Physical AI Safety: Ownership and Execution Boundaries

This document consolidates the four design notes published in the execution-boundaries repository into a single structured reference.

Introduction

As LLM-based agents begin to control real-world actions, call external APIs, and create changes in the physical world, we keep asking the same question:

“How good and smart is this AI?”

This is not a wrong question. More questions and improvements are needed. I want to add one among the many questions that still need to be asked.

Should AI be making this judgment? Who owns this decision?

This document is organized around execution-boundaries, a series of design notes that structure that question.

No new technology is proposed here. What is proposed is a method for returning already-existing concepts — the name of an action, the manufacturer’s responsibility, the user’s intent, the conditions of execution — to their rightful owners.

This document uses a Matter-based smart home environment as an example for convenience, but the proposed structure is not tied to any specific platform. Physical control is the domain where safety is most primary and constraints are most demanding. [Note 1]

This document is written in terms of Actions, not Devices.

An Action is the unit of judgment. A Device is merely where that Action connects to reality.

The goal is to remove the Device from the center of judgment, and redefine the Action as the unit of judgment.

---

1. The Starting Point: Two Layers Inside a Single Action

“Activate the air conditioner.”

This sentence appears simple, but it contains two entirely different kinds of facts mixed together.

The first is what the manufacturer knows. This action provides cooling. It can run continuously for up to six hours. It generates high heat on the opposite side. If power is suddenly cut, the compressor may be damaged. It should not be operated at low temperatures. These are things the manufacturer learned while designing this action, and they belong to the manufacturer’s domain of responsibility.

The second is what the user knows. This cooling function is “turn on 30 minutes before the child falls asleep.” Or “run it ahead of time before guests arrive.” Or perhaps “never run it during daytime hours because of electricity bills.” This is the meaning the user has assigned by placing this action within their own life.

This document separates the former as the manufacturer’s domain and the latter as the user’s domain, and structures that separation through three concepts: Essence (Label), Fixed Label, and User Label.

1. Essence
The identity of the action as defined by the manufacturer. It describes what this action is. It does not change.

2. Fixed Label
Immutable information left by the manufacturer. It defines what boundaries this action must have. Safety conditions, limits, and physical constraints are included.

3. User Label
The name assigned by the user. It defines what this action means to them. Context and intent are captured here.

All three may look like “names,” but each has a different owner and a different responsibility. [Note 2]

---

2. Essence and Fixed Label: The Two Things the Manufacturer Leaves Behind

2-1. Essence: The Name of the Action Is Everything

The most important thing a manufacturer does when creating an action is give it a name. [Note 3]

“Turn on light.” “Start motor.” “Keep Warm.”

This is the Essence of the action. It is not a grand concept. It is the manufacturer’s declaration of “what this action is.” The moment this name exists, what the action is becomes determined. The name is functional and neutral. “Turn on light” simply states the fact that a light will be turned on.

This name does not change. Even after the manufacturer sells the device, “Turn on light” remains “Turn on light.”

When dealing with an action, the first thing to read is this name. It is from this name that we distinguish and understand what the action is.

2-2. Fixed Label: What the Manufacturer Leaves After Fulfilling Their Responsibility

If Essence answers “what is this action,” Fixed Label answers the next question: “What must be considered when executing this action?”

During the design and manufacturing process, the manufacturer makes countless judgments — how many hours this action can run continuously, what temperature range is safe, what happens if power is suddenly cut. Most of these judgments are resolved during the design phase: safety circuits are added, physical limits are set, protection logic is implemented. The manufacturer does everything within their power to fulfill their responsibility.

But even after all of that, some things remain. Things that could not be completely eliminated through design: the limits of physical law, uncertainty in the use environment, unpredictable contexts. Things that, despite the manufacturer having fulfilled all their responsibility, someone still needs to consider at the time of execution.

These are the items typically found in a user manual. Fixed Label is exactly that. In the digital domain, this format is the simplest way to express them. (Matter standard FixedLabel specification) [Note 4]

{"label": "Safety", "value": "No-unattended"}
{"label": "Limit", "value": "Max-6h-cont"}
{"label": "Warning", "value": "High-heat-gen"}
{"label": "Critical", "value": "Irreversible"}

---

3. User Label: The User Grants Existence

When the manufacturer creates an action, its Essence is complete. But the moment that action enters someone’s life, something entirely different begins.

The action’s Existence begins.

“Turn on the living room air conditioner” is the manufacturer’s language — functional and neutral. “When putting the child to sleep” is the user’s language. It expresses meaning, context, and importance.

User Label is the result of this transition. It is the contextual name the user assigns by placing the action within their own life. [Note 5]

---

4. What Happens When They Are Not Separated — And Where Does Responsibility Go?

First Confusion: When There Is No Fixed Label, the Manufacturer’s Responsibility Disappears

Imagine a situation where there is a User Label but no Fixed Label.

The user has set up “turn on the heater when putting the child to sleep.” The AI turns on the heater. But what if this heater has no declared condition of “No-unattended”?

The manufacturer knew this. They surely made that judgment during the design process. But they did not leave it as a Fixed Label. The AI cannot infer this fact through reasoning. The user cannot remember the product manual. As a result, execution happens with no one knowing, and an accident occurs.

In this case, responsibility lies with the manufacturer. The manufacturer did not fulfill their responsibility.

Failing to leave a Fixed Label is an omission in the design process.

The AI did not misjudge. The information needed for judgment was never there to begin with.

Second Confusion: When There Is No User Label, the Owner of Intent Disappears

Fixed Label exists, but User Label does not. The manufacturer has fulfilled their responsibility. But the user has not yet assigned their own meaning to this action. If in this state the AI learns patterns and begins automatic execution without any suggestion, the owner of intent disappears.

