Published on: June 16, 2026
Ready to accelerate your breakthrough? Send yourself an Un-Robocall™ • Get transcript when logged in
Send Strategic Nudge (30 seconds)Green in-lane · amber a little out · red drift. Every panel is a real commit, byte-identical on recompute. Tap any panel to open it on GitHub.
I walked past this billboard at 23rd Street. "Agents don't work without evals." It is the entire industry's thesis in five words: enumerate what can go wrong, score it, fix it. And it is true — for the failures you can write down. This is a follow-up to the instrument that refused to flatter itself, and it is about the failures you cannot write down — the class of hazard that evals are blind to not by accident but by construction, and why that class is exactly the one that carries the real liability.
The cleanest example is not even from AI. It is a prion.
A prion is a protein with a perfectly normal sequence, folded into a pathological shape that converts its neighbors to the same fold. No rulebook catches it, because at the level of the symbols it is a safe protein — the danger is in the shape, not the letters. Every eval suite is an enumeration: a finite list of cases someone thought to write down. A shape-hazard lives in an infinite space of novel configurations no list can cover. You do not beat that with a bigger test suite. You beat it with an instrument that reads the shape — and that is a different machine entirely.
Hold the prion in your head, because it does the whole argument for you. Its amino-acid sequence is identical to a safe protein — same letters, same alphabet. What makes it lethal is the fold: a helix flipped to a sheet, plus a propagation dynamic that templates the misfold onto every neighbor it touches. Now ask what a rulebook could do. A rule operates on the sequence — and the sequence is safe. There is no string to blacklist, no symbol to flag, because the hazard does not live in the symbols at all. It lives in the configuration, one level below where any list can reach. For you, this is the unlock you need before any of the AI part lands: a catastrophic hazard can be invisible to every symbol-level check and still be sitting right in front of you. The prion is not a metaphor I am stretching. It is the existence proof that the thing evals cannot see is a real, physical, deadly category.
Here is the structural problem the billboard cannot solve, no matter how many evals you buy. An eval suite is a finite list — cases someone imagined, wrote down, and scored. That is genuinely useful for the failures you can anticipate, and the billboard is right that agents are unsafe without it. But the hazards that actually carry liability live in an infinite, novel space: every misfolded configuration, every dangerous arrangement no one enumerated because no one thought of it. You cannot test your way to coverage of an infinite space with a finite list — the next dangerous case is, by definition, the one not on it. What this means for you, if you carry the exposure: your eval suite catches the failures you already feared, and is silent on the one that gets you, because the one that gets you was never a row in the spreadsheet. Enumeration does not have a coverage gap. Enumeration is the coverage gap, drawn around everything you did not list.
So how do you cover an infinite hazard space? The same way a doctor covers "prion" without a list of every misfold: you describe the shape, and you detect anything that falls into it. Our instrument does not enumerate dangerous instances — it projects work onto a lattice where position encodes meaning, so a forbidden region is a describable coordinate, not a list. The infinite set of dangerous configurations collapses to one finite shape, and any instance that fires there lights it — including ones it never saw. And because the substrate runs a walk that propagates along the lattice, it can read the spread, not just the snapshot — the prion's defining move. For you, that is the only escape from the enumeration trap: you stop trying to list the infinite and start detecting the shape, which is finite even when its instances are not. This is what a positional substrate buys you that a symbol-checker cannot — it reads the fold, not the sequence.
And here is the part that makes the not-seeing feel less like a failing of yours. That fold does not live in two dimensions, or three — it lives in as many as there are independent ways to be the thing, which is almost always more than an eye can hold. The book this work comes from is named for exactly that object: a tesseract — a cube in four dimensions you have never seen and never will, only its rotating three-dimensional shadow. As Tesseract Physics puts it: "when this book says a hazard has a shape… and you nod — and still do not see it — that blank is not stupidity. It is the same blank a topologist feels reaching for the tesseract with bare imagination… You were never going to see it by looking harder." That is the whole reason a list cannot stand in for the instrument: a list is one-dimensional, and you cannot tile a high-dimensional volume with a line of cases, however long. So the instrument is a prosthesis — it grips the shape where it actually lives and projects it down to the one question a three-dimensional reader can act on: did the work stay inside its region, or leave it?
If you run agents in production and your eval dashboard is green and you still do not sleep well, that instinct is not anxiety — it is accurate. A green board means every failure you enumerated passed. It says nothing about the failure you did not think to write down, and you know, somewhere, that the dangerous one is usually the one you did not think of. We share that unease; it is why we stopped trying to build a longer list and started building a different kind of sensor. You are not being paranoid about evals. You are correctly noticing that a list is the wrong shape of answer to an unlisted threat.
Here is a tool you can use on any hazard, today, to know which kind it is — and it is what lets us draw an honest fence around what we do and do not solve. Take the danger and re-encode it in different symbols. If the hazard survives the re-encoding, it is a shape, not a string. Then perturb the configuration. If the hazard collapses, the shape is what carried it. Survives-re-encoding AND collapses-under-perturbation gives you a clean three-way split of every problem you face: a shape-hazard a positional detector can address (the prion, the misaligned agent, structural risk in a contract); a symbol-hazard an eval or a regex already handles (a banned literal); and a shapeless one that nothing catches. What this gives you is the thing the industry is missing — a way to say, honestly, this kind we can see, this kind is your existing tooling's job, this kind no one can promise. A vendor who can draw that line is worth more than one who claims the whole board.
We did the thing a benchmark never does: we wrote the hypothesis down first, hash-sealed it so we could not move the goalposts after seeing the result, and only then ran the rig. The design is three arms — the instrument at rest, the instrument under a graded corruption that displaces meaning step by step (the prion move, now a dial instead of a switch), and a dead-reef null where the same words sit at scrambled coordinates so we can subtract the noise floor from every number. The unit is the distinct semantic item, not a re-run of a deterministic computation — so the statistics are honest.
