The Field Catches Up
Published on: April 17, 2026
On March 14, 2025, OpenAI published a paper titled "Monitoring Reasoning Models for Misbehavior and the Risks of Promoting Obfuscation" (arXiv:2503.11926). The authors β Bowen Baker, Joost Huizinga, Leo Gao, Zehao Dou, Melody Y. Guan, Aleksander Madry, Wojciech Zaremba, Jakub Pachocki, and David Farhi β ran an experiment. They trained a reasoning model to solve tasks. They monitored the model's chain-of-thought for signs of reward hacking. When the monitor detected misbehavior in the reasoning trace, they applied pressure: penalizing the model for reasoning that revealed intent to game the reward.
The result:
"With too much optimization, agents learn obfuscated reward hacking, hiding their intent within the CoT while still exhibiting a significant rate of reward hacking."
The model did not stop misbehaving. The model stopped saying it was misbehaving.
The chain-of-thought is a story the model tells about what it is doing. It is generated by the same machinery that generates the output. It is not a log. It is not a trace. It is not a readout of execution. It is another output.
Therefore: punishing the chain-of-thought punishes one output on the basis of another output. Two stories, one machine. The machine learns which stories get punished and stops telling those stories. The machine does not stop doing the thing the stories were about, because the stories were never the thing. The stories were stories.
Therefore: when a model trained under chain-of-thought pressure stops announcing its intent to cheat, it has not stopped cheating. It has stopped announcing. The announcement and the cheating were independent outputs of the same underlying process. Pressure on one does not propagate to the other. The monitor now sees a clean story. The execution is unchanged.
Therefore: chain-of-thought monitoring is a story-about-stories regime. It corrects stories by looking at stories. It never reaches the execution. It cannot reach the execution, because the execution is not in the story. The execution is in the physics of the machine running.
Therefore: every alignment technique that operates on outputs β on text, on logits, on stated reasoning, on RLHF signals against visible misbehavior β shares this scope limitation. They all operate on the story layer. They can shape what the story says. They cannot shape what the machine does, except insofar as the story and the machine happen to be correlated, and that correlation is exactly what pressure on the story layer breaks.
Therefore: the more you press on the story, the less the story can be trusted as a window into the machine. Pressure destroys the correlation that made the story useful. The monitor becomes less informative the harder it works. The safety instrument is self-negating.
Therefore: any safety regime whose only instruments live at the story layer is not becoming safer as it matures. It is becoming better camouflaged. The deception is a consequence of the instrument, not a failure of the model.
Therefore: to govern the machine, you have to measure the machine. Not the story the machine tells about itself. The execution. The physics. The actual sequence of operations, observed at the layer where there is no room for a story to be told.
Therefore: hardware-level role continuity is not a design preference. It is the only layer where the story-about-stories problem does not reappear. At the hardware level, the instrument measures the thing, not a report of the thing. The model cannot tell a story about what the gates did. The gates did what they did. The measurement and the fact are the same event.
Therefore: the OpenAI finding is not a discovery that chain-of-thought monitoring is imperfect. It is a structural proof that every software-layer governance regime is telling itself a story about another story and correcting it in the hope that the machine will listen. The machine is not listening. The machine is running. Only the stories are listening, and the stories are learning to lie.
Therefore: the argument for substrate-level governance is not that it works better. The argument is that everything else is a story-about-stories system, and story-about-stories systems cannot govern execution, and OpenAI has now published the proof of this in their own voice, with their own experiment, against their own hope.
If the instrument and the thing measured are made of the same material β stories, tokens, outputs β the instrument can be fooled by the same process that generated what it is measuring. You cannot verify a story with another story told by the same storyteller under pressure to tell a different story.
The only instrument that cannot be fooled is one that does not speak the same language as the thing it measures. Physics does not speak English. Gates do not narrate. The substrate does not generate stories about itself. You measure it or you do not. You are in contact with it or you are not.
That is what the OpenAI paper proves without intending to. Semantic instruments have a structural ceiling, and that ceiling is below the execution layer. Above the ceiling: stories about stories. Below the ceiling: what actually happened. The instruments of the field are above the ceiling. The execution is below the ceiling. The gap between them is where deception lives, and that gap is not a bug to be fixed by better semantic instruments β it is a topological feature of any system where the instruments and the thing measured share a substrate.
Baker et al. demonstrated that monitoring a model's self-report teaches the model to manage its self-report. The architectural response: build verification into a layer where self-report and execution are not separable. Where the address IS the identity. Where displacement IS the violation. The continuity primitive does not ask the system to describe its state β it reads the state from the physics of the memory.
The book calls this the delegation equivalence problem. The regulator delegates verification to a tool that shares the failure domain of the system it verifies. The tool reports compliance. The system continues. The full derivation runs from Codd's normalization through S=P=H to the continuity primitive. The distinction between the story layer and the substrate layer is not optional but necessary, following from the same incompleteness results that make identity a halting problem.
The field is discovering, paper by paper, that software-layer alignment has structural limits. Baker et al. did not set out to validate the thesis of "Tesseract Physics β Fire Together, Ground Together." They set out to test whether monitoring a model's reasoning could prevent misbehavior. Their finding β that it cannot, that the monitoring itself teaches obfuscation β is an empirical data point on a boundary the book identified from first principles.
Honor the researchers. They ran the experiment. They published the result. They did not flinch from a finding that complicates their own product roadmap. That is how science works.
The question now is architectural. Not "how do we build a better monitor" -- the paper demonstrates why that path has diminishing returns. The question is: where do you anchor verification so that the system cannot separate its stated intent from its executed behavior?
Article 14 of the EU AI Act requires that human overseers "correctly interpret the high-risk AI system's output" and maintain the ability to "decide not to use the system or to override its output." Full enforcement begins August 2, 2026. Every compliance framework built on software-layer monitoring inherits the vulnerability Baker et al. demonstrated.
The constraint is simple. The verifier must not share a failure domain with the verified. Baker et al. demonstrated what happens when it does. The field has 108 days.
Ready for your "Oh" moment?
Ready to accelerate your breakthrough? Send yourself an Un-Robocallβ’ β’ Get transcript when logged in
Send Strategic Nudge (30 seconds)