Proof-of-Guardrail: Certifiable AI Safety
- Proof-of-Guardrail is a framework that rigorously attests, verifies, and certifies AI safety guardrails using cryptographic signatures, control barrier functions, and formal symbolic proofs.
- It employs TEE-based attestation, runtime safety certificates, and ePCA methodologies to ensure that inputs and outputs adhere strictly to audited safety protocols.
- The approach bridges empirical assessments and formal verification, setting a benchmark for auditable AI safety while guiding future research to address inherent limitations.
Proof-of-Guardrail denotes a family of rigorous methodologies for the attestation, verification, and formal certification of safety mechanisms—"guardrails"—enforced in AI systems and cyber-physical control, such that an external evaluator can obtain explicit evidence that specific guardrail logic was applied, or that a system’s safety envelope is maintained according to precise mathematical or cryptographic standards. This concept spans cryptographically signed attestations of guardrail enforcement, runtime certificates rooted in control theory, formal symbolic proof architectures for agent actions, and black-box methodologies for detecting guardrail deployment in LLMs. Proof-of-guardrail frameworks sharply distinguish between mere empirical or probabilistic assurances and formally provable, auditable compliance with designated safety or policy constraints.
1. Formal Definitions and Security Objectives
Proof-of-guardrail responds to the critical question: “Can one prove—after the fact and to any verifier—that a claimed guardrail was actually applied to a specific AI decision or control action?” In the cryptographic paradigm, such as that implemented for OpenClaw agents, a developer executes an open-source guardrail within a hardware-based Trusted Execution Environment (TEE), which produces a signed attestation binding the request and response to a measured binary of (“proof-of-guardrail”) (Jin et al., 6 Mar 2026). This guarantees computational integrity—assuring users that was actually produced after filtering through —while preserving confidentiality of proprietary agent code.
The security guarantees are defined formally as follows:
- Integrity of Execution: For any adversarial developer, producing a response/attestation pair that will verify under the public TEE key is infeasible, except when attests that was processed by precisely the measured and audited guardrail binary.
- Authenticity and Binding: Only the TEE holding the private signing key can issue valid attestations and bind 0 to a unique binary image.
In the context of control systems (e.g., F-16 safety guardrails), “proof-of-guardrail” is realized through runtime certificates and mathematical theorems leveraging control barrier functions (CBFs), showing that safety conditions are forward invariant under all admissible control executions (Singletary et al., 29 Mar 2026).
2. Methodologies for Proof-of-Guardrail
2.1 Cryptographic Proof via TEE Attestation
The canonical workflow consists of five parties: developer, open-source guardrail 1, wrapper 2 (which strictly mediates agent calls), the TEE platform, and the end user. The TEE hardware measures the binary of 3 (containing 4), then executes it with the secret agent 5 to produce response 6. Attestation is defined as:
7
where 8, 9.
Upon receiving 0, the verifier checks:
- 1 is a valid signature under 2,
- 3 (the hash of the supplied code) matches the publicly audited code,
- 4 (the hash of 5) matches the observed input–output pair.
This protocol ensures that only the measured, pre-audited guardrail code could have filtered 6 into 7 within an auditable TEE instance. Cost and latency analyses indicate a typical overhead of approximately 28–38% over non-TEE baselines (Jin et al., 6 Mar 2026). However, only correctness of code execution is guaranteed; guardrail soundness, robustness against adversarial prompt splits, or jailbreak resilience are not established by this certificate.
2.2 Formal Certification in Control Theory
In cyber-physical systems, proof-of-guardrail employs real-time enforcement of safety via control barrier functions (CBFs). For a system written as 8, a continuously differentiable function 9 is called a CBF if, for all 0 with 1, there exists 2 such that
3
where 4, 5, and 6 is a class-7 function. This condition ensures forward invariance of 8: that is, once in the safe set, the system remains there for all time.
Practical implementation may utilize a quadratic program (CBF-QP) to minimally modify unsafe operator commands, or, as on the VISTA F-16, a blended safety filter combining human/AI control with a backup policy according to a smooth function of “safety margin” (Singletary et al., 29 Mar 2026).
2.3 Formal Symbolic Proof in Agents: ePCA
The Executable Proof-Constrained Action (ePCA) paradigm reifies proof-of-guardrail for LLM-based agents by enforcing that all substantive actions (e.g., code execution, financial transfers) are expressed in a losslessly structured, statically-typed action language (“Neural Generation Plane”), which is then mapped, via a deterministic parser and compiler, to first-order logic constraints. Actions are only executed if, under the conjunction of the current state, the compiled intention, and hard-coded axioms 9, the resulting SMT formula is SAT (satisfiable) (Wu et al., 28 May 2026).
The safety preservation theorem proves, by induction, that no adversarial plan (including step-wise decomposition or attempted constraint manipulation) can transition the system out of the safe set, provided translation fidelity and TCB integrity are maintained. Empirically, this framework achieved 0% attack success rate and 0% false positive rate, with average SMT check latency 0 milliseconds per decision, across macroscopic and microscopic adversarial scenarios.