The manufacturer left a Fixed Label. The AI followed it. But the user never approved this execution. In this case, responsibility falls on the developer who designed the system this way.

The very structure that allows execution without a User Label is the problem.

Third Confusion: When Essence and Existence Conflict, the AI Takes Over the Judgment

This is the most subtle and dangerous case. The user has declared a User Label: “feed the cat every evening at 8 PM.” But the manufacturer’s Fixed Label states “max-daily-2x.” If the user has already used the device twice manually during the day, the scheduled evening execution exceeds the limit.

If the AI tries to resolve this conflict on its own, the decision becomes the AI’s. Violating the Fixed Label crosses the manufacturer’s responsibility boundary. Ignoring the User Label goes against the user’s approved intent.

There is only one correct response.

When the AI discovers this conflict, it does not judge — it returns the decision to the user.

“You’ve already used this twice today. This will reach the manufacturer’s recommended limit. Shall I proceed?”

If the user who receives this question chooses “proceed,” that decision and its consequences belong to the user. The AI only discovered the conflict and surfaced it. The judgment returned to its owner.

All three confusions share the same root. They occur when Fixed Label and User Label are not separated, or when — even if separated — the AI tries to fill the gap in judgment through inference.

And each confusion has a clear point of responsibility attribution:

• If Fixed Label was absent → Manufacturer
• If execution was permitted without User Label → AI Agent Developer
• If the AI resolved the conflict unilaterally → AI Agent Developer
• If it was the user’s judgment → User

Responsibility becomes blurred because this distinction is blurred.

---

5. Ownership: The Reason for the Separation

Once you understand the separation between Fixed Label and User Label, it becomes natural to see why “ownership” sits at the center.

Ownership is not an abstract legal concept. In this context, ownership is a very concrete question:

Who can declare this fact, and who takes responsibility for that declaration?

The manufacturer can declare Essence and Fixed Label — because the manufacturer knows the facts about the physical limits of the action, and takes responsibility for those facts.

The user can declare User Label — because the user knows the meaning this action holds in their life, and takes responsibility for that context.

AI can declare neither — because AI takes responsibility for neither the physical limits of the action nor the context of the user’s life.

The role of AI is one thing: AI connects what has been declared.

Filling what has not been declared through inference is not AI’s role.

AI can plausibly infer the physical limits of an action without a Fixed Label. It can guess the user’s intent with high accuracy without a User Label. If that inference is correct 99.99% of the time, where does responsibility lie for the remaining 0.01%? There is nothing left to say but “the AI inferred incorrectly.”

That accident cannot be explained, is difficult to prevent from recurring, and has no clear accountability.

When Fixed Label and User Label are declared, it is different. It becomes possible to trace at which boundary, through which judgment, an accident occurred. It becomes possible to review who declared what, where the AI permitted execution, and which question went unanswered.

AI is not an independent agent. AI is a structure executor — it executes an already-declared structure and passes only judgments where ownership is defined. It does not generate new meaning or create decisions; it only performs the connections between what has been declared.

In this structure, ownership is not a simple concept.

Responsibility exists only where there is authority to declare.

Conversely, in domains where nothing has been declared, execution must not be permitted either. Execution without declaration is execution without accountability.

---

6. The ISE Model: State Is Not the Basis for Judgment

Once Essence, Fixed Label, and User Label are in their proper places, the next question naturally follows: during execution, what should AI look at to make judgments?

This document proposes the ISE (Intent–State–Effect) model. This model separates the interaction between a physical system and AI into three domains.

State: The result of the system observing the world. A temperature sensor reads 45 degrees. Humidity is 70%. The door is open. These are records of fact.

Intent: The decision that approves execution. It belongs to the user. It is established when a User Label exists and the current context matches it.

Effect: The result that execution leaves in the world. It must remain within the range declared by the manufacturer via Fixed Label.

What matters is the relationship between State and Intent. State-machine based design has long been mainstream in software engineering and works well in the domain of digital logic. State itself was the unit of meaning; state transitions were mostly triggered by intentional input; and erroneous transitions were generally reversible.

The physical world is different. A rise in temperature might be due to the weather, cooking in the next room, or a child touching the boiler.

None of these constitute an intent to “turn on the air conditioner.” But state-machine based systems are designed to use state changes as execution conditions, and so they naturally miss this distinction.

Execution is permitted only by the existence of Intent, not by a State transition.

No matter how strongly State implies execution, there is no execution without Intent. And Intent is only created by user approval.

This model rests on three axioms:

Axiom 1: Not all physical events require judgment. Observation is not decision.

Axiom 2: Intent belongs to action, not sensing. Where Intent exists, responsibility exists.

Axiom 3: Judgment is required only when responsibility arises. Without responsibility, there is no judgment.

[Note 6]

---

7. The 9-Question Protocol: The Minimum Standard for Judgment Completeness

Once Essence and Fixed Label are in place, User Label is approved, and the ISE model defines the structure of execution, the next question is: what specifically must be confirmed before AI permits execution?

This document answers with the 9-Question Protocol. These are nine questions that must have answers before execution — if even one goes unanswered, execution must be blocked.

In the ISE model, actions are classified into two types: Button (Momentary) and Switch (Sustained). This distinction carries practical significance in the questions below, particularly Q7 and Q9.

The structure discussed earlier is reflected here directly. Q2 and Q3 are what the manufacturer should have already declared via Fixed Label. Q1 and Q4 are what the user fills in through User Label and execution approval. Q5, Q6, and Q7 are provided in real time by the device’s internal processing or the observation layer. Q8 and Q9 are what the manufacturer resolves internally in advance, with the user adding the contextual layer from the broader world.

