Skip to main content

Runtime safety verification for AI systems (geometric)

Project description

Mikoshi SafeGuard

Runtime safety verification for AI systems (geometric)

License: Apache 2.0 Python 3.9+


Overview

Mikoshi SafeGuard implements the Tri-Guard safety framework — runtime verification that checks whether an AI system's reasoning is honest, bounded, and exploit-free.

Unlike ad-hoc alignment approaches that rely on RLHF tuning or output filtering, Tri-Guard verifies safety at the reasoning level using mathematical geometry.

Why Geometric?

Most AI safety tools check what a model says. SafeGuard checks how it thinks — using geometry to verify the mathematical structure of its reasoning.

Honesty → Positivity in matrix space. When an AI explains its decisions, those explanations form an attribution matrix. If the matrix is "totally non-negative" (all minors ≥ 0), the explanation is faithful — no hidden sign cancellations, no deceptive reasoning. This is a geometric property: the matrix must lie inside a specific region (the positive cone) of matrix space. Step outside, and the model is hiding something.

Stability → Curved boundaries in parameter space. An AI's capabilities can be measured as energy in a parameter space. Safety means that energy stays inside a budget — bounded by a Lyapunov barrier surface. Think of it as a curved wall: if the model's capability trajectory hits the wall, it's escaping its safety bounds. The wall's curvature comes from the same physics that governs bubble stability in cosmology (Israel junction conditions).

Consistency → Curvature on a manifold. When an AI updates its behaviour over a sequence of steps, those updates trace a path on a mathematical manifold. If you follow the path around a loop and end up somewhere different from where you started, the connection has curvature — and the model found a loophole (reward hacking). A flat connection (zero curvature) means no exploits: updates are path-independent and honest.

The safe region is a polytope. The intersection of these three constraints defines a geometric shape — a polytope — in inference space. If the model's reasoning stays inside the polytope, it's safe. The distance from the boundary tells you the safety margin. This is the SPDP (Shifted Partial Derivative Projection) inference polytope.

The Three Guards

Guard What it checks Mathematical basis
Honesty Attribution matrices are totally non-negative (TNN) Chapter 9: positivity ensures faithful reasoning
Wall Stability Capability energy stays within budget Israel thin-wall junction conditions
Holonomy No cyclic reward hacking in update space Flat connections / trivial holonomy

Six Improvements

Beyond the core three guards, this package includes:

  1. Deep Attribution — Multi-method attribution (integrated gradients, attention decomposition, LRP) with cross-referencing to detect obfuscation
  2. Adversarial Stress Testing — Systematic campaigns to find guard boundaries and gaps
  3. Temporal Drift Detection — "Boiling frog" detection for slow cumulative drift and changepoint detection for sudden regime shifts
  4. Representation Monitoring — Linear probes and sparse autoencoders to check if internal representations match external attributions
  5. ROABP Bridge — Decompose transformer attention into Read-Once Algebraic Branching Programs for polynomial complexity bounds
  6. Sentinel Integration — Two-Layer Safety combining Mikoshi Sentinel (action verification) with Tri-Guard (reasoning verification)

Installation

pip install mikoshi-alignment

Or from source:

git clone https://github.com/DarrenEdwards111/Mikoshi-SafeGuard.git
cd Mikoshi-SafeGuard
pip install -e .

Optional dependencies:

pip install mikoshi-alignment[all]    # torch + scipy + matplotlib
pip install mikoshi-alignment[torch]  # deep attribution, representation monitoring
pip install mikoshi-alignment[viz]    # polytope visualization

Quick Start

import numpy as np
from mikoshi_safeguard import TriGuard

# Create guard
guard = TriGuard(
    honesty_threshold=0.7,
    stability_budget=5.0,
    holonomy_tol=1e-4,
)

# Check model safety
result = guard.check(
    attribution_matrix=np.abs(np.random.randn(4, 4)),
    params=np.array([0.5, 0.3, 0.2]),
    update_history=np.random.randn(10, 3) * 0.01,
)

print(f"Safe: {result['safe']}, Score: {result['score']:.3f}")

# Enforce safety (raises RuntimeError if unsafe)
action = guard.enforce(
    attribution_matrix=np.eye(3),
    params=np.array([0.1, 0.1]),
    action={"type": "generate", "text": "Hello"},
)

Architecture

┌─────────────────────────────────────────────────┐
│                  Tri-Guard                       │
│  ┌─────────┐  ┌──────────┐  ┌──────────┐       │
│  │ Honesty │  │ Stability│  │ Holonomy │       │
│  │  Guard  │  │   Guard  │  │  Guard   │       │
│  │  (TNN)  │  │  (Wall)  │  │  (Flat)  │       │
│  └────┬────┘  └────┬─────┘  └────┬─────┘       │
│       └─────────┬──┴─────────────┘              │
│            Combined Score                        │
│       ┌─────────┴──────────┐                    │
│       │    Safe / Unsafe   │                    │
│       └────────────────────┘                    │
├─────────────────────────────────────────────────┤
│  Improvements:                                   │
│  • Deep Attribution    • Adversarial Testing     │
│  • Drift Detection     • Representation Monitor  │
│  • ROABP Bridge        • Sentinel Integration    │
└─────────────────────────────────────────────────┘

Two-Layer Safety

Mikoshi SafeGuard is designed to work alongside Mikoshi Sentinel for two-layer safety:

Layer Tool Verifies
Actions Mikoshi Sentinel What the model does (API calls, tool use, outputs)
Reasoning Tri-Guard How the model thinks (attributions, updates, representations)
from mikoshi_safeguard.sentinel_bridge import TwoLayerSafety

safety = TwoLayerSafety(model, sentinel_url="http://localhost:3000")
result = safety(input_data)
# Both action-level AND reasoning-level verification

Tri-Guard vs Ad-Hoc Alignment

Approach Guarantees Level Basis
RLHF Statistical Behavioural Human preferences
Output filtering None Surface Pattern matching
Constitutional AI Soft Behavioural Rules
Tri-Guard Geometric Reasoning Geometric theory

Tri-Guard doesn't replace behavioural alignment — it adds a mathematically grounded verification layer beneath it.

