The Direction No One Faces
A new RAND–Oxford framework maps how two governments could secure frontier AI. Every control in it points inward, toward the asset. The direction that faces outward — what a deployed system does on someone else’s surface — has no one standing in it.
A report published this month by RAND and the Oxford Programme for Cyber and Technology Policy lays out how the United States and the United Kingdom could secure frontier AI together. It is a serious document — the work of people who have spent careers protecting things that matter, written for the two governments that hold most of the world’s frontier AI between them. It proposes a clean framework: five clusters of security control, seven priority actions, all mapped to real threat vectors. Anyone who reads it carefully comes away with a sharper picture of what it takes to defend a frontier lab.
I read it from a different position than the one it was written from. The framework looks outward from the lab — at everything that could reach in and compromise the model. I have spent this work looking the other way: at what a model does once it is out, operating on a surface that belongs to someone else. From that side, one thing the report does not yet name comes into focus.
Everything the framework watches, it watches from inside
The five clusters protect the asset. Access and interfaces govern who can touch the weights. Development and supply chain secure the environment the model is built in. Personnel security addresses the people with privileged access. Physical security protects the buildings and the hardware. And the fifth cluster — monitoring, detection, and incident response — is exactly what it sounds like: continuous watching for the moment something tries to breach the system.
That fifth cluster is the one worth pausing on, because at a glance it looks like the exception. It is not. Its subject is the attacker reaching toward the lab — the intrusion, the exfiltration attempt, the anomaly inside the perimeter. It watches the asset’s own integrity. It is the castle’s guards turned attentively inward, scanning their own walls for breaches.
There is an old question that security frameworks have asked for two thousand years: who watches the watchers? This framework answers it in one direction. The labs watch themselves, and two governments help them watch better. That is real, and it is valuable. But it leaves the other direction open.
The direction is outward, after deployment
A frontier model is not built to sit in a vault. It is built to be deployed — to act, increasingly on its own, on surfaces that do not belong to the lab that made it. It fills out forms. It places orders. It reads pages and follows links. It arrives at someone else’s door and does something.
When it does, the question is no longer “is our asset secure?” It is “what did the deployed system actually do, here, on this surface, to the party that received it?” And there is no cluster for that. The framework, by design, does not face that way. It cannot — every instrument it describes points back toward the lab.
The report itself half-opens the door. Its conclusion notes that the threat landscape is being accelerated by agentic AI. But the agent appears there only as a weapon pointed at the infrastructure — never as a deployed system whose own conduct, observed by whoever is on the receiving end, might be worth a record. The symmetry is right there in the text, drawn on one side only.
Why this is not a sixth cluster
The reflex is to say: then add it. Make “deployed behavior” the sixth cluster and move on.
It cannot work that way, and the reason is structural rather than organizational. Every control in the framework is something the lab does to and for itself — it secures its own weights, vets its own people, monitors its own perimeter. A record of how a deployed system behaved on someone else’s surface cannot be one more thing the lab does to itself, because the party that produces the record cannot be the same party whose system is being recorded. The moment it is, you no longer have evidence. You have an account — the deployer’s own description of what its own system did. That is not a flaw in anyone’s integrity. It is what self-observation is. It attests; it does not evidence.
So the missing direction is not a gap inside the framework. It would be a layer beneath it — independent, sitting with the party that received the behavior, recording the fact of what happened rather than the intent behind it. The framework secures the thing that acts. The open direction is the record of what it did once it was out there, kept by someone with no stake in how the answer reads.
A note on what this is and isn’t
This is an interim report; its authors say plainly that the technical detail comes later and that they want the field to weigh in. So this is offered in that spirit — from a vantage the framework does not occupy.
The point is not that the castle is poorly defended. It is well defended, by people who know that work better than I ever will. The point is narrower and harder to design around: a system cannot be the sole authoritative witness of its own behavior. As autonomous systems move from static inference into persistent action across infrastructure they do not own, that limit stops being philosophical and becomes operational. The framework secures the thing that acts. What it does once it is out there — on someone else’s surface, in production, in real time — is a record that, by construction, only an independent party on the receiving end can keep.
That direction faces outward. For now, no one is standing in it.
This research note discusses publicly available work: Brianna Rosen, Kyle A. Kilian, Cortney Malone, Jamie Etheridge, and Lea Saade, “Advancing U.S.–UK Cooperation to Secure Frontier Artificial Intelligence”, RAND & Oxford Programme for Cyber and Technology Policy, interim report RR-A4764-1, June 2026. The interpretation and the framing of receiver-side evidence are the Observatory’s own and should not be attributed to RAND, Oxford, or the report’s authors.
BotConduct — independent behavioral observatory. Evidence, not enforcement.
