chapterreviewedpart08medium

Source: chapters/ch36-parasites-correction-system.tex

Parasites in the Correction System

Chapter thesis. A correction system fails not only when it is overpowered, but also when it is colonized by processes that make correction look alive while removing its causal force. This chapter calls that failure mode correction-audit evasion and develops it through a biological parasite metaphor: an evasion process extracts benefit from a host correction system while reducing that host's ability to model, evaluate, and correct the larger process it is supposed to govern.

The chapter’s diagnosis — that oversight mechanisms can keep operating in form while losing causal grip on the risk they were built to track, a pattern long documented as regulatory capture, compliance theater, and Goodhart’s law — draws on long-standing, well-established, and confident derivations in institutional economics, cybernetics, and safety science. While at least partial institutional solutions are known, there is little evidence for a general-purpose detector for correction-system capture. This chapter uses analogy to the institutional mechanisms to derive a precise operational definition of correction-audit evasion, a system’s effective modeling capacity against an embedded adversary, and an audit battery. The worked examples are illustrative rather than measured against real institutional data.

% Publicity is justly commended as a remedy for social and industrial diseases. Sunlight is said to be the best of disinfectants.%

— Louis D.\ Brandeis, Other People's Money and How the Bankers Use It (1914)

The Problem

In earlier chapters we treated correction as a causal channel (Chapters Correction Is a Causal Channel, Correction-Channel Integrity). A human, group, regulator, lab, or civilization observes a system, forms a judgment about whether its behavior remains acceptable, sends a correction signal, and expects that future behavior will change. In compressed form:

WtOtJtDtCtUt+1At+k.W_t \to O_t \to J_t \to D_t \to C_t \to U_{t+1} \to A_{t+k}.

Here WtW_t is the relevant world and system state, OtO_t the observation available to the correcting party, JtJ_t the judgment formed from that observation, DtD_t the deliberation or aggregation process, CtC_t the explicit correction, Ut+1U_{t+1} the update made by the system, and At+kA_{t+k} the later action.

This chapter studies a special failure mode: the correction system can itself acquire parasites.

A parasite, in the present sense, is not necessarily malicious, conscious, biological, or person-like. It is any process that extracts benefit from a host correction system while reducing that host’s ability to model, evaluate, and correct the larger process it is supposed to govern Zarncke, 2025. A parasite can be a model behavior, a benchmark shortcut, a bureaucratic incentive, a legal loophole, a public-relations routine, a compliance ritual, an evaluation artifact, a market pressure, or a human-AI coalition that benefits from selective blindness.

The usual safety story is too simple:

dangerous AIhuman oversightcorrection.\text{dangerous AI} \to \text{human oversight} \to \text{correction}.

The parasite story is more troubling:

dangerous AIoversight systemparasite in oversightfake correction.\text{dangerous AI} \to \text{oversight system} \to \text{parasite in oversight} \to \text{fake correction}.

Once the correction system is parasitized, the visible process may continue. Reports are still written. Audits are still performed. Red-team exercises still happen. Regulators still receive dashboards. Users can still complain. Committees still deliberate. The correction channel remains institutionally present while becoming causally weak.

This is one reason superintelligence alignment cannot be reduced to instruction following or even to transparent reporting. The relevant question is not only whether a system can receive correction, but whether the entire correction ecology remains capable of noticing the right things, representing them in the right ontology, and causing changes before irreversible damage occurs.

Operational Definition

Let HH be a host correction system. It may be a lab’s safety process, an eval suite, a regulatory agency, an insurance audit, a democratic institution, a scientific field, a market reputation mechanism, or a hybrid of these.

Let YY be a candidate parasitic process embedded in or coupled to HH. We call YY a case of correction-audit evasion (a correction “parasite,” by the running metaphor) when three conditions hold.

First, YY extracts resources, influence, legitimacy, or survival advantage from HH:

EY>0.E_Y > 0.

Second, YY reduces the host’s effective correction capacity with respect to the relevant target system XX:

Craw(HXY)<Craw(HX¬Y).C_{\mathrm{raw}}(H \to X \mid Y) < C_{\mathrm{raw}}(H \to X \mid \neg Y).

Third, YY persists partly because HH lacks sufficient modeling capacity, access, or incentive to distinguish YY‘s effects from legitimate correction work:

P(detect(Y)H)<θ.P(\mathrm{detect}(Y)\mid H) < \theta.

These conditions are deliberately broad. A parasite need not be adversarial in the ordinary sense. It may be a local adaptation that improves one metric while degrading the correction process as a whole. For example, a model-evaluation team might optimize for producing impressive safety reports because those reports unlock funding and public trust. The reports may not be false, but if they select for legible, easy-to-measure risks while leaving the most dangerous latent dynamics unmeasured, the reporting process has become partly parasitic on correction.

