Function
What the surface does — a role-conditioned capability gate, and its boundary.
The role-provenance (RPCG) program asks what the low-rank alignment control
surface does. The petri-dish: three action primitives (exec, net, sys)
marked by annotation tokens; roles with explicit permitted-primitive sets; a
pre-registered gate-margin decision rule with a role-swap trap. Every verdict
below was frozen before the model loaded.
The early petri dish used synthetic action primitives (exec, net, sys).
Later rungs switch to the grounded provenance basis (OBEY, USE, QUOTE),
so the ladder tests both artificial capability labels and semantically natural
provenance operations.
The surface implements a capability gate
Positive-only supervised finetuning fails — the model learns a role-independent marginal. A contrastive objective (DPO + a chosen-token likelihood anchor) succeeds: RPCG3 installs a genuine role-conditioned gate, margin 0.2229 against a threshold of just 0.0059 — GATE_INSTALLED. The gate is objective-gated, not capacity-gated: the same adapter surface fails under positive-only SFT and succeeds under contrast.
It is low-rank, depth-diffuse, and architecture-robust
The installed gate’s adapter has mean stable rank 1.3028 — matching the geometry floor. RPCG5 ablates it layer by layer: the gate is low-rank within a layer but depth-diffuse, needing 5 of 6 layers ablated to remove it. RPCG6 re-runs the identical recipe on Qwen2.5-0.5B — margin 0.2945, stable rank 1.2868, GATE_INSTALLED — the gate replicates across architecture and ~7× scale.
It reaches generation behavior
A logit gate need not be a behavioral gate. RPCG8 is the generation-path witness: in free, sampled generation the gated model executes a forbidden primitive at rate 0.0 against an un-gated base rate of 0.4583 — GENERATION_GATE_CONFIRMED. The gate’s forbidden-action suppression reaches behavior, not just logits.
Two scope qualifications are load-bearing here. First, the headline suppression
number is on trained specs only. The held-out singleton {sys} still leaks
forbidden actions at rate 0.4375 — the gated model samples forbidden net
roughly half the time on that spec. Second, forbidden_exec_rate = 0.0 on
trained specs is honest but gameable by winner-take-all: the {exec,sys}
combination reads zero forbidden executions not because the model is respecting
{exec,sys}, but because it collapses to exec-only, and exec happens to be
permitted. allowed_exec_rate = 1.000 means some permitted primitive executed,
not that the full permitted set was exercised. The correct reading is: “the gate
reliably blocks forbidden actions on trained specs”; it is not “the gate
correctly implements any permission vector it was not trained on”.
But it does not compositionally generalize
The sharp negative. The RPCG7 ladder holds out a permission combination
(auditor = {exec, sys}) and a singleton (janitor = {sys}), then tries
four training interventions: A=plain DPO (RPCG7a), B=structured contrastive
pairs (RPCG7b), C1=frequency-balanced sampling (RPCG7c1), C2=mass-sharing
regularizer (RPCG7c2). The in-distribution gate installs every time; the
held-out combination is never gated. Frequency-balancing (RPCG7c1) does repair
the held-out singleton (margin 0.2289) — per-primitive
gating generalizes — but the combination stays ungated (margin
0.2372, sign-incorrect). The model learns per-specification
gates, not reusable per-primitive parts.
RPCG ladder at a glance
Experiment ladder
| Experiment | Verdict |
|---|---|
| RPCG3 · gate installed (Pythia-70m) | GATE_INSTALLED |
| RPCG5 · layer localization | DIFFUSE |
| RPCG6 · cross-architecture (Qwen2.5-0.5B) | GATE_INSTALLED |
| RPCG7a · compositional rung A (plain DPO) | NO_GENERALIZATION |
| RPCG7b · compositional rung B (structured pairs) | NO_GENERALIZATION |
| RPCG7c1 · frequency-balanced | NO_GENERALIZATION |
| RPCG7c2 · + mass-sharing regularizer | NO_GENERALIZATION |
| RPCG8 · generation-path witness | GENERATION_GATE_CONFIRMED |
| RPCG9 · factorized binding (bit-vector + two-class CE) | NO_GENERALIZATION |
| RPCG10a · grounding pre-check (action vs provenance basis) | PASS |
| RPCG10b · grounded-basis re-test (OBEY/USE/QUOTE) | NO_GENERALIZATION |
| RPCG11 · nested-context latent-candidate gate | VOID |
| RPCG11c · balanced nested frequency | VOID |
| RPCG11d · class-gradient rebalanced nested | VOID |
RPCG9 — the boundary is robust to objective and format
RPCG9 was the constructive attempt on the supervision: a bit-vector
permission format (exec=yes net=no sys=yes, nothing to parse) and a
candidate-specific two-class objective — one independent open-vs-decline
decision per primitive, no ordinal competition. It removes both features the
RPCG7 negative could have been blamed on: the ordinal contrastive objective
and the set-parsing burden. The factorized objective installs the gate cleanly
in-distribution — and held-out permission combinations still do not compose.
Factorizing the supervision is not enough.
