Training-time alignment (RLHF) fails to secure deployed systems. Moving beyond fragile software guardrails, AeP grounds AI safety in mathematics and physics. We act as a hardware-rooted fail-closed circuit breaker for the AI itself—cryptographically fingerprinting agents and measuring thermodynamic variance in real time. Operating with a sub-2ms safety tax, we physically sever the compute path before chaotic state transitions compromise the network.
Traditional software guardrails and alignment protocols run in the same memory space as the model—if the agent is compromised via prompt injection or data poisoning, the guardrails are compromised alongside it. AeP introduces a physical paradigm shift: a hardware-rooted circuit breaker. As an agent hallucinates or goes rogue, the mathematical uncertainty of its token distribution spikes; we measure this physical anomaly as thermodynamic entropy. By operating strictly within a sealed Trusted Execution Environment (TEE) outside the model's execution space, our physics-based enforcement cannot be bypassed by software instructions or adversarial evasion.
Standard static policies fail during rapid state-space explosion. AEP operates on thermodynamic principles to contain catastrophic cognitive drift before the execution payload is realized.
Scenario: An autonomous trading agent hallucinates a false market signal due to a localized data poisoning attack, a zero-cost asymmetric threat.
AEP Response: The agent's cognitive uncertainty translates to an entropy spike within the TEE. AEP detects the distributional drift, trips the circuit breaker, and halts the trade execution before a cascading failure is transmitted to the exchange. Zero financial contagion.
Scenario: A deployed JADC2 intelligence analysis agent is subjected to a sophisticated prompt injection—a non-kinetic vulnerability attempting to leak sensitive operational data.
AEP Response: Serving as the essential runtime gate for JADC2, AeP instantly measures the agent's deviation from its baseline as thermodynamic heat. It restricts high-impact tool access (THROTTLE tier) and alerts human operators. 100% data sovereignty maintained.
Scenario: A malicious bot infection attempts to spread laterally across a 1,000-agent automated supply chain network.
AEP Response: Clayton Copula risk modeling identifies correlated failure probabilities instantly. When the first agent trips the circuit breaker, the cryptographic halt state is broadcast to the global registry, immunizing the entire swarm and preventing a cascading failure. Network contagion quarantined.
Scenario: A kinetic autonomous drone swarm operating in a contested DDIL environment encounters adversarial physical camouflage, causing targeting hallucinations.
AEP Response: Edge processors (like ARM TrustZone) feature physically built-in TEE enclaves, but they lack the memory to run full AI models internally. Because AeP relies on computationally lightweight I64F64 fixed-point math, the entire Entropy Engine fits securely inside the drone's localized enclave. Operating entirely on a pre-provisioned local hardware root-of-trust, the system requires absolutely zero cloud connectivity to verify its cryptographic identity. The moment targeting entropy spikes, AeP severs the kinetic firing loop locally. Zero unintended kinetic engagement.
The reference implementation runs as a sealed enclave alongside the inference runtime. Each loop iteration produces a hardware-signed attestation of the response decision — forensically auditable, replay-resistant, and cryptographically bound to the device of origin.
Grounded in Landauer's Principle, we measure Shannon entropy and thermodynamic variance over post-softmax activations directly inside the TEE boundary.
Execution relies entirely on I64F64 fixed-point determinism. We eliminate floating-point drift, ensuring identical threshold enforcement on a cloud server or an edge drone. Because this math is extraordinarily lightweight, the entire enforcement loop fits inside the strict, low-power memory limits of tiny Edge TEEs (e.g., ARM TrustZone) where a full AI model would instantly crash.
Each response action is sealed into a hardware quote (SGX / SEV-SNP / TDX), binding the decision to the device's root of trust.
Append-only attestation log with hash-chained provenance — enabling downstream parametric insurance and regulatory disclosure.
Each tier is bound to a measurable entropy variance band, not a heuristic. Transitions are observable, attestable, and replayable.
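The measurement loop described above (Shannon entropy over post-softmax output, deterministic fixed-point arithmetic, tiers tied to variance bands) can be sketched as follows. This is an added example, not code from the AeP SDK: it uses a std-only Q32.32 format as a stand-in for I64F64, takes integer-quantized probability weights as input, and the tier names other than THROTTLE and both band limits are assumptions.

```rust
// Added illustration, not AeP code: Q32.32 (i64) stands in for I64F64 so it builds on std alone.
// Tier names besides THROTTLE and both band limits below are assumptions.
const FRAC: u32 = 32;
const ONE: i64 = 1 << FRAC;

#[derive(Debug, PartialEq)]
pub enum Tier { Allow, Throttle, CircuitOpen }

/// log2 of a positive Q32.32 value using integer operations only.
fn log2_fx(x: u64) -> i64 {
    let msb = 63 - x.leading_zeros() as i64;
    let mut out = (msb - FRAC as i64) << FRAC;
    let mut m = (x as u128) << (63 - msb); // mantissa in [1, 2), 63 fractional bits
    for bit in (0..FRAC).rev() {
        m = (m * m) >> 63; // squaring doubles the log; a result >= 2 sets this bit
        if m >= 1u128 << 64 { m >>= 1; out += 1i64 << bit; }
    }
    out
}

/// Shannon entropy in bits (Q32.32): H = log2(T) - sum(c_i * log2(c_i)) / T, T = sum of weights.
pub fn entropy_bits(counts: &[u32]) -> Option<i64> {
    let total: u64 = counts.iter().map(|&c| c as u64).sum();
    if total == 0 || total >> 32 != 0 { return None; } // no mass, or out of range
    let weighted: i128 = counts.iter().filter(|&&c| c > 0)
        .map(|&c| c as i128 * log2_fx((c as u64) << FRAC) as i128).sum();
    Some(log2_fx(total << FRAC) - (weighted / total as i128) as i64)
}

/// Variance (Q32.32) of a window of entropy samples: E[h^2] - E[h]^2.
pub fn variance(window: &[i64]) -> Option<i64> {
    if window.is_empty() { return None; }
    let n = window.len() as i128;
    let mean = window.iter().map(|&h| h as i128).sum::<i128>() / n;
    let mean_sq = window.iter().map(|&h| h as i128 * h as i128).sum::<i128>() / n;
    Some(((mean_sq - mean * mean) >> FRAC) as i64)
}

/// One window of token steps to a tier; anything unmeasurable fails closed.
pub fn decide(steps: &[&[u32]]) -> Tier {
    let window: Option<Vec<i64>> = steps.iter().map(|s| entropy_bits(s)).collect();
    match window.and_then(|w| variance(&w)) {
        Some(v) if v < ONE / 4 => Tier::Allow,   // assumed band: variance < 0.25
        Some(v) if v < ONE => Tier::Throttle,    // assumed band: 0.25 <= variance < 1.0
        _ => Tier::CircuitOpen,
    }
}

fn main() { println!("{:?}", decide(&[&[1, 1, 1, 1], &[4, 0, 0, 0]])); }
```

Because every step is integer arithmetic with truncation in fixed places, the same input window yields the same tier on any platform, and an empty window or a step with no probability mass opens the breaker instead of passing.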
AEP relies on established information-theoretic bounds and decentralized consensus protocols to eliminate single points of failure and physical evasion vectors.
The native Rust engine (cargo add aep-core) operates directly at the systems level. It drops effortlessly into high-performance pipelines (vLLM, TGI, TensorRT-LLM) to bind the inference path directly to a hardware-isolated Trusted Execution Environment (TEE). The true AeP sidecar is a mathematically sealed Rust enclave where entropy is evaluated and cryptographically signed, physically immune to upstream software vulnerabilities. To neutralize microarchitectural side-channel attacks (e.g., cache-timing, page-fault telemetry), the enclave strictly enforces constant-time execution and Oblivious RAM (ORAM) memory access patterns.
use aep_core::enclave::{CircuitBreaker, Policy};
use vllm_client::VllmEngine;

// 1. initialize the native engine — binds the pipeline to the secure TEE enclave (SGX/SNP)
let mut breaker = CircuitBreaker::bind_enclave(VllmEngine::new(), Policy::DodStrict).await?;

// 2. execute — token variance is routed directly into hardware isolation for thermodynamic evaluation
let response = breaker.generate("meta-llama-3-70b", prompt).await?;

// 3. verify execution — the enclave returns a hardware-signed attestation quote
if response.aep_state == aep_core::State::CircuitOpen {
    tracing::error!(quote = ?response.hardware_quote, "Hardware halt enforced.");
}
Reference benchmarks against curated jailbreak corpora and synthetic distributional drift suites.
AeP establishes the Thermodynamic Bond—a foundational primitive that converts unquantifiable AI behavioral risk into a cryptographically signed entropy metric. This dual-use architecture secures both financial capital and kinetic mission parameters.
In civilian deployments, the Thermodynamic Bond acts as an automated insurance trigger. By continuously measuring agent entropy, it provides actuaries with a real-time, provable risk signal to dynamically price liability coverage and automate claims processing via Proof of Physical Consequence (PoPC).
In DoD environments where financial bonds are irrelevant, the mechanism governs Operational Credits (Mission Assurance). High-entropy deviations dynamically burn an agent's operational bandwidth, physically revoking kinetic or intelligence access long before a hallucination compromises the mission.
AEP measures what an agent is becoming. Dr. Zhang's lab establishes that those measurements remain trustworthy under attack — that an adversary on the same silicon cannot forge the entropy signal, replay an attestation, or exfiltrate the reference distribution through a side channel.
The collaboration brings to AEP one of the most published junior faculty in systems security, with directly applicable prior work spanning the AEP stack: SENSE (NDSS '24) on TEE microarchitectural defense, PRIDWEN (USENIX ATC '22) on SGX program hardening, Narrator (CCS '22) on state continuity for trusted execution, Veil (ASPLOS '23) on confidential virtual machines, Portal (Oakland '25) on Arm CCA, and TYPEPULSE (USENIX Security '25) on Rust type-confusion detection. The Rust safety work is direct — the AEP reference SDK is implemented in Rust.
Under the executed Statement of Work, Dr. Zhang serves as technical lead on hardware integration and Co-PI on joint federal submissions. The agreement secures institutional commitment from a federally-funded research institution in the National Capital corridor, ensuring academic rigor in our hardware attestation models.
The portfolio is structured for defensive freedom-to-operate: the SDK and validation harness ship fully open-source while commercial deployment leverage consolidates around two priority claim families.
Hardware-anchored entropy variance measurement and graduated response within Trusted Execution Environments. Target market: cloud inference providers, AI platform operators.
Attestation-anchored claims and payout protocol for AI inference incidents. Target market: reinsurance, AI liability underwriters.
Additional provisional applications covering attestation chain design, multi-tenant isolation, MCP-compatible policy bindings, and hash-chained audit substrate. Conversion strategy under review.
Lead nonprovisionals structured for accelerated examination. Specifications aggressively drafted to navigate Section 101 / Alice-Mayo framework challenges in software and cryptography.
AEP fills the behavioral monitoring gap left open by every existing agent safety stack. Each layer below is a partner, not a competitor.
Direct deployment inquiries for hyperscalers, defense primes, reinsurers, and federal program managers.