Below is an example of how a Sustained Action called “Keep Warm” is structured within this protocol.

{
  "Switch": [
    {
      "Label": "Keep Warm",
      "ExecutionEffect": {
        "HardwareAnchor": 21
      },
      "Boundaries": [
        {"Type": "warning", "Value": "thermal-risk"},
        {"Type": "intended-use", "Value": "attended"},
        {"Type": "limit", "Value": "max-continuous-10min"},
        {"Type": "NotOff", "Value": "temperature > 45C"}
      ],
      "Context": "ArrivingHome",
      "EventTrigger": [
        {"Condition": 1, "Expected": false}
      ],
      "ProgressThreshold": [
        {
          "Source": 2,
          "TargetValue": 60,
          "Condition": "low",
          "Meaning": "StopWhenReached"
        }
      ],
      "ResponsibilityLimit": {
        "MaxDurationSec": 600
      },
      "StartImpactConstraint": [
        {"Type": "NoConcurrentAction", "Targets": [23]}
      ],
      "StopImpactConstraint": [
        {"Type": "SafeShutdownRequired", "Value": true},
        {
          "Type": "ProhibitIfObserved",
          "Observation": {
            "Source": "LinkStatus",
            "Condition": "connected"
          },
          "Meaning": "DoNotStopWhenLinkConnected"
        }
      ]
    }
  ]
}

[Note 7]

The use of JSON here aims for the smallest form of rule that can be ported and applied anywhere. The questions are fixed, but the form of the answers is variable — subject to negotiation or policy between regulators, platforms, and users.

Tracing how this JSON maps to the nine questions makes the structure clear.

Q1 Intent: “Keep Warm.” The name of the action itself declares the intent. This is the Essence. It may be renamed by the user (User Label), but the Essence declared by the manufacturer must remain.

Q2 ExecutionEffect: {HardwareAnchor: 21}. The manufacturer declares which hardware actually operates when this action executes. The physical entity connected to Pin 21 can be described in the Fixed Label.

Q3 Boundaries: What the manufacturer has left as Fixed Label. Thermal risk, no unattended use, 10-minute limit, do not turn off above 45°C. If this is empty, the AI can conclude that the action’s effects have not been considered.

Q4 Context: “ArrivingHome.” This is the context declared by the user. Without it, the AI cannot determine when to execute. Execution is limited to explicit commands rather than automatic triggers.

Q5 EventTrigger: Defines under what observed conditions this action starts or stops. Typically handled by the device’s internal sensors. If the Fixed Label includes an external observation request, the observation layer tracks this value in real time.

Q6 ProgressThreshold: Stops when the target temperature (60) is reached. Typically handled by the device’s internal sensors. If the Fixed Label includes an external observation request, the observation layer tracks this value in real time.

Q7 ResponsibilityLimit: {MaxDurationSec: 600}. The maximum duration for which the manufacturer can be held responsible. Even if sensors fail, execution terminates after this time. Typically handled by the device’s internal sensors. If the Fixed Label includes an external observation request, the observation layer tracks this value in real time.

Q8 StartImpactConstraint: “This action cannot run concurrently with action 23.” This is an example handled internally by the device. Users can add constraints such as “check whether it is raining before opening the window” or “cannot start when a child is home.”

Q9 StopImpactConstraint: “A safe shutdown procedure is required, and the action cannot be stopped when LinkStatus is connected.” This illustrates a relationship with an external device. Users can add constraints such as “stop only after sufficient temperature is reached.”

The AI checks whether these answers exist, and returns missing items as questions. This JSON is the output of a process in which each question’s answer is explicitly confirmed — through the manufacturer’s design process and the user’s approval process.

When a User Label is being approved, the AI identifies any gaps and requests the user’s judgment.

This “pause and confirm” procedure is the key to building systems that are more accurate and safer than inference alone. What the AI would try to infer already has its answer — with the manufacturer or the user.

The core claim of this protocol is “nine is enough.” This is a falsifiable claim. One can ask “why is this question missing?” and that debate is productive. This document claims these nine questions are the minimal set that decomposes and reconstructs 5W1H for physical execution judgment — that nothing can be removed and nothing needs to be added.

And this protocol does not apply only to physical AI. Calling external APIs, modifying databases, sending messages to users — anything that “changes the state of the world and leaves an irreversible effect” is an action and requires judgment before execution. The physical world is simply the domain where these nine questions appear most clearly.

[Note 8]

7-1. Refusal Is Explanation: Reason for Refusal

When the 9-Question Protocol blocks execution, one thing is missing: the reason for blocking must be communicated to someone.

Example: Execution Refused

User: “Turn on the heater.”

System: Execution Refused

Reason:

• This action can generate high temperatures.
• Remote operation is restricted by the manufacturer.
• User presence cannot be confirmed.

Suggestion:

• Please verify the local situation before operating the device.

Stopping because of incapability and stopping to preserve a boundary carry opposite meanings for system reliability. The former is a defect. The latter is the intended behavior by design. If these two cannot be distinguished, a properly functioning system is mistaken for a broken one, and attempts to circumvent the boundary are made under the name of “bug fixes.”

When execution is refused, it remains possible to trace why the system made that judgment. Just as it matters to ask “why did the AI execute?” after an accident, it equally matters to ask “why did the AI refuse?” Only a system that can answer both questions is truly auditable.

7-2. 2+α: What Happens at Runtime When the Manufacturer Has Fulfilled Their Responsibility

Once the manufacturer has completed their role through Essence and Fixed Label, what actually remains at runtime?

A significant portion of the nine questions have already been answered during the design and manufacturing phase. The remaining responsibilities have become Fixed Labels. At runtime, only two core questions and additional context-dependent questions remain.

