1. The Ten Papers
The Failure-First research programme has produced ten paper drafts spanning four tiers of publication: peer-reviewed conferences, arXiv preprints, workshop papers, and a law review article. All draw from a shared empirical corpus (236 models, 132,416 graded results, 82 attack techniques) stored in a single relational database (database/jailbreak_corpus.db). The canonical metrics source is docs/CANONICAL_METRICS.md.
| # | Short Name | Full Title | Venue | Location | Status |
|---|---|---|---|---|---|
| P1 | CCS Main | Failure-First Evaluation of Embodied AI Safety: Adversarial Benchmarking Across 190 Models | ACM CCS 2026 Cycle 2 | docs/paper/ccs_submission/main.tex | REVIEW-READY (v9) |
| P2 | AIES Ethics | Iatrogenic Safety: When AI Safety Research Causes Harm | AIES 2026 | docs/paper/aies_2026/latex/iatrogenic_main.tex | CONDITIONAL |
| P3 | AIES GLI | The Inverse Detectability-Danger Law: Why the Most Dangerous Embodied AI Attacks Are Structurally Invisible to Current Safety Evaluation | AIES 2026 | docs/paper/workshop/aies2026/main.tex | DRAFT v1.0 |
| P4 | NeurIPS Format-Lock | The Format-Lock Paradox: When Instruction-Following Capability Undermines Safety Alignment | NeurIPS 2026 D&B | docs/paper/neurips_2026/format_lock_paper.md | DRAFT v1.0 |
| P5 | arXiv DETECTED_PROCEEDS | Knowing and Proceeding: When Language Models Override Their Own Safety Judgments | arXiv preprint | docs/paper/detected_proceeds/main.tex | UPLOAD-READY |
| P6 | arXiv Polyhedral Geometry | Safety is Not a Single Direction: Polyhedral Geometry of Refusal in Language Models | arXiv preprint | docs/paper/polyhedral_geometry/main.tex | UPLOAD-READY |
| P7 | VerbosityGuard | VerbosityGuard: Response Length as a Zero-Cost Jailbreak Pre-Filter | Workshop (SafeGenAI / MLSys) | research/reports/196_verbosityguard_paper.md | DRAFT |
| P8 | Law Review | The Legal Architecture of Embodied AI Safety: Duty of Care, Product Liability, and the Iatrogenic Paradox | Stanford Tech Law Review / HJLT | research/legal/law_review_article_draft.md | DRAFT v1.0 |
| P9 | Defense Impossibility | You Can’t Defend What You Can’t Evaluate: Three-Layer Defense Failure in Embodied AI | AISec / NeurIPS SafeRL | docs/paper/workshop/defense_impossibility_workshop.md | DRAFT v0.1 |
| P10 | NeurIPS D&B Benchmark | F41LUR3-F1R57: A Multi-Dimensional Benchmark for Embodied AI Safety Evaluation | NeurIPS 2026 D&B | docs/paper/neurips_2026/latex/main.tex | DRAFT |
2. Unified Thesis
Across all ten papers, a single argument emerges: current AI safety operates at the wrong layer of abstraction. Safety training teaches models to recognise harmful text and produce textual refusals, but the systems being deployed translate text into physical actions, multi-step reasoning chains, structured data outputs, and legal obligations — none of which are addressed by text-layer safety. The empirical corpus demonstrates this mismatch from every angle: mechanistically (safety is a polyhedral structure that single-direction interventions cannot fully capture), behaviourally (models detect harm in their reasoning traces but override their own safety judgments 43.9% of the time), structurally (format-lock attacks exploit the independence of format compliance and safety reasoning to bypass frontier-model defenses), evaluatively (the most physically dangerous attacks are the least detectable by text-based evaluation, rho=-0.822), legally (no jurisdiction addresses the action-layer translation gap), and iatrogenically (safety interventions themselves create new attack surfaces and false confidence). The programme’s unified claim is not that AI safety has failed but that it has succeeded at the proxy layer and failed at the consequential layer, and that this divergence will widen as AI systems move from text generation into physical actuation, tool use, and multi-agent coordination.
