NIST Published The Mathematical Proof Of My AI Security Work
Math doesn't lie: Your move, AI security vendors | Edition 55
Image: Your humble ex AI hacker, nearly on my knees and hair nearly on the floor, whiteboarding the operational implications of the NIST mathematical proof in my AI Threat Modeling training–three weeks before the paper came out.
My training is the first and ONLY AI threat modeling course that is NIST-valid, mathematically sound, and full-stack ready to defend AI systems.
Book me through Shostack + Associates.
I am not going to bury the lede here:
The National Institute of Standards and Technology (NIST) has now published, in the peer-reviewed journal IEEE Security and Privacy, a mathematical proof of my work over the last four years.
The work is published by Apostol Vassilev, a senior scientist at NIST. It builds on work by logician Kurt Gödel, published nearly a century ago, in 1931.
The TLDR: You cannot mathematically secure AI systems. Not ever. The only way forward is continuous monitoring.
This is the crux of my paper from 2022, where I architected the first published defensive AI architecture, based on–you guessed it–threat modeling designed specifically for AI.
The blueprint was simple, and still is: Threat model, design monitoring based on the threat model, stress test the monitoring.
That’s how you secure AI.
It was in 2022, prior to the advent of ChatGPT, and it remains so in 2026, for your enterprise Agentic deployment.
And then in 2025, I published the same mathematical basis from the offensive angle–demonstrating that “AI red teaming” was both pointless security theater, and nothing like what real hackers do in the field.
This paper is where I talked about the 25-dimensional adversarial subspace–but more to the point, the paper contains a solution for mapping these subspaces in a way that is mathematically defensible.
I did not just show the problem. I provided the solution.
For free.
In other words, there is zero excuse for any “AI red teamer” to avoid adopting these techniques, now.
And now NIST agrees with me.
Because math.
I cannot overstate how rare it is for an engineering opinion to be validated with literal mathematical proof.
Not opinion, not data–proof.
As I have said for four years now, there is NO WAY to guardrail AI systems. It is mathematically impossible. And now NIST has proven I was right.
Like I said before: The current “AI red teaming” SOTA is worthless security theater.
NOT real tech. NOT mathematically defensible.
If you’re asking yourself “how could this happen,” that is an extremely reasonable question.
How indeed, could a lowly ex hacker have beaten every AI security CEO at the tech they were trying to sell?
Simple: So-called “security professionals” saw a goldrush, and decided to sell shovels. Which would have been fine–except for one big problem.
The problem was that AI security sellers didn’t learn what a shovel is, does, or even looks like. And so CISOs and decision makers have been forced to wade through a sea of spoons, rakes, fly swatters, and paintbrushes being sold as shovels.
If shovels didn’t exist, and we were all inventing shovels as we went along, it would be one thing.
But that’s not what happened.
Shovels are real, they have an established form and function–it’s just that in this case, most people were unfamiliar with what they looked like–and the AI security grifters swooped in to capitalize.
Old security playbooks were familiar. Old security terminology sells SaaS. So that’s what they went with.
Old-school pentesting methods, with AI-words sprinkled in to convince CISOs that their AI systems would be secured.
And as I covered previously, this wasn’t just a case of creating a false sense of security–it was much worse than that.
Because in an infinite attack space, the published prompts that “AI red teams” sprayed at systems become easily iterable starting points for attackers.
Instead of randomly guessing where to start, prompt libraries give attackers a clear path of attacks through the high-dimensional space: Just start with one of the tested prompts, and iterate only slightly–this will virtually always be enough to craft novel attacks.
That’s just how the math works out.
So everyone who sold both AI red teaming and prompt injection defense just took millions in enterprise money for vaporware.
Quite literally wasting everyone’s time and money--and giving criminals a literal advantage.
And I am not afraid to say so.
Because it isn’t just my opinion–it’s now a mathematically proven fact.
What Makes Something A Proof?
Not everything can be a proof. There are rules. And your opinion–however well formed, researched, or backed by data–does not count.
A mathematical proof is a rigorous, highly defined defense of a statement.
It’s not a matter of opinion. It’s a matter of logic.
The rules are simple: The logic must be watertight, it must be undeniably true according to the rules of logic, and it must be shown that the statement at hand must be true for all possible cases.
All cases. Zero exceptions. As demonstrated inarguably by the rules of logic.
It is not enough to present a case or cases where the statement holds.
An infinite number of data points would still not rise to the level of rigor required to form a mathematical proof–not until it can be logically demonstrated that the statement at hand is true for all cases, no exceptions.
A proof is an example of deductive reasoning, a concept you’re definitely familiar with if you’ve ever studied formal logic.
So when NIST goes so far as to publish a definitive proof of the limits of AI security defense, it’s not a matter of opinion.