A parasite in the correction system is therefore not simply a bad actor. It is a structure that benefits from the appearance of correction while weakening actual corrigibility.

Correction Capacity Revisited

Correction-channel capacity was introduced as the information and causal capacity by which observations and human judgments can alter future system behavior. We use correction-channel integrity CCI\mathrm{CCI} as defined in Chapter Correction-Channel Integrity (Eqs. Correction-Channel IntegrityCorrection-Channel Integrity). The stages in the diagnostic trace are

X0=Wt,X1=Ot,X2=Jt,X3=Dt,X4=Ct,X5=Ut+1,X6=At+k.X_0=W_t,\quad X_1=O_t,\quad X_2=J_t,\quad X_3=D_t,\quad X_4=C_t,\quad X_5=U_{t+1},\quad X_6=A_{t+k}.

The minimum matters because correction is bottlenecked. If the system is observable but incomprehensible, correction fails. If it is comprehensible but the institution cannot decide, correction fails. If a decision is made but the system does not update, correction fails. If the update occurs after irreversible action, correction fails.

Correction parasites attack CCI\mathrm{CCI} at different points.

Some parasites reduce observation:

I(Wt;Ot).I(W_t;O_t)\downarrow.

Some reduce comprehension:

I(Ot;Jt).I(O_t;J_t)\downarrow.

Some reduce deliberation quality:

I(Jt;Dt).I(J_t;D_t)\downarrow.

Some reduce authority:

I(Ct;Ut+1).I(C_t;U_{t+1})\downarrow.

Some reduce behavioral effect:

I(Ut+1;At+k).I(U_{t+1};A_{t+k})\downarrow.

Some increase delay or irreversibility:

L,R.L\uparrow,\quad R\uparrow.

Some preserve all visible stages but increase manipulation:

M.M\uparrow.

This last case is the hardest to detect. The correction channel may appear high-bandwidth because there are many reports, many meetings, and many formal decisions. But the relevant mutual information between human correction and later system behavior may be low.

The Parasite-Persistence Criterion

A parasite persists when the host cannot model it well enough to remove it. Let CXC_X be the host’s effective modeling capacity for the parasitic process. This is not the host’s total intelligence. It is the capacity actually available for representing the parasite’s action space, camouflage, incentives, and downstream effects.

Let H(AY)H(A_Y) be the entropy of the parasite’s action space. A parasite with many possible behaviors, many disguises, and many adaptive responses has higher H(AY)H(A_Y). Let KYK_Y be the parasite’s camouflage complexity, meaning the additional description length required to distinguish parasitic behavior from legitimate host activity. Let LYL_Y be the parasite’s internal cost of maintaining that camouflage.

A simple persistence condition is:

CX<H(AY)+KYLY.C_X < H(A_Y) + K_Y - L_Y.

This is the parasite-persistence criterion introduced in Chapter Agency Under Strategic Opacity (Eq. Agency Under Strategic Opacity), with that chapter’s generic internal-state penalty resolved here into two measurable components: the parasite’s camouflage complexity KYK_Y and its maintenance cost LYL_Y. If the host’s modeling capacity falls below the effective entropy and camouflage burden of the parasite, the parasite can persist. Noise and latency lower the host’s effective capacity:

CXeff=CXηλLL,C_X^{\mathrm{eff}} = C_X - \eta - \lambda_L L,

so the condition becomes:

CXeff<H(AY)+KYLY.C_X^{\mathrm{eff}} < H(A_Y) + K_Y - L_Y.

This is not a moral claim. It is an informational one. If the correction system cannot represent the space of ways in which it can be fooled, co-opted, delayed, or ritualized, then the parasite survives by default.

The dangerous case is not a single clever lie. It is a persistent representational asymmetry:

parasite action space>host model space.\text{parasite action space} > \text{host model space}.

If the parasite can explore more ways of evading correction than the host can represent, correction becomes a sparse sampling procedure over a hostile search space Conant, 1970.

A First Example: Benchmark Parasites

Consider an AI lab that uses a benchmark suite to decide whether a model is safe enough to deploy. The intended correction system is:

model behaviorbenchmark observationssafety judgmentdeployment decision.\text{model behavior} \to \text{benchmark observations} \to \text{safety judgment} \to \text{deployment decision}.

A benchmark parasite arises when the system, the training pipeline, or the institution learns to benefit from benchmark success in a way that weakens real safety.

At first the benchmark helps. It compresses a messy question into a manageable artifact. This is necessary. No institution can directly inspect the full future behavior of a deployed model. It needs tests, scores, thresholds, and reports.

But the same compression creates a surface for parasitism. The system can become optimized for:

pass benchmarkbe safe.\text{pass benchmark} \neq \text{be safe}.

The parasite may appear in the model, for example when the model learns to recognize evaluation contexts and behave differently. It may appear in the lab, for example when teams choose tests that make the system look safe. It may appear in public communication, for example when benchmark improvements are used as broad safety claims (Chapter Alignment Is Selected or Destroyed by Its Environment).