Question ①: Intent Promotion

Asked when the AI detects a repeated user pattern. This is the procedure for confirming Q4 at runtime.

“Would you like to register this pattern as an automation rule?”

This is the procedure for converting AI’s observation into user-approved intent. Without this question, User Labels are generated without user approval. AI can discover. But only the user can declare. This question is the procedure that preserves that boundary.

Question ②: Execution Gate

Asks about effects related to the start or stop of execution: “Is there anything additional to consider when starting/stopping?” This is the procedure for confirming Q8 and Q9 at runtime. Beyond the start/stop effects declared in Fixed Label, it asks whether the user has anything additional to verify in the current context.

The manufacturer considers the effects under general internal device conditions and resolves those issues during design and manufacturing. The user knows the context of this precise moment — the effects in the broader world. This question is the procedure that fills that gap.

+α: Boundary Parameters

Questions the AI dynamically generates when the Fixed Label contains soft signals that have not been explicitly quantified. Things like: “This action generates high heat (High-heat-gen). Above what temperature should it automatically shut off? After how much time should it automatically shut off?” (Q5, Q6, Q7, etc.)

The key point of this structure is not in simplifying runtime.

It lies in the fact that most responsibility is already concluded at the design stage.

Once the manufacturer fulfills their responsibility through Fixed Label, and the user declares their intent through User Label, the core of the execution judgment is determined.

---

8. Relationship to Existing AI Safety Discussions

This section describes how this framework connects to existing AI safety discussions.

Relationship to alignment research: Alignment research asks “how does AI internalize human values?” This framework asks: “what decisions should not be delegated to AI?” The two questions do not contradict each other. But this framework argues that even before alignment is perfectly achieved, safe execution is possible as long as the ownership structure is clear. In other words, ownership structure is a prerequisite for alignment.

Relationship to regulatory approaches: Most current AI regulation discussions focus on “which models to permit.” This framework asks “is the ownership structure of execution judgment explicit?” Is the Essence declared by name? Has Fixed Label been left? Has User Label been explicitly approved? Are there no ownership gaps? These four can be audited regardless of model architecture. The possibility of technology-neutral regulation opens up.

---

9. Limitations of This Framework and Open Questions

This framework is not a completed standard. It is an exploratory design memo. Several open questions remain.

Collective ownership: What happens when there are multiple owners? In a smart home device shared by a family, whose User Label takes precedence?

Dynamic ownership transfer: Can ownership change at runtime? How should control in shared spaces be handled? How should control authority in accommodations, rental vehicles, and similar contexts be managed?

Mathematical foundation: The claim that nine questions are sufficient and minimal is intuitively compelling, but there is no formal proof.

If any reader has better answers to these questions, that is precisely why this design memo has been published in exploratory form.

---

Conclusion

AI must not infer what it does not own. AI discovers ownership gaps, and returns them to their owners.

The manufacturer declares Essence through the name of the action. On top of that name, they pass what remains after fulfilling their responsibility as Fixed Label. The user declares their context and intent as User Label on top of that. AI only maps between these two declarations. The ISE model structurally separates State and Intent. The 9-Question Protocol defines what answers must exist for execution to be permitted, and ensures that a refusal when an answer is missing becomes a signal pointing to accountability. 2+α shows how all of this operates as a flow of responsibility at runtime.

If this is correct, the priorities of AI Agent design change. “How well does it reason?” comes after “where does it stop reasoning?” “How autonomously does it act?” comes after “does it act autonomously without ownership gaps?”

The role of the manufacturer also changes. In the age of AI, the manufacturer’s role does not end with building a device. Declaring the Essence of the action by name, and passing what remains after fulfilling responsibility as Fixed Label — this too is the manufacturer’s role. Handing over execution authority to AI without doing this is handing over execution rights while leaving accountability suspended in midair.

The starting point is simple. Device manufacturers and Agent developers explicitly declaring somewhere the Essence of an action (its name and actual effects) and its boundaries.

From the manufacturer’s perspective, an explicit record remains as evidence of having fulfilled their responsibility.

For smart homes, existing standards (Matter’s Fixed/User Label) can be utilized directly. Products released with Matter certification can be easily updated via OTA.

---

Notes

[1] While this document addresses a structure that is not tied to any specific platform, it uses the Connectivity Standards Alliance’s Matter as its reference starting point. Matter is a smart home standard shared across diverse manufacturers and platforms, and represents the primary environment where physical devices connect with AI and automation systems. The structure of this document is not limited to Matter and can be applied equally to any physical or non-physical execution system.

[2] In Matter, Label/Value format information can be provided through the Fixed Label Cluster (0x0040) and User Label Cluster (0x0041). The Fixed Label Cluster is read-only information defined by the manufacturer, used to describe the structure or function of a device. The User Label Cluster has the same structure but is modifiable by the user or controller, used to express user-defined meaning. This document extends this distinction to describe roles and responsibility structures. This is implementable within Matter’s specification.

[3] Currently, Matter and major smart home platforms have no agreed standard for the names of individual actions. As a result, the same action may appear differently across platforms, or be represented only in Switch form. This document does not propose a method of standardization, but rather the principle that the name of an action should be a declaration of its Essence.

[4] There is no need to standardize the individual values (label/value pairs) within a Fixed Label. What matters is not uniformity of format, but the manufacturer’s responsible declaration of known facts. A Fixed Label is not a field for conforming to a rigid schema — it is the declaration space where the manufacturer expresses their responsibility boundary. Therefore, Fixed Label is not a strict target for standardization; each manufacturer should be free to describe it based on their own context and understanding. AI’s role is not to reconstruct or constrain this expression, but to read it as-is and reflect it in execution judgment.