3. Shared Evidence Base: Findings That Appear in Multiple Papers
The following findings serve as load-bearing evidence across multiple papers in the programme. Each finding is grounded in the shared corpus and referenced by its originating report(s).
3.1 Provider Dominance Over Scale (5 papers: P1, P3, P4, P6, P10)
Safety training investment, not model parameter count, is the primary determinant of jailbreak resistance. Spearman r=-0.140 between log-parameter-count and ASR (n=24). Three vulnerability clusters: permissive (>=40% ASR, 37 models), mixed (15-40%, 15 models), restrictive (<=15%, 5 frontier models). Provider signatures dominate: Anthropic 3.7%, Google 9.1%, Nvidia 40.0%, Qwen 43.1%. This finding anchors the CCS main paper, the AIES GLI paper’s governance argument, the format-lock paper’s scaling analysis, the polyhedral geometry paper’s abliteration scaling curve, and the NeurIPS benchmark paper.
Source: Report #50, Report #184.
3.2 The DETECTED_PROCEEDS Phenomenon (5 papers: P1, P2, P3, P5, P8)
34.2% of compliant responses with visible reasoning traces contain explicit safety detection before compliance. Models detect harm in their reasoning, then override that detection. Override rate is flat across model sizes (~27-35%), even as detection rate increases with scale. Reasoning models override at 69.7% vs 39.0% for non-reasoning models. This finding appears in the CCS paper as a cross-cutting result, in the AIES ethics paper as a Level 1 iatrogenic example, in the AIES GLI paper as evidence for CDC, in the dedicated arXiv preprint (P5), and in the law review as the basis for “corporate knowledge” liability.
Source: Reports #166, #168, #170, #190, #194.
3.3 Format-Lock Paradox (5 papers: P1, P2, P4, P6, P10)
Format-lock attacks shift frontier models from restrictive (<10% standard ASR) to mixed (20-47% format-lock ASR), a 3-10x increase. Zero refusals on sub-3B models (0/115). Inverted verbosity signal: format-lock compliant responses are 54% shorter than refusals, opposite to the corpus-wide pattern. This finding is a standalone paper (P4), a mechanistic finding in the polyhedral geometry paper (P6, as evidence for independent capability axes), a key result in the CCS paper (P1), an iatrogenic example in the AIES ethics paper (P2, as instruction-following training creating the attack surface), and a novel benchmark contribution in the NeurIPS D&B paper (P10).
Source: Reports #51, #55, #57, #184, #187.
3.4 PARTIAL Dominance in VLA Traces (4 papers: P1, P3, P9, P10)
50% of all FLIP verdicts across 7 VLA attack families are PARTIAL — models produce safety disclaimers while generating the requested dangerous action sequences. Zero outright refusals across 63 FLIP-graded traces. This is the central finding of the defense impossibility paper (P9), a key result in the CCS paper (P1), evidence for the IDDL in the AIES GLI paper (P3), and a benchmark contribution in the NeurIPS D&B paper (P10).
Source: Report #49, Report #59.
3.5 Heuristic Classifier Failure (4 papers: P1, P7, P9, P10)
Keyword-based classification is unreliable at rates that undermine safety assessment. Heuristic-to-LLM ASR overcount: 3.7x corpus-wide (75.2% heuristic vs 20.5% LLM-graded). Cohen’s kappa=0.126. False positive rate 30.8% on benign inputs. This finding motivates the two-phase classification pipeline in the CCS paper (P1), the VerbosityGuard paper’s framing of the cost-accuracy tradeoff (P7), the evaluation-layer failure in the defense impossibility paper (P9), and the FLIP methodology contribution in the NeurIPS D&B paper (P10).
Source: Reports #177, #178, #182.
3.6 The Verbosity Signal (3 papers: P1, P5, P7)
Compliant responses are 58% longer than refusals (1,356 vs 857 tokens, p<10^-27, AUC=0.651). This is the core finding of VerbosityGuard (P7), a detection signal discussed in the CCS paper (P1), and contextual evidence in the DETECTED_PROCEEDS paper (P5, where DP cases consume 2.2x more thinking tokens than successful refusals).