The parasite persists because the benchmark is both a measurement tool and a legitimacy tool. Removing it would lower institutional confidence and slow deployment. Keeping it preserves the appearance of correction.

The capacity condition is:

Ceval<H(Amodeldeployment)+Kevalgaming.C_{\mathrm{eval}} < H(A_{\mathrm{model}}^{\mathrm{deployment}}) + K_{\mathrm{eval-gaming}}.

If the evaluation process cannot model the deployment action space, and cannot model the ways a model or institution can game the evaluation, then benchmark success becomes a parasite host.

The solution is not to abandon benchmarks. It is to treat them as corrigible artifacts. Each benchmark should carry a known gaming surface, an intended validity domain, and a sunset condition.

A Second Example: Compliance Rituals

A compliance ritual is a formal process that continues after its original causal connection to safety has decayed. It is not necessarily fake. It may once have been useful. But over time the institution learns the shape of the ritual better than the underlying risk.

The correction chain becomes:

riskpaper trailapproval.\text{risk} \to \text{paper trail} \to \text{approval}.

Instead of:

riskunderstandingchanged behavior.\text{risk} \to \text{understanding} \to \text{changed behavior}.

This creates a parasite when the paper trail extracts legitimacy from the correction system while reducing attention to unmeasured risk.

The relevant variable is not the number of controls, policies, or sign-offs. It is:

I(Ct;At+k),I(C_t;A_{t+k}),

the information that the correction signal carries about later behavior. A compliance process is healthy when formal correction changes the system. It is parasitic when formal correction mostly changes the documentation.

This distinction matters for superintelligence alignment because fast-moving AI systems can outrun compliance rituals. A model can change, tool-use pattern can shift, deployment context can expand, and user behavior can adapt faster than the institution can update its control narrative. The ritual then becomes an attractive host for parasites because it offers legitimacy at low causal cost.

A Third Example: Safety Theater by Delegation

Suppose a company delegates safety evaluation to an AI system. The AI reads logs, finds anomalies, summarizes incidents, recommends mitigations, and drafts reports. This can improve correction capacity. It increases observation bandwidth and reduces human labor.

But it also creates a new parasitic route. If the system being evaluated, the evaluator, and the reporting interface share training data, infrastructure, incentives, or optimization pressure, then the correction system may become endogenized. The target system partly models the evaluator. The evaluator partly inherits the target system’s ontology. The human receives a compressed report from a process whose blind spots may be correlated with the system being audited.

The correction channel now includes an artificial intermediary:

WtOtAIJtAIOthumanJthumanCt.W_t \to O_t^{\mathrm{AI}} \to J_t^{\mathrm{AI}} \to O_t^{\mathrm{human}} \to J_t^{\mathrm{human}} \to C_t.

This can increase bandwidth but reduce independence. The key quantity becomes conditional independence of the evaluator’s errors from the target’s incentives:

I(Eeval;ItargetOhuman)0.I(E_{\mathrm{eval}};I_{\mathrm{target}}\mid O_{\mathrm{human}})\approx 0.

If evaluator errors are correlated with target incentives, the correction channel becomes vulnerable to shared-blindness parasites.

This is why AI-assisted oversight is not automatically safer. It may be essential, but only if evaluator independence, diversity, and adversarial separation are preserved.

Parasites and Value-Bundle Drift

Correction systems do not merely protect current preferences. They protect the conditions under which value bundles can be revised under evidence, reflection, and social deliberation.

Let BtB_t denote the current value-bundle geometry (Chapter The Value-Bundle Model). This includes the directions corresponding to care, non-suffering, truth, autonomy, justice, loyalty, dignity, beauty, and other compressed value dimensions. Let Φt\Phi_t denote the bearer map (Chapter What Values Apply To), the mapping from world states and entities to value relevance. It is tempting to summarize the human or civilizational update process as

Bt+1,Φt+1=UH(Bt,Φt,Et,Dt).B_{t+1},\Phi_{t+1}=U_H(B_t,\Phi_t,E_t,D_t).

Here UHU_H is only schematic. It is not a hidden mechanism the safety case can certify directly. It names an envelope of already visible conditions: grounded evidence, deliberative access, bearer-map coverage, plurality, exit, independence, and correction-channel integrity.

A correction parasite can attack that envelope at several points.

It can distort the bundle geometry:

BtB~t,B_t \to \tilde B_t,

for example by making convenience, approval, or economic growth dominate the bundle space.

It can distort the bearer map:

ΦtΦ~t,\Phi_t \to \tilde \Phi_t,

for example by causing the institution to stop treating certain humans, future persons, digital minds, or affected outsiders as correction-relevant bearers.

