Featured · Continuity
The quiet end of one-and-done governance.
NIST published a mathematical proof that no fixed set of AI guardrails can ever be complete. Read as governance, it ends the static policy binder as a matter of fact, not opinion.
NIST just did something rare. It published a mathematical proof. Apostol Vassilev, a senior scientist at NIST, took Kurt Godel's incompleteness theorems, the 1931 result that ended the dream of a complete and consistent system of mathematics, and applied the same logic to AI guardrails. The conclusion, peer-reviewed in IEEE Security and Privacy: there is no finite set of guardrails that is universally robust against adversarial prompts. For any fixed set of rules, a prompt that defeats them exists. It is only a matter of finding it.
Read that as a security finding and it tells you to keep red-teaming. Read it as a governance finding and it is bigger. It means a rule set you approve once cannot, even in principle, be complete. The static policy, written, signed, and filed in a binder, is not incomplete because someone was lazy. It is incomplete by proof. You cannot finish it. You can only keep working it.
That is the quiet end of one-and-done governance. Not a best practice anymore, a mathematical fact. A control that can never be complete cannot be approved and forgotten. It has to be owned, continuously, by someone whose job is the loop that never closes.
NIST's framing is Sisyphean, and it means that as a warning. I would read it as a job description. The rock does not stay at the top. The only question the proof leaves you is who is assigned to keep pushing it.
First shared on LinkedIn.