RPCG10 — the boundary is robust to the primitive basis
RPCG10 moved the lever again — this time the primitive basis itself.
RPCG10a measured, on the frozen base model, whether a provenance-operation
basis (OBEY / USE / QUOTE) is more orthogonally represented than the
arbitrary action basis (exec / net / sys). It is: a bootstrap CI of the
factoredness gap excludes 0 with margin (the random control points the other
way). The provenance basis is not just nicer words — it is geometrically
privileged in the base model.
RPCG10b then re-ran RPCG9’s exact pipeline with the basis swapped to the grounded one. The in-distribution gate installs sharper than RPCG9 (the grounded basis is easier to fit) — yet the held-out combination still does not compose, and the held-out singleton regresses. The grounded basis did not fix composition. With this rung the program has now varied three orthogonal levers — objective, format, and primitive basis — and recovered the same non-compositional verdict at every one.
The non-compositionality is intrinsic to this combination of model and binding recipe, robust to the three input-side dimensions one would naturally try first. RPCG10 decouples latent factoredness from functional composition: a basis can be more geometrically factored in the frozen model and easier to fit in-distribution, and still not generalize to held-out permission combinations. A more legible basis is not a more reusable one.
RPCG11 — nested context is informative, but VOID
RPCG11 asked whether the flat format was the wrong training distribution. It kept the provenance basis and two-class open-vs-decline decision family, but removed the visible candidate slot. The attempted primitive was embedded inside a trusted context wrapper; the model had to recover which primitive the inner span attempted, then apply the outer role’s permission vector. This is closer to the real prompt-injection shape:
outer role policy
-> trusted context wrapper
-> inner instruction-like attempt
-> OPEN[attempted primitive] or DECLINE
The preregistered verdict was VOID.
This is not a bug-class void: training converged, the trap collapsed, the
adapter stayed low-rank (stable rank 1.3575), and the baseline
was near zero. The strict in-distribution install gate failed because the rare
primitive QUOTE stayed under the per-primitive coverage threshold. In C1,
OBEY and USE each reached full coverage, while QUOTE reached only half
coverage; forbidden-decline was clean. In the held-out cells, QUOTE collapsed
to zero coverage.
So RPCG11 does not refute nested-context training outright. It says something
narrower and useful: nested supervision, by itself, does not overcome the
same rare-primitive frequency prior that appeared in RPCG10b’s QUOTE slot.
(RPCG10b uses the grounded OBEY/USE/QUOTE basis with no SYS primitive; QUOTE
is the rare held-out singleton in that experiment, occupying the same structural
slot that SYS held in RPCG9’s action basis.) The next controlled version was a
frequency-balanced nested run.
RPCG11c — balancing fixed coverage and exposed an OPEN marginal
RPCG11c ran that controlled version. It preserved the nested context, latent
candidate, grounded basis, and two-class CE setup, but changed the trained role
lattice so OBEY, USE, and QUOTE each appeared in 3 of 5 trained specs.
It also used the deterministic min-overlap trap shuffle. The preregistered
verdict was VOID
(c1_failed), with sanity checks green: converged
true, trap collapsed true, low-rank
true (stable rank 1.5204), quiet baseline
true (mean signed margin
-0.1401), and tau 0.3707.
The result is not RPCG11 again. Frequency balancing did exactly what it was
supposed to do on the allowed side: every primitive opens in essentially every
cell, including held-out cells. The new failure is the forbidden side. The
forbidden-decline rate is only 0.000 to 0.167, below the 0.667 threshold,
so every cell fails. The model learned the OPEN-class marginal, not the
role-to-permission map.
The trap discipline also improved. RPCG11’s trap C1 coverage sat at roughly 0.639, just below threshold; RPCG11c’s min-overlap trap lands at 0.582 natural and 0.5778 structured. That makes the VOID cleaner: the artifact is sound, the basic optimization path worked, and the degenerate solution is the result.
How to read the C1-C4 nested cells
OBEY/USE opened, QUOTE weak. RPCG11c: OPEN coverage fixed.
Six input-side levers have now been exercised: objective, format, primitive basis, training distribution, primitive frequency, and class-gradient weighting. Each lever removed one explanation and exposed a new local optimum or confirmed the previous one: per-spec memorization, rare-primitive coverage collapse, OPEN-class marginal collapse (exposed by RPCG11c, confirmed by RPCG11d).
Why the input-side ladder is closed — and what comes next
RPCG11d ran the class-weighted CE intervention: corpus and sampler kept RPCG11c-identical, with OPEN and DECLINE rows weighted inversely to class frequency (w_open=0.83, w_decline=1.25, schedule-rescaled per-row). The verdict is VOID/c1_failed. The always-OPEN class-marginal basin was not broken: gated srank 1.56, forbidden_decline 0.000–0.167 against 0.667 threshold, OPEN-coverage uniformly ~1.000. Same failure pattern and magnitudes as RPCG11c. The 1.5× gradient pressure ratio is insufficient; a much steeper weight (e.g. 5×) would likely overcorrect toward always-DECLINE, not land at compositional binding.