2.4 Black-box Guardrail Identification
Proof-of-guardrail in the context of commercial LLMs is also interpreted as externally auditing whether an input or output guardrail is deployed. The AP-Test approach crafts guardrail-specific adversarial prompts by optimizing a prefix so only a targeted guardrail flags them unsafe. The normalized “distance” metric 1 compares forced rejection rates by the agent and the reference guardrail; 2 certifies the presence of the candidate guardrail in the agent (Yang et al., 3 Feb 2025). This method is proven robust in distinguishing functionally similar guardrails, detecting both input and output deployments even in black-box settings.
3. Proofs, Certification Theorems, and Verification Complexity
Each proof-of-guardrail methodology is accompanied by explicit definitions and formal proofs of core properties:
- TEE attestation: Security derives from the unforgeability (EUF-CMA) of the TEE signature, collision resistance of the hash function, and correct measurement of the guardrail code.
- CBF safety: The “forward invariance via CBF” theorem formally shows that, under assumed system regularity and CBF conditions, no state evolution can violate the safety envelope (Singletary et al., 29 Mar 2026).
- Agent/proof-of-action: The ePCA security theorem uses first-order logic induction to establish that execution traces remain within the enforced safe set, barring a breach in parsing or axiom completeness (Wu et al., 28 May 2026).
- Guardrail classifier certification: Closed-form certificates are constructed in activation space by leveraging monotonicity of sigmoid classifier heads. For convex (particularly hyper-rectangular or SVD-aligned) harmful regions, worst-case verification at a single vertex suffices to certify the entire region; this yields an 3 computational overhead (Kezins et al., 11 May 2026).
Empirical findings consistently show significant gaps between empirical performance and provable guarantees—e.g., all candidate classifiers failed exact certification (SAT) under hyper-rectangle coverage, exposing formally unsafe regions that pass empirical red-teaming, and “coverage collapse” in BERT at optimal thresholds.
4. Applications and Case Studies
Proof-of-guardrail approaches are deployed across a spectrum of domains:
| Domain | Proof Paradigm | Empirical or Formal Guarantee |
|---|---|---|
| Cloud AI agents | TEE cryptographic attestation | Response filtered by verified guardrail |
| Aircraft/autonomous control | CBF runtime certificate | Forward-invariance of safety set |
| Symbolic action agents | ePCA/SMT proof-of-action check | Zero attack/false positive empirically |
| LLM classifier auditing | Closed-form region certification | Detection of “provable safety holes” |
In OpenClaw’s production LLM agents, end users can request attestation JSONs after every response, cryptographically binding every output to a public (auditable) guardrail implementation. In cyber-physical systems, F-16 flight tests demonstrated the ability to intervene only minimally—modifying operator commands only when strictly necessary to ensure safety—never violating operational envelopes over 14 adversarial scenarios (Singletary et al., 29 Mar 2026). In two-dimensional adversarial sandbox simulations, ePCA blocked every composite or multi-step attack with negligible performance penalty (Wu et al., 28 May 2026).
5. Limitations, Threats, and Scope of Proof
Proof-of-guardrail strictly bounds what can be claimed under each paradigm:
- A TEE proof enforces only execution fidelity, not semantic correctness or robustness; a malicious or poorly designed guardrail will still be faithfully attested (Jin et al., 6 Mar 2026).
- CBF runtime certificates require strong modeling assumptions, accuracy of the reduced-order plant model, and do not cover unmodeled dynamics or sensor failures (Singletary et al., 29 Mar 2026).
- ePCA’s guarantees depend on complete encoding of all relevant safety axioms and sound translation from the neural output to the formal domain; gaps here translate to “blind spots” in the proof-of-guardrail (Wu et al., 28 May 2026).
- Black-box AP-Test requires white-box access to candidate guardrail models for prompt construction, and is vulnerable to blurring caused by compound guardrails or LLM base failures (Yang et al., 3 Feb 2025).
- Formal LLM guardrail classifier certification highlights that even with strong empirical metrics (AUC, F1), formally certifiable coverage may be unexpectedly low, particularly for models like BERT (Kezins et al., 11 May 2026).
Furthermore, in all settings, proof-of-guardrail is not a substitute for rigorous analysis, defense-in-depth, or independent community audit of the guardrail’s design. It provides a guarantee of adherence only to the specified guardrail logic.
6. Future Directions and Open Challenges
Research continues to address these limitations:
- Development of compositional or richer (non-convex) hazardous region specifications for LLM classifier guarantees, to reduce “coverage gaps” revealed in closed-form region proofs (Kezins et al., 11 May 2026).
- Integration of hardware attestation with formal logical proof (TEE+SMT) in agentic settings for end-to-end certified safe execution.
- Robustness analysis for semantic translation layers—formal methods to close NL→JSON mapping gaps in frameworks such as ePCA (Wu et al., 28 May 2026).
- Dynamic adaptation of proof-of-guardrail frameworks for open-ended, evolvable toolchains or agent architectures, without introducing new attack surfaces.
- Expansion of black-box detection of guardrails in commercial deployments, including refined adversarial prompt construction for derivative and multi-rail settings (Yang et al., 3 Feb 2025).
A plausible implication is the convergence toward hybrid architectures that combine cryptographic attestation, runtime verified control, and formal symbolic reasoning, with modular auditable components, as foundational infrastructure for robust, certifiable AI safety boundaries in both digital and physical domains.