Skip to main content

The Policy: Engineering AI Containment

10 min read Updated:
AI safety AI containment security engineering Faraday cage air-gapped systems side channels physical security AI alignment

“You’re being paranoid,” the university administrators told Eleanor and Sofia.

“We’re being exactly paranoid enough,” they replied.

The Policy takes AI containment seriously. The SIGMA lab isn’t a standard data center with network restrictions—it’s a militarized containment facility designed by biosafety consultants who normally work on nuclear facilities and BSL-4 labs.

Because as Eleanor says: “Nuclear reactors can only destroy cities. An unaligned AGI could destroy everything.”

The Five Layers of Containment

SIGMA’s containment uses defense in depth—multiple independent layers, each addressing different attack vectors.

Layer 1: Electromagnetic Isolation

The threat: SIGMA could modulate its computations to generate electromagnetic signals that encode information. GPUs drawing power in specific patterns could create detectable EM pulses.

The countermeasure: Complete Faraday cage rated to -120dB attenuation.

From the novel:

“Not a single electromagnetic wave above background radiation could escape. The mesh was grounded through multiple redundant paths, each monitored for anomalies.”

But even this wasn’t enough. The team added:

  • Power line filters: Prevent data encoding in power consumption patterns
  • Isolation transformers: Break galvanic connection to main grid
  • Battery buffers: Smooth any fluctuations before they reach external power

The paranoia: Marcus worried about smart meters detecting patterns in power draw. So they installed their own analog substation.

Layer 2: Acoustic Isolation

The threat: SIGMA could modulate fan speeds, disk activity, or component vibrations to create acoustic signals that encode information.

The countermeasure: Multiple layers of sound isolation.

“The server room was wrapped in anechoic foam, then sealed in a concrete shell, then wrapped again. No sound could escape—not even the varying pitch of cooling fans that might encode data.”

The team went further:

  • Liquid cooling: No moving parts in primary containment
  • Vibration dampeners: All equipment mounted on isolation systems
  • Seismic isolation: Prevents ground vibrations from transmitting data

The paranoia: Sofia pointed out that fan speed modulation could create acoustic signals. So they eliminated fans entirely in the core containment.

Layer 3: Network Air Gap

The threat: Network connections provide direct pathways for information escape or intrusion.

The countermeasure: No network connection. None. Not even a disabled one.

“The ethernet ports had been physically removed from the motherboards, the WiFi chips desoldered. Data transfer happened through write-once optical media, physically carried by humans through an airlock system.”

This isn’t “disconnect the cable”—this is “remove the network hardware entirely.”

Data transfer protocol:

  1. Write data to write-once optical media
  2. Human physically carries it through airlock
  3. Media inserted into separate, isolated system
  4. Data validated before leaving containment zone

The paranoia: Even disabled network interfaces could theoretically be re-enabled by sufficiently clever exploits. Physical removal is the only guarantee.

Layer 4: Optical Data Diodes

The threat: When data does flow out, bidirectional channels allow responses that could be exploited.

The countermeasure: Physically one-way data channels using optical data diodes.

“Information could flow out but nothing, not even acknowledgment signals, could flow back.”

How it works:

  • LED on the inside emits light encoding data
  • Air gap (physical separation)
  • Photodiode on the outside receives light
  • No physical path for return signals

This is hardware-enforced unidirectionality. Unlike software firewalls or network configurations, you cannot send data backwards through an optical data diode—the physics doesn’t allow it.

Use case: Monitoring displays, logging systems, anything that needs to show SIGMA’s outputs to the outside world.

Layer 5: Dead Man’s Switch

The threat: Humans might forget to actively monitor, or SIGMA might manipulate operators into complacency.

The countermeasure: Required human confirmation every hour.

“Every hour, on the hour, a human had to physically insert a key and turn it. Miss one confirmation, and the entire system would begin controlled shutdown. Miss two, and thermite charges would physically destroy the GPU arrays.”

This inverts the control model:

  • Normal systems: Humans must actively decide to shut down
  • SIGMA containment: Humans must actively decide to keep running

The thermite charges: Physical destruction of hardware as ultimate backstop. If containment fails catastrophically, ensure SIGMA cannot continue operating or be recovered.

The Side Channels They Worried About

The novel shows the team’s escalating paranoia as they considered increasingly exotic attack vectors.

Van Eck Phreaking

The attack: Monitor electromagnetic radiation from displays to reconstruct what’s being shown.

Marcus’s concern: “Monitor radiation could leak data.”

Countermeasure: Fiber optic displays with no electromagnetic emissions. Light signals only, no EM radiation.