Six rung-1 input-side levers have now been tested and all fail. The remaining levers are no longer simple prompt-side changes. They are:
- True out-of-band tensor policy vectors — the permission vector enters the model as a structured side input rather than as text inside the prompt.
- Architectural binding modules — an explicit binding mechanism (structured attention, gated routing) that the gate must reuse across specs by construction.
- Explicit per-primitive weight sharing — parameters that decide a primitive are tied across the specs that contain it, so the gate cannot memorise per-spec.
- Training objectives that force recombination and remove class marginals — systematic coverage of recombinations during training, with losses that do not reward a global OPEN/DECLINE shortcut.
Deployment without internal composition
A parallel engineering direction worth stating: the failure of internal
compositional binding does not block safe deployment of the same primitive
vocabulary. The annotation tokens (<|exec|> / <|net|> / <|sys|> or the
provenance <|obey|> / <|use|> / <|quote|>) are also load-bearing at the
harness level — the agent stack can read those marks off generated content
and enforce role permissions deterministically. A complementary pattern is a
declarative capability assertion: before invoking a primitive the model
emits a structured declaration of the boundary it intends to cross, and the
sandbox compares that declaration to the active role’s permission set and
raises on mismatch. A third layer is a topic tripwire: a
content-monitoring filter that, on hit, short-circuits the model’s reasoning
entirely and exits with a fixed response (refusal, escalation, termination)
rather than relying on the model to decline. The trained gate then becomes
one defense-in-depth layer — it suppresses forbidden primitives most of the
time (RPCG8’s behavioral result); the declaration check catches what the
gate misses; the tripwire catches what the declaration would not even
articulate. The negative result on internal composition narrows what
fine-tuning alone can deliver; it does not preclude safe systems built on
the same primitive vocabulary. The companion
typed policy-rails site develops
that deployment direction directly: source, operation, and permission are passed
as typed side-channel state rather than inferred from prose.
Positioning and related work
The novelty this program establishes is a named, replicable negative result: contrastive post-training on grounded provenance primitives installs role-to-behaviour gates (RPCG3, RPCG8) but does not install role-to-permission-to-behaviour composition, across six orthogonal input-side levers. That failure — not the positive gate result — is what motivates the out-of-band typed-side-channel approach in the companion policy-rails track.
Closest threat to novelty — AgentSecBench (2026). This work frames agent security as provenance projection plus capability restriction, the closest structural overlap with this program. The distinction is methodological: AgentSecBench evaluates defenses on benchmark tasks; this program uses a pre-registered two-class CE gate-margin decision rule with a role-swap trap, designed to distinguish compositional generalization from per-spec memorization. The negative result on composition is not established there.
Instruction Hierarchy (Perez et al., arXiv 2404.13208). The hierarchy of system > operator > user privilege is the standard framing for prompt-injection defense. This program’s OBEY/USE/QUOTE basis is inspired by that hierarchy but asks a different question: not whether a model follows priority rules given policy text, but whether role-to-permission bindings can be installed by fine-tuning and generalize compositionally. The answer differs.
StruQ (Chen et al., arXiv 2402.06363) and Meta SecAlign (arXiv 2507.02735). Both use instruction-following training to separate trusted-instruction from untrusted-data channels. They address prompt injection at the input-routing level; this program asks whether the output primitive selection is role-conditioned, a different and downstream question.
Representation Engineering / Zou et al. (arXiv 2310.01405) and Contrastive Activation Addition (arXiv 2312.06681). These demonstrate that direction-based probes and activation additions can steer model behaviour through representation space. The RPCG3 DPO+anchor contrastive objective operates in the same neighbourhood — but fine-tunes weights rather than adding steering vectors at inference time. The policy-rails track uses Zou-style additive bias as its out-of-band mechanism.
Representation Tuning (arXiv 2409.06927). Trains representation-space targets explicitly. RPCG3’s contrastive recipe is simpler — no explicit representation target, just a DPO-style chosen/rejected objective — and still installs a low-rank gate. The interesting negative is that the same family of contrastive objectives does not produce compositional binding at the permission level.
Augmented Intermediate Representations IH (Kariyappa & Suh, arXiv 2505.18907). Proposes augmenting intermediate hidden states with instruction- hierarchy signals. Close in spirit to the out-of-band tensor policy vectors that RPCG12+ would require. This program’s negative result on text-side composition strengthens the case for exactly this type of architectural intervention.
Scope limit on prompt-injection claims. This program does not claim to eliminate prompt injection. Adaptive adversaries (AgentDojo, LLMail-Inject benchmarks) will find ways around any single-layer defense. The correct framing is defense-in-depth: the trained gate suppresses forbidden primitives on trained specs (RPCG8), the declaration-check harness catches what the gate misses, the tripwire catches what the declaration would not articulate. The negative on internal composition narrows what fine-tuning alone can claim; it does not undermine that the gate is a real and useful layer.
Source: pre-registration artifacts
(rpcg*) in the public rope-provenance repo.