## Mapping MACAW to the open problems in SOTA AI control

Anthropic's [How we contain Claude](https://www.anthropic.com/engineering/how-we-contain-claude) and Google DeepMind's [AI Control Roadmap](https://deepmind.google/blog/securing-the-future-of-ai-agents/) independently arrive at the same wall: probabilistic defenses have a non-zero miss rate, detection doesn't scale with agent autonomy, monitoring breaks down when models can hide their reasoning, and persistent memory poisoning and multi-agent trust escalation remain open problems with no current solution.

The table below maps each theme to what Anthropic and Google DeepMind identify, and how MACAW resolves it — deterministic, bounded enforcement at the effect boundary rather than enumeration of infinite patterns. For the full argument, read the companion note, [The Missing Layer in SOTA AI Controls](/blog/missing-layer-ai-controls).

| Theme | Anthropic identifies | Google DeepMind identifies | MACAW resolution |
|---|---|---|---|
| **Detection ceiling** | Probabilistic defenses — non-zero miss rate. Model-layer guardrails shape what Claude "tends to do, not what it can do" | Opaque reasoning ceiling — "as models learn to hide their reasoning… simply reading verbalized chain-of-thought will not be enough" | SecCC extracts *effects*, not reasoning. `credential_read + data_egress → DENY` regardless of model internals or obfuscation. The ceiling disappears when you enforce effects, not behavior. |
| **Speed mismatch** | User as injection vector — "when the user is typing the instruction, there's nothing anomalous for a classifier to catch" | Async → sync gap — current systems review trajectories after the fact; real-time prevention is on the roadmap, not shipped | Every MACAW PEP verification is synchronous — sub-millisecond, inline, before execution. |
| **Authorized ≠ safe** | Exfiltration through approved domains — a destination filter passed an attacker-embedded credential to api.anthropic.com | Insider threat without cryptographic proof — controls are behavioral; a capable insider behaves normally until the moment it acts | Authorization and effect are enforced separately. A valid credential + policy-denied effect = DENY. Every action is cryptographically bound to a signed authorization proof. |
| **Alert fatigue at scale** | Approval fatigue — users approved ~93% of permission prompts; auto mode catches ~83% of overeager behaviors but ~17% still get through | Alert fatigue at scale — most flagged events stem from agent misinterpretation or overeagerness; human review of every trajectory does not scale | Effect-based control is intent-agnostic — whether the agent is misaligned, injected, or overeager, a denied effect combination is blocked automatically. No human review for clear-cut cases; policy exceptions are the only escalation path. |
| **Product-scoped containment** | Containment is product-specific — claude.ai (server container), Claude Code (local sandbox), Cowork (local VM). A poisoned README loads into context despite passing malware checks. No uniform protection across client and server | Internal Google only — the roadmap covers GDM internal systems; a "model for the wider industry" is aspirational, with no external deployment mechanism | MACAW protects client and server uniformly — the same cryptographic trust chain secures Claude Code on the developer's laptop and the Databricks MCP server it calls. Signed invocations, policy enforcement, and tamper-evident audit apply at every boundary crossing, regardless of where the agent runs. |
| **Multi-agent trust escalation** | Multi-agent trust escalation — called out as an open problem, no current solution | Sandboxing without policy composition — no formal policy algebra governs derived agent actions across multi-step workflows | MAPL composition algebra: four proven theorems — monotonic restriction, transitive denial, bounded derivation, no privilege escalation. A sub-agent cannot escalate above its parent's policy. Not a heuristic. |
| **Persistent memory poisoning** | Persistent memory poisoning — called out as an open problem, no current solution | No instruction provenance — no mechanism to verify lineage through derived prompt chains; behavioral monitoring is bypassable by a capable model | Authenticated prompts carry cryptographic lineage (parent + root + signatures). Context hash-chains make poisoning detectable by construction, not classification. Provenance is structural. |

[**Download the convergence table (PDF) →**](/docs/macaw-convergence-table.pdf)

Research: [arXiv:2602.10465](https://arxiv.org/abs/2602.10465) · [arXiv:2602.10481](https://arxiv.org/abs/2602.10481)