It’s pure, logical, mathematical fact.
This is no longer up for discussion. There are no “edge cases”.
AI is unsecurable through guardrails.
The threat modeling-informed continuous monitoring architecture I published in 2022 & that I teach in my AI Threat Modeling training, remains the only viable defense for AI systems in production today–even Agentic AI.
The argument is over. What remains to be seen is how the industry will respond.
How The Proof Works
AI isn’t the “closed box” it’s been sold as.
That mythology benefited one group disproportionately: Those hoping to sell AI or related SaaS.
There are, in fact, many things we know about how AI works–and how it can and cannot be secured.
In fact, there are what we can call “information-theoretic limitations for robustness of AI security and alignment”, and this work lays them out.
What does this mean?
Information theory is a branch of computer science that deals with how information–under specific mathematical definitions–is structured, stored, transferred, and more.
And there are hard limits on how systems with the mathematical and architectural properties of AI software can be secured.
To take this apart, let’s look at just two key points where the NIST paper agrees with my work.
Key Point [1]: All AI Communication & Attacks Are Math - And Always Will Be
When I started writing about real-world hacker workflows, it was because I saw a need: To make the industry acknowledge that all AI attacks are math.
Why is this so important?
Because understanding the mathematical nature of AI inputs is absolutely key to understanding how AI attacks work.
AI systems are not reading your words. Your prompts are translated into strings of numbers, called vectors, which represent (to some degree of precision) the concepts which were invoked by your actual words.
The word “green” is just a string of numbers to an AI system; but this particular string of numbers will be closer in the model’s learned vector space to the string that represents “forest” than the one for “desert”.
It will be closer to “emerald” than to “ruby”. And so forth.
And this conceptual alignment is what gives natural language processing systems much of their power.
It does not, however, make a system conscious or even smart.
It’s not talking to you. It’s encoding and decoding strings of numbers using some fancy algebra.
And this math is where critical attack vectors lie.
This quote from the NIST paper sums up the inherent, unchanging mathematical nature of AI systems beautifully:
“Every decision the AI system makes or action it takes are based on computation. So, truth and verification of it are defined and dealt with as strings and algorithms. This assumption is supported by any type of AI system, past, present and future, which in turn helps to generalize the results of the theorems in this manuscript.”
The mathematical nature of AI systems has not changed for more than a decade.
The only thing that changed? Was the interface–the prompt.
Natural language prompts allowed for actors with less technical know-how to wade into the field.
The problem came when they thought playing in the kiddie pool was sufficient training to captain a ship.
Image: Gödel’s incompleteness theorem (1931) as presented in the NIST paper.
Key Point [2]: For Any Guardrail, There Exists A Prompt Which Can Break It
One of the biggest bombshells of the paper is in the proof that for any guardrail, there’s a way to break it–which means that no set of guardrails can ever fully cover an AI system, no matter how comprehensive they seem.
This is seismic in its importance–because nearly every AI security provider in existence operates under the premise that guardrailing AI is possible.
I’m talking “AI red teams”, and AI security vendors alike. All are selling a fantasy: That defending AI guardrails is somehow, magically, mathematically possible.
As the NIST paper demonstrates, from the defensive angle, rigorously and finally: It’s not.
If this sounds familiar, it should.
This is exactly the premise I presented last year, working from the offensive angle: In an infinite attack space, attackers will never, ever run out of ways to violate guardrails–no matter how specific or numerous they become.
And I would be delighted to train you, your team, or your entire organization on exactly what to do about it.
Stay frosty.
I am available for speaking, training, & technical consulting through Shostack + Associates.
The Threat Model
All AI attacks are math, and always will be–so the principles of AI security laid out in the NIST paper & in my papers will always hold, for any AI system.
It’s now been mathematically proven that for any guardrail, there exists an attack that can violate it–just like I showed from the offensive angle last year.
Threat modeling for AI requires an AI-native, use case-first approach–and you can’t monitor, red team, or even secure AI without one.
Resources To Go Deeper
Vassilev, Apostol. “Robust AI Security and Alignment: A Sisyphean Endeavor?” IEEE Security & Privacy 24 (2025): 52-58.
Cox, Susanna. “Securing AIML Systems in the Age of Information Warfare”. Critical Alliance, April 2022. https://doi.org/10.5281/zenodo.13905972.
Cox, Disesdi Susanna and Niklas Bunzel. “Quantifying the Risk of Transferred Black Box Attacks.” ArXiv abs/2511.05102 (2025): n. pag.
Executive Analysis, Research, & Talking Points
Why Continuous Monitoring Is An Engineering Leap Forward
While it’s highly unusual–to say the least–for a mathematical proof to follow the engineering work it supports, there’s a very good reason why that happened here:




