NIST proof: no finite set of guardrails blocks every jailbreak

What is this?

On June 9, 2026, NIST published a news release describing a peer-reviewed result by Apostol Vassilev, a senior scientist at the National Institute of Standards and Technology and a specialist in adversarial machine learning. In the paper “Robust AI Security and Alignment: A Sisyphean Endeavor?” (IEEE Security & Privacy, May 2026, DOI 10.1109/MSEC.2026.3678214), Vassilev gives a mathematical proof that no finite set of guardrails is universally robust against adversarial prompts. For any fixed collection of safety rules, some prompt exists that makes the model disregard them — the only question is finding it.

This is not a vulnerability disclosure and there is no payload. It is a structural, provable limit on a defensive approach that much of the industry still treats as a problem to be solved once. We cover it because the conclusion reframes how teams should budget their safety effort, and because it puts a rigorous foundation under a shift others have argued on empirical grounds — including OWASP’s case that defenders should contain prompt injection at machine speed rather than expect a fix.

How it works

The argument extends Kurt Gödel’s incompleteness theorems, published in 1931. Gödel showed that any consistent formal system built on a finite set of axioms cannot prove every true statement expressible within it; you can add axioms to patch the gaps, but each addition reopens the same problem. Vassilev maps this onto AI safety: the guardrails an AI’s designer writes are exactly such a finite rule set, so there will always be an input the rules fail to cover.

Two properties of LLMs make the gap practically exploitable rather than merely theoretical:

Property                        Consequence for guardrails
------------------------------  --------------------------------------------
Natural-language input          Compliance checking against a finite rule set
                                is "infinitely ambiguous" — harmful intent can
                                be hidden in plain text in unlimited ways.

Instructions and data share     The model has no reliable internal boundary
the same channel                between trusted rules and untrusted input, so
                                input can compete to become an instruction.

Crucially, the proof is an existence result, not a recipe. It says a bypassing prompt exists for any fixed defense; it gives an attacker no method to construct one. In Vassilev’s framing this forces adversaries toward zero-day-style discovery — searching for a weakness no one else knows — rather than reusing a published technique. That is the same structural fact behind the defense trilemma for prompt-injection wrappers and the reason approaches that aim at provable guardrails constrain what an agent can do rather than promise the model will never be fooled.

Why it matters

The result draws a hard line under the “one and done” security model: ship a model, bolt on a classifier, declare the safety problem closed. If a complete, fixed defense is mathematically impossible, then any claim of being “robust against all adversarial prompts” is false by construction, and a static guardrail set is a snapshot that decays as attackers probe it.

Empirical findings already point the same way. Help Net Security’s coverage cites Stanford’s Trustworthy AI Research Lab finding that model-level guardrails are insufficient on their own — fine-tuning attacks bypassed Claude Haiku in 72% of cases and GPT-4o in 57% — echoing the broader pattern that benign-looking fine-tuning degrades safety. Prompt injection topped the OWASP 2025 LLM Top 10 precisely because models struggle to separate instructions from data. The proof explains why none of this is a temporary engineering shortfall.

Defenses

Vassilev’s prescription is not despair but a change of model — from seeking a permanent fix to a continuous monitor-and-update posture with three elements:

• Continuous red teaming. Stand up teams (and automated harnesses) that constantly hunt for new adversarial prompts before attackers do. The economics here favor speed — see how agentic red teaming compresses weeks to hours.
• Continuous hardening. Update guardrails against each newly discovered prompt, and wire adversarial test suites into CI/CD so that model swaps, prompt changes, and agent reconfigurations automatically re-run the attack battery.
• Operational resilience. Assume an exploit will eventually land. Prioritize limiting blast radius and fast recovery — minimal tool scopes, ephemeral credentials, and runtime containment over after-the-fact log review.
• Layer beyond fixed rules. Combine input/output filtering with representation- or behavior-level signals such as internal-state jailbreak detection, accepting that each layer raises cost rather than guarantees coverage.
• Set honest expectations. The goal Vassilev states explicitly is an economic equilibrium: make the cost of finding a new exploit exceed what an attacker is willing to spend. That is partial, ongoing security — not a finish line.

Status

Item	Detail
Author	Apostol Vassilev, senior scientist, NIST
Paper	”Robust AI Security and Alignment: A Sisyphean Endeavor?”, IEEE Security & Privacy, May 2026 (DOI 10.1109/MSEC.2026.3678214)
NIST release	June 9, 2026
Press coverage	Help Net Security, June 10, 2026
Nature	Mathematical proof (Gödel-based) — no payload, no attack method
Takeaway	Fixed guardrails cannot be universally robust; adopt continuous monitor-and-update

The durable lesson is that AI safety, like Gödel’s mathematics, has no finite axiom set that closes it for good. Guardrails remain worth building — they raise the attacker’s cost — but they should be treated as a process to maintain, not a perimeter to finish. The honest target is making attacks economically prohibitive, then never standing still.