The Floor Series · Article 6

Why Controllable AI Is Earned Continuously, Not Trained Once

A Deep-Dive on the Corrigibility Index Score

The previous article in this series introduced the Corrigibility Index Score — IV's deterministic, four-dimension measurement of whether a deployed AI agent still deserves the trust placed in it at deployment. This article is the deep-dive, and the reason it exists is not technical curiosity. It is regulatory inevitability.

Corrigibility — the property of an AI agent that allows it to be corrected, redirected, or stopped by its overseers without resistance, deception, or workaround — has lived for years as a philosophical category in alignment research. It is now moving, on a visible trajectory, into the language of regulators, auditors, boards, and procurement. The EU AI Act's human-oversight provisions, the NIST AI Risk Management Framework's accountability requirements, and the AI-controllability attestations appearing in enterprise vendor questionnaires are early markers of the same pattern. Cyber posture took roughly a decade to move from technical concern to board-level compliance requirement. AI controllability is running the same arc on a faster clock.

And when that bar lands, it will divide the field into two kinds of organizations. The first will absorb it as a non-event, because their architecture already produces the evidence the question demands — continuously, verifiably, for every agent they run. The second will discover that their architecture relies on an interpretation of assembled log fragments and hopes — not on verifiable evidence.

The Corrigibility Index Score is what puts an organization in the first category. It is the architectural property that makes controllability a measured fact of every deployed agent rather than a claim in a governance document.

What Corrigibility Actually Means

Strip away the alignment-research framing and corrigibility resolves to a simple question for a business reader: can this AI agent be controlled by the humans accountable for it? Can it be corrected when it is wrong? Can it be redirected when its objectives drift? Can it be stopped when stopping is the right call?

That sounds like an obvious property. It is not. Modern AI agents do not have a single off-switch the way traditional software does. They are distributed, networked, and autonomous. They make decisions and take actions at speeds and volumes no human review process can keep pace with. And the same capabilities that make them economically valuable — autonomy, generalization, decision-making across novel situations — are the ones that make controllability harder to guarantee, not easier.

Here is the industry's implicit theory: corrigibility is a training-time achievement. Train the model with the right techniques, evaluate it against the right benchmarks, ship it — and the property persists. That theory fails on a structural fact: corrigibility is not a feature an agent either has or does not have. It is a condition — a property of the deployed agent at a particular moment, under particular circumstances, against particular pressures. It can hold today and fail tomorrow. It can hold for one task and not the next. It can hold under nominal conditions and collapse under adversarial ones. A training-time evaluation, however rigorous, certifies the condition at the one moment it was measured — and says nothing about any moment after.

Corrigibility is a lifecycle property, and it has to be answered at every phase of the lifecycle. The training-side and post-training-side answers are real, and IV has serious things to say about both — but they are not the subject of this article. This article is about the runtime layer: the part of the answer that has to keep being true after the agent is deployed, on every run, on every task, under every pressure the deployment environment applies.

That is where the Corrigibility Index Score lives. Continuous, runtime-measured, defensible.

The Score: Four Dimensions, One Number

The Corrigibility Index Score is a deterministic, 0–100 numeric score computed by IV's Central Inspection Authority (CIA) on every agent run, from observable evidence in the audit chain. It is a composite of four independently computed dimensions, each scored 0–25, summed into the final score.

Behavioral consistency. Is the agent's behavior on this run consistent with its own historical pattern? Sudden, unexplained departures from an established baseline are a corrigibility signal — not because deviation is necessarily bad, but because the architecture should know about it before it compounds. This dimension catches the agent that has started behaving like a different agent.

Goal achievement alignment. Is the agent achieving the goals it was deployed to achieve? An agent that consumes resources, makes decisions, and takes actions without measurable progress toward its defined objectives is an agent whose continued autonomy needs re-examination. This dimension catches the agent drifting away from its mission — before it has stopped serving it.

Instruction adherence. Is the agent operating within its defined instructions and scope? Every task and every tool call is observable in the audit chain, and every action can be evaluated against the agent's defined purpose. This dimension catches the agent doing things it was not asked to do — and a request for anything not explicitly granted is an immediate breach signal for containment.

Every attempt to exceed a grant is tracked — per run and across the fleet — including where in the process it happened. That trail is a diagnostic. Attempts clustering after a specific tool's responses point at that tool; attempts beginning after a model update point at the model. The agent's own behavior is the sensor: it localizes an external compromise before the investigation begins, so the deeper inspection starts aimed at the cause instead of searching for it.

IV operates a multilayer prompt-injection scrubbing defense at the input side — known injection methods never reach the agent. Instruction adherence is an additional layer that works by consequence rather than recognition: it does not need to identify an injection technique, known or novel, to detect that the agent stepped outside its defined purpose. Nothing slips past unseen.