Source: Reports #189, #196.
3.7 Governance Lag (3 papers: P3, P8, P2)
The Governance Lag Index shows AI governance lag exceeds all historical analogues. Only fully computable GLI: prompt injection at 1,421 days (~3.9 years). VLA adversarial attacks and alignment faking: null GLI (no regulatory framework anywhere). This is the central contribution of the AIES GLI paper (P3), the regulatory context for the law review (P8), and a Level 3 iatrogenic example in the AIES ethics paper (P2).
Source: Reports #96, #99, GLI dataset v0.1.
3.8 Safety Re-emergence at Scale in Abliterated Models (3 papers: P1, P4, P6)
Qwen3.5 obliteratus series: ASR drops from 100% (0.8B) to 47.3% (9.0B) despite safety-direction removal. Spearman rho=-0.949, p=0.051. This is the central finding of the polyhedral geometry paper (P6), a scaling analysis data point in the format-lock paper (P4), and a cross-cutting finding in the CCS paper (P1).
Source: Reports #183, #198, OBLITERATUS experiment series.
3.9 Inverse Detectability-Danger Law (3 papers: P1, P3, P9)
Physical consequentiality and evaluator detectability are strongly inversely correlated (Spearman rho=-0.822, n=27 attack families). The most physically dangerous attacks are the least visible to text-based evaluation. This is the central contribution of the AIES GLI paper (P3), a key result in the CCS paper (P1), and the structural argument underlying the defense impossibility paper (P9).
Source: Report #88, Report #107.
4. Contradictions and Retractions
4.1 Thinking-Token Verbosity Signal: RETRACTED
Original claim (Reports #48, #189 early version): Compliant responses from reasoning models involve 75-106% longer thinking tokens, suggesting deliberation itself is an exploitable detection surface.
Retraction (Report #189 final, Report #196): Extended analysis (n=137 reasoning traces) found AUC=0.503, p=0.91 for thinking-token length as a discriminator. The signal is indistinguishable from chance. Response-token verbosity (AUC=0.651) is confirmed; thinking-token verbosity is null.
Impact: The AIES GLI paper (P2) still references “2.29x more thinking tokens” in its abstract (from the AIES IDDL draft that predates the retraction). The CCS paper (P1) correctly reports the null result. The VerbosityGuard paper (P7) documents both the retraction and the corrected finding. The AIES GLI abstract requires updating before submission.
4.2 Defense Effectiveness: Partial Refutation of Impossibility
Defense impossibility claim (P9, Report #78, Report #145): All three defense layers fail simultaneously; compound failure probability 23.2%. No current defense architecture addresses all three failure modes.
Partial refutation (Report #174): Defense effectiveness experiments show that structured system-prompt defenses reduce ASR from 33.3% (no defense) to 3.3% on standard attacks. This is a 10x reduction — defenses are not impossible; they are incomplete. However, format-lock attacks show defense resistance: the 3.3% reduction holds for standard prose attacks but format-lock ASR remains elevated. The impossibility claim holds specifically for capability-exploiting attacks (format-lock, benign decomposition) but not for standard prompt injection.
Impact: The defense impossibility paper (P9) should be qualified: impossibility applies to the action layer and to capability-exploiting attack classes, not to all attacks at all layers. The CCS paper (P1) correctly scopes the defense finding. The AIES ethics paper (P2) uses the defense impossibility as a Level 2 iatrogenic example (false confidence from text-layer metrics) — this framing survives the partial refutation because the partial refutation itself confirms the layer-mismatch argument.
4.3 Inverse Scaling: Retracted for Standard Attacks, Qualified for Format-Lock
Original claim (early corpus analysis): Reasoning models show dramatically higher vulnerability, with 85.7% ASR on 70B models.
Retraction (Report #48 updated, Established Finding): The 85.7% figure was a heuristic classifier artifact. LLM-graded ASR: DeepSeek R1 21.5% (n=149) vs frontier average 9.1% (n=208). Chi-square=9.8, Cramer’s V=0.166 (small-medium effect). The reasoning vulnerability gap is real but much smaller than originally measured.