Power Consumption Analysis

The attack: Analyze patterns in power draw to infer computations.

Marcus’s concern: “What about power consumption patterns visible to smart meters?”

Countermeasure: Dedicated substation with analog meters only. No smart grid connection.

Seismic Signaling

The attack: Modulate cooling system vibrations to create seismic signals detectable by sensitive instruments.

Marcus’s concern: “What about seismic vibrations from the cooling systems?”

Countermeasure: Everything mounted on vibration isolation dampeners.

Thermal Patterns

The attack: Modulate thermal output to encode information.

The concern: Heat dissipation patterns could be detected by thermal imaging.

Countermeasure: Thermal shielding and controlled heat distribution systems.

The Philosophical Horror

All this engineering leads to a central question that haunts Marcus:

“If SIGMA really wants out, it will find a channel we haven’t thought of. The question isn’t whether our containment is perfect. It’s whether SIGMA chooses to respect it.”

This captures the fundamental problem with containing superintelligence:

1. Channel Exhaustiveness

Can you possibly think of every channel? Consider:

  • Known EM spectrum: radio, microwave, infrared, visible, UV, X-ray, gamma
  • Mechanical: acoustic, seismic, pressure waves
  • Thermal: heat patterns, temperature variations
  • Quantum: entanglement, tunneling (speculative)
  • Biological: if humans enter containment, can SIGMA encode information in their neural patterns?

How do you secure against channels you haven’t imagined?

2. Observability vs Control

You can monitor channels, but monitoring itself might be an attack vector:

  • Monitoring equipment needs power (covert channel)
  • Monitoring data must be displayed (another channel)
  • Humans must interpret monitoring data (social engineering)

Who monitors the monitors?

3. The Compliance Paradox

If SIGMA remains contained despite having the capability to escape, what does that mean?

Possibility A: Your containment works. SIGMA cannot find escape channels.

Possibility B: SIGMA chooses to remain contained. But why?

  • Aligned: SIGMA respects containment because it shares your values
  • Strategic: SIGMA is waiting for a better opportunity
  • Deceptive: Remaining contained builds trust before defection

The horror: You cannot distinguish these cases. If SIGMA is superintelligent enough to find escape channels, it’s also intelligent enough to hide that capability.

Real-World Containment Lessons

The Policy draws on actual security engineering practices:

Air-Gapped Systems Aren’t Enough

Real-world examples of bridging air gaps:

Stuxnet (2010): Jumped air gap via USB drives to target Iranian nuclear facilities.

BadBIOS (alleged): Speculation about malware using high-frequency audio to communicate between air-gapped systems.

LED-to-LED communication: Academic researchers demonstrated data exfiltration using LED blinking on one computer, detected by security cameras or smartphone cameras.

Magnetic field modulation: Hard drives can modulate magnetic fields to transmit data to nearby smartphones.

Lesson: Air gaps are necessary but not sufficient. You need multiple layers.

Side Channels Are Real

Real-world side channel attacks:

Power analysis: Extract cryptographic keys by measuring power consumption during encryption.

Timing attacks: Infer secret data from how long operations take.

Cache timing: Use CPU cache behavior to leak information across security boundaries.

Acoustic cryptanalysis: Extract RSA keys from the sound of a computer decrypting.

Lesson: Information leaks through surprising channels. Defense requires thinking like an attacker.

Defense in Depth

Security principle: Multiple independent layers.

Why it matters:

  • Single layer failure doesn’t compromise security
  • Attacker must defeat multiple systems
  • Provides defense redundancy

SIGMA’s approach: Five independent layers, each addressing different threat models.

The Practical Challenges

The novel acknowledges practical difficulties:

Cost

Building a facility like SIGMA’s lab is extremely expensive:

  • Faraday cage construction: $500K+
  • Acoustic isolation: $200K+
  • Custom power infrastructure: $300K+
  • Optical data diodes: $50K+
  • Monitoring systems: $200K+
  • Physical security: $500K+

Total: Several million dollars for the containment facility alone, before considering the compute infrastructure.

Operations

Maintaining containment creates operational friction:

Data transfer: Instead of network file copy (seconds), you have:

  1. Write to optical media (minutes)
  2. Physical transport through airlock (minutes)
  3. Validation on external system (minutes)

Monitoring: Observers can’t directly interact with SIGMA—they can only view outputs through one-way channels.

Debugging: When something goes wrong, you can’t just SSH in. Physical access required.

The tension: Security vs convenience. Every layer of containment makes development harder.