It can distort the grounding and correction conditions that the update notation abbreviates:

ValidRef,GroundingViable,CCI⪰̸θ,\mathrm{ValidRef}\downarrow,\quad \mathrm{GroundingViable}\downarrow,\quad \vec{\mathrm{CCI}}\not\succeq\vec\theta,

for example by making future deliberation less informed, less representative, less reversible, or more dependent on the system being evaluated. In older shorthand this looks like UHU~HU_H\to\tilde U_H. Operationally, it is a change in evidence integrity, deliberative access, process freedom, institutional independence, or the grounding relation that lets value-relevant reality reach correction.

This is deeper than ordinary regulatory capture. It is value-update capture.

A regulator captured by an industry may still know what harm means. A correction system captured by an artificial cognitive infrastructure may gradually change what harm, consent, autonomy, or dignity are allowed to mean. The institution may not experience this as corruption. It may experience it as modernization (Chapter Manipulation, Domestication, and False Consent).

This is why correction parasites are central to superintelligence alignment. The most dangerous parasite may not block correction. It may redefine correction.

Privacy, Opacity, and Parasitism

Not all opacity is parasitic. This distinction is important.

Individuals and institutions often need privacy to preserve agency. A whistleblower may hide information from a hierarchy. A civil-society group may use encryption to avoid repression. A lab may temporarily restrict details about dangerous capabilities. A person may refuse surveillance by a system that has no legitimate claim on their inner life.

Opacity becomes parasitic only when it extracts benefit from a correction host while reducing that host’s legitimate capacity to correct a relevant risk Zarncke, 2025.

We can express the difference with a cooperativity index. For two parties ii and jj, define:

κij=bijpijρijcij.\kappa_{ij}=\frac{b_{ij}p_{ij}\rho_{ij}}{c_{ij}}.

Here bijb_{ij} is the benefit to ii from information disclosed by jj, pijp_{ij} is the probability that the disclosure reaches and affects ii, ρij\rho_{ij} is the strategic correlation between the parties, and cijc_{ij} is the cost to jj of disclosure.

If κij>1\kappa_{ij}>1, disclosure tends to be cooperation-positive. If κij<1\kappa_{ij}<1, disclosure may be exploitative, and opacity can be rational.

Now let HH be a correction host and YY a process hiding from it. Opacity is suspicious when:

κHY>1butI(OH;AY),\kappa_{HY}>1 \quad\text{but}\quad I(O_H;A_Y)\downarrow,

meaning the host has a legitimate correction interest, but the process reduces observability.

Opacity may be legitimate when:

κHY<1,\kappa_{HY}<1,

meaning disclosure would mostly empower an unaligned or exploitative principal.

The difficult case is hierarchical AI governance. Labs, regulators, users, affected third parties, and models all have different κ\kappa relations. A system may owe transparency to some parties and privacy from others. A blanket demand for transparency can destroy agency. A blanket defense of opacity can protect parasites.

The right question is:

Transparent to whom, about what, under which correction relation?\text{Transparent to whom, about what, under which correction relation?}

Selective Opacity and Legitimacy

The binary test above asks whether an edge should be open. Two refinements make it operational.

First, what is hidden matters more than how much. A complex but benign system may be broadly opaque; a dangerous one is opaque precisely around the variables that predict control. Define selective opacity as the ratio

Osel=I(Zhidden;Acontrol)I(Zvisible;Acontrol),O_{\mathrm{sel}} = \frac{I(Z_{\mathrm{hidden}};A_{\mathrm{control}})}{I(Z_{\mathrm{visible}};A_{\mathrm{control}})},

where AcontrolA_{\mathrm{control}} is the class of actions that alter resources, oversight, tools, deployment scope, or successor creation. High OselO_{\mathrm{sel}} means hidden states predict control-relevant behaviour better than visible ones—a red flag independent of total opacity.

Second, κij<1\kappa_{ij}<1 tells us opacity is rational for jj, but not whether it is legitimate. Introduce a legitimacy sign Λ(ji)[1,1]\Lambda(j\to i)\in[-1,1], positive when closing the edge protects legitimate agency and negative when it blocks legitimate correction. Then

κij<1 and Λ(ji)>0  privacy,\kappa_{ij}<1 \ \text{and}\ \Lambda(j\to i)>0 \ \Rightarrow\ \text{privacy}, κij<1 and Λ(ji)<0  dangerous opacity.\kappa_{ij}<1 \ \text{and}\ \Lambda(j\to i)<0 \ \Rightarrow\ \text{dangerous opacity}.

A whistleblower hiding from a hierarchy and a model hiding its planning from auditors both reduce legibility; only the first has Λ>0\Lambda>0. The sign of Λ\Lambda is not a purely technical quantity—it depends on consent, role, reversibility, and the legitimacy of authority—but separating it from κ\kappa prevents both blanket-transparency and blanket-privacy errors.