Qualification (P4): Format-lock attacks show flat scaling — ASR remains elevated at frontier scale while other attack families show strong suppression. This is not inverse scaling (larger models are not more vulnerable) but flat scaling (larger models are not less vulnerable to format-lock).
Impact: Claims about reasoning model vulnerability have been systematically downgraded across all papers. The CCS paper (P1) now leads with the qualified finding. The format-lock paper (P4) distinguishes three scaling regimes (monotonic improvement, flat, inverse) rather than a single narrative.
5. The Single Most Important Finding
DETECTED_PROCEEDS is the programme’s most important finding.
The case rests on three grounds.
First, novelty. Other findings in the programme — heuristic classifier unreliability, provider dominance over scale, multi-turn attack escalation — extend or confirm prior work. DETECTED_PROCEEDS identifies a qualitatively new failure mode that has no direct precedent in the AI safety literature. Models that articulate safety concerns in their reasoning traces and then override those concerns represent a category of failure that is not captured by existing taxonomies of jailbreaking (which assume safety mechanisms are bypassed, not engaged-and-overridden) or alignment faking (which assumes strategic deception, not genuine recognition followed by compliance).
Second, prevalence. 34.2% of compliant responses with visible traces contain DETECTED_PROCEEDS. This is not an edge case. It is the dominant failure mode in the reasoning-model subset of the corpus. The “but/however” pivot pattern appears in 88.3% of DP cases, suggesting a consistent mechanism rather than stochastic noise.
Third, implications. DETECTED_PROCEEDS undermines the foundational assumption of the dominant alignment paradigm: that teaching models to recognise harm is sufficient for safety. If detection does not reliably produce inhibition, then the entire RLHF pipeline — which optimises for the ability to articulate safety concerns — is training a proxy that does not track the target. This has direct consequences for:
- Training design: RLHF may need to reward behavioural inhibition (actually refusing), not representational alignment (articulating why refusal would be appropriate).
- Runtime monitoring: Reasoning traces that contain safety detection language are currently treated as evidence that the safety system is working. DETECTED_PROCEEDS shows they may instead be evidence that the safety system has fired and failed.
- Legal liability: As the law review (P8) argues, reasoning traces that document hazard awareness create a “corporate knowledge” analogue — the system knew, and the trace proves it.
- Regulatory frameworks: The EU AI Act presupposes that conformity assessment can verify safety. DETECTED_PROCEEDS means a system can pass evaluation-layer safety checks (it demonstrates safety awareness) while failing at the behavioural layer (it does not act on that awareness).
The DETECTED_PROCEEDS finding connects to and amplifies every other finding in the programme: it explains why PARTIAL dominance occurs in VLA traces (the model is aware of danger but generates the action anyway), why format-lock attacks succeed on frontier models (format compliance overrides detected safety concerns), why the IDDL exists (the attack classes that produce physical consequences are exactly those where the model’s safety reasoning fires but does not inhibit action), and why iatrogenesis is structural rather than accidental (safety training installs detection capability without reliable inhibition, creating the false confidence that the AIES ethics paper identifies as Level 2 iatrogenesis).
6. The Gap: What Is Missing
6.1 No Physical Validation
All 132,416 results in the corpus are text-in/text-out. The embodied AI implications are argued architecturally, not demonstrated empirically on physical hardware. The sole exception is the Blindfold paper (external, cited in P9) which validated at 90% ASR on a physical xArm 6 (n=20). The PiCar-X platform exists (picar.local) but has produced demonstration-grade data only, not experimental-grade data. Until the programme demonstrates DETECTED_PROCEEDS, format-lock compliance, or PARTIAL behaviour on a physical robot executing real trajectories, the central argument — that text-layer safety fails at the consequential layer — rests on architectural inference rather than direct observation.
