# Insights
The why before the how. Each article identifies a specific problem that the core controls and extensions then solve.
## Start Here
These articles establish the foundational argument: AI systems are non-deterministic, so you can't fully test them before deployment. Runtime behavioural monitoring is the answer.
| # | Article | One-Line Summary |
|---|---|---|
| 1 | The First Control: Choosing the Right Tool | The best way to reduce AI risk is to not use AI where it doesn't belong |
| 1b | The Model You Choose Is a Security Decision | Choosing a flawed model makes every control downstream harder — evaluate security posture, not just capability |
| 2 | Why Your AI Guardrails Aren't Enough | Guardrails block known-bad; you need detection for unknown-bad |
| 2b | Practical Guardrails | What guardrails should catch: international PII, RAG filtering, and exception governance |
| 3 | The Judge Detects. It Doesn't Decide. | Async evaluation beats real-time blocking for nuance |
| 4 | Infrastructure Beats Instructions | You can't secure systems with prompts alone |
| 5 | Risk Tier Is Use Case, Not Technology | Classification is about deployment context, not model capability |
| 6 | Humans Remain Accountable | AI assists decisions; humans own outcomes |
## Emerging Challenges
Where the three-layer pattern meets its limits — and what to do about it.
| # | Article | One-Line Summary | Solution |
|---|---|---|---|
| 7 | The Verification Gap | Current safety approaches can't confirm ground truth | Judge Assurance |
| 8 | Behavioral Anomaly Detection | Aggregating signals to detect drift from normal | Anomaly Detection Ops |
| 9 | Multimodal AI Breaks Your Text-Based Guardrails | Images, audio, and video bypass text controls | Multimodal Controls |
| 10 | When AI Thinks Before It Answers | Reasoning models need reasoning-aware controls | Reasoning Model Controls |
| 11 | When Agents Talk to Agents | Multi-agent systems have accountability gaps | Multi-Agent Controls |
| 12 | The Memory Problem | Long context and persistent memory create new risks | Memory and Context Controls |
| 13 | You Can't Validate What Hasn't Finished | Real-time streaming breaks the validation model | Streaming Controls |
| 14 | The Orchestrator Problem | The most powerful agents in your system have the fewest controls applied to them | Privileged Agent Governance |
| 15 | The MCP Problem | The protocol everyone's adopting gives agents universal tool access — without authentication, authorisation, or monitoring | Tool Access Controls |
| 16 | The Long-Horizon Problem | The security properties you validated on day one may not hold on day thirty — time itself is an attack vector | Observability Controls |
| 17 | Process-Aware Evaluation | Evaluating what an agent produced is less important than evaluating how it got there | Judge Assurance |
## Operational Gaps
Blind spots in most enterprise AI security programmes.
| # | Article | One-Line Summary | Solution |
|---|---|---|---|
| 18 | The Supply Chain Problem | You don't control the model you deploy | Supply Chain Controls |
| 19 | RAG Is Your Biggest Attack Surface | Retrieval pipelines bypass your existing access controls | RAG Security |
| 20 | The Visibility Problem | You can't govern AI you don't know is running — shadow AI, inventories, and governance KPIs | Operational Metrics |
## Research & Evidence
What the peer-reviewed literature says about runtime AI security controls.
| # | Article | One-Line Summary |
|---|---|---|
| 21 | The Evidence Gap | What research actually supports — and where the science hasn't caught up to the architecture |
## The Case for Runtime Security
Why AI systems require a fundamentally different security model.
| Article | One-Line Summary |
|---|---|
| Why AI Security Is a Runtime Problem | Non-deterministic systems cannot be fully tested before deployment — security must be continuous |
## Analysis
Deeper examinations of where the framework meets production reality — what works, what scales, and where the pattern breaks.
| Article | One-Line Summary |
|---|---|
| State of Reality | The AI security threat is real, specific, and concentrated in measurable failure modes |
| Risk Stories | Real production incidents show where missing controls caused or worsened failures |
| What Scales | Security controls succeed only if their cost grows slower than the system they protect |
| What Works | Deployed controls are measurably reducing breach detection time and costs |
| The Intent Layer | Mechanical controls constrain what agents can do; semantic evaluation determines whether actions align with objectives |
| When the Pattern Breaks | The three-layer pattern designed for single-agent systems fails to scale in complex multi-agent architectures |
| Open-Weight Models Shift the Burden | Self-hosted models inherit the provider's control responsibilities |
| PACE Resilience | How the three-layer architecture achieves operational resilience through layered, independent control redundancy |
| Security as Enablement, Not Commentary | Security frameworks create value when delivered as platform infrastructure, not as narrative that diagnoses teams from the sidelines |
| Automated Risk Tiering | Classification should take two minutes, produce an immediate result, and auto-apply the controls that make the risk manageable |
| Beyond Security | The framework's architecture — layered independence, tiering, PACE, quantitative compounding — transfers to drift, fairness, explainability, and reliability |
AI Runtime Behaviour Security, 2026 (Jonathan Gill).