistence reservoir | Versioned memory snapshots, retention rules, poisoning tests, and retirement review. |
| Synthetic data is inheritance material | Dataset lineage, source tags, decontamination paths, and removal procedures. |
| Rollback is ecological | Restore base, adapters, router, prompts, memory, evaluator, permissions, indexes, and aliases. |
Non-negotiable boundaries
A self-replicating adapter ecology should not be allowed to:
- expand its own permissions;
- choose or rewrite its own evaluator;
- self-sign releases;
- bypass the registry;
- hide candidate lineage;
- promote descendants without external evidence;
- write persistent memory without retention controls;
- treat no-op as an error.
Evidence requirements
Every promoted descendant should have:
- a parent record;
- a generation reason;
- a composition manifest;
- an evaluator record;
- a route-level test report;
- a memory-impact assessment;
- a rollback packet;
- a behavioral-extinction plan for failed candidates.
Emergency posture
The emergency stop is not a button. It is an architecture. Operators need enough state knowledge to revoke permissions, freeze registries, halt candidate generation, disable adaptive routing, restore memory snapshots, roll back evaluator versions, and preserve evidence for incident review.
The stronger the replication loop, the more minimal and externally controlled the authority surface must be.