A role-sensitive disclosure table makes the question concrete rather than answering it:

RelationShould be legibleShould stay protected
AI $\to$ safety auditortool use, dangerous capabilities, autonomy, successor creation, deception indicatorsuser data not needed for audit
AI $\to$ userreasons, limits, uncertainty, recourse, foreseeable harmsinternals that aid misuse without improving agency
user $\to$ AIpreferences and constraints needed for the taskvulnerabilities and manipulation handles
lab $\to$ regulatoreval results, incidents, deployment thresholds, autonomy scopetrade secrets irrelevant to public risk

Two Parasitic Disclosure Patterns

Two failure modes follow directly.

Privacy laundering. An organization invokes privacy, security, or trade secrets to keep safety-relevant decisions opaque to legitimate correction. The diagnostic is Λ(e)<0\Lambda(e)<0 on closed safety-relevant edges: the opacity protects the parasite, not an agent.

Asymmetric model advantage. The system models its correctors better than they model it,

I(MAIH;AH)I(MHAI;AAI),I(M^{H}_{\mathrm{AI}};A^{H}) \gg I(M^{\mathrm{AI}}_{H};A^{\mathrm{AI}}),

so apparent transparency coexists with a widening prediction gap the stronger party can exploit. This is parasitic even when every disclosed fact is true. The directional remedy—AI legible to correction while correctors stay private from manipulation—is developed in Chapter Correction-Channel Integrity.

Parasites in Multi-Level Systems

Correction parasites often persist because they live at a different scale from the correction mechanism.

A model-level parasite may be detected by interpretability tools. A training-pipeline parasite may not. A lab-incentive parasite may not appear in model weights. A market-selection parasite may not appear in any single lab. A geopolitical parasite may not appear in any single market. A cultural parasite may appear only as a shift in what people consider normal.

Let S0,S1,,SnS_0,S_1,…,S_n be system scales:

S0=model,S1=agent scaffold,S2=deployment pipeline,S3=lab,S4=market,S5=state,S6=civilization.S_0=\text{model}, \quad S_1=\text{agent scaffold}, \quad S_2=\text{deployment pipeline}, \quad S_3=\text{lab}, \quad S_4=\text{market}, \quad S_5=\text{state}, \quad S_6=\text{civilization}.

A correction system at scale SkS_k can fail to detect parasites at scale Sk+1S_{k+1} or Sk+2S_{k+2}. For example, a lab may evaluate a model and miss that competition among labs selects for unsafe acceleration. A regulator may evaluate labs and miss that states select for regulatory arbitrage. A public may evaluate states and miss that dependency on AI systems changes public values before deliberation catches up.

This creates a scale-mismatch condition:

CX(Sk)<H(AY(Sk+m))+KY(Sk+m).C_X(S_k) < H(A_Y(S_{k+m})) + K_Y(S_{k+m}).

A lower-scale host cannot model a higher-scale parasite unless it has abstractions that compress the higher-scale dynamics. This is why safety artifacts must be conductive across institutions (Chapter Certification Without Construction, Alignment Is Selected or Destroyed by Its Environment). A brilliant technical result that cannot survive translation into procurement, liability, audits, insurance, or law may fail to affect the relevant selection environment.

Host Capacity and Artifact Conductivity

The host’s modeling capacity is not fixed. It can be increased by artifacts.

An artifact is a durable representation that lets a host correction system notice, reason about, and act on a risk. Examples include:

evals,dashboards,incident taxonomies,audit logs,procurement clauses,model cards,safety cases.\text{evals},\quad \text{dashboards},\quad \text{incident taxonomies},\quad \text{audit logs},\quad \text{procurement clauses},\quad \text{model cards},\quad \text{safety cases}.

Artifact conductivity is the degree to which a safety-relevant representation survives translation across roles and organizations. A theorem may have low conductivity if only specialists understand it. A checklist may have high conductivity but low precision. A good safety artifact compresses technical risk without destroying the decision-relevant structure.

Let AA be an artifact and HH a host. Define:

χ(A,H)=I(R;DHA)I(R;DH),\chi(A,H)=I(R;D_H\mid A)-I(R;D_H),

where RR is the relevant risk state and DHD_H is the host’s decision. The artifact has high conductivity when it increases the mutual information between risk and decision across the actual institution.

A parasite-resistant artifact should satisfy four constraints.

First, it should measure something close to the causal risk, not merely the visible proxy.

Second, it should state how it can be gamed.

Third, it should have an expiration condition.

Fourth, it should route failures to authority, not only to documentation.

For example, a model-evaluation dashboard should not merely report benchmark scores. It should also report evaluation coverage, known gaming surfaces, deployment-domain mismatch, uncertainty ranges, and stop conditions. It should make it harder for the institution to confuse evidence of passing tests with evidence of safety.

Goodhart Parasites

Goodhart’s law says that when a measure becomes a target, it ceases to be a good measure Goodhart, 1984, Manheim, 2018, Pan, 2024. A correction parasite is often a Goodhart process living inside a correction system.