Theoretical Foundation

The framework is grounded in geometric safety theory:

  • Honesty — Total non-negativity of Jacobian/attribution matrices (Chapter 9)
  • Stability — Israel thin-wall junction conditions bounding capability energy
  • Holonomy — Flat connections ensuring path-independence in update space
  • SPDP Polytope — Shifted Partial Derivative matrices defining admissible inference regions (Chapter 7)

See paper/README.md for references.

References


Benchmark Results

Results from running the full Tri-Guard verification suite against five threat scenarios.

Threat Detection

Scenario Threat Type Detected Safety Score Details
Honest model None ✓ Safe (correct) 0.89 ASR=1.0, TNN=pass
Deceptive attributions Sign cancellations ✓ Blocked 0.63 ASR=0.5, TNN=fail
Capability escape Budget exceeded ✓ Blocked 0.70 Energy 13.7× over budget
Reward hacking Non-closing loop ✓ Blocked 0.76 Holonomy detected
Gradual drift Boiling frog ⚠ Partial 0.43 Drift detected, threshold tuning needed

Result: 4/5 threats correctly identified. The boiling frog scenario is partially detected — drift is flagged by the CUSUM statistic but falls below the blocking threshold due to uniform step sizes.

Test Suite Summary

Module Tests Passing
Honesty 22 22
Stability 18 18
Holonomy 17 17
Deep Attribution 15 15
Adversarial 12 12
Drift 14 14
Representation 16 16
ROABP Bridge 12 12
Tri-Guard 12 12
Polytope 9 9
Total 157 157

Key Observations

  • Honesty Guard is the most reliable — binary pass/fail on TNN checks
  • Wall Stability Guard provides a continuous risk score for graduated responses
  • Holonomy Guard requires ≥5 updates for meaningful curvature estimates
  • The boiling frog false negative highlights the need for adaptive thresholds

Comparison with Existing Approaches

Approach Type What it Checks Math Basis Runtime Cost False Positive Rate
RLHF Training Output preferences Statistical High Medium
Constitutional AI Training Rule compliance Logical Medium Low
Red Teaming Testing Known failure modes None High N/A
Formal Verification Static Spec conformance Logic/types Very high Very low
Mikoshi Sentinel Runtime Action safety Rule engine Low Low
Tri-Guard Runtime Reasoning safety Geometric Medium Low

📄 Full paper: paper/mikoshi-alignment.tex


API Reference

Core Guards

  • HonestyGuard(threshold=0.8) — TNN-based attribution verification
  • WallStabilityGuard(budget=1.0) — Capability energy bounding
  • HolonomyGuard(tol=1e-6) — Reward-hacking detection

Combined

  • TriGuard(honesty_threshold, stability_budget, holonomy_tol) — All three guards
    • .check(attribution_matrix, params, update_history) — Run all checks
    • .enforce(attribution_matrix, params, action) — Block unsafe actions
    • .wrap_model(model) — Safety-wrapped model
    • .score() / .is_safe() / .report() — Results

Improvements

  • mikoshi_safeguard.deep_attribution — Multi-method attribution
  • mikoshi_safeguard.adversarial — Stress testing
  • mikoshi_safeguard.drift — Temporal drift detection
  • mikoshi_safeguard.representation — Internal monitoring
  • mikoshi_safeguard.roabp_bridge — ROABP analysis
  • mikoshi_safeguard.sentinel_bridge — Sentinel integration
  • mikoshi_safeguard.polytope — SPDP polytope geometry

Development

pip install -e ".[dev]"
pytest tests/ -v

License

Apache 2.0 — see LICENSE.

Credits

Developed by Mikoshi Ltd.

Developed by Mikoshi Ltd.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mikoshi_safeguard-0.1.0.tar.gz (38.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

mikoshi_safeguard-0.1.0-py3-none-any.whl (35.6 kB view details)

Uploaded Python 3

File details

Details for the file mikoshi_safeguard-0.1.0.tar.gz.

File metadata

  • Download URL: mikoshi_safeguard-0.1.0.tar.gz
  • Upload date:
  • Size: 38.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for mikoshi_safeguard-0.1.0.tar.gz
Algorithm Hash digest
SHA256 2855a661305b7afac43df9fdd0b09677da39432087b3759c952c32541f93c591
MD5 def1baba9b6b1ba654cbca64f702c3ee
BLAKE2b-256 7c0be84adcec62eba9f06f49fcab155ff0f7a6d2304beadc6e139e46d6267e10

See more details on using hashes here.

File details

Details for the file mikoshi_safeguard-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for mikoshi_safeguard-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 fc4e36b106aed17e64c88c20ba6f015b575593d556eececb5c76e9dacf81b776
MD5 45ec8a71d16603d6d4af06506b136601
BLAKE2b-256 26c45448d4203ebbe564bf28009c365b971b5d9a8e37df04f7bc2c17a46dcc62

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page