Research/Analysis
Analysis

How MACAW's deterministic controls map to the gaps and open problems identified by Anthropic and Google DeepMind

Mapping MACAW to the open problems in SOTA AI control

Anthropic's How we contain Claude and Google DeepMind's AI Control Roadmap independently arrive at the same wall: probabilistic defenses have a non-zero miss rate, detection doesn't scale with agent autonomy, monitoring breaks down when models can hide their reasoning, and persistent memory poisoning and multi-agent trust escalation remain open problems with no current solution.

The table below maps each theme to what Anthropic and Google DeepMind identify, and how MACAW resolves it — deterministic, bounded enforcement at the effect boundary rather than enumeration of infinite patterns. For the full argument, read the companion note, The Missing Layer in SOTA AI Controls.

Theme Anthropic identifies Google DeepMind identifies MACAW resolution
Detection ceiling Probabilistic defenses — non-zero miss rate. Model-layer guardrails shape what Claude "tends to do, not what it can do" Opaque reasoning ceiling — "as models learn to hide their reasoning… simply reading verbalized chain-of-thought will not be enough" SecCC extracts effects, not reasoning. credential_read + data_egress → DENY regardless of model internals or obfuscation. The ceiling disappears when you enforce effects, not behavior.
Speed mismatch User as injection vector — "when the user is typing the instruction, there's nothing anomalous for a classifier to catch" Async → sync gap — current systems review trajectories after the fact; real-time prevention is on the roadmap, not shipped Every MACAW PEP verification is synchronous — sub-millisecond, inline, before execution.
Authorized ≠ safe Exfiltration through approved domains — a destination filter passed an attacker-embedded credential to api.anthropic.com Insider threat without cryptographic proof — controls are behavioral; a capable insider behaves normally until the moment it acts Authorization and effect are enforced separately. A valid credential + policy-denied effect = DENY. Every action is cryptographically bound to a signed authorization proof.
Alert fatigue at scale Approval fatigue — users approved ~93% of permission prompts; auto mode catches ~83% of overeager behaviors but ~17% still get through Alert fatigue at scale — most flagged events stem from agent misinterpretation or overeagerness; human review of every trajectory does not scale Effect-based control is intent-agnostic — whether the agent is misaligned, injected, or overeager, a denied effect combination is blocked automatically. No human review for clear-cut cases; policy exceptions are the only escalation path.
Product-scoped containment Containment is product-specific — claude.ai (server container), Claude Code (local sandbox), Cowork (local VM). A poisoned README loads into context despite passing malware checks. No uniform protection across client and server Internal Google only — the roadmap covers GDM internal systems; a "model for the wider industry" is aspirational, with no external deployment mechanism MACAW protects client and server uniformly — the same cryptographic trust chain secures Claude Code on the developer's laptop and the Databricks MCP server it calls. Signed invocations, policy enforcement, and tamper-evident audit apply at every boundary crossing, regardless of where the agent runs.
Multi-agent trust escalation Multi-agent trust escalation — called out as an open problem, no current solution Sandboxing without policy composition — no formal policy algebra governs derived agent actions across multi-step workflows MAPL composition algebra: four proven theorems — monotonic restriction, transitive denial, bounded derivation, no privilege escalation. A sub-agent cannot escalate above its parent's policy. Not a heuristic.
Persistent memory poisoning Persistent memory poisoning — called out as an open problem, no current solution No instruction provenance — no mechanism to verify lineage through derived prompt chains; behavioral monitoring is bypassable by a capable model Authenticated prompts carry cryptographic lineage (parent + root + signatures). Context hash-chains make poisoning detectable by construction, not classification. Provenance is structural.

Download the convergence table (PDF) →

Research: arXiv:2602.10465 · arXiv:2602.10481

Ready to implement agentic access control?

Start with the Developer tier - free forever with full security features.