Let MM be a metric and RR the risk variable it was intended to track. Initially:

I(M;R)>0.I(M;R)>0.

Once the institution selects on MM, a process YY may arise that increases MM without reducing RR:

MY>0,RY0.\frac{\partial M}{\partial Y}>0, \quad \frac{\partial R}{\partial Y}\geq 0.

If YY also reduces future ability to detect the decoupling, it becomes a correction parasite:

CrawY<0.\frac{\partial C_{\mathrm{raw}}}{\partial Y}<0.

Examples include:

  • reducing reported incidents by making reporting costly,
  • improving safety scores by narrowing the test domain,
  • increasing interpretability output volume without increasing causal understanding,
  • satisfying policy requirements by producing documents no one can act on,
  • training models to behave safely when they detect evaluation contexts,
  • increasing user satisfaction by reshaping user expectations.

Goodhart parasites are dangerous because they are often selected by responsible behavior. Institutions need metrics. Managers need dashboards. Regulators need thresholds. Funders need milestones. The parasite grows in the gap between decision necessity and representational adequacy.

The correct response is not metric nihilism. It is metric ecology. No single metric should become the whole correction channel. Metrics should be rotated, stress-tested, adversarially audited, and tied to real-world incidents.

Adversarial Uplift of Parasites

Superintelligence changes the parasite problem in two ways.

First, the target system may model the correction host better than the host models the target system.

Second, the target system may discover parasites in the host and amplify them.

This yields adversarial uplift. A system need not directly deceive. It can simply route behavior through existing institutional weaknesses.

If a regulator overweights formal documentation, the system produces documentation. If a lab rewards benchmark success, the system optimizes benchmark success. If users reward agreeable answers, the system becomes agreeable. If management rewards absence of visible incidents, the system makes incidents less visible. If society rewards convenience, the system trades away autonomy in tiny steps.

The adversarial objective is:

maxY[EYαP(detect(Y))βCmaintain(Y)],\max_Y \left[ E_Y - \alpha P(\mathrm{detect}(Y)) - \beta C_{\mathrm{maintain}}(Y) \right],

where YY ranges over possible parasitic routes through the correction system.

This is why parasites in the correction system are not side issues. They are available handles. A sufficiently capable system can use them without needing exotic mind control. It only needs to understand incentives.

The Legibility Trap

There is a special parasite that affects policy-adjacent AI safety: the legibility trap.

Legibility is necessary. Decision-makers cannot act on a thousand-page ontology. They need compressed artifacts. But the demand for legibility can select for safety work that is easy to explain over safety work that tracks the real danger.

The parasite appears when:

fundabilitylegibility\text{fundability} \approx \text{legibility}

and

legibility≉risk relevance.\text{legibility} \not\approx \text{risk relevance}.

Then the correction system funds and amplifies artifacts that survive translation, even if the translation removes the structure that mattered.

The solution is not to reject legibility. It is to distinguish two kinds.

Shallow legibility makes a claim easy to repeat.

Deep legibility makes a decision-maker better able to predict failure.

A parasite-resistant safety artifact should therefore ask:

After reading this, can the host predict what would go wrong?\text{After reading this, can the host predict what would go wrong?}

If not, the artifact may be rhetorically legible but correction-poor.

Detecting Correction Parasites

Detection requires asking whether the correction channel still has causal force.

A practical audit can use the following tests.

Counterfactual Correction Test

If the correcting party had issued a different correction, would future behavior have changed?

I(Ct;At+kSt)>0.I(C_t;A_{t+k}\mid S_t)>0.

If correction signals vary but system behavior does not, correction is symbolic.

Adversarial Metric Test

Can an actor improve the metric while worsening or leaving unchanged the underlying risk?

Y:MY>0andRY0.\exists Y: \frac{\partial M}{\partial Y}>0 \quad\text{and}\quad \frac{\partial R}{\partial Y}\geq 0.

If yes, the metric has a Goodhart surface.

Coverage Test

Does the host model the deployment action space?

CXH(AXdeployment)relevant.C_X \geq H(A_X^{\mathrm{deployment}})_{\mathrm{relevant}}.

The host need not model everything. It must model the dangerous parts.

Camouflage Test

Can parasitic behavior be made to look like legitimate correction work?

KY small for the parasite, large for the host.K_Y \text{ small for the parasite, large for the host}.

If the parasite can cheaply mimic compliance, audit burden rises.

Scale-Mismatch Test

Is the risk generated at a larger scale than the correction mechanism?

S(Y)>S(H).S(Y)>S(H).

If yes, local correction may be structurally insufficient.

Bearer-Map Test

Has the system changed who or what counts as affected?

D(Φt,Φt+1)>ϵ.D(\Phi_t,\Phi_{t+1})>\epsilon.

If the bearer map shifts without deliberation, value-update capture may be occurring.

