Apostol Vassilev, a senior scientist at the U.S. National Institute of Standards and Technology, published a peer-reviewed argument this week in IEEE Security & Privacy with a deliberately weary title: Robust AI Security and Alignment: A Sisyphean Endeavor? Its central claim is a proof that for any finite set of guardrails placed on an AI model, some prompt exists that gets the model to disregard them. Not most sets, not today's sets, any finite set. The proof extends to AI the logic Kurt Gödel published in 1931, whose incompleteness theorems showed that sufficiently powerful formal systems cannot be both complete and consistent. Applied here, a fixed rule set defending against an adaptive adversary has the same structural hole: there is always a true-but-unblocked input the rules did not anticipate.

The theory comes with a separate empirical companion. Stanford's Trustworthy AI Research Lab, working outside NIST, measured how easily the fences fall in practice: fine-tuning attacks bypassed Claude Haiku in 72% of cases and GPT-4o in 57%. The guardrails at stake are the consequential ones, the filters meant to block deepfakes, malware, bioweapon instructions, and drug-synthesis guidance. It is worth being precise about what is proven versus measured: the Gödel-style result is Vassilev's formal argument that a universal bypass always exists, and the percentages are a different group's count of how often specific attacks succeed today. The two are not the same claim, but they point the same direction.

That direction reframes a story we covered yesterday. Anthropic shipped Claude Fable 5 with a safety selling point: more than 1,000 hours of external red-teaming found no universal jailbreak. The NIST result says the absence of a found jailbreak is not the absence of one, and that the search is structurally never finished. This is not an argument for giving up, it is an argument against a particular fantasy, the idea that safety is a wall you build once and then stand behind. Vassilev's prescription is a continuous-security model with three moving parts: red teams hunting new adversarial prompts before attackers do, continuous updates that harden the guardrails as discoveries land, and operational resilience that assumes a breach and prioritizes limiting damage and recovering fast, when, not if, an exploit gets through.

For anyone shipping agentic systems, the design consequence is concrete and slightly uncomfortable: budget for perpetual red-teaming, not a one-time certification, because a certificate describes a fence at a moment and the proof says the fence is climbable at every moment. It is also the theoretical floor under the security shadow this whole week kept casting: the LiteLLM gateway vulnerability landing on the active-exploitation list, the finding that only a small fraction of agents pass a basic security bar, the Meta facial-recognition code found by teardown. Static defenses on adaptive systems are a treadmill, not a barrier. Vassilev's stated goal is not invulnerability, which the proof rules out, but economics: reach a state where the cost of finding a new exploit exceeds what attackers are willing to spend. Safety stops being a property you possess and becomes a budget you keep refilling.