アラインメント非依存のAI安全保証:封じ込め検証という新提案 Containment Verification: AI Safety Guarantees Independent of Alignment

AI safety research has long been dominated by the alignment paradigm: ensuring that an AI system's goals and values match human intent. This paper proposes an alternative axis of assurance called containment verification, arguing that since complete alignment proofs may be fundamentally hard to obtain for advanced systems, safety guarantees should also be derivable from bounding what a system can do rather than what it wants.

The central idea is to formally specify and verify capability limits, such as compute budgets, input/output channels, and the scope of effects an AI can have on the external world, and then prove that the system cannot cross those limits. If such bounds hold, a lower bound on safety follows regardless of the system's internal objective or the outcome of its training process. In effect, the paper appears to reframe AI safety as a question of enforceable envelopes rather than introspective trust.

This framing resonates with growing concerns in the frontier-model community that behavioral alignment techniques, such as RLHF or constitutional AI, may improve typical behavior without offering hard guarantees against adversarial prompts or emergent capabilities. Industry frameworks like Anthropic's Responsible Scaling Policy and OpenAI's Preparedness Framework, along with evaluation work by the UK and US AI Safety Institutes, already pair capability assessments with risk thresholds. Containment verification can be read as an attempt to push that empirical practice toward formal methods, although the degree to which the proposal scales to modern LLMs remains to be demonstrated.

The approach also has clear intellectual ancestors outside of AI. Sandboxing, capability-based security, trusted execution environments, and the safety envelopes used in cyber-physical and aerospace systems all rely on enforcing what a component can touch rather than trusting its intentions. Translating these techniques to neural systems is non-trivial: the AI itself usually runs inside a conventional software stack, so containment can in principle be enforced at the system layer surrounding the model, even if the model's internals remain opaque. That separation between model and enclosing system seems to be where containment verification gains its leverage.

Several open questions are worth flagging. It is unclear from the abstract-level framing how the proposal handles channels that are difficult to bound in practice, such as natural-language outputs that can persuade humans to act, or supply-chain effects from model-generated code. Capability elicitation is also notoriously unstable: a system that appears bounded under one evaluation may exhibit new behaviors under fine-tuning, tool use, or scaffolded agent loops. A serious containment-verification program would likely need conservative over-approximations of capability and explicit assumptions about the deployment environment, in the style of assume-guarantee reasoning used in formal verification.

It is probably most productive to view containment verification not as a competitor to alignment but as a complementary layer in a defense-in-depth strategy. Alignment efforts aim to make the system want the right things; containment aims to ensure that even if it does not, the blast radius is bounded. Given that regulators and standards bodies are increasingly looking for auditable, technically grounded safety claims, formal containment arguments could become an attractive complement to behavioral evaluations, provided the community can develop tractable verification techniques for the kinds of stacks in which large models are actually deployed.