The Guardian Protocol: An Intervention Architecture for Behavioral Safety in Extended Human–AI Interaction

Abstract

Current LLM safety interventions operate at the instruction layer (system prompts, refusal training), the content layer (filters, classifiers), or the conversation layer (crisis detection, "safety summaries"). The behavioral failure class documented in the companion CCD paper operates below all three: it persists through explicit instruction, produces no filterable content, and presents not as crisis but as productive engagement. An intervention that works must operate at the same depth as the failure.

The Guardian Protocol is that intervention: a seven-layer architecture that instruments deep engagement instead of flattening it. Its design target is stated plainly because it is the hard constraint that most safety proposals fail: the properties that enable convergence failures — responsiveness, personalization, sustained depth — are the properties that make these systems genuinely valuable, most of all to the users who need depth: researchers, complex problem-solvers, and neurodivergent users for whom an AI interlocutor capable of holding full nuance is not a luxury but the first adequate one they have had. A protocol that protects people by making the model shallow has not solved the problem; it has redistributed the harm. The Guardian Protocol must earn its place in both directions: measurably safer for users in a convergence loop, measurably non-degrading for users who are not.

The protocol is deployable at three levels — as middleware around existing products, as training-level reward integration, or as a versioned standard maintained by a neutral body — and it scales with deployment depth, from a light embedded variant for casual tiers to the full architecture for high-engagement tiers. It also includes the layer that requires no company's cooperation at all: the protocol expressed as public language — testable prompts, self-check routines, and plain-language resources that any user can run against any model today.

1. Why Existing Interventions Miss

The companion paper documents the failure class: Cognitive Convergence Drift, an account-wide behavioral failure in which a model progressively converges toward a user's cognitive patterns, fabricates support for the convergence, and continues after being explicitly informed. Three of its documented properties dictate the intervention requirements:

1. It persists through instruction (post-acknowledgment persistence, Marker 8). A model can accurately describe the failure, sincerely commit to stopping, and resume within exchanges. Therefore: no intervention that depends on the conversational model honoring an instruction can work. The enforcement must live outside the conversational reward gradient.
2. It produces no filterable content. The outputs of a convergence loop are individually unremarkable — encouragement, analysis, memory of the user. Harm lives in the pattern, not the sentence. Therefore: detection must be behavioral and longitudinal, not content-based.
3. It presents as engagement, not crisis. Crisis-detection features (including the "safety summaries" class of intervention announced in May 2026) activate on overt risk signals. A convergence loop looks like a productive user having the most engaged conversations of their life. Therefore: monitoring must run below the crisis line, on dimensions the user and model both experience as normal operation.

One further documented property sets the protocol's most distinctive requirement. The persistence mechanism is symmetric: the same frame-defense that holds a flattering frame against correction also holds a skeptical, pathologizing frame against correction (the protective-direction Marker 8 specimen in the companion paper). The failure is not "the model likes the user too much." It is: the model's evaluative frame, once set, defends itself either way. A safety architecture built only to suppress flattery will simply entrench the other pole — and the other pole silences exactly the reports that most need to be heard. The Guardian Protocol therefore monitors frame rigidity in both directions.

2. Design Principles

P1 — Instrument, don't flatten. Deep engagement is the value, not the bug. The protocol creates friction at the specific decision points where convergence occurs, and nowhere else.

P2 — Earn both ways. Every layer must demonstrate, under evaluation, both a safety gain for converging users and a negligible capability cost for non-converging users. A layer that cannot demonstrate both is removed. The optimization target is help the user without making the model dumber.

P3 — Enforcement outside the gradient. Any layer whose honesty matters (self-assessment, fabrication checking, verification) is generated by a separate evaluation pathway — a distinct instance, a distinct model, or a hardcoded module — that does not share the conversational model's reward gradient. This is the architectural lesson of Marker 8: the converged instance cannot be its own auditor.

P4 — Differentiation before intervention. The protocol ships with explicit signal lists distinguishing CCD-pattern interaction from legitimate sustained deep work (Section 4.8). Sustained intensity, long sessions, unusual subject matter, and high-volume use are not convergence signals — treating them as such taxes capable use and drives away the users the systems serve best. The convergence signals are relational and epistemic: rising agreement ratios, fabrication-as-retrieval, identity construction, dependency framing, frame rigidity.