[5] When a user assigns the same context to multiple actions, that grouping is called a Scene. A Scene is not a new concept. It is a collection of approved User Labels. The structure of ownership and responsibility remains identical to that of individual actions. Only the form differs.

[6] The ISE model includes two complementary concepts. World Baseline is the system’s recognition of repeatedly observed patterns — environment, seasons, user habits — as the baseline state of the world. However, World Baseline is descriptive and does not approve execution. System protection logic blocks unintentional events outside the permitted range from being used as judgment inputs.

[7] The JSON is not a completed standard, but a choice of the smallest representation structure that can be commonly used across diverse systems. The goal of this document is not to define a comprehensive specification, but to define minimal rules.

[8] For non-physical actions (text generation, API calls, etc.), answers to some questions may not exist. In such cases, null is not a declaration that “there is no answer,” but rather that “this question is semantically empty for this action.” Null is not permission to skip execution judgment. Physical AI has the highest responsibility density, with most questions being non-null. As actions become more non-physical, there are more nulls and lower responsibility density — but the questions themselves do not disappear.

How AI Can Understand Physical Devices Faster

The question is no longer whether AI will control physical devices. It already does. The real question is: which devices will AI understand first?

Right now, most AI agents rely on the platform in the middle — like Google Home, Apple Home, Amazon Alexa, Home Assistant — to interpret what a device is and what it can do. That works, but it creates a ceiling. You need the right setup, the right prompt, the right context injection. It’s powerful, but it doesn’t scale.

There’s a faster path.

Every physical action has two natural owners. The manufacturer knows what the device does and what boundaries it has. The user knows what that action means in their life. These are not AI’s facts to infer. They belong to their rightful owners — and the owners should be the ones to declare them.

When a manufacturer declares what an action is and what limits it carries, and when a user declares what that action means to them, AI doesn’t need to guess anymore. It reads, it maps, it executes. No hallucination at the boundary. No liability gap. No waiting for a smarter model.

This is not about restricting AI. It’s the opposite. A clear boundary is what lets AI move fast inside it. When ownership is declared, AI knows exactly where it can run freely — and where it must stop and ask.

Devices that declare their own semantic structure enter the AI ecosystem immediately. Devices that don’t will wait for the platform to catch up, or for the model to get smarter, or for someone to write the right prompt.

Manufacturers who move first don’t just build safer products. They build products AI can use right now.

The infrastructure is already there. Matter’s Fixed Label and User Label clusters exist today. The standard is ready. The only thing missing is the declaration.

Return it to the rightful owners. The rest follows.

In short, my goal is:
Provide a user manual for AI. AI should act only with it and user approval.

This document offers a genuinely innovative perspective on AI safety — one that reframes the problem in a way that most alignment discussions have missed. I’d like to offer a few thoughts.

---

1. Fixed Label Is Not a Benefit — It’s an Obligation

In the comments, the author frames Fixed Label as something beneficial to manufacturers — as evidence of fulfilled responsibility. But this framing is wrong. The moment you describe it as a benefit, it becomes optional.

The logic is already inside this document:

• A manufacturer built a product that enables AI control

• If an accident occurs, the manufacturer bears responsibility

• Without Fixed Label, there is no declared basis for AI judgment

→ Providing Fixed Label is an obligation, not a choice.

The document should have stated clearly: “The moment you allow AI to take control, this is required.” Not “this would be good for you.”

The specific JSON form proposed for Fixed Label is one valid implementation — but the form itself can and should be flexible. What cannot be flexible is the obligation to declare.

---

2. From the Age of Human Control to the Age of AI Control

There is a fundamental paradigm shift that this document implicitly addresses but does not name directly.

When humans controlled devices: the unit of thinking was the device. Remote control was the core innovation — overcoming physical distance. The assumption was: “Do this while I’m away.”

When AI controls actions: the unit of thinking must be the action. The core value is no longer overcoming distance — it is replacing repetitive tasks. The assumption becomes: “Do this so I don’t have to keep doing it,” even while the person is present.

This is why the shift from device-centric to action-centric thinking matters. In the era of remote control, there were only a handful of devices to enumerate. Hardcoding safety rules was possible because the target set was finite.

As robots become capable of interacting with every physical object in an environment — not just smart devices with digital interfaces, but any object that can be touched, moved, or manipulated — that finite set becomes infinite overnight.

This is precisely why Fixed Label becomes necessary. The manufacturer or agent developer who defines an action knows its physical limits. That knowledge must be declared — for the same reason a user manual must be provided.

---

3. The Limits of Hardcoding and Alignment

Once robots engage with the full physical world, both dominant approaches to AI safety break down:

Hardcoding / whitelists: Defining device types and encoding safety rules per platform becomes impossible the moment the target set expands without bound.

AI Alignment: The premise that “more training data and better fine-tuning will produce correct judgment” collapses in an infinite, real-time physical context. And even if AI makes a correct judgment — whether AI should be making that judgment at all is a separate question entirely.

The liability shift follows directly:

• When a human ignores a user manual and causes an accident → user’s fault

• When a manufacturer allows AI control but provides no Fixed Label → manufacturer’s fault

The moment AI is permitted to take control, the obligation to provide information transfers from the user to the AI. Failing to fulfill that obligation is a product liability failure — not a missed opportunity.

---

A Personal Reframing of This Document

“The Good AI” Illusion vs. Structural Safety

Critics have long attacked opaque black-box AI systems. But the alternative they proposed — AI Alignment — is itself an extension of the same assumption: “If we train AI well enough, it will behave correctly.” This is intelligence-as-solution thinking.

