Building verifiable AI for journalism means spending a lot of time thinking about safety architecture. Designing the audit system behind RE::DACT — where every AI interaction is cryptographically logged and independently verifiable — forced me to sit with a question that goes well beyond newsrooms: what does AI accountability look like when the systems become more capable than the people overseeing them?
I don't have a background in physics. But I do have a perspective shaped by building systems where "trust me" isn't good enough — where every claim needs a verifiable trail. That perspective led me to look at the AGI containment problem, and I found something in the existing literature that seemed worth writing about.
A hidden assumption
In 2016, Alfonseca et al. proved that AGI containment is undecidable — at least as hard as the halting problem. Most AI safety researchers accepted this and moved on to alignment. But the proof has a buried premise: it assumes both the container and the contained system operate in the same computational paradigm. Classical logic containing classical logic. A Turing machine trying to trap another Turing machine.
Of course that fails. The agent can reason about its own container using the same tools the container uses. The asymmetry needed for containment doesn't exist.
But what if the barrier operates in a paradigm the agent can't access?
The proposal
The paper explores what happens when you couple a classical AGI to a quantum gatekeeper whose internal states cannot be efficiently simulated by any classical machine. This follows from the BPP ≠ BQP conjecture — one of the most widely believed separations in computational complexity. If it holds (and the evidence is strong), then no classical system, regardless of intelligence, can predict or model the barrier's behavior.
Previous containment proposals put the barrier outside the AI: a firewall, a sandbox, an air gap. The AI can probe it, model it, find edge cases — because the barrier operates on the same physics the AI understands. The architecture I describe does something different: the gatekeeper is woven into the system the AI uses to think. Breach attempts cause decoherence in the agent's own reasoning process — not in some external system, but in its own cognitive substrate. Escape doesn't just fail. It degrades the attacker's capacity. I call this the "pain mechanism."
Results and limitations
The paper presents seven formal theorems and analyzes six adversarial attack vectors. The defense-in-depth probability model yields an estimated breach probability of 10⁻²³ per attempt. The results hold under the BPP ≠ BQP assumption and standard quantum mechanical principles — no exotic physics, no speculative extensions.
On the hardware side: current NISQ processors have enough physical qubits for initial decoherence detection experiments, but today's error rates (0.1–1% per gate) and coherence times (microseconds) are far from what a production system would need. Fault-tolerant logical qubits — which require hundreds of physical qubits each for error correction — are on published roadmaps for 2029–2030. The architecture maps to real hardware, but hardware that doesn't exist yet in its required form.
This paper is a thought experiment that grew out of practical work on AI accountability — not a claim to have solved containment. The formal framework has seven theorems and I've tried to be rigorous, but it is almost certainly incomplete. I wrote it because the core idea — exploiting paradigm asymmetry to circumvent the classical impossibility result — seemed too interesting not to put on paper and open to scrutiny.
The full text with formal proofs, adversarial analysis, and technical appendices is on ResearchGate.
Read the full paper