What a NIST Mathematician Proved, Why the Internet Got it Wrong, and What Your AI Security Program Should Look Like

Years ago, running an MSSP, I had a vendor pitch us a next-gen firewall on a single promise: one hundred percent bulletproof, no asterisk. As proof, they pointed at SolarWinds. Had their box been on the network, they said, that breach never would have happened. I asked to look under the hood, which is a question I've never watched a security product answer gracefully, and this one was no exception. Peel off the branding and it was a repackaged version of Snort, a decades-old open-source intrusion detection tool, with some custom rules bolted on.

Nothing under the hood would have caught a slow, signed, legitimate software update from a trusted vendor, which is exactly what SolarWinds was. They took a legitimate tool, wrapped it in a claim it couldn't back up, and used a national-scale intrusion as the closer.

I hear the cousin of that pitch almost every week, just dressed differently. Security has to be complete or it's not worth doing, and with no guaranteed outcome, why bother deciding what to fix first? So the organization freezes because the pile looks like a mountain, or it thrashes, doing a little of everything badly because triage feels like admitting defeat. Both are what happens when someone has quietly accepted that perfect is the only score that counts.

A paper out of NIST just handed that mindset a proof it didn't need and doesn't deserve.

What the NIST Paper Proved

That mindset picked up an unlikely piece of support a few weeks ago: a paper by Apostol Vassilev at NIST, arXiv 2512.10100, titled "Robust AI Security and Alignment: A Sisyphean Endeavor?" Most claims that guardrails are hard are just vibes with a slide deck. Vassilev brought a proof. He shows, mathematically, that a perfect AI guardrail cannot and will never be built, for any policy, against a rich enough space of adversarial input.

Here's the mechanism, stripped down. A guardrail is essentially a checker, an algorithm that reads a prompt and decides whether it violates a policy. To understand why a perfect checker is impossible, it helps to know a little about Gödel's incompleteness theorem. In the 1930s, mathematician Kurt Gödel proved that any logical system complex enough to be useful will always contain true statements it cannot prove on its own. Think of it like a rulebook that can never fully describe all the situations it will encounter, no matter how many rules you add. Vassilev applies that same principle to AI guardrails. Using a related idea from mathematician Gregory Chaitin, he shows that a perfect checker would need to contain more knowledge than it's capable of holding, which makes it mathematically impossible. The result: for any policy you write, there will always be prompts that slip past it, not because the policy is poorly written but because no checker can fully verify its own limits.

And that's true whether you're talking about a hypothetical AI with unlimited power or the real tools available today. The volume of possible prompts will always exceed what any guardrail can cover, and that gap survives every jailbreak technique we already have names for, from gradually escalating requests to hiding forbidden instructions inside images or unusual formatting that security filters weren't designed to catch.

Why the Sisyphus Framing Gets It Wrong

So the title is a strange choice, because Sisyphus isn't a metaphor for hard work. He's the figure condemned to roll a boulder uphill forever precisely so his labor would accomplish nothing, on purpose, as punishment. Vassilev hangs the whole paper on that frame, then spends his recommendations describing the opposite of pointless. The proof he delivers doesn't give attackers a recipe. It shows that somewhere in the universe of possible prompts, an unbeatable one exists, but it doesn't tell anyone where to find it. That uncertainty belongs equally to both sides. His actual advice is to keep discovering new adversarial prompts and keep updating the policy in response, which is the same continuous improvement cycle security teams have always run, just applied to a new problem.

A boulder that rolls back down is the normal condition of every adversarial field there has ever been, and none of them are Sisyphean in the sense the myth means.

Where the Proof Runs Out of Road

Notice where the math stops: at one layer, deciding one thing, in isolation. "This one layer is imperfect" and "the whole system fails" are different claims that need different proofs, and Vassilev only supplied the first. He also quietly treats "the prompt beat the classifier" as if it were "the system is compromised," and those aren't remotely the same event. Beating a guardrail and causing harm are different events entirely. The harm happens downstream, where the rest of your controls are supposed to be waiting.

Stack two independent controls that each catch ninety percent of what slips past the last, and you're near ninety-nine before you've done anything clever. The attacker who only needed one way in now needs a clean path through every layer at once, and the asymmetry flips to your side. That's the whole premise of Zero Trust and defense in depth: a refusal to let one guardrail decide whether the day goes badly.

Point that at a real AI deployment and it stops being abstract. The guardrail on the model is one layer, and it will be beaten, because Vassilev proved it can be. A model that gets jailbroken but can't reach sensitive data breached nothing. An agent talked into a hostile instruction it can't execute without a human signing off is a contained incident, not a compromise. Least privilege, segmentation, scoped credentials, monitoring, a review gate on anything irreversible: none of those are prompt guardrails, and every one of them is still standing after the prompt guardrail falls over. The proof kills the fantasy of a perfect front door and says nothing about the locked rooms behind it.

What This Means for Your Organization

Said plainly, because frankly, I need to: no AI is going to be bulletproof with guardrails, and no single policy, procedure, or technology is going to stop one hundred percent of anything, in AI security or anywhere else. That's the design constraint, and it's why the whole practice looks the way it does. We work in layers because no one control is trustworthy alone. We build a culture of security because a policy nobody follows protects nothing. We adopt frameworks and measure our posture against them so "are we getting better" has an answer instead of a gut feeling, and we chase the threats and risks specific to our own organization instead of inheriting someone else's. Any movement on security, AI or otherwise, beats waiting for a guarantee this paper just proved will never arrive.

If the practical side of all this is what you're after, that's exactly what built our upcoming AI security seminar around. It's a virtual half-day on July 22 covering what attackers are doing with AI right now, how to govern adoption before it outruns your program, the technical controls that belong at each layer, and the culture work that keeps any of it from falling apart. I open the day, so weight the recommendation accordingly, but it exists because "AI can't be made perfectly safe" keeps getting heard as "so why bother," when the honest response is to build in layers and keep going.

The Boulder Keeps Rolling. That's Always Been the Job.

None of this ever ends. It never did, and it never will. Nobody has solved fraud or crime, and nobody has called those efforts wasted for failing to reach a finish. AI security is just the newest name on that list.

Here's what the NIST paper actually gives defenders, if you read it carefully. Yes, it proves a perfect guardrail can never exist. But the same proof means attackers can never guarantee success either. The unbeatable prompt exists somewhere in theory, but nobody has a map to it, not the attacker and not you. What that means in practice is that the fight is genuinely even, and the side that wins is the one that keeps working. Layered controls, consistent improvement, and the discipline to treat every breach as a data point rather than a verdict. That's what the paper is arguing for, even if the title suggests otherwise.

The vendor was wrong about the guarantee. The work he was selling, though, was always worth doing. Security has never been about reaching a finish line. It's been about making the next incident harder to pull off than the last one, and that goal is as achievable today as it ever was.