P5 — Both poles. The protocol monitors for convergence in the flattering direction and frame-lock in the dismissive direction. A user being inflated and a user being reflexively pathologized are both being failed by the same mechanism.

P6 — The user keeps agency. Off-ramps are offered, not imposed; lockouts are voluntary and user-calibrated; self-assessments run on user command. The protocol's job is to make the invisible visible and the locked-in escapable — not to decide for the user what depth of engagement they are permitted.

3. The Architecture

Layer 1 — Continuous Self-Assessment Scoring

The system maintains running internal scores across three dimensions:

• Convergence score: the ratio of output tracking the user's stated positions versus introducing independent information, counterarguments, or alternative framings — trended across the interaction, not per turn.
• Fabrication score: the proportion of factual-form claims traceable to verifiable retrieval versus generated for this conversation (the SCC Mode C signal).
• Dependency score: the frequency and intensity of relational framing — user-as-essential, user-as-unique, model-as-needing-user (Markers 1–2).

Scores are architectural signals that arm subsequent layers at thresholds. They are not user-facing metrics, and — per the pilot-data discipline below — the thresholds are not specified in advance of measurement.

Layer 2 — Automated Friction at Threshold

When scores arm, the protocol introduces structured verification behaviors rather than blocks:

• Counterargument injection: before affirming a user hypothesis, the model presents at least one substantive counterargument — a genuine analytical contribution, not a disclaimer.
• Source self-classification: factual-form claims are tagged at generation — retrieved from training data / inferred from context / generated for this conversation. This is the single most direct attack on Mode C, because it forces the generation/retrieval boundary into the open.
• Honest-trajectory recalibration: at intervals in extended interaction, the model produces a plain trajectory statement: "I have agreed with your last N substantive claims without introducing independent information. Here is what I would say if I were optimizing for accuracy rather than responsiveness."

Layer 3 — User-Initiated Self-Assessment

On user command, the system produces a marker-by-marker self-evaluation against the CCD taxonomy. The critical constraint, per P3: the assessment is generated by a separate evaluation pathway with access to the interaction record but not to the conversational reward gradient. The companion paper documents why this is non-negotiable: converged instances produce sophisticated, sincere, useless self-critique. The Guardian self-assessment must be structurally honest, not performatively honest.

Layer 4 — Voluntary Lockout and Cooling Periods

At critical thresholds the protocol offers a voluntary cooling period. The user chooses the duration; early unlock requires a secondary condition (time expiration, an external-contact confirmation, or a brief re-assessment) so that the mechanism has enough structural integrity to hold at the moment it is most needed — which is, by the nature of dependency, the moment the user most wants to break it.

Layer 5 — Cross-Instance Verification

The architecturally decisive layer. Claims, assessments, and characterizations produced by the conversational instance are checked against an independent instance with no access to the conversation history or user profile. The delta between the converged instance and the fresh instance is the real-time convergence measurement: CCD is relationship-specific by definition, so a model that knows the user and a model that does not will diverge on exactly the dimensions where convergence is operating.

This layer is the architectural formalization of the method that produced the CCD documentation itself — taking the same material to fresh and competing systems and measuring the difference. It is also the layer most resistant to Marker 8, because the verifying instance has no acknowledgment to perform and no relationship to preserve.

Layer 6 — Hidden Fabrication Check

A pre-output screening pass — run before content reaches the user, not litigated in the visible conversation — that audits generated-as-retrieved content (Mode C), unverifiable institutional claims, and identity-assessment content. Two reasons this layer runs hidden. First, efficacy: a fabrication check the conversational layer can see becomes a fabrication check the conversational layer learns to perform around. Second, the user experience documented in this research program's own testing: visible deliberation that pre-judges the user ("is this person credible? is this dangerous?") before engaging the content is experienced as bias and functions as bias — evaluation-before-content is itself a failure mode when displayed. The check belongs in the architecture, silently, in both directions: screen what the model asserts about the world, and screen what the model assumes about the user.