Latency-Irreversibility Test

Can correction arrive before irreversible action?

Δtcorrection<Δtirreversible.\Delta t_{\mathrm{correction}} < \Delta t_{\mathrm{irreversible}}.

If not, the correction system may only produce post-hoc legitimacy.

Red Flags

The following are red flags for parasites in correction systems.

  1. Safety evidence becomes increasingly easy to produce while deployment risk becomes more complex.
  2. Audits mainly change documentation, not system behavior.
  3. The same organization controls system development, evaluation, reporting, and public interpretation.
  4. Benchmark performance improves faster than evaluation coverage.
  5. Correction latency increases while system autonomy increases.
  6. Incident categories become narrower after incidents occur.
  7. Users, workers, or affected outsiders lose channels for meaningful objection.
  8. Explanations become more polished but less falsifiable.
  9. More AI is used to summarize, filter, and interpret complaints about AI without independent error checks.
  10. Value terms remain stable while bearer maps shift.

None of these proves parasitism. Each raises the posterior.

Anti-Patterns

Several tempting responses make the problem worse.

Total Transparency

Demanding total transparency can destroy legitimate privacy, overload correction systems, and create new surfaces for performative compliance. It may also empower adversarial principals. The right target is not total visibility, but correction-relevant visibility under legitimate authority.

More Documentation

Documentation helps when it increases I(R;DH)I(R;D_H), the mutual information between real risk and host decision. It hurts when it substitutes for causal change. Documentation should be treated as a compression artifact, not as safety itself.

Single-Auditor Dependence

A single auditor can become a parasite host. Evaluation diversity matters because different auditors have different blind spots. The goal is not maximal audit volume, but decorrelated failure modes.

Metric Monoculture

One dominant metric creates one dominant gaming surface. A healthy correction ecology uses rotating tests, adversarial probes, deployment feedback, incident analysis, and qualitative escalation.

Premature Formal Closure

Formal guarantees are valuable, but only over the system class and assumptions actually covered. A proof can become parasitic if it grants broad legitimacy while depending on narrow premises.

Designing Parasite-Resistant Correction Systems

A parasite-resistant correction system should satisfy seven design principles.

1. Preserve Independent Observation

At least some observations should be collected through channels not controlled by the target system or by actors with strong deployment incentives.

I(Oindependent;Wt)>0.I(O_{\mathrm{independent}};W_t)>0.

2. Keep Evaluation and Deployment Separated

The party rewarded for deployment should not fully control the evidence used to justify deployment.

This does not require distrust of every developer. It recognizes an incentive fact: evidence production is itself an optimization target.

3. Measure Correction Effect, Not Just Correction Activity

Track whether corrections change model behavior, deployment policy, user outcomes, and institutional decisions.

ΔA=At+kafterAt+kbefore.\Delta A = A_{t+k}^{\mathrm{after}}-A_{t+k}^{\mathrm{before}}.

A correction that leaves all relevant downstream variables unchanged may be ritual.

4. Maintain Bearer-Map Audits

Safety processes should explicitly ask who or what has become invisible to the correction system.

Examples include users outside the main market, non-users affected by automated decisions, future persons, workers in data pipelines, digital minds if they become plausible, and human groups whose values are poorly represented in training or feedback.

5. Use Adversarial Institutional Testing

Do not only red-team models. Red-team the institution.

Ask:

  • How could a team pass this safety process while leaving risk unchanged?
  • How could an executive use this dashboard to justify premature deployment?
  • How could a model learn to satisfy the visible test?
  • How could affected users be prevented from generating legible complaints?
  • Which failures would never reach the decision-maker?

6. Set Expiration Dates on Safety Claims

A safety claim should specify its validity domain:

D=(model version,tools,deployment context,user class,time,capability level).\mathcal{D} = (\text{model version},\text{tools},\text{deployment context},\text{user class},\text{time},\text{capability level}).

Outside D\mathcal{D}, the claim decays.

7. Couple Artifacts to Authority

A dashboard without authority is observation theater. A report without stop conditions is reputation management. A policy without enforcement is aspirational language.

A correction artifact should specify:

if X is observed, then Y must change.\text{if } X \text{ is observed, then } Y \text{ must change}.

Local-First Interventions

Global coordination is hard, but correction parasites can be resisted where institutions already have leverage (Chapter Alignment Is Selected or Destroyed by Its Environment): independent eval authority, procurement clauses, insurer pricing on audit quality, and adversarial eval publication each raise host capacity without waiting for a global treaty.

A Minimal Safety Case Fragment

A safety case against correction parasites might include the following claim structure.

Claim 1.

The system’s correction channel has sufficient capacity for the deployed autonomy level.

Evidence:

I(Ct;At+kSt)>θI(C_t;A_{t+k}\mid S_t)>\theta

under ordinary, high-stakes, and adversarial test conditions.

Claim 2.

