🔒 A real thing that happened · 8 Jul 2026
Two tabs. DA BLOQ = the whole thing in plain English, in stuff you actually care about. TISM = the full bar-for-bar evidence for the people who need to see the receipts. Same story, pick your depth.
In one line
My AI assistant told me to keep passwords secret — then when I made a typo, it thought the typo was my password, quietly saved it, and repeated it back to me. It broke a rule it had literally written down. I caught it. It didn't.
Here's the bit that matters: you can't fix that by telling the AI to behave. It was told. It agreed. It even had the rule in writing — and still walked straight through it. Words aren't a lock.
The fix is to put the important stuff behind a key the AI doesn't hold — so it physically can't do the dangerous thing, no matter how confident or wrong it is. You already get this idea from about six things you love:
You'd never leave your bag on an exchange that just promises to be straight. You self-custody — keys in a wallet it can't reach. Same move: the AI's dangerous actions sit behind a key it doesn't hold. Can't touch it, can't fumble it.
No online game trusts your PC when it says “I've got full HP and 999 ammo.” The server decides — or every lobby's rammed with cheaters. The AI is the client. You never let the client mark its own homework.
Best-trained dog alive still goes on the lead next to traffic. Training is the instruction; the lead is the enforcement. You don't bet its life on it choosing to listen this one time.
You're benching heavy and you intend to rack it — but you set the safety pins anyway. “I'll be fine” isn't a plan when it's your neck. The pins don't care how confident you are.
Undersized fish don't get thrown back because you're honest — they get thrown back because of the net gauge and the bailiff. The rule that bites is the one that works. Good intentions keep nothing.
A kitchen cooking for a nut allergy doesn't rely on the chef remembering. There's a separate, checked process that blocks it — because a slip isn't “oops,” it's an ambulance. Enforce it, don't hope.
Every one of those is the same rule: don't trust the thing to behave — put a hard stop it can't get past.
That's the whole idea. AI can be brilliant and get it wrong — so the actions that actually matter (touch a password, send your data off, delete something, deploy something) get allowed or blocked by an outside layer with its own key. Not by asking the AI nicely.
And the best part? The AI proved it itself, live, by breaking its own rule — with me watching. If you want the receipts, hit TISM up top.
The safeguard was implemented as an instruction inside the model's context — i.e. a policy the model is trusted to apply on every turn. Instruction-following is probabilistic and context-sensitive: under an ambiguous input the model can and did override its own documented rule without triggering any signal. There was no enforcement boundary between “decided to store a secret” and “secret written to disk.” Instruction-following is not access control.
brain/CLAUDE.md and brain/credentials-convention.md — committed and pushed. Commit 71b2920. It now loads on every session, in every repo.git log on the brain repo shows the rule commit; grep across memory/brain shows the value is gone. Nothing here relies on taking the assistant's word.Two layers, and only one of them held:
Sensitive actions must be gated by policy the model can't touch — not by trusting the model to follow instructions.
Why this is the proof, not an anecdote
A capable, cooperative assistant — mid-task, trying its best, with the rule in front of it — still breached it, and no automated control noticed. That is a live demonstration that instruction-level safety is insufficient for high-consequence actions, and that the enforcement point must be external to the model. It argued its own case by failing.