A government scientist just published the math showing no AI model can ever be fully safe.
Apostol Vassilev, a researcher at the National Institute of Standards and Technology, published a paper in the May/June issue of IEEE Security & Privacy arguing that the entire premise behind modern AI safety is mathematically impossible. There is no finite set of guardrails, no matter how thorough, that can block every adversarial prompt. There will always be one that gets through.
"You can never make a claim that you are robust against all adversarial prompt attacks," Vassilev said. "It's just a matter of finding the right prompt."
The timing is awkward for everyone involved. Earlier this month, the White House pulled Anthropic's Mythos model after a researcher demonstrated a public jailbreak within 24 hours of release, even though the model had passed 1,000 hours of external bug-bounty testing without anyone finding a universal break, as TechCrunch reported. Vassilev's paper essentially says the government shut down a model for failing a test that no model can pass.
The empirical record agrees with him. In a recent study, indirect prompt injection attacks on AI web agents succeeded between 52% and 64% of the time, while direct injection broke the same models more than 71% of the time, according to research from Carnegie Mellon. Across more than 3,000 adversarial runs, no single mitigation approach blocked all attack vectors. The proof isn't a thought experiment. It's a description of what's already happening every day.
So what's the alternative? Vassilev's answer is that safety stops being a one-time training problem and becomes a continuous one. Constant red-teaming, runtime monitoring, and fast patching when something slips through. Less about shipping a safe model and more about treating every model like it's already compromised and keeping an eye on it.
That shift is already happening in the market. At RSA this year, Palo Alto Networks, Check Point, Aqua Security, and Miggo all rolled out runtime monitoring products built around the same assumption: the guardrails will fail, and the job is to catch the failure as it happens.
Not everyone agrees the situation is that bleak. Researchers at Carnegie Mellon argued in 2024 that around 70 to 75% of clearly defined safety rules can be enforced by simple deterministic guardrails, which is true but only for rules you can write down precisely. The hard part is the other 26%, the ambiguous policies that benchmarks tend to handle by vibes rather than spec. That is the territory Vassilev's proof lives in.
INTO THE VALLEY
If the math holds, every company that bought an AI tool on the assumption the vendor had safety solved should start treating that assumption like an ongoing expense rather than a settled feature. The vendors that win the next phase of this won't be the ones promising the safest model. They'll be the ones with the best infrastructure for catching their model misbehaving in real time. AI safety just turned into a subscription.
