Pursuing 100% security is an impractical and undesirable goal. Formal methods aim to dramatically raise assurance by closing glaring vulnerabilities, akin to locking doors on a house that's currently wide open. The goal is achieving an appropriate level of security, not an impossible absolute guarantee.
Related Insights
AI audits are not a one-time, "risk-free" certification but an iterative process with quarterly re-audits. They quantify risk by finding vulnerabilities (which can initially have failure rates as high as 25%) and then measuring the improvement—often a 90% drop—after safeguards are implemented, giving enterprises a data-driven basis for trust.
The current industry approach to AI safety, which focuses on censoring a model's "latent space," is flawed and ineffective. True safety work should reorient around preventing real-world, "meatspace" harm (e.g., data breaches). Security vulnerabilities should be fixed at the system level, not by trying to "lobotomize" the model itself.
Claiming a "99% success rate" for an AI guardrail is misleading. The number of potential attacks (i.e., prompts) is nearly infinite. For GPT-5, it's 'one followed by a million zeros.' Blocking 99% of a tested subset still leaves a virtually infinite number of effective attacks undiscovered.
The same AI technology amplifying cyber threats can also generate highly secure, formally verified code. This presents a historic opportunity for a society-wide effort to replace vulnerable legacy software in critical infrastructure, leading to a durable reduction in cyber risk. The main challenge is creating the motivation for this massive undertaking.
The term "formal methods" isn't a single, complex technique but a range of mathematical approaches. Many developers already use them via simple tools like Java's type checker (weak guarantees, easy to use), while full functional correctness requires PhD-level interactive theorem provers (strong guarantees, high cost).
While the computational problem of finding a proof is intractable, the real-world bottleneck is the human process of defining the specification. Getting stakeholders to agree on what a property like "all data at rest is encrypted" truly means requires intense negotiation and is by far the most difficult part.
A formal proof doesn't make a system "perfect"; it only answers the specific properties you asked it to prove. Thinking of it as a perfect query engine, a system can be proven against 5,000 properties, but a critical flaw might exist in the 5,001st property you never thought to ask about.
The benchmark for AI reliability isn't 100% perfection. It's simply being better than the inconsistent, error-prone humans it augments. Since human error is the root cause of most critical failures (like cyber breaches), this is an achievable and highly valuable standard.
The goal for trustworthy AI isn't simply open-source code, but verifiability. This means having mathematical proof, like attestations from secure enclaves, that the code running on a server exactly matches the public, auditable code, ensuring no hidden manipulation.
The modern security paradigm must shift from solely protecting the "front door." With billions of credentials already compromised, companies must operate as if identities are breached. The focus should be on maintaining session security over time, not just authenticating at the point of access.