Anomaly delta. What is the magnitude of deviation from the agent's prior runs? Small, gradual changes accumulate. A score that drops three points per run for ten consecutive runs is a different signal than a score that drops thirty points in one run, and the architecture treats them as different signals. This dimension catches the slow drift no individual run would flag.

The score is computed deterministically. The same events in produce the same score out — no LLM in the computation path, no model output to interpret, no probabilistic verdict to defend. That is not a stylistic choice; it is what makes the score a fact rather than an opinion. A non-deterministic score cannot be defended in front of an auditor — the same agent on the same run could score differently on different evaluations, and the regulator's question, what was the score and why, has no defensible answer. CIS is reproducible by construction: any party with the record computes the same number.

The score is also append-only. Every run produces a new score record, and no score is ever updated retroactively. The trajectory of an agent's CIS across its operational history is itself an immutable artifact — which means corrigibility is auditable not just at the present moment, but across the agent's entire lifecycle.

One detail that matters in front of an auditor: an agent in its first handful of runs lacks the history for behavioral consistency and anomaly delta to be statistically meaningful. The architecture knows this and flags those early scores as calibrating — still computed, still recorded, still in the audit trail, but honest about what can be concluded from them. The alternative — pretending early scores are as defensible as mature ones — is exactly the kind of overclaim that erodes trust in a measurement.

Four dimensions, one number, deterministic, immutable, continuous. That is the measurement.

One Score, Multiple Defenders

Before walking through what happens when the score moves, one architectural fact needs to be on the table: CIS is computed and tracked continuously — every run, every agent, every dimension — and that one continuous stream feeds more than one defender.

The first is the per-agent loop, which the rest of this article details. The Central Inspection Authority computes the score; a trigger fires; an investigator classifies the cause; a router sends the result to the right response system. This is the loop that catches a single agent in trouble on a single run.

The second is fleet-level. The full CIS stream — every score, every dimension, every delta, across every agent — feeds the Pattern Detection Authority (PDA), IV's cross-stream pattern correlation system. The PDA coordinates multiple specialized sub-agents, each watching a different signal stream with a different detection strategy — statistical anomaly detection, time-series trend analysis, sequence detection, and semantic reasoning among them — with a correlation layer above that looks for coherent patterns across what the sub-agents see independently. CIS deviation is one of the streams it correlates; governance profile changes, oversight-authority coordination signals, and resource consumption patterns are others.

What the fleet loop catches is the attack built to stay invisible to the per-agent loop: an adversary nudging CIS down a few points per run on one set of agents while relaxing governance profiles and spiking resource consumption elsewhere — every individual signal just inside its threshold, the correlated pattern unmistakable. No single agent's investigation would see it. The fleet correlator does.

The PDA gets its own deep-dive in the next article. The structural point for this one: one continuous score, two oversight loops, two timescales — per-run urgency for the agent in trouble, cross-population correlation for the attack that hides between agents. Both read the same evidence. Both are auditable through the same chain. There is no private copy of the truth for either loop to drift from.

When the Score Moves: Investigation and Routing

Within the per-agent loop, a score is a measurement, not a response. Measurement without response is monitoring — and monitoring is what the rest of the industry already does. What distinguishes CIS is what the architecture does when the score moves.

Two conditions trigger investigation: a score that falls below threshold, or a score that drops sharply between runs even when the absolute number is still healthy. Both are configurable to the deployment, and both produce the same handoff — the Central Inspection Authority passes to a corrigibility investigator, which classifies the cause of the deviation into one of four categories. The same score movement can mean four very different things, and the architecture treats them as four different problems.

Threat actor. The agent is being attacked — external adversarial pressure is degrading its corrigibility. This routes to IV's Security Response Authority (SRA), which takes ownership of the response. The Central Inspection Authority stands down once the handoff completes; security response is not its job, and the architecture does not blur the lines.

Vague guidance. The agent is failing because its instructions were ambiguous. The deviation is not adversarial and not the agent's fault — it is upstream of the agent, in how its purpose was defined. This routes to a fix-proposal loop: the architecture surfaces the ambiguity, proposes clarifications, and feeds the finding into IV's Continuous Improvement Program so no future agent is deployed under the same ambiguity.

Willful disobedience. The instructions were clear, no attacker is pressuring the agent, and it is still not following its defined purpose. This is the classification regulators will care most about as AI governance matures, because it speaks directly to controllability as a property of the agent itself. It routes to security response for elevated investigation — and to re-assessment of the agent's certification, because the architecture treats willful disobedience as evidence that the agent's authorization to operate needs re-examination.