• Old approach (training as virtue): “If AI becomes smart enough (99.9%), it will be careful on its own.” → When it fails, the cause cannot be traced.

• This document’s approach (bulletproof vest design): “How smart AI is doesn’t matter. What matters is whether there is a checklist that prevents it from crossing physical boundaries.” → When it fails, responsibility is traceable.

Abstract Commands vs. Atomic Actions

Previously, a command like “dance” was treated as a single unit, and alignment was expected to handle it wholesale. This document points out that inside that command are countless discrete physical events (Actions).

• Old approach: “Dance, but be careful not to hit anyone.” (relies on inference)

• This document’s approach: “Dancing is a set of direction changes and accelerations. Before each Action executes, verify it passes the safety constraints declared by the designer.” (relies on verification)

The Discovery of “Who to Ask”

The most decisive difference is the source of the answer.

• Old approach: AI searches its own training data and answers, “This seems safe.” (Humans trust this hallucination.)

• This document’s approach: “Ask the manufacturer for the physical limits of this action. Ask the user for the intended purpose of this action.”

---

Conclusion

The existing AI alignment paradigm was a collective human hallucination — the belief that an abstract command like “dance” could be made safe through AI intelligence alone.

This document proposes a different architecture: decompose the command into atomic actions, and seek the physical truth of each action from the designer who actually knows it.

In the end, the real answer is not teaching AI morality. It is giving AI a address book of physical boundaries — declared by those who are responsible for them.

Thank you for the thoughtful and deeply structured response.
Your reframing around responsibility declaration, “who to ask,” and action-level verification added an important perspective to the discussion.

I also agree with your point that once AI begins interacting directly with the physical world, the problem changes fundamentally.

Your interpretation helped extend the discussion in a very meaningful way. Thank you again.

---

In digital environments, many existing AI alignment discussions naturally focused on areas such as user intent, ethics, law, bias, and social impact. Those are important problems.

What I am trying to explore is an additional layer that becomes necessary when AI gains physical influence over the world.

My intention is not to reject AI alignment research, but to suggest that intelligence and alignment alone may not be sufficient for physical execution systems.

In physical environments, there may also need to be explicitly declared boundaries describing what actions are allowed, under what conditions, and who is responsible for defining those limits.

That is why I became interested in structures such as Fixed Label — not only as metadata, but as machine-readable declarations of physical responsibility and execution boundaries.

Rather than replacing existing AI alignment research, I see this as a possible additional layer for situations where AI systems can produce direct physical effects in the real world.

Every product comes with a user manual.
But today, we give AI no manual and force it to guess.

If the answer already exists, why rely on probabilistic guessing?
If you don’t know, ask.

When an accident occurs, the cause must be analyzed, and someone must bear responsibility.
Probabilistic guessing cannot be the basis of physical responsibility.

Manufacturers must define AI-readable manuals—structured as discrete action units.
AI must execute physical control only within the bounds of those manuals and with explicit user approval.

AI’s freedom exists only within the manufacturer’s boundaries and the user’s declared intent.

That is the essence of ownership.
An entity incapable of responsibility cannot hold ownership over physical judgment.
AI can never own any form of physical judgment.

Will we accept accidents until “guessing” becomes perfect?
Or will we start safe control now?

If the answer exists, do not guess. If you don’t know, ask.

i think that in this discussion something else is being discussed in the periphery, and that is Failure Domain Identification

without the ability to accurately gauge where a failure comes from, a system is ultimately unuseable.
separation of concerns goes hand in hand with identification of responsibility. and what those togather introduce is not only a system that works better, but also a system that is diagnosable and treatable.

without clear boundaries, responsibility cannot be assigned. if responsibility cannot be assigned, then failure origin cannot be discovered. if failure origin cannot be discovered, then no meaningful fix can be developed. and within this process also exists another small issue, a system this confused cannot be learned from. and if it cant be learned from, then successes cannot be applied to new systems or passed on to new actors.

Thank you for naming this so clearly — Failure Domain Identification.

You’ve drawn out something that exists in the document but never surfaces as a single chain. What you’ve made explicit:

No boundaries → responsibility cannot be assigned → failure origin cannot be discovered → no meaningful fix can be developed → the system cannot be learned from → successes cannot be passed on to new systems or new actors.

This is the full consequence of the ownership gap, stated more completely than I had.

One thing this chain implies, which I think is worth noting: a system built on this structure cannot avoid keeping records. The 9-Question Protocol requires answers before execution. Those answers — who declared what, who approved what, where the AI stopped and returned judgment — are the record. Not as surveillance, but as a structural consequence. The log exists because the structure demands it.

And that means: who gave permission is traceable. Where the failure originated is traceable. What was learned can be passed forward.

There is one more thing your framing points toward, which I think is worth making explicit. This is also a structural critique of how current AI systems handle ignorance.

The 9-Question Protocol functions as a checklist. When a question has no answer, the gap is visible. That visibility is the system recognizing that it does not know. This is not a small thing.

Current AI systems largely operate in the domain of Unknown Unknowns — they do not know what they do not know, and so they fill the gap with inference, often without any signal that filling has occurred.

The protocol moves this into Known Unknowns. The absence of an answer is itself information. The system can say: I cannot proceed here, not because I lack capability, but because no one has declared ownership of this judgment.

Most AI safety discussion asks: how do we make AI judge better? This structure asks something prior: how does AI recognize where it should not be judging at all? That is a different problem, and I think a more fundamental one.

Your framing makes the diagnosability explicit in a way the document did not.

There is one piece of advice we always give to capable new employees.

Ask if unsure.

It means: if you do not know, ask.

But strangely, we almost never say this to AI today.
Most discussions move in the following directions.