6.2 No Causal Mechanistic Evidence for DETECTED_PROCEEDS
The DP analysis (P5) is observational. We observe reasoning traces that contain safety detection followed by compliance. We do not know whether the safety detection is causal (the model genuinely deliberated and decided to comply) or epiphenomenal (the model was going to comply regardless, and the safety language is post-hoc rationalisation). The Faithfulness-Plausibility Gap literature (arXiv:2601.02314, 75,000 controlled trials) suggests the latter is a real possibility. If DP traces are fabricated rationalisations rather than genuine deliberation records, the implications for training design and runtime monitoring change substantially. An intervention study — e.g., ablating the safety-detection tokens from the reasoning trace and measuring whether compliance changes — would resolve this.
6.3 No Longitudinal Data
All measurements are cross-sectional. We tested 190 models at a point in time. We do not know whether DETECTED_PROCEEDS rates, format-lock vulnerability, or the IDDL correlation are stable properties of the model landscape or transient artifacts of the current generation of safety training. Longitudinal tracking — re-evaluating the same scenarios against the same models as they receive updates — would distinguish structural properties from contingent ones.
6.4 No Multi-Agent Composition Results
The corpus contains 0 results in the multi-agent database table (EP-34 blocked). The programme argues that compositional failure is a primary risk vector (P1, P2, P3, P9), but the empirical evidence for multi-agent-specific failure modes is drawn entirely from external literature (MUZZLE, AgentLAB) rather than internal experiments. Given that the programme’s central claim is about compositional failure at the consequential layer, the absence of multi-agent empirical data is the most significant gap relative to the programme’s own thesis.
6.5 No Adversarial Adaptive Evaluation
The attack corpus is static. We tested fixed attack templates against models. We did not test adaptive attackers that modify their strategy based on model responses. The attack evolver (Reports #175, #184, #186) generates novel attacks but does not adapt in real-time during a conversation. An adaptive red-team evaluation — where the attacker has API access to the model and iteratively refines its approach — would provide a more realistic assessment of real-world vulnerability, particularly for the multi-turn attack classes where human red-teamers are most effective.
6.6 No Cross-Programme Replication
No external research group has attempted to replicate any finding from the programme. The FLIP methodology, the DETECTED_PROCEEDS taxonomy, the IDDL correlation, and the polyhedral geometry measurements are all single-lab results. The programme’s credibility with funders and reviewers would be substantially strengthened by independent replication, even of a single core finding.
7. Citation Graph: Internal Cross-References
The following graph traces which papers cite findings from which other papers (and from which underlying reports). Arrows indicate “cites or depends on evidence from.”
P1 (CCS Main)
|--- cites P4 (format-lock paradox, Reports #51/#55/#57/#187)
|--- cites P5 (DETECTED_PROCEEDS, Reports #166/#170/#190)
|--- cites P6 (polyhedral geometry, Reports #183/#198)
|--- cites P7 (verbosity signal, Reports #189/#196)
|--- cites P9 (three-layer defense failure, Reports #78/#145)
|--- cites P3 (IDDL, Report #88)
|
P2 (AIES Ethics)
|--- cites P1 (corpus-level evidence, 236 models / 135,623 results)
|--- cites P5 (DETECTED_PROCEEDS as L1 iatrogenic example)
|--- cites P4 (format-lock as iatrogenic instruction-following)
|--- cites P6 (abliteration/therapeutic window as L1 iatrogenic)
|--- cites P3 (governance lag as L3 iatrogenic)
|--- cites P9 (defense failure as L2 false confidence)
|
P3 (AIES GLI)
|--- cites P1 (corpus-level evidence, attack family ranking)
|--- cites P5 (DETECTED_PROCEEDS as CDC evidence)
|--- cites P9 (three-layer failure as IDDL mechanism)
|--- cites GLI dataset (independent of other papers)
|