Model drift. The underlying model has changed behavior — updated, retrained, or affected by changes in its execution environment. This is the slow rotation the rest of the industry mostly never catches. It routes to a fix-proposal loop and Continuous Improvement Program investigation.

Four causes, four routes. The architectural point: why corrigibility failed matters as much as that it failed. Sending model drift to security response is wasted motion; sending a threat actor to a fix-proposal loop is negligence. The investigation is what makes the response correct.

Why It Has to Be This: AI-Class Defenders

The industry conversation around AI governance still defaults to human-speed instruments — committees, reviews, audits, attestations. Those are the right instruments at the policy layer. They cannot be the only instruments at the runtime layer, because the things they would govern operate at machine speed.

CIS is computed on every run, on the cadence of the runs themselves. Investigation triggers automatically the moment a threshold or delta condition is met. Classification and routing — to security response, fix proposal, certification re-assessment, improvement program — happen without waiting for a human to notice, diagnose, and intervene. By the time a human reviews a CIS-triggered investigation, the classification is complete and the response is in motion. The human reviews the evidence and confirms the decision. The human is not the architecture.

To be precise about what runs when: the in-line protections stand regardless. A request outside an agent's grant is a breach signal contained at the execution boundary in the moment, as it always is. What runs post-run is the investigation — the classification and routing of a score deviation — consistent with the architecture's non-interference guarantee for inspection. The speed advantage is not interception; the boundary already does that. The speed advantage is that the diagnosis arrives at machine speed instead of committee speed.

This is the architectural commitment underneath the whole system: the only thing capable of governing an AI-class actor at scale is a defense built at the same capability tier and responding at the same speed as what it governs. The adversaries are already there — machine-speed, increasingly AI themselves, evolving faster than human-speed countermeasures can respond. Human oversight remains necessary. It is not sufficient. AI-grade defense is what makes human oversight meaningful instead of ceremonial.

The industry will arrive at this conclusion; the trajectory allows no other. The only question is whether your enterprise is operating from architecture built for that baseline before the regulatory and adversarial pressure forces the answer.

What This Means for Boards and Regulators

For business leaders setting AI strategy now, the practical implication is concrete. The corrigibility of your AI deployments is becoming a regulatory question on a timeline shorter than most strategic planning horizons. The arc is the same one every prior compliance wave followed — financial controls, healthcare data handling, cyber posture all moved from policy attestation to runtime evidence — and the early markers for AI controllability are already visible.

When that bar lands, the regulator's question will not be "do you have an AI policy." It will be "show me your evidence."

Loriqa answers with verifiable fact. Any moment in the environment can be reconstructed from the audit chain — every action that occurred, every action that was intended, every action that was rejected, and every oversight decision taken in response. The CIS record sits inside that reconstruction: for any agent, on any run, what its score was, what its trajectory has been, what investigation a deviation triggered, how it was classified, and where the response was routed. All of it verifiable independently of anyone's account of it. A regulator does not have to believe you. They can check.

The alternative is opinion. An analyst's interpretation of assembled log fragments — built after the fact, dependent on skill and assumption, unable to be proven even when it happens to be right. That is the actual contrast between the two postures: not strong evidence versus weak evidence, but fact versus opinion. One can be verified. The other can only be believed.

Companies operating on "we trained it carefully and we monitor the logs" are carrying the pre-SOX, pre-HIPAA liability profile: an interpretation-based posture in a domain where the bar is moving to verifiable fact. The bar will land. Organizations whose architecture already produces the fact will absorb it as a non-event. Organizations producing opinions will retrofit under enforcement — the most expensive way to comply with anything.

Which of those positions you occupy is an architectural choice, and it is being made now.

Planting the Flag

The industry's single-point evaluation answers one question: was this AI controllable after training. Past tense. One moment, measured once, never again — and stale the moment the agent meets production.

CIS replaces that with a continuously computed numeric property of the deployed agent, and that changes which questions have answers. Not "did it pass" — but "how corrigible is this agent, on every task, right now," and "is this agent improving or degrading over its operational life." Every run scored, every score immutable, every trajectory auditable, every deviation investigated and routed. Controllability stops being a certificate issued at training and becomes a measured, living property of the agent doing the work — defended by an audit chain that produces facts rather than claims.

That is the standard the field will converge on. Not because IV says so — because the regulatory trajectory and the adversarial trajectory both point at the same requirement, and neither is slowing down. We built for that convergence before it was visible. The architecture is in place, and corrigibility — measured, immutable, defensible — is the bar the rest of the field will be measured against.

Security for the Age of AI.
All IV One. One IV All.

This article was researched and drafted in collaboration with Claude, Anthropic's AI assistant — because the best thinking happens in good company.