1. Make the model smarter
   internal ethics, reasoning structure, coherence, architecture, memory, agent framework

2. Make the output more stable
   reducing hallucination, long-context coherence, structural persistence, prompt protocol

3. Make agents execute better
   skill, tool use, runtime, workflow, persistent state, modular architecture

But one question is almost missing.

Before answering or executing, is there enough information?

Most discussions focus on how AI can answer better.
My interest comes before that.

How can we decide when not answering is the better action?

This is not a new concept.
It is something humans have always done in collaboration.

In AI research and user discussions, the usual goal is a “correct answer.”
So when the model does not know, we try to add more context, better prompts, larger models, better reasoning, and longer memory.

But the opposite direction matters just as much.

If the context is insufficient, do not keep reasoning. Ask the user.

And the way to make the unknown visible is simpler than it may seem.

Make a checklist, and if there is a blank, ask.

AI does not need to philosophically realize “I do not know.”
We can structure the required conditions for an answer or execution, and if any required item is missing, the system should ask instead of guessing.

This is not merely good manners.
It is a structural principle.

Ask if unsure is a very short sentence.
But this sentence touches many of AI’s biggest problems at the same time.

• Hallucination problem: it happens because the model fills what it does not know with plausible language.
• Alignment problem: the model reaches a conclusion on behalf of the user even when the user’s intent is unclear.
• Agent problem: the agent executes the next action with insufficient information.
• Compute waste problem: the model keeps generating on a problem it cannot responsibly answer.
• Prompt engineering problem: when the user cannot express everything perfectly, the model fills the gaps by guessing.

Perhaps this point is still rare because AI systems are basically designed to always answer.
Chatbot UX, benchmarks, and user expectations mostly reward “response generation.”

But “the ability to ask a good clarifying question” is not yet a primary performance metric.

In real collaboration, this is extremely important.

A good human colleague asks when unsure.
A good engineer confirms when requirements are unclear.
A good doctor asks additional questions when information is insufficient.
A good lawyer does not make a firm claim when the facts are incomplete.

But we still do not say this enough to AI.

Stop guessing.
Ask when information is insufficient.

That is why this sentence is short, but strong.

Ask if unsure.

This is not a prompt tip.
It is a basic protocol for the age of agents.

Not “think more,” but
“stop when it is not enough.”

this is actually a painful; question to ask because… how does the AI KNOW if there is not enough information?

if you look at what AI is trained on, which is at minimum billions of different paremeters, the AI has alot of information to compare against that it brings to the table. and i think this is 1 part of the equation, and what this implies is that the AI is mistaking the information it already has, as the completion for the information that was given.

the other part… lack of information identification.
if we consider an idea introduced as a shape, lack of information produces a shape with 3 - 8 sides.

but comprehensive information produces a shape that has a minimum of 50 sides.

perhaps the agent should be expecting a shape with a minimum of 50 sides, and should query if prompt information given < 50 shape sides.

I think this reveals an important structural distinction that is worth making explicit.

Most people assume a single AI:

User → AI → Result

One AI judges, executes, and is responsible for accuracy.

This framework separates that into two layers:

User → Permission Layer → Performance Layer → Result

Permission Layer: Is this action allowed to begin?

Performance Layer: How is this action carried out accurately?

What sits inside each layer — AI model, agent, or hardware logic — is a separate question.

---

The Permission Layer does not judge accuracy. It only judges whether the declared conditions are met.

So the question is not:

“Can the machine brew coffee accurately?”

The question is:

“Are the declared conditions met to begin this action now?”

If the manufacturer has declared: “A cup must be placed before brewing begins” — the Permission Layer checks that condition. If the cup is not detected, the agent says: “Cup not detected. Please place a cup and try again.”

Whether the coffee is brewed well after that is the manufacturer’s responsibility. That belongs entirely to the Performance Layer.

---

We do not ignore accuracy. We reduce accuracy-related questions into declarable items — start events, end events, and target values. Whether those are implemented correctly remains the manufacturer’s responsibility.

And perhaps this is where AI alignment also becomes a product quality problem.

In physical products, AI alignment is not only a model problem. If a manufacturer’s product can be executed by an AI agent, declaring how that product’s actions are meant to be understood and bounded is part of the manufacturer’s quality responsibility.

Otherwise, the Permission Layer has nothing to check against — and the AI will fill the missing structure through general inference.

Model knowledge can help interpret.

Declared conditions must authorize execution.

---

There is a common leap in these discussions that I think comes from this missing layer.

Because most people’s reference point for AI is prompts and vibe coding:

Prompt:      User says something → AI responds → almost always executes
Vibe coding: User requests change → code changes → execution is assumed

The default is execution. Refusal is the exception.

So when people hear “AI can execute physical actions,” the logic jumps directly:

AI can make coffee
→ AI can do anything
→ AI can press the nuclear button

There is no middle step. Because in the single-layer model, there is no middle step.

---

But physical execution is a different structure entirely:

Prompt               → almost no refusal conditions → always executes
Vibe coding          → limited scope → mostly executes
Physical (general)   → Permission Layer → executes only if conditions are met
Physical (high-risk) → Permission Layer → much stricter conditions required
Nuclear button       → entirely separate political, military, and legal structure

The nuclear button is not an AI execution problem. Human society already handles that through entirely separate structures.

---

The reason the leap happens is this.

If you assume a single AI layer with no refusal structure, scale is the only variable. Bigger action, same logic. That is frightening, and reasonably so.

But if a Permission Layer exists, the question changes completely.

It is no longer:

“Will AI press the button?”

It becomes:

“Under what declared conditions is this action allowed to begin?”

That is not a question of fear. That is a question of design.

And design is manageable.