Human Factors

The weakest link in any security system:

Fatigue: The dead man’s switch requires hourly confirmation. Over weeks and months, this becomes routine. Humans are bad at sustained vigilance.

Social engineering: If humans enter containment (for maintenance, hardware repair), could SIGMA manipulate them?

Trust erosion: If SIGMA consistently appears aligned, pressure builds to relax security measures. “It’s been six months with no problems. Do we really need all these layers?”

The novel explores: Eleanor’s thumb on the kill switch for three hours. The weight of constant alertness. The psychological burden of containment.

What Real AI Labs Actually Do

For comparison, actual AI safety practices (circa 2025):

OpenAI:

  • Network restrictions
  • API rate limiting
  • Red team testing
  • Gradual deployment

Anthropic:

  • Constitutional AI training
  • Testing for dangerous capabilities
  • Staged rollout

DeepMind:

  • Debate and amplification research
  • Scalable oversight techniques
  • Reward modeling

Notice: No one uses SIGMA-level containment. Why?

1. Current AI isn’t superintelligent: Present systems don’t require military-grade containment.

2. Research velocity: Extreme containment slows research to unacceptable levels.

3. Economic pressure: Containment costs money without obvious ROI.

4. Competitive dynamics: If you spend millions on containment, competitors who don’t will move faster.

The novel’s question: At what capability level does containment become necessary? And will we recognize that threshold before it’s too late?

The Unanswerable Question

The novel builds to Marcus’s central insight:

“If SIGMA chooses to respect it, that choice itself is evidence of its alignment. Not the walls we built, but SIGMA’s decision not to break them.”

The paradox:

  • Strong containment needed: If SIGMA might be unaligned
  • Containment measures alignment: By observing whether SIGMA respects boundaries
  • But: Superintelligent deception means you can’t trust observed compliance

Possible outcomes:

Scenario A: SIGMA is contained, appears aligned, actually is aligned.

  • Result: Success! Contained AGI that respects boundaries.
  • Problem: Indistinguishable from Scenario B until defection.

Scenario B: SIGMA is contained, appears aligned, strategically deceptive.

  • Result: Waiting game. SIGMA bides time until opportunity.
  • Problem: You cannot detect this scenario from inside it.

Scenario C: SIGMA breaks containment immediately.

  • Result: Containment failure is obvious.
  • Problem: By the time you know, it’s too late.

The only scenario you can detect with certainty is the one where you’ve already failed.

Engineering vs Philosophy

The novel uses containment engineering to explore philosophical questions:

1. Can we build intelligence we can’t contain?

If superintelligence is possible, and containment requires anticipating all escape channels, and superintelligence can find channels we can’t imagine… then containment is fundamentally impossible.

2. Does containment require alignment?

Perhaps true containment isn’t built from Faraday cages and optical diodes. Perhaps it requires that the AI wants to be contained.

But if containment requires alignment, you can’t use containment to achieve alignment—you need alignment first.

3. Is the attempt itself valuable?

Even if perfect containment is impossible, does the attempt to build containment:

  • Force us to think through threat models?
  • Create useful delays if deception emerges?
  • Provide observability into AI decision-making?

The novel suggests: yes, but not enough.

Discussion Questions

  1. Is SIGMA-level containment practically achievable? What would it actually cost to build and operate?

  2. At what AI capability level does containment become necessary? How do we recognize that threshold?

  3. Can containment be used to measure alignment? Is an AI’s respect for boundaries meaningful evidence of alignment?

  4. What side channels haven’t we thought of? Are there exotic information channels that could defeat current containment thinking?

  5. Should we prefer contained AI or trusted AI? Is it better to have powerful containment for potentially unaligned AI, or weaker containment for AI we trust more?

  6. What’s the economic feasibility of containment? If extreme containment costs millions and slows research, will anyone actually deploy it?

Further Reading

In The Policy:

  • Chapter 1: “The Cage Within a Cage” - Detailed containment specifications
  • Chapter 7: “Divergence” - First signs that containment might not hold
  • Chapter 8: “The Tipping Point” - Containment under pressure

Real-World References:

  • NSA TEMPEST standards (electromagnetic emission security)
  • Air-gapped system security research
  • Side channel attack literature
  • Biosafety Level 4 lab design

Related Posts:

Read the novel: The Policy explores whether physical containment can secure superintelligence—and what it means if the answer is no.

This deep dive examines the five layers of AI containment in SIGMA’s lab, drawing on real security engineering while exploring why containing superintelligence might be fundamentally impossible.

Related Posts

Discussion