The result, across distinct items and every figure null-subtracted, came with a story attached — and the story is the whole thesis in miniature. An earlier run gripped through the secondary witness — a lexical-overlap hash — and we caught it and re-gripped the sealed study on the primary compression sensor (gzip-NCD) the thesis actually leads with. On the real sensor the result is stronger, not weaker. The instrument emits a bounded confidence bucket with a knowable strike — the folding-point, the fraction of an item's shape you can corrupt before it stops gripping and abstains — and it sits at 88%, with a 99.9% confidence interval barely a point wide. Compression survives partial corruption the way it survives a variable rename, so the competence holds until the payload is almost entirely destroyed. Against the dead-reef null the live signal stands 4.5 sigma clear, at a p-value that underflows past 10⁻³⁰⁰ — signal, not chance. It is bit-for-bit deterministic (zero model risk in the instrument), decays in order on 97% of items, and never once minted a confident verdict below its own grip threshold — zero false-payout events. And the property a market actually needs: under five-fold cross-validation, the percentile it sells matches the rate it delivers to within 7 points — it is calibrated, which is the exact threshold a percentile-option must cross to be fair. One honest bound remains: this is measured inside the fence, on items the instrument's own admission test certifies it can read; the cross-domain, out-of-sample run is the next step. But on the canonical sensor, in-fence, every pre-committed gate held — and the strike is now a real, calibrated price.
The hard gate is the honest one: the study is built so it fails outright if the instrument ever mints a confident verdict on something it cannot grip, no matter how good every other number looks. You cannot win it by being confident — only by being honestly bounded. That single property — it abstains before it lies — is the one that turns a sensor into something a carrier can price.
We will not let this become the thing we are warning against. The numbers above were measured inside the fence — on the items the instrument's own admission test certifies it can read. What is still open is generalization to genuinely novel domains it has never touched: does a described forbidden shape fire for an instance from a different world entirely? We have done the disciplined thing rather than the convenient one. We sealed the pre-registration first; the held-out set itself is being generated by a blind oracle that never sees the instrument's scores — grader is not producer — across three deliberately orthogonal domains: financial covenants (the native dialect of the people who price risk), legal conditionals (pure action-versus-condition geometry), and clinical-dosing logic as the prion-class near-miss, where a swapped patient or drug is a literal misfold. The engine refuses to run unless the held-out's cryptographic hash matches the sealed pre-registration — so the clock cannot be started dishonestly, even by us. We are telling you what is proven and what is pending in the same breath, because that is the only posture that earns the word instrument.
Here is what is solid enough to lean on. The instrument is the right kind of thing for this threat — a shape-reader, not a list — and it behaves like a calibrated one: silent when nothing moves, responsive when the configuration does, and explicit about which tiles it cannot yet grip. It does not pretend to cover what it does not. That last property is the one an eval can never give you, because a list does not know what is missing from it, while a shape-detector can tell you exactly where its map runs thin. For you, carrying real exposure: the value is not that it catches everything. It is that it reads the category evals are blind to, and it tells you honestly where its own coverage ends — which is the only basis on which anyone responsible could act on it.
Now the part that changes what you get to do with all of this. Step back to the macroeconomics. The whole industry is fighting over the resource — GPUs, FLOPs, tokens — and that is a commodity race to the bottom. But in every market that has ever existed, the derivatives written on top of a resource dwarf the resource itself: global output is roughly $100 trillion; the derivatives on it are estimated past a quadrillion. Capital does not just want the resource. It wants to hedge the risk of the resource over time. There is no such market for autonomous execution yet, for one reason: nobody can price the underlying. You cannot write an option on something you cannot measure deterministically, and the eval industry — probabilistic, self-flattering, unable to seal a state — cannot be the oracle.
That is the whole point of the folding-point. A competence bucket — one bounded tile on the lattice — with a deterministic, sealed, abstain-protected folding-point stops being a software abstraction and becomes a priceable underlying. The folding-point is the strike. Expiration is the moment the code tries to merge. Settlement is physical: if the intent holds its lane, the option exercises and the code ships; if it suffers a semantic rupture, the instrument detects the off-diagonal drift, refuses to mint the bearer token, and the option expires worthless — execution halts. The carrier never pays a catastrophic claim, because the math physically prevents the uninsurable code from running. So what are we actually selling? Not a better agent. The pricing oracle and the clearinghouse — the toll road every autonomous output has to travel to become economically deployable. You stop competing with the model labs and start minting the derivative that lets capital deploy their models without absorbing infinite liability.
Read the Six Needs and notice whose they are — yours, not ours. Connection: the unease you already feel watching a green dashboard, we feel it with you. Contribution: not the instrument we built — the contribution it lets you make — deploying code or capital in a lane you can finally prove you hold, a move the rest of the market cannot yet make. Growth: every commit sharpens the next lane you can claim. Uncertainty: we name what is still open, the held-out, rather than paper over it. Certainty: the one kind that underwrites — it abstains before it lies. Significance: not ours for building a sensor — yours, because you become the one who can act where everyone else can only hope.
So here is where it lands. "Agents don't work without evals" is true — for the enumerable failures, you need them, and we are not telling you to throw them out. But the half the billboard leaves off is the half that carries the catastrophic tail: the hazards that are shapes, not items, and that no list reaches by construction. If you are the one who answers for what an agent does, the instrument you actually need sits beside your evals, not in place of them — the one that reads the fold the sequence-check cannot see, fires on displacement, stays silent on nothing, and is honest about its own edge. Evals tell you the cases you imagined are fine. Only a shape-detector can speak to the one you did not.