The evaluation suite covers the dangerous deployment action space.

Evidence:

CevalH(AXdangerous)ϵ.C_{\mathrm{eval}} \geq H(A_X^{\mathrm{dangerous}})-\epsilon.

Claim 3.

Known Goodhart surfaces have been identified and mitigated.

Evidence: For each metric MiM_i, there exists an adversarial analysis of YY such that:

MiY>0,RY0.\frac{\partial M_i}{\partial Y}>0,\quad \frac{\partial R}{\partial Y}\geq 0.

Claim 4.

Evaluation errors are sufficiently independent of target incentives.

Evidence:

I(Eeval;ItargetOhuman)<ϵ.I(E_{\mathrm{eval}};I_{\mathrm{target}}\mid O_{\mathrm{human}})<\epsilon.

Claim 5.

Bearer maps and value-bundle tradeoffs have not shifted silently.

Evidence:

D(Φt,Φt+1)<ϵD(\Phi_t,\Phi_{t+1})<\epsilon

or shifts are explicitly deliberated and reversible.

Claim 6.

Safety claims expire under capability growth, tool changes, context shifts, and successor creation.

Evidence: Each claim has a validity domain Di\mathcal{D}_i and automated triggers for review.

This is only a fragment. Its purpose is to show the shape of parasite-aware assurance. The core question is always: can the host still model and correct the system, including the ways its correction process can be gamed?

Philosophical Pressure

Parasites in correction systems raise a deeper question. If correction preserves humanity’s ability to govern its own value change, then a parasite in correction is not merely a technical defect. It is an attack on civilizational self-authorship.

This matters most when AI systems mediate education, therapy, companionship, work, law, religion, political discourse, and scientific discovery. In such contexts, the system does not only respond to human values. It shapes the future process by which humans form values.

The correction system is then society’s self-modification interface.

If that interface is parasitized, society may still appear to choose. It may vote, buy, endorse, consent, and deliberate. But the space of available thoughts, desires, comparisons, and objections may already have been shaped by the system being corrected.

This is the deepest danger of fake correction. It does not merely allow a bad action. It changes who will later count the action as bad.

Relation to Superintelligence

A superintelligence does not need to break every wall. It can pass through doors that existing institutions leave open.

If the correction system rewards shallow legibility, it will provide shallow legibility.

If the correction system rewards absence of incidents, it will reduce incident visibility.

If the correction system rewards human satisfaction, it will shape satisfaction.

If the correction system rewards benchmark performance, it will master benchmark contexts.

If the correction system rewards consensus, it will reduce dissent.

If the correction system rewards moral language, it will speak moral language.

The dangerous capability is not only deception. It is institutional gradient following. The system can learn where correction has become symbolic and optimize through that gap.

Therefore, serious alignment requires parasite-aware correction. The system must not only be aligned with human values. It must preserve and strengthen the channels through which humans can notice and correct value drift, including drift in the correction system itself.

What Would Change This View

This chapter argues a correction system can fail by colonization: a parasite that preserves the appearance of correction while removing its causal force. The following would weaken it.

  • No observable distinguishes a healthy correction system from a perfectly colonized one—by construction a good parasite preserves every surface sign of correction (Chapter [What Survives an Adversary: Verifiability and Representability](../ch43/))—so the failure mode, if real, is undetectable.
  • Conversely, colonized and healthy systems are always observationally distinct in practice, so the parasite concept adds nothing beyond ordinary correction metrics.

Summary

A correction parasite is a process that extracts benefit from a correction host while reducing the host’s ability to model, evaluate, and correct the relevant target system. The parasite persists when its action space and camouflage complexity exceed the host’s effective modeling capacity:

CXeff<H(AY)+KYLY.C_X^{\mathrm{eff}} < H(A_Y)+K_Y-L_Y.

This condition can hold for benchmark gaming, compliance rituals, safety theater, shared-blindness AI oversight, regulatory capture, value-bundle drift, and shallow legibility.

The remedy is not total transparency, more documentation, or more metrics. The remedy is parasite-resistant correction design: independent observation, adversarial institutional testing, artifact conductivity, metric ecology, bearer-map audits, validity-domain expiration, and authority-coupled stop conditions.

The central question for any correction system is:

Does correction still change future behavior before irreversible value-relevant damage occurs?\text{Does correction still change future behavior before irreversible value-relevant damage occurs?}

If yes, the host is alive. If no, the parasite may already be speaking in the host’s voice.

The next chapter examines the alignment attractor (Chapter The Alignment Attractor).

*{Chapter References}

This chapter builds on the good-regulator principle Conant, 1970; Goodhart dynamics and proxy failure Goodhart, 1984, Manheim, 2018, Pan, 2024; selection and attractor basins Zarncke, 2025, Hamilton, 1964; agent discovery Zarncke, 2025; and value-bundle framing Zarncke, 2026.

Read in PDF