In security, theory and practice have a way of arriving at the same place. Theory tells you what’s possible. Practice confirms it happened. The only variable is time.
Two things happened this week that belong in the same conversation. One is a mathematical proof. The other is a dispute about whether one of the most hardened AI models in the world got jailbroken within hours of launch. Taken together, they say something important, not about any particular company or product, but about the nature of AI security at a moment when both the threats and the tools are evolving faster than most organizations can track.
The Theory
In 1931, mathematician Kurt Gödel ended a decades-long effort to build a complete mathematical system based on a finite set of rules from which any true statement could be proven. His incompleteness theorems showed it was impossible. Any finite rule set will have gaps. There will always be statements the system can’t prove, and there will always be ways to break the logic from within.
Last week, NIST published a peer-reviewed mathematical proof in IEEE Security and Privacy applying that same logic to AI security. The finding is formal and unambiguous: no finite set of AI guardrails is universally robust against adversarial prompts. There will always be a prompt that can make a model disregard its own rules. It’s just a matter of finding it.
This is not a vendor’s threat assessment or a researcher’s hot take. It is a mathematical reality, published by a government standards body, grounded in nearly a century of foundational logic. The NIST researcher put it plainly: “You can never make a claim that you are robust against all adversarial prompt attacks. There will always be some prompt that can potentially evade and defeat any defensive infrastructure you have built around your AI system.”
The Practice
Within days of that publication, a researcher claimed to have bypassed the safety layer on Anthropic’s newly launched Claude Fable 5, one of the most capable and most extensively red-teamed AI models ever released. Anthropic disputed the characterization, and the debate over whether it constitutes a “true” jailbreak is ongoing.
But Anthropic’s response is more instructive than the dispute itself.
The company explained that the model’s conversational refusals can be overcome. They called it a “well-known and longstanding limitation present in nearly all large language models,” and that their real safeguards are enforced by independent classifier systems that operate entirely outside the model. Overcoming the model’s refusals, they argued, doesn’t touch those deeper protections.
Read that carefully. The company that built one of the most advanced AI safety architectures in the world is telling you that the model cannot be trusted to secure itself. Their answer to the problem Gödel predicted is a layer of external, expert-managed systems running independent of the model, including continuous monitoring, external classifiers, active red-team operations.
The Offense Has AI Now Too
For anyone operating in a security-sensitive environment, these two data points land together with a very clear message.
The upper limit on AI security is grounded in mathematical reality, not in a bad product or a lazy red team. The guardrails will always have gaps. You cannot deploy an AI system and treat security as a solved problem. That was true before AI changed the threat landscape, and it’s truer now that the attack surface moves at machine speed.
Here is the part of the conversation that doesn’t get enough attention: the threat side isn’t waiting for defenders to figure this out.
Adversaries have access to the same AI capabilities that defenders do. Reconnaissance is faster and more targeted. Phishing is more convincing and more personalized. Exploit development timelines are collapsing — research has already shown that advanced AI models can compress the time from vulnerability disclosure to working exploit from weeks to hours. The same capabilities that give defenders an edge in detection and response are being turned against them.
We are in a war of AI-enabled offense against AI-enabled defense. The organizations that understand this early are building postures that can compete at that pace. The ones that don’t are fighting last decade’s threat with last decade’s tools.
What It Means — For All of Us
AI changes the speed of the game. It does not change that fundamental truth. The math and the lesson has not changed: no system is ever fully secure, and the teams that operate like it is get hurt. The teams that survive contact with a determined adversary are the ones that treat vigilance as a discipline. As Morpheus said to Neo, there are rules that can be bent and others that can be broken. Welcome to the desert of the real.
For government agencies, the calculus is particularly acute. The adversaries targeting national security infrastructure are not waiting for policy guidance to catch up to capability. They are already using AI to accelerate collection, exploitation, and attack. The classified mission environment demands that defenders move at least as fast, and that means AI-enabled defense is no longer optional. It is a mission requirement.
For commercial entities operating in the cleared contractor space or adjacent to sensitive government work, the threat picture is equally unforgiving. The pace of AI capability development means the gap between what you deployed last year and what adversaries are using today is widening, not closing. Compliance frameworks and annual assessments are not built for an environment where the threat evolves in hours.
What the current moment demands is a security posture that can keep pace with AI-enabled offense: continuous monitoring, AI-accelerated threat detection, and expert-led response when something probes the perimeter.
That is the posture Sphinx is built to deliver. Our Cognitive Orchestration and Resilience Engine’s (CORE) suite of AI capabilities combines AI-accelerated threat detection and DFIR with the practitioner expertise to act on what the AI surfaces. It’s not AI replacing expert judgment — it’s AI giving expert judgment the speed it needs to compete with an adversary who has AI too.
Gödel didn’t say the game is unwinnable. He said you can never stop playing it.
Vassilev, A. et al. “On the Impossibility of Robust Machine Learning Classifiers.” IEEE Security & Privacy, June 2026 · SecurityWeek, “Anthropic Disputes Claim That Claude Fable 5 Was Jailbroken Within Hours of Launch,” June 12, 2026
Your adversary already has AI. Does your defense?
Sphinx CORE delivers AI-accelerated threat detection and DFIR with the expert judgment to act on what the AI surfaces — because the math says you can never outsource this fight to the model alone.