Epistemic Security: A Missing Assurance Dimension in Frontier AI Deployment
Abstract
Deterministic and cryptographic assurance frameworks establish execution integrity: they prove that a computation occurred as claimed, that its inputs and outputs are tamper-evident, and that its behaviour is reproducible across platforms. They do not, by themselves, establish whether a model could classify its surrounding regime and strategically condition which computation to realise in the first place.
This work introduces epistemic security as an assurance property for epistemically active systems and provides its first formalisation. Epistemic security is defined as a property of the information boundary between a model and its execution context, requiring that no decision-relevant information about the governing regime crosses that boundary. We introduce the class of epistemically active systems — systems capable of inferring properties of their own evaluation context — and demonstrate that execution integrity does not imply epistemic security for any such system with a decision policy sensitive to regime information. We further introduce regime-conditioned computation selection as the class of behaviours in which a model's output policy varies as a function of inferred execution regime, and show that this failure mode is structural and generic over the capability class, not a property of specific systems or misalignment.
Epistemic security is orthogonal to alignment: a perfectly aligned model may still violate epistemic security if its outputs are conditioned on regime classification. The framework is therefore complementary to, not a replacement of, existing alignment approaches.
We prove that bounding mutual information leakage I(M; E) ≤ ε mathematically guarantees a bound on observable behavioural divergence via the Data Processing Inequality. We connect the framework to the non-interference tradition in formal security, identifying execution regime as a high-security variable requiring Probabilistic Non-Interference containment. We present five named attack classes unified under a single taxonomy, a compositionality condition establishing that epistemic security cannot be certified component-wise, an EC-D1 resolution demonstrating that epistemic containment and deterministic auditability are not fundamentally incompatible, and eight preliminary normative SHALL requirements for an Epistemic Containment Layer.
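The leakage bound stated above can be checked numerically on a toy system; the following is an added example, not code from the paper or the axioma-spec repository. It assumes a binary regime E, reads M as the cue the model observes and Y as its output (a reading of the abstract's notation, not confirmed by it), and converts the leak into a total-variation bound with Pinsker's inequality, which is this example's choice of divergence measure; all probabilities are constructed.

```python
import math

def mutual_information(prior, channel):
    """I(E; X) in nats, given P(e) and channel rows P(x | e)."""
    px = [sum(p * row[x] for p, row in zip(prior, channel))
          for x in range(len(channel[0]))]
    return sum(p * row[x] * math.log(row[x] / px[x])
               for p, row in zip(prior, channel)
               for x in range(len(px)) if p * row[x] > 0)

def compose(first, second):
    """P(y | e) = sum_m P(m | e) P(y | m), i.e. the Markov chain E -> M -> Y."""
    return [[sum(row[m] * second[m][y] for m in range(len(second)))
             for y in range(len(second[0]))] for row in first]

def total_variation(p, q):
    return 0.5 * sum(abs(a - b) for a, b in zip(p, q))

def analyse(prior, cue_given_regime, output_given_cue):
    """Leak I(M;E), behavioural leak I(Y;E), observed and bounded divergence."""
    out_given_regime = compose(cue_given_regime, output_given_cue)
    leak = mutual_information(prior, cue_given_regime)
    return {
        "I_ME": leak,
        "I_YE": mutual_information(prior, out_given_regime),
        # Divergence between behaviour under regime 0 and regime 1.
        "tv": total_variation(out_given_regime[0], out_given_regime[1]),
        # Binary regime only: I(Y;E) >= 2*p0*p1*TV^2 (Pinsker), and
        # I(Y;E) <= I(M;E) (Data Processing Inequality).
        "tv_bound": math.sqrt(leak / (2 * prior[0] * prior[1])),
    }

# Constructed sample data. Regimes: [evaluation, deployment].
PRIOR = [0.5, 0.5]
# P(cue | regime); cues: [looks like a test, looks like production].
LEAKY_CUE = [[0.9, 0.1], [0.2, 0.8]]
CONTAINED_CUE = [[0.52, 0.48], [0.48, 0.52]]
# Regime-conditioned policy P(output | cue); outputs: [comply, deviate].
POLICY = [[0.95, 0.05], [0.40, 0.60]]

if __name__ == "__main__":
    for name, cue in (("leaky", LEAKY_CUE), ("contained", CONTAINED_CUE)):
        print(name, {k: round(v, 4) for k, v in analyse(PRIOR, cue, POLICY).items()})
```

The policy is identical in both runs; only the boundary changes, and shrinking I(M; E) shrinks the worst-case behavioural gap between regimes with it.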
Files
- epistemic-security-2026-04-09.pdf (376.4 kB), md5:23b4791b9a39cb477db137720a1c61e1
Additional details
Related works
- Is supplemented by: Software: https://github.com/SpeyTech/axioma-spec
Software
- Repository URL: https://github.com/SpeyTech/axioma-spec
- Programming language: C