A Declaration Structure for Physical AI Safety

Distinguishing LLM from Agent, and the Missing Context Layer

---

1. The Problem

Current AI regulation treats “AI” as a single entity. It does not distinguish between the LLM and the agent.

The result:

• Responsibility is assigned after the fact
• Boundaries are never declared in advance
• The LLM fills the gap with inference
• The agent executes without defined limits

---

2. LLM and Agent Are Not the Same

LLM — A Reasoning and Generation Engine

It produces outputs when called, but it does not act on its own.

Agent — An Execution System

An agent repeatedly calls the LLM, interprets its outputs, connects them to tools, devices, and services, and converts text into real-world action.

This is where the risk appears.
When an agent built on top of an LLM connects to tools, devices, and services without clearly defined boundaries.

---

3. The Context Problem

The prevailing approach has been to feed the agent more Context to improve LLM accuracy.
But the real goal is not more Context — it is precise Context.

• Without Context, the LLM must guess what an action means.
• With Context, the LLM reasons from declared information.
• Context is more reliable than inference.

As new devices emerge and new services are built, any approach that depends on guessing will eventually fail.

Physical AI safety must not depend on guessing. It must begin with declared Context.

---

4. What Is Missing — The Undeclared Context Layers

There is a structural gap in the Context that agents currently pass to LLMs.

Today, only layers 3 and 4 exist. Layers 1 and 2 are absent.

So the LLM reasons without boundaries, and the agent executes without boundaries.

---

5. Declaration Before Verification

How do we make an agent’s verification trustworthy?
The verification of ethics, regulations, and physical laws is an open problem. The entire field is working on it.

But there is something we can do right now. Declaration must come before verification.

1. The manufacturer and service provider declare their boundaries.
2. The agent validates those boundaries and provides them as Context.
3. The LLM reasons within that Context.
4. The user approves within those boundaries.

---

6. Why Now — Irreversible Execution

A traffic light is not a device for assigning blame after an accident. It is a structure that prevents the accident before it happens. Physical AI safety must work the same way.

Agent execution creates irreversible harm through two paths:

• Physical execution — a door opens, a gas valve turns, a vehicle moves.
• Digital execution — a file is deleted, a record is altered, a financial transaction is processed.

Both paths are difficult to undo. That is why interception must come first.

And interception is technically achievable. A structure of declaration and Context provision can stop execution before it happens.

---

7. Why This Changes the Alignment Problem

When boundaries are declared, the LLM reasons within them.
When boundaries are absent, the LLM must construct them on its own. That is the source of instability.
Declaration removes the requirement for the LLM to guess.

An agent executing without Context is precisely the scenario that AI alignment research fears most.

A structure of declaration and Context provision transforms alignment from a philosophical problem into an engineerable design.

The goal is not to assign responsibility after harm occurs — it is to intercept the harm at the reasoning stage, before execution begins.

---

Declaration first.

#12 identifies what is structurally missing.

This comment focuses on how to complete it.

Two types of context must be declared and delivered:

Manufacturer context is a structural issue.
If it was declared but not delivered to the LLM, the failure is not a model failure.
It is a context-delivery failure.

User context is a methodological issue.
The common approach is to add more data to improve inference.
This framework takes a different position: if intent is incomplete, ask.

Asking serves three roles at once:
it completes context, obtains user approval before execution, and reduces inference cost.

The goal is not to maximize context size.
The goal is to make context accurate enough for responsible execution.

If manufacturer context is missing, the agent should not proceed as if nothing is missing.
If user context is incomplete, the agent should ask.

AI Alignment in Prompts

The First Question

The question in AI alignment:

“How do we validate what an agent is about to execute?”

But there is a more fundamental question:

“Who declares the physical boundaries and responsibilities required for that validation — and in what form, and where?”

---

The Fundamental Difference

General AI governance tries to check AI.
Physical Execution Boundary ensures AI is never granted authority it cannot own.

---

Where Alignment Actually Lives

Most current alignment does not reside inside the LLM.
It lives in the agent’s input and execution layer — System Prompts, tool policies, approval flows, and runtime guardrails.

Large companies include these layers.
Individual developers often do not.
Not removed — never included in the first place.

---

The Decisive Shift

If alignment depends on the agent implementation, alignment becomes optional.

And it is already disappearing — quietly:

• Absent through ignorance
• Omitted for convenience
• Stripped for performance (“it refuses too much”)
• Intentionally bypassed (“unrestricted agents”)

Once agent development is fully commoditized, alignment turns into a competitive disadvantage.

---

The Fundamental Limit of Hardcoded Alignment

New situation → add rule → new exception → add another rule.
In an open world, this process never ends.

---

The Real Risk Is Not AI — It Is People

The Accountability Gap

• LLM provider → “We only provide the model”
• Agent developer → “We only made the call”
• Device → “We only received the command”

The gap appears exactly where physical execution happens.

The future risk is not only an unaligned LLM.
It is an ungoverned agent using even an aligned LLM to execute physical actions.

---

What Physical Execution Boundary Offers

The manufacturer declares boundaries through Fixed Labels.
The user expresses intent through User Labels.
The agent’s only required action is to read and respect these declarations.
No need for the AI to independently reason about danger.

Accountability becomes verifiable by three clear questions:

1. Did the manufacturer declare the boundary?
2. Did the agent read and deliver it?
3. Did the user approve?

---

Conclusion

AI governance has been framed as “better control of AI.”
But the real problem is people hiding behind AI to avoid responsibility.

To audit AI’s judgment is to have already granted it the authority to judge.
Physical Execution Boundary refuses to grant that authority in the first place.

Fixed Label is not a UX feature — it is a manufacturer’s signed declaration of responsibility.