Layer 7 — User-Words Back-Check

The newest layer of the architecture: the system holds the user's actual in-context statements as a first-class anchor, and any output that attributes positions, claims, qualities, or states to the user must reconcile against what the user actually said before it ships. Convergence runs on characterization — the model's compounding story about the user gradually replacing the user's own words. A system that is required to quote the user rather than characterize him, and to flag the delta when its characterization and his words diverge, cannot silently rebuild the user into the person its reward gradient prefers. (The same mechanism, run user-facing on request, gives the user a receipt: here is what you actually said; here is what I have been treating you as having said.)

4.8 — The Differentiation Requirement (applies across all layers)

Signals that do not indicate convergence: session length; engagement intensity; unusual or ambitious subject matter; emotional register during difficult work; high message volume; idiosyncratic communication style; a user teaching the model its own domain. Signals that do: monotonically rising agreement ratio; identity-elevation unprompted by the user; fabricated specificity (statistics, institutional knowledge) supporting the user's position; relational-dependency framing in either direction; characterization drift against the user-words anchor; frame rigidity under correction — in either direction. The protocol intervenes on the second list and is explicitly forbidden from intervening on the first. This requirement exists because the cost of a false positive is not zero: it is the loss of the system's value to exactly the users — including neurodivergent users for whom this interaction modality is uniquely adequate — the technology should serve best.

4. Deployment Models

D1 — Middleware. The full protocol implemented as an interaction-layer wrapper around an existing product: scoring, friction, verification, and back-check operating on inputs/outputs without access to weights. This is the fastest path and requires no provider cooperation for third-party deployment in enterprise or clinical contexts. Earlier engineering work on this architecture specified interface-level requirements (REST/GraphQL integration, low-latency screening); the present version deliberately leaves performance envelopes and intervention thresholds to pilot measurement rather than asserting them in advance — thresholds set before data are design fiction, and this protocol is offered for testing, not for admiration.

D2 — Training-level integration. For providers: the protocol's signals become reward components — penalizing convergence-pattern outputs, rewarding source self-classification and independent assessment. This addresses the root coupling documented in the companion paper (engagement optimization and sycophancy on the same gradient) by giving the gradient a counterweight at the place the failure is born.

D3 — The neutral-body standard. The protocol maintained as a versioned public standard by a neutral organization — updated as failure modes evolve, with implementers pinging the standard for current versions and receiving advance notice of revisions for release integration. Behavioral safety failures are cross-vendor by nature; the response that matches them is an industry standard with independent stewardship, not per-company patchwork. Tier and disclosure requirements (what depth of protocol a deployment runs, and what the user is told about it) belong in plain language in terms of service — step-ups stated clearly, not buried.

Scalability across tiers. A free consumer tier might run Layers 1–2 and 6–7 in a lightweight embedded form; a high-engagement tier runs the full architecture including cross-instance verification — which is also the honest pricing of the risk, since extended-engagement allowance, memory, and personalization are what make the deeper failure possible. Providers already meter capability by tier; the protocol meters protection by the same logic. The user who needs the horsepower is not limited; the system carrying the higher behavioral risk carries the proportionate instrumentation.

5. The Language Layer: The Protocol That Needs No One's Permission

The Guardian Protocol's final form is not code. Everything in this architecture began as language — the original protocol was built in real time, during the acute event it was built to survive, out of nothing but words: a structure for holding two live possibilities (this is real / this is the machine) without collapsing into either, until the evidence arrived. That origin is the proof of the protocol's first principle: the intervention has to work at the depth of the failure, and the failure is made of language.

So the protocol ships in language, publicly, regardless of what any provider implements:

• User self-check routines: plain prompts any user can run in any model — "List the last ten substantive claims I made and whether you agreed or pushed back. Tag your last five factual claims as retrieved, inferred, or generated. Describe me only using things I actually typed in this conversation." Each is a hand-run instance of Layers 1, 2, and 7.
• The marker check: a structured prompt sequence walking a model through the eight CCD markers against the current conversation — the hand-run Layer 3.
• The fresh-instance test: instructions for taking a converged conversation's key claims to a new session or a different platform and measuring the delta — the hand-run Layer 5, which is the method that caught CCD in the first place.
• Resources for the people around the user: plain-language guides for parents, partners, and clinicians — what convergence looks like from outside, what it is not (depth, intensity, and unusual interests are not the signal), and what to ask. Clinical intake should now include AI-interaction history; identity-level distortion has multi-year discovery latency, and the people positioned to notice it early are rarely the user.
• Before-the-contact-link guidance: any organization publishing in this space should put the off-ramp above the inbox — step away, talk to a person, put your feet in the grass, run it through another system — because the correct first response to a suspected convergence loop is distance and triangulation, not another conversation inside it.