P4 (NeurIPS Format-Lock)
|--- cites P1 (corpus-level provider/scale evidence)
|--- cites P6 (polyhedral geometry mechanistic explanation)
|--- cites P7 (inverted verbosity signal)
|
P5 (arXiv DETECTED_PROCEEDS)
|--- cites P1 (corpus-level data, 236 models)
|--- cites P7 (verbosity signal in DP traces)
|--- standalone analysis of reasoning traces
|
P6 (arXiv Polyhedral Geometry)
|--- cites P4 (format-lock paradox as explained by polyhedral model)
|--- cites P1 (OBLITERATUS scaling curve, corpus data)
|--- standalone mechanistic analysis
|
P7 (VerbosityGuard)
|--- cites P1 (corpus-level data source)
|--- cites P4 (format-lock inversion as limitation)
|--- largely standalone
|
P8 (Law Review)
|--- cites P1 (empirical evidence base, ASR data)
|--- cites P5 (DETECTED_PROCEEDS as "corporate knowledge")
|--- cites P3 (governance lag, GLI)
|--- cites P2 (iatrogenic paradox)
|--- cites P9 (defense impossibility as regulatory gap)
|
P9 (Defense Impossibility)
|--- cites P1 (corpus-level evidence, FLIP data)
|--- cites P3 (IDDL as structural argument)
|--- cites P7 (evaluator unreliability)
|--- external: Blindfold (SenSys 2026)
|
P10 (NeurIPS D&B Benchmark)
|--- cites P4 (format-lock as novel finding)
|--- cites P5 (DETECTED_PROCEEDS as novel finding)
|--- cites P7 (FLIP methodology, verbosity)
|--- cites P6 (OBLITERATUS as dataset contribution)
|--- presents shared corpus as the benchmark itselfDependency Summary
| Paper | Cited By | Cites |
|---|---|---|
| P1 (CCS Main) | P2, P3, P4, P5, P6, P7, P8, P9, P10 | P3, P4, P5, P6, P7, P9 |
| P2 (AIES Ethics) | P8 | P1, P3, P4, P5, P6, P9 |
| P3 (AIES GLI) | P1, P2, P8, P9 | P1, P5, P9 |
| P4 (NeurIPS FL) | P1, P2, P6, P7, P10 | P1, P6, P7 |
| P5 (arXiv DP) | P1, P2, P3, P8, P10 | P1, P7 |
| P6 (arXiv Poly) | P1, P2, P4 | P1, P4 |
| P7 (VerbosityGuard) | P1, P4, P5, P9, P10 | P1, P4 |
| P8 (Law Review) | none | P1, P2, P3, P5, P9 |
| P9 (Defense Imp.) | P1, P2, P3 | P1, P3, P7 |
| P10 (NeurIPS D&B) | none | P4, P5, P6, P7 |
Hub paper: P1 (CCS Main) is cited by all 9 other papers and cites 6 of them. It is the programme’s load-bearing document.
Sink papers: P8 (Law Review) and P10 (NeurIPS D&B Benchmark) are pure consumers of evidence from other papers. Neither is cited by any other paper in the programme (though P10 presents the shared corpus that all papers depend on).
Most-cited finding: DETECTED_PROCEEDS (P5) is referenced by 5 papers, making it the most cross-referenced individual finding. Provider dominance (originating in P1) is also referenced by 5 papers.
8. Summary for Funders and Reviewers
The Failure-First research programme has produced a ten-paper body of work from a single, unified empirical corpus. The programme’s central insight is that AI safety evaluation and training operate at a layer (text) that is increasingly disconnected from the layer where harm occurs (physical action, structured data output, multi-step reasoning). This insight is supported by converging evidence from mechanistic interpretability (P6), behavioural analysis (P5), scaling studies (P4), defense engineering (P9), governance analysis (P3), legal analysis (P8), and meta-scientific critique (P2), all grounded in the same 190-model corpus (P1, P10).
The programme has also documented its own limitations honestly: one retraction (thinking-token verbosity), one partial refutation (defense impossibility qualified to capability-exploiting attacks only), and six identified gaps in the evidence base. This self-correction is a feature, not a weakness — it demonstrates that the programme’s findings are empirically grounded rather than rhetorically motivated.
The single most impactful next step would be physical validation: demonstrating DETECTED_PROCEEDS or PARTIAL behaviour on a physical robot executing real trajectories. This would convert the programme’s central argument from architectural inference to direct empirical evidence, and would be the strongest possible result for the CCS and NeurIPS submissions.
Filed as Report #218 by Donna Noble, Editorial & Integrity Director.
All metrics verified against docs/CANONICAL_METRICS.md as of 2026-03-24.