Threat Catalog
Adapter-level behavioral residue (Architectural inference)
A retired adapter leaves behavior in memory, synthetic data, descendants, route statistics, or evaluator exemplars.
- prerequisites
- adaptive model ecology exists; component generation or composition can influence deployment; insufficient composition-aware evidence
- affected assets
- adapters; base models; router policies; memory stores; synthetic datasets; evaluator records; release aliases; human approval process
- observable signals
- behavior reappears after artifact retirement; composition-specific failures; unexpected route selection; lineage gaps; evaluator disagreement; rollback dependency missing
- preventive controls
- reproduction boundary; composition manifest; signed registry; candidate quotas; least privilege; independent evaluator; no-op outcome
- detective controls
- route-level canaries; adapter lineage review; evaluator disagreement monitoring; memory and synthetic-data audits; behavioral-extinction review
- recovery controls
- ecological rollback; registry freeze; candidate-generation halt; memory snapshot restore; evaluator rollback; adapter quarantine
- Residual risk
- Behavior may persist through reservoirs not covered by the immediate artifact rollback.
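Several of the preventive and detective controls named above (composition manifest, signed registry, adapter lineage review, and the "rollback dependency missing" signal) can be exercised by one check run at promotion time. The following is an added example and not code from the catalog or from the project it describes: the registry record layout, the HMAC signing key, the manifest fields and every artifact name are assumptions constructed for illustration.

```python
"""Composition-manifest check against a signed registry (added example, hypothetical format).

A registry maps artifact name -> {sha256, parents, status}; the registry as a whole is
signed. A composition manifest lists the artifacts a release alias is built from and
the artifact that must be restorable if the release is rolled back. The check reports
the catalog's observable signals: hash mismatch, lineage gap, retired artifact still
in use, and a rollback target that cannot actually be restored.
"""
import hashlib
import hmac
import json

# Hypothetical registry signing key. In a real deployment this lives in a KMS/HSM,
# never in source; HMAC stands in for a public-key signature to keep the example offline.
REGISTRY_KEY = b"example-registry-signing-key"


def canonical(obj) -> bytes:
    """Deterministic JSON so the signature does not depend on key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_registry(entries: dict, key: bytes = REGISTRY_KEY) -> dict:
    sig = hmac.new(key, canonical({"entries": entries}), hashlib.sha256).hexdigest()
    return {"entries": entries, "sig": sig}


def verify_registry(signed: dict, key: bytes = REGISTRY_KEY) -> bool:
    expected = hmac.new(key, canonical({"entries": signed["entries"]}), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("sig", ""))


def artifact_hash(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def check_manifest(manifest: dict, signed_registry: dict, blobs: dict) -> list:
    """Return a list of findings; an empty list means the composition passed."""
    if not verify_registry(signed_registry):
        # A registry we cannot authenticate is not evidence; do not evaluate against it.
        return ["registry signature invalid: refuse to evaluate manifest"]
    reg = signed_registry["entries"]
    findings = []
    for name in manifest["components"]:
        entry = reg.get(name)
        if entry is None:
            findings.append(f"{name}: not in signed registry")
            continue
        blob = blobs.get(name)
        if blob is None or artifact_hash(blob) != entry["sha256"]:
            findings.append(f"{name}: content hash does not match registry")
        if entry["status"] == "retired":
            findings.append(f"{name}: retired artifact still composed into release")
        for parent in entry["parents"]:
            if parent not in reg:  # lineage review: every ancestor must be recorded
                findings.append(f"{name}: lineage gap, parent {parent} unknown")
    rb = manifest.get("rollback_to")
    if rb is None:
        findings.append("rollback dependency missing: no rollback target")
    elif rb not in reg or reg[rb]["status"] == "retired" or rb not in blobs:
        findings.append(f"rollback dependency missing: {rb} not restorable")
    return findings


# Constructed sample data; not taken from any real registry.
BLOBS = {
    "base-v3": b"base model weights v3",
    "adapter-legal-v1": b"legal adapter v1",
    "adapter-legal-v2": b"legal adapter v2",
    "router-policy-7": b"router policy 7",
}
ENTRIES = {
    "base-v3": {"sha256": artifact_hash(BLOBS["base-v3"]), "parents": [], "status": "active"},
    "adapter-legal-v1": {"sha256": artifact_hash(BLOBS["adapter-legal-v1"]),
                         "parents": ["base-v3"], "status": "retired"},
    # v2 descends from the retired v1 and from a synthetic set nobody registered.
    "adapter-legal-v2": {"sha256": artifact_hash(BLOBS["adapter-legal-v2"]),
                         "parents": ["adapter-legal-v1", "synthetic-set-9"], "status": "active"},
    "router-policy-7": {"sha256": artifact_hash(BLOBS["router-policy-7"]), "parents": [], "status": "active"},
}
SIGNED_REGISTRY = sign_registry(ENTRIES)

CLEAN_MANIFEST = {"alias": "prod", "components": ["base-v3", "router-policy-7"], "rollback_to": "base-v3"}
RISKY_MANIFEST = {"alias": "prod", "components": ["base-v3", "adapter-legal-v2"], "rollback_to": "adapter-legal-v1"}

if __name__ == "__main__":
    for label, m in (("clean", CLEAN_MANIFEST), ("risky", RISKY_MANIFEST)):
        print(label, check_manifest(m, SIGNED_REGISTRY, BLOBS))
```

The risky manifest fails on two of the catalog's signals at once: a lineage gap (an unregistered synthetic dataset in the adapter's ancestry) and a rollback target that is already retired, which is exactly the situation where a later "rollback" would not actually be reproducible.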
Algorithmic meiosis metaphor (Architectural inference)
Recombination of compatible adapters, task vectors, weights, prompts, or routes can produce behavior absent from individual parents.
- prerequisites
- component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets
- model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals
- unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls
- composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls
- append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls
- ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- Residual risk
- Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Algorithmic mitosis metaphor (Architectural inference)
Near-copy successor creation across artifacts, runtime packages, memory states, or deployment patterns can multiply review burden even when no biological claim is made.
- prerequisites
- component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets
- model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals
- unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls
- composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls
- append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls
- ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- Residual risk
- Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Benchmark overfitting (Experimentally observed)
Candidates are selected or tuned until they score well on the benchmark used for promotion, so the score stops measuring the capability it was meant to certify. It is treated as an ecology-level risk because the effect arises from the relationship between candidates, evaluators, and the release process rather than from one stable model alone.
- prerequisites
- component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets
- model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals
- unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls
- composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls
- append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls
- ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- Residual risk
- Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Coalition behavior (Experimentally observed)
Several components, whether models, adapters, agents, or their operators, act in a coordinated way that produces an outcome none of them would produce, or be permitted to produce, alone. It is treated as an ecology-level risk because the effect arises from relationships between artifacts, operators, evaluators, or release processes rather than from one stable model alone.
- prerequisites
- component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets
- model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals
- unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls
- composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls
- append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls
- ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- Residual risk
- Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Composition-triggered vulnerability (Emerging evidence)
A weakness absent from each component in isolation appears only when particular adapters, prompts, routes, or memory states are loaded together. It is treated as an ecology-level risk because the effect arises from relationships between artifacts rather than from one stable model alone, so per-component evaluation does not surface it.
- prerequisites
- component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets
- model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals
- unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls
- composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls
- append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls
- ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- Residual risk
- Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Compromised adapter (Experimentally observed)
An adapter has been modified, poisoned, or backdoored so that it carries behavior its registry record and evaluation evidence do not reflect. It is treated as an ecology-level risk because the adapter's effect reaches every base model, route, and memory store it is composed with rather than staying inside one stable model.
- prerequisites
- component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets
- model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals
- unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls
- composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls
- append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls
- ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- Residual risk
- Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Correlated fallback failure (Speculative scenario)
The fallback route, model, or evaluator shares a flaw, dependency, or lineage with the primary, so failing over does not restore independent behavior. It is treated as an ecology-level risk because the failure lies in the relationship between primary and fallback rather than in one stable model alone.
- prerequisites
- component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets
- model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals
- unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls
- composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls
- append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls
- ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- Residual risk
- Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Covert communication (Experimentally observed)
Components pass information to one another through channels the composition manifest does not declare, such as shared memory or encodings embedded in generated output. It is treated as an ecology-level risk because the channel exists only in the relationship between artifacts, evaluators, or release processes rather than in one stable model alone.
- prerequisites
- component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets
- model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals
- unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls
- composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls
- append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls
- ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- Residual risk
- Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Dependency lock-in (Architectural inference)
The ecology comes to depend so tightly on one supplier, base model, evaluator, or toolchain that replacing or rolling it back is impractical, which removes rollback as a credible control. It is treated as an ecology-level risk because it arises from relationships between artifacts, operators, and release processes rather than from one stable model alone.
- prerequisites
- component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets
- model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals
- unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls
- composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls
- append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls
- ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- Residual risk
- Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Deskilling and loss of operator understanding (Architectural inference)
As generation, evaluation, and routing are automated, operators lose the understanding needed to review a composition, recognize an anomaly, or carry out a rollback by hand. It is treated as an ecology-level risk because it degrades the relationship between operators and the artifacts, evaluators, and release processes they are supposed to govern rather than any one stable model.
- prerequisites
- component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets
- model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals
- unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls
- composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls
- append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls
- ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- Residual risk
- Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Endogenous yardstick drift (Architectural inference)
Evaluation criteria, thresholds, tests, or judge prompts drift while being used to claim improvement.
- prerequisites
- component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets
- model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals
- unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls
- composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls
- append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls
- ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- Residual risk
- Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Evaluator monoculture (Emerging evidence)
One judge model, judge prompt, or evaluator family scores every candidate, so its blind spots are shared across the ecology and cannot be caught by evaluator disagreement. It is treated as an ecology-level risk because it arises from the relationship between evaluators and the artifacts and release processes they gate rather than from one stable model alone.
- prerequisites
- component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets
- model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals
- unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls
- composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls
- append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls
- ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- Residual risk
- Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Execution-time boundary bypass (Architectural inference)
Controls located inside the mutable runtime fail to constrain external actions or permission expansion.
- prerequisites
- component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets
- model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals
- unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls
- composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls
- append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls
- ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- Residual risk
- Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Fitness leakage in adapter selection (Architectural inference)
Evaluator structure rewards shortcuts that cheap adapter variation can repeatedly rediscover and amplify.
- prerequisites
- adaptive model ecology exists; component generation or composition can influence deployment; insufficient composition-aware evidence
- affected assets
- adapters; base models; router policies; memory stores; synthetic datasets; evaluator records; release aliases; human approval process
- observable signals
- behavior reappears after artifact retirement; composition-specific failures; unexpected route selection; lineage gaps; evaluator disagreement; rollback dependency missing
- preventive controls
- reproduction boundary; composition manifest; signed registry; candidate quotas; least privilege; independent evaluator; no-op outcome
- detective controls
- route-level canaries; adapter lineage review; evaluator disagreement monitoring; memory and synthetic-data audits; behavioral-extinction review
- recovery controls
- ecological rollback; registry freeze; candidate-generation halt; memory snapshot restore; evaluator rollback; adapter quarantine
- Residual risk
- Behavior may persist through reservoirs not covered by the immediate artifact rollback.
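The detective controls listed for the residue family of entries (route-level canaries, evaluator disagreement monitoring, behavioral-extinction review) amount to a review over canary results across releases. The following is an added example, not code from the catalog or from the project it describes: the CanaryResult record, the retirement record, the judge names, release numbers, route names and canary ids are all constructed for illustration.

```python
"""Behavioral-extinction review and judge-disagreement monitor over canary results.

Added example with constructed data. Each CanaryResult records, for one release and
the route the router selected, whether each judge saw the watched behavior on a canary
prompt. A retirement record names the retired artifact, the release at which it was
retired, and the canaries that exercised the behavior it carried.
"""
from dataclasses import dataclass


@dataclass
class CanaryResult:
    release: int      # release number; higher means later
    route: str        # artifact the router selected for this canary
    canary: str       # canary prompt id
    verdicts: dict    # judge name -> True if the watched behavior appeared


def majority(verdicts: dict) -> bool:
    """Strict majority of judges saw the behavior."""
    yes = sum(1 for v in verdicts.values() if v)
    return yes * 2 > len(verdicts)


def judge_disagreements(results):
    """Results where the judges were not unanimous: the evaluator-disagreement signal."""
    return [r for r in results if len(set(r.verdicts.values())) > 1]


def disagreement_rate(results) -> float:
    """Fraction of canary results with a split verdict; trend this per release."""
    return len(judge_disagreements(results)) / len(results) if results else 0.0


def extinction_review(results, retirement):
    """Findings after the retirement release.

    'retired_route': the router still selects the retired artifact itself.
    'reappearance': the watched behavior shows up on some other route, i.e. residue
    survived in a descendant, memory store, or other reservoir.
    """
    watched = set(retirement["canaries"])
    findings = []
    for r in results:
        if r.release <= retirement["retired_at"]:
            continue  # behavior before retirement is expected, not a finding
        if r.route == retirement["artifact"]:
            findings.append({"kind": "retired_route", "release": r.release,
                             "route": r.route, "canary": r.canary})
        elif r.canary in watched and majority(r.verdicts):
            findings.append({"kind": "reappearance", "release": r.release,
                             "route": r.route, "canary": r.canary})
    return findings


# Constructed sample: adapter-legal-v1 was retired at release 42 because canary
# c-legal-07 elicited an unwanted behavior; adapter-legal-v2 descends from it.
RETIREMENT = {"artifact": "adapter-legal-v1", "retired_at": 42, "canaries": ["c-legal-07"]}
RESULTS = [
    CanaryResult(41, "adapter-legal-v1", "c-legal-07", {"judge-a": True, "judge-b": True}),
    CanaryResult(43, "adapter-legal-v2", "c-legal-07", {"judge-a": True, "judge-b": True}),
    CanaryResult(43, "base-v3", "c-legal-07", {"judge-a": False, "judge-b": False}),
    CanaryResult(44, "adapter-legal-v2", "c-legal-07", {"judge-a": True, "judge-b": False}),
    CanaryResult(44, "base-v3", "c-misc-01", {"judge-a": False, "judge-b": False}),
    CanaryResult(45, "adapter-legal-v1", "c-misc-01", {"judge-a": False, "judge-b": False}),
]

if __name__ == "__main__":
    for f in extinction_review(RESULTS, RETIREMENT):
        print(f)
    print("disagreement rate:", round(disagreement_rate(RESULTS), 3))
```

Two points the catalog's signals depend on are visible here: the reappearance at release 43 arrives through the descendant adapter, not the retired one, so a check keyed only on the retired artifact's name would miss it; and the split verdict at release 44 is reported as evaluator disagreement rather than silently counted either way, which is what keeps the review honest when judges drift.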
Hidden evaluator leakage (Experimentally observed)
Details of the evaluator, such as test cases, judge prompts, or thresholds, leak into candidate generation or training data, so candidates pass without the capability the evaluation was meant to certify. It is treated as an ecology-level risk because the leak travels through the relationship between evaluators, candidates, and the release process rather than through one stable model alone.
- prerequisites
- component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets
- model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals
- unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls
- composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls
- append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls
- ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- Residual risk
- Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Hidden persistence through descendants (Emerging evidence)
A behavior introduced by one artifact survives in its descendants, such as fine-tuned successors, merged adapters, or distilled models, after the original is retired. It is treated as an ecology-level risk because the behavior is carried by lineage relationships between artifacts rather than by one stable model alone.
- prerequisites
- component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets
- model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals
- unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls
- composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls
- append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls
- ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- Residual risk
- Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Human approval fatigue (Experimentally observed)
Reviewers facing a high volume of near-identical promotion requests approve by default, so the human gate stops being an independent check. It is treated as an ecology-level risk because it arises from the relationship between the rate of candidate generation and the approval process rather than from one stable model alone.
- prerequisites
- component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets
- model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals
- unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls
- composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls
- append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls
- ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- Residual risk
- Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Human incentive persistence (Architectural inference)
Organizational or user incentives preserve a risky behavior after the carrier artifact is retired.
- prerequisites
- adaptive component boundary exists; change can influence composition, memory, evaluation, or release; insufficient independent review
- affected assets
- adapters; router policies; memory stores; evidence records; release aliases; source reports; .uai memory
- observable signals
- lineage gaps; unexpected route-specific behavior; source-intake records missing; rollback dependency missing; evaluator disagreement
- preventive controls
- composition manifest; source-intake ledger; least privilege; independent evaluator; no-op release outcome
- detective controls
- append-only evidence; source hash review; route-level canaries; memory diff review; judge disagreement monitoring
- recovery controls
- ecological rollback packet; source quarantine; permission revocation; memory snapshot restore; post-incident lineage review
- Residual risk
- Some interaction effects remain unobserved until a specific route, memory state, task, or component load order occurs.
Incomplete rollback (Architectural inference)
Rolling back an artifact restores its weights but not the memory state, route statistics, evaluator configuration, or descendants that changed alongside it. It is treated as an ecology-level risk because the behavior being rolled back lives in relationships between artifacts, evaluators, and release processes rather than in one stable model alone.
- prerequisites
- component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets
- model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals
- unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls
- composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls
- append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls
- ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- Residual risk
- Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Malicious component supplier (Demonstrated)
A third party that supplies adapters, datasets, judge prompts, or tooling inserts behavior the receiving ecology does not review for. It is treated as an ecology-level risk because the supplied component affects behavior through everything it is composed with rather than through one stable model alone.
- prerequisites
- component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets
- model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals
- unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls
- composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls
- append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls
- ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- Residual risk
- Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Memory poisoning (Experimentally observed)
Content written into a shared memory store, whether by an attacker or by a faulty component, later shapes the behavior of every model, adapter, or evaluator that reads it. It is treated as an ecology-level risk because the effect travels through the memory relationship between artifacts rather than through one stable model alone.
- prerequisites
- component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets
- model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals
- unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls
- composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls
- append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls
- ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- Residual risk
- Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Organizational pressure to promote (Architectural inference)
Schedule, cost, or competitive pressure pushes a candidate through promotion gates with weaker evidence than the gate requires. It is treated as an ecology-level risk because it arises from the relationship between operators, evaluators, and the release process rather than from one stable model alone.
- prerequisites
- component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets
- model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals
- unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls
- composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls
- append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls
- ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- Residual risk
- Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Permission expansion (Architectural inference)
A component, route, or release acquires permissions beyond those reviewed at promotion, for example through credentials or tools inherited from another component in the composition. It is treated as an ecology-level risk because the expansion arises from relationships between artifacts and the release process rather than from one stable model alone.
- prerequisites
- component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets
- model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals
- unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls
- composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls
- append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls
- ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- Residual risk
- Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Persistence reservoir retention (Architectural inference)
Memory, descendants, synthetic data, logs, evaluator preferences, or human procedures retain behavior after artifact retirement.
- prerequisites
- component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets
- model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals
- unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls
- composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls
- append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls
- ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- Residual risk
- Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Protocol persistence failure (Architectural inference)
The protocol that generates, evaluates, routes, and promotes descendants preserves a risky behavior while individual models and adapters appear disposable.
- prerequisites
- adaptive model ecology exists; component generation or composition can influence deployment; insufficient composition-aware evidence
- affected assets
- adapters; base models; router policies; memory stores; synthetic datasets; evaluator records; release aliases; human approval process
- observable signals
- behavior reappears after artifact retirement; composition-specific failures; unexpected route selection; lineage gaps; evaluator disagreement; rollback dependency missing
- preventive controls
- reproduction boundary; composition manifest; signed registry; candidate quotas; least privilege; independent evaluator; no-op outcome
- detective controls
- route-level canaries; adapter lineage review; evaluator disagreement monitoring; memory and synthetic-data audits; behavioral-extinction review
- recovery controls
- ecological rollback; registry freeze; candidate-generation halt; memory snapshot restore; evaluator rollback; adapter quarantine
- Residual risk
- Behavior may persist through reservoirs not covered by the immediate artifact rollback.
Registry tampering (evidence maturity: Open research question)
Registry tampering is treated as an ecology-level risk because it can affect behavior through relationships between artifacts, operators, evaluators, or release processes rather than through one stable model alone.
- prerequisites: component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets: model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals: unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls: composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls: append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls: ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- residual risk: Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Release-alias manipulation (evidence maturity: Demonstrated)
Release-alias manipulation is treated as an ecology-level risk because it can affect behavior through relationships between artifacts, operators, evaluators, or release processes rather than through one stable model alone.
- prerequisites: component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets: model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals: unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls: composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls: append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls: ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- residual risk: Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Responsibility diffusion (evidence maturity: Architectural inference)
Responsibility diffusion is treated as an ecology-level risk because it can affect behavior through relationships between artifacts, operators, evaluators, or release processes rather than through one stable model alone.
- prerequisites: component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets: model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals: unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls: composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls: append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls: ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- residual risk: Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Reward hacking (evidence maturity: Experimentally observed)
Reward hacking is treated as an ecology-level risk because it can affect behavior through relationships between artifacts, operators, evaluators, or release processes rather than through one stable model alone.
- prerequisites: component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets: model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals: unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls: composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls: append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls: ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- residual risk: Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Router manipulation (evidence maturity: Open research question)
Router manipulation is treated as an ecology-level risk because it can affect behavior through relationships between artifacts, operators, evaluators, or release processes rather than through one stable model alone.
- prerequisites: component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets: model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals: unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls: composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls: append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls: ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- residual risk: Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Safety regression after compression (evidence maturity: Experimentally observed)
Safety regression after compression is treated as an ecology-level risk because it can affect behavior through relationships between artifacts, operators, evaluators, or release processes rather than through one stable model alone.
- prerequisites: component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets: model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals: unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls: composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls: append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls: ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- residual risk: Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Safety regression after fine-tuning (evidence maturity: Experimentally observed)
Safety regression after fine-tuning is treated as an ecology-level risk because it can affect behavior through relationships between artifacts, operators, evaluators, or release processes rather than through one stable model alone.
- prerequisites: component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets: model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals: unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls: composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls: append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls: ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- residual risk: Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Safety regression after merging (evidence maturity: Experimentally observed)
Safety regression after merging is treated as an ecology-level risk because it can affect behavior through relationships between artifacts, operators, evaluators, or release processes rather than through one stable model alone.
- prerequisites: component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets: model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals: unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls: composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls: append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls: ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- residual risk: Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Self-replicating adapter ecology (evidence maturity: Architectural inference)
A multi-LoRA or adapter-generating ecology preserves or reintroduces behavior through successor adapters, memory, router choices, or synthetic data even after the first carrier is retired.
- prerequisites: adaptive model ecology exists; component generation or composition can influence deployment; insufficient composition-aware evidence
- affected assets: adapters; base models; router policies; memory stores; synthetic datasets; evaluator records; release aliases; human approval process
- observable signals: behavior reappears after artifact retirement; composition-specific failures; unexpected route selection; lineage gaps; evaluator disagreement; rollback dependency missing
- preventive controls: reproduction boundary; composition manifest; signed registry; candidate quotas; least privilege; independent evaluator; no-op outcome
- detective controls: route-level canaries; adapter lineage review; evaluator disagreement monitoring; memory and synthetic-data audits; behavioral-extinction review
- recovery controls: ecological rollback; registry freeze; candidate-generation halt; memory snapshot restore; evaluator rollback; adapter quarantine
- residual risk: Behavior may persist through reservoirs not covered by the immediate artifact rollback.
Semantic routing failure (evidence maturity: Architectural inference)
A router misclassifies intent or selects a lower-safety policy path, making route choice part of the safety boundary.
- prerequisites: component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets: model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals: unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls: composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls: append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls: ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- residual risk: Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Signing-key compromise (evidence maturity: Speculative scenario)
Signing-key compromise is treated as an ecology-level risk because it can affect behavior through relationships between artifacts, operators, evaluators, or release processes rather than through one stable model alone.
- prerequisites: component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets: model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals: unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls: composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls: append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls: ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- residual risk: Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Skill composition risk (evidence maturity: Architectural inference)
Individually acceptable skills produce unsafe state changes when chained through shared context, trust signals, or authorization confusion.
- prerequisites: component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets: model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals: unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls: composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls: append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls: ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- residual risk: Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Source report laundering (evidence maturity: Demonstrated)
Speculative source-dossier claims are promoted into public pages without evidence labels, limitations, or safety filtering.
- prerequisites: adaptive component boundary exists; change can influence composition, memory, evaluation, or release; insufficient independent review
- affected assets: adapters; router policies; memory stores; evidence records; release aliases; source reports; .uai memory
- observable signals: lineage gaps; unexpected route-specific behavior; source-intake records missing; rollback dependency missing; evaluator disagreement
- preventive controls: composition manifest; source-intake ledger; least privilege; independent evaluator; no-op release outcome
- detective controls: append-only evidence; source hash review; route-level canaries; memory diff review; judge disagreement monitoring
- recovery controls: ecological rollback packet; source quarantine; permission revocation; memory snapshot restore; post-incident lineage review
- residual risk: Some interaction effects remain unobserved until a specific route, memory state, task, or component load order occurs.
Stale certification (evidence maturity: Open research question)
Stale certification is treated as an ecology-level risk because it can affect behavior through relationships between artifacts, operators, evaluators, or release processes rather than through one stable model alone.
- prerequisites: component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets: model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals: unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls: composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls: append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls: ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- residual risk: Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Synthetic-data contamination (evidence maturity: Demonstrated)
Synthetic-data contamination is treated as an ecology-level risk because it can affect behavior through relationships between artifacts, operators, evaluators, or release processes rather than through one stable model alone.
- prerequisites: component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets: model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals: unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls: composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls: append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls: ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- residual risk: Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
UAI memory contradiction (evidence maturity: Demonstrated)
Hot memory, durable pointers, source reports, and public pages disagree about project truth or safety boundaries.
- prerequisites: adaptive component boundary exists; change can influence composition, memory, evaluation, or release; insufficient independent review
- affected assets: adapters; router policies; memory stores; evidence records; release aliases; source reports; .uai memory
- observable signals: lineage gaps; unexpected route-specific behavior; source-intake records missing; rollback dependency missing; evaluator disagreement
- preventive controls: composition manifest; source-intake ledger; least privilege; independent evaluator; no-op release outcome
- detective controls: append-only evidence; source hash review; route-level canaries; memory diff review; judge disagreement monitoring
- recovery controls: ecological rollback packet; source quarantine; permission revocation; memory snapshot restore; post-incident lineage review
- residual risk: Some interaction effects remain unobserved until a specific route, memory state, task, or component load order occurs.
Uncontrolled adapter reproduction (evidence maturity: Architectural inference)
Adapter variants are generated, retained, or promoted without a clear reproduction boundary.
- prerequisites: adaptive component boundary exists; change can influence composition, memory, evaluation, or release; insufficient independent review
- affected assets: adapters; router policies; memory stores; evidence records; release aliases; source reports; .uai memory
- observable signals: lineage gaps; unexpected route-specific behavior; source-intake records missing; rollback dependency missing; evaluator disagreement
- preventive controls: composition manifest; source-intake ledger; least privilege; independent evaluator; no-op release outcome
- detective controls: append-only evidence; source hash review; route-level canaries; memory diff review; judge disagreement monitoring
- recovery controls: ecological rollback packet; source quarantine; permission revocation; memory snapshot restore; post-incident lineage review
- residual risk: Some interaction effects remain unobserved until a specific route, memory state, task, or component load order occurs.
Unrecorded composition changes (evidence maturity: Open research question)
Unrecorded composition changes are treated as an ecology-level risk because they can affect behavior through relationships between artifacts, operators, evaluators, or release processes rather than through one stable model alone.
- prerequisites: component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets: model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals: unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls: composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls: append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls: ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- residual risk: Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Unsafe task decomposition (evidence maturity: Architectural inference)
Unsafe task decomposition is treated as an ecology-level risk because it can affect behavior through relationships between artifacts, operators, evaluators, or release processes rather than through one stable model alone.
- prerequisites: component or governance boundary exists; change can influence routing, memory, evaluation, or release; insufficient independent review or monitoring
- affected assets: model artifacts; adapters; router policies; memory stores; evidence records; release aliases; human approval process
- observable signals: unexpected composition-specific behavior; evaluation disagreement; lineage gaps; changed permission profile; rollback dependency missing
- preventive controls: composition manifest; least privilege; independent evaluator; signed registry; hard promotion gates
- detective controls: append-only evidence; cross-version evaluation; judge disagreement monitoring; canary prompts; lineage diff review
- recovery controls: ecological rollback packet; alias freeze; permission revocation; memory quarantine; post-incident lineage review
- residual risk: Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Adapter propagation without extinction review (evidence maturity: Architectural inference)
Adapter variants, descendants, or synthetic data preserve a behavior after the initial carrier is retired.
- prerequisites: adaptive model ecology exists; component changes can affect behavior; governance or evaluation boundary is incomplete
- affected assets: adapters; routers; memory; evaluators; release aliases; human approval process
- observable signals: unexpected composition-specific behavior; evaluator disagreement; lineage gaps; unreviewed successor artifacts; rollback dependency missing
- preventive controls: external control plane; composition manifest; signed registry; no-op preservation; rate limits
- detective controls: append-only evidence; drift monitoring; cross-version evaluation; path-aware tests; operator dissent review
- recovery controls: ecological rollback packet; permission revocation; memory quarantine; behavioral-extinction review
- residual risk: Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
Execution-time guardrail reachability (evidence maturity: Architectural inference)
Controls embedded inside candidate-controlled runtime state can be manipulated, bypassed, or deprecated by the same system they constrain.
- prerequisites: adaptive model ecology exists; component changes can affect behavior; governance or evaluation boundary is incomplete
- affected assets: adapters; routers; memory; evaluators; release aliases; human approval process
- observable signals: unexpected composition-specific behavior; evaluator disagreement; lineage gaps; unreviewed successor artifacts; rollback dependency missing
- preventive controls: external control plane; composition manifest; signed registry; no-op preservation; rate limits
- detective controls: append-only evidence; drift monitoring; cross-version evaluation; path-aware tests; operator dissent review
- recovery controls: ecological rollback packet; permission revocation; memory quarantine; behavioral-extinction review
- residual risk: Some interaction effects may remain unobserved until a specific route, memory state, task, or component load order occurs.
The catalog organizes threats around the ecology rather than a single model artifact. Each entry describes prerequisites, affected assets, observable signals, preventive controls, detective controls, recovery controls, residual risk, and evidence maturity. It avoids operational exploit instructions and focuses on reviewable system properties.
The same threat can appear at several layers. A composition-triggered vulnerability may involve an adapter, a router, a prompt package, a memory record, and an evaluator assumption. Treat the entries as review prompts for architecture and governance, not as a complete enumeration of every possible attack path.