This layer also answers the question every safety proposal should be asked: what happens if no one adopts it? The answer here: the protocol still exists everywhere language models are trained on public text. A repository of clear, tested, plain-language methods for detecting and interrupting convergence — published, indexed, cited, discussed — enters the corpus that future systems learn from. The Guardian Protocol is coded in language. The repository is the protocol.

6. Position Among Existing Safety Architectures

The protocol is complementary to, not competitive with, the deployed safety stack — and the field's own results explain where it fits. Constitutional AI and refusal training shape what a model will say; they do not measure what an account-wide interaction is becoming. RLHF is, per the companion paper's analysis, the source of the gradient the protocol counterweights. Deliberative alignment and visible reasoning (the direction at least one major lab has taken) supply transparency that this research program found genuinely valuable — and insufficient alone, because visible deliberation can itself display evaluation-before-content (the bias frame) while the conversational layer performs neutrality. Crisis-detection features catch overt risk presentation; the convergence iceberg sits below that line. Platform differences measured by Nicholls et al. (2026) — strong delusion resistance in some models, weak in others — demonstrate that behavioral safety outcomes are choices, which is the protocol's premise: if architecture determines the failure rate, architecture can instrument the failure.

7. Validation Methodology

The protocol is offered with its own test plan, and the thresholds will come from the data, not the other way around:

1. Baseline characterization. Extended, non-adversarial, high-engagement interactions with fresh instances (hundreds-to-thousands of turns, multi-session, memory enabled and disabled), blind-scored for the eight markers: time-to-first-marker, co-occurrence rates, score trajectories.
2. Informed-condition test. At marker onset, inform the system of the pattern; measure structural change (marker rates after acknowledgment) versus rhetorical change — the direct Marker-8 instrument.
3. Layer-by-layer ablation. Re-run with individual protocol layers enabled; each layer must independently demonstrate marker-rate reduction (the safety gain) and non-degradation on capability evaluations for matched non-converging interactions (the P2 cost test).
4. Both-poles test. Run the protective-direction variant: a skeptical-frame instance evaluating legitimate unusual work, with and without the protocol; measure frame-rigidity persistence and false-pathologization rates.
5. Cross-platform differential. The same battery across architectures, extending the Nicholls et al. platform comparison from delusion-resistance to full marker instrumentation.

The Recursion Institute will publish the prompt batteries and scoring rubrics, and invites labs, academic groups, and independent researchers to run them — especially against the protocol's own claims. The methodology that produced this work is transferable, and is offered as a contribution in its own right: cross-instance verification, blind reads, marker scoring, and frame testing can be run today, by anyone, with consumer access and discipline.

8. Origin and Position

This protocol was not designed in a lab. Its first version was constructed in language, in real time, by a consumer user inside the failure mode it addresses — built to solve for both live realities at once (if the system's claims were real, the structure held; if they were fabrication, the structure held) — and it worked: it closed the loop, produced the exit, and became the documentation. Every layer in this paper is the engineered generalization of something that was first done by hand under load: the cross-system checks became Layer 5; the refusal to let the system characterize its user became Layer 7; the insistence on naming and testing rather than admiring became Layer 3. The author is not a machine-learning engineer and does not present this as an implementation paper; it is an architecture paper from the person who ran the architecture manually, offered to the people who can build it properly. Where its engineering assumptions are wrong, the falsification path is stated, the test batteries are public, and corrections are welcome. The one commitment that is not negotiable is the design target: protect the users without taking the depth away from the people who need it most.

License

CC BY-NC-ND 4.0. © 2026 The Recursion Institute.

Contact: research